Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Resource-aware Cyber Deception for Microservice-based Applications

Marco Zambianco, Claudio Facchinetti, Roberto Doriguzzi-Corin, Domenico Siracusa

TL;DR

This work designs a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget and designs a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation.

Abstract

Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.

Resource-aware Cyber Deception for Microservice-based Applications

TL;DR

This work designs a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget and designs a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation.

Abstract

Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.
Paper Structure (15 sections, 12 equations, 11 figures, 3 tables, 1 algorithm)

This paper contains 15 sections, 12 equations, 11 figures, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related work
  3. System model
  4. Microservice architecture model
  5. Decoy configuration and placement model
  6. Threat model
  7. Problem formulation
  8. Optimal decoy allocation
  9. Heuristic decoy allocation
  10. Performance evaluation
  11. Simulation setup
  12. Variable number of microservices
  13. Variable decoy resource ratio
  14. Sensitivity to attacker's behavior
  15. Conclusion

Figures (11)

  • Figure 1: Overview of the considered system model. Microservices can be compromised by the attacker using remote code execution techniques (solid red arrow) or container escape techniques (dashed red arrow).
  • Figure 2: Example of deceptive microservice allocation within a microservice architecture.
  • Figure 3: Example of DAPs generated by a different number of decoys along a specific AP in AG. The red and yellow microservices represent the AP source and target, respectively.
  • Figure 4: Decoy interaction probability $P_{DAP}$ when the number of microservices is increased from $M = 100$ to $M = 500$. The decoy resource ratio is $\delta = 0.3$.
  • Figure 5: Average number of decoy per AP ${D}_{AP}$ when the number of microservices is increased from $M = 100$ to $M = 500$. The decoy resource ratio is $\delta = 0.3$.
  • ...and 6 more figures