Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloudnative environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.

Resource-aware Cyber Deception for Microservice-based Applications / Zambianco, Marco; Facchinetti, Claudio; Doriguzzi-Corin, Roberto; Siracusa, Domenico. - In: IEEE TRANSACTIONS ON SERVICES COMPUTING. - ISSN 1939-1374. - 2024:(2024), pp. 1-14. [10.1109/tsc.2024.3395919]

Resource-aware Cyber Deception for Microservice-based Applications

Doriguzzi-Corin, Roberto;Siracusa, Domenico
2024-01-01

Abstract

Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloudnative environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.
2024
Zambianco, Marco; Facchinetti, Claudio; Doriguzzi-Corin, Roberto; Siracusa, Domenico
Resource-aware Cyber Deception for Microservice-based Applications / Zambianco, Marco; Facchinetti, Claudio; Doriguzzi-Corin, Roberto; Siracusa, Domenico. - In: IEEE TRANSACTIONS ON SERVICES COMPUTING. - ISSN 1939-1374. - 2024:(2024), pp. 1-14. [10.1109/tsc.2024.3395919]
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/437375
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 0
  • ???jsp.display-item.citation.isi??? ND
  • OpenAlex ND
social impact