Title
After we knew it: empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across IaaS cloud
Abstract
Infrastructure as a Service (IaaS) cloud has been attracting more and more customers because it provides the highest level of flexibility, offering configurable virtual machines (VMs) and computing infrastructures. Public VM images are usually available for customers to customize and launch. However, the 1-to-N mapping between VM images and running instances in IaaS makes vulnerabilities propagate rapidly across the entire public cloud. Moreover, IaaS cloud naturally comes with a larger and more stable attack surface and more concentrated target resources than traditional environments. In this paper, we first identify the threat of exploiting prevalent vulnerabilities over public IaaS cloud with an empirical study in Amazon EC2. We find that attackers can compromise a considerable number of VMs at trivial cost. We then carry out a qualitative cost-effectiveness analysis of this threat. Our main result is a two-fold observation: in IaaS cloud, exploiting prevalent vulnerabilities is much more cost-effective than in a traditional in-house computing environment, so attackers have a stronger incentive. Fortunately, cloud defenders (cloud providers and customers) also have a much lower cost-to-loss ratio than in a traditional environment, so they can defend against attacks more effectively. We then build a game-theoretic model and conduct a risk-gain analysis to compare exploiting and patching strategies under cloud and traditional computing environments. Our modeling indicates that in the cloud environment, both attack and defense become less cost-effective as time goes by, and the earlier actor is rewarded more. We propose countermeasures against this threat in order to bridge the gap between the current security situation and existing defense mechanisms. To the best of our knowledge, we are the first to analyze and model the threat posed by prevalent known vulnerabilities in public cloud.
Year: 2014
DOI: 10.1145/2590296.2590300
Venue: ASIACCS
Keywords: statistical methods, strategic information systems planning, virtual machine images, game theory, patching management, vulnerability management, cloud computing
Field: Internet privacy, Virtual machine, Attack surface, Computer security, Computer science, Cloud computing security, Game theory, Vulnerability management, Empirical research, Cloud computing, Vulnerability
DocType: Conference
Citations: 39
PageRank: 1.15
References: 17
Authors: 3
Name          Order  Citations  PageRank
Su Zhang      1      156        6.77
Zhang Xinwen  2      1695       104.61
Xinming Ou    3      1081       55.30