- Email: [email protected]
Goal Based Threat Modeling for Peer-to-Peer Cloud
Available online at www.sciencedirect.com
ScienceDirect Procedia Computer Science 89 (2016) 64 – 72
Twelfth International Multi-Conference on Information Processing-2016 (IMCIP-2016)
Goal Based Threat Modeling for Peer-to-Peer Cloud Sanghamitra Dea,∗ , Mridul Sankar Barikb and Indrajit Banerjeec a Future Institute of Engineering & Management, Kolkata, India b Jadavpur University, Kolkata, India c IIEST, Howrah, India
Abstract Peer-to-peer networks, without central servers, have peers operating both as client and server. This paper discusses flaws of P2P networks and clouds. That P2PClouds can be derived from idle resources is also briefly discussed. A re-classification of P2P attacks has been proposed based on attacker goals. Threat modeling enables developing designs for secure systems. An existing goal based threat modeling approach has been used and threats and countermeasures of a P2PCloud has been modeled using Threat-SIG. Finally, security requirements of P2PClouds are discussed as being potential area for further research in this field. © 2016 The Authors. Published by Elsevier B.V. © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license Peer-review under responsibility of organizing committee of the Twelfth International Multi-Conference on Information (http://creativecommons.org/licenses/by-nc-nd/4.0/). Processing-2016 Peer-review under (IMCIP-2016). responsibility of organizing committee of the Organizing Committee of IMCIP-2016 Keywords:
Cryptography; Cloud Security; IoT; Role Based Access Control Model; Sensors.
1. Introduction Peer-to peer (P2P) computing or P2P networks essentially involves a cluster of nodes connected in a network. Users at each node use the network to accomplish a task, download files, transfer data, search for information and so on. It is a form of distributed computing paradigm, where any user sitting at one node is able to utilize other nodes and their resources1 namely: disk space, computation speed, and bandwidth. Data sought by node A may be present/absent/partly present in its peer node B. On querying, B may find the complete data or a part of it with a peer of B (say C or D). Likewise, information sought by one node may be found with its peer or with the peer of its peer. This essentially indicates that a peer can perform as a client as well as a server of information. The effect of being able to procure resources from or provide resources to peers in a network, share one’s own storage space with others introduce security issues in peer groups or peer networks. This also holds true for quasi-closed groups in which a subset of the original set of nodes form a peer network, while superset nodes enter and leave as required. P2P networks such as Napster and Gnutella are also referred to as P2P Overlays2. Overlays can be considered as a set of servers across networks that provide infrastructure for different applications, forward data and can be operated by third parties3 . P2P networks have since found their way into being used4 as trusted network in critical infrastructure providing organizations. P2P networking has unresolved design flaws due to which it has persistently remained a target to certain attack trends. This directly points to the requirement to ensure that nodes agree to security protocols of a peer group and function to meet goals of the group. Some of the major flaws in P2P networking are: ∗ Corresponding author. Tel:: +91 -9836659766.
E-mail address: [email protected]
1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of organizing committee of the Organizing Committee of IMCIP-2016 doi:10.1016/j.procs.2016.06.010
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
• Absence of trust-based inter-peer communication: Peers join and leave the group as per their requirements and IP addresses could be dynamic or even spoofed. This implies that decoy or rogue nodes may assume identities and join peer groups. • Absence of policing for secure operations: In the absence of central control, there is little or no policing to establish trust within a peer group or for managing untrusted code5 in a peer network. • Peer reputation does not consider security aspects: There is no criterion based on which an unknown peer maybe introduced to a peer group. Decentralized methods of computing peers’ reputation based on traffic, search efficiency6 and other methods have been proposed so far. Peer reputation in applications such as Torrent is usually computed based on their contribution in the peer network, search hits and misses. • Lack of monitoring of performance: Peers are not resilient to botnets (networks of infected computers controlled by an attacker) or as the current trends are, to super botnets. Super botnets are advantageous compared to a large botnet in that, they involve a mass of botnets and propagate very fast. Bot tracking procedures need to improve to keep up with maturing botnet technologies7. Cloud computing provides the benefit of making ICT services available as a commodity. This ensures that the organizations which use cloud services can respond faster and reliably to their customer’s needs and improve their own efficiency8. Cloud computing paradigm provides on-demand self-service of essential components that are required by all ICT dependent sectors, namely: software, platform comprising of programming languages, libraries, services, and tools required and infrastructure components such as, computing resources, storage and selected network components. The availability of such resource pool through different business models as public, private, community and hybrid clouds is a security concern. With public, community and hybrid cloud there is practically no control over the security of such resource9. With clouds a number of security loopholes are introduced, such as: • Ambiguity of responsibility for the cloud service providers and users. • Loss of confidentiality, integrity, availability or even authenticity due to reduced accountability involved with cloud usage. • Loss of governance due to non-uniformity in application of internal controls, regarding which controls are selected and how they are integrated across different deployment models (SaaS, PaaS and IaaS or NaaS). • Users do not have a true view of the security level provided by the service provider as the cloud is merely a black box. Users have no idea as to where from their services are provided and how secure are those services10 . • Cloud services are accessed via unprotected, easily breached APIs. • Clouds have little or no provision for providing privacy to user data and often do not meet compliance requirements for data protection. • Clouds are being used to provide services such as in Microsoft Azure, or Amazon EC2. Considering the features, merits and demerits of both cloud and peer-to-peer networking, research efforts have been directed towards incorporating Clouds and P2P network into one single realizable system of P2P Clouds. A P2P Cloud would in effect provide on-demand scalability, computing resource and storage space (which can be added) as per varying needs. There would be no central point of failure, or central management and resource addition can be done by installing daemons. Also, such P2P Cloud System or P2PCS has been realized as a fully decentralized distributed IaaS cloud infrastructure11 from idle resources existing in an organization. The P2PCS has been derived by using daemons and algorithms as follows: • Peers comprise of a large number of networked nodes owned by different organizations/individuals of differing capacity & computing power (nodes ranging from notebooks to multicore servers). • Resource sharing is done by installation of daemon. • Daemon provides 2 interfaces: one for entering user requests, another for communicating with other peers. • Daemon handles churn ‘gracefully’ and maintains cohesion among nodes. Thus, the cloud as a whole is not reliable as nodes may enter and leave the cloud as per their requirements. Algorithms and protocols are used for handling churn and maintaining internode cohesion • Other algorithms are required for slicing/partitioning resources among service requestors and creation of sub-clouds. Slices are dynamic since user resource requirements may shrink or expand over time.
65
66
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
• Nodes inside slices may run reliably or crash. Keeping such possibilities in mind, nodes within a slice can interact with nodes inside as well as in the global cloud. P2PCS as discussed above is a constantly changing repository of resources, the changing nature being due to the entering and leaving of nodes. The stability of such a structure is maintained mainly by using gossip protocols. The most important requirement towards maintaining the stability of the structure is management of its partitions or slices. Bringing together peers and clouds even strengthens the security concerns of such structure including the feasibility of monitoring security in a peer cloud and validity of the results of monitoring. However, the P2PCS model does not have any provision for trust and security-based reputation management in its existing framework. Methods for providing access control, security monitoring using OpenFlow and Software Defined Networking (SDN) approaches already exist12 . P2P Cloud systems are used for providing Content Delivery Network (CDN) or in Data Centres. Some examples of Cloud service providers in use are: My Cloud (provides comprehensive multi-cloud security platform), Amazon Cloud Front (CDN) and SymForm (providing distributed backup), Peer-to-Peer backup (for P2P cloud storage). With peers interacting with other peers or peer groups, peer groups talking to each other and lack of proper internal controls in clouds used by the P2P networks, this can have far-reaching effects. P2P Clouds due to weaknesses inherent in P2P networks and Clouds, provide scope for further research. The goal of the paper is to perform threat modelling on P2P Cloud system and identify threats and vulnerabilities associated with the system and arrive at possible mitigation measures. This in turn would also aid in identifying security requirements of a P2P Cloud system The main contributions of this paper are: (i) the proposed re-classification of attacks on P2P networks on the basis of the objective of the attacker and (ii) the goal based threat modelling of P2P Cloud. Using the goal based threat modelling one can analytically arrive at the threat-vulnerability pairs and their respective mitigation measures. The final outcome of this work is the identification of the mitigation measures as operational softgoals by analysis of the threat-vulnerability pairs. The paper also identifies the security requirements related to P2P Cloud as being the open research areas to be considered for future work. The paper is organized as follows: section 2 discusses a goal based classification scheme of security attacks (on P2P networks) as proposed by the authors. Section 3 provides a discussion on Goal oriented Threat modeling while Section 4 provides details on the threat modeling method (discussed in the earlier section) applied on a P2PCloud system. Section 5 concludes listing some of the areas related to P2PCloud security having research potential. 2. Security Attacks in P2P Network P2P networking as a relatively new paradigm of networking and resource sharing is not resilient against attacks. The fact that peer networking can enable resource sharing on a massive scale and involve idle nodes often outside of an established network is motivation enough for large scale attacks. In this paper the authors propose a re-classification of the attacks based on the objectives of the attackers. To the best of our knowledge, such classification has not been done yet. An existing classification scheme39 classifies attacks based on the relatively independent processes like identity assignment, routing and application which are present in P2P networks. Based the objectives of the attackers the attacks have been grouped as follows: 2.1 Attacks to acquire nodes The importance of this type of attack is due to the fact that, capturing nodes is a way of acquiring more processing capability apart from being a good start for launching massive network perimeter breach attacks. Attacks such as Eclipse and Sybil can be launched after acquiring new nodes. Eclipse attacks typically involve a group of malicious node posing as prospective peers to a victim node say X. Node X then makes the malicious nodes as its peers. The effect here is to hijack the node, block out any actually non-malicious node from communicating with X, as well as to completely gain control over the traffic send and received by X, essentially making a censorship attack14 . A Sybil attack is related to an eclipse attack. In Sybil, a malicious node assumes a large number of identities and becomes peers to a victim node15.
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
Table 1. Objective-Based Classification of Attacks on P2P Networks. Node acquisition
Service Disruption
Disintegrating network structure
Eclipse, Botnet architecture based measures22 .
Routing attacks, Secure Routing19 .
Churn, Dynamic hypercube & pancake topology based systems26 . Identity based attacks, proof managers27 .
Eclipse, proximity neighbor selection23 . Eclipse, enforce degree bounds on nodes14 . Sybil, Trusted certification15 . Sybil, Constrained Routing Tables19 . Sybil, Recurring fee24 . Bot attacks, Centralised defense mechanism25 .
In both these types of attacks the victim is isolated from other possible non-malicious peers and these attacks enable acquiring unsuspecting vulnerable nodes which can possibly be used (later) to work as Command-and–Control (C&C) centers of botnets. Botnets or bot attacks are rising significantly. A bot is a node over which a malicious node gets control. Several of such nodes form a botnet or an army of bots with differing topology. There is a command and control (C&C) center for every botnet. A botnet is run by a botmaster who sends commands to the C&C center16, 17. These commands are transmitted to the bots via communication with the C&C center. This allows an attacker to enjoy anonymity, perpetuate attacks through any number of bot nodes and even leave or acquire bots as per attack strategies. Botnets can be widely scattered (physically) and can resort to fast fluxing18 by which locating a botnet becomes difficult. In fast-fluxing, a domain name is mapped to a number of IP addresses (hundreds, or even thousands) rather than a single IP address. 2.2 Attacks to disrupt services Routing attacks come in this category. Such attacks are in the form of incorrect routing updates, incorrect lookup update and so on. The objective could be disrupting normal routing services of nodes or, changing its routes to gather information or send information19. 2.3 Attacks to disintegrate existing network structure Random leaving and joining a network by a number of peers can disturb a network structure in that, the load distribution balance will be lost. In severe cases the peer network may break down. Churn is a type of network level attack in which peers join and leave network as per their requirements, thereby dividing the original peer network into smaller sub-networks and the structure of the peer network breaks down20, 21. The Table 1 lists the attacks under the heads into which they are classified. Information under each attack class include: Attack Name and Suggested Solution. 3. Goal Oriented Threat Modeling Considering the classification of attacks based on the objective of the attacker that has been presented earlier in this paper, a goal-based threat modeling approach has been considered in this paper. Goal based threat modeling can either model the goal of the adversary and how such goals are achieved as in attack tree based modeling28 or how a system goal is hampered by events as in the goal based approach which extends upon the NFR model and uses negative softgoals29. The NFR model focuses on the Non-Functional Requirements of a software system, which are essentially the quality attributes of which security, reliability are some. It introduces the concept of considering the non-functional requirements as the softgoals or those goals which “need to be addressed not absolutely but in a good enough sense”. The “good enough” achievement of the softgoals is in keeping with the difficulty level associated with the problem and its corresponding solution. NFR model has the concept of satisficing (instead of satisfying) the softgoals as such softgoals can be addressed in a “good enough” sense only. The softgoals may satisfice or deny (negatively satisfice) another softgoal30. In this type of threat modeling, each non-functional requirement being represented as a softgoal
67
68
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
undergoes an iterative interleaving process whereby they are satisficed (positively or negatively) by using and/or decompositions, other operations and arguments29. Such semantics result in the formation of Softgoal Interdependency Graph (SIG) as an outcome of the NFR model. Oladimeji modifies the NFR model in that negative softgoals (goals of an attacker) are introduced30 for representing threats and their inverse contributions for evaluating design alternatives during analysis. As P2P Clouds are increasingly being used for commercial purpose (such as in data center for banks31, 32 or in content delivery networks33, 34 for telecom sector), it is useful to arrive at the security requirements specifications of a P2P Cloud system. Towards this end, threat modeling is imperative in that it involves identification of threats, providing mitigation measures for the threats and creation of threat model to assist in further penetration testing30 . Apart from this, threat modeling also enables identification of the circumstances to which a system should adapt. Towards performing threat modeling for a P2PCloud system (see section 4), most of the semantics of the NFR model used, has been retained in this paper. The notations used in creating the SIG for P2PCloud system are summarized below: The light bordered clouds are the softgoals, whether system softgoals or attacker’s softgoals. Attacker’s softgoals may also be referred as the negative softgoals. Clouds with thick dark borders are the operationalizing softgoals which can be decomposed into more specific security mechanisms. Softgoals have been decomposed by AND (single arc) or OR (double arc) decomposition. Such decompositions are made by type or topic. Here type refers to the specific descriptor in use (e.g. security, performance) and topic refers to the context in which such descriptor is used (e.g. account, node). Contributions of one softgoals to its parent softgoals are denoted by Make (green line with ++ label), Help (green line with + label), Break (red line with –) and Hurt (red line with -). While Make indicates that an operationalization (e.g. A solution) by itself can achieve (or satisfice) a goal, Help indicates that an operationalization can help but cannot by itself achieve or satisfice a goal. Similarly, Break by itself can deny a goal while Hurt ‘hurts’ but does not by itself deny a goal. The solid contribution line represents a contribution by a solution or a problem to a goal one is trying to achieve or mitigate. In case the degree of positive or negative contribution of softgoals to their parent softgoals is not known, one can use SomePlus (S+) or SomeMinus (S-) to indicate some degree of positive or negative contribution. 4. Threat Modeling for P2PCloud The Goal-based Threat modeling for the P2PCloud using NFR model begins with the high-level security softgoal, which is the Security of Online P2P Cloud System (P2PCS) also written as Security[Online Cloud System]. This is then refined to a more specific softgoal, namely Security[Node] which shows that to protect the Security of the Online Cloud Network System, the Security of individual nodes must be ensured. Use of AND decomposition causes further decomposition into softgoals: Confidentiality/Privacy[Node] AND Integrity[Node] AND Availability[Node]. Node integrity can again be satisficed to some extent by Node Authenticity OR by Node Non-repudiation. The softgoal Availability of a node can be broken by DOS (Denial of Service) attacks. DOS attack as a negative softgoal can be achieved by successive satisficing of negative softgoals Bot installation in a node and Node Hijack successively. Spoofing the ID of a node can to some extent negatively affect the Authenticity or Non-repudiation of a node. The negative softgoal ID spoofing can be satisficed to some extent by either launching DGA based attacks on node addresses or Fast Fluxing the node addresses. Here DGA based attacks on nodes are referred to the much in use Domain Name Generation Algorithm (DGA) based attack which makes ascertaining the identity of a rogue node difficult35 . DGA attacks if made on host nodes ensure that such nodes now work under the control of Bots- their authenticity and Non repudiation within a closed cloud network becomes questionable. Fast fluxing refers to the rapid changing of IP addresses of either the host nodes or of the host nodes and the domain name servers36. Before arriving at the security requirements of the Cloud, the SIG formed so far can be analysed and threats can be perceived keeping in mind the system goals. Some of the likely negative softgoals or threats for a P2PCS are identified as: a) Node Hijack Attacks b) Denial of Service (DOS) attacks
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72 Table 2. Likely Threats and Corresponding Vulnerabilities in a Cloud Environment. Sl. No.
Threats
Vulnerabilities
Relation
1
Node Hijack
Threats 1, 2 and 5 are related. Botnet attack results in a node hijack causing DoS attacks to be launched from the attacked node.
2
Denial of Service (DOS)
Lack of policy for remote code execution Lack of trust-based inter-peer communication Lack of monitoring and logging Lack of reputation based trust management Security aspect not considered in peer reputation computation. Unnecessary services enabled37 Uncontrolled downloading and use of software37 Unprotected communication lines37
3
Domain Generation (DGA) based attacks
Lack of policy for remote code execution Inadequate network management (resilience of routing)37 Lack of monitoring and logging
Threats 3, 4 and 5 are related. Botnet attack result in generation of bogus domain names, rapid change of IP addresses make tracking of botnet command & control (C&C) server difficult.
4
Spoofing and Fast Fluxing
Inadequate network management (resilience of routing)37 Lack of trust-based inter-peer communication Lack of reputation based trust management Security aspect not considered in peer reputation computation
Threats 3, 4 and 5 are related. Botnet attack result in generation of bogus domain names, rapid change of IP addresses make tracking of botnet command & control (C&C) server difficult.
5
Botnet Attacks
Lack of policy for remote code execution Lack of monitoring and logging Lack of reputation based trust management Security aspect not considered in peer reputation computation
Threats 1, 2 and 5 are related. Botnet attack results in a node hijack causing DoS attacks to be launched from the attacked node.
Algorithm
Threats 1, 2 and 5 are related. Botnet attack results in a node hijack causing DoS attacks to be launched from the attacked node.
c) Domain Generation Algorithm (DGA) based attacks d) Spoofing and Fast Flux attacks e) Botnet Attacks These are also some of the common attacks carried out in a cloud environment. Without going into any details of the individual attack types (because of the space constraints), the associated vulnerabilities for each of these attacks are now considered. This is an important part of threat modelling as threats come to exist only if vulnerabilities are not plugged or mitigated. The threats with associated vulnerabilities and how they are related are as follows: It is evident from the table above that the attacks and their associated vulnerabilities are inter-related. Due to the interrelation of the threats, plugging some vulnerabilities can take care of more than a single threat. From the SIG and the likely threats and vulnerabilities to the cloud network, a Threat-SIG can be formulated as a means for Threat modeling. In the Threat-SIG, the threats form the negative softgoals and, operationalizing softgoals Deny the satisficing of the negative softgoals. The operationalizing softgoals are the mitigation measures and can be arrived at by analyzing the threats and their corresponding vulnerabilities. Fig.1 shows the Threat-SIG for the Online P2PCloud System with the operationalizing softgoals which are also the mitigation measures. For instance, operationalizing softgoals of Extrusion detection and Reputation based Trust Management of a node can to some extent Deny the negative softgoal DGA based attack. Periodic scan of installed program and Logging and Monitoring can to some extent Deny the negative softgoal Bot installation. A Cloud Privacy Policy for each node and a Cloud Metadata Management model will in turn contribute to satisficing Privacy or Confidentiality of cloud nodes.
69
70
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
Fig. 1. Threat-SIG for P2PCloud.
From the Threat-SIG, the mitigation measures that can be listed are: a) b) c) d) e) f) g) h) i) j) k) l)
Cloud Metadata Management Model Privacy Policy Trusted Download Policy Logging and Monitoring of Cloud Nodes Unnecessary services disabled across nodes Periodic refresh of Routing Table rulesets Reputation based Trust management Trust based Policy for inter-peer communication Periodic scan of installed programs in nodes Remote Code execution Policy. Extrusion Detection Node Authentication and Authorization.
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
5. Conclusions and Future Work In this paper, we have proposed a classification of attacks on P2P networks which as per our knowledge has not yet been attempted. Such re-classification based on attacker’s goal has been a direct motivation towards performing a goal based Threat modeling on P2P Cloud System or P2PCS, which is the other contribution of this paper. Finally, due to identification of the threats from the model and linking them to their respective vulnerabilities, we have been able to analyse the threat-vulnerability pairs and identify the possible, applicable mitigation measures. These measures are the operational goals in the Threat-SIG. Therefore, the third contribution of the paper and a direct consequence of the goal-based Threat Modeling is, analysis of threat-vulnerability pair and identification of mitigation measures for them. For example a bot installation can Deny the positive softgoal Availability by launching DoS attacks and absence of remote code execution policy in a P2PCloud is a vulnerability which can be exploited by this threat. Having a Remote code execution policy or Periodic scan of installed program can counter the threat bot installation. Of course, threat-vulnerabilities, their effect on a P2PCloud system and the mitigation measures can be identified and verified by experimental data also. Towards securing the P2PCloud model, the security issues (which can be considered as open research areas) outlined below, need to be considered. These have been derived from the operational goals. Such as, Logging and Monitoring of nodes indicate that some kind of forensic process model specific to the needs of the Cloud environment should be there. • A reputation model based on the trust framework within which a peer system may operate can provide insight into the security aspect of peer nodes. This in turn will introduce some intelligence in the way peers communicate and introduce new peers. • A forensic process model incorporating the basics of the traditional forensic model and, its applicability to cloud environment is essential. In this context, existing proposed models may be reviewed and supplemented with other services. • A Cloud Metadata Management Framework would be much needed keeping in mind the growing concern about present scenario where metadata of cloud transactions are not secure and its authenticity questionable due to lack of proper management of such data. • Policy-based research for minimal Privacy policies that all cloud providers need to have is also an area of much concern. • Clouds being popular and having little or no standards dedicated towards secure cloud operations has become a focal point for a growing number of botnet activities. Testbed requirements for simulating secure transactions and countering bot attacks on clouds need to be developed. The research directions are in keeping with the trend of moving on to cloud data centers and in consideration of the US Government Cloud Computing Technology Roadmap Volume I Release 1.0 drafted as NIST SP 500-29338. With penetration of ICT infrastructure in every critical sector, lack of inbuilt security to prevent infiltration of malware into critical information systems, critical sectors remain vulnerable to internal and external threats. The paradigm shift towards superpeer39 computing and gradual adoption of cloud based data centers, creates research needs to focus not just on destroying botnets but on securing cloud based superpeer structures and interactions. Acknowledgements The authors would like to Thank Prof. Lawrence Chung and Dr. Sam Supakkul of the Department of Computer Science at UT Dallas for their help and use of RE Tools and Star UML both of which are Requirements Engineering Tools. References [1] M. Bawa, B. F. Cooper, A. Crespo, N. Daswani, P. Ganesan, H. Garcia-Molina and P. Vinograd, Peer-to-Peer Research at Stanford, ACM SIGMOD Record, vol. 32(3), pp. 23–28, (2003). [2] C. Wang and B. Li, Peer-to-Peer Overlay Networks: A Survey, Department of Computer Science, The Hong Kong University of Science and Technology, Hong Kong, 9, (2003).
71
72
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
[3] D. Clark, B. Lehr, S. Bauer, P. Faratin, R. Sami and J. Wroclawski, Overlay Networks and the Future of the Internet, Communications and Strategies, vol. 63, pp. 109, (2006). [4] D. Nicol, S. W. Smith and C. Hawblitzel, Marianas: Survivable Trust for Critical Infrastructure, Research Proposal NSF-01-160, December (2001). [5] D. S. Wallach, A Survey of Peer-to-Peer Security Issues, In Software Security—Theories and Systems, Springer Berlin Heidelberg, pp. 42–57, (2003). [6] N. Stakhanova, S. Ferrero, J. S. Wong and Y. Cai, A Reputation-Based Trust Management in Peer-to-Peer Network Systems, ISCA PDCS, vol. 4, pp. 510–515, (2004). [7] Z. Zhu, G. Lu, Y. Chen, Z. J. Fu, P. Roberts and K. Han, Botnet Research Survey, In 32nd Annual IEEE International Computer Software and Applications, 2008, COMPSAC’08, IEEE, pp. 967–972, July (2008). [8] S. Radack, Cloud Computing: A Review of Features, Benefits, and Risks, and Recommendations for Secure, Efficient Implementations, ITL bulletin for June (2012). [9] P. Simmonds, A. Yeomans, I. Dobson, J. Arnold, A. Secombe, P. Johnson and Y. Wilson, Security Guidance for Critical Area of Focus in Cloud Computing v3.0, Cloud Security Alliance (CSA), (2011). [10] W. Jansen and T. Grance, NIST Special Publication 800-144. Guidelines on Security and Privacy in Public Cloud Computing, (2011). [11] O. Babaoglu, M. Marzolla and M. Tamburini, Design and Implementation of a P2P Cloud System, In Proceedings of the 27th Annual ACM Symposium on Applied Computing, ACM, pp. 412–417, March (2012). [12] S. Shin and G. Gu, CloudWatcher: Network Security Monitoring using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?), In 20th IEEE International Conference on Network Protocols (ICNP), 2012 IEEE, pp. 1–6, October (2012). [13] X. Yue, X. Qiu, Y. Ji and C. Zhang, P2P Attack Taxonomy and Relationship Analysis, In 11th International Conference on Advanced Communication Technology, 2009 ICACT, 2009 IEEE, vol. 2, pp. 1207–1210, February (2009). [14] A. Singh, Eclipse Attacks on Overlay Networks: Threats and Defenses, In IEEE INFOCOM, (2006). [15] J. R. Douceur, The Sybil Attack, In Peer-to-peer Systems, Springer Berlin Heidelberg, pp. 251–260, (2002). [16] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang and D. Dagon, Peer-to-Peer Botnets: Overview and Case Study, In Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, pp. 1–1, April (2007). [17] D. Dittrich and S. Dietrich, P2P as Botnet Command and Control: A Deeper Insight, In 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, IEEE 2008, pp. 41–48, October (2008). [18] W. Xu, X. Wang and H. Xie, New Trends in FastFlux Networks, (2013). [19] M. Castro, P. Druschel, A. Ganesh, A. Rowstron and D. S. Wallach, Secure Routing for Structured Peer-to-Peer Overlay Networks, ACM SIGOPS Operating Systems Review, vol. 36(SI), pp. 299–314, (2002). [20] B. Mitra, S. Ghose, N. Ganguly and F. Peruani, Stability Analysis of Peer-to-Peer Networks Against Churn, Pramana, vol. 71(2), pp. 263–273, (2008). [21] F. Kuhn, S. Schmid and R. Wattenhofer, Towards Worst-Case Churn Resistant Peer-to-Peer Systems, Distributed Computing, vol. 22(4), pp. 249–267. [22] E. Heilman, A. Kendler, A. Zohar and S. Goldberg, Eclipse Attacks on Bitcoin’s Peer-to-Peer Network, (2015). [23] K. Hildrum and J. Kubiatowicz, Asymptotically Efficient Approaches to Fault-Tolerance in Peer-to-Peer Networks, Proc. of 17th International Symposium on Distributed Computing, Sorrento, Italy, October (2003). [24] N. B. Margolin, B. N. Levine, N. B. Margolin and B. N. Levine, Quantifying and Discouraging Sybil Attacks, Computer Science Technical Report, vol. 67, (2005). [25] R. Vogt, J. Aycock, and M. J. Jacobson Jr, Army of Botnets, In NDSS, February (2007). [26] F. Kuhn, S. Schmid and R. Wattenhofer, Towards Worst-Case Churn Resistant Peer-to-Peer Systems, Distributed Computing, vol. 22(4), pp. 249–267, (2010). [27] K. P. Puttaswamy, H. Zheng and B. Y. Zhao, Securing Structured Overlays Against Identity Attacks, IEEE Transactions on Parallel and Distributed Systems, vol. 20(10), pp. 1487–1498, (2009). [28] B. Schneier, Attack Trees, Dr. Dobb’s Journal, vol. 24(12), pp. 21–29, (1999). [29] L. Chung and J. C. S. Do Prado Leite, On Non-Functional Requirements in Software Engineering, In Conceptual Modeling: Foundations and Applications, Springer Berlin Heidelberg, pp. 363–379, (2009). [30] E. A. Oladimeji, S. Supakkul and L. Chung, Security Threat Modeling and Analysis: A Goal-Oriented Approach, In Proc. of the 10th IASTED International Conference on Software Engineering and Applications (SEA 2006), pp. 13–15, November (2006). [31] http://www.datacenterdynamics.com/colo-cloud-/deutsche-bank-picks-hp-for-ten-year-cloud-deal/93443.fullarticle [32] http://www.wsj.com/articles/bank-of-america-follows-internet-companies-into-the-cloud-1425676214 [33] http://telecoms.com/441371/alcatel-lucent-and-google-both-upgrade-content-delivery-networks/ [34] http://www.tatacommunications.com/services/system-integrators/network-services/cdn [35] S. Yadav, A. K. K. Reddy, A. N. Reddy and S. Ranjan, Detecting Algorithmically Generated Domain-Flux Attacks with DNS Traffic Analysis, IEEE/ACM Transactions on Networking, vol. 20(5), pp. 1663–1677, (2012). [36] ICANN Security and Stability Advisory Committee (SSAC), SAC 025: SSAC Advisory on Fast Flux Hosting and DNS, (2008). [37] B. ISO, IEC 27005: 2008, Information Technology–Security Techniques–Information Security Risk Management, (2012). [38] L. Badger, R. Bohn, S. Chu, M. Hogan, F. Liu, V. Kaufmann and D. Leaf, US Government Cloud Computing Technology Roadmap, vol. II Release 1.0-Special Publication 500-293 (draft), (2011). [39] B. Yang and H. Garcia-Molina, Designing a Super-Peer Network, In Proceedings. 19th International Conference on Data Engineering, 2003 IEEE, pp. 49–60, March (2003).
ScienceDirect Procedia Computer Science 89 (2016) 64 – 72
Twelfth International Multi-Conference on Information Processing-2016 (IMCIP-2016)
Goal Based Threat Modeling for Peer-to-Peer Cloud Sanghamitra Dea,∗ , Mridul Sankar Barikb and Indrajit Banerjeec a Future Institute of Engineering & Management, Kolkata, India b Jadavpur University, Kolkata, India c IIEST, Howrah, India
Abstract Peer-to-peer networks, without central servers, have peers operating both as client and server. This paper discusses flaws of P2P networks and clouds. That P2PClouds can be derived from idle resources is also briefly discussed. A re-classification of P2P attacks has been proposed based on attacker goals. Threat modeling enables developing designs for secure systems. An existing goal based threat modeling approach has been used and threats and countermeasures of a P2PCloud has been modeled using Threat-SIG. Finally, security requirements of P2PClouds are discussed as being potential area for further research in this field. © 2016 The Authors. Published by Elsevier B.V. © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license Peer-review under responsibility of organizing committee of the Twelfth International Multi-Conference on Information (http://creativecommons.org/licenses/by-nc-nd/4.0/). Processing-2016 Peer-review under (IMCIP-2016). responsibility of organizing committee of the Organizing Committee of IMCIP-2016 Keywords:
Cryptography; Cloud Security; IoT; Role Based Access Control Model; Sensors.
1. Introduction Peer-to peer (P2P) computing or P2P networks essentially involves a cluster of nodes connected in a network. Users at each node use the network to accomplish a task, download files, transfer data, search for information and so on. It is a form of distributed computing paradigm, where any user sitting at one node is able to utilize other nodes and their resources1 namely: disk space, computation speed, and bandwidth. Data sought by node A may be present/absent/partly present in its peer node B. On querying, B may find the complete data or a part of it with a peer of B (say C or D). Likewise, information sought by one node may be found with its peer or with the peer of its peer. This essentially indicates that a peer can perform as a client as well as a server of information. The effect of being able to procure resources from or provide resources to peers in a network, share one’s own storage space with others introduce security issues in peer groups or peer networks. This also holds true for quasi-closed groups in which a subset of the original set of nodes form a peer network, while superset nodes enter and leave as required. P2P networks such as Napster and Gnutella are also referred to as P2P Overlays2. Overlays can be considered as a set of servers across networks that provide infrastructure for different applications, forward data and can be operated by third parties3 . P2P networks have since found their way into being used4 as trusted network in critical infrastructure providing organizations. P2P networking has unresolved design flaws due to which it has persistently remained a target to certain attack trends. This directly points to the requirement to ensure that nodes agree to security protocols of a peer group and function to meet goals of the group. Some of the major flaws in P2P networking are: ∗ Corresponding author. Tel:: +91 -9836659766.
E-mail address: [email protected]
1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of organizing committee of the Organizing Committee of IMCIP-2016 doi:10.1016/j.procs.2016.06.010
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
• Absence of trust-based inter-peer communication: Peers join and leave the group as per their requirements and IP addresses could be dynamic or even spoofed. This implies that decoy or rogue nodes may assume identities and join peer groups. • Absence of policing for secure operations: In the absence of central control, there is little or no policing to establish trust within a peer group or for managing untrusted code5 in a peer network. • Peer reputation does not consider security aspects: There is no criterion based on which an unknown peer maybe introduced to a peer group. Decentralized methods of computing peers’ reputation based on traffic, search efficiency6 and other methods have been proposed so far. Peer reputation in applications such as Torrent is usually computed based on their contribution in the peer network, search hits and misses. • Lack of monitoring of performance: Peers are not resilient to botnets (networks of infected computers controlled by an attacker) or as the current trends are, to super botnets. Super botnets are advantageous compared to a large botnet in that, they involve a mass of botnets and propagate very fast. Bot tracking procedures need to improve to keep up with maturing botnet technologies7. Cloud computing provides the benefit of making ICT services available as a commodity. This ensures that the organizations which use cloud services can respond faster and reliably to their customer’s needs and improve their own efficiency8. Cloud computing paradigm provides on-demand self-service of essential components that are required by all ICT dependent sectors, namely: software, platform comprising of programming languages, libraries, services, and tools required and infrastructure components such as, computing resources, storage and selected network components. The availability of such resource pool through different business models as public, private, community and hybrid clouds is a security concern. With public, community and hybrid cloud there is practically no control over the security of such resource9. With clouds a number of security loopholes are introduced, such as: • Ambiguity of responsibility for the cloud service providers and users. • Loss of confidentiality, integrity, availability or even authenticity due to reduced accountability involved with cloud usage. • Loss of governance due to non-uniformity in application of internal controls, regarding which controls are selected and how they are integrated across different deployment models (SaaS, PaaS and IaaS or NaaS). • Users do not have a true view of the security level provided by the service provider as the cloud is merely a black box. Users have no idea as to where from their services are provided and how secure are those services10 . • Cloud services are accessed via unprotected, easily breached APIs. • Clouds have little or no provision for providing privacy to user data and often do not meet compliance requirements for data protection. • Clouds are being used to provide services such as in Microsoft Azure, or Amazon EC2. Considering the features, merits and demerits of both cloud and peer-to-peer networking, research efforts have been directed towards incorporating Clouds and P2P network into one single realizable system of P2P Clouds. A P2P Cloud would in effect provide on-demand scalability, computing resource and storage space (which can be added) as per varying needs. There would be no central point of failure, or central management and resource addition can be done by installing daemons. Also, such P2P Cloud System or P2PCS has been realized as a fully decentralized distributed IaaS cloud infrastructure11 from idle resources existing in an organization. The P2PCS has been derived by using daemons and algorithms as follows: • Peers comprise of a large number of networked nodes owned by different organizations/individuals of differing capacity & computing power (nodes ranging from notebooks to multicore servers). • Resource sharing is done by installation of daemon. • Daemon provides 2 interfaces: one for entering user requests, another for communicating with other peers. • Daemon handles churn ‘gracefully’ and maintains cohesion among nodes. Thus, the cloud as a whole is not reliable as nodes may enter and leave the cloud as per their requirements. Algorithms and protocols are used for handling churn and maintaining internode cohesion • Other algorithms are required for slicing/partitioning resources among service requestors and creation of sub-clouds. Slices are dynamic since user resource requirements may shrink or expand over time.
65
66
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
• Nodes inside slices may run reliably or crash. Keeping such possibilities in mind, nodes within a slice can interact with nodes inside as well as in the global cloud. P2PCS as discussed above is a constantly changing repository of resources, the changing nature being due to the entering and leaving of nodes. The stability of such a structure is maintained mainly by using gossip protocols. The most important requirement towards maintaining the stability of the structure is management of its partitions or slices. Bringing together peers and clouds even strengthens the security concerns of such structure including the feasibility of monitoring security in a peer cloud and validity of the results of monitoring. However, the P2PCS model does not have any provision for trust and security-based reputation management in its existing framework. Methods for providing access control, security monitoring using OpenFlow and Software Defined Networking (SDN) approaches already exist12 . P2P Cloud systems are used for providing Content Delivery Network (CDN) or in Data Centres. Some examples of Cloud service providers in use are: My Cloud (provides comprehensive multi-cloud security platform), Amazon Cloud Front (CDN) and SymForm (providing distributed backup), Peer-to-Peer backup (for P2P cloud storage). With peers interacting with other peers or peer groups, peer groups talking to each other and lack of proper internal controls in clouds used by the P2P networks, this can have far-reaching effects. P2P Clouds due to weaknesses inherent in P2P networks and Clouds, provide scope for further research. The goal of the paper is to perform threat modelling on P2P Cloud system and identify threats and vulnerabilities associated with the system and arrive at possible mitigation measures. This in turn would also aid in identifying security requirements of a P2P Cloud system The main contributions of this paper are: (i) the proposed re-classification of attacks on P2P networks on the basis of the objective of the attacker and (ii) the goal based threat modelling of P2P Cloud. Using the goal based threat modelling one can analytically arrive at the threat-vulnerability pairs and their respective mitigation measures. The final outcome of this work is the identification of the mitigation measures as operational softgoals by analysis of the threat-vulnerability pairs. The paper also identifies the security requirements related to P2P Cloud as being the open research areas to be considered for future work. The paper is organized as follows: section 2 discusses a goal based classification scheme of security attacks (on P2P networks) as proposed by the authors. Section 3 provides a discussion on Goal oriented Threat modeling while Section 4 provides details on the threat modeling method (discussed in the earlier section) applied on a P2PCloud system. Section 5 concludes listing some of the areas related to P2PCloud security having research potential. 2. Security Attacks in P2P Network P2P networking as a relatively new paradigm of networking and resource sharing is not resilient against attacks. The fact that peer networking can enable resource sharing on a massive scale and involve idle nodes often outside of an established network is motivation enough for large scale attacks. In this paper the authors propose a re-classification of the attacks based on the objectives of the attackers. To the best of our knowledge, such classification has not been done yet. An existing classification scheme39 classifies attacks based on the relatively independent processes like identity assignment, routing and application which are present in P2P networks. Based the objectives of the attackers the attacks have been grouped as follows: 2.1 Attacks to acquire nodes The importance of this type of attack is due to the fact that, capturing nodes is a way of acquiring more processing capability apart from being a good start for launching massive network perimeter breach attacks. Attacks such as Eclipse and Sybil can be launched after acquiring new nodes. Eclipse attacks typically involve a group of malicious node posing as prospective peers to a victim node say X. Node X then makes the malicious nodes as its peers. The effect here is to hijack the node, block out any actually non-malicious node from communicating with X, as well as to completely gain control over the traffic send and received by X, essentially making a censorship attack14 . A Sybil attack is related to an eclipse attack. In Sybil, a malicious node assumes a large number of identities and becomes peers to a victim node15.
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
Table 1. Objective-Based Classification of Attacks on P2P Networks. Node acquisition
Service Disruption
Disintegrating network structure
Eclipse, Botnet architecture based measures22 .
Routing attacks, Secure Routing19 .
Churn, Dynamic hypercube & pancake topology based systems26 . Identity based attacks, proof managers27 .
Eclipse, proximity neighbor selection23 . Eclipse, enforce degree bounds on nodes14 . Sybil, Trusted certification15 . Sybil, Constrained Routing Tables19 . Sybil, Recurring fee24 . Bot attacks, Centralised defense mechanism25 .
In both these types of attacks the victim is isolated from other possible non-malicious peers and these attacks enable acquiring unsuspecting vulnerable nodes which can possibly be used (later) to work as Command-and–Control (C&C) centers of botnets. Botnets or bot attacks are rising significantly. A bot is a node over which a malicious node gets control. Several of such nodes form a botnet or an army of bots with differing topology. There is a command and control (C&C) center for every botnet. A botnet is run by a botmaster who sends commands to the C&C center16, 17. These commands are transmitted to the bots via communication with the C&C center. This allows an attacker to enjoy anonymity, perpetuate attacks through any number of bot nodes and even leave or acquire bots as per attack strategies. Botnets can be widely scattered (physically) and can resort to fast fluxing18 by which locating a botnet becomes difficult. In fast-fluxing, a domain name is mapped to a number of IP addresses (hundreds, or even thousands) rather than a single IP address. 2.2 Attacks to disrupt services Routing attacks come in this category. Such attacks are in the form of incorrect routing updates, incorrect lookup update and so on. The objective could be disrupting normal routing services of nodes or, changing its routes to gather information or send information19. 2.3 Attacks to disintegrate existing network structure Random leaving and joining a network by a number of peers can disturb a network structure in that, the load distribution balance will be lost. In severe cases the peer network may break down. Churn is a type of network level attack in which peers join and leave network as per their requirements, thereby dividing the original peer network into smaller sub-networks and the structure of the peer network breaks down20, 21. The Table 1 lists the attacks under the heads into which they are classified. Information under each attack class include: Attack Name and Suggested Solution. 3. Goal Oriented Threat Modeling Considering the classification of attacks based on the objective of the attacker that has been presented earlier in this paper, a goal-based threat modeling approach has been considered in this paper. Goal based threat modeling can either model the goal of the adversary and how such goals are achieved as in attack tree based modeling28 or how a system goal is hampered by events as in the goal based approach which extends upon the NFR model and uses negative softgoals29. The NFR model focuses on the Non-Functional Requirements of a software system, which are essentially the quality attributes of which security, reliability are some. It introduces the concept of considering the non-functional requirements as the softgoals or those goals which “need to be addressed not absolutely but in a good enough sense”. The “good enough” achievement of the softgoals is in keeping with the difficulty level associated with the problem and its corresponding solution. NFR model has the concept of satisficing (instead of satisfying) the softgoals as such softgoals can be addressed in a “good enough” sense only. The softgoals may satisfice or deny (negatively satisfice) another softgoal30. In this type of threat modeling, each non-functional requirement being represented as a softgoal
67
68
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
undergoes an iterative interleaving process whereby they are satisficed (positively or negatively) by using and/or decompositions, other operations and arguments29. Such semantics result in the formation of Softgoal Interdependency Graph (SIG) as an outcome of the NFR model. Oladimeji modifies the NFR model in that negative softgoals (goals of an attacker) are introduced30 for representing threats and their inverse contributions for evaluating design alternatives during analysis. As P2P Clouds are increasingly being used for commercial purpose (such as in data center for banks31, 32 or in content delivery networks33, 34 for telecom sector), it is useful to arrive at the security requirements specifications of a P2P Cloud system. Towards this end, threat modeling is imperative in that it involves identification of threats, providing mitigation measures for the threats and creation of threat model to assist in further penetration testing30 . Apart from this, threat modeling also enables identification of the circumstances to which a system should adapt. Towards performing threat modeling for a P2PCloud system (see section 4), most of the semantics of the NFR model used, has been retained in this paper. The notations used in creating the SIG for P2PCloud system are summarized below: The light bordered clouds are the softgoals, whether system softgoals or attacker’s softgoals. Attacker’s softgoals may also be referred as the negative softgoals. Clouds with thick dark borders are the operationalizing softgoals which can be decomposed into more specific security mechanisms. Softgoals have been decomposed by AND (single arc) or OR (double arc) decomposition. Such decompositions are made by type or topic. Here type refers to the specific descriptor in use (e.g. security, performance) and topic refers to the context in which such descriptor is used (e.g. account, node). Contributions of one softgoals to its parent softgoals are denoted by Make (green line with ++ label), Help (green line with + label), Break (red line with –) and Hurt (red line with -). While Make indicates that an operationalization (e.g. A solution) by itself can achieve (or satisfice) a goal, Help indicates that an operationalization can help but cannot by itself achieve or satisfice a goal. Similarly, Break by itself can deny a goal while Hurt ‘hurts’ but does not by itself deny a goal. The solid contribution line represents a contribution by a solution or a problem to a goal one is trying to achieve or mitigate. In case the degree of positive or negative contribution of softgoals to their parent softgoals is not known, one can use SomePlus (S+) or SomeMinus (S-) to indicate some degree of positive or negative contribution. 4. Threat Modeling for P2PCloud The Goal-based Threat modeling for the P2PCloud using NFR model begins with the high-level security softgoal, which is the Security of Online P2P Cloud System (P2PCS) also written as Security[Online Cloud System]. This is then refined to a more specific softgoal, namely Security[Node] which shows that to protect the Security of the Online Cloud Network System, the Security of individual nodes must be ensured. Use of AND decomposition causes further decomposition into softgoals: Confidentiality/Privacy[Node] AND Integrity[Node] AND Availability[Node]. Node integrity can again be satisficed to some extent by Node Authenticity OR by Node Non-repudiation. The softgoal Availability of a node can be broken by DOS (Denial of Service) attacks. DOS attack as a negative softgoal can be achieved by successive satisficing of negative softgoals Bot installation in a node and Node Hijack successively. Spoofing the ID of a node can to some extent negatively affect the Authenticity or Non-repudiation of a node. The negative softgoal ID spoofing can be satisficed to some extent by either launching DGA based attacks on node addresses or Fast Fluxing the node addresses. Here DGA based attacks on nodes are referred to the much in use Domain Name Generation Algorithm (DGA) based attack which makes ascertaining the identity of a rogue node difficult35 . DGA attacks if made on host nodes ensure that such nodes now work under the control of Bots- their authenticity and Non repudiation within a closed cloud network becomes questionable. Fast fluxing refers to the rapid changing of IP addresses of either the host nodes or of the host nodes and the domain name servers36. Before arriving at the security requirements of the Cloud, the SIG formed so far can be analysed and threats can be perceived keeping in mind the system goals. Some of the likely negative softgoals or threats for a P2PCS are identified as: a) Node Hijack Attacks b) Denial of Service (DOS) attacks
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72 Table 2. Likely Threats and Corresponding Vulnerabilities in a Cloud Environment. Sl. No.
Threats
Vulnerabilities
Relation
1
Node Hijack
Threats 1, 2 and 5 are related. Botnet attack results in a node hijack causing DoS attacks to be launched from the attacked node.
2
Denial of Service (DOS)
Lack of policy for remote code execution Lack of trust-based inter-peer communication Lack of monitoring and logging Lack of reputation based trust management Security aspect not considered in peer reputation computation. Unnecessary services enabled37 Uncontrolled downloading and use of software37 Unprotected communication lines37
3
Domain Generation (DGA) based attacks
Lack of policy for remote code execution Inadequate network management (resilience of routing)37 Lack of monitoring and logging
Threats 3, 4 and 5 are related. Botnet attack result in generation of bogus domain names, rapid change of IP addresses make tracking of botnet command & control (C&C) server difficult.
4
Spoofing and Fast Fluxing
Inadequate network management (resilience of routing)37 Lack of trust-based inter-peer communication Lack of reputation based trust management Security aspect not considered in peer reputation computation
Threats 3, 4 and 5 are related. Botnet attack result in generation of bogus domain names, rapid change of IP addresses make tracking of botnet command & control (C&C) server difficult.
5
Botnet Attacks
Lack of policy for remote code execution Lack of monitoring and logging Lack of reputation based trust management Security aspect not considered in peer reputation computation
Threats 1, 2 and 5 are related. Botnet attack results in a node hijack causing DoS attacks to be launched from the attacked node.
Algorithm
Threats 1, 2 and 5 are related. Botnet attack results in a node hijack causing DoS attacks to be launched from the attacked node.
c) Domain Generation Algorithm (DGA) based attacks d) Spoofing and Fast Flux attacks e) Botnet Attacks These are also some of the common attacks carried out in a cloud environment. Without going into any details of the individual attack types (because of the space constraints), the associated vulnerabilities for each of these attacks are now considered. This is an important part of threat modelling as threats come to exist only if vulnerabilities are not plugged or mitigated. The threats with associated vulnerabilities and how they are related are as follows: It is evident from the table above that the attacks and their associated vulnerabilities are inter-related. Due to the interrelation of the threats, plugging some vulnerabilities can take care of more than a single threat. From the SIG and the likely threats and vulnerabilities to the cloud network, a Threat-SIG can be formulated as a means for Threat modeling. In the Threat-SIG, the threats form the negative softgoals and, operationalizing softgoals Deny the satisficing of the negative softgoals. The operationalizing softgoals are the mitigation measures and can be arrived at by analyzing the threats and their corresponding vulnerabilities. Fig.1 shows the Threat-SIG for the Online P2PCloud System with the operationalizing softgoals which are also the mitigation measures. For instance, operationalizing softgoals of Extrusion detection and Reputation based Trust Management of a node can to some extent Deny the negative softgoal DGA based attack. Periodic scan of installed program and Logging and Monitoring can to some extent Deny the negative softgoal Bot installation. A Cloud Privacy Policy for each node and a Cloud Metadata Management model will in turn contribute to satisficing Privacy or Confidentiality of cloud nodes.
69
70
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
Fig. 1. Threat-SIG for P2PCloud.
From the Threat-SIG, the mitigation measures that can be listed are: a) b) c) d) e) f) g) h) i) j) k) l)
Cloud Metadata Management Model Privacy Policy Trusted Download Policy Logging and Monitoring of Cloud Nodes Unnecessary services disabled across nodes Periodic refresh of Routing Table rulesets Reputation based Trust management Trust based Policy for inter-peer communication Periodic scan of installed programs in nodes Remote Code execution Policy. Extrusion Detection Node Authentication and Authorization.
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
5. Conclusions and Future Work In this paper, we have proposed a classification of attacks on P2P networks which as per our knowledge has not yet been attempted. Such re-classification based on attacker’s goal has been a direct motivation towards performing a goal based Threat modeling on P2P Cloud System or P2PCS, which is the other contribution of this paper. Finally, due to identification of the threats from the model and linking them to their respective vulnerabilities, we have been able to analyse the threat-vulnerability pairs and identify the possible, applicable mitigation measures. These measures are the operational goals in the Threat-SIG. Therefore, the third contribution of the paper and a direct consequence of the goal-based Threat Modeling is, analysis of threat-vulnerability pair and identification of mitigation measures for them. For example a bot installation can Deny the positive softgoal Availability by launching DoS attacks and absence of remote code execution policy in a P2PCloud is a vulnerability which can be exploited by this threat. Having a Remote code execution policy or Periodic scan of installed program can counter the threat bot installation. Of course, threat-vulnerabilities, their effect on a P2PCloud system and the mitigation measures can be identified and verified by experimental data also. Towards securing the P2PCloud model, the security issues (which can be considered as open research areas) outlined below, need to be considered. These have been derived from the operational goals. Such as, Logging and Monitoring of nodes indicate that some kind of forensic process model specific to the needs of the Cloud environment should be there. • A reputation model based on the trust framework within which a peer system may operate can provide insight into the security aspect of peer nodes. This in turn will introduce some intelligence in the way peers communicate and introduce new peers. • A forensic process model incorporating the basics of the traditional forensic model and, its applicability to cloud environment is essential. In this context, existing proposed models may be reviewed and supplemented with other services. • A Cloud Metadata Management Framework would be much needed keeping in mind the growing concern about present scenario where metadata of cloud transactions are not secure and its authenticity questionable due to lack of proper management of such data. • Policy-based research for minimal Privacy policies that all cloud providers need to have is also an area of much concern. • Clouds being popular and having little or no standards dedicated towards secure cloud operations has become a focal point for a growing number of botnet activities. Testbed requirements for simulating secure transactions and countering bot attacks on clouds need to be developed. The research directions are in keeping with the trend of moving on to cloud data centers and in consideration of the US Government Cloud Computing Technology Roadmap Volume I Release 1.0 drafted as NIST SP 500-29338. With penetration of ICT infrastructure in every critical sector, lack of inbuilt security to prevent infiltration of malware into critical information systems, critical sectors remain vulnerable to internal and external threats. The paradigm shift towards superpeer39 computing and gradual adoption of cloud based data centers, creates research needs to focus not just on destroying botnets but on securing cloud based superpeer structures and interactions. Acknowledgements The authors would like to Thank Prof. Lawrence Chung and Dr. Sam Supakkul of the Department of Computer Science at UT Dallas for their help and use of RE Tools and Star UML both of which are Requirements Engineering Tools. References [1] M. Bawa, B. F. Cooper, A. Crespo, N. Daswani, P. Ganesan, H. Garcia-Molina and P. Vinograd, Peer-to-Peer Research at Stanford, ACM SIGMOD Record, vol. 32(3), pp. 23–28, (2003). [2] C. Wang and B. Li, Peer-to-Peer Overlay Networks: A Survey, Department of Computer Science, The Hong Kong University of Science and Technology, Hong Kong, 9, (2003).
71
72
Sanghamitra De et al. / Procedia Computer Science 89 (2016) 64 – 72
[3] D. Clark, B. Lehr, S. Bauer, P. Faratin, R. Sami and J. Wroclawski, Overlay Networks and the Future of the Internet, Communications and Strategies, vol. 63, pp. 109, (2006). [4] D. Nicol, S. W. Smith and C. Hawblitzel, Marianas: Survivable Trust for Critical Infrastructure, Research Proposal NSF-01-160, December (2001). [5] D. S. Wallach, A Survey of Peer-to-Peer Security Issues, In Software Security—Theories and Systems, Springer Berlin Heidelberg, pp. 42–57, (2003). [6] N. Stakhanova, S. Ferrero, J. S. Wong and Y. Cai, A Reputation-Based Trust Management in Peer-to-Peer Network Systems, ISCA PDCS, vol. 4, pp. 510–515, (2004). [7] Z. Zhu, G. Lu, Y. Chen, Z. J. Fu, P. Roberts and K. Han, Botnet Research Survey, In 32nd Annual IEEE International Computer Software and Applications, 2008, COMPSAC’08, IEEE, pp. 967–972, July (2008). [8] S. Radack, Cloud Computing: A Review of Features, Benefits, and Risks, and Recommendations for Secure, Efficient Implementations, ITL bulletin for June (2012). [9] P. Simmonds, A. Yeomans, I. Dobson, J. Arnold, A. Secombe, P. Johnson and Y. Wilson, Security Guidance for Critical Area of Focus in Cloud Computing v3.0, Cloud Security Alliance (CSA), (2011). [10] W. Jansen and T. Grance, NIST Special Publication 800-144. Guidelines on Security and Privacy in Public Cloud Computing, (2011). [11] O. Babaoglu, M. Marzolla and M. Tamburini, Design and Implementation of a P2P Cloud System, In Proceedings of the 27th Annual ACM Symposium on Applied Computing, ACM, pp. 412–417, March (2012). [12] S. Shin and G. Gu, CloudWatcher: Network Security Monitoring using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?), In 20th IEEE International Conference on Network Protocols (ICNP), 2012 IEEE, pp. 1–6, October (2012). [13] X. Yue, X. Qiu, Y. Ji and C. Zhang, P2P Attack Taxonomy and Relationship Analysis, In 11th International Conference on Advanced Communication Technology, 2009 ICACT, 2009 IEEE, vol. 2, pp. 1207–1210, February (2009). [14] A. Singh, Eclipse Attacks on Overlay Networks: Threats and Defenses, In IEEE INFOCOM, (2006). [15] J. R. Douceur, The Sybil Attack, In Peer-to-peer Systems, Springer Berlin Heidelberg, pp. 251–260, (2002). [16] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang and D. Dagon, Peer-to-Peer Botnets: Overview and Case Study, In Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, pp. 1–1, April (2007). [17] D. Dittrich and S. Dietrich, P2P as Botnet Command and Control: A Deeper Insight, In 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, IEEE 2008, pp. 41–48, October (2008). [18] W. Xu, X. Wang and H. Xie, New Trends in FastFlux Networks, (2013). [19] M. Castro, P. Druschel, A. Ganesh, A. Rowstron and D. S. Wallach, Secure Routing for Structured Peer-to-Peer Overlay Networks, ACM SIGOPS Operating Systems Review, vol. 36(SI), pp. 299–314, (2002). [20] B. Mitra, S. Ghose, N. Ganguly and F. Peruani, Stability Analysis of Peer-to-Peer Networks Against Churn, Pramana, vol. 71(2), pp. 263–273, (2008). [21] F. Kuhn, S. Schmid and R. Wattenhofer, Towards Worst-Case Churn Resistant Peer-to-Peer Systems, Distributed Computing, vol. 22(4), pp. 249–267. [22] E. Heilman, A. Kendler, A. Zohar and S. Goldberg, Eclipse Attacks on Bitcoin’s Peer-to-Peer Network, (2015). [23] K. Hildrum and J. Kubiatowicz, Asymptotically Efficient Approaches to Fault-Tolerance in Peer-to-Peer Networks, Proc. of 17th International Symposium on Distributed Computing, Sorrento, Italy, October (2003). [24] N. B. Margolin, B. N. Levine, N. B. Margolin and B. N. Levine, Quantifying and Discouraging Sybil Attacks, Computer Science Technical Report, vol. 67, (2005). [25] R. Vogt, J. Aycock, and M. J. Jacobson Jr, Army of Botnets, In NDSS, February (2007). [26] F. Kuhn, S. Schmid and R. Wattenhofer, Towards Worst-Case Churn Resistant Peer-to-Peer Systems, Distributed Computing, vol. 22(4), pp. 249–267, (2010). [27] K. P. Puttaswamy, H. Zheng and B. Y. Zhao, Securing Structured Overlays Against Identity Attacks, IEEE Transactions on Parallel and Distributed Systems, vol. 20(10), pp. 1487–1498, (2009). [28] B. Schneier, Attack Trees, Dr. Dobb’s Journal, vol. 24(12), pp. 21–29, (1999). [29] L. Chung and J. C. S. Do Prado Leite, On Non-Functional Requirements in Software Engineering, In Conceptual Modeling: Foundations and Applications, Springer Berlin Heidelberg, pp. 363–379, (2009). [30] E. A. Oladimeji, S. Supakkul and L. Chung, Security Threat Modeling and Analysis: A Goal-Oriented Approach, In Proc. of the 10th IASTED International Conference on Software Engineering and Applications (SEA 2006), pp. 13–15, November (2006). [31] http://www.datacenterdynamics.com/colo-cloud-/deutsche-bank-picks-hp-for-ten-year-cloud-deal/93443.fullarticle [32] http://www.wsj.com/articles/bank-of-america-follows-internet-companies-into-the-cloud-1425676214 [33] http://telecoms.com/441371/alcatel-lucent-and-google-both-upgrade-content-delivery-networks/ [34] http://www.tatacommunications.com/services/system-integrators/network-services/cdn [35] S. Yadav, A. K. K. Reddy, A. N. Reddy and S. Ranjan, Detecting Algorithmically Generated Domain-Flux Attacks with DNS Traffic Analysis, IEEE/ACM Transactions on Networking, vol. 20(5), pp. 1663–1677, (2012). [36] ICANN Security and Stability Advisory Committee (SSAC), SAC 025: SSAC Advisory on Fast Flux Hosting and DNS, (2008). [37] B. ISO, IEC 27005: 2008, Information Technology–Security Techniques–Information Security Risk Management, (2012). [38] L. Badger, R. Bohn, S. Chu, M. Hogan, F. Liu, V. Kaufmann and D. Leaf, US Government Cloud Computing Technology Roadmap, vol. II Release 1.0-Special Publication 500-293 (draft), (2011). [39] B. Yang and H. Garcia-Molina, Designing a Super-Peer Network, In Proceedings. 19th International Conference on Data Engineering, 2003 IEEE, pp. 49–60, March (2003).