CR · Nov 9, 2016

Toward Smart Moving Target Defense for Linux Container Resiliency

arXiv:1611.03065v2 · 20 citations
AI Analysis

This work addresses container security in cloud environments, offering a novel defense approach, though it appears incremental as it builds on existing moving target defense concepts.

The paper tackles the problem of securing cloud containers by introducing ESCAPE, a moving target defense mechanism that models attacker-container interactions as a predator-prey search game and uses live migration to avoid attacks and failures. Simulation results show high container survival probabilities and minimal overhead.

This paper presents ESCAPE, an informed moving target defense mechanism for cloud containers. ESCAPE models the interaction between attackers and their target containers as a "predator searching for a prey" search game. Live migration of Linux-containers (prey) is used to avoid attacks (predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate ESCAPE effectiveness, we simulated the attack avoidance process based on a mathematical model mimicking the prey-vs-predator search game. Simulation results show high container survival probabilities with minimal added overhead.
