Abstract. This paper presents ESCAPE, an informed moving target defense mechanism for cloud containers. ESCAPE models the interaction between attackers and their target containers as a "predator searching for a prey" search game. Live migration of Linux containers (the prey) is used to avoid attacks (the predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate the effectiveness of ESCAPE, we simulated the attack-avoidance process using a mathematical model of the prey-vs-predator search game. Simulation results show high container survival probabilities with minimal added overhead.

© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
I. INTRODUCTION

Linux containers running in commercial cloud environments share the same kernel with containers belonging to other customers, which increases the attack surface compared to VM-based virtualization, where each tenant runs its own kernel. To protect Linux containers in such a shared environment, service providers are expected to monitor the behavior of the containers running on their systems for suspicious activity. Upon detection of a possible threat, the service provider should take action to protect the guest containers. The most straightforward action is to kill the misbehaving container and inform its owner of the detected anomaly, but this is rarely cost effective, especially for long-running stateful applications whose state would be lost.

A more cost-effective alternative [1] is to take a snapshot of the running application while it is in a safe state. Upon attack detection, the system simply rolls back to the most recent saved safe state. The drawback of this approach shows when the last saved state is itself vulnerable and/or the attack is persistent: the restored container comes back into the same environment the attacker already reaches, the attack repeats, and the container enters a continuous loop of restores. To overcome this limitation, we propose a nature-inspired approach that changes the container's execution environment in order to mislead a persistent attack. The system equips the attacker's target (the prey) with the tools needed to ESCAPE from the attacker (the predator), e.g. by moving the container to a randomly chosen remote host.

In this paper, we use live migration of cloud containers as a moving target defense (MTD) [2] mechanism against host-based persistent attacks. The MTD mechanism is guided by a host-based intrusion detection system (HIDS) [3] [4] that monitors the running containers to detect potential anomalies or misbehaviors. The HIDS learns the behavior of all the containers running on the host, and upon detecting a change in the behavior of one or more containers, it signals the MTD module of the system to ESCAPE the affected contai...
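The contrast drawn above between snapshot rollback (the container is restored onto the host the attacker already reaches, so the attack repeats) and migration (the attacker loses the target and has to search for it again) can be made concrete with a toy search-game simulation. The following is an added example written for this edit; it is not the paper's simulation model or code, and the model it encodes is an assumption: a persistent attacker scans hosts one per step until it is co-located with the target, then needs `dwell` consecutive co-located steps to finish the compromise, while a HIDS raises an alarm on each co-located step with probability `p_detect`. The three response policies, the parameter names and the default values are all hypothetical choices made for illustration.

```python
"""Toy prey-vs-predator search game for container moving target defense.

Assumed model (an illustration, not the paper's model):
- n_hosts hosts; the target container (prey) runs on exactly one of them.
- A persistent attacker (predator) scans hosts one per time step, in order,
  until it lands on the prey's host, then needs `dwell` consecutive
  co-located steps to complete the compromise.
- On each co-located step the HIDS raises an alarm with probability p_detect.
- Policies on alarm (hypothetical names):
    "none"     : ignore the alarm (baseline).
    "rollback" : restore the snapshot on the same host; the attacker stays
                 co-located and restarts, so every alarm costs one restore.
    "migrate"  : live-migrate to a uniformly random other host; the attacker
                 loses the prey and must search again.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    n_hosts: int = 8      # hosts the prey can be migrated between (assumed)
    steps: int = 200      # length of one episode in time steps (assumed)
    dwell: int = 3        # co-located attacker steps needed to compromise (assumed)
    p_detect: float = 1.0 # per-step HIDS detection probability (assumed)


@dataclass
class Outcome:
    survived: bool   # True if the prey was never compromised within `steps`
    actions: int     # number of restores or migrations performed


def run_episode(params: Params, policy: str, rng: random.Random) -> Outcome:
    """Play one episode of the search game and report the outcome."""
    if policy not in ("none", "rollback", "migrate"):
        raise ValueError(f"unknown policy {policy!r}")
    prey = rng.randrange(params.n_hosts)
    attacker = rng.randrange(params.n_hosts)
    progress = 0   # consecutive co-located attacker steps so far
    actions = 0
    for _ in range(params.steps):
        if attacker != prey:
            # Predator searching: advance to the next host in scan order.
            attacker = (attacker + 1) % params.n_hosts
            continue
        # Predator co-located with the prey: the attack advances one step.
        progress += 1
        if progress >= params.dwell:
            return Outcome(False, actions)
        if rng.random() < params.p_detect:
            if policy == "rollback":
                # Restore resets the attacker's progress but not its position.
                progress = 0
                actions += 1
            elif policy == "migrate":
                # Escape to a different host; the attacker is left behind.
                others = [h for h in range(params.n_hosts) if h != prey]
                prey = rng.choice(others)
                progress = 0
                actions += 1
    return Outcome(True, actions)


def simulate(params: Params, policy: str, trials: int = 2000, seed: int = 1):
    """Monte Carlo estimate: (survival probability, mean recovery actions)."""
    rng = random.Random(seed)
    outcomes = [run_episode(params, policy, rng) for _ in range(trials)]
    survival = sum(o.survived for o in outcomes) / trials
    mean_actions = sum(o.actions for o in outcomes) / trials
    return survival, mean_actions


if __name__ == "__main__":
    for p_detect in (1.0, 0.7, 0.4):
        params = Params(p_detect=p_detect)
        print(f"p_detect={p_detect:.1f}")
        for policy in ("none", "rollback", "migrate"):
            survival, actions = simulate(params, policy)
            print(f"  {policy:9s} survival={survival:.3f} actions/episode={actions:.1f}")
```

With perfect detection the "rollback" and "migrate" policies both survive, but rollback pays one restore per time step for the whole episode because the attacker never leaves, whereas migration forces a fresh search after each escape and needs far fewer actions; lowering `p_detect` shows how the survival probability of the escaping prey degrades as the monitor misses co-located steps. The numbers depend entirely on the assumed model and should not be read as the paper's results.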