Abstract
Nowadays, the edge-cloud (EC) paradigm is adopted in several domains, including manufacturing, health, and critical infrastructure management. Identifying existing threats and vulnerabilities of an EC system and determining appropriate countermeasures is a costly and time-consuming process due to the inherent system complexity and to the heterogeneity of involved assets. Moreover, even when appropriate security measures are enforced, attacks may still succeed because of the natural degradation of security mechanisms’ effectiveness due to attackers’ reconnaissance efforts and/or to unknown vulnerabilities coming into play. This paper describes the objectives of the DEFEDGE project, which aims to define a set of techniques for the development of secure and resilient edge-cloud systems and for their assessment based on a threat-driven approach. The main idea is to leverage the results of a guided threat modeling process to derive both the security controls and the mechanisms to be enforced, as well as the security tests to perform in order to verify the effectiveness of controls in place. Security controls selection and enforcement will follow Moving Target Defense principles. Security testing will exploit existing threat intelligence and attack patterns knowledge bases to derive a set of general-purpose attack procedures that can be suitably customized to test a target system. For the generation of attack procedures and their customization, the project will also explore machine learning techniques to infer new attack patterns and scenarios, in order to improve the overall testing effectiveness.
Acknowledgements
This work has been partially funded by the European Union - Next-GenerationEU - National Recovery and Resilience Plan (NRRP) - MISSION 4 COMPONENT 2, INVESTMENT N. 1.1, CALL PRIN 2022 D.D. 1409 14-09-2022 - (Threat-driven security testing and proactive defense identification for edge-cloud systems). PROJECT CODE: P2022TT7A7. CUP: E53D23016380001.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Casola, V. et al. (2024). DEFEDGE: Threat-Driven Security Testing and Proactive Defense Identification for Edge-Cloud Systems. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 203. Springer, Cham. https://doi.org/10.1007/978-3-031-57931-8_8
DOI: https://doi.org/10.1007/978-3-031-57931-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57930-1
Online ISBN: 978-3-031-57931-8
eBook Packages: Intelligent Technologies and Robotics (R0)