Security method for allocation of virtual machines in a cloud computing network
Inventors
KWIAT, LUKE • KAMHOUA, CHARLES • KWIAT, KEVIN
Assignees
United States Department of the Air Force
Publication Number
US-9832220-B2
Publication Date
2017-11-28
Expiration Date
2035-09-22
Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Abstract
A method for enhancing security in a cloud computing system by allocating virtual machines over hypervisors, in a cloud computing environment, in a security-aware fashion. The invention solves the cloud user risk problem by inducing a state such that, unless there is a change in the conditions under which the present invention operates, the cloud users do not gain by deviating from the allocation induced by the present invention. The invention's methods include grouping virtual machines of similar loss potential on the same hypervisor, creating hypervisor environments of similar total loss, and implementing a risk tiered system of hypervisors based on expense factors.
Core Innovation
The invention provides a method for enhancing security in cloud computing systems by allocating virtual machines (VMs) over hypervisors in a security-aware fashion. This allocation induces a stable state such that cloud users do not gain by deviating from the allocation unless operational conditions change. The method includes grouping VMs of similar loss potential on the same hypervisor, creating hypervisor environments with similar total expected loss, and implementing a risk tiered system of hypervisors based on expense factors related to security investment.
The problem addressed is the security risk posed by shared platforms in cloud environments, particularly the vulnerability of hypervisors that manage multiple users' VMs. Since multiple users share hypervisors, an attack on one user's VM can compromise the hypervisor and indirectly affect other users’ VMs. This creates negative externalities and interdependencies where one user's security affects others. Existing VM allocation methods focus on metrics like load balancing or resource scarcity but do not systematically account for security concerns.
The invention models interactions between cloud users and attackers using game theory to identify likely targets and predict behaviors. It ensures allocation based on user loss potential, grouping users to minimize interdependency and balance risk across hypervisors. The system calculates expected loss and uses expense-based risk tiers to influence allocation, guiding users to invest in security and maintain stable equilibrium states where no user benefits from unilaterally changing VM placement. This provides proactive mitigation for attacks and equilibrium in VM allocations.
Claims Coverage
The patent includes one primary independent claim with detailed method steps for security-enhanced VM allocation.
Observation and identification of attacker-user interactions
The method observes interactions between attackers and cloud users and identifies most likely targeted users based on events and equilibrium states.
Loss potential-based user ordering and condition checking
Users are ordered according to increasing loss potential, and the method checks a mathematical condition involving loss potentials, compromise probabilities, the probability of hypervisor compromise, and the cost of investing in security.
Adaptive cost setting and VM allocation to hypervisors
When the condition is not initially met, the security investment cost is set by the provider to satisfy it. Subsequently, the method allocates the first user to the first hypervisor and the nth user to the second hypervisor.
Iterative determination of Nash Equilibrium for VM allocation
If secondary equilibrium conditions are not met, the method performs an iterative determination for a Nash Equilibrium solution, allocating users to hypervisors based on satisfying specific inequalities involving loss potentials, expense, and equilibrium balance.
Handling mixed Nash Equilibria with probabilistic user allocation
When pure Nash Equilibria conditions are not found, the method identifies mixed Nash Equilibria, allocating a particular user probabilistically across hypervisors so the attacker is indifferent to attacking either hypervisor, ensuring risk balancing.
The claims focus on a methodical, game theoretic approach to VM allocation in cloud computing, using loss potential ordering, expense-adjusted security investment, and iterative equilibrium computations to achieve secure, stable allocations that minimize user incentives to deviate.
Stated Advantages
Provides a stable, security-aware VM allocation method where users do not gain by unilaterally deviating from the allocation.
Reduces interdependency and negative externalities among users by grouping VMs of similar loss potential.
Balances total expected loss across hypervisors to mitigate risk exposure.
Implements a risk tiered system based on security investment costs to incentivize protective measures.
Allows proactive identification of likely attack targets and enables minimizing damage and responding to subsequent attacks.
Documented Applications
Application in cloud computing environments with multiple hypervisors and users sharing physical resources.
Use in public cloud infrastructures where security concerns due to shared hypervisor platforms are significant.
Environments where cloud providers must allocate virtual machines dynamically while accounting for security risks and attacker behaviors.
Game theoretic modeling of attacker and user interactions to optimize VM placement and enhance cloud security.
Interested in licensing this patent?