Attack Surface Expansion Using Decoys to Protect Virtualized Infrastructure

As cloud services using the virtualized technique are emerging and developing rapidly, protection of cloud services is a key issue. Most research efforts focus on reducing the attack surface observed by the external attackers, which is an impractical solution for a complex system like virtualized infrastructure. In order to deceive the attackers and waste their time and efforts, three attack surface expansion approaches for moving target defense are proposed in this paper. These three approaches provide different protection capability with different system complexity by using decoy virtual machines that co-exist with the real virtual machines in the same physical host. The probability that the external attacker successfully exploits the valid assets is theoretically analyzed. Simulation results show the attackers' success rate can be significantly reduced by adding decoy virtual machines. Simulation results also show that the greater the knowledge about the attackers' capability, the better protection the proposed approaches can provide.