Article

Multi-Dimensional Moving Target Defense Method Based on Adaptive Simulated Annealing Genetic Algorithm

1 Institute of Information Technology, PLA Information Engineering University, Zhengzhou 450001, China
2 National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450001, China
* Author to whom correspondence should be addressed.
Electronics 2024, 13(3), 487; https://doi.org/10.3390/electronics13030487
Submission received: 21 December 2023 / Revised: 19 January 2024 / Accepted: 22 January 2024 / Published: 24 January 2024
(This article belongs to the Special Issue Cyber Attacks: Threats and Security Solutions)

Abstract
Due to the fine-grained splitting of microservices and frequent communication between microservices, the exposed attack surface of microservices has exploded, facilitating the lateral movement of attackers between microservices. To solve this problem, a multi-dimensional moving target defense method based on an adaptive simulated annealing genetic algorithm (MD2RS) is proposed. Firstly, according to the characteristics of microservices in the cloud, a microservice attack graph is proposed to quantify the attack scenario of microservices in the cloud so as to conveniently and intuitively observe the vulnerability of microservices in the cloud and the dependency relationship between microservices. Secondly, the security gain and resource cost are quantified for the key nodes selected by measuring the degree of dependence of each node according to the degree centrality. Finally, the Adaptive Simulated Annealing Genetic Algorithm (ASAGA) is used to solve the optimal security configuration information of the moving target defense, that is, the combination of the number of copies of the multi-copy deployment and the rotation cycle of the dynamic rotation of microservices, in order to quickly evaluate the security risks of microservices and optimize the security policy. Experiments show that the defense return rate of MD2RS is 85.95% higher than that of the mainstream methods, and the experimental results are conducive to applying this method to the dynamic defense of microservices in the cloud.

1. Introduction

With the continuous development of Cloud Computing (CC) technology, Cloud Native (CN) technology is gradually maturing [1]. Cloud computing is a distributed computing model that is now widely used to integrate computing resources [2]. In order to make more effective use of cloud resources, the microservice architecture came into being. In the cloud environment, a traditional monolithic application is decoupled according to its logical functions into multiple single-function microservices, each of which can be developed and deployed independently. It is precisely because of this independent release and agile development that the number of microservices has exploded, which makes the attack surface of microservices difficult to control. Most microservices call each other over the Hyper Text Transfer Protocol (HTTP) or a Remote Procedure Call (RPC) protocol to provide users with the corresponding functional services. To reduce the dependence between microservices, they are loosely coupled, which allows each microservice to be updated and iterated on its own but also leads to a large attack surface. Because microservices in a cloud environment support fine-grained deployment, their state information changes dynamically with user requests, which makes the attack surface of microservices strongly time-varying. In the face of complex and changeable microservice scenarios, traditional passive defense technologies such as firewalls or intrusion detection struggle to cope with today’s network situation, so active defense technology came into being.
Moving Target Defense (MTD) [3] is an active defense technology based on the ideas of dynamics, randomization, and diversification to improve the existing information system defense defects. MTD aims to increase the ambiguity and complexity of the attacker and reduce the opportunity for the attacker to identify the target or infiltrate the target [4]. Based on its core theory, active defense can be realized by constructing unpredictable dynamic systems, changing the attack surface of defense targets, and limiting the time when the vulnerabilities of defense targets are exposed. The common basic methods of mobile target defense include: reorganizing IP addresses [5,6], rearranging network topology [4,7], and diversifying software [8,9].
Microservice architecture makes the security management of cloud applications increasingly difficult. With the increasing complexity of cloud service business, the scale of microservices is growing explosively; for example, Alibaba has over 20,000 microservices [10]. Because traditional passive defense methods struggle to deal with increasingly complex network attacks, active defense technology is very important for changing the situation in which cyberspace is easy to attack but difficult to defend. It is therefore essential to apply the idea of active defense and to formulate appropriate strategies that effectively improve the security of the system without introducing too much resource expenditure, which makes deploying a moving target defense strategy a difficult task. In addition, microservices in a cloud environment are complex and changeable, which makes dynamic defense more difficult. The main challenges are as follows:
  • The communication between micro-services in a cloud environment introduces frequent east–west communication traffic, which provides convenient conditions for attackers to move horizontally between micro-services, and the attack surface of micro-services has exploded;
  • In a complex cloud environment, there are various paths from attackers to attack targets. Since the environment usually contains hundreds of microservice nodes, it will waste a lot of system resources to protect all microservice nodes, so it is necessary to use a moving target defense strategy to protect important nodes in a cloud environment.
Aiming at the above problems, this paper proposes a multi-dimensional moving target defense strategy based on an Adaptive Simulated Annealing Genetic Algorithm (ASAGA). In the attack graph of the cloud environment, the nodes of the microservice attack graph are filtered by degree centrality, and the nodes on which many other nodes depend are screened out. A strategy of multi-copy deployment and dynamic copy rotation is deployed on these nodes to disturb the attacker’s attack process and improve the overall security of the system. The Cyber Kill Chain (CKC) model is then used to analyze the attack process against microservice nodes, the vulnerabilities of each microservice in the cloud environment are correlated by the Attack Graph (AG) model, and the attack paths that characterize system security are presented as a directed graph. ASAGA is used to solve for the number of replicas and the rotation period of each microservice so as to achieve the maximum defense benefit at the lowest possible resource cost. Concretely, the number of replicas deployed by each microservice node and the rotation period of those replicas are modeled, the difficulty of exploiting each microservice’s vulnerabilities is assigned as the weight of the corresponding directed edge of the attack graph, and the nodes whose sum of in-degree and out-degree is greater than two are screened out by degree centrality for the Multi-replica Deployment and Dynamic Rotation Strategy (MD2RS).
The main contributions of this paper are as follows:
  • This paper puts forward the strategy of multi-copy deployment and dynamic rotation, which, by deploying multiple copies of important microservices in the cloud environment and rotating them dynamically, can to a certain extent protect a specific target microservice from the attacker. ASAGA is used to solve for the number of replicas and the dynamic rotation period of the microservices;
  • In this paper, the attack graph model is used to simulate the topological structure of the microservices in the cloud environment, including the call relationships between them. Referring to the degree centrality of the directed graph, the nodes whose sum of in-degree and out-degree is greater than two in the attack graph model are selected as important nodes on which to deploy the multi-dimensional dynamic defense method.
The structure of other sections in this paper is as follows: Section 2 introduces related work; Section 3 introduces the threat model, modeling, and optimization of microservices in a cloud environment; Section 4 introduces the security configuration algorithm based on ASAGA; Section 5 mainly introduces the experiment, and finally, we summarize this work.

2. Related Work

With the continuous development of cloud computing technology, its application in all walks of life has become increasingly extensive. The traditional monolithic application is divided into multiple microservices according to functional logic, and container technology provides a lightweight environment for the operation of microservices [11]. To solve the problem of the attack surface of microservice applications increasing sharply, this paper has conducted a lot of preliminary work and found that there are two main defense methods in the industry; one is the traditional passive defense technology, and the other is the active defense technology to be used in this paper. Traditional passive defense technologies are also divided into two types. One is to strengthen the system to protect the system information. The main technologies are encryption, authentication, and access control based on cryptography [12]; the other is a “better late than never” defense technology that focuses on detecting attacks. The main technologies are intrusion detection, virus killing, and intrusion tolerance [13]. Active defense technology is a technology that improves the security of the system by blocking or interfering with the attacker’s attack chain, introducing redundancy, heterogeneity, and dynamics, and adopting corresponding defense strategies [14].
Venkatesan et al. [15] studied the optimal MTD conversion cycle in botnets. Firstly, the authors deployed botnet detection probes on key nodes selected in the network to identify botnets. To prevent attackers from bypassing important nodes, the detection probes are changed from time to time, thus enhancing the dynamic nature of the defense strategy; finally, the attacker’s attack path is derived under the assumption that the attacker minimizes the detection probability, and the optimal MTD defense strategy is deployed for this path. Sharma et al. [16] designed an MTD-based active defense system using IP address reuse and software-defined networks, which can map real IP addresses to multiple random, virtual IP addresses. Luo et al. [17] constantly change port numbers to thwart the attacker’s reconnaissance before the attack and quantify the probability of the attacker’s success according to the size of the port pool, the number of the attacker’s probes, and the number of vulnerable services. Thompson et al. [18] randomly selected the rotation cycle of the operating system between 60 s and 300 s for multiple versions of the Linux system and analyzed the success rate of blocking the attack chain, the impact of vulnerability exploitation, and the effect on application usability in order to improve a management platform based on heterogeneous virtual machines. Sourour et al. [19] use containers with different operating systems to resist attacks by actively and randomly changing defense strategies. Li Lingshu et al. [20] proposed a container migration and honeypot deployment strategy based on a signaling game to address the threat of co-resident attacks in the container cloud environment. All of the above articles focus on the randomness of active defense to deploy the system safely; the following work mainly enhances the security of information systems through the diversity of active defense.
For a common-mode attack, Zeng Wei et al. [21] used diversified containers to build a heterogeneous image resource pool to spread attacks based on common-mode vulnerabilities on the cloud and used a Stackelberg game model to solve the optimal scheduling strategy. In the face of security threats such as co-resident attacks in cloud computing, Liu Daoqing et al. [22] constructed a signaling game model based on MTD and proposed a multi-stage optimal defense strategy solving algorithm to enhance security. Wang Yawen et al. [23,24] use various operating systems to build diversified virtual machines, take different operating system distributions as different defense strategies, model the security problem of scientific workflow in a cloud environment as a two-person zero-sum game, solve the Nash equilibrium to generate defense strategies, periodically switch between different defense strategies according to the solution, and improve the efficiency of scientific workflow in the cloud environment with a mapping algorithm between tasks and virtual machines. Tong Qing et al. [25] use a heterogeneous operating system and heterogeneous software stack to enhance the intrusion tolerance of the system. Taguinod et al. [26] divide web applications into different layers and use different programming languages to realize different functions, preventing code injection and SQL injection attacks without affecting the normal operation of the web application. In addition to focusing on the randomness and diversity of active defense, some work starts from redundancy in active defense to enhance the security of the system. Ahmed et al. [27] designed a Byzantine fault-tolerant system combining OpenStack and software-defined networks by taking advantage of the virtualization characteristics of cloud computing and using multiple short-lived replicas to meet the Byzantine fault-tolerance conditions. Wang et al. [28,29] proposed an intrusion tolerance system for cloud scientific workflow based on mimic defense, which deploys redundant executors according to the number of common-mode vulnerabilities between operating systems without affecting the efficiency of the scientific workflow and makes a delayed decision on the running results of the executors.
Because of the explosive growth of the attack surface of microservices in the cloud environment, Torkura et al. [30] adopted a dynamic transformation of the image file and programming language of microservices to change the attack surface they expose in the cloud environment. Jin et al. [31] established a multi-dimensional attack graph model for microservices in the cloud environment and proposed a method of screening key nodes through centrality and then evaluating and protecting the screened key nodes. Zhang Shuai et al. [32] protect all microservices in the cloud environment as a whole and use the DQN algorithm to solve for the dynamic cleaning cycle of the microservices in order to dynamically change their attack surface and improve the overall security of the system. This strategy dynamically cleans all microservices in the cloud environment and improves the overall defense efficiency of the system through that dynamic cleaning.
The strategy proposed in reference [31] can improve the security of the cloud environment. However, since the defense strategy is only deployed on the nodes screened by centrality, once the attacker becomes aware of it, he will bypass the key nodes. This not only fails to achieve the optimal defense effect but also causes additional resource expenditure. Reference [32] takes corresponding protection measures for all microservice nodes in the cloud environment and uses the DQN algorithm to solve for the cleaning cycle of the microservices. Although the defense efficiency is greatly improved, the deep reinforcement learning algorithm requires a lot of training in the early stage, which is relatively time-consuming, and protecting all microservices in the cloud environment increases the resource overhead of the system. Therefore, in this paper, referring to degree centrality, the nodes whose sum of out-degree and in-degree is greater than two are screened out in the attack graph and protective measures are deployed on these nodes, which can effectively prevent attackers from bypassing the protected nodes and can also reasonably control the resource expenditure of the system. In addition, using the ASAGA algorithm saves training time. To distinguish our article from related work, we list the related articles that address the exploding attack surface of microservices in Table 1.

3. Problem Model

This section firstly introduces the attack process of the attacker on the microservice node in the cloud environment, then introduces the dynamic defense strategy deployed in this paper. Furthermore, it obtains the security quantitative model and resource cost model according to the attack process of the attacker and the defense strategy deployed in this paper. Finally, it summarizes the problems that need to be optimized.

3.1. Threat Model

In this section, the CKC model is used to analyze the attack process of attackers on microservice nodes. In the CKC model, a complete attack process includes several stages, such as the pre-attack reconnaissance stage, vulnerability exploitation stage, privilege acquisition stage, backdoor installation stage, and expansion of influence. In the cloud-native environment, a single microservice runs in an independent container, and multiple microservices run on the network-connected microservice call chain formed by container orchestration; they coordinate with each other to complete complex business functions. In this paper, we assume that both the cloud platform and the service provider are trustworthy and that the attacker comes from outside the cloud platform. Attackers aim to infiltrate the internal network to obtain important data or to move laterally. Figure 1 shows a schematic diagram of an attack scenario based on a microservice environment in the cloud, and the attack target, attack process, and attack capability are described as follows:
  • Attack target. In the cloud environment, all running microservices may become targets of attackers. Microservices are composed of dependency libraries and service code. We assume that microservices running in the current environment have some vulnerabilities that can be exploited by attackers. The attacker’s final target is the node where we store our important data, which is microservice M in Figure 1.
  • Attack strategy. Suppose the attacker uses the network kill chain model to attack. In the CKC model, the attacker will first carry out various investigative actions to identify the vulnerability of the target. Secondly, the attacker will choose one or more suitable vulnerabilities and use the corresponding attack means to attack. Finally, attackers can use network attack tools to execute malicious code to harm the target;
  • Attack ability. In this paper, our experimental scenario is an internal network scenario, assuming that an attacker from outside the cloud platform will attack the microservices through the Internet. Micro-services in the cloud environment will open specific service access portals to the outside world, so attackers can only attack micro-services from specific access portals. As shown in Figure 1, it is assumed that the attacker’s attack target is microservice M. The attacker comes from the outside of the cloud platform and can only carry out the attack through the specific service access entrance. Therefore, when the attacker uses the vulnerability to successfully hijack microservice A, he can successively infiltrate microservice D, microservice G, microservice J, and microservice K or successively microservice E and microservice K and other nodes and, finally, achieve the attack on the target microservice M.
In this paper, it is assumed that the attacker’s ability will be limited and that the attacker does not know the detailed configuration details, such as the arrangement of microservices, the location of microservices in the cloud, and the number of microservice copies.

3.2. Dynamic Defense Strategy

Moving Target Defense (MTD) uses the characteristics of diversification, dynamics, and randomization to construct a dynamic, heterogeneous, and uncertain defense effect. An efficient and fast cloud environment makes the system dynamic and complex. In this paper, the replica transformation and replica dynamic rotation are combined to disrupt the process of attackers’ gradual infiltration along the microservice chain.
  • Copy transformation. In this paper, the microservice is deployed in multiple copies, and the microservice copies that provide services are dynamically transformed by random load balancing, thus disturbing the attacker’s continuous control over the microservice copies that were previously injected with an attack load and increasing the attack difficulty of the attacker.
  • Dynamic rotation of copies. A microservice in a cloud environment leads to a sharp increase in attack surface, which makes security control more difficult. Therefore, changing the attack surface of the microservice by dynamic replica rotation can also achieve the purpose of disturbing the attacker’s continuous control of the microservice replica that was previously injected with the attack load.
This section takes the microservice attack scenario shown in Figure 1 as an example to illustrate the effectiveness of microservice replica transformation and replica dynamic rotation strategy. Assuming that the replica of microservice A, microservice A_1, was injected with the attack load during the attacker’s last attack, the attacker needs to hold microservice A_1 hostage to attack microservice B or microservice C called by microservice A according to the dependency between microservices. However, after the deployment of micro-service replica transformation, through the random load balancing of micro-service replicas, multiple replicas of micro-service A will be presented to the attacker with the effect of random transformation, and the attacker needs to infiltrate micro-service A many times before continuing to attack the subsequent nodes. Before full penetration, if the replica of microservice A is dynamically rotated, the attacker’s previous attack will not affect it.
In this section, replica transformation and replica dynamic rotation are used to realize dynamic defense of microservice systems in the cloud environment. In the actual environment, we cannot judge the attacker’s target, and we cannot predict which path the attacker will use to probe and attack that target. In the study of graph structures, centrality is an index used to quantify the importance of each node in the graph. Taking resource cost into consideration, this paper uses degree centrality to screen out the nodes whose sum of in-degree and out-degree is greater than two as important nodes and applies multi-copy deployment and dynamic rotation to those important nodes. ASAGA is used to solve for the number of copies to be deployed and the dynamic rotation period of each key node.

3.3. Safety Quantification Model

We analyze the attacker’s attack path in the cloud environment and make the following definitions:
Definition 1.
The attacker’s attack path is defined as a directed graph $G = (V, E)$, where $V$ is the set of nodes in the directed graph, which in the scenario of this paper is formalized as the set of microservices in the cloud environment. $V = \{V_1, V_2, \dots, V_n\}$ represents a collection of $n$ microservices. Microservice $V_i$ contains $d_i$ microservice replicas, that is, $V_i = \{v_k, 1 \le k \le d_i\}$, each of which is created from the same microservice image and has the same functionality and configuration.
Definition 2.
$E$ is the set of all edges of the directed graph, $E = \{e_{ab} \mid V_a, V_b \in V, e_{ab} \in [0, 1], a \ne b\}$. When $e_{ab} = 0$, there is no calling relationship between microservice $V_a$ and microservice $V_b$. If $e_{ab} = 1$, there is an invocation relationship between microservice $V_a$ and microservice $V_b$.
The attacker needs to probe and inject microservices several times through API calls to achieve the expected effect. As assumed above, microservice $V_i$ has $d_i$ copies, and an API request is redirected to one of the $d_i$ copies by a random load balancer with equal probability. Therefore, the probability $p_i$ that a given replica of microservice $V_i$ receives the API call issued by the attacker is:
$$p_i = \frac{1}{d_i}, \quad \forall V_i \in V$$
We define the weight of an edge of the directed graph as the probability of the microservice being successfully attacked, i.e., the difficulty of the node’s vulnerabilities being exploited, $W(e_{ab})$, and the dynamic rotation cycles of the microservices as $T_n = \{t_1, t_2, \dots, t_n\}$, where $t_i$ represents the rotation cycle of microservice $V_i$.
This paper assumes that the attacker needs to lock onto the target several times during the attack to achieve the attack effect. Since microservices adopt the multi-copy deployment strategy, it is assumed that an attacker needs to successfully attack the same microservice copy $\delta$ times to successfully invade the attack target.
The difficulty of node vulnerabilities being exploited is described by the Exploitability Metrics (EM) of the Base Score Metrics (BSM) and the Exploit Code Maturity (ECM) of the Temporal Metrics (TM) in CVSS 3.1. The exploitability metric quantifies how exploitable a vulnerability is, and the code maturity metric quantifies the likelihood that the vulnerability is actually attacked. EM can be expressed as:
$$EM = 8.22 \times AV \times AC \times UI \times PR$$
In the above formula, $AV$, $AC$, $UI$, and $PR$ are, respectively, attack vector, attack complexity, user interaction, and privileges required, all of which are parameters of EM. Each node represents an attack surface that may have one or more exploitable vulnerabilities. Because the attacker’s capability is unknown, every vulnerability in the node may be attacked. Given this, we use the temporal metric $w$ as the weight of the possibility of each vulnerability being attacked and take the weighted average of the exploitability to obtain the vulnerability of each node, $W(e_{ab})$:
$$W(e_{ab}) = \frac{\sum_{R} (w \times EM)}{\sum_{R} w}$$
where $R$ is the set of all vulnerabilities existing on the attack surface of the node.
To analyze the relationship between the probability of a successful attack on a microservice replica and the dynamic rotation cycle, this paper assumes that the attacker has sufficient time to obtain the information needed for the attack and to penetrate each replica of microservice $V_i$. Therefore, the longer the dynamic rotation cycle, the greater the probability of a successful attack. This paper therefore uses an exponential function to represent the relationship between the probability of microservice $V_i$ being successfully breached and the time $t$ for which the attacker holds the replica, and $p_i^{succ}$ can be expressed as:
$$p_i^{succ} = 1 - \frac{1 - e^{\,t - T_{max}}}{1 - e^{-T_{max}}}$$
where $T_{max}$ is the time required by the attacker to reach the maximum probability of a successful attack, and $T_{max} = f(W(e_{ab}))$ represents the mapping between the difficulty of exploiting the node’s vulnerabilities, $W(e_{ab})$, and the time $T_{max}$ the attacker needs to reach that maximum probability.
Definition 3.
In the given attack graph, we measure the out-degree and in-degree of each node and screen out the nodes with high correlation to other nodes; multi-copy deployment and dynamic rotation are required for these nodes.
Suppose we have screened out $m$ microservices on which to set the protection mechanism, the microservice call chain $H = \{V_1, V_2, \dots, V_m\}$ composed of these $m$ microservices, and the corresponding rotation cycles $T = \{T_1, T_2, \dots, T_m\}$. The rotation period of microservice $V_i$ is $T_i$, which means that $d_i$ new microservice replicas are created every $T_i$ time units, and the old replicas are deleted after all the new replicas have been successfully created.
For a node with multi-replica deployment and dynamic replica rotation, assuming that the attacker has to attack again from scratch each time a dynamic replica rotation is performed, the vulnerability of the node becomes:
$$W'(e_{ab}) = W(e_{ab}) \times \frac{\delta_i}{T_i^{max}}$$
In this paper, it is assumed that the attacker needs to breach $\delta_i$ microservice replicas to control the node. Therefore, once the attacker has successfully attacked $\delta_i$ replicas, the defender’s security gain for that node no longer increases.
Because we can judge neither the attacker’s target nor the path from which the attack will be launched, to avoid wasting resources we adopt the strategy of multi-copy deployment and dynamic copy rotation on the nodes with high dependence. Therefore, this paper carries out multi-copy deployment and dynamic copy rotation on the key nodes defined above and evaluates the effectiveness of the strategy there. The security gain from the multi-copy deployment and dynamic replica rotation policy is measured by the increment $\Delta W(V_{att}, V_{tar})$ of the vulnerability of all nodes on which the policy is deployed, i.e.:
$$\Delta W(V_{att}, V_{tar}) = \sum_{K \in P} W'_K(V_{att}, V_{tar}) - \sum_{K \in P} W_K(V_{att}, V_{tar})$$
where $P$ is the set of nodes on which the policy is deployed, and $W_K$ and $W'_K$ are the vulnerability of node $K$ before and after deployment.
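The attack-graph pieces of this section (Definitions 1 and 2, the degree-centrality screening of Definition 3, $p_i = 1/d_i$, and the ECM-weighted edge weight $W(e_{ab})$) as an added, runnable example that is not code from the paper. The CVSS constants are the published CVSS 3.1 values; the call graph and the vulnerability sets are constructed samples that only loosely follow the Figure 1 narrative.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Published CVSS 3.1 numerical values for the Exploitability Metrics (AV, AC, PR, UI)
# and for the temporal metric Exploit Code Maturity (ECM). PR uses the
# scope-unchanged values.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
ECM = {"X": 1.00, "H": 1.00, "F": 0.97, "P": 0.94, "U": 0.91}


@dataclass(frozen=True)
class Vuln:
    """One exploitable vulnerability on a node's attack surface (constructed sample data)."""
    av: str
    ac: str
    pr: str
    ui: str
    ecm: str = "X"


def exploitability(v: Vuln) -> float:
    """EM = 8.22 x AV x AC x PR x UI, the CVSS 3.1 exploitability sub-score."""
    return 8.22 * AV[v.av] * AC[v.ac] * PR[v.pr] * UI[v.ui]


def node_weight(vulns: Iterable[Vuln]) -> float:
    """W(e_ab): ECM-weighted average of EM over the set R of vulnerabilities on the node."""
    vulns = list(vulns)
    return sum(ECM[v.ecm] * exploitability(v) for v in vulns) / sum(ECM[v.ecm] for v in vulns)


def degrees(edges: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[int, int]]:
    """(in-degree, out-degree) of every node of the directed attack graph G = (V, E)."""
    deg: Dict[str, List[int]] = {}
    for a, b in edges:
        deg.setdefault(a, [0, 0])[1] += 1   # a calls b: out-degree of a
        deg.setdefault(b, [0, 0])[0] += 1   # in-degree of b
    return {n: (i, o) for n, (i, o) in deg.items()}


def key_nodes(edges: Iterable[Tuple[str, str]]) -> List[str]:
    """Degree-centrality screening: nodes whose in-degree + out-degree exceeds two."""
    return sorted(n for n, (i, o) in degrees(edges).items() if i + o > 2)


def receive_probability(d_i: int) -> float:
    """p_i = 1 / d_i: one probe reaches a particular replica under random load balancing."""
    return 1.0 / d_i


# Constructed call graph loosely following the Figure 1 narrative (A -> D -> G -> J -> K -> M,
# A -> E -> K, and A calling B and C); the real figure is not reproduced here.
EDGES = [("A", "B"), ("A", "C"), ("A", "D"), ("A", "E"), ("D", "G"),
         ("E", "K"), ("G", "J"), ("J", "K"), ("K", "M")]

# Constructed vulnerability sets for the screened nodes (CVSS vectors are sample values).
NODE_VULNS = {
    "A": [Vuln("N", "L", "N", "N", "H"), Vuln("N", "H", "L", "R", "P")],
    "K": [Vuln("A", "L", "L", "N", "F")],
}

if __name__ == "__main__":
    for node in key_nodes(EDGES):
        print(node, degrees(EDGES)[node], round(node_weight(NODE_VULNS[node]), 3))
```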

3.4. Resource Overhead Model

The resource overhead of microservices mainly comes from the resources used in multi-copy deployment and the resources occupied during dynamic replica rotation. In this article, regardless of resource type, it is assumed that replicas of the same microservice occupy the same resources, denoted $R_i$. Because microservice $V_i$ has $d_i$ copies, the resources occupied by microservice $V_i$ are $d_i \cdot R_i$. This paper assumes that during the dynamic rotation of microservice copies, the original copies keep running normally and can be taken offline only after the new copies have started successfully. As a result, a dynamic rotation temporarily occupies twice the resources of normal operation. The rotation cycle of microservice $V_i$ is $T_i$. Assuming that $T_i^{cre}$ is consumed creating the new microservice copies, the total amount of system resources occupied by multi-copy deployment and dynamic rotation of copies in the attack graph is:
$$\xi_t = \sum_{V_i \in V} d_i R_i \left(1 + \frac{T_i^{cre}}{T_i}\right)$$

3.5. Optimization Problem

The main task of this paper is to solve for the number of replicas $V_n = \{d_1, d_2, \dots, d_n\}$ and the dynamic rotation cycles $T_t = \{t_1, t_2, \dots, t_n\}$ of the microservices at time $t$ for the nodes with multi-replica deployment and dynamic replica rotation. Under the corresponding constraints, the security gain should be maximized as far as possible while the consumption of system resources is minimized. Therefore, the optimization problem can be summarized as:
$$\max \frac{\Delta W(V_{att}, V_{tar})}{\xi_t}, \quad T_i \in T, \; d_i \in V_n$$

4. Security Configuration Algorithm Based on ASAGA

The Adaptive Simulated Annealing Genetic Algorithm (ASAGA) is an improved optimization selection algorithm based on the traditional genetic algorithm, which combines the global search ability of the simulated annealing algorithm and the local search ability of the genetic algorithm.

4.1. Simulated Annealing Algorithm

The simulated annealing algorithm (SA) is a probabilistic evolutionary algorithm derived from the annealing of solids. A solid is heated to a sufficiently high temperature and then cooled slowly: during heating, its internal particles pass into a disordered state as the temperature changes, and as the temperature slowly drops they gradually reorder. The SA algorithm starts from a high initial temperature and, as the temperature decreases at the cooling rate, searches the solution space for the global optimum of the objective function with the help of probabilistic mutation. By giving the search process a time-varying acceptance probability that tends to zero, SA can effectively avoid becoming trapped in a local optimum.
The SA algorithm consists of two parts, the Metropolis algorithm and the annealing process, which correspond to its inner and outer loops. The outer loop defines the annealing schedule: the initial temperature is set relatively high and is reduced in a fixed proportion by the cooling rate cooling_rate until it drops to the termination temperature; this whole process is the simulated annealing process. The Metropolis algorithm is the inner loop: at each temperature it iterates a certain number of times to find the best solution at that temperature.

4.2. Adaptive Simulated Annealing Genetic Algorithm

Based on the traditional genetic algorithm, ASAGA adds an adaptive mechanism and the simulated annealing algorithm to improve the selection procedure, which broadens the search space and improves the search ability of the algorithm, so it is widely used to solve constrained optimization problems [33]. The traditional GA often converges slowly or prematurely in practice because its crossover and mutation probabilities are fixed: in every cycle, regardless of whether the selected individual is already the best solution, the chromosome is crossed and mutated with a constant probability. This reduces the efficiency of the algorithm and can trap it in a local optimum. The way to address these problems is that for excellent chromosomes the crossover and mutation probabilities should be as small as possible, to preserve good individuals, while for inferior individuals they should be as large as possible, to keep searching for better ones. In addition, in the early stage of evolution the range in which the optimal solution lies must be found quickly, with crossover and mutation probabilities as large as possible, whereas in the later stage these probabilities should be reduced as much as possible so that the algorithm converges quickly once the global optimum has been found. Only in this way can the efficiency and accuracy of the algorithm be improved as far as possible.
By adding the adaptive mechanism and simulated annealing to the traditional GA, ASAGA can adjust the crossover and mutation probabilities autonomously according to the fitness function during evolution. The SA algorithm avoids falling into a local optimum by giving the search process a time-varying acceptance probability that gradually approaches zero.
ASAGA combines the characteristics of AGA and SA and uses two basic operations: the genetic operation and the simulated annealing operation. The genetic operation is the global search part of ASAGA: through the selection, crossover, and mutation of GA, the fitness of individuals is gradually improved over the evolution of the population in search of the global optimum. The simulated annealing operation is the local search part of ASAGA, which uses the random search characteristic of SA to explore the neighbourhood of a solution; its purpose is to accept inferior solutions so as to avoid being trapped in a local optimum.

4.3. Security Configuration Algorithm Based on ASAGA

A population is a set of feasible solutions in the search space. An individual is one feasible solution in the population; a chromosome is the encoding of a feasible solution, generally in binary, decimal, or hexadecimal; a gene is one piece of information encoded in a chromosome; and the fitness function assesses how well each individual fits into the population.
In this paper, the population is the set of all feasible security configurations of microservices in the cloud, an individual is the security configuration information of the microservices on the key nodes screened from the population, and the chromosome is the encoding of that configuration information; hexadecimal encoding is adopted in this paper. Formula (8) is the fitness function.
Adaptive mechanism: the selection mechanism of the GA is improved so that which individuals are selected and retained is decided by their adaptive fitness. The adaptive expression is:
$$f(x) = a\,f(x_i) + \frac{e - e^{g/g_{\max}}}{e + e^{g/g_{\max}}}\,(f_{\max} - f_{\min})$$
where $f_{\max}$ is the largest fitness value, $f_{\min}$ is the smallest fitness value, $g$ is the generation number of the current iteration, $g_{\max}$ is the maximum number of iterations, and $a$ is a constant greater than 0. Improved simulated annealing mechanism in crossover and mutation: new individuals are accepted with the Boltzmann mechanism. When $p_a >$ random.random(), the new individual $x_a$ replaces $x_1$; otherwise, it is not replaced. Likewise, if $p_b >$ random.random(), the new individual $x_b$ replaces $x_2$, and otherwise it does not. $p_a$ and $p_b$ are calculated as:
$$p_a = \left(1 + e^{-(f(x_a) - f(x_1))/T}\right)^{-1}$$
$$p_b = \left(1 + e^{-(f(x_b) - f(x_2))/T}\right)^{-1}$$
where $f(x_a)$, $f(x_b)$, $f(x_1)$, $f(x_2)$ are the fitness values of the corresponding individuals and $T$ is the current simulated annealing temperature.
In the initial stage of Algorithm 1, ASAGA randomly generates an initial population (the parent population), computes its initial fitness values, and then generates a new population (the child population) through a series of operations: selection, crossover, mutation, and simulated annealing. This process is repeated until the iterations end. Finally, the individual with the highest fitness value is the optimal individual.
Algorithm 1 ASAGA operation process.
Input: population size popsize, number of iterations NGEN, initial temperature T, and cooling rate cooling_rate;
Output: optimal security configuration information for the microservice;
Randomly generate the security configuration range R of the microservices.
pop ← R, popsize;                                ▷ Initialize the population pop of size popsize.
indbest ← selectBest(pop);                       ▷ Select the individual with the greatest fitness from pop.
for episode = 0 to NGEN do
    selectpop = selection(pop, popsize);         ▷ Select a new generation of the population.
    while len(nextoff) != popsize do
        offs = [selectpop.pop() for _ in range(2)];   ▷ Generate progeny: the selected population is sorted in ascending order of fitness, and the two individuals with the least fitness are removed.
        r = random.random();
        if r < P_c then
            i_1, i_2 = Crossoperate(offs);       ▷ Two individuals are randomly selected from offs for crossover.
            if r < P_m then
                i_3 = Mutation(i_random);
                i_4 = Mutation(i_random);        ▷ The crossed individuals are mutated.
                nextoff ← i_3, i_4;              ▷ The mutated individuals are added to the next-generation population.
            else
                nextoff ← i_1, i_2;              ▷ The crossed individuals are added to the next-generation population.
            end if
        else
            i_5 = SimulatedAnnealing(i_random);
            i_6 = SimulatedAnnealing(i_random);  ▷ The simulated annealing operation is performed on the individuals.
            nextoff ← i_5, i_6;                  ▷ The annealed individuals are added to the next-generation population.
        end if
    end while
    pop = nextoff;                               ▷ Update the current population.
    indbest = max(indbest, selectBest(pop));     ▷ Keep the individual with the highest fitness.
end for
Finally, obtain the optimal individual and configure the optimal security policy;
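The following Python program is an added worked example, not code from the paper or its authors. It implements the steps of Algorithm 1 (roulette selection weighted by the adaptive expression of Section 4.3, Boltzmann acceptance of crossed, mutated and annealed individuals, cooling of the temperature each generation) on the objective $\max \Delta W / \xi_t$ of Section 3.5, with $\xi_t$ computed by the formula of Section 3.4. The key-node parameters $(R_i, T_i^{cre})$, the allowed ranges of $d_i$ and $T_i$, the saturating stand-in used for $\Delta W$ (the paper's $KPW$ model is not reproduced here), and the linear rule that lowers $P_c$ and $P_m$ for above-average parents and over the course of the run are all assumptions of this example.

```python
"""Added example (not the paper's code): ASAGA as in Algorithm 1, applied to the
MD2RS objective max Delta W / xi_t of Sections 3.4 and 3.5.
Assumed here, not taken from the paper: the constructed key-node parameters,
the saturating stand-in for Delta W, and the linear adaptive P_c / P_m rule."""
import math
import random

# Constructed key nodes: (resource per replica R_i, replica creation time T_i^cre).
KEY_NODES = [(1.0, 2.0), (2.0, 3.0), (1.5, 1.0)]
N = len(KEY_NODES)
D_RANGE = (1, 5)    # allowed replica count d_i
T_RANGE = (5, 60)   # allowed rotation cycle T_i (same unit as T_i^cre)
GENE_RANGES = [D_RANGE] * N + [T_RANGE] * N   # chromosome = d_1..d_n, T_1..T_n


def resource_overhead(d, t):
    """xi_t = sum_i d_i R_i (1 + T_i^cre / T_i): old and new copies overlap for T_i^cre."""
    return sum(di * r * (1.0 + tcre / ti) for di, ti, (r, tcre) in zip(d, t, KEY_NODES))


def security_gain(d, t):
    """Assumed stand-in for Delta W: more replicas and shorter cycles lower the
    breach probability on each node, with diminishing returns."""
    return sum(1.0 - math.exp(-10.0 * di / ti) for di, ti in zip(d, t))


def fitness(ind):
    """Objective of Section 3.5: security gain per unit of resource overhead."""
    return security_gain(ind[:N], ind[N:]) / resource_overhead(ind[:N], ind[N:])


def scaled_fitness(f, f_max, f_min, g, g_max, a=1.0):
    """Adaptive expression of Section 4.3; its (f_max - f_min) term fades to zero
    as generation g approaches g_max, so late selection relies on raw fitness."""
    w = (math.e - math.exp(g / g_max)) / (math.e + math.exp(g / g_max))
    return a * f + w * (f_max - f_min)


def boltzmann_accept(f_new, f_old, temp):
    """p = (1 + e^{-(f_new - f_old)/T})^{-1}: a worse candidate still has a chance
    that shrinks as the temperature T falls."""
    x = max(-700.0, min(700.0, -(f_new - f_old) / temp))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(x))


def clamp(ind):
    return [min(max(v, lo), hi) for v, (lo, hi) in zip(ind, GENE_RANGES)]


def random_individual():
    return [random.randint(lo, hi) for lo, hi in GENE_RANGES]


def crossover(x1, x2):
    cut = random.randint(1, 2 * N - 1)                # single-point crossover
    return x1[:cut] + x2[cut:], x2[:cut] + x1[cut:]


def mutate(x):
    y = list(x)
    k = random.randrange(2 * N)                       # perturb one gene by up to 3
    y[k] += random.choice((-1, 1)) * random.randint(1, 3)
    return clamp(y)


def accept(candidate, incumbent, temp):
    """Replacement rule of Section 4.3: x_a replaces x_1 when p_a > random.random()."""
    p = boltzmann_accept(fitness(candidate), fitness(incumbent), temp)
    return candidate if p > random.random() else incumbent


def asaga(popsize=40, ngen=100, temp=1.0, cooling_rate=0.95,
          pc=(0.9, 0.5), pm=(0.3, 0.05)):
    """Algorithm 1. Returns (best individual, its fitness, best-so-far fitness per generation)."""
    pop = [random_individual() for _ in range(popsize)]
    best = max(pop, key=fitness)
    history = [fitness(best)]
    for g in range(ngen):
        fits = [fitness(x) for x in pop]
        f_max, f_min, f_avg = max(fits), min(fits), sum(fits) / popsize
        weights = [scaled_fitness(f, f_max, f_min, g, ngen) for f in fits]
        selectpop = random.choices(pop, weights=weights, k=popsize)   # roulette selection
        decay = 1.0 - g / ngen
        nextoff = []
        while len(nextoff) < popsize:
            x1, x2 = random.sample(selectpop, 2)
            # Assumed adaptive rule: parents fitter than average cross and mutate
            # with half the probability, and both rates decay over the run.
            scale = decay * (0.5 if (fitness(x1) + fitness(x2)) / 2 >= f_avg else 1.0)
            p_c = pc[1] + (pc[0] - pc[1]) * scale
            p_m = pm[1] + (pm[0] - pm[1]) * scale
            if random.random() < p_c:                 # genetic operation
                i1, i2 = crossover(x1, x2)
                if random.random() < p_m:
                    i1, i2 = mutate(i1), mutate(i2)
                nextoff += [accept(i1, x1, temp), accept(i2, x2, temp)]
            else:                                     # simulated annealing operation
                nextoff += [accept(mutate(x1), x1, temp), accept(mutate(x2), x2, temp)]
        pop = nextoff[:popsize]
        best = max([best, max(pop, key=fitness)], key=fitness)
        history.append(fitness(best))
        temp *= cooling_rate
    return best, fitness(best), history


if __name__ == "__main__":
    random.seed(7)
    ind, fit, hist = asaga()
    print("replicas d_i:", ind[:N], "rotation cycles T_i:", ind[N:], "fitness: %.4f" % fit)
```

Running the script prints the best configuration found. Because the assumed gain per node saturates while the overhead grows linearly in $d_i$, the search tends towards few replicas with a short rotation cycle on each node, which illustrates that the ratio objective penalizes replicas that add cost without lowering the breach probability further. The returned history is non-decreasing because, as in the last step of each generation of Algorithm 1, the best individual found so far is carried over.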

5. Experiment and Evaluation

5.1. Security Configuration Algorithm Based on ASAGA

In this paper, Kubernetes, a container orchestration platform, is used to build a container cloud cluster of seven servers, each configured with 40 cores at 1.50 GHz and 32 GB of memory; one server is the control node and the remaining six are computing nodes. According to the schematic diagram of the microservice attack scenario in Figure 1, web applications consisting of five different types of microservices are deployed on these nodes. The vulnerability information of the microservices is shown in Table 2, where the upper limit of the vulnerability weight is 10; the larger the vulnerability weight, the greater the possibility that the vulnerability is exploited by an attacker. This paper makes assumptions about the attacker's capability according to the literature [34], and according to Formula (4), once the difficulty of attacking a microservice is known there is a corresponding relationship between the probability of the microservice being breached by the attacker and its rotation cycle.
This paper assumes that the attacker targets MySQL, the microservice that stores the data. The attacker comes from outside the cloud platform and penetrates the internal network to obtain important data. This article assumes that all copies of the four microservices Tomcat, Apache, Memcached, and ImageMagick work independently. In the experimental phase, we write the response information of the microservices used in the experiment into the experimental environment in the form of an array.

5.2. Comparison Strategies

In the experiment, the MD2RS proposed in this paper is compared with two common static protection methods, the random configuration strategy and the uniform configuration strategy, as well as with DSEOM [26] and SmartSCR [27]. The comparison methods are as follows:
(1) The random configuration strategy randomly generates the number of replicas and the rotation cycle of the microservice nodes selected in this paper between the set upper and lower limits and protects the key nodes;
(2) The unified configuration strategy simplifies the configuration of the replica number and rotation cycle of the microservice nodes: the replica number and the rotation cycle of the microservices on the important nodes selected in this paper are each set to the same value, and the security configuration information is calculated on this basis;
(3) DSEOM uses the attack graph model to depict the attack difficulty of different microservices, selects important nodes using betweenness centrality, and deploys security policies on the selected key nodes;
(4) SmartSCR also uses the attack graph model to describe the attack difficulty of different microservices and dynamically cleans all microservice nodes.

5.3. Analysis of Results

To verify the performance of MD2RS, this paper first deploys microservices with different numbers of replicas in the experimental scenario, then gradually increases the number of ASAGA iterations within the range of the corresponding solution, and finally calculates the ratio of defense return rate to resource overhead for each number of iterations.
Figure 2 shows the convergence of MD2RS for different population sizes and different numbers of ASAGA iterations. On the whole, the defense rate of return produced by MD2RS changes with the population size but eventually converges to the same value. From (1)–(4) in Figure 2, when the population size is 100, 200, 300, and 400, the defense return rate converges at 77.128. In each subgraph of Figure 2, 50, 100, 200, and 400 iterations are carried out for the same population size. It is found that the larger the population size, the more iterations ASAGA needs to converge to the optimal solution. For example, in subgraphs (1) and (3) of Figure 2, when the population size is 100 and the number of iterations is increased, ASAGA reaches convergence at iterations 31, 40, 147, and 347, respectively; when the population size is 300, ASAGA reaches convergence at iterations 30, 48, 174, and 274, respectively. When the population size is fixed, a larger number of iterations brings the result closer to the optimal solution, as shown in Figure 2 (1): when the population size is 200, convergence is reached at 75.233, 76.910, 76.910, and 77.115, respectively. In summary, ASAGA converges well on the optimization problem of this paper, and the optimal solution converges at a defense return of 77.115.
Figure 3 shows the execution time of ASAGA for different population sizes and numbers of iterations. As shown in Figure 3: (1) for the same number of iterations, the larger the population size, the larger the time overhead. For example, with 100 iterations, the time overhead for population sizes of 100, 200, 300, and 400 is 0.72, 1.42, 1.95, and 2.35 s, respectively. The main reason is that the search space grows with the population size, which makes each iteration take longer. (2) For a fixed population size, the more iterations, the greater the time overhead. For example, with a population size of 200, the time overhead of 50, 100, 200, and 400 iterations is 0.69, 1.42, 2.81, and 5.60 s, respectively.
Combining Figure 2 and Figure 3, it can be concluded that a larger population size increases the time cost of ASAGA but makes it easier to converge to the optimal solution. Therefore, the population size and number of iterations should be chosen according to the acceptable time cost.
In this paper, MD2RS is compared with the random configuration strategy, the uniform configuration strategy, DSEOM, and SmartSCR. Figure 4 shows the defense return rates of this comparison. For ASAGA, the defense rate of return is taken at a population size of 300 and 200 iterations.
The four comparison methods above are based on the attack graph model shown in Figure 1; the random configuration strategy and the uniform configuration strategy deploy protective measures globally. The attack scenario in the original literature of DSEOM and SmartSCR includes physical nodes, a virtualization layer, and a service layer, whereas this paper only considers the microservice layer and only deploys protective measures there. DSEOM quantifies the importance of each node in the attack graph by its betweenness centrality, that is, the number of shortest paths between any two other nodes that pass through the current node, and uses the D-KIN algorithm to screen out the key nodes of the attack graph. SmartSCR deploys protection measures for all microservices in the environment; although this raises the defense return rate relative to DSEOM, the resource overhead is also relatively large. Considering the diversity of paths from attackers to attack targets in a complex cloud environment, this paper screens out the nodes with in-out degree greater than two as critical nodes from the perspective of degree centrality and performs the multi-replica deployment and dynamic rotation strategy only on the selected key nodes.
Figure 4 shows the defense return rates of the comparison experiment. The defense return rate of the random configuration strategy is the lowest, mainly because of its randomness: aimless deployment of the defense strategy leads to a relatively low return rate. The standard deviation of the unified configuration strategy is the largest, mainly because that strategy changes the number of deployed microservice replicas and the dynamic rotation cycle in a fixed and uniform way. DSEOM is equivalent to selecting nodes on the shortest path on which to deploy defense measures; when attackers recognize the deployment, they may bypass the important nodes. SmartSCR deploys protection measures on all microservice nodes in the cloud environment, so its defense return improves on DSEOM. This paper also protects the selected important nodes, but by degree centrality the nodes with an in-out degree greater than 2 together cover all paths of the attack graph, which prevents the attacker from bypassing the nodes that deploy the defense strategy and reaching the target microservice through another path. Moreover, screening the nodes to protect also reduces the system resource overhead as much as possible. Compared with the other four experiments, the standard deviation of MD2RS is the smallest, so it basically achieves a stable defense effect.
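As an added example (not the paper's code) of the key-node check discussed above, the Python program below selects key nodes of a constructed attack graph by degree centrality (in-degree plus out-degree greater than two, as in this section) and then enumerates every simple path from the attacker to the target to confirm that each passes through at least one guarded node; a path that avoids all guarded nodes is exactly the bypass that the comparison with DSEOM describes. The graph, the node names and the thresholds are constructed for illustration and are not the paper's Figure 1.

```python
"""Added example (not the paper's code): key-node selection by degree centrality
and a path-cover check on a constructed microservice attack graph."""
from collections import defaultdict

# Constructed attack graph (not the paper's Figure 1): an edge u -> v means an
# attacker who controls microservice u can move laterally to v.
EDGES = [
    ("attacker", "web"), ("attacker", "api"), ("web", "api"), ("web", "cache"),
    ("api", "cache"), ("api", "auth"), ("cache", "db"), ("auth", "db"),
]


def degrees(edges):
    """In-out degree (in-degree + out-degree) of every node."""
    deg = defaultdict(int)
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return dict(deg)


def key_nodes(edges, threshold=2, exclude=()):
    """Nodes with in-out degree above the threshold; the attacker and the target
    are excluded because the defense is deployed on intermediate microservices."""
    return {n for n, d in degrees(edges).items() if d > threshold and n not in exclude}


def all_paths(edges, src, dst):
    """All simple paths from src to dst (depth-first enumeration)."""
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in adj[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def uncovered_paths(edges, src, dst, guarded):
    """Attack paths whose intermediate nodes avoid every guarded node: each such
    path lets an attacker bypass the deployed defense entirely."""
    return [p for p in all_paths(edges, src, dst)
            if not any(n in guarded for n in p[1:-1])]


if __name__ == "__main__":
    guarded = key_nodes(EDGES, exclude=("attacker", "db"))
    print("in-out degrees:", degrees(EDGES))
    print("key nodes (degree > 2):", sorted(guarded))
    print("attack paths:", len(all_paths(EDGES, "attacker", "db")))
    print("paths bypassing key nodes:", uncovered_paths(EDGES, "attacker", "db", guarded))
    # A stricter threshold leaves a path unguarded: the bypass discussed above.
    strict = key_nodes(EDGES, 3, ("attacker", "db"))
    print("paths bypassing degree > 3 nodes:", uncovered_paths(EDGES, "attacker", "db", strict))
```

Reporting the list of uncovered paths rather than a single pass/fail keeps the check actionable: each listed path names the nodes that would have to be added to the guarded set, and running it again after any change to the service graph shows whether the chosen threshold still covers every route to the target.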

6. Conclusions

This paper studies the problem that the fine-grained separation of microservices and the frequent communication between them have led to explosive growth of the attack surface exposed by microservices, which makes it convenient for attackers to move laterally between microservices. To solve this problem, this paper proposes a moving target defense method for microservices based on an adaptive simulated annealing genetic algorithm. Firstly, the attack scenario of microservices in the cloud environment was modeled with the attack graph model, and the relationship between the probability of a successful breach of a microservice and its rotation cycle was analyzed. Then, combining the attack graph with the number of deployed replicas and the rotation cycle of each microservice, the defense reward and the required resource overhead of the deployed defense strategy in the current state were computed. Finally, ASAGA is used to solve the optimization problem and verify the effectiveness of MD2RS. Experimental results show that MD2RS improves defense efficiency by 230.7%, 65.20%, 32.26%, and 15.63% over the random configuration strategy, the unified configuration strategy, DSEOM, and SmartSCR, respectively.
The following improvements are proposed: (1) Heterogeneous processing of microservice replicas. In this paper, identical replicas are used for the same microservice, so every replica of a microservice presents the same attack difficulty to the attacker. (2) Because the cloud environment is complex and changeable, this paper only deploys the active defense strategy on the selected important nodes, which is not very dynamic.

Author Contributions

Conceptualization: H.X.; methodology: H.X.; validation: X.Y.; investigation: W.G. and D.Z.; data curation: H.X.; writing—original draft preparation: X.Y.; supervision: D.Z. and W.L.; project administration: G.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research work was supported by the National Key Research and Development Program of China (2021YFB1006200) and the Major Science and Technology Project of Henan Province in China (221100211200).

Data Availability Statement

Data is contained within the article.

Acknowledgments

The authors thank the reviewers for their valuable comments and suggestions.

Conflicts of Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

1. Gannon, D.; Barga, R.; Sundaresan, N. Cloud-native applications. IEEE Cloud Comput. 2017, 4, 16–21.
2. Gao, X.; Steenkamer, B.; Gu, Z.; Kayaalp, M.; Pendarakis, D.; Wang, H. A study on the security implications of information leakages in container clouds. IEEE Trans. Dependable Secur. Comput. 2018, 18, 174–191.
3. Bardas, A.G.; Sundaramurthy, S.C.; Ou, X.; DeLoach, S.A. MTD CBITS: Moving target defense for cloud-based IT systems. In Computer Security–ESORICS 2017, Proceedings of the 22nd European Symposium on Research in Computer Security, Oslo, Norway, 11–15 September 2017; Proceedings, Part I 22; Springer: Berlin/Heidelberg, Germany, 2017; pp. 167–186.
4. Cho, J.-H.; Sharma, D.P.; Alavizadeh, H.; Yoon, S.; Ben-Asher, N.; Moore, T.J.; Lim, H.; Nelson, F.F. Toward proactive, adaptive defense: A survey on moving target defense. IEEE Commun. Surv. Tutor. 2020, 22, 709–745.
5. Alavizadeh, H.; Hong, J.B.; Kim, D.S.; Jang-Jaccard, J. Evaluating the effectiveness of shuffle and redundancy MTD techniques in the cloud. Comput. Secur. 2021, 102, 102091.
6. Alavizadeh, H.; Jang-Jaccard, J.; Kim, D.S. Evaluation for combination of shuffle and diversity on moving target defense strategy for cloud computing. In Proceedings of the 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), New York, NY, USA, 1–3 August 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 573–578.
7. Wang, L.; Wu, D. Moving target defense against network reconnaissance with software defined networking. In Information Security, Proceedings of the 19th International Conference, ISC 2016, Honolulu, HI, USA, 3–6 September 2016; Proceedings 19; Springer: Berlin/Heidelberg, Germany, 2016; pp. 203–217.
8. Xie, G.; Cheng, G.; Liang, H.; Qingfeng, W. Software diversity composition based on multi-objective optimization algorithm NSGA-II. Chin. J. Comput. Sci. 2023, 9, 161–173.
9. Xie, G.; Cheng, G.; Wang, Y.; Qingfeng, W. Software diversity evaluating method based on gadget feature analysis. Chin. J. Netw. Inf. Secur. 2023, 9, 161–173.
10. Luo, S.; Xu, H.; Lu, C.; Ye, K.; Xu, G.; Zhang, L.; Ding, Y.; He, J.; Xu, C. Characterizing microservice dependency and performance: Alibaba trace analysis. In Proceedings of the ACM Symposium on Cloud Computing, Seattle, WA, USA, 1–4 November 2021; pp. 412–426.
11. Zhou, X.; Peng, X.; Xie, T.; Sun, J.; Ji, C.; Li, W.; Ding, D. Fault analysis and debugging of microservice systems: Industrial survey, benchmark system, and empirical study. IEEE Trans. Softw. Eng. 2018, 47, 243–260.
12. Zhao, P.; Wu, L.; Hong, Z.; Sun, H. Research on multicloud access control policy integration framework. China Commun. 2019, 16, 222–234.
13. Yu, T.; Wang, X. Topology verification enabled intrusion detection for in-vehicle CAN-FD networks. IEEE Commun. Lett. 2019, 24, 227–230.
14. Sengupta, S.; Chowdhary, A.; Sabur, A.; Alshamrani, A.; Huang, D.; Kambhampati, S. A survey of moving target defenses for network security. IEEE Commun. Surv. Tutor. 2020, 22, 1909–1941.
15. Venkatesan, S.; Albanese, M.; Cybenko, G.; Jajodia, S. A moving target defense approach to disrupting stealthy botnets. In Proceedings of the 2016 ACM Workshop on Moving Target Defense, Vienna, Austria, 24 October 2016; pp. 37–46.
16. Sharma, D.P.; Kim, D.S.; Yoon, S.; Lim, H.; Cho, J.-H.; Moore, T.J. FRVM: Flexible random virtual IP multiplexing in software-defined networks. In Proceedings of the 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), New York, NY, USA, 1–3 August 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 579–587.
17. Luo, Y.-B.; Wang, B.-S.; Cai, G.-L. Effectiveness of port hopping as a moving target defense. In Proceedings of the 2014 7th International Conference on Security Technology, Glasgow, UK, 9–11 September 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 7–10.
18. Thompson, M.; Evans, N.; Kisekka, V. Multiple OS rotational environment: An implemented moving target defense. In Proceedings of the 2014 7th International Symposium on Resilient Control Systems (ISRCS), Denver, CO, USA, 19–21 August 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 1–6.
19. Sourour, D.; Chen, T.; Feng, Y.; Wang, G. Platform moving target defense strategy based on trusted dynamic logical heterogeneity system. In Proceedings of the 2019 International Conference on Artificial Intelligence and Computer Science, Wuhan, China, 12–13 July 2019; pp. 643–648.
20. Li, L.; Wu, J.; Zeng, W.; Liu, W. Container migration and honeypot deployment strategy based on signaling game in container cloud. Chin. J. Netw. Inf. Secur. 2022, 8, 87–96.
21. Zeng, W.; Hu, H.; Li, L.; Huo, S. Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud. Chin. J. Netw. Inf. Secur. 2021, 7, 95–104.
22. Liu, D.; Hu, H.; Huo, S. Container migration strategy based on moving target defense signaling game. Appl. Res. Comput. 2023, 40, 890–897.
23. Wang, Y.; Guo, Y.; Liu, W.; Hu, H.; Huo, S.; Cheng, G. A task scheduling method for cloud workflow security. J. Comput. Res. Dev. 2018, 55, 1180–1189.
24. Wang, Y.; Guo, Y.; Guo, Z.; Baker, T.; Liu, W. Closure: A cloud scientific workflow scheduling algorithm based on attack–defense game model. Future Gener. Comput. Syst. 2020, 111, 460–474.
25. Tong, Q.; Zhang, Z.; Wu, J. The active defence technology based on the software/hardware diversity. J. Cyber Secur. 2017, 2, 1–12.
26. Taguinod, M.; Doupé, A.; Zhao, Z.; Ahn, G.-J. Toward a moving target defense for web applications. In Proceedings of the 2015 IEEE International Conference on Information Reuse and Integration, San Francisco, CA, USA, 13–15 August 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 510–517.
27. Ahmed, N.O.; Bhargava, B. From Byzantine fault-tolerance to fault-avoidance: An architectural transformation to attack and failure resiliency. IEEE Trans. Cloud Comput. 2018, 8, 847–860.
28. Wang, Y.; Guo, Y.; Guo, Z.; Liu, W.; Yang, C. Protecting scientific workflows in clouds with an intrusion tolerant system. IET Inf. Secur. 2020, 14, 157–165.
29. Wang, Y.-W.; Wu, J.-X.; Guo, Y.-F.; Hu, H.-C.; Liu, W.-Y.; Cheng, G.-Z. Scientific workflow execution system based on mimic defense in the cloud environment. Front. Inf. Technol. Electron. 2018, 19, 1522–1536.
30. Torkura, K.A.; Sukmana, M.I.; Kayem, A.V.; Cheng, F.; Meinel, C. A cyber risk based moving target defense mechanism for microservice architectures. In Proceedings of the 2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom), Melbourne, Australia, 11–13 December 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 932–939.
31. Jin, H.; Li, Z.; Zou, D.; Yuan, B. DSEOM: A framework for dynamic security evaluation and optimization of MTD in container-based cloud. IEEE Trans. Dependable Secur. Comput. 2019, 18, 1125–1136.
32. Zhang, S.; Guo, Y.; Sun, P.; Cheng, G.; Hu, H. Moving target defense strategy optimization scheme for cloud native environment based on deep reinforcement learning. J. Electron. Inf. Technol. 2023, 45, 608.
33. Peng, Y.; Xiaoping, L.; Wei, W. New fuzzy adaptive simulated annealing genetic algorithm. Control Decis. 2009, 24, 843–848.
34. Connell, W.; Menasce, D.A.; Albanese, M. Performance modeling of moving target defenses with reconfiguration limits. IEEE Trans. Dependable Secur. Comput. 2018, 18, 205–219.
Figure 1. Schematic diagram of the attack scenario in a microservice environment.
Figure 2. The defense rate of return of MD2RS varies with population size and number of iterations.
Figure 3. Execution time of ASAGA under different population sizes and numbers of iterations.
Figure 4. Comparison of experimental defense returns.
Table 1. Comparison of related work.

| Related Work | Protecting Nodes | Protection Method | Can the Protection Node Be Bypassed | Resource Cost |
| --- | --- | --- | --- | --- |
| Torkura et al. [30] | All nodes | Reduce common mode vulnerabilities | No | More |
| Jin et al. [31] | Critical nodes | Cleaning | Yes | Less |
| Zhang Shuai et al. [32] | All nodes | Cleaning | No | More |
| Our article | Critical nodes | Cleaning and multiple replica deployment | No | Less |

Table 2. Microservice vulnerability information table.

| Microservice | Attack Target | CVE ID | EM | ECM | ED |
| --- | --- | --- | --- | --- | --- |
| A | Nginx | CVE-2022-41741 | 2.8 | 5.6 | 3.01 |
| | | CVE-2022-41742 | 3.9 | 7.8 | |
| | | CVE-2021-23017 | 2.1 | 6.5 | |
| D | Make_Post | CVE-2022-24969 | 2.7 | 7.1 | 2.94 |
| | | CVE-2021-4034 | 2.1 | 8.6 | |
| | | CVE-2021-25640 | 3.9 | 9.2 | |
| J | Compose_Post | CVE-2021-3129 | 2.2 | 8.3 | 4.70 |
| | | CVE-2022-24828 | 3.9 | 8.8 | |
| | | CVE-2021-29472 | 3.6 | 8.9 | |
| K | Post_Storage | CVE-2021-3129 | 2.8 | 7.9 | 3.01 |
| | | CVE-2024-0195 | 3.9 | 8.8 | |
| | | CVE-2022-27756 | 2.1 | 6.8 | |
| M | MongoDB | CVE-2023-1409 | 2.6 | 7.8 | 2.96 |
| | | CVE-2021-32040 | 3.9 | 8.8 | |
| | | CVE-2021-14786 | 2.1 | 6.3 | |