Toward scalable graph-based security analysis for cloud networks

Cloud-based systems and services are seeing exponential growth in the last few years. Many companies and digital services are actively migrating their storage and computational needs to the cloud. With such an expansion of virtual services, security threats are also significantly increasing. Utilizing the Attack Representation Methods (ARMs) and Attack Graph (AG) enables the security administrator to understand the cloud network's current security situation. However, the AG suffers from scalability challenges. It relies on the connectivity between the services and the vulnerabilities associated with the services to allow the system administrator to realize its security state. This approach caused the AG to be vast and challenging to generate and analyze. To address the scalability challenges, we propose a segmentation-based scalable security state (S3) framework for the network. Our framework utilizes the well-known divide-and-conquer approach to divide the large network region into smaller, manageable segments. We follow a well-known segmentation approach derived from the K-means clustering algorithm to partition the system into segments based on the similarity between the services. A distributed firewall (DFW) separates the segments to ensure the attacker cannot move laterally and compromise them. Our evaluation shows that the separation of segments not only preserves the original reachability and connectivity but also enhances the scalability of the AG. The presented framework (a) provides a scalable attack graph generation algorithm by reducing attack graph generation time and density, which in turn reduces the complexity of security analysis on an extensive cloud network, (b) ensures a loop-free attack graph through the utilization of cycle detection and removal algorithm, and (c) presents an approach to provide the optimal number of segments based on the cost of implementing the segmentation using the distributed firewall rules.