Security method for allocation of virtual machines in a cloud computing network

Kwiat; Luke, Kamhoua; Charles, Kwiat; Kevin
Patent Number
9832220
Issue Date
2017-11-28
Patent Link
Abstract
A method for enhancing security in a cloud computing system by allocating virtual machines over hypervisors, in a cloud computing environment, in a security-aware fashion. The invention solves the cloud user risk problem by inducing a state such that, unless there is a change in the conditions under which the present invention operates, the cloud users do not gain by deviating from the allocation induced by the present invention. The invention's methods include grouping virtual machines of similar loss potential on the same hypervisor, creating hypervisor environments of similar total loss, and implementing a risk-tiered system of hypervisors based on expense factors.
Description
BACKGROUND OF THE INVENTION
Cloud computing is the use of computing resources (hardware and software) delivered as a service over a network, such as the Internet. Cloud computing services can provide computational capacity, data storage, and networking/routing via a large pool of shared resources operated by an independent provider. Since the computing resources are delivered over a network, and control of the physical resources is separated from control of the computing resources, cloud computing is location-independent. This has allowed end users of cloud resources to achieve quick, dynamic scalability without accruing much overhead cost or many long-term commitments to purchasing computing resources. There are different approaches to setting up cloud computing systems, each structured to the needs of the end user. The different approaches are usually referred to as "public clouds," "private clouds," "hybrid clouds," and "multi-vendor clouds." However, one of the largest discouragements from using cloud services, particularly public cloud services, comes from the inherent and unknown danger stemming from a shared platform: the hypervisor. A hypervisor acts as the central manager of all end users' resources on a cloud network. These resources usually are embodied as virtual machines (VMs), where a VM acts as an implementation of a computer system and can run and execute programs as though they were running on a physical computer. A cloud computing facility can have hundreds of hypervisors that run thousands of virtual machines for many different end users. Since many different users can run VMs on the same physical hardware, this allows for possible exploitation by malicious entities. An attacker can launch an attack on a VM and then compromise the underlying hypervisor and hardware. The attack can then be distributed throughout the hypervisor and onto all VMs running on that hypervisor.
Under these conditions, one user's VM may be indirectly attacked when a direct attack is successfully launched on a different user's VM on the same hypervisor. This is possible because of unknown security vulnerabilities of the hypervisor, which, once compromised, can allow an attacker to permeate every VM on the targeted hypervisor [1]. This creates a risk phenomenon where a user must be aware not only of their own defenses against compromise, but also of the defenses of other users. As a result, users with significant information assets could be discouraged from using the cloud, since the potential loss associated with a successful attack is too large compared to the cost savings from switching to cloud resources. This phenomenon exhibits the game-theoretic problem of negative externalities and interdependency, where the security of one player affects the security of another. As previously stated, a cloud provider can have hundreds of hypervisors and thousands of VMs to manage at any given time. One of the largest tasks a cloud provider must undertake on a constant basis is the proper assignment of newly created VM instances to hypervisors. This process is referred to as allocation. The allocation process, and the determination of which hypervisor a VM is assigned to, usually includes several variables that are tailored to the individual cloud provider's preferences. Most methods for VM allocation consist of several quantifiable metrics such as load balancing and energy consumption. There have also been several patented methods for allocating VMs based on market demand [U.S. Pat. No. 9,027,024] or scarcity of resources [U.S. Pat. No. 8,464,267]. However, there exists no current allocation process that considers cloud security in an efficient or systematic manner. With security becoming an increasingly important concern among both public and private interests, cloud providers must begin to consider security-aware allocation mechanisms.
The invention serves to provide a VM allocation process based on security needs, in order for cloud providers to further improve the utility that cloud resources offer end users. Due to the interacting and interdependent nature of cloud users and infiltrators, the present invention is based on the mathematical discipline of game theory. Game theory has been used in economics and business. In the present invention, a method has been devised for allocating VMs over hypervisors in a security-aware fashion. The result is an equilibrium among users of VMs in a cloud computing environment. The equilibrium is stable because, unless there is a change in the conditions under which the present invention operates, the cloud users do not gain by deviating from the allocation induced by the present invention.
OBJECTS AND SUMMARY OF THE INVENTION
The features and advantages described in this summary and the following detailed description are not all-inclusive. Many additional features and advantages will be apparent to one of ordinary skill in the art in view of the drawings, specifica
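To make the allocation idea in the abstract and background concrete (grouping VMs of similar loss potential on one hypervisor, forming hypervisors of similar total loss, and pricing them in risk tiers), here is an added illustration in Python. It is not the patent's own method or code: the loss-potential figures, the even split of VMs across hypervisors, the per-tier expense factors, and the "spread" metric used to compare a security-unaware round-robin placement against the loss-tiered placement are all constructed assumptions for this example.

```python
"""Illustrative security-aware VM allocation (added example, not the patent's code).

Assumptions (not from the patent text): each VM carries a numeric loss potential
supplied by its owner, every hypervisor holds the same number of VMs, and the
expense factor charged per risk tier is a constructed lookup table.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VM:
    name: str
    loss_potential: float  # assumed: owner's estimated loss if the VM is compromised


# Constructed sample tenants; arrival order deliberately mixes high- and low-value VMs.
SAMPLE_VMS: List[VM] = [
    VM("web-a", 10.0), VM("db-bank", 900.0), VM("test-1", 1.0),
    VM("db-hr", 800.0), VM("web-b", 12.0), VM("test-2", 2.0),
]

# Assumed expense factor per risk tier (tier 0 = hypervisor with the highest total loss).
EXPENSE_FACTOR: Dict[int, float] = {0: 1.5, 1: 1.0, 2: 0.8}


def round_robin(vms: List[VM], num_hv: int) -> List[List[VM]]:
    """Security-unaware baseline: place VMs on hypervisors in arrival order."""
    hvs: List[List[VM]] = [[] for _ in range(num_hv)]
    for i, vm in enumerate(vms):
        hvs[i % num_hv].append(vm)
    return hvs


def loss_tiered(vms: List[VM], num_hv: int) -> List[List[VM]]:
    """Group VMs of similar loss potential on the same hypervisor.

    Sorting by loss potential and cutting the sorted list into equal slices puts
    neighbours of comparable value together, so no high-value tenant depends on the
    (presumably weaker) defenses of a low-value co-tenant.
    """
    if len(vms) % num_hv:
        raise ValueError("example assumes VMs divide evenly across hypervisors")
    per_hv = len(vms) // num_hv
    ordered = sorted(vms, key=lambda v: v.loss_potential, reverse=True)
    return [ordered[i * per_hv:(i + 1) * per_hv] for i in range(num_hv)]


def spread(hv: List[VM]) -> float:
    """Gap between the most and least valuable tenant sharing one hypervisor."""
    losses = [v.loss_potential for v in hv]
    return max(losses) - min(losses)


def worst_spread(hvs: List[List[VM]]) -> float:
    """Largest value mismatch on any hypervisor; the externality a high-value user faces."""
    return max(spread(hv) for hv in hvs)


def total_loss(hv: List[VM]) -> float:
    """Total loss potential hosted on one hypervisor."""
    return sum(v.loss_potential for v in hv)


def tier_prices(hvs: List[List[VM]]) -> Dict[int, float]:
    """Rank hypervisors by total loss and attach an expense factor per tier."""
    ranked = sorted(range(len(hvs)), key=lambda i: total_loss(hvs[i]), reverse=True)
    return {hv_idx: EXPENSE_FACTOR[tier] for tier, hv_idx in enumerate(ranked)}


if __name__ == "__main__":
    for label, alloc in (("round-robin", round_robin(SAMPLE_VMS, 3)),
                         ("loss-tiered", loss_tiered(SAMPLE_VMS, 3))):
        print(f"{label}: worst spread = {worst_spread(alloc)}")
        for idx, hv in enumerate(alloc):
            print(f"  hv{idx}: {[v.name for v in hv]} total loss = {total_loss(hv)}")
    print("tier prices:", tier_prices(loss_tiered(SAMPLE_VMS, 3)))
```

With the constructed input, round-robin leaves a bank database beside a low-value web server (spread 888), while the loss-tiered placement keeps the two databases together on one hypervisor (spread 100) and assigns that hypervisor the top-tier expense factor, which is the pricing lever the abstract refers to.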