Keywords

1 Introduction

It is commonly agreed that cloud computing has revolutionized the IT sector by pushing companies to opt a pay-per-use model for access on-demand services [1]. Concretely, a third-party vendor manages a huge range of functions from storage to processing. Despite its successes, cloud faces numerous obstacles that could affect its large-scale deployment and effective integration.

On the one hand, security concerns remain one of the most significant challenges facing public cloud [2, 3]. Note that traditional security measures focus considerably more on an access control and a secured communication channel between two sides (clients and cloud servers). Unfortunately, these encryption approaches are not suitable for the cloud environment since the end-users may lose control over their outsourced data. Such situation would reduce the ability of cloud providers to run the arbitrary computations and execute queries over encrypted data as well [4]. Besides, cloud storage may confront all kinds of attacks, i.e. insiders and outsiders [5]. Hence, robust data security strategies are deployed before uploading data to the cloud computing [6]. Based upon this consideration, cloud providers should strive to protect their clients’ privacy through standards that take into account the following factors: confidentiality assurance, integrity protection, availability, secure access, compliance with laws and regulation, service audition [7]. Obviously, the implementation of security measures is necessary to boost the large-scale adoption of this new technology. In fact, it is clearly evident that there is an economic gain for cloud providers when building customer trust and loyalty [8].

On the other hand, the required cybersecurity measures to tackle cloud threats are often considered a large investment with a low profit margin. In practice, developing efficient countermeasures that creates a win-win situation comes with new challenges linked to the exponential increase of cyber attacks. The adopted policy is usually updated by comparing the payoff with the cost of the chosen defense mechanisms. In this case, risk analysis and the decision-making process is applied in cloud environment to answer the question regarding how the cloud providers will react to the attacker actions and then select appropriate security policy.

Based on the circumstances described above, game theory models are used to address potentially conflictual issues between cloud providers and attackers by exploring and analyzing the interactions among [9,10,11]. Notably, these models can successfully overcome many limitations of traditional solutions as they are characterized by the following attributes: proven mathematics, reliable defense, timely action, distributed solutions [12]. Logically, threats modeling process is done at an early stage to determine the potential loss or damage when adversaries exploit cloud vulnerabilities to gain unauthorized access to an asset. In fact, the most difficult challenges influencing the adoption of the cloud multi-tenancy and distributed nature of this environment. In the next step, game-theory models are extensively applied in cloud computing to analyze the interactions between attackers and defenders [13]. This stage is very crucial in choosing the defense mechanisms that ensure the right balance between security and profit [14]. In this chapter, we concentrate on two major constraints during the problem formulation. First, robust security measures are required to attract more consumers and generate higher returns on investment. Second, this strategy may necessitate a heavy investment in terms of the operating costs of security countermeasures. In light of this fact, this study suggests a game theory model based on minimum expenses made on security measures, as well as high-profit margin services. Additionally, we show how existing models in each field are being adapted to deal with security and privacy concerns and their limitation as well. In this respect, we propose an improved attacker-defender game model to elaborate an optimal strategy that figures out the right balance between data security measures and the profitability. Unlike existing models, we suggest a hybrid approach based on threats modeling and zero-sum games for decision-making in cloud threats.

The rest of this paper is organized as follows. Section 2 examines and analyzes the related work in this field. Section 3 provides background information on cloud threats and the principle of game theory, and we formulate and discuss the proposed game model. In Sect. 4, we highlight the major limitations of existing models as well as the fundamentals of the improved approach to tackle cybersecurity threats in cloud computing. Conclusion and perspectives are given in Sect. 5.

2 Related Work

This section briefly discusses the existing body of other researches related cyber-security game, and mentions how this method is used to analyze cloud market. In [12, 15], a comprehensive survey is provided especially the main difference between the existing game models applied to cyberspace security issues. To deal with complex systems, agent-based modeling and game theory are used to find the appropriate solution for attackers/defenders strategy [16]. In dynamic systems, stochastic game theoretic method and weighted directed graphs are used to detect intrusions in the case of computer networks [17]. Usually, game theory is used in risk analysis for strategic decision-making in the presence of adversarial attacks [18, 19]. In this respect, this technique is used for defending against a distributed denial of service attack in cloud computing [20]. In the same line, stackelberg games [21, 22] evolutionary game theory [23] are used to establish an optimal protection strategy by using game model of attack-defense scenarios. The authors in [24] rely on game theoretical analysis to determine the minimum verification requirement for cloud resources, and the optimal strategy of security policy. To this aim, they use Stackelberg game for deterministic verification model, and a probabilistic model as well. Alternatively, fuzzy inference method is used for selecting storage solutions in cloud [25]. In [26], the authors suggested a stackelberg game to find an optimal strategy that checks the outsourced data regarding its integrity and availability. In [27], game theory is used to define an optimal strategy for pricing scheme and resource allocation in cloud computing. They use mainly stackelberg equilibrium to obtain near optimal state for system’s performance. Kamhoua in [28] use game theory to deal with cyber security interdependency in cloud computing. Basically, they analyze the impact of successful attacks on VM availability as well as the required expense associated with countermeasures. Besides, game theoretic model is used to ensure truth-telling ones among cloud providers. Tosh et al. use in [29] an evolutionary game theoretic model to share, among cloud providers, solutions that limit cyber attacks. More specifically, they use both dynamic cost scheme and distributed learning heuristic method to analyze how security investment affects the cybersecurity information sharing decisions.

As outlined above, significant progress has been realized in the analysis of cybersecurity in cloud computing by using game theoretic models. However, the majority of existing approaches attempt to find the most generic solution that will work with all of the cloud threats. Besides, rigorous cloud threats evaluation methodology was not used. Unlike existing models, this study considers the importance of probabilistic risk models to analyze cloud threats. Additionally, we extend the traditional attacker-defender model by using a zero-sum game-theoretic to capture the dynamic nature of safety and security in cloud computing.

3 Background and Problem Statement

Overall, cyber-security is a critical process to successful identification of essential vulnerabilities and threats in cloud services so as to protect them. It is recognized that traditional methods usually involve a never-ending cycle of detection and response to new attacks taxonomy and countermeasures. Because of the cost involved in deploying security measures, we suggest game theory to make the analysis and then put forward suggestions for cloud providers to invest in optimal security strategies. In this section, we first introduce the case study that illustrates security risks in cloud computing. Afterwards, we discuss how to model these threats and potential countermeasures.

3.1 Scenario

As stated in the ISO/IEC 27005 guidelines [30], a formal risk management process is fundamental to identify, estimate and evaluate the potential attacks that affect data confidentiality, integrity, and availability. In general, one of the underlying principles of security is ensuring that all entities involved in data management should strongly consider compliance with regulations and privacy standards. Hence, data protection is crucial for a successful implementation and use of remote cloud applications.

Basically, the entire cloud ecosystem consists of four different entities [31]: (1) the data owner, who is also a cloud user and has large amount of data to be stored in the cloud computing. (2) The cloud consumer, who is authorized by the data owner to access his data. (3) The cloud server, which is managed by cloud providers to offer remote services like storage, data sharing and processing. (4) The third party auditor (TPA), which is the trusted entity that assesses the cloud storage security on behalf of the data owner upon request. The system architecture for cloud services can be depicted as in Fig. 1.

Fig. 1.
figure 1

The main parties involved in cloud ecosystem

Full size image

In general, cloud service providers implement the necessary data protection mechanisms for online services to ensure compliance with cyber security regulations and the fulfilment of Service Level Agreement (SLA). Unfortunately, users and cloud providers may also cause vulnerabilities to distributed systems. In fact, user vigilance, information leakage by social engineering, and unawareness of security threats can lead to damage [32]. Thus, users should be aware of risk factors that can lead to potential cloud vulnerabilities; among these are poor access management, data breach and data leak, data loss, insecure API, misconfigured cloud storage, DoS attacks, malicious insiders, account hijacking, hared dangers, etc. [33]. In this context, Table 1 provides the main threats and its impacts in cloud computing.

Table 1. The major cloud threats [34]
Full size table

Briefly, security risk can be formally defined as the possibility of a threat to exploit particular cloud vulnerability. Based on the nature of countermeasures, each risk correctly represents the relationship between the probability of security threat event and magnitude of its consequence, using their product [35].

$$ {\text{Risk}} = {\text{Threat}}\;{\text{probability}}\, \times \,{\text{Potential}}\;{\text{loss}} $$

Let’s consider two events X1 and X2 associated with two threats with different attack densities λ1 and λ2 respectively.

The probability of two attacks, which are observed in t time units, can be estimated as follows [36].

$$ {\text{X}}\left( {\text{t}} \right) = {\text{X}}_{{1}} \left( {\text{t}} \right){\text{ + X}}_{{2}} \left( {\text{t}} \right)\;{\text{and}}\;{\text{for}}\;{\text{t}} \ge {0} $$
$$ {\text{P }}\left\{ {{\text{X}}_{{1}} \left( {\text{t}} \right){\text{ = n}}_{{1}} } \right\} \, = e^{{ - \lambda_{1} }} \frac{{\left( {\lambda_{{1{ }}} t} \right)^{{n_{1} }} }}{{n_{1} !}} $$
$$ {\text{P }}\left\{ {{\text{X}}_{{2}} \left( {\text{t}} \right){\text{ = n}}_{{2}} } \right\} \, = e^{{ - \lambda_{2} }} \frac{{\left( {\lambda_{{2{ }}} t} \right)^{{n_{1} }} }}{{n_{2} !}} $$

As the X (t) is a Poisson process, the probability of these attacks is.

$$ \begin{aligned} P{ }\left\{ {X{ }\left( t \right){ } = { }n} \right\}{ } = & \,\sum\nolimits_{{n_{2} }}^{n} {P{ }\left\{ {{\text{X}}_{1} \left( t \right){ } = { }n{ } = { }n_{2} } \right\}{ }P{ }\left\{ {X_{2} \left( t \right){ } = { }n_{2} } \right\}} \\ = & \,\sum\nolimits_{{n_{2} = 0}}^{n} {e^{{ - \lambda_{1} t}} \frac{{\left( {\lambda_{1 } t} \right)^{{n - n_{2} }} }}{{\left( {n - n_{2} } \right)!}} e^{{ - \lambda_{1} t}} \frac{{\left( {\lambda_{2 } t} \right)^{{n_{2} }} }}{{\left( {n_{2} } \right)!}}} \\ = & e^{( \lambda_{1}t + \lambda_{2})t}\,\frac{{\left\{ {\left( {\lambda_{1} + \lambda_{2} } \right)t} \right\}^{n} }}{\left( n \right)!} \\ \end{aligned} $$
(1)

Hence, Hyper-Erlang distribution is used to model the effect of cloud attacks [36]:

$$ G\left( x \right) = \sum\nolimits_{i = 0}^{n} {P_{i} { }E_{i}^{r} \left( x \right)\;0 < P_{i} \le 1} $$
(2)

Where \({\text{E}}_{{\text{i}}}^{{\text{r}}}\) is the r-stage Erlang distribution with the probability \( {\text{P}}_{{\text{i}}}\).

We suppose that security attacks on cloud computing assumed to be a Poisson distribution with the effect parameters λ. Hence, the effect of security attacks in cloud computing can be expressed as [36]:

$$ P\left\{ {G_{t} = \frac{r}{t}} \right\} = { }\frac{{e^{ - \lambda t} \lambda t^{r} }}{r!}\,\text{where}\; \uplambda , \, \text{r} \, \ge \, 0 $$
(3)

3.2 Game Theory for Modeling Cloud Attacks

Basically, we can perform risk analysis more accurately if we place the situation in the form of a ‘game’ with two players, i.e. attackers and defenders. The central idea behind using game analysis is to find out how the players choose their strategies in different situations that maximize their own utility. At its simplest level, game theory would help cloud providers define their security policy and understand the return of an investment compared to its risk.

Formally, there is two players P1 and P2 (attacker and defender) in the cloud security game. In this case, the player i selects a security strategy from \(S_{j}\) that generates the payoff/utility \(u_{j}\). In this context, the combination of the selected strategies of the attacker or defender is considered as a strategy profile. Cyber-security game in cloud can therefore be formulated as follows:

$$ Game = (P,{ }(S_{j} )_{i \in P} ,{ }(u_{j} )_{i \in P} ). $$
(4)

Obviously it is impossible for cloud providers to act against all the defensive attacks at all times. Moreover, each player's payoff is affected by both the actions taken by him and the other player. In fact, the attacker is trying to maximize the amount of damage and effect of security attacks in cloud computing, which are expressed in Eq. 3. In the same line, cloud providers need to invest in securing their data by implementing robust measures to reduce the risk of cyber attacks.

As a consequence, a good investment decision rule has to maintain a fair balance between the cost of each security policy and its generated revenue. The maximum utility is achieved if all players are expected to converge to the state represented by the Nash equilibrium. At this steady state of cloud market, there is no player who can improve its profit by unilaterally modifying its strategies if the actions of the other are fixed. Mathematically, the Nash equilibrium strategy is a best reaction for both services provider and attacker. A strategic form of a state is formalized as follows:

$$ U_{j} \left( {\gamma_{j}^{*} ,{ }\gamma_{ - i}^{{* }} } \right) \ge { }U_{j} { }\left( {s_{j} ,\gamma_{ - i}^{{* }} } \right)\;\;\forall s_{j} \in S_{j} ,{ }\forall j{ } $$
(5)

Where the strategy \(\gamma^{*}\) is the Nash equilibrium.

For the sake of simplification, the used security game models in this study share the following key assumptions: (1) protection costs are identical for all cloud entities, (2) attackers launch only one kind of attack at a time, (3) all players’ decision are made simultaneously.

It may be the case when a cloud provider wants to generate the expected profit B by choosing the appropriate measures that maintains trust level φ, where 0 ≤ φ ≤ 1. In this case, a successful cyber-attack can cause major damage to cloud, which is denoted L. Additionally, the most common cybersecurity attacks carried out against cloud have the probability distribution p, where 0 ≤ ρ ≤ 1.

Based on the circumstances of this case, the generic utility function [37] has the following structure:

$$ {\text{U}} = B - pL\left( {1 - \varphi } \right) $$
(6)

Note that the defender and the attacker strategy is limited by cost. Hence, we use a cost function f (x) [16] to define the relationship between security expenses and trust level \(\varphi\).

figure a

Where a and b are the scaling and asymptote parameters, respectively.

The attacker aims to maximize the amount of damage he causes, while the defender is trying to protect the targets and minimize the loss as well. Besides, this occurs because the attacker and the defender play simultaneously. An attacker-defender game represents the situation of a perfectly competitive in which one player can win something only by causing another player to lose it. The interactions of the attacker and the defender are typically modelled with a two-player zero-sum game aimed at more accurately predicting appropriate countermeasures against threats.

4 Improved Attacker-Defender Game Model

On the whole, attacker-defender game is a fairly new methodology for modeling security in highly complex distributed systems. The main feature of this modeling approach is the presence of a set of entities with different attributes and behaviors, and also the relationships between attackers and defenders.

In this case study, we will use a set of simple strategies for a non-cooperative game between a cloud provider and attacker. Logically, cloud providers can choose investing in protecting their data from cyber-attacks, recognizing that their choices will affect the expected profit. That is, each defender has two strategies: Invest in security (IS) or Not to Invest (NIS). In the same vein, the attacker has two strategies: launch an attack (A) on the cloud provider or Not launch an attack (NA). As security is the most principal factor in influencing the take-up of cloud services, end-users have two variants: trust (T) or (2) distrust (D) the cloud provider. After analyzing the interactions among players involved in cloud security, we use game theory models to produce an optimal decision-making for the adopted security policy.

Based on the circumstances described above, considering the case of a three-player game with a 3-tuple (T, IS, A) that represent a strategy profile, the utility function can be described as follows [38]:

The cloud payoff:

$$ {\text{U}}\left( {{\text{T}},{\text{IS}},{\text{A}}} \right) = {\text{G}} -\uplambda + {\text{a}}\uplambda $$
(7)

Where

  • G: refers to the total costs of the delivered services

  • λ represents the total loss after attacks, which is calculated using Eq. 3

  • α is the probability of these attacks, which is calculated using Eq. 1

Naturally, each cloud provider would expect to get an outcome R obtained after investing in security measures and also incurs a cost e for the security expenses. Here the attacker can cause damage λ with a probability α by launching attacks against a particular cloud resource.

For Nash equilibria, it can help predict the behavior of the cloud provider wanting to maximize their payoff in the game [38].

$$ R - e - \lambda \left( {1 - { }\alpha } \right) > { }R - \lambda ,{\text{where}}\,\,{\text{e}} < \uplambda \alpha $$
(8)

It means that investing in security measures is the best option for the cloud provider in order to reduce risk of users’ data leakage and improve the profit margin.

A survey of current game models applied in cloud demonstrates the importance of understanding the relation between the two parties involved in data security, i.e. providers and attackers. In general, the attacker’s objective is in conflict with that of the cloud provider that aims at minimizing the damage of cyberspace. Thus, the issue between the provider and the attacker is commonly formulated as a non-cooperative model so as to capture the dynamic nature of the two parties’ behavior. However, despite the importance of the existing models, most of them did not take into account other requirements linked to security’s assumptions and constraints.

Based on this consideration, we are interested in dynamic non-cooperative model [39] because it is very useful in modelling and evaluating multiple actions taken by individual players. More precisely, we suggest zero-sum games for decision-making problems involving competition between cloud providers and attackers; where there is one winner and one lose. In fact, cloud providers have a strong interest in defending their facilities against intentional attacks, assuming the attacker will adopt a best response to defender's strategy. In other words, each cloud provider's gain or loss of utility is exactly balanced by the loss or gain of the attackers. Consequently, there is a single optimal strategy that is preferable to cloud provider to prevent data disclosure, while maintaining a reasonably high security level at low cost. This work introduced the idea that this conflict of interests could be formally expressed and analyzed by zero-sum games [40, 41]. For cloud threats, we rely on the study carried on the Sect. 3.1. For simplicity reasons, we only consider three elements to model the relation or competition in cloud market game: players, actions for implementing security strategy, and payoff matrix. Before giving the formal description of the game model, we first define the role of each player:

  • Players. We consider two players: (1) attackers which benefit from harming cloud services (2) cloud provider utilize countermeasures to reduce the impact of attacks so as to protect clients' data.

  • Action sets. It represents the sets of actions for each player. For cloud provider, we consider D = {d1, d2, …, dm} as m refers to the number of the implemented security mechanism to protect outsourced data. Meanwhile, the attacker can conduct malicious actions that exploit n vulnerabilities in cloud computing; these actions are represented as A = {a1, a2, …, an}.

  • Payoff matrix. We use a reward function to essentially model the attacker’s motivation and provider’s payoff for an action \(\Upsilon _{ij}\) (the action i for attacker and reaction j of cloud provider). This function is n × m matrix; each row represents the attacker action while each column is the possible cloud provider's reaction corresponding to this action. The payoff matrix can be expressed in the following way in mathematical terms:

    (9)

The payoff function regarding cybersecurity in cloud computing can be expressed as follows [39]:

$$ \Upsilon_{{{\text{ij}}}} = {\text{s}}_{{\text{j}}} - \left( {{\text{s}}_{{\text{i}}} \times {\text{e}}_{{{\text{ij}}}} } \right) + {\text{U}} \times {\text{p}}_{{\text{i}}} \times \left( {1 - {\text{e}}_{{{\text{ij}}}} } \right) + {\text{r}}_{{\text{i}}} \times \left( {1 - {\text{e}}_{{{\text{ij}}}} } \right),\forall {\text{i, j}} $$
(10)

Where

  • si is the cost of implementing a defense strategy

  • eij is the metric to measure efficacy of a defense mechanism

  • U is the total production (the availability) of cloud services

  • pi is the rate of the loss in the cloud services caused by attack type i

  • ri is the recovery cost associated with action i due to a specific attack

To efficiently predict the behavior of attacker and defender, threat detection has evolved from static to dynamic behavioral analysis. Accordingly, the proposed approach to secure cloud computing is essentially composed of two stages: (1) threats modeling and (2) game theory optimization, as illustrated in Fig. 2.

Fig. 2.
figure 2

The flowchart of the proposed approach

Full size image

5 Conclusion

Despite still being in its infancy, the usage of game theory in cloud computing is a promising approach to promote this new paradigm. There have been several attempts to adopt game theory to ensure a healthy balance between productivity and security. Originally, game theory can successfully model the interaction between attackers and services providers. This work summarizes the advantages and limitations of existing game models to address cyber security risks in the cloud environment. Even though these models are extremely useful to find the most optimal solution, there are still improvements that need to be made to meet the expectations of both the providers and the end-users. In this respect, threats modeling methodology is an initial stage towards improving the elaboration of any security policy. Besides, it is important to select the most appropriate game theory model that well capture the essential characteristics of cloud computing and cyber security features. To this aim, we suggest zero-sum game model for selecting the most appropriate countermeasure options to a given threat in argue-scale cloud data centers. More precisely, the proposed strategy would undoubtedly help cloud providers take decisive and appropriate actions against adversary attacks. In the future work, we plan to analyze cybersecurity issues in cloud computing using zero-sum game with rational players and the proposed threats model [42]. Besides, we intend to study the influence of the suggested countermeasures on each player’s payoff through numerical simulation and experimental validation. Another interesting and promising approach is the utilization of evolutionary games [43, 44] to analyze the dynamic relationship between attacker and defender, a process which clearly follows the evolutionary models more closely. Besides, stackelberg game is also a promising technique to simulate attacker/defender behavior for situation where the defender only knows the prior probabilities of different types of attackers.