
We develop a hybrid CTMC and queueing model that takes into account the behavior of both the system and the attacker, to proceed to a quantitative assessment of the performance and security attributes of the mobile cloud offloading system under the threat of timing attacks.

Figure 4.1 depicts a performance and security model composed of a CTMC and an open queueing model that describes the dynamic behavior of a mobile offloading system. Compared to the model proposed in the last chapter, which only considers the security attributes of offloading systems, the hybrid CTMC and queueing model proposed here also takes the performance properties of a generic offloading system into account. In the SMP model, we cannot represent the system rekeying rate with a single model parameter. Here, we improve our proposed security model and represent the system rekeying rate with a transition rate in the CTMC model.

The upper part of Figure 4.1 is a CTMC model (the Security Model) that depicts the security attributes of an offloading system. It is a state transition model that represents the system behavior under a specific attack and a given system configuration that depends on the actual security requirements. We assume that the server is configured to renew its key regularly to prevent or handle timing attacks. The lower part of Figure 4.1 is the open queueing model (the Performance Model), which exhibits the offloading decision and the job processing operation.

In our scenario, the offloading system is under timing attacks. If the attacker successfully compromises the system through time analysis, all jobs dispatched to offload are no longer secure; they must therefore be repeated and do not contribute to the throughput. That means only jobs processed locally contribute to the system throughput.

The aim of an attacker is to hack the master secret stored in the server. The attacker records each response time for a certain query and tries to guess the master secret of the server by comparing time differences from several request queues. Obviously, this requires the attacker to spend effort, and we use time to represent the attacking effort. We use an exponential distribution to model the attacker arrival time and the time a timing attack takes.

4.2. THE HYBRID MODEL

Figure 4.1: The hybrid CTMC and queueing model

The upper part of Figure 4.1 shows the CTMC model representing the states of the mobile cloud offloading system. The operational states of an offloading system are abstracted from the system lifetime analysis discussed in Section 3.3.2. The CTMC states are the same as the SMP model listed on page 42. We summarize the parameters of the CTMC model here:

1 rate at which the system launches the rekeying process in state G and state T

2 rate at which an attacker triggers a timing attack on the system

3 rate at which a timing attack succeeds in breaking the system secret

4 rate at which the system is brought back to the good state by the rekeying process

5 rate at which the system launches the rekeying process in state C

6 rate at which the attacker successfully breaks the key but fails to access the data, or simply fails to conduct a successful timing attack

We describe the events that trigger transitions among states in terms of transition rates. We assume that the time the system spends in each state is exponentially distributed. We also assume that there is only one attacker in the system at a time. If an attacker starts a timing attack on the cloud server, the system is brought to the timing attack state T at rate 2. The attacker has to make an effort before he successfully cracks the system secret by a timing attack, at which point the system moves to the compromised state C at rate 3. Consequently, the mean time a timing attack takes is the reciprocal of rate 3. If the attacker fails to conduct a successful timing attack, the system will go back to the good state G by the arc 6.

The rekeying rate is the parameter one can tune as a system administrator. It indicates how often the system launches the rekeying process. The rate 1 is the rekeying rate when the system is in the good state G or in the timing attack state T. The considered mobile cloud offloading system has intrusion detection mechanisms running on it that can find indicators of compromised behavior, in which case the system will trigger the rekeying process more frequently. The intrusion detection mechanism does not trigger the rekeying immediately because of the cost of rekeying to the service performance. So in the compromised state C, we assume the rekeying process is triggered at a different rate: rate 5 = n × rate 1, with n > 1. The parameter n represents the relationship between the rekeying rate (or rekeying frequency) in the good state and the rekeying rate in the compromised state. The rekeying process will bring the system back to the initial state G at rate 4.

The challenge is to find an optimal value for the rekeying interval. The rekeying rate should be high to reduce the security loss cost in state C, but triggering the rekeying process too often will lead to a high system effort cost. We optimize this tradeoff in Section 5.5.
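The following added example (not code from the thesis) builds the four-state CTMC described above and solves for its steady-state probabilities, then sweeps the rekeying rate to show the tradeoff between time spent compromised (state C) and time spent rekeying (state R). The arc layout is an assumption read from the prose because Figure 4.1 is not reproduced here, and all numeric rates are constructed sample values.

```python
from fractions import Fraction

STATES = ("G", "T", "C", "R")  # good, timing attack, compromised, rekeying

def generator(r1, r2, r3, r4, r6, n):
    """Generator matrix Q from the rates numbered 1-6 in the text.
    Arc layout is an assumption read from the prose (figure not available)."""
    arcs = {("G", "T"): r2, ("T", "C"): r3, ("T", "G"): r6,
            ("G", "R"): r1, ("T", "R"): r1,   # rekeying launched in G and T
            ("C", "R"): n * r1,               # rate 5 = n * rate 1, n > 1
            ("R", "G"): r4}                   # rekeying completes
    pos = {s: i for i, s in enumerate(STATES)}
    Q = [[Fraction(0)] * len(STATES) for _ in STATES]
    for (src, dst), rate in arcs.items():
        Q[pos[src]][pos[dst]] = Fraction(rate)
    for i, row in enumerate(Q):
        row[i] = -sum(row)                    # each row of Q sums to zero
    return Q

def steady_state(Q):
    """Solve pi * Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    k = len(Q)
    # One balance equation per state (columns of Q), plus a right-hand side.
    A = [[Q[j][i] for j in range(k)] + [Fraction(0)] for i in range(k)]
    A[-1] = [Fraction(1)] * k + [Fraction(1)]  # replace one with normalisation
    for c in range(k):
        p = next(r for r in range(c, k) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        A[c] = [v / A[c][c] for v in A[c]]
        for r in range(k):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [vr - f * vc for vr, vc in zip(A[r], A[c])]
    return dict(zip(STATES, (row[-1] for row in A)))

def sweep(rekey_rates, r2, r3, r4, r6, n):
    """Return (rate 1, P(C), P(R)) for each candidate rekeying rate."""
    out = []
    for r1 in rekey_rates:
        pi = steady_state(generator(r1, r2, r3, r4, r6, n))
        out.append((r1, pi["C"], pi["R"]))
    return out

if __name__ == "__main__":
    # Constructed sample rates (events per unit time), not values from the thesis.
    for r1, p_c, p_r in sweep([1, 2, 4, 8], r2=2, r3=3, r4=10, r6=1, n=2):
        print(f"rate1={r1}: P(C)={float(p_c):.3f}  P(R)={float(p_r):.3f}")
```

With these sample values, raising the rekeying rate lowers the fraction of time in the compromised state while raising the fraction of time spent rekeying, which is the tradeoff the text describes.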

4.2.1 Performance Analysis

When jobs are generated by a mobile application, they are either offloaded to the cloud or executed locally. In the rekeying state R, the system refuses all user requests and all jobs are processed locally on the mobile device. Consequently, all jobs are dispatched to the Mobile device queue and some jobs will be lost. As a result, the system throughput is degraded, so the rekeying period should be as short as possible. When the system is in the compromised state C, which means the attacker has successfully compromised the system through a timing attack, all jobs dispatched to offload are no longer secure. Hence they must be repeated and do not contribute to the throughput. The lost jobs are represented by the red arc in Figure 4.1. In this state, only jobs processed locally on the mobile device contribute to system throughput.

The lower part of Figure 4.1 shows the queueing model proposed to exhibit the performance attribute of the system. The two queues express the job processing by the cloud server and the

4.3. MODEL ANALYSIS