A. Continuous Monitoring

To continuously monitor their infrastructure, the MNOs must have the ability to uninterruptedly verify the status of the computing, storage, and network components in the physical and virtual planes as well as the VNFs in the security service plane running on their multiple cloud systems. For an effective 24/7 monitoring to take place, the NFV MANO must have services in place that navigate seamlessly throughout the three planes and provide an updated status of the physical servers, the hypervisors, the virtual servers, the network connections, and the interactions between planes. It also should be able to take the right action when a malicious intent is found or a threshold is reached.

The success of a continuous monitoring depends on the pervasive capillarity of security services, which in turns implies the ability to reach every network segment of the virtual and physical ultra-dense 5G infrastructure. Additionally, the health of VNFs that deliver security services should be monitored and fault-tolerance procedures, which will ensure an interrupted service delivery in case of a failure, should be operational. Furthermore, a deep inspection of the virtualized infrastructure is paramount for securing the three planes holistically. In this respect, hypervisor introspection procedures that parse the running VMs can be applied to secure the operations of the VMs, the corresponding hypervisor, and consequently the corresponding physical server [1], [4]. By monitoring the communication services, storage services, and computing services of a VM, introspection techniques provide the hypervisors with the ability to detect abnormal activities that is critical for the success of a continuous monitoring.

B. Ubiquitous Monitoring

Given the comprehensiveness and the densified nature of 5G systems, ubiquitous monitoring will be possible only if the MNOs have enough networking and computing resources in every network segment to support the execution of security services, the system operation, and the MCC services simultaneously. Nonetheless, due to the proximity to end users, openness and freedom of wireless communications, intricacies of cloud configurations, and inherent resource-constrained nature, it is likely that hackers are going to primarily focus on the edge servers. In this sense, the MNOs can respond proactively by creating security policies and mechanisms that intelligently exploit the presence of multiple cloud layers and wireless connections to cooperatively mitigate the risk across the entire infrastructure. For instance, secure VM migration techniques can be triggered to transfer latency-insensitive applications to the back-up cloud to free up enough capacity at the edge network in such a way that a SSC comprised of virtual IDP/IPS and virtual firewalls could be leveraged.

Since ubiquitous monitoring will require the instantiation, monitoring, and possibility the chaining of VNFs in an on-the-fly manner, it is paramount to prevent the tampering of VNFs from happening while its image is transferred to the edge server. The detection of a malfunctioning or corrupted security service, which is supposed to safeguard the system, might be a difficult undertaking, which can potentially wreak havoc the entire MEC site while creating a security hole for hackers to exploit to. The use of a private key infrastructure to verify the integrity of the secure VNFs prior to their launching arises as a viable solution to this issue [4].

It is worth noting that a failure in the provisioning of ubiquitous monitoring might put extra pressure on the continuous monitoring which may take longer to detect a malicious activity (or its effect) that occurs in an unmonitored network segment. This delayed detection might be just the time that hackers need to adversely affect the system or exfiltrate the user data.

C. Proactive Monitoring

Proactive monitoring refers to the ability of anticipating the threats and mitigating their risks. To this end, the MNOs should offensively attack their own infrastructures using ethical hacking and implement the respective system controls to avoid the erosion of the system security.

Several benefits can be harvested from a proactive monitoring. Firstly, the MNOs will raise their awareness on their own architecture and exploitable vulnerabilities. Secondly, by discovering and fixing the security flaws in the earlier stages, they can reduce the system exposition, which will give less time for hackers to take advantage of the security holes. Thirdly, they can minimize the uncertainty of handling an attack by anticipating potential incidents and devising a plan that will save them from experiencing financial losses due to data theft, system unavailability, damage to brand reputation, to name a few. Last but not least, proactive monitoring is a practice that will incrementally enhance the continuous and ubiquitous monitoring. For instance, the red team will systematically attack the building blocks of the physical plane, the virtual plane, and the security service plane while the blue team will defend against these attacks by leveraging the omnipresence and orchestration ability of the NFV MANO. In this respect, the blue team can customize innovative security services for a specific attack such as creating a chain of detection, prevention, and firewalling services on-demand or apply security controls such as disconnecting virtual network segments, or replacing an existing compromised physical server while distributing its operational and healthy VMs across multiple cloud layers. As a consequence, the outcome of every red-blue team simulation is a more effective defense system.

A. Risk Identification

As stated earlier, there is no risk without an asset. By the same token, without a vulnerability, a threat cannot endanger an asset. Bearing these principles in mind, the risk identification phase aims at creating an inventory of the MNO’s assets, vulnerabilities, and threats. In a 5G-driven MEC network like the one in Fig. 1, assets are defined by the components of the NFVI physical and virtual planes, the VNFs in the form of security services, and the NFV MANO. Taking into account the myriad of systems from the physical layer to the application layer, a full characterization of the threat landscape and the way that threats can potentially exploit an existing vulnerability might become an intricate task. For example, considering the Openstack and KVM hypervisors, which are fundamental 5G infrastructure systems [5], the Common Vulnerabilities and Exposures (CVE) website has listed for these technologies a number of 271 and 157 publicly known cybersecurity vulnerabilities, respectively [6]. Moving to the application layer, Google Chrome and Maps, which are popular Web technologies, have a total of 2366 and 21 CVE entries while Twitter and Instagram account for 60 and 18 CVE entries, respectively [6]. In addition to taking advantage of known vulnerabilities, adversaries still can perform social engineering attacks to penetrate the system or to spread a malware infection. In fact, the Anti-Phishing Working Group (APWG) Q1 2020 report has shown that SaaS/Webmail represents 35% of the most targeted sectors for phishing attacks [7].

B. Risk Assessment

With a thorough characterization of the assets, threats, and known vulnerabilities pertaining to the MNO, the next step consists of quantitatively or qualitatively assigning a score to the risk. A score corresponds to a risk level that collectively enables the creation of a ranking of risks, which will ultimately be used to guide the agile security decision making process.

In a quantitative risk assessment approach, there is a need to derive the likelihood or probability that a specific vulnerability will be successfully exploited. Recall that an agile security framework requires a rapid risk-centric response to the changes in cyberspace. To accomplish such a task with a high degree of efficiency, the infrastructure should be continuously and ubiquitously monitored to trigger the application of adequate action as discussed in Section III. Thus, to accurately compute the probability of successful exploits across the entire infrastructure and services, the risk model must satisfy these requirements. Initiatives such as those reported in [8] in which a OPTIMIS-oriented risk assessor uses measurable data from a cloud infrastructure to compute the likelihood of events and the corresponding risk might pave the way for the application of an agile security framework on a 5G-MEC driven infrastructure.

To complete the security risk calculation, an analysis of the loss impact must be put forward. This step is featured by an educated choice for the loss impact. Traditionally, scales are used to quantify or qualify it. Instances of impact loss scales are: low, medium, and high [8] as well as very low (1), low (2), medium (3), high (4), and very high (5) [9].

C. Risk Control

The last phase of a risk-aware operation defines the risk-handling posture adopted by the MNO that might be the risk avoidance where the MNO decides to circumvent the business activities that unfold the risk, the risk acceptance where the MNO decides to accept the exploit and its impact on the system; the risk transference where the MNO decides to shift to a third party, traditionally an insurance company, part or the total cost that the MNO will incur if a successful exploitation takes place, and the risk mitigation where the MNO decides to reduce the harmful impact of the risk by applying security controls and countermeasures that will keep the risk within the MNO’s risk appetite [10].

In Section V, we present a stochastic risk-aware edge server orchestration that applies a risk mitigation strategy to handle the operational risks that the edge servers might be exposed to in a 5G-driven MEC deployment. The proposed risk-aware agile security method makes use of the loss impact scale introduced in [9].

A. Related Works

Virtual machine (VM) allocation for cloudified infrastructure has been an intensive field of research. However, most of breakthroughs have neglected the role played by the security awareness and the risk awareness when it comes to the admission and placement of the task execution and services. In fact, when it comes to security risk-awareness, there is a scarcity of works in the literature. To enlarge our review of the literature, we address MEC, mobile cloud computing (MCC), and cloud computing.

Djemame et al. [8] proposed a OPTIMIS-aware risk assessor that collects measurable data from a cloud infrastructure to quantify the risk level. The cloud optimizer, which works continuously, takes into consideration the events of DoS, flash network traffic, hardware failure, and SLA violations and displays their risk levels. Due to the resource sharing nature of multi-tenancy, co-resident attacks become a serious threat to virtualized cloud infrastructure. Considering the stable and fluctuating features of a workload, Chhetri et al. [11] proposed a risk- and cost-aware resource allocation for cloud applications that seeks to minimize cloud costs while mitigating the resource revocation risks. Experimental results showed that transient resources can be leveraged to accomplish such objective.

In order to minimize the risk of data leakage among tenants, Almutairi et al. [12] proposed risk-aware virtual resource assignment mechanism targeting Software-as-a-Service (SaaS) cloud service providers (CSP). The authors proposed two cost functions (RASP-MAX and RASP-PAR) and different heuristic models (best fit heuristic, single move heuristic, and multi move heuristic) to solve the risk aware VM assignment problem. Considering metrics such as efficiency and coverage, Han et al. [13] proposed VM allocation policy to mitigate the risk of co-residence. The proposed scheme also took into account power consumption and workload balance as optimization goals. Similarly, the work in [14] proposed a security-aware VM placement mechanism to proactively avoid co-residency between malicious and benign VMs. Using a conflict index as a risk indicator, Miao et al. applied VM migration to protect benign users. Considering the learnings from [13] and [14], Han et al. [13] proposed a co-resident threat defense system, which comprises of security-aware VM management mechanisms and threat score mechanism, that mitigated the risk of attack while leading to balanced workload with little impact on power consumption. A commonality among [13], [14], and [15] is the use of CloudSim as the testing tool.

Within the purview of MEC and MCC, there has been a few initiatives for security- and risk-centric managers to support the orchestration of the cloud resources. A optimized allocation of the virtual resources to ensure performant and secure execution stand out as the major contributions behind the works [16], [17], and [18], where the differences lie in the fact that [16] applies to a system with multiple cloud layers while the others emphasized a standalone wireless and cloud system. Additionally, the authors provided a detailed cost function that can be used by MNOs to estimate the economical benefits of providing security services. Security risk takes the form of an user taxonomy in [19], where Raei et al. classified the users requests into three categories, namely: low risk, high risk, and critical risk. In this respect, the low risk category specifies applications that can be processed without cryptography and privacy concerns. On the other hand, the high risk category requires multiple VMs to safeguard the execution of the offloaded task while the critical risk category demands an exclusive physical server to isolate the application. Considering the overhead that is needed to execute security services, Huang et al. proposed SEECO [20] and SCACO [21] mechanisms for secure task offloading in MEC. When it comes to the optimization problem, SEECO takes into account energy and security as design requirements while the SCACO additionally copes with processing delay. The papers are also dissimilar in the way that the authors solve the optimization problem. In this respect, SEECO is formulated as a genetic algorithm while SCAC is solved using deep reinforcement learning.

Taking the computation and communication uncertainties at each MEC server as the risk figure, Apostolopoulos et al. [22] formulated the problem of task offloading as a non-cooperative game among the users and solved it by means of the pure Nash Equilibrium. A risk-centric broker mechanism is proposed by Iyer et al. [23] in which the decision making problem is formulated to decide about the computing task placement between a cloud data center or a fog data center taking into account the user risk profile, price, and reputation of the cloud and fog service provider. With the goal of supporting security services at the edge of the network, Hui et al. [24] proposed a resource allocation scheme to efficiently share the edge resources between data processing services and security services, more specifically, intrusion detection system (IDS).

Service survivability in the presence of failure is addressed in [25] and [26] from a perspective of a NFV deployment. In [25], Kanizo et al. proposed to use a VNF to implement and deploy backup schemes for network functions that ensure high levels of survivability while reducing resource consumption. He et al. [26] proposed a backup resource allocation model where both network services and backup servers fail. Given the limited capacity of backup and the fact the network functions differ in terms of importance, the authors proposed to backup network functions based on their importance.

Table 1 summarizes the related works and shows how our proposal stands out in the literature. Firstly, like [8] it copes with resource exhaustion and SLA violation. In our case; however, a breach to SLA leads to an increased latency that might degrade the QoS and QoE inasmuch as we are dealing with MEC while [8] is not. Similar to [16]–​[19], our work applies a user taxonomy to raise the awareness about the risk that a service request is posing to the system. However, we classify users rather than the applications. Additionally, the proposed algorithm takes advantage of multiple cloud layers to augment the capacity and the degree of availability and dependability of the edge servers as our previous work [16]. However, the current proposition specifies an implementation-friendly mechanism that can be integrated in a production system more effectively than an optimal controller that requires a sophisticate architecture. Furthermore, this work addresses the security risks at physical and virtual levels rather than a cloud level as [16]. The practicality of proposed orchestrator relies on the use of a load balancing mechanism and multiple thresholds to efficiently orchestrate the services requests while satisfying the security and latency requirements. The load balancing mechanism is proposed to choose the appropriate edge server to host the offloaded application and migrate VMs between the cloud layers taking into account the aforementioned requirements while the thresholds are designed to limit the number of untrusted users into the system.

TABLE 1 Summary of Related Works

B. Proposed Mechanism

The proposed security risk-aware edge server orchestrator is designed to work in an mobile cloud computing (MCC) environment such as the one presented in Fig. 1, which is featured by a MEC and a back-up cloud. Under this assumption, it aims at mitigating the risk of resource exhaustion caused by a DoS attack (malicious activity) or a sudden spike in the traffic load (non-malicious activity) as well as the risk of SLA violation caused by a growth in latency due to the placement of the offloaded task in the remote back-up cloud. To mitigate the aforementioned risks, the proposed orchestrator applies two security controls, namely: load balancing mechanism and multiple thresholds, which work synergistically to keep the security risks under acceptable levels.

Fig. 2 depicts the proposed risk-aware edge server orchestrator from an operational standpoint. As we can see, upon an user arrival ① the system classifies the user into trusted and untrusted ones ②. This is necessary since the decision making process regarding the provisioning and deprovisioning of cloud resources is user-centric. Regardless of the user type, the next step is the application of a load balancing mechanism to place the offloaded task ③. For a trusted user, capacity constraint is the only condition used to admit the service request. Edge servers are tested in a round-robin manner, one at time, until a server is found to accommodate the request. If there is no edge server available to supply the computing demand, the load balancing will route it to the back-up cloud, where its admission depends on the idle capacity in this layer. For an untrusted user, the system additionally verifies the threshold condition, i.e., whether or not the number of untrusted user in the targeted computing node (edge server or back-up cloud) is below a threshold. If and only if both conditions are valid, the service request will be accepted. When the offloaded task is completed, the user releases the used VM independently of the cloud layer it is. In this respect, if the departure takes place in the MEC ④, the orchestrator will migrate an existing user from the back-up cloud to the MEC in order to thwart the SLA violation ⑤ - priority will be given to the trusted users. Since the VM migration from the back-up cloud to an edge server represents a new admission decision in an edge server, it must abide by threshold security control in the target node. Finally, if a departure is from the back-up cloud ⑥, the system updates its resource availability.

FIGURE 2.

Proposed risk-aware orchestrator operation.

Show All

C. System Assumption

We assume a 5G-driven MEC deployment such as the one in Fig. 1., where users under a small cell regions A₁ and A₂ benefit from a double coverage area to offload their computing tasks to either the MEC or the back-up cloud while users within the macro-cell only region A₀ can solely rely on the latter. For the sake of risk management, the users are grouped into two categories, namely the trusted category and the untrusted category. The former comprises of well-behaved and well-known clients and connected-devices and the latter comprises of unknown or misbehaving clients and connected-devices.

From an operational standpoint, Fig. 1 shows that the NFV MANO plays a key role in leveraging a risk-aware orchestration of the cloud resources since it acts perversely across the physical plane, the virtual plane, and the security service plane. Therefore, the proposed risk mitigation method should be performed by the NFV MANO.

For a risk-centric edge server MANO, the proposed mitigation method copes with the risk reduction at the MEC sites only. In this regard, the objective of the proposed risk-centric cloud orchestration is to augment the virtual capacity and enhance the security and dependability of edge servers through a cooperation with the back-up cloud. Therefore, we assume that the NFV MANO is accountable for the location-aware provisioning and placement of VMs, the VM migration between the MEC and the back-up cloud, and the execution of security controls to avoid the risk inflation. Similar to [27]–​[29], we emphasize exclusively the management and operation of the computing resources and disregard the allocation of the wireless resources.

D. Risk Management

2) Risk Assessment

The role of a risk assessor is to compute a risk by identifying the probability of a successful exploit to occur and its loss impact. The probability of a successful exploit will be discussed in the Sub-section V-E while the loss impact in conjunction with the vulnerability exploitation event is shown in Table 2.

TABLE 2 Vulnerability Exploitation Events and Loss Impact

3) Risk Control

The MEC sites have been designed considering that the exceeding workload is served by a subsequent MEC layer when the computing demand spikes [29], [33]. This procedure ensures a slow increase in the latency while promoting a high service availability and dependability. However, there is a need to embed the risk-awareness into the admission control decision; otherwise, a MEC site might end up being highly populated with untrusted users who can wreak havoc a physical server or an entire MEC site. To safeguard the system, security controls that limit the presence of untrusted users and keep the risk level within acceptable levels should be put forward. Thus, the cooperation between the MEC sites and the back-up cloud must be orchestrated in such a way that low-latency, high service availability, dependability, and security are holistically accomplished and agilely operated by the NFV MANO. In this work, the following security controls are used to mitigate the risks:

• Multiple thresholds: thresholds are used to limit the number of untrusted users connected to a edge server and the back-up cloud. As for the admission decision at the MEC layer, no untrusted user will be admitted into an edge server when its occupancy matches the threshold level. This control will cause the load balancing to seek another server, which can satisfy this condition, within the same MEC site in a round-robin manner. At the back-up cloud, the threshold applies to the number of untrusted in the whole layer.

• Load balancing: due to the latency sensitiveness, users within a MEC site are primarily assigned to it. However, if the edge servers are running out of capacity, the back-up cloud will supply the computing demand. To minimize the risk of SLA violation, the location-aware load balancing will bring back the trusted and untrusted users that are served by the back-up cloud to the MEC site whenever there exists room to do so. In this respect, the trusted users have the priority while the untrusted users can only be migrated if there is no trusted user running its application at the back-up cloud and the migrating VM does not violate the occupancy threshold condition.

By taking these two security controls into consideration, the proposed cloud orchestrator reduces the risk of vulnerability exploitation due to event $e_{1}$ , $e_{2}$ , $e_{3}$ that are shown in Table 2 and eliminates the risk of DoS attack due to untrusted users ($e_{4}$ ). Fig. 3 and Fig. 4 show the application of the security controls in the provisioning and deprovisioning of cloud resources in the system under analysis based on the type of event, whether it is an arrival or departure of a service, the security profile of the user, the user location, and the serving cloud layer. Remarkably, the proposed risk-aware cloud orchestrator is agile because it responds in the same timescale of arrivals and departures by leveraging the multiple thresholds and load balancing which jointly prevent the risk from inflating in an unrestrained way.

FIGURE 3.

Proposed risk-aware orchestrator: user arrival decision making and controls.

Show All

FIGURE 4.

Proposed Risk-aware orchestrator: user departure decision making and controls.

Show All

E. Stochastic Model

Let $\mathbb {C} \triangleq \{0,1,2,\cdots,C-1\}$ be the set of clouds where $|\mathbb {C}|$ is the cardinality of $\mathbb {C}$ . The first index of $\mathbb {C}$ corresponds to the back-up cloud while the $j^{\text {th}}$ ($1\leq j \leq |\mathbb {C}|-1$ ) ones represent the deployed MEC sites. Let $N_{S}$ and $S_{VM}^{E}$ denote the number of edge servers and VMs per edge server, respectively. The capacity of the $j^{\text {th}}$ MEC site is given by $N_{S} \times S_{VM}^{E}$ VMs. Given the resourcefulness of the back-up cloud, its capacity is measured by the total number of available VMs as seen by the edge sites. In this regard, it is $S_{VM}^{B}$ VMs.

It is assumed that the arrivals at the macro-cell only region follow a Poisson process with rate $\lambda _{b}$ while the service time is assumed to be exponentially distributed with mean $1/\mu _{b}$ . Recall that the proposed risk-aware orchestrator focuses on the MEC operation. In this respect, the computing demand in this region is assumed to be a background traffic. As for the $j^{\text {th}}$ MEC site, arrivals take place according to independent Poisson processes with rates $\lambda _{j}^{t}$ and $\lambda _{j}^{u}$ for the trusted and untrusted user, respectively, while the service times are exponentially distributed with mean $1/\mu _{t}$ and $1/\mu _{u}$ for the respective category. The notations that are used throughout this article is summarized in Table 3.

TABLE 3 Notations

Let the tuple $(\mathbb {S},\mathbf {Q})$ represents the proposed multi-dimensional Markov model for the a 5G-Driven MEC deployment where $\mathbb {S}$ specifies the state space and $\mathbf {Q}$ the infinitesimal generator. Let \begin{align*}&\hspace {-.5pc} s= \Big \{s_{0},s_{1}^{t},s_{1}^{u},\cdots, s_{j}^{t},s_{j}^{u}, \cdots, s_{|\mathbb {C}|-1}^{t},s_{|\mathbb {C}|-1}^{u}, s_{1 1}^{t}, s_{1 1}^{u}, \\&\quad \qquad \qquad \qquad \displaystyle { \cdots, s_{i j}^{t},s_{i j}^{u}, \cdots, s_{N_{S} |\mathbb {C}|-1}^{t}, s_{N_{S} |\mathbb {C}|-1}^{u} \Big \} } \tag{1}\end{align*} View Source\begin{align*}&\hspace {-.5pc} s= \Big \{s_{0},s_{1}^{t},s_{1}^{u},\cdots, s_{j}^{t},s_{j}^{u}, \cdots, s_{|\mathbb {C}|-1}^{t},s_{|\mathbb {C}|-1}^{u}, s_{1 1}^{t}, s_{1 1}^{u}, \\&\quad \qquad \qquad \qquad \displaystyle { \cdots, s_{i j}^{t},s_{i j}^{u}, \cdots, s_{N_{S} |\mathbb {C}|-1}^{t}, s_{N_{S} |\mathbb {C}|-1}^{u} \Big \} } \tag{1}\end{align*} denote the state of the system in every region of the 5G network, where $s_{0}$ represents the number of VMs of the back-up cloud that are allocated to users within the macro-cell region only; $s_{j}^{t}$ and $s_{j}^{u}$ denote the number of trusted and untrusted VMs within the $j^{\text {th}}$ MEC site that are using resources of the back-up cloud system. For instance, $s_{1}^{t}$ and $s_{1}^{u}$ represent the number of trusted and untrusted users within the first MEC site that are consuming resources of back-up cloud. Finally, $s_{i j}^{t}$ and $s_{i j}^{u}$ represent, respectively, the number of trusted and untrusted VMs that are using resources from the $i^{\text {th}}$ ($1\leq i \leq N_{S}$ ) physical server at the $j^{\text {th}}$ MEC. For example, $s_{1 1}^{t}$ and $s_{1 1}^{u}$ specify the number of trusted and untrusted users using the first edge server in the first MEC site, respectively. The scope of $\mathbb {S}$ must abide by the capacity constraints of the back-up cloud and edge servers as well as the fact that number of untrusted users in the back-up cloud and the edge server are capped by the security thresholds $T$ and $T_{ij}$ , respectively. Thus, $\mathbb {S}$ is given by \begin{align*}&\hspace {-.5pc} \mathbb {S} \!=\! \Bigg \{ s: s_{0} \!+\!\!\sum _{j=1}^{|\mathbb {C}|-1} (s_{j}^{t}\!+\!s_{j}^{u}) \!\leq \! S_{VM}^{B}; s_{i j}^{t} \!+ \!s_{i j}^{u} \!\leq \! S_{VM}^{E}; \!\!\sum _{j=1}^{|\mathbb {C}|-1}s_{j}^{u} \!\leq \! T; \\&\quad \qquad \qquad \displaystyle { s_{i j}^{u} \leq T_{ij}; 1\leq i \leq N_{S}, 1\leq j \leq |\mathbb {C}|-1 \Bigg \}. } \tag{2}\end{align*} View Source\begin{align*}&\hspace {-.5pc} \mathbb {S} \!=\! \Bigg \{ s: s_{0} \!+\!\!\sum _{j=1}^{|\mathbb {C}|-1} (s_{j}^{t}\!+\!s_{j}^{u}) \!\leq \! S_{VM}^{B}; s_{i j}^{t} \!+ \!s_{i j}^{u} \!\leq \! S_{VM}^{E}; \!\!\sum _{j=1}^{|\mathbb {C}|-1}s_{j}^{u} \!\leq \! T; \\&\quad \qquad \qquad \displaystyle { s_{i j}^{u} \leq T_{ij}; 1\leq i \leq N_{S}, 1\leq j \leq |\mathbb {C}|-1 \Bigg \}. } \tag{2}\end{align*}

Let $q(s,s')$ be an entry of the infinitesimal generator $\mathbf {Q}$ that represents the transition rate from the state $s$ to the state $s'$ in $\mathbb {S}$ . To populate $\mathbf {Q}$ with $q(s,s')$ for all permissible states in the state space $\mathbb {S}$ , the following events are considered:

1. Arrival of a background user at the back-up cloud: Upon an arrival with rate $\lambda _{b}$ , the state variable $s_{0}$ will be incremented if the $\scriptstyle s_{0} +\sum _{j=1}^{|\mathbb {C}|-1} (s_{j}^{t}+s_{j}^{u}) < S_{VM}^{B}$ condition holds.

2. Departure of a background user from the back-up cloud: A service completion for a background user, which happens with the service rate of $s_{0}\mu _{b}$ , will decrement state variable $s_{0}$ .

3. Departure of a trusted user within a MEC site using the resources of the backup cloud: A service completion for a trusted user, which happens with the service rate of $s_{j}^{t}\mu _{t}$ , will decrement state variable $s_{j}^{t}$ .

4. Departure of a untrusted user within a MEC site using the resources of the backup cloud: A service completion for a untrusted user, which happens with the service rate of $s_{j}^{u}\mu _{u}$ , will decrement state variable $s_{j}^{u}$ .

5. Arrival of a trusted user at the MEC site: The service request will be admitted in the $i^{\text {th}}$ ($1\leq i \leq N_{S}$ ) edge server if the condition $s_{i j}^{t} + s_{i j}^{u} < S_{VM}^{E}$ holds, which will increment the state variable $s_{i j}^{t}$ with rate $\lambda _{t}$ . However, if the condition fails, the $l^{\text {th}}$ edge server will be verified. Again, the capacity constraint condition $s_{l j}^{t} + s_{l j}^{u} < S_{VM}^{E}$ is checked and if a true outcome is revealed, the service request will be housed at that server. If no server at the $j^{\text {th}}$ MEC site can accept the service request, then it goes to the back-up cloud. In this case, the condition $s_{0} +\sum _{j=1}^{|\mathbb {C}|-1} (s_{j}^{t}+s_{j}^{u}) < S_{VM}^{B}$ is tested and a positive outcome will lead to an increment of the state variable $s_{j}^{t}$ .

6. Arrival of an untrusted user at the MEC site: The user will be hosted by the $i^{\text {th}}$ ($1\leq i \leq N_{S}$ ) edge server if the capacity constraint condition $s_{i j}^{t} + s_{i j}^{u} < S_{VM}^{E}$ and security control condition $s_{ij}^{u} < T_{ij}$ are true. Similar to the previous case, a round-robin scheduling is applied until an edge server that fulfills both conditions is found in the $j^{\text {th}}$ MEC site. If no edge server satisfies the conditions, the service request goes to the back-up cloud and again the capacity constraint condition $s_{0} +\sum _{j=1}^{|\mathbb {C}|-1} (s_{j}^{t}+s_{j}^{u}) < S_{VM}^{B}$ and the security control condition $\sum _{j=1}^{|\mathbb {C}|-1} s_{j}^{u} < T$ are verified. If the outcome is positive the state variable $s_{j}^{u}$ will be incremented. Regardless the user placement, the transition is triggered with rate $\lambda _{u}$ .

7. Departure of a trusted user from the MEC site: A service completion of this user will make the load balancing to search for users that are camped within the same $j^{\text {th}}$ MEC site but who are served by the back-up cloud. If a trusted user is found, then it will be brought to an edge server, which will decrement the state variable $s_{j}^{t}$ . However, if no trusted user is found and an untrusted user is, then it will be migrated to the MEC site if the security control condition $s_{ij}^{u} < T_{ij}$ is held. This event will simultaneously decrement the state variable $s_{j}^{u}$ , increment $s_{i j}^{u}$ , and decrement $s_{i j}^{t}$ . If no user is found, the state variable $s_{i j}^{t}$ will be decremented only. Regardless of the destination state, the transition will occur with service rate $s_{i j}^{t}\mu _{t}$ .

8. Departure of an untrusted user from the MEC site: Similar to the previous event, a service completion using edge servers computing resources will make the load balancing to migrate a user from the back-up cloud to the MEC site. If a trusted user is found $s_{j}^{t}>0$ , then following changes in the state variables will occur simultaneously: $s_{j}^{t}$ will decrement, $s_{i j}^{t}$ will increment, and $s_{i j}^{u}$ will decrement. If no trusted user is found and an untrusted is $s_{i j}^{u}>0$ , then it will be brought to the MEC. If no user is found at the back-up cloud, the state variable $s_{i j}^{u}$ will be decremented with service rate $s_{i j}^{u}\mu _{u}$ .

Table 4 presents the stochastic model for the proposed risk-aware orchestrator for the aforementioned events. For simplicity, it takes the state $s=(s_{0}, s_{j}^{t},s_{j}^{u}, s_{i j}^{t},s_{i j}^{u}) \in \mathbb {S}$ as the present state and formally specifies the successor state $s' \in \mathbb {S}$ , the transition rate $q(s,s')$ , and the conditions under which the state transition is triggered for the events previously stated. It is noteworthy that the risk-aware orchestrator follows the procedures described in Fig. 3 and Fig. 4.

TABLE 4 Transitions From the State $s=(s_{0}, s_{j}^{t},s_{j}^{u}, s_{i j}^{t},s_{i j}^{u}) \in\mathbb{S}$

Fig. 5 illustrates a small-scale state transition diagram for all transitions from and to the state $(3,1,0,2,0,0,1) \in \mathbb {S}$ considering a system with a MEC site with two edge servers each with capacity of 3 VMs where the threshold is 1 as well as a back-up cloud with capacity of 5 VMs with the threshold equal to 2. An arrival of the background traffic will make the system to transit to the state (4, 1, 0, 2, 0, 0, 1). By the same token, a departure of such user will evolve the system to the state (2, 1, 0, 2, 0, 0, 1). A departure of a trusted user within the MEC site using resources from the back-up cloud will move the system to the state (3, 0, 0, 2, 0, 0, 1) while an arrival of the same category of user will be admitted into the edge server, which will cause the state transition to (3, 1, 0, 3, 0, 0, 1). As for the untrusted user, its arrival in the system will be accepted into the first server that will lead the system to (3, 1, 0, 2, 1, 0, 1). A departure of the a trusted user from the MEC site triggers the load balancing security control that will bring a trusted user from the back-up cloud to the MEC. In this respect, the final state will be (3, 0, 0, 2, 0, 0, 1). Similarly, a service completion of an untrusted user will trigger the load balancing that will cause the transition to the state (3, 0, 0, 2, 0, 1, 0). Note that there are two ways to reach the state (3, 1, 0, 2, 0, 0, 1) from the state (3, 2, 0, 2, 0, 0, 1). Despite the same service rate, the reasons are distinguishable. For first case, the trusted user using resources from the back-up cloud departs with rate $2\mu _{t}$ and the resource availability is updated - see Fig. 4. For the second case, a trusted user departs from the MEC site using resources from the first edge server. For this case, the load balancing opportunistically acts which decrements the number of trusted users using resources from the back-up cloud. By using the same rationale, the remaining state transitions can be similarly explained.

FIGURE 5.

State transition diagram: $|\mathbb {C}|=2$ , $N_{S}=2$ edge servers, $S_{VM}^{E}=3$ VMS, $S_{VM}^{B}=5$ VMs, $T_{11}=T_{21}=1$ untrusted VMs, and $T_{1}=2$ .

Show All

F. Risk Metrics

Denote $\boldsymbol {\pi _{s}}$ the steady-state probability of the proposed stochastic model that can be determined by solving the system of linear equations $\boldsymbol {\pi _{s}\mathbf {Q}}=0$ along with the normalization condition $\sum _{s \in \mathbb {S}} \pi _{s} = 1$ [35]. With $\boldsymbol {\pi _{\mathbf {s}}}$ , the total risk can be computed as follows. The events of vulnerability exploitation $e_{1}$ , $e_{2}$ , and $e_{3}$ , which are described in Table 2, can be formally specified considering the following subset of states:\begin{align*} e_{1}=&\Big \{ s | s_{i j}^{t} + s_{i j}^{u} = S_{VM}^{E} \land s_{j}^{t}>0 \lor s_{j}^{u}>0; 1\leq i \leq N_{S}, \\&1\leq j \leq |\mathbb {C}|-1 \Big \} \subseteq \mathbb {S}, \tag{3}\\ e_{2}=&\Big \{ s | s_{i j}^{t} + s_{i j}^{u} = S_{VM}^{E} < S_{VM}^{E} \land s_{i j}^{u} < T_{ij}; 1\leq i \leq N_{S}, \\&1\leq j \leq |\mathbb {C}|-1 \Big \} \subseteq \mathbb {S}, \tag{4}\\ e_{3}=&\Big \{ s | s_{i j}^{t} + s_{i j}^{u} = S_{VM}^{E}; 1\!\leq \! i \!\leq \! N_{S}, 1\!\leq \! j \!\leq \! |\mathbb {C}|\!-\!1 \Big \} \\\subseteq&\mathbb {S}.\tag{5}\end{align*} View Source\begin{align*} e_{1}=&\Big \{ s | s_{i j}^{t} + s_{i j}^{u} = S_{VM}^{E} \land s_{j}^{t}>0 \lor s_{j}^{u}>0; 1\leq i \leq N_{S}, \\&1\leq j \leq |\mathbb {C}|-1 \Big \} \subseteq \mathbb {S}, \tag{3}\\ e_{2}=&\Big \{ s | s_{i j}^{t} + s_{i j}^{u} = S_{VM}^{E} < S_{VM}^{E} \land s_{i j}^{u} < T_{ij}; 1\leq i \leq N_{S}, \\&1\leq j \leq |\mathbb {C}|-1 \Big \} \subseteq \mathbb {S}, \tag{4}\\ e_{3}=&\Big \{ s | s_{i j}^{t} + s_{i j}^{u} = S_{VM}^{E}; 1\!\leq \! i \!\leq \! N_{S}, 1\!\leq \! j \!\leq \! |\mathbb {C}|\!-\!1 \Big \} \\\subseteq&\mathbb {S}.\tag{5}\end{align*}

Note that a state $s \in e_{1}$ is violating the SLA since the applications are running at the back-up cloud. By the same token, a state $s \in e_{2}$ is at risk of accepting an untrusted user. Finally, a state $s \in e_{3}$ is denying the service to users due to the MEC resource exhaustion. Let $\boldsymbol {\pi _{s}}$ denote the steady-state probability vector of the proposed stochastic model. With $\boldsymbol {\pi _{s}}$ , the total security risk $R_{T}$ can be computed as \begin{equation*} R_{T}=R_{e_{1}} + R_{e_{2}}+R_{e_{3}},\tag{6}\end{equation*} View Source\begin{equation*} R_{T}=R_{e_{1}} + R_{e_{2}}+R_{e_{3}},\tag{6}\end{equation*} where $R_{e_{1}} = \sum _{\displaystyle \scriptstyle {s \in e_{1}}}\pi _{s} \times I_{e_{1}}$ , $R_{e_{2}} = \sum _{\displaystyle \scriptstyle {s \in e_{2}}}\pi _{s} \times I_{e_{2}}$ , and $R_{e_{3}} = \sum _{\displaystyle \scriptstyle {s \in e_{3}}}\pi _{s} \times I_{e_{3}}$ are the events of vulnerability exploitation risk times their loss impact numeric scales as presented in Table 2.