Integrated QoS- and Vulnerability-Driven Self-adaptation for Microservices Applications

Camilli M.; Luccioletti F.; Mirandola R.
2025-01-01

Abstract

Prioritizing security concerns in modern (micro)service-based applications is paramount to protecting sensitive data and maintaining end-user trust. Self-adaptation can strengthen security measures at runtime by autonomously adjusting the configuration and behavior of the managed system with limited, or even without, human intervention. In this paper, we present AQUA, a novel approach to orchestrate microservices jointly considering Quality of Service (QoS) and vulnerabilities. The framework maintains an architectural model of the system at runtime expressed through a Discrete-Time Markov Chain (DTMC). Probabilistic model checking is then used to evaluate and compare alternative DTMCs to identify the adaptation actions that reduce security threats (reducing the attack surface preventively) while increasing the delivered QoS (availability and response time). We evaluate the cost-effectiveness of AQUA using a microservice application benchmark. We show that the framework outperforms existing baseline methods by consistently planning better adaptation decisions that consider QoS and security aspects. However, this comes with higher computational costs, which increase linearly with the problem size.
2025
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
9789819608072
9789819608089
Markov models
Microservices
security
self-adaptation
Files in this item:
File: ICSOC2024_Vulnerability.pdf
Access: open access
Description: Pre-Print (or Pre-Refereeing)
Size: 685.53 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11311/1287747