容器云中基于信号博弈的容器迁移与蜜罐部署策略

doi:10.11959/j.issn.2096-109x.2021042

摘要/Abstract

摘要：

SaaS 云中的多租户共存和资源共享模式会带来严重的安全隐患。一方面逻辑上命名空间的软隔离容易被绕过或突破，另一方面由于共享宿主机操作系统和底层物理资源容易遭受同驻攻击，对容器云中数据可用性、完整性、机密性产生严重威胁。针对 SaaS 云服务容易遭受容器逃逸、侧信道等同驻攻击的问题，网络欺骗技术通过隐藏执行体的业务功能和特征属性，增加云环境的不确定度，降低攻击的有效性。针对容器易遭受同驻攻击的安全威胁，结合动态迁移、虚拟蜜罐等安全技术，研究经济合理的网络欺骗方法降低同驻攻击带来的安全威胁。具体而言，提出一种基于信号博弈的容器迁移与蜜罐部署策略。依据容器面临的安全威胁分析，使用容器迁移和蜜罐两种技术作为防御方法，前者基于移动目标防御的思想提高系统的不可探测性，后者通过布置诱饵容器或提供虚假服务来迷惑攻击者；鉴于网络嗅探是网络攻击链的前置步骤，将攻防过程建模为双人不完整信息的信号博弈，发送者根据自己类型选择释放一个信号，接收者仅能够获取到发送者释放的信号，而不能确定其类型。对这个完全但不完美的信息动态博弈构建博弈树，设置攻防双方不同策略组合的开销和收益；对攻防模型进行均衡分析确定最优的欺骗策略。实验结果表明，所提策略能够有效提高系统安全性，同时能够降低容器迁移频率和防御开销。

关键词: 云计算, 容器迁移, 蜜罐, 信号博弈

Abstract:

Multi-tenant coexistence and resource sharing in the SaaS cloud pose serious security risks.On the one hand, soft isolation of logical namespaces is easy to be bypassed or broken.On the other hand, it is easy to be subjected to co-resident attacks due to sharing of the host operating system and underlying physical resources.Therefore it poses a serious threat to data availability, integrity and confidentiality in the container cloud.Given the problem that SaaS cloud services are vulnerable to container escape and side-channel equivalent resident attack, network deception technology increases the uncertainty of the cloud environment and reduces the effectiveness of attack by hiding the business function and characteristic attributes of the executor.Aiming at the security threat caused by the co-resident attack, combining dynamic migration and virtual honeypot security technology, the economical and reasonable network deception method was studied.Specifically, a container migration and honeypot deployment strategy based on the signal game was proposed.According to the security threat analysis, container migration and honeypot were used as defense methods.The former improved the undetectability of the system based on the idea of moving to target defense, while the latter confused attackers by placing decoy containers or providing false services.Furthermore, since network reconnaissance was the pre-step of the network attack chain, the attack and defense process was modeled as a two-person signal game with incomplete information.The sender chose to release a signal according to his type, and the receiver could only obtain the signal released by the sender but could not determine the type.Then, a game tree was constructed for the complete but imperfect information dynamic game, and the costs and benefits of different strategy combinations were set.The optimal deception strategy was determined by equilibrium analysis of attack-defense model.Experimental results show that the proposed strategy can effectively improve system security.Besides, it can also reduce container migration frequency and defense cost.

Key words: cloud computing, container migration, honeypot, signal game

中图分类号:

TN915.08

李凌书, 邬江兴, 曾威, 刘文彦. 容器云中基于信号博弈的容器迁移与蜜罐部署策略[J]. 网络与信息安全学报, 2022, 8(3): 87-96.

Lingshu LI, Jiangxing WU, Wei ZENG, Wenyan LIU. Strategy of container migration and honeypot deployment based on signal game in cloud environment[J]. Chinese Journal of Network and Information Security, 2022, 8(3): 87-96.

图/表 5

图1

图2

表1

表2

G$lt@span sub=1$gt@cm$lt@/span$gt@的完美贝叶斯纳什均衡Table 2 Perfect Bayesian Nash equilibrium G$lt@span sub=1$gt@cm$lt@/span$gt@"

编号	G_cm参数要求	θ的取值范围	PBE
PBE1	ε > ω₂	$[\max (\frac{(δ_{1} + δ_{2})}{α}, \frac{α + δ_{1}}{2 α}), 1]$	{(M, M), (a₂, a₂), p=θ, q}
PBE2	ε > ω₃	$[0, \min (\frac{α + δ_{1}}{2 α}, 1 - \frac{δ_{2}}{α})]$	{(NM, NM), (a₁, a₁), p, q=θ}

表2

图3

参考文献 24

[1]	JITHIN R , CHANDRAN P . Virtual machine isolation[C]// International Conference on Security in Computer Networks and Distributed Systems, 2014.
[2]	JAJODIA S , SUBRAHMANIAN V S , SWARUP V ,et al. Cyber deception[R]. 2016.
[3]	VINCENT E U , . Computer network deception as a moving target defense[C]// 2015 International Carnahan Conference on Security Technology (ICCST), 2015: 1-6.
[4]	NAAGAS M A . Defense-through-deception network security model:securing university campus network from DoS/DDoS attack[J]. Bulletin of Electrical Engineering and Informatics, 2018: 593-600.
[5]	SI-YAO L , QIANG L I , BIN LI . Research on isolation of container based on docker technology[J]. Computer Engineering ＆ Software, 2015.
[6]	ZHENG Z . Virtual machine security isolation and protection based on cloud platform[J]. China Computer ＆ Communication, 2018.
[7]	ABDELRAHEM O , BAHAA-ELDIN A M , TAHA A . Virtualization security:a survey[C]// International Conference on Computer Engineering ＆ Systems. 2017.
[8]	SONG X , MA Y , TENG D . A load balancing scheme using federate migration based on virtual machines for cloud simulations[J]. Mathematical Problems in Engineering, 2015,5: 1-11.
[9]	PRASAD T S , MALLIKARJUNA A , RAMAKRISHNA S . From cloud to fog computing:a review and a conceptual live VM migration framework[J]. IEEE Access, 2017,99: 1-1.
[10]	ZHANG Y , LI M , BAI K ,et al. Incentive compatible moving target defense against VM-colocation attacks in clouds[C]// IFIP International Information Security Conference. 2012.
[11]	PENNER T , GUIRGUIS M . Combating the bandits in the cloud:a moving target defense approach[C]// IEEE/ACM International Symposium on Cluster, 2017.
[12]	YANG C , GUO Y , HU H ,et al. An effective and scalable VM migration strategy to mitigate cross-VM side-channel attacks in cloud[J]. Networks ＆ Security, 2019: 151-171.
[13]	HORáK K , . Manipulating adversary’s belief:a dynamic game approach to deception by design for proactive network security[C]// 8th International Conference on Decision and Game Theory for Security. 2017: 273-294.
[14]	XIAO Z , JIANG J , ZHU Y ,et al. A solution of dynamic VMs placement problem for energy consumption optimization based on evolutionary game theory[J]. Journal of Systems ＆ Software, 2015,101(3): 260-272.
[15]	LEI C , ZHANG H Q , WAN L M ,et al. Incomplete information markov game theoretic approach to strategy generation for moving target defense[J]. Computer Communications, 2018,116(1): 184-199.
[16]	ADILI M T , MOHAMMADI A , MANSHAEI M H ,et al. A cost-effective security management for clouds:a game-theoretic deception mechanism[C]// Integrated Network ＆ Service Management. 2017: 98-106.
[17]	冷强, 杨英杰, 常德显 ,等. 面向网络实时对抗的动态防御决策方法[J]. 网络与信息安全学报, 2019,5(6): 58-66.
	LENG Q , YANG Y J , CHANG D X ,et al. Dynamic defense decision method for network real-time confrontation[J]. Chinese Journal of Network and Information Security, 2019,5(6): 58-66.
[18]	ALNAIM A , ALWAKEEL A , FERNANDEZ E B . A misuse pattern for compromising VMs via virtual machine escape in NFV[C]// The 14th International Conference. 2019.
[19]	FENGW , SHI X H , WANG W R . Eliminating object reference checks by escape analysis on real-time Java virtual machine[J]. Cluster Computing:The Journal of Networks,Software Tools and Applications, 2019,22(3).
[20]	KOCHER P . Spectre attacks:exploiting speculative execution[J]. Communications of the ACM, 2018.
[21]	ALMOHANNADI H , . Cyber threat intelligence from honeypot data using elasticsearch[C]// 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA). 2018: 900-906.
[22]	SARKALE V V , RAD P , LEE W . Secure cloud container:runtime behavior monitoring using most privileged container (MPC)[C]// IEEE International Conference on Cyber Security ＆ Cloud Computing. 2017.
[23]	KRISHNAVENI S , PRABAKARAN S , SIVAMOHAN S . A survey on honeypot and honeynet systems for intrusion detection in cloud environment[J]. Journal of Computational and Theoretical Nanoence, 2018.
[24]	SAXENA A , . Virtual public cloud model in honeypot for data security:a new technique[C]// 5th International Conference on Computing and Artificial Intelligence. 2019: 66-71.

数学符号	含义
θ	IDS检测到威胁的概率（自然）
M	防御者对容器进行迁移
NM	防御者不对容器进行迁移
a₁	攻击者认为目标容器没有迁移，并发起攻击
a₂	攻击者认为目标容器进行了迁移，并发起攻击
a₀	攻击者不进行攻击
ω₁	容器迁移的开销
ω₂	容器不迁移时，模拟迁移行为的开销
ω₃	容器迁移时，模拟不迁移行为的开销
δ₁	攻击者进行扫描、窃听等开销
δ₂	攻击者进行木马注入后，攻击的开销
φ	防御者保护容器不受攻击的收益
ε	当攻击者攻击蜜罐时，防御者获得的额外收益
β	防御者未能成功保护容器的损失
α	攻击者成功攻击目标容器的收益