面向多租户的关键虚拟机动态迁移方法研究

doi:10.11959/j.issn.2096-109x.2017.00191

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (8): 8-17.doi: 10.11959/j.issn.2096-109x.2017.00191

面向多租户的关键虚拟机动态迁移方法研究

赵硕¹(),季新生¹,程国振¹,毛宇星²

¹ 国家数字交换系统工程技术研究中心，河南郑州 450002
² 解放军理工大学指挥信息系统学院，江苏南京 210007

修回日期:2017-08-03 出版日期:2017-08-01 发布日期:2017-12-26
作者简介:赵硕（1993-），男，河南安阳人，国家数字交换系统工程技术中心硕士生，主要研究方向为虚拟网安全、软件定义网络。|季新生（1968-），男，江苏南通人，国家数字交换系统工程技术中心教授、博士生导师，主要研究方向为网络空间安全、拟态安全。|程国振（1986-），男，山东定陶人，国家数字交换系统工程技术中心助理研究员，主要研究方向为网络空间安全、软件定义网络。|毛宇星（1989-），男，河北唐山人，解放军理工大学博士生，主要研究方向为网络空间安全、软件定义网络。
基金资助:
国家自然科学基金创新研究群体基金资助项目(61521003);信息工程大学新兴方向培育基金资助项目(2016610708);国家重点研发计划项目(2016YFB0800100);国家重点研发计划项目(2016YFB0800101);河南省科技攻关计划项目(172102210615);国家自然科学基金资助项目(61602509)

Research on dynamic migration of critical virtual machines for multi-tenancy

Shuo ZHAO¹(),Xin-sheng JI¹,Guo-zhen CHENG¹,Yu-xing MAO²

¹ National Digital Switching System Engineering and Technological Research Center,Zhengzhou 450002,China
² Command Information System Institute,PLA University of Science and Technology,Nanjing 210007,China

Revised:2017-08-03 Online:2017-08-01 Published:2017-12-26
Supported by:
The Foundation for Innovative Research Groups of the National Natural Science Foundation of China(61521003);The Emerging Direction Nurturing Foundation in Information Engineering University(2016610708);The National Key R＆D Program of China(2016YFB0800100);The National Key R＆D Program of China(2016YFB0800101);The Science and Technology Research Project of Henan Province(172102210615);The National Science Foundation for Distinguished Young Scholars of China(61602509)

摘要/Abstract

摘要：

提出一种面向多租户的关键虚拟机动态迁移方法。首先，根据租户对虚拟机的安全需求设定关键虚拟机的比例，减少虚拟机动态迁移的数量；然后，通过虚拟机之间共存时间约束条件最大化降低虚拟机动态迁移的频率；最后，以最小化迁移开销作为虚拟机迁移的目标函数，进一步降低虚拟机迁移带来的开销。实验表明，与现有的防御方法相比，该方法在有效防御侧信道攻击的前提下，能够减少对网络服务性能的影响，降低虚拟机迁移的成本，更加适用于大规模的网络场景。

关键词: 侧信道攻击, 关键虚拟机, 动态迁移, 迁移算法, 迁移开销

Abstract:

A dynamic migration method of critical virtual machines for multi-tenancy was proposed.Firstly,the tenants can set ratio of critical virtual machines according to tenant's security requirements,then the dynamic migration frequency of virtual machines were maximized by the coexistence time constraints between virtual machines,finally the migration cost was minimized as an object function for the virtual machines migrated to further reduce the migration cost.Simulation experiments demonstrate that the proposed approach can reduce the impact on the performance of network services and the cost of virtual machines migration,and is more suitable for large-scale network scenarios under the premise of effective defense side-channel attacks.

Key words: side-channel attacks, critical virtual machines, dynamic migration, migration algorithm, migration cost

中图分类号:

TP302

赵硕,季新生,程国振,毛宇星. 面向多租户的关键虚拟机动态迁移方法研究[J]. 网络与信息安全学报, 2017, 3(8): 8-17.

Shuo ZHAO,Xin-sheng JI,Guo-zhen CHENG,Yu-xing MAO. Research on dynamic migration of critical virtual machines for multi-tenancy[J]. Chinese Journal of Network and Information Security, 2017, 3(8): 8-17.

图/表 9

图1

图2

表1

图3

图4

图5

图6

图7

图8

参考文献 23

[1]	ZHANG Q , CHENG L , BOUTABA R . Cloud computing:state-ofthe-art and research challenges[J]. Journal of Internet Services and Applications, 2010,1(1): 7-18.
[2]	BUTT S , SRIVASTAVA A , GANAPATHY V . Self-service cloud computing[C]// ACM Conference on Computer and Communications Security. 2015: 253-264.
[3]	JAIN R , PAUL S . Network virtualization and software defined networking for cloud computing:a survey[J]. IEEE Communications Magazine, 2013,51(11): 24-31.
[4]	CHOWDHURY N M M K , BOUTABA R . Network virtualization:state of the art and research challenges[J]. IEEE Communications Magazine, 2009,47(7): 20-26.
[5]	CHOWDHURY N M M K , BOUTABA R . A survey of network virtualization[J]. Computer Networks, 2010,54(5): 862-876.
[6]	FISCHER A , BOTERO J F , TILL B M ,et al. Virtual network embedding:a survey[J]. IEEE Communications Surveys ＆ Tutorials, 2013,15(4): 1888-1906.
[7]	余涛, 毕军, 吴建平 . 未来互联网虚拟化研究[J]. 计算机研究与发展, 2015,52(9): 2069-2082.
	YU T , BI J , WU J P ,et al. Research on the virtualization of future internet[J]. Journal of Computer Research and Development, 2015,52(9): 2069-2082.
[8]	RISTENPART T , TROMER E , SHACHAM H ,et al. Hey,you,get off of my cloud:exploring information leakage in third-party compute clouds[C]// ACM Conference on Computer and Communications Security,CCS 2009,Chicago,Illinois,USA,November. 2009: 199-212.
[9]	GILLANI F , AL-SHAER E , LO S ,et al. Agile virtualized infrastructure to proactively defend against cybe attacks[C]// 2015 IEEE Conference on Computer Communications. 2015: 729-737.
[10]	张玉清, 王晓菲, 刘雪峰 ,等. 云计算环境安全综述[J]. 软件学报, 2016,27(6): 1328-1348.
	ZHANGY Y Q , WANG X F , LIU X F ,et al. Survey on cloud computing security[J]. Journal of Software, 2016,27(6): 1328-1348.
[11]	WU Z , XU Z , WANG H . Whispers in the Hyper-space:high-speed covert channel attacks in the cloud[C]// USENIX Security symposium. 2012: 159-173.
[12]	IRAZOQUI G , EISENBARTH T , SUNAR B . S$A:a shared cache attack that works across cores and defies VM sandboxing-and its application to AES[C]// IEEE Symposium on Security ＆ Privacy. 2015: 591-604.
[13]	ZHANG Y , LI M , BAI K ,et al. Incentive compatible moving target defense against vm-colocation attacks in clouds[C]// IFIP International Information Security Conference. 2012: 388-399.
[14]	LI P , GAO D , REITER M K . Stopwatch:a cloud architecture for timing channel mitigation[J]. ACM Transactions on Information and System Security (TISSEC), 2014,17(2): 1-28.
[15]	ZHANG Y , REITER M K . Düppel:retrofitting commodity operating systems to mitigate cache side channels in the cloud[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 827-838.
[16]	PATTUK E , KANTARCIOGLU M , LIN Z ,et al. Preventing cryptographic key leakage in cloud virtual machines[C]// The 23rd USENIX Security Symposium (USENIX Security 14). 2014: 703-718.
[17]	GILLANI F , AL-SHAER E , LO S ,et al. Agile virtualized infrastructure to proactively defend against cyber attacks[C]// Computer Communications. 2015: 729-737.
[18]	WANG Y , CHAU P , CHEN F . A framework for security-aware virtual network embedding[C]// 2015 24th International Conference on Computer Communication and Networks (ICCCN). 2015: 1-7.
[19]	HAN Y , ALPCAN T , CHAN J ,et al. Security games for virtual machine allocation in cloud computing[C]// International Conference on Decision and Game Theory for Security. 2013: 99-118.
[20]	MOON S J , SEKAR V , REITER M K . Nomad:mitigating arbitrary cloud side channels via provider-assisted migration[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 1595-1606.
[21]	LIU F , YAROM Y , GE Q ,et al. Last-level cache side-channel attacks are practical[C]// 2015 IEEE Symposium on Security and Privacy (SP). 2015: 605-622.
[22]	SUZAKI K , IIJIMA K , YAGI T ,et al. Memory deduplication as a threat to the guest OS[C]// The Fourth European Workshop on System Security. 2011: 1-6.
[23]	OWENS R , WANG W . Non-interactive OS fingerprinting through memory de-duplication technique in virtual machines[C]// 2011 IEEE 30th International Performance Computing and Communications Conference (IPCCC). 2011: 1-8.

符号	含义
K	信息泄露速率
Γ	共存的时间间隔数量
ε	最小的时间间隔

面向多租户的关键虚拟机动态迁移方法研究

Research on dynamic migration of critical virtual machines for multi-tenancy

在线阅读

pdf下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 23

相关文章 6

Metrics

推荐阅读 0

[1]	裘佳浩, 邱卫东, 王杨德, 查言, 谢宇明, 李岩. 智能化的安卓手势密码取证关键技术[J]. 网络与信息安全学报, 2022, 8(1): 118-127.
[2]	李玎, 祝跃飞, 芦斌, 林伟. 网络加密流量侧信道攻击研究综述[J]. 网络与信息安全学报, 2021, 7(4): 114-130.
[3]	潘启润,黄开枝,游伟. 基于隔离等级的网络切片部署方法[J]. 网络与信息安全学报, 2020, 6(2): 96-105.
[4]	孔凡玉,乔咏,刘蓬涛,刘晓东,周大水. RSA-CRT密码防御算法的故障注入攻击[J]. 网络与信息安全学报, 2019, 5(1): 30-36.
[5]	任君,熊金波,姚志强. 基于差分隐私模型的云数据副本安全控制方案[J]. 网络与信息安全学报, 2017, 3(5): 38-46.
[6]	贾徽徽,王潮,顾健,宋好好,唐迪. ECC计时攻击研究与仿真[J]. 网络与信息安全学报, 2016, 2(4): 56-63.