Chinese Journal of Network and Information Security, 2021, Vol. 7, Issue (1): 101-112. doi: 10.11959/j.issn.2096-109x.2021011
Liming PU, Hongquan WEI, Xing LI, Yiming JIANG
Revised: 2020-07-05
Online: 2021-02-15
Published: 2021-02-01
Author biography: Liming PU (1976- ), male, born in Songming, Yunnan; associate researcher at Information Engineering University; main research interests: network security and network architecture.
Supported by:
Abstract:
Cloud application services built on a single executor lack heterogeneity and dynamism, and therefore struggle to cope with the security threats posed by unknown vulnerabilities and backdoors. To address this problem, a mimic cloud service architecture is proposed: the application service nodes that the cloud platform offers to users are constructed as service packages based on mimic defense technology, so that the application services gain the endogenous security properties and robustness that a mimic construction brings. Two key runtime mechanisms of the mimic cloud service, strategy scheduling and the adjudication (ruling) mechanism, are also discussed. Experimental analysis shows that the mimic cloud service offers good security, and that its response latency can be lowered by reducing the performance differences among executors.
Liming PU, Hongquan WEI, Xing LI, Yiming JIANG. Mimic cloud service architecture for cloud applications[J]. Chinese Journal of Network and Information Security, 2021, 7(1): 101-112.