面向云应用的拟态云服务架构

doi:10.11959/j.issn.2096-109x.2021011

Abstract

Abstract:

In order to solve the problem of the lack of heterogeneity and dynamics of cloud application services with a single executor, and the difficulty of dealing with the security threats of unknown vulnerabilities and backdoors, a mimic cloud service architecture was proposed.In this architecture, the application services provided by the cloud platform were constructed into a service package based on mimic defense technology, so that the application services had the endogenous security features and robustness brought by mimic structure.At the same time, two key mimic cloud services operating mechanism，policy scheduling and adjudication mechanism were discussed.The experimental results and analysis show that the mimic cloud service obtains better security and its response time delay can be reduced by reducing the performance difference of the executor.

Key words: mimic cloud service, response delay, dynamic, heterogeneous

CLC Number:

TP309

Liming PU, Hongquan WEI, Xing LI, Yiming JIANG. Mimic cloud service architecture for cloud applications[J]. Chinese Journal of Network and Information Security, 2021, 7(1): 101-112.

Figures/Tables 13

References 43

[35]	QI Q , WU J X , HU H C ,et al. An intensive security architecture with multi-controller for SDN[C]// 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). 2016: 401-402.
[36]	李文彬, 刘璇, 张建畅 ,等. 基于随机抽样一致性的误匹配剔除方法研究[J]. 计算机仿真, 2019,36(10): 233-237.
	LI W B , LIU X , ZHANG J C ,et al. Mismatching culling algorithm based on minimum distance and RANSAC fusion[J]. Computer Simulation, 2019,36(10): 233-237.
[37]	CHRISTENSEN J H , . Using RESTful Web-services and cloud computing to create next generation mobile applications[C]// Proceedings of the 24th ACM SIGPLAN Conference Companion on Object Oriented Programming Systems Languages and Applications. 2009: 627-634.
[38]	巴斌, 郑娜娥, 朱世磊 ,等. 利用蒙特卡洛的最大似然时延估计算法[J]. 西安交通大学学报, 2015,49(8): 24-30.
	BA B , ZHENG N E , ZHU S L ,et al. A maximum likelihood time delay estimation algorithm using monte carlo method[J]. Journal of Xi'an JiaoTong University, 2015,49(8): 24-30.
[39]	VIRTANEN P , GOMMERS R , OLIPHANT T E ,et al. SciPy 1.0:fundamental algorithms for scientific computing in Python[J]. Nature Methods, 2020,17(3): 261-272.
[40]	WANG Y W , WU J X , GUO Y F ,et al. Scientific workflow execution system based on mimic defense in the cloud environment[J]. Frontiers of Information Technology ＆ Electronic Engineering, 2018,19(12): 1522-1537.
[1]	GIRMA A , GARUBA M , LI J . Analysis of security vulnerabilities of cloud computing environment service models and its main characteristics[C]// 2015 12th International Conference on Information Technology-New Generations. 2015: 206-211.
[2]	CHOU T S . Security threats on cloud computing vulnerabilities[J]. International Journal of Computer Science and Information Technology, 2013,5: 79-88.
[41]	聂德雷, 赵博, 王崇 ,等. 拟态多执行体架构下的超时阈值计算方法[J]. 网络与信息安全学报, 2018,4(10): 68-76.
	NIE D L , ZHAO B , WANG C ,et al. Timeout threshold estimation algorithm in mimic multiple executors architecture[J]. Chinese Journal of Network and Information Security, 2018,4(10): 68-76.
[3]	DARWISH M , OUDA A , CAPRETZ L F . Cloud-based DDoS attacks and defenses[C]// International Conference on Information Society (i-Society 2013). 2013: 67-71.
[4]	BARAKA H B , TIANFIELD H . Intrusion detection system for cloud environment[C]// Proceedings of the 7th International Conference on Security of Information and Networks. 2014: 399-404.
[42]	CALHEIROS RN , RANJAN R , BELOGLAZOV A ,et al. CloudSim:a toolkit for modeling and simulation of cloud computing environments and evaluation of resource provisioning algorithms[J]. Software:Practice and Experience, 2011,41(1): 23-50.
[43]	周清雷, 冯峰, 朱维军 . 基于功能切片的拟态防御体系结构及安全等级评估方法[J]. 通信学报, 2018,39(S2): 95-105.
[5]	AL-SALEH M I , HAMDAN H M . On studying the antivirus behavior on kernel activities[C]// Proceedings of the 2018 International Conference on Internet and E-Business. 2018: 158-161.
[6]	MAVROMOUSTAKOS S , PATEL A , CHAUDHARY K ,et al. Causes and prevention of SQL injection attacks in web applications[C]// Proceedings of the 4th International Conference on Information and Network Security. 2016: 55-59.
[7]	OUSMANE S B , MBACKE B C S , IBRAHIMA N . A game theoretic approach for virtual machine allocation security in cloud computing[C]// Proceedings of the 2nd International Conference on Networking,Information Systems ＆ Security. 2019: 1-6.
[8]	ALNAIM A , ALWAKEEL A , FERNANDEZ E B . A misuse pattern for compromising VMs via virtual machine escape in NFV[C]// Proceedings of the 14th International Conference on Availability,Reliability and Security. 2019: 1-6.
[9]	LINDEMANN J , . Towards abuse detection and prevention in IaaS cloud computing[C]// 2015 10th International Conference on Availability,Reliability and Security. 2015: 211-217.
[10]	YANG C , GUO Y F , HU H C ,et al. An effective and scalable VM migration strategy to mitigate cross-VM side-channel attacks in cloud[J]. China Communications, 2019,16(4): 151-171.
[11]	ZHANG Y , JUELS A , REITER M K ,et al. Cross-tenant side-channel attacks in PaaS clouds[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 990-1003.
[12]	YOUNIS Y A , KIFAYAT K , HUSSAIN A . Preventing and detecting cache side-channel attacks in cloud computing[C]// Proceedings of the Second International Conference on Internet of Things,Data and Cloud Computing. 2017: 1-8.
[13]	Common vulnerabilities and exposures[EB]. 2015.
[14]	ANAND V , . Intrusion detection:tools,techniques and strategies[C]// Proceedings of the 42nd Annual ACM SIGUCCS Conference on User Services. 2014: 69-73.
[15]	PENG W , LI F , HUANG C T ,et al. A moving-target defense strategy for cloud-based services with heterogeneous and dynamic attack surfaces[C]// 2014 IEEE International Conference on Communications. 2014.
[16]	ZHOU X , LU Y , WANG Y ,et al. Overview on moving target network defense[C]// 2018 IEEE 3rd International Conference on Image,Vision and Computing (ICIVC). 2018: 821-827.
[17]	WANG S , ZHANG L , TANG C . A new dynamic address solution for moving target defense[C]// 2016 IEEE Information Technology,Networking,Electronic and Automation Control Conference. 2016: 1149-1152.
[18]	ZHANG J Z F , FENG X W , WANG D X ,et al. Web service applying moving target defense[C]// 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). 2018: 640-645.
[19]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10
[20]	张铮, 刘浩, 谭力波 ,等. 工控拟态安全处理器验证系统测试及安全分析[J]. 通信学报, 2018,39(S2): 131-137.
	ZHANG Z , LIU H , TAN L B ,et al. Industrial control mimic security processor verification system test and security analysis[J]. Journal on Communications, 2018,39(S2): 131-137.
[21]	ZHENG J , WU G , WEN B ,et al. Research on SDN-based mimic server defense technology[C]// Proceedings of the 2019 International Conference on Artificial Intelligence and Computer Science. 2019: 163-169.
[22]	李传煌, 任云方, 汤中运 ,等. SDN中服务部署的拟态防御方法[J]. 通信学报, 2018,39(S2): 121-130.
	LI C H , REN Y F , TANG Z Y ,et al. Mimic defense method for service deployment in SDN[J]. Journal on Communications, 2018,39(S2): 121-130.
[23]	顾泽宇, 张兴明, 林森杰 . 基于拟态防御理论的 SDN 控制层安全机制研究[J]. 计算机应用研究, 2018,35(7): 2148-2152.
	GU Z Y , ZAHNG X M , LIN S J . Research on security mechanism for SDN control layer based on mimic defense theory[J]. Application Research of Computers, 2018,35(7): 2148-2152.
[24]	王禛鹏, 扈红超, 程国振 . 一种基于拟态安全防御的 DNS 框架设计[J]. 电子学报, 2017,45(11): 139-148.
	WANG Z P , HU H C , CHENG G Z . A DNS architecture based on mimic security defense[J]. Acta Electronica Sinica, 2017,45(11): 139-148.
[25]	陈越, 王龙江, 严新成 ,等. 基于再生码的拟态数据存储方案[J]. 通信学报, 2018,39(4): 21-34.
	CHEN Y , WANG L J , YAN X C ,et al. Mimic storage scheme based on regenerated code[J]. Journal on Communications, 2018,39(4): 21-34.
[26]	仝青, 张铮, 张为华 ,等. 拟态防御 Web 服务器设计与实现[J]. 软件学报, 2017,28(4): 883-897.
	TONG Q , ZHANG Z , ZHANG W H ,et al. Design and implementation of mimic defense Web server[J]. Journal of Software, 2017,28(4): 883-897.
[27]	HU H C , WU J X , WANG Z P ,et al. Mimic defense:a designed-in cybersecurity defense framework[J]. IET Information Security, 2018,12(3): 226-237.
[28]	GARCIA M , BESSANI A , GASHI I ,et al. Analysis of operating system diversity for intrusion tolerance[J]. Software-practice ＆Experience, 2014,44(6): 735-770.
[29]	JOHNSTON W , . Increasing system reliability-a survey of redundant control methods[C]// Fourth Annual Canadian Conference Proceedings.,Programmable Control and Automation Technology Conference and Exhibition. 1988.
[30]	潘计辉, 张盛兵, 张小林 ,等. 三余度机载计算机设计与实现[J]. 西北工业大学学报, 2013,31(5): 798-802.
	PANG J H , ZHANG S B , ZHANG X L ,et al. Design and realization of treble-redundancy management method of flight control system[J]. Journal of Northwestern Polytechnical University, 2013,31(5): 798-802.
[31]	普黎明, 刘树新, 丁瑞浩 ,等. 面向拟态云服务的异构执行体调度算法[J]. 通信学报, 2020,41(3): 17-24.
	PU L M , LIU S X , DING R H ,et al. Heterogeneous executor scheduling algorithm for mimic cloud service[J]. Journal on Communications, 2020,41(3): 17-24.
[32]	张杰鑫, 庞建民, 张铮 ,等. 面向拟态构造Web服务器的执行体调度算法[J]. 计算机工程, 2019,45(8): 14-21.
	ZHANG J X , PANG J M , ZHANG Z ,et al. The executors scheduling algorithm for the Web server with mimic construction[J]. Computer Engineering, 2019,45(8): 14-21.
[33]	武兆琪, 张帆, 郭威 ,等. 一种基于执行体异构度的拟态裁决优化方法[J]. 计算机工程, 2019,10: 1-8.
	WU Z Q , ZHANG F , GUO W ,et al. A mimic ruling optimization method based on executive heterogeneity[J]. Computer Engineering, 2019,10: 1-8.
[34]	刘文彦, 霍树民, 陈扬 ,等. 网络攻击链模型分析及研究[J]. 通信学报, 2018,39(S2): 88-94.
	LIU W Y , HUO S M , CHEN Y ,et al. Analysis and study of cyber attack chain model[J]. Journal on Communications, 2018,39(S2): 88-94.
[43]	ZHOU Q L , FENG F , ZHU W J . Mimic defense organization structure based on functional slice and method of evaluating security level[J]. Journal on Communications, 2018,39(S2): 95-105.

Metrics

Recommended 0

No Suggested Reading articles found!

配置项	描述
MSP_IP	云服务的IP地址
MSC_IP	拟态服务控制器的IP地址
MSA_IP	服务代理面向执行体的IP地址
VN_POOL	异构资源池
SCHEDULING_POLICY	预定义的调度策略
DECISION_POLICY	预定义的裁决策略

配置项	描述
API_ID	API识别ID号
PATTERN	数据格式（JSON 、XML、自定义）
FIELDS_NUMBER	API返回字段数量
FIELDS	字段列表

攻击者	E1	E2	E3	MSP
A1	3	2	2	2
A2	2	3	2	2
A3	2	2	3	2
注：“3”表示攻击成功，“2”表示攻击失败。

Mimic cloud service architecture for cloud applications

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 43

Related Articles 15

Metrics

Recommended 0

[1]	Fenghua LI, Hui LI, Ben NIU, Weidong QIU. Academic connotation and research trends of privacy computing [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 1-8.
[2]	Zuobin YING, Yichen FANG, Yiwen ZHANG. Privacy-preserving federated learning framework with dynamic weight aggregation [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 56-65.
[3]	Tao JIANG, Hang XU, Liangmin WANG, Jianfeng MA. Proof of storage with corruption identification and recovery for dynamic group users [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 75-87.
[4]	Cong LI, Xinsheng JI, Ushuxin LI, Jinsong LI, Haitao LI. Link prediction method for dynamic networks based on matching degree of nodes [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 131-143.
[5]	Fan GAO, Jian WANG, Jiqiang LIU. Research on link detection technology based on dynamic browser fingerprint [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 144-156.
[6]	Hailong MA, Liang WANG, Tao HU, Yiming JIANG, Yanze QU. Survey on the development of mimic defense in cyberspace:from mimic concept to “mimic+” ecology [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 15-38.
[7]	Weizhen HE, Fucai CHEN, Jie NIU, Jinglei TAN, Shumin HUO, Guozhen CHENG. Research progress on dynamic hopping technology for network layer [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 44-55.
[8]	Liuqian SUN, Yuliang WEI, Bailing WANG. Novel similarity calculation method of multisource ontology based on graph convolution network [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 149-155.
[9]	Xiang LI, Hao WANG, Qiange LIU, Chao WANG, Jian MAO, Jianwei LIU. Information service identity generation and management scheme for service supervision [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 169-177.
[10]	Peijie LI, Li ZHANG, Yunfei XIA, Liming XU. Architecture design of re-configurable convolutional neural network on software definition [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 29-36.
[11]	Qingqing ZHANG, Hongbo TANG, Wei YOU, Yingle LI. Network function heterogeneous redundancy deployment method based on immune algorithm [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 46-56.
[12]	Mingfeng ZHAO, Chen LEI, Yang ZHONG, Jinbo XIONG. Dynamic privacy measurement model and evaluation system for mobile edge crowdsensing [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 157-166.
[13]	Jingcheng GUO,Hui SHU,Xiaobing XIONG,Fei KANG. Software protection technology based on code fragmentation [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 57-68.
[14]	Xuelei ZHAO,Xinsheng JI,Shuxin LIU,Yu ZHAO. Link prediction methods based on generalized common neighbor in directed network [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 89-100.
[15]	Kang HE,Yuefei ZHU,Long LIU,Bin LU,Bin LIU. Improve the robustness of algorithm under adversarial environment by moving target defense [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 67-76.