基于虚拟散列安全访问路径VHSAP的云计算路由平台防御DDoS攻击方法

doi:10.11959/j.issn.1000-436x.2015004

通信学报 ›› 2015, Vol. 36 ›› Issue (1): 30-37.doi: 10.11959/j.issn.1000-436x.2015004

基于虚拟散列安全访问路径VHSAP的云计算路由平台防御DDoS攻击方法

吴志军,崔奕,岳猛

中国民航大学天津市智能信号处理重点实验室，天津 300300

出版日期:2015-01-25 发布日期:2017-06-21
基金资助:
国家自然科学基金资助项目;国家自然科学基金资助项目;天津市应用基础与前沿技术研究计划基金资助项目;2013年民航科技引导基金资助项目;中国民航大学科研平台建设基金资助项目;中央高校基本科研业务费基金资助项目;中央高校基本科研业务费基金资助项目;中央高校基本科研业务费基金资助项目

VHSAP-based approach of defending against DDoS attacks for cloud computing routing platforms

UZhi-jun W,UIYi C,UEMeng Y

Tianjin Key Laboratory for Advanced Signal Processing,Civil Aviation University of China,Tianjin 300300,China

Online:2015-01-25 Published:2017-06-21
Supported by:
The National Natural Science Foundation of China;The National Natural Science Foundation of China;The Key Project of Tianjin Natural Science Foundation;Civil Aviation Science and Technology Innovation Fund;Research Laboratory Construction Funds of Civil Aviation University of China;Fundamental Research Funds for the Central Universities;Fundamental Research Funds for the Central Universities;Fundamental Research Funds for the Central Universities

摘要/Abstract

摘要：

防御分布式拒绝服务DDoS（distributed denial of service）攻击是云计算平台安全保护中的一个关键问题。在研究大规模网络防御DDoS攻击的安全覆盖服务SOS（security overlay service）方法的基础上，揭示了SOS在节点被攻击时退出机制存在的安全漏洞，根据云计算路由策略改进了一致性散列算法 Chord，提出了适用于云计算路由平台3层架构的虚拟散列安全访问路径VHSAP（virtualization hash security access path），在安全访问路径中引入了心跳机制，利用虚拟机技术实现弹性的虚拟节点，完成在云平台中被攻击节点之间的无缝切换，保证用户对云计算平台的安全访问。针对VHSAP防御DDoS的性能进行了仿真实验，重点研究了在散列安全访问路径HSAP中被攻击节点数和切换时延等参数，并将实验结果与SOS方法进行了比较。实验结果表明在DDoS攻击下，VHSAP具有较高的数据通过率，可以提高云计算平台的安全性。

关键词: 云计算, 路由平台, DDoS, 一致性散列, 虚拟化, 无缝切换

Abstract:

Based on the analysis of security overlay service (SOS) approach of defending against DDoS attacks in large scale network,the vulnerability in the exit mechanism of being attacked nodes in SOS approach is explored.The vulnerability is solved by improving the Chord algorithm according to the routing strategy in cloud computing.Hence,the virtualization hash security access path (VHSAP) in three-layer structure is proposed to protect the cloud computing platform.In VHSAP,the heartbeat mechanism is applied to realize virtual nodes by using the virtual technology.Therefore,the virtual nodes have the ability of resilience,which can complete the seamless switching between being attacked nodes in cloud computing platform,and guarantee the legitimate user's authority of accessing to the resource in cloud computing platform.Experiments of VHSAP defending against DDoS attacks are carried out in simulation network environment.The parameters,such as the number of being attacked nodes in hash secure access path (HSAP),and the switching time and the handoff delay between nodes,are focused in experiments.The result shows that VHSAP achieves a higher data pass rate than that of SOS approach,and enhances the security of cloud computing platform.

Key words: cloud computing, routing platforms, DDoS, consistent hashing algorithm, virtualization; seamless switch

吴志军,崔奕,岳猛. 基于虚拟散列安全访问路径VHSAP的云计算路由平台防御DDoS攻击方法[J]. 通信学报, 2015, 36(1): 30-37.

UZhi-jun W,UIYi C,UEMeng Y. VHSAP-based approach of defending against DDoS attacks for cloud computing routing platforms[J]. Journal on Communications, 2015, 36(1): 30-37.

图/表 11

图1

图2

表1

图3

图4

图5

图6

图7

图8

表2

表3

参考文献 14

[1]	孙长华，刘斌．分布式拒绝服务攻击研究新进展综述[J]．电子学报， 2009,37(7):1563-1568. SUN C H , LIU B . Survey on new solutions against distributed denial of service attacks[J]. ACTA Electronica Sinica, 2009,37(7):1563-1568.
[2]	冯登国，张敏，张妍等．云计算安全研究[J]．软件学报， 2012,22(1):72-81. FENG D G , ZHANG M , ZHANG Y , et al. Study on cloud computing security[J]. Journal of Software, 2012,22(1):72-81.
[3]	KEROMYTIS A D , MISRA V , RUBENSTEIN D . SOS:an architecture for mitigating DDoS attacks[J]. IEEE Journal on Selected Areas in Communications, 2004,22(1): 176-187.
[4]	STAVROU A , KEROMYTIS A D . Countering DoS attacks with stateless multipath overlays[A]. Proceedings of the 12th ACM Conference on Computer and Communications Security CCS '05, Alexandria,Virginia,USA, 2005. 249-259.
[5]	XUAN D , CHELLAPPAN S , WANG X , et al. Analyzing the secure overlay services architecture under intelligent DDoS attacks[A]. Proceedings of the 24th International Conference on Distributed Computing Systems, Tokyo Japan, 2004. 408-417.
[6]	WANG X , CHELLAPPAN S , BOYER P , et al. On the effectiveness of secure overlay forwarding systems under intelligent distributed DoS attacks[J]. IEEE Transactions on Parallel and Distributed Systems, Tokyo Japan, 2006,17(7): 619-632.
[7]	IN C H , HONG C S , WEI J , et al. An enhanced SOS architecture for DDoS attack defense using active network technology[A]. Proceedings of Advanced Industrial Conference on Telecommunications/ Service Assurance with Partial and Intermittent Resources Conference/ELearning on Telecommunications Workshop[C]. Lisbon,Portugal, 2005. 90-95.
[8]	KAUR R , SANGA A L , KUMAR K . Secure overlay services (SOS):a critical analysis[A]. 2012 2nd IEEE International Conference on Parallel,Distributed and Grid Computing[C]. Ottawa,Canada, 2012. 457-462.
[9]	卢国强．云计算泛联路由平台[J]．信息安全与技术， 2010,(8):106-108. LU G Q . Tum routing platform in cloud computing[J]. Information Security and Technology, 2010,(8):106-108.
[10]	DING S L , ZHAO X H . Analysis and improvement on Chord protocol for structured P2P[A]. IEEE 3rd International Conference on Communication Software and Networks, 2011. 214-218.
[11]	THIRUVATHUKAL G K , HINSEN K , L?UFER K , et al. Virtualization for computational scientists[J]. Computing in Science ＆ Engineering, 2010,12(4): 52-60.
[12]	邓谦．基于Hadoop的云计算安全机制研究[D]．南京：南京邮电大学， 2013. DENG Q . Research on Security Mechanism of Cloud Computing Based on Hadoop[D]. Nanjing: Nanjing University, 2013.
[13]	ZHU H , CHEN H P . Adaptive failure detection VIA heartbeat under hadoop[A]. 2011 IEEE Asia-Pacific Services Computing Conference[C]. Jeju,Korea, 2011. 231-238.
[14]	赵永利，张杰． OMNeT++与网络仿真[M]．北京：人民邮电出版社， 2012. ZHAO Y L , ZHANG J . OMNeT++and Network Simulation[M]. Beijing: Posts ＆Telecom Press 2012.

改变前		改变后
查询标识符项	后向节点	查询标识符项	后向节点
16+2⁰	25	16+2⁰	25
16+2¹	25	16+2¹	25
16+2³	25	16+2³	25
16+2³	25	16+2³	25
16+2⁴	34	16+2⁴	34
16+2⁵	58	16+2⁵	46

参数配置/方法名称	通过率
参数配置/方法名称	VHSAP	SOS
N=100,Na=30,w=1	60%	11%
N=1000,Na=30,w=1	91%	65%
N=1000,Na=100,w=1	90%	60%
N=1000,Na=500,w=1	62%	2%
N=1000,Na=300,w=1	60%	14%
N=1000,Na=300,w=2	93%	30%

名称/项目	无需大量样本训练	应对更新快	无需进行大量计算	针对平台节点的防御
聚类分析	×	×	×	×
小波分析	√	√	×	×
心跳机制	√	√	√	√

[1]	马玲, 樊漆亮, 许婷, 郭冠琛, 张圣林, 孙永谦, 张玉志. 基于强化学习的在线离线混部云环境下的调度框架[J]. 通信学报, 2023, 44(6): 90-102.
[2]	陈浩, 杨芫, 徐明伟, 裴丹, 尤艺霖. 支持多模态网络的可扩展异构服务功能链并行编排部署系统[J]. 通信学报, 2022, 43(9): 1-11.
[3]	徐泽汐, 庄雷, 张坤丽, 桂明宇. 基于知识图谱的服务功能链在线部署算法[J]. 通信学报, 2022, 43(8): 41-51.
[4]	杨力, 潘成胜, 孔相广, 黄琦龙, 戚耀文. 5G融合卫星网络研究综述[J]. 通信学报, 2022, 43(4): 202-215.
[5]	邱航, 汤红波, 游伟, 赵宇, 柏溢. NFV中基于量子遗传算法的网络服务扩展算法[J]. 通信学报, 2022, 43(11): 44-52.
[6]	王化群, 刘哲, 何德彪, 李继国. 公有云中身份基多源IoT终端数据PDP方案[J]. 通信学报, 2021, 42(7): 52-60.
[7]	张键红, 武梦龙, 王晶, 刘沛, 姜正涛, 彭长根. 云环境下安全的可验证多关键词搜索加密方案[J]. 通信学报, 2021, 42(4): 139-149.
[8]	李瑞琪, 贾春福, 王雅飞. 基于NTRU的多密钥同态代理重加密方案及其应用[J]. 通信学报, 2021, 42(3): 11-22.
[9]	王泽南, 张娇, 汪硕, 黄韬, F.RichardYu. 端到端时延上限确定的服务链部署算法[J]. 通信学报, 2021, 42(11): 66-78.
[10]	张嘉伟, 马建峰, 马卓, 李腾. 云计算中基于时间和隐私保护的可撤销可追踪的数据共享方案[J]. 通信学报, 2021, 42(10): 81-94.
[11]	王文娟, 杜学绘, 单棣斌. 基于动态概率攻击图的云环境攻击场景构建方法[J]. 通信学报, 2021, 42(1): 1-17.
[12]	田有亮,骆琴. 基于改进Merkle-Tree认证方法的可验证多关键词搜索方案[J]. 通信学报, 2020, 41(9): 118-129.
[13]	王娜,郑坤,付俊松,李剑. 基于分块的移动边缘计算密文检索方法[J]. 通信学报, 2020, 41(7): 95-102.
[14]	赵临东,庄文芹,陈建新,周亮. 异构蜂窝网络中分层任务卸载：建模与优化[J]. 通信学报, 2020, 41(4): 34-44.
[15]	梁冰,纪雯. 基于次模优化的边云协同多用户计算任务迁移方法[J]. 通信学报, 2020, 41(10): 25-36.

基于虚拟散列安全访问路径VHSAP的云计算路由平台防御DDoS攻击方法

VHSAP-based approach of defending against DDoS attacks for cloud computing routing platforms

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 14

相关文章 15

Metrics

推荐阅读 0