容器云中基于Stackelberg博弈的动态异构调度方法

doi:10.11959/j.issn.2096-109x.2021063

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (3): 95-104.doi: 10.11959/j.issn.2096-109x.2021063

• 专栏Ⅱ：SDN与云计算安全 • 上一篇下一篇

容器云中基于Stackelberg博弈的动态异构调度方法

曾威, 扈红超, 李凌书, 霍树民

信息工程大学，河南郑州 450001

修回日期:2021-04-23 出版日期:2021-06-15 发布日期:2021-06-01
作者简介:曾威（1997- ），男，河南信阳人，信息工程大学硕士生，主要研究方向为移动目标防御和拟态安全防御
扈红超（1982- ），男，河南商丘人，信息工程大学研究员，主要研究方向为云计算和网络安全
李凌书（1992- ），男，湖北恩施人，信息工程大学博士生，主要研究方向为拟态安全防御和网络欺骗
霍树民（1985- ），男，山西长治人，信息工程大学副研究员，主要研究方向为网络空间安全和人工智能安全
基金资助:
国家重点研发计划(2018YFB0804004);国家自然科学基金(62002383)

Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud

Wei ZENG, Hongchao HU, Lingshu LI, Shumin HUO

Information Engineering University, Zhengzhou 450001, China

Revised:2021-04-23 Online:2021-06-15 Published:2021-06-01
Supported by:
The National Key R＆D Program of China(2018YFB0804004);The National Natural Science Foundation of China(62002383)

摘要/Abstract

摘要：

容器技术以其灵活、高效的特性促进了云计算的快速发展，但同时引入了如同驻攻击、逃逸攻击和共模攻击等安全威胁。针对这些安全威胁，提出一种容器云中基于 Stackelberg 博弈的动态异构式调度方法。首先，构建异构镜像资源池以抑制云上基于共模漏洞的攻击扩散；进而，将攻防交互过程建模为Stackelberg博弈模型；最后，对攻防模型进行分析，将系统调度问题建模为混合整数非线性规划问题以求解系统最优调度策略。实验证明，所提方法能够提升云平台的防御效果，降低系统防御开销。

关键词: 云安全, 容器调度, Stackelberg博弈, 移动目标防御

Abstract:

Container technology promotes the rapid development of cloud computing with its flexible and efficient features, but it also introduces security threats such as co-resident attacks, escape attacks, and common mode attacks.In response to these security threats, a dynamic heterogeneous scheduling method based on Stackelberg game in the container cloud was proposed.First, a heterogeneous mirrored resource pool is constructed to suppress the spread of attacks based on common-mode vulnerabilities on the cloud.Then, the offensive and defense interaction process is modeled as a Stackelberg game model.Finally, the offensive and defensive model is analyzed, and the system scheduling problem is modeled as a mixed integer non-linear programming problem to solve the system's optimal scheduling strategy.Experiments show that the proposed method can improve the defense effect of the cloud platform and reduce the system defense overhead.

Key words: cloud security, container scheduling, Stackelberg game, moving target defense

曾威, 扈红超, 李凌书, 霍树民. 容器云中基于Stackelberg博弈的动态异构调度方法[J]. 网络与信息安全学报, 2021, 7(3): 95-104.

Wei ZENG, Hongchao HU, Lingshu LI, Shumin HUO. Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 95-104.

图/表 9

图1

图2

表1

图3

图4

图5

图6

图7

图8

参考文献 31

[1]	JITHIN R , CHANDRAN P . Virtual machine isolation[C]// International Conference on Security in Computer Networks and Distributed Systems. 2014.
[2]	JIN H , LI Z , ZOU D ,et al. DSEOM:a framework for dynamic security evaluation and optimization of MTD in container-based cloud[J]. IEEE Transactions on Dependable and Secure Computing, 2019,(99): 1-1.
[3]	CHOWDHARY A , . Adaptive MTD security using Markov game modeling[C]// 2019 International Conference on Computing,Networking and Communications (ICNC). 2019: 577-581.
[4]	WANG J W , ZHANG X L , LI Q ,et al. Network function virtualization technology:a survey[J]. Chinese Journal of Computers, 2019,42(2): 415-436.
[5]	LI S Y , LI Q , LI B . Research on isolation of container based on docker technology[J]. Computer engineering ＆ Software, 2015,(4): 110-113.
[6]	ABDELRAHEM O , BAHAA-ELDIN A M , TAHA A . Virtualization security:a survey[C]// International Conference on Computer Engineering ＆ Systems. 2016: 32-40.
[7]	ZHENG Z . Virtual machine security isolation and protection based on cloud platform[J]. China Computer ＆ Communication, 2018,417(23): 174-177.
[8]	AZAB M , . Toward smart moving target defense for Linux container resiliency[C]// 2016 IEEE 41st Conference on Local Computer Networks (LCN). 2016: 619-622.
[9]	HUANG R , . RELOCATE:a container based moving target defense approach[C]// Proceedings of The 7th International Conference on Computer Engineering and Networks — PoS(CENet2017). 2017:8.
[10]	SARKALE V V , RAD P , LEE W . Secure cloud container:runtime behavior monitoring using most privileged container (MPC)[C]// IEEE International Conference on Cyber Security ＆Cloud Computing. 2017: 351-356.
[11]	杨爽 . 基于改进遗传算法的动态虚拟机调度策略研究[D]. 哈尔滨:哈尔滨工程大学, 2019.
	YANG S . Research on dynamic virtual machine scheduling strategy based on improved genetic algorithm[D]. Harbin:Harbin Engineering University, 2019.
[12]	TONG K , LIMING W , ZHEN X ,et al. Design of a container-based security cloud computing platform[J]. e-Science Technology ＆ Application, 2017,8(1): 10-18.
[13]	蔡雨彤, 常晓林, 石禹 ,等. 动态平台技术防御攻击的瞬态效能量化分析[J]. 信息安全学报, 2019,(4): 59-67.
	CAI Y T , CHANG X L , SHI Y ,et al. Quantitative analysis of transient effectiveness of dynamic platform technology in defense against attacks[J]. Journal of Information Security, 2019,(4): 59-67.
[14]	ZHANG Y . Cost-effective migration-based dynamic platform defense technique:a CTMDP approach[J]. Peer-to-Peer Networking and Applications, 2021: 1-11.
[15]	SOUROUR D , . Platform moving target defense strategy based on trusted dynamic logical heterogeneity system[C]// Proceedings of the 2019 International Conference on Artificial Intelligence 1and Computer Science. 2019: 643-648.
[16]	CAI Z Y , XIE X L . An improved container cloud resource scheduling strategy[C]// Proceedings of the 2019 4th International Conference on Intelligent Information Processing. 2019: 383-387.
[17]	XIAO Z , JIANG J , ZHU Y ,et al. A solution of dynamic VMs placement problem for energy consumption optimization based on evolutionary game theory[J]. Journal of Systems ＆ Software, 2015,101(3): 260-272.
[18]	HASAN M G M M , RAHMAN M A . Protection by detection:a signaling game approach to mitigate co-resident attacks in cloud[C]// Proc IEEE 10th Int Conf Cloud Comput (CLOUD), 2017: 552-559.
[19]	LEI C , ZHANG H Q , WAN L M ,et al. Incomplete information Markov game theoretic approach to strategy generation for moving target defense[J]. Computer Communications, 2018,116(1): 184-199.
[20]	季新生, 徐水灵, 刘文彦 ,等. 一种面向安全的虚拟网络功能动态异构调度方法[J]. 电子与信息学报, 2019,41(10).
	JI X S , XU S L , LIU W Y ,et al. A security-oriented dynamic heterogeneous scheduling method of virtual network functions[J]. Journal of Electronics ＆ Information Technology, 2019,41(10).
[21]	HAN Y , CHAN J , ALPCAN T ,et al. Using virtual machine allocation policies to defend against co-resident attacks in cloud computing[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2017,14(1): 95-108.
[22]	ALNAIM A , ALWAKEEL A , FERNANDEZ E B . A misuse pattern for compromising VMs via virtual machine escape in NFV[C]// The 14th International Conference. 2019: 1-6.
[23]	WU J . An access control model for preventing virtual machine escape attack[J]. Future Internet, 2017,9(2): 20.
[24]	王禛鹏 . 拟态网络操作系统调度与裁决机制研究及实现[D]. 郑州：信息工程大学, 2017.
	WANG Z P . Research and implementation of mimic network operating system scheduling and adjudication mechanism[D]. Zhengzhou:Information Engineering University, 2017.
[25]	WU M GUAN H , ZANG B ,et al. POSTER:quantitative security assessment method based on entropy for moving target defense[J]. ACM SIGPLAN Notices, 2017,52(8): 457-458.
[26]	GARCIA M . Analysis of operating system diversity for intrusion tolerance[J]. Software-Practice and Experience, 2014,44(6): 735-770.
[27]	张杰鑫, 庞建民, 张铮 . 拟态构造的 Web 服务器异构性量化方法[J]. 软件学报, 2020(2): 564-577.
	ZHANG J X , PANG J M , ZHANG Z . Quantification method for heterogeneity on Web server with mimic construction[J]. Journal of Software, 2020(2): 564-577.
[28]	PARUCHURI P , PEARCE J P , TAMBLE M ,et al. An efficient heuristic approach for security against multiple adversaries[C]// Proc 6th Int Joint Conf Auton Agents Multiagent Syst. 2007: 1-8.
[29]	PARUCHURI P , PEARCE J P , MARECKI J ,et al. Playing games for security:An efficient exact algorithm for solving Bayesian Stackelberg games[C]// Proc 7th Int Joint Conf Auton Agents Multiagent Syst. 2008: 895-902.
[30]	PLADD:deterring attacks on cyber systems and moving target defense[P]. 2017.
[31]	IBM Ins. CPLEX optimization studio 12.10[EB]. 2019

数学符号	含义
V	云资源池
T	系统调度周期
M	容器异构资源池大小
ω	容器的价值权重
D	云资源池的异构度
λ	容器调度概率
p	异构容器元特征
k	攻击者的组数
s	攻击者最大攻击能力

容器云中基于Stackelberg博弈的动态异构调度方法

Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 31

相关文章 9

Metrics

推荐阅读 0

[1]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[2]	王滨, 陈靓, 钱亚冠, 郭艳凯, 邵琦琦, 王佳敏. 面向对抗样本攻击的移动目标防御[J]. 网络与信息安全学报, 2021, 7(1): 113-120.
[3]	何康,祝跃飞,刘龙,芦斌,刘彬. 敌对攻击环境下基于移动目标防御的算法稳健性增强方法[J]. 网络与信息安全学报, 2020, 6(4): 67-76.
[4]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[5]	周余阳, 程光, 郭春生. 基于贝叶斯攻击图的网络攻击面风险评估方法[J]. 网络与信息安全学报, 2018, 4(6): 11-22.
[6]	刘丹军,蔡桂林,王宝生. AMTD：一种适应性移动目标防御方法[J]. 网络与信息安全学报, 2018, 4(1): 15-25.
[7]	施江勇,杨岳湘,李文华,王森. 基于SDN的云安全应用研究综述[J]. 网络与信息安全学报, 2017, 3(5): 10-25.
[8]	张淼,季新生,艾健健,刘文彦,扈红超,霍树民. 基于操作系统多样性的虚拟机安全部署策略[J]. 网络与信息安全学报, 2017, 3(10): 35-43.
[9]	徐鹏,金海. 可搜索加密的研究进展[J]. 网络与信息安全学报, 2016, 2(10): 8-16.