容器云中基于信号博弈的容器迁移与蜜罐部署策略

doi:10.11959/j.issn.2096-109x.2021042

Abstract

Abstract:

Multi-tenant coexistence and resource sharing in the SaaS cloud pose serious security risks.On the one hand, soft isolation of logical namespaces is easy to be bypassed or broken.On the other hand, it is easy to be subjected to co-resident attacks due to sharing of the host operating system and underlying physical resources.Therefore it poses a serious threat to data availability, integrity and confidentiality in the container cloud.Given the problem that SaaS cloud services are vulnerable to container escape and side-channel equivalent resident attack, network deception technology increases the uncertainty of the cloud environment and reduces the effectiveness of attack by hiding the business function and characteristic attributes of the executor.Aiming at the security threat caused by the co-resident attack, combining dynamic migration and virtual honeypot security technology, the economical and reasonable network deception method was studied.Specifically, a container migration and honeypot deployment strategy based on the signal game was proposed.According to the security threat analysis, container migration and honeypot were used as defense methods.The former improved the undetectability of the system based on the idea of moving to target defense, while the latter confused attackers by placing decoy containers or providing false services.Furthermore, since network reconnaissance was the pre-step of the network attack chain, the attack and defense process was modeled as a two-person signal game with incomplete information.The sender chose to release a signal according to his type, and the receiver could only obtain the signal released by the sender but could not determine the type.Then, a game tree was constructed for the complete but imperfect information dynamic game, and the costs and benefits of different strategy combinations were set.The optimal deception strategy was determined by equilibrium analysis of attack-defense model.Experimental results show that the proposed strategy can effectively improve system security.Besides, it can also reduce container migration frequency and defense cost.

Key words: cloud computing, container migration, honeypot, signal game

CLC Number:

TN915.08

Lingshu LI, Jiangxing WU, Wei ZENG, Wenyan LIU. Strategy of container migration and honeypot deployment based on signal game in cloud environment[J]. Chinese Journal of Network and Information Security, 2022, 8(3): 87-96.

Figures/Tables 5

编号	G_cm参数要求	θ的取值范围	PBE
PBE1	ε > ω₂	$[\max (\frac{(δ_{1} + δ_{2})}{α}, \frac{α + δ_{1}}{2 α}), 1]$	{(M, M), (a₂, a₂), p=θ, q}
PBE2	ε > ω₃	$[0, \min (\frac{α + δ_{1}}{2 α}, 1 - \frac{δ_{2}}{α})]$	{(NM, NM), (a₁, a₁), p, q=θ}

References 24

[1]	JITHIN R , CHANDRAN P . Virtual machine isolation[C]// International Conference on Security in Computer Networks and Distributed Systems, 2014.
[2]	JAJODIA S , SUBRAHMANIAN V S , SWARUP V ,et al. Cyber deception[R]. 2016.
[3]	VINCENT E U , . Computer network deception as a moving target defense[C]// 2015 International Carnahan Conference on Security Technology (ICCST), 2015: 1-6.
[4]	NAAGAS M A . Defense-through-deception network security model:securing university campus network from DoS/DDoS attack[J]. Bulletin of Electrical Engineering and Informatics, 2018: 593-600.
[5]	SI-YAO L , QIANG L I , BIN LI . Research on isolation of container based on docker technology[J]. Computer Engineering ＆ Software, 2015.
[6]	ZHENG Z . Virtual machine security isolation and protection based on cloud platform[J]. China Computer ＆ Communication, 2018.
[7]	ABDELRAHEM O , BAHAA-ELDIN A M , TAHA A . Virtualization security:a survey[C]// International Conference on Computer Engineering ＆ Systems. 2017.
[8]	SONG X , MA Y , TENG D . A load balancing scheme using federate migration based on virtual machines for cloud simulations[J]. Mathematical Problems in Engineering, 2015,5: 1-11.
[9]	PRASAD T S , MALLIKARJUNA A , RAMAKRISHNA S . From cloud to fog computing:a review and a conceptual live VM migration framework[J]. IEEE Access, 2017,99: 1-1.
[10]	ZHANG Y , LI M , BAI K ,et al. Incentive compatible moving target defense against VM-colocation attacks in clouds[C]// IFIP International Information Security Conference. 2012.
[11]	PENNER T , GUIRGUIS M . Combating the bandits in the cloud:a moving target defense approach[C]// IEEE/ACM International Symposium on Cluster, 2017.
[12]	YANG C , GUO Y , HU H ,et al. An effective and scalable VM migration strategy to mitigate cross-VM side-channel attacks in cloud[J]. Networks ＆ Security, 2019: 151-171.
[13]	HORáK K , . Manipulating adversary’s belief:a dynamic game approach to deception by design for proactive network security[C]// 8th International Conference on Decision and Game Theory for Security. 2017: 273-294.
[14]	XIAO Z , JIANG J , ZHU Y ,et al. A solution of dynamic VMs placement problem for energy consumption optimization based on evolutionary game theory[J]. Journal of Systems ＆ Software, 2015,101(3): 260-272.
[15]	LEI C , ZHANG H Q , WAN L M ,et al. Incomplete information markov game theoretic approach to strategy generation for moving target defense[J]. Computer Communications, 2018,116(1): 184-199.
[16]	ADILI M T , MOHAMMADI A , MANSHAEI M H ,et al. A cost-effective security management for clouds:a game-theoretic deception mechanism[C]// Integrated Network ＆ Service Management. 2017: 98-106.
[17]	冷强, 杨英杰, 常德显 ,等. 面向网络实时对抗的动态防御决策方法[J]. 网络与信息安全学报, 2019,5(6): 58-66.
	LENG Q , YANG Y J , CHANG D X ,et al. Dynamic defense decision method for network real-time confrontation[J]. Chinese Journal of Network and Information Security, 2019,5(6): 58-66.
[18]	ALNAIM A , ALWAKEEL A , FERNANDEZ E B . A misuse pattern for compromising VMs via virtual machine escape in NFV[C]// The 14th International Conference. 2019.
[19]	FENGW , SHI X H , WANG W R . Eliminating object reference checks by escape analysis on real-time Java virtual machine[J]. Cluster Computing:The Journal of Networks,Software Tools and Applications, 2019,22(3).
[20]	KOCHER P . Spectre attacks:exploiting speculative execution[J]. Communications of the ACM, 2018.
[21]	ALMOHANNADI H , . Cyber threat intelligence from honeypot data using elasticsearch[C]// 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA). 2018: 900-906.
[22]	SARKALE V V , RAD P , LEE W . Secure cloud container:runtime behavior monitoring using most privileged container (MPC)[C]// IEEE International Conference on Cyber Security ＆ Cloud Computing. 2017.
[23]	KRISHNAVENI S , PRABAKARAN S , SIVAMOHAN S . A survey on honeypot and honeynet systems for intrusion detection in cloud environment[J]. Journal of Computational and Theoretical Nanoence, 2018.
[24]	SAXENA A , . Virtual public cloud model in honeypot for data security:a new technique[C]// 5th International Conference on Computing and Artificial Intelligence. 2019: 66-71.

Metrics

Recommended 0

No Suggested Reading articles found!

数学符号	含义
θ	IDS检测到威胁的概率（自然）
M	防御者对容器进行迁移
NM	防御者不对容器进行迁移
a₁	攻击者认为目标容器没有迁移，并发起攻击
a₂	攻击者认为目标容器进行了迁移，并发起攻击
a₀	攻击者不进行攻击
ω₁	容器迁移的开销
ω₂	容器不迁移时，模拟迁移行为的开销
ω₃	容器迁移时，模拟不迁移行为的开销
δ₁	攻击者进行扫描、窃听等开销
δ₂	攻击者进行木马注入后，攻击的开销
φ	防御者保护容器不受攻击的收益
ε	当攻击者攻击蜜罐时，防御者获得的额外收益
β	防御者未能成功保护容器的损失
α	攻击者成功攻击目标容器的收益

Strategy of container migration and honeypot deployment based on signal game in cloud environment

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 24

Related Articles 15

Metrics

Recommended 0

[1]	Jie YI, Tengfei CAO, Shuai GAO, Jianqiang HUANG. Honeypot defense and transmission strategy based on offensive and defensive games in vehicular networks [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 157-167.
[2]	Shang LIU, Yinzhang GUO. Multi-authority based CP-ABE proxy re-encryption scheme for cloud computing [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 176-188.
[3]	Yi ZHANG, Liqin TIAN, Zenan WU, Wenxing WU. Trust evaluation optimization mechanism for cloud user behavior based on FANP [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 175-182.
[4]	Ying WU,Xuan LI,Biao JIN,Rongrong JIN. Survey on the privacy-preserving content based image retrieval [J]. Chinese Journal of Network and Information Security, 2019, 5(4): 14-28.
[5]	Ying LI, Chunguang MA. Overview of searchable encryption research [J]. Chinese Journal of Network and Information Security, 2018, 4(7): 13-21.
[6]	Mengyang YU,Hui LIN,Youliang TIAN. New cross-layer reputation mechanism for mobile cloud computing [J]. Chinese Journal of Network and Information Security, 2018, 4(3): 51-58.
[7]	Yuanhao WANG,Hongbo LI,Yuzhao CUI,Qingwen GUO,Qiong HUANG. Survey on public key encryption with equality test [J]. Chinese Journal of Network and Information Security, 2018, 4(11): 13-22.
[8]	Jianbiao ZHANG,Yuanxi ZHU,Jun HU,Xiao WANG. Scheme of virtual machine trusted migration in cloud environment [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 6-14.
[9]	Weifeng LI,Weizhong QIANG,Weiming LI,Deqing ZOU. Research on forensics of privacy violations in cloud environment [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 26-35.
[10]	Dequan YANG,Weimin LIU,Zhou YU. Research on active defense application based on honeypot [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 57-62.
[11]	Yuan-zhao GAO,Xue-juan LI,Bing-long LI,Xi-xi WU. Cloud computing forensic model [J]. Chinese Journal of Network and Information Security, 2017, 3(9): 13-23.
[12]	Xing-lan ZHANG,Xiang LIU. Secure efficient and verifiable large linear equations solve outsourcing computing scheme [J]. Chinese Journal of Network and Information Security, 2017, 3(6): 1-7.
[13]	De-yu YUAN,Xiao-juan WANG,Jian-chao WAN. Influence of Internet plus on cyberspace security and the technology development trend in Internet plus era [J]. Chinese Journal of Network and Information Security, 2017, 3(5): 1-9.
[14]	Jiang-yong SHI,Yue-xiang YANG,Wen-hua LI,Sen WANG. Research on SDN-based cloud security application [J]. Chinese Journal of Network and Information Security, 2017, 3(5): 10-25.
[15]	Fei CHEN,Xiao-hong BI,Jing-jing WANG,Yuan LIU. Survey of DDoS defense:challenges and directions [J]. Chinese Journal of Network and Information Security, 2017, 3(10): 16-24.