基于风险感知的关键虚拟网络功能动态迁移方法

doi:10.11959/j.issn.1000-436x.2020063

Abstract

Abstract:

Aiming at the problems that traditional dynamic migration methods have many migration nodes,high migration frequency,and long service function chain (SFC) link path after migration when dealing with side channel attack,a dynamic migration method of critical virtual network function (VNF) based on risk awareness was proposed.In order to reduce the number of migrated nodes,only the key VNF with private information was migrated.Combined with the side channel attack detection system,the triggering migration was performed on the critical VNF which were under attack,and the key VNF was also periodically migrated according to the side channel information leakage model.Finally,a multi-attribute node sorting method base on the technique for order preference by similarity to ideal solution was used to select the migration destination server to avoid the path being too long after migration.Experiments show that the proposed method has a lower number of migration nodes and migration frequency when achieving the same side channel attack defense performance,and effectively avoids the problem that the SFC path is too long after migration.

Key words: service function chain, virtual network function, side-channel attack, dynamic migration, multi-attribute node sorting

CLC Number:

TP393

Shaohu DING,Jichao XIE,Peng ZHANG,Liming PU,Yunjie GU. Dynamic migration method of key virtual network function based on risk awareness[J]. Journal on Communications, 2020, 41(4): 102-113.

Figures/Tables 14

符号	描述	符号	描述
$\bar{G} = (\bar{N}, \bar{S}, \bar{L})$	底层物理网络	${\bar{u}}_{}^{r}, {\bar{v}}_{}^{r}$	接入交换机和出口交换机
$\bar{N}, \bar{S}, \bar{L}$	通用服务器集合、交换机集合和物理链路集合	β^r	服务链r所需处理的流量大小
n ,s,l	底层网络中服务器、交换机和物理链路总数	τ^r	请求r的生命周期
$B_{s \times s}^{}$	交换机连接矩阵	ψ^r	处理流量所需的VNF序列
Bi ,j∈R⁺	交换机节点i到 j的通信链路容量	m	请求中VNF的总数量
V =Λ(u)={v\|B_{u ,v}>0}	与交换机u直连的交换机集合	${VNF}_{i}^{r} \in P = {1, 2, \dots, p}$	请求r中第i∈{1,2,…,m}个VNF的类型
$H_{n \times s}^{}$	服务器与交换机连接矩阵	${VNF}_{i}^{r} \in P = {1, 2, \dots, p}$	SFC请求有向图
H_{i ,j}∈{0,1}	服务器节点i是否连接在交换机j上	N^r	节点（接入交换机、VNF、出口交换机）集合
K,k	服务器资源类型集合和资源类型总数量	L^r	连接节点的虚拟链路集合
Cn×k	底层服务器资源容量矩阵	$M : G_{}^{r} \to {\bar{G}}_{}^{r} \subseteq \bar{G}$	SFC请求拓扑G^r映射到物理网络拓扑 $\bar{G}$ 之上
Ci,j∈R⁺	服务器节点i上可提供的第 j类资源的数量	$F_{m \times n}^{r}$	请求r 中m个VNF与n个服务器节点间的映射关系矩阵
$C_{n \times k}^{rem} ， B_{s \times s}^{rem}$	当前网络服务器资源和链路资源的剩余情况	$F_{i, j}^{r} \in {0, 1}$	${VNF}_{i}^{r}$ 是否部署在服务器节点 j上
P,p	VNF类型集合和VNF类型总数量	$n_{i}^{r} \in \bar{N}$	${VNF}_{i}^{r}$ 部署的服务器节点
$Q_{p \times k}^{}$	VNF资源需求系数矩阵	$s_{i}^{r} \in \bar{S}$	$V N F_{i}^{r}$ 部署的服务器节点 $n_{i}^{r}$ 所直连的交换机
Qi ,j	i类型VNF处理单位带宽流量所占用 j类资源数量	$s_{0}^{r} = {\bar{u}}_{}^{r}, s_{m + 1}^{r} = {\bar{v}}_{}^{r}$	接入交换机和出口交换机
$S_{n \times p}$	服务器节点可承载的VNF类型矩阵	l_{i 1}r ,i+∈L^r	请求r 中 ${VNF}_{i}^{r}$ 与 ${VNF}_{i + 1}^{r}$ 之间的虚拟链路
S_{i ,j}∈{0,1}	服务器节点i是否支持j类型VNF的部署	${VNF}_{i + 1}^{r}$	交换机u 与交换机v之间的物理链路
R	租户SFC的请求集合	$E_{s \times s}^{s_{i}^{r}, s_{i + 1}^{r}}$	虚拟链路 $l_{i, i + 1}^{r}$ 与物理链路 ${\bar{l}}_{u, v}^{}$ 之间的映射关系矩阵
$r = < {\bar{u}}_{}^{r}, {\bar{v}}_{}^{r}, β_{}^{r}, τ_{}^{r}, ψ_{}^{r} >$	租户SFC请求信息	${\bar{l}}_{u, v}^{}$	虚拟链路 $l_{i, i + 1}^{r}$ 是否部署在物理链路 ${\bar{l}}_{u, v}^{}$ 之上

References 21

[1]	MIJUMBI R , SERRAT J , GORRICHO J ,et al. Network function virtualization:state-of-the-art and research challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 236-262.
[2]	WU J X . Thoughts on the development of novel network technology[J]. Science China (Information Sciences), 2018,61(10): 144-154.
[3]	FIROOZJAEI M D , JEONG J P , KO H ,et al. Security challenges with network functions virtualization[J]. Future Generation Computer Systems, 2017,67(7): 315-324.
[4]	胡威 . 基于 SGX 的虚拟网络功能安全保护机制研究[D]. 武汉:武汉大学, 2017.
	HU W . Research on security protection mechanism of virtual network function based on SGX[D]. Wuhan:Wuhan University, 2017.
[5]	BAZM M , LACOSTE M , SUDHOLT M . Isolation in cloud computing infrastructures:new security challenges[J]. Annals of Telecommunications, 2019,74(1): 197-209.
[6]	梁鑫, 桂小林, 戴慧珺 ,等. 云环境中跨虚拟机的 Cache 侧信道攻击技术研究[J]. 计算机学报, 2017,40(2): 317-336.
	LIANG X , GUI X L , DAI H J ,et al. Cross-VM cache side channel attacks in cloud:a survey[J]. Chinese Journal of Computer, 2017,40(2): 317-336.
[7]	LYU Y , MISHRA P . A survey of side-channel attacks on caches and countermeasures[J]. Journal of Hardware and Systems Security, 2018,2(1): 33-50.
[8]	何佩聪, 黄汝维, 陈宁江 ,等. 云环境中的侧通道攻击研究进展[J]. 计算机应用研究, 2018,35(4): 969-973.
	HE P C , HUANG R W , CHEN N J ,et al. Research progress on side-channel attacks in cloud environment[J]. Application Research of Computer, 2018,35(4): 969-973.
[9]	LIU S , CAI Z , XU H ,et al. Towards security-aware virtual network embedding[J]. Computer Networks, 2015,91(11): 151-163.
[10]	HAN Y , CHAN J , ALPCAN T ,et al. Using virtual machine allocation policies to defend against co-resident attacks in cloud computing[J]. IEEE Transactions on Dependable and Secure Computing, 2017,14(1): 95-108.
[11]	HAN Y , ALPCAN T , CHAN J ,et al. A game theoretical approach to defend against co-resident attacks in cloud computing:preventing co-residence using semi-supervised learning[J]. IEEE Transactions on Information Forensics and Security, 2016,11(3): 556-570.
[12]	XU Z , WAND H , WU Z . A measurement study on co-residence threat inside the cloud[C]// Proceedings of the 24th USENIX Conference on Security Symposium. Berkeley:USENIX Association, 2015: 929-944.
[13]	AINAPURE B S , SHAH D , RAO A A . Understanding perception of cache-based side-channel attack on cloud environment[M]. Berlin: SpringerPress, 2017.
[14]	赵硕, 季新生, 毛宇星 ,等. 基于安全等级的虚拟机动态迁移方法[J]. 通信学报, 2017,38(7): 165-174.
	ZHAO S , JI X S , MAO Y S ,et al. Research on dynamic migration of virtual machine based on security level[J]. Journal on Communications, 2017,38(7): 165-174.
[15]	MOON S , SEKAR V , REITER M . Nomad:mitigating arbitrary cloud side channels via provider-assisted migration[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2015: 1595-1606.
[16]	ATYA A O F , QIAN Z , KRISHNAMURTHY S V ,et al. Malicious co-residency on the cloud:attacks and defense[C]// IEEE Conference on Computer Communications. Piscataway:IEEE Press, 2017: 1-9.
[17]	ZHANG T , ZHANG Y , LEE R B . CloudRadar:a real-time side-channel attack detection system in clouds[C]// International Symposium on Research in Attacks,Intrusions,and Defenses. Berlin:Springer, 2016: 118-140.
[18]	伊鹏, 谢记超, 张震 ,等. 抗侧信道攻击的服务功能链部署方法[J]. 电子与信息学报, 2019,41(11): 2699-2707.
	YI P , XIE J C , ZHANG Z ,et al. A service function chain deployment method against side channel attack[J]. Journal of Electronics and Information Technology, 2019,41(11): 2699-2707.
[19]	龚水清, 陈靖, 黄聪会 ,等. 信任感知的安全虚拟网络映射算法[J]. 通信学报, 2015,36(11): 180-189.
	GONG S Q , CHEN J , HUANG H C ,et al. Trust-aware secure virtual network embedding algorithm[J]. Journal on Communications, 2015,36(11): 180-189.
[20]	LI D , HONG P , XUE K ,et al. Virtual network function placement considering resource optimization and SFC requests in cloud datacenter[J]. IEEE Transactions on Parallel and Distributed Systems, 2018,29(7): 1664-1677.
[21]	BARI F , CHOWDHURY S R , AHMED R ,et al. Orchestrating virtualized network functions[J]. IEEE Transactions on Network and Service Management, 2016,13(4): 725-739.

Metrics

Recommended 0

No Suggested Reading articles found!

VNF类型	计算资源需求/单位带宽
AT	1
Firewall	2
Proxy	2
IDS	6
UD1	1
UD2	2
UD3	3
UD4	4

特征是否已知	窃取速率分类	单位时间间隔信息窃取量δ
特征已知	慢速	{1,2,3}
特征已知	中速	{4,5,6}
特征已知	快速	{7,8,9}
特征未知	慢速	{1,2,3}
特征未知	中速	{4,5,6}
特征未知	快速	{7,8,9}

Dynamic migration method of key virtual network function based on risk awareness

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 21

Related Articles 15

Metrics

Recommended 0

[1]	Hao CHEN, Yuan YANG, Mingwei XU, Dan PEI, Yilin YOU. Parallel orchestration and deployment system for scalable heterogeneous service function chain supporting polymorphic network [J]. Journal on Communications, 2022, 43(9): 1-11.
[2]	Zexi XU, Lei ZHUANG, Kunli ZHANG, Mingyu GUI. Online placement algorithm of service function chain based on knowledge graph [J]. Journal on Communications, 2022, 43(8): 41-51.
[3]	Julong LAN, Di ZHU, Dan LI. Intelligent prediction method of virtual network function resource capacity for polymorphic network service slicing [J]. Journal on Communications, 2022, 43(6): 143-155.
[4]	Zhuo CHEN,Gang FENG,Yijing LIU,Yang ZHOU. Virtual network function deployment strategy based on improved genetic simulated annealing algorithm in MEC [J]. Journal on Communications, 2020, 41(4): 70-80.
[5]	Kan WANG,Nan ZHAO,Junhuai LI,Huaijun WANG. Service function chain embedding algorithm with wireless multicast in mobile edge computing network [J]. Journal on Communications, 2020, 41(10): 37-47.
[6]	Zhongnan ZHAO,Jian WANG,Hongwei GUO. Adaptive routing and wavelength assignment method based on SDN [J]. Journal on Communications, 2019, 40(9): 95-105.
[7]	Dan LI,Julong LAN,Peng WANG,Yuxiang HU. Service function chain deployment algorithm based on optimal weighted graph matching [J]. Journal on Communications, 2019, 40(3): 10-18.
[8]	Tong DUAN,Julong LAN,Yuxiang HU,Hongwei FAN. Orchestration mechanism for VNF hardware acceleration resources in SDN/NFV architecture [J]. Journal on Communications, 2018, 39(6): 98-108.
[9]	Xiaorong ZHU,Qian ZHANG. Resource optimization algorithm of combination of NFV and SDN for application of multiple services [J]. Journal on Communications, 2018, 39(11): 54-62.
[10]	Quan YUAN,Hong-bo TANG,Kai-zhi HUANG,Xiao-lei WANG,Yu ZHAO. Deployment method for vEPC virtualized network function via Q-learning [J]. Journal on Communications, 2017, 38(8): 172-182.
[11]	Shuo ZHAO,Xin-sheng JI,Yu-xing MAO,Guo-zhen CHENG,Hong-chao HU. Research on dynamic migration of virtual machine based on security level [J]. Journal on Communications, 2017, 38(7): 165-174.
[12]	Min WANG,Zhen WU,Jin-tao RAO,Zhi-bo DU. Mutual information power analysis attack in the frequency domain of the crypto chip [J]. Journal on Communications, 2015, 36(Z1): 131-135.
[13]	. Simple power analysis attack against cryptosystemsbased on Montgomery algorithm [J]. Journal on Communications, 2013, 34(Z1): 20-161.
[14]	Gang GAN,Min WANG,Zhi-bo DU,Zhen WU. Simple power analysis attack against cryptosystems based on Montgomery algorithm [J]. Journal on Communications, 2013, 34(Z1): 156-161.
[15]	Min WANG,Zhen WU. Algorithm of NAF scalar multiplication on ECC against SPA [J]. Journal on Communications, 2012, 33(Z1): 228-232.