云应用程序编程接口安全研究综述:威胁与防护

云时代,云应用程序编程接口(API)是服务交付、能力复制和数据输出的最佳载体。然而,云API在开放服务和数据的同时,增加了暴露面和攻击面,攻击者通过数据劫持和流量分析等技术获取目标云API的关键资源,能够识别用户的身份和行为,甚至直接造成背后系统的瘫痪。当前,针对云API的攻击类型繁多,威胁与防护方法各异,缺乏对现有攻击和防护方法的系统总结。该文梳理了云API安全研究中云API面临的威胁和防护方法,分析了云API的演化历程和类别划分;讨论了云API的脆弱性以及云API安全研究的重要性;提出了云API安全研究框架,涵盖身份验证、云API分布式拒绝服务(DDoS)攻击防护、重放攻击防护、中间人(MITM)攻击防护、注入攻击防护和敏感数据防护6个方面相关研究工作综述。在此基础上,探讨了增加人工智能(AI)防护的必要性。最后给出了云API防护的未来挑战和发展趋势。     

面向云攻击的安全防护技术研究

随着信息技术、数字技术和智能技术的不断演进与发展，云计算已经成为了企业数字化转型所依赖的重要基础设施，并日益发挥出重要作用。如今，云计算已经经历了虚机时代和原生时代，即将进入智能时代。新的时代背景下，云计算将面临更多样、更复杂、更大量的攻击。分析云攻击的特点，并针对云攻击构建相应的安全防护能力，对云的安全发展至关重要。分析了当前云计算的特点和所面临的主要威胁，结合云上攻击行为，研究了新形势下面向云攻击的安全防护能力。     

云存储系统可问责机制研究

目前,很多厂商开发了云存储系统供企业和个人使用,但在实际应用中,大部分用户仍然不能完全信任云存储,其核心担忧仍然是云存储的安全,即用户存储在云端的数据被泄露、恶意攻击、窃取的可能性;另外,用户也很关心云存储系统出现问题时,事故责任怎么划分。针对上述问题,本文首先对云存储的安全问题进行了综述,在此基础上研究了云存储可问责机制,从问责的视角提出了解决云存储安全问题的方案。     

赛门铁克:跨终端集中管理能力最重要

"很多企业还是希望安全管理能够支持比较多的平台,并且将传统终端也一起管控起来,对于他们而言,这可能会比某些花哨的功能实际得多。"在赛门铁克的研究和统计中,目前针对智能终端的安全威胁主要包含六大类:基于网站和网络的攻击、恶意软件、社会工程学攻击、网络可用资源和服务滥用、恶意和无意的数据丢失、对设备数据完整性的攻击。在针对智能终端的这些安全威胁日益增多之际,云手机近期又正迅速     

基于云计算的某药企仓储系统的构建

在研究Eucalyptus开源云平台的基础上,针对某药企仓储管理的实情,在降低成本、保障数据安全的基础上,设计基于Eucalyptus单集群模式的企业仓储系统,并采用Ubuntu企业云进行实现。同时,在仓储数据平台的支持下,开发智能化图形式模拟仓库,大大提高了企业仓储管理的效率和质量。     

云资源池在业务应用层的安全控制

从云平台的基本安全架构开始分析,针对网络模型不同层次的安全需求进行介绍,并说明安全部署方法,最后着重对业务应用层面的一些攻击行为进行跟踪采集,并针对性地进行分析.     

云环境下关键词搜索加密算法研究

现有方案将关键词搜索加密和属性基加密相结合,解决了云环境下访问控制问题,但是未充分考虑信道安全以及关键词猜测攻击等安全问题。针对上述问题,提出了一种指派搜索服务器的关键词搜索属性加密方案,实现了关键词搜索访问权限控制,且检索不需要安全信道,可抵抗离线/在线关键词猜测攻击。实验结果表明,方案性能方面可取得较好结果,可应用于云环境。     

云原生下基于深度强化学习的移动目标防御策略优化方案

针对云原生环境下攻击场景的复杂性导致移动目标防御策略配置困难的问题,该文提出一种基于深度强化学习的移动目标防御策略优化方案(SmartSCR)。首先,针对云原生环境容器化、微服务化等特点,对其安全威胁及攻击者攻击路径进行分析;然后,为了定量分析云原生复杂攻击场景下移动目标防御策略的防御效率,提出微服务攻击图模型并对防御效率进行刻画。最后,将移动目标防御策略的优化问题建模为马尔可夫决策过程,并使用深度强化学习解决云原生应用规模较大时带来的状态空间爆炸问题,对最优移动目标防御配置进行求解。实验结果表明,SmartSCR能够在云原生应用规模较大时快速收敛,并实现逼近最优的防御效率。     

区块链上基于云辅助的密文策略属性基数据共享加密方案

针对云存储的集中化带来的数据安全和隐私保护问题,该文提出一种区块链上基于云辅助的密文策略属性基(CP-ABE)数据共享加密方案.该方案采用基于属性加密技术对加密数据文件的对称密钥进行加密,并上传到云服务器,实现了数据安全以及细粒度访问控制;采用可搜索加密技术对关键字进行加密,并将关键字密文上传到区块链(BC)中,由区块链进行关键字搜索保证了关键字密文的安全,有效地解决现有的云存储共享系统所存在的安全问题.该方案能够满足选择明文攻击下的不可区分性、陷门不可区分性和抗串联性.最后,通过性能评估,验证了该方案的有效性.     

区块链上基于云辅助的密文策略属性基数据共享加密方案

针对云存储的集中化带来的数据安全和隐私保护问题,该文提出一种区块链上基于云辅助的密文策略属性基(CP-ABE)数据共享加密方案。该方案采用基于属性加密技术对加密数据文件的对称密钥进行加密,并上传到云服务器,实现了数据安全以及细粒度访问控制;采用可搜索加密技术对关键字进行加密,并将关键字密文上传到区块链(BC)中,由区块链进行关键字搜索保证了关键字密文的安全,有效地解决现有的云存储共享系统所存在的安全问题。该方案能够满足选择明文攻击下的不可区分性、陷门不可区分性和抗串联性。最后,通过性能评估,验证了该方案的有效性。     

A Profile-Based Novel Framework for Detecting EDoS Attacks in the Cloud Environment

The future of information technology mainly depends upon cloud computing. Hence security in cloud computing is highly essential for the consumers as well as the service providers of the particular cloud environment. There are many security threats are challenging the current cloud environment. One of the important security threat ever in cloud environment is considered to be the Distributed Denial of Service (DDoS) attack. Where cloud is of greater benefit in terms of providing on-demand services, a certain kind of attack named as Economic Denial of Sustainability (EDoS) occurs in pay per use payment model. Due to the occurrence of this attack the consumers are forced to pay additional amount for the services offered. EDoS attacks are similar to that of DDoS attacks Which is classified as-attacks associated with bandwidth consuming, application targeted attacks and the exhaustion of the connection layer. The main objective of the proposed work is to design a profile-based novel framework for maximizing the detection of various types of EDoS attacks. During this process, the proposed framework consisting Feature Classification (FC) algorithm ensures that false positives and negatives along with bandwidth and memory consumption are highly minimized. The proposed algorithm allows only the limited resources for allocation to the available virtual machines which increases the chances of the detecting the attack and preventing the misuse propagation of resources. The accuracy and efficiency of this approach is proven to be higher with lesser computational complexity when compare to the existing approaches.

     

云安全研究进展综述

 随着云计算在学术界和工业界的兴起,云计算也不可避免的带来了一些安全问题.本文对云计算的安全需求进行了总结,指出云计算不仅在机密性、数据完整性、访问控制和身份认证等传统安全性上存在需求,而且在可信性、配置安全性、虚拟机安全性等方面具有新的安全需求.我们对云计算的两个典型产品Amazon Web Services和Windows Azure的安全状况进行了总结,并阐述了针对云计算的拒绝服务攻击和旁通道攻击.基于云计算的安全需求和面临的攻击,对现有安全机制进行了优缺点分析,系统的总结了现有的安全机制.     

Continuous leakage–resilient IBE in cloud computing

Cloud computing is an efficient tool in which cloud storage shares plenty of encrypted data with other data owners. In existing cloud computing scenarios, it may suffer from some new attacks like side channel attacks. Therefore, we are eager to introduce a new cryptographic scheme that can resist these new attacks. In this work, we exploit a new technique to build leakage‐resilient identity‐based encryption and use the stronger existing partial leakage model, such as continual leakage model. More specifically, our proposal is based on the underlying decisional bilinear Diffie‐Hellman assumption, but proven adaptively secure against adaptive chosen ciphertext attack in the standard model. Above all, a continuous leakage–resilient IBE scheme with adaptive security meets cloud computing with stronger security.     

Evaluation of Hypervisor Stability towards Insider Attacks

Virtualization technology plays a key role in cloud computing. Thus, the security issues of virtualization tools (hypervisors, emulators, etc.) should be under precise consideration. However, threats of insider attacks are underestimated. The virtualization tools and hypervisors have been poorly protected from this type of attacks. Furthermore, hypervisor is one of the most critical elements in cloud computing infrastructure. Firstly, hypervisor vulnerabilities analysis is provided. Secondly, a formal model of insider attack on hypervisor is developed. Consequently, on the basis of the formal attack model, we propose a new methodology of hypervisor stability evaluation. In this paper, certain security countermeasures are considered that should be integrated in hypervisor software architecture.     

Secure communication in CloudIoT through design of a lightweight authentication and session key agreement scheme

Internet of Things (IoT) is a newly emerged paradigm where multiple embedded devices, known as things, are connected via the Internet to collect, share, and analyze data from the environment. In order to overcome the limited storage and processing capacity constraint of IoT devices, it is now possible to integrate them with cloud servers as large resource pools. Such integration, though bringing applicability of IoT in many domains, raises concerns regarding the authentication of these devices while establishing secure communications to cloud servers. Recently, Kumari et al proposed an authentication scheme based on elliptic curve cryptography (ECC) for IoT and cloud servers and claimed that it satisfies all security requirements and is secure against various attacks. In this paper, we first prove that the scheme of Kumari et al is susceptible to various attacks, including the replay attack and stolen-verifier attack. We then propose a lightweight authentication protocol for secure communication of IoT embedded devices and cloud servers. The proposed scheme is proved to provide essential security requirements such as mutual authentication, device anonymity, and perfect forward secrecy and is robust against security attacks. We also formally verify the security of the proposed protocol using BAN logic and also the Scyther tool. We also evaluate the computation and communication costs of the proposed scheme and demonstrate that the proposed scheme incurs minimum computation and communication overhead, compared to related schemes, making it suitable for IoT environments with low processing and storage capacity.     

SAPA-based approach for defending DoS attacks in cloud computing

Denial of service (DoS) attack was one of the major threats to cloud computing.Security access path algorithm (SAPA) used node route table (NRT) to compose security access path.It simplified role nodes of traditional secure overlay services (SOS),and periodically updated role nodes,and cached security access paths.Therefore,SAPA was more appropriate for cloud computing to defend DoS attacks.Based on the turn routing architecture of cloud computing,the mathematical model of SAPA was built and its performance was analyzed in theory.The performance of SAPA was tested in OMNeT++ experimental platform.Also,the Test-bed experiments were performed to evaluate the effectiveness of SAPA for defending DoS attack.Experimental results show that comparing with SOS,SAPA can degrade the impact of communication success rate caused by DoS attack effectively,and guarantees the access delay small enough.     

云环境中抵御内部关键字猜测攻击的快速公钥可搜索加密方案

随着云计算的发展,以密文检索为核心的安全和搜索性能问题成为研究的重点。在传统的加密方案中,大多只解决了抵御外部关键字猜测攻击问题,往往忽视了诚实且好奇的云服务器问题。为了提高密文安全性,该文提出快速搜索的抵御内部关键字攻击方案。首先,引入高效的加密倒排索引结构的公钥密文搜索方案,实现关键字的并行搜索任务。其次,在构建密文倒排索引时加入数据拥有者的私钥抵御恶意云服务器的关键字攻击。与传统的公钥可搜索加密相比,该方案在很大程度上增强了搜索系统的安全性和搜索效率。     

基于双层信息流控制的云敏感数据安全增强

已有的云安全防护方法如加密、访问控制和虚拟机隔离等不能够提供数据端到端的安全防护。首先,提出了一个面向云环境的双层信息流控制模型,给出了模型的关键要素定义、集中式与分布式信息流控制规则、能力标记调整规则、标记传播规则和降密规则.然后,综合动态污点跟踪和虚拟机自省技术,设计并实现了原型系统IFCloud,可为云租户提供信息流跟踪与控制即服务,为云平台提供常见系统攻击如栈溢出、缓冲区溢出等攻击的防护机制.最后,给出了原型系统IFCloud的功能测试结果.表明IFCloud能够灵活、正确、实时地跟踪和控制云下敏感数据流.可应用于云平台下面向软件即服务的细粒度数据安全保护.