Found 19 similar documents; search took 125 ms
1.
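With the development of virtualization technology, co-residency attacks have become an important means of stealing sensitive user information. To address the lag with which existing virtual machine live-migration methods respond to co-residency attacks, a virtual network function migration strategy based on security threat prediction is proposed in the context of 5G network slicing. First, a hidden Markov model (HMM) is used to model the operational security of network slices, and multi-source heterogeneous data are used to predict network security threats; then, according to the prediction results, a corresponding virtual network function migration strategy is adopted so that migration overhead is minimized. Simulation results show that the HMM can effectively predict security threats, and that the migration strategy effectively reduces migration overhead and information leakage time, giving good defense against co-residency attacks.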
2.
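As a lightweight alternative to virtual machines, containers have advanced cloud computing through their flexibility and efficiency, but they also face security threats such as co-residency attacks and escape attacks. To address container security threats in cloud environments, a signaling game model based on moving target defense is constructed, and an algorithm for solving the multi-stage optimal defense strategy is proposed. The optimal strategy is selected through the game model and the solving algorithm, and containers are scheduled with a container scheduling method, which strengthens container security. Simulation results show that the defense payoff obtained by the proposed migration strategy improved 3.6-fold over Kubernetes' built-in migration strategy, while the container co-residency rate dropped by 79.62%, offering a useful reference for defense strategy selection and security enhancement in real container cloud environments.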
3.
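Cloud computing is convenient to use, offers services customizable on demand and optimizes resource utilization, and has become the main computing model for providing outsourced services. Virtual machine side-channel attacks are one of the main potential threats to cloud computing, and co-residency is the prerequisite for side-channel attacks in the cloud. To address co-residency detection in multi-tenant cloud environments, the paper proposes MCLPPLS, a chain-structure-based Prime-Probe method for measuring cache load, and RTNAM, a real-time noise analysis mechanism for the complex and variable noise of cloud environments. Combining MCLPPLS and RTNAM, a new co-residency detection and analysis method is proposed. Experiments show that the method reduces the interference of burst noise with co-residency detection, achieves high detection accuracy with low detection time, and performs well.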
4.
5.
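In heterogeneous environments, the security threats facing the gateway of a wireless sensor network increase greatly, so secret information held in the gateway may be leaked. To address this threat, this paper uses virtual machine technology to design a virtual-machine-based wireless sensor network gateway architecture for heterogeneous environments. The architecture relies on the isolation property of virtual machine technology: according to the security characteristics of each application module, the modules are deployed in different virtual machines within the gateway, and only applications inside the same virtual machine can access that virtual machine's resources. In this way, untrusted programs and untrusted users in the gateway are effectively prevented from accessing the secret information stored in the gateway, which effectively improves the security of the gateway system.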
6.
7.
8.
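The popularity of virtual machine technology has brought new and unique security risks; neglecting virtual machine security may well endanger the security of the host. Focusing on Microsoft's Hyper-V virtual machine product, the author introduces several methods for securing the host and its virtual machines.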
9.
10.
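To address the massive data processing problem facing current ERP (Enterprise Resource Plan) projects, an ERP system for the cloud computing environment was developed, building on the advantages of cloud computing platforms. However, an important challenge facing cloud computing is the security of virtual machine systems. The system factors affecting virtual machine security are analyzed, a new virtual machine security solution is given, and a security system with dynamic virtual machine monitoring is implemented, thereby solving the problems that traditional virtual machines are vulnerable to network attacks and have poor system security.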
11.
12.
Adam Bates Benjamin Mood Joe Pletcher Hannah Pruse Masoud Valafar Kevin Butler 《International Journal of Information Security》2014,13(2):171-189
Virtualization is the cornerstone of the developing third-party compute industry, allowing cloud providers to instantiate multiple virtual machines (VMs) on a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat—unless perfect isolation is provided by the virtual hypervisor, there exists the possibility for unauthorized access to sensitive customer information through the exploitation of covert side channels. This paper presents co-resident watermarking, a traffic analysis attack that allows a malicious co-resident VM to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. As a result, our approach is difficult to defend against without costly underutilization of the physical machine. We evaluate co-resident watermarking under a large variety of conditions, system loads and hardware configurations, from a local laboratory environment to production cloud environments (Futuregrid and the University of Oregon’s ACISS). We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm co-residency with a target VM instance in < 10 s. We also show that passive load measurement of the target and subsequent behavior profiling is possible with this attack. We go on to consider the detectability of co-resident watermarking, extending our scheme to create a subtler watermarking attack by imitating legitimate cloud customer behavior. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud.
13.
Lu Jiawei Zhao Wei Zhu Haotian Li Jie Cheng Zhenbo Xiao Gang 《The Journal of supercomputing》2022,78(3):3448-3476
In cloud computing, virtual machine placement (VMP) is an important process that identifies the most appropriate physical machine to host the virtual machines (VMs)....
14.
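Virtual machine cloning refers to quickly replicating multiple virtual machines (VMs) in a cloud computing environment and distributing them across multiple physical hosts; the cloned VMs share the same initial state and then run independently to provide services. VM cloning lets cloud providers deploy system resources quickly and effectively. A fast VM cloning method is presented that uses copy-on-write to create snapshots of virtual disk and memory state, and then uses on-demand memory allocation and multicast to request and transfer this state information. Experiments on the C3 cloud platform show that the method achieves fast VM cloning in cloud computing without interrupting the services running in the source VM.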
15.
16.
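A virtual machine placement strategy for cloud data centers that takes the correlation between virtual machines into account is proposed. In the physical host state detection and virtual machine selection stages, the robust local regression host detection method LRR (Local Regression Robust) and the minimum migration time selection method MMT (Minimum Migration Time) are used; in the virtual machine placement stage, the multiple correlation coefficient is used to evaluate the correlation between virtual machines. The strategy, in re-...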
17.
The use of virtualization technology (VT) has become widespread in modern datacenters and Clouds in recent years. In spite of their many advantages, such as provisioning of isolated execution environments and migration, current implementations of VT do not provide effective performance isolation between virtual machines (VMs) running on a physical machine (PM) due to workload interference of VMs. Generally, this interference is due to contention on physical resources that impacts performance in different workload configurations. To investigate the impacts of this interference, we formalize the concept of interference for a consolidated multi-tenant virtual environment. This formulation, represented as a mathematical model, can be used by schedulers to estimate the interference of a consolidated virtual environment in terms of the processing and networking workloads of running VMs, and the number of consolidated VMs. Based on the proposed model, we present a novel batch scheduler that reduces the interference of running tenant VMs by pausing VMs that have a higher impact on proliferation of the interference. The scheduler achieves this by selecting a set of VMs that produce the least interference using a 0–1 knapsack problem solver. The selected VMs are allowed to run and other VMs are paused. Users are not troubled by the pausing and resumption of VMs for a short time because the scheduler has been designed for the execution of batch type applications such as scientific applications. Evaluation results on the makespan of VMs executed under the control of our scheduler have shown nearly 33% improvement in the best case and 7% improvement in the worst case compared to the case in which all VMs are running concurrently. In addition, the results show that our scheduling algorithm outperforms serial and random scheduling of VMs as well.
18.
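In modern virtualization-based data centers, virtual machine allocation is the primary consideration for effective resource scheduling in the cloud. It has been proven that the problem of assigning virtual machines to data nodes while accounting for the communication latency between virtual machines, so that the maximum communication latency is minimized, is NP-hard. Few studies so far consider security and reliability in the virtual machine allocation problem for data center networks. For fault tolerance in virtual machine allocation, a heuristic allocation algorithm with controllable virtual machine redundancy is proposed. Taking minimization of the maximum communication latency as its optimization objective, the algorithm allocates virtual machines to process data nodes by constructing cliques of controllable redundancy within the set of available virtual machines. Experimental results show that, in the four commonly used network structures Tree, VL2, Fat-tree and BCube, the proposed heuristic can provide any redundancy between 0 and 200%. In addition, when the redundancy is between 0 and 40%, the matching time between virtual machines and data nodes is reduced by 67.1% on average, and the running time of the algorithm is reduced by 12.8% on average.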
19.
Xibin Wang Xia Xie Hai Jin Xuanhua Shi Wenzhi Cao Xijiang Ke 《The Journal of supercomputing》2013,66(2):686-699
Virtualization is a popular technology. Services and applications running on each virtual machine have to compete with each other for limited physical computer or network resources. Each virtual machine has different I/O requirements and special priority. Without proper scheduling resource management, a load surge in a virtual machine may inevitably degrade others’ performance. In addition, each virtual machine may run different kinds of application, which have different disk bandwidth demands and service priorities. When assigning I/O resources, we should deal with each case on demand. In this paper, we propose a dynamic virtual machine disk bandwidth control mechanism in virtualization environment. A Disk Credit Algorithm is introduced to support a fine-grained disk bandwidth allocation mechanism among virtual machines. We can assign disk bandwidth according to each virtual machine’s service priority/weight and its requirement. Related experiments show that the mechanism can improve the VMs’ isolation and guarantee the performance of the specific virtual machine well.