Similar literature
20 similar records found
1.
Computer networks are developing rapidly, but the accompanying network security problems, such as system damage and information leakage, are becoming increasingly prominent. Before launching an attack, attackers usually conduct extensive network reconnaissance to discover exploitable vulnerabilities in the target network and systems, and the static configuration of traditional networks gives attackers a great advantage in discovering targets and launching attacks. To reduce the effectiveness of persistent network reconnaissance, a moving target defense (MTD)-enhanced network deception defense system was developed on top of software-defined networking. The system uses network deception techniques to confuse the target network and system information collected by the attacker, prolonging the time the attacker needs to scan for genuinely vulnerable hosts in the network and increasing the attacker's time cost; on this basis it integrates moving target defense, dynamically and randomly changing the IP addresses of nodes in the network to strengthen the defensive effectiveness of the deception system. A system prototype was implemented and evaluated. With a virtual network topology of 3 subnets and an address change period of 30 s, the system delayed the attacker's discovery of vulnerable hosts by an average factor of 7, reduced the probability of a successful attack on a vulnerable host by 83%, and kept the system's additional overhead within 8% on average.

2.
Exploiting the resource-sharing nature of cloud computing, an attacker can continuously consume bandwidth so that other users on the same physical host cannot receive normal service, causing a denial of service (DoS) attack. This kind of attack differs from DoS attacks in traditional network architectures, so it is difficult to resolve with traditional defense methods. To address this problem, a DoS defense method based on virtual machine migration is proposed: by selecting the migration target, designing the trigger mechanism and selecting the migration destination, a virtual machine migration strategy that rapidly mitigates the impact of DoS attacks is formed. Experimental results show that, against the attacker's different attack modes, the method can quickly and effectively defend against DoS attacks and guarantee the normal operation of cloud services. Compared with other strategies, the proposed method has slightly higher migration overhead, but its defensive effect is clear and its feasibility is higher.

3.
As complex hybrid cloud networks gradually become a bottleneck for the development of cloud computing, software-defined networking (SDN) has in recent years become a focus of attention in academia and industry. In the field of network security, research on applying SDN to counter network attacks is still in its infancy, and whether SDN can efficiently detect network attacks originating from inside the network remains undetermined. To address this question, an OpenStack-based cloud experimental scheme is designed on the basis of an analysis of the SDN technical framework. Two traffic anomaly detection algorithms are tested in parallel in a traditional cloud network and in an SDN environment, flood attacks and port scanning attacks are simulated, and the accuracy and resource usage of SDN when detecting attacks are analyzed. The results show that using SDN to detect insider threats in a cloud environment occupies less physical memory than a traditional network environment without affecting accuracy, but deploying security applications directly on the SDN controller also has a performance bottleneck.

4.
The resource-sharing model of cloud computing, while greatly improving resource utilization, also brings many security problems, such as co-residency attacks between virtual machines. In particular, when a user runs a single operating system, an attacker can compromise all of the user's virtual machines at relatively low cost and thereby steal private information and data. To address this threat, a virtual machine security deployment strategy based on operating system diversity is proposed, exploiting the fact that different operating systems have different vulnerabilities. The method first recommends, for a user requesting virtual machines, the operating system configuration with the highest degree of diversity; it then applies a secure deployment strategy that makes the most of this diversity so that the attacker has to pay a greater cost. Experimental results show that, compared with a single operating system configuration, the method reduces the attacker's benefit by at least 33.46%.

5.
To address the problems of conventional video surveillance systems, such as weak online real-time performance, delayed transmission of massive video data and single-purpose task management, an online video surveillance system based on multi-virtual-machine technology in a cloud computing environment is proposed. The physical and service resources of the cloud platform are used to improve the data processing capability of the online video surveillance system; virtual machines can process large amounts of surveillance data simultaneously, and video data are stored on cloud servers via cloud storage, which reduces equipment construction costs and allows services to be customized for different user needs. The system is designed on a cloud computing platform and uses dozens or even hundreds of virtual machines to process online video surveillance data; the structural design, Ethernet communication interface design, server hardware configuration and virtual machine control of the online video surveillance system on the cloud platform are designed and implemented. On the software side, resources are dynamically allocated according to the computed resource utilization of each virtual machine, which effectively reduces the bandwidth overhead of transmitting system state information over the network. System function and performance tests show that, on a conventional public network with 10 M bandwidth, the transmission delay of the system's online video surveillance data is reduced by more than 85% compared with traditional video surveillance, and the volume of surveillance video data is reduced by more than 75%.

6.
Cloud computing technology has developed rapidly and is widely applied; virtualization, as an important foundation of cloud computing, improves a platform's resource utilization efficiency and management capability. As an open-source virtualization software, Xen's unique design philosophy and excellent virtualization performance have led many cloud service providers to adopt it, yet the Xen virtual machine monitor also faces many security problems. The privileged interfaces Xen provides to virtual machines may be exploited by malicious code in a virtual machine, which an attacker can use to attack Xen or the virtual machines running on it. This paper addresses the problem that the hypercall interface Xen provides to virtual machines may be exploited by malicious virtual machine kernel code, and proposes an execution-path-based analysis method that traces back the virtual machine execution path that issued the hypercall and compares it with an initial training set of paths, so as to prevent the hypercall from being exploited by malicious virtual machine kernel code. By tracing virtual machine kernel stack information and combining instruction analysis with virtual machine kernel symbol table information, the method achieves dynamic tracing and reconstruction of virtual machine execution paths on a virtualization platform. Experiments were conducted on Xen: a training set was obtained by creating a new virtual machine and running it in isolation, and the training set contains the path information of all virtual machine paths that issue the hypercall. During subsequent virtual machine execution, the corresponding virtual machine execution path is dynamically constructed for the hypercall and compared with the training set, preventing hypercalls on abnormal execution paths from taking place.

7.
Statistical multiplexing is a notable feature of cloud computing, and virtualization technology can be used to improve physical resource utilization. To address the load balancing problem of resource utilization in cloud virtual machine clusters, an anti-saturation grouped load balancing (ASGS) method based on software-defined networking (SDN) is proposed for the OpenStack cloud platform. Cloud hosts are assigned to different groups according to their weights, and the SDN controller uses probes to periodically obtain the load of the cloud hosts in each group. When a request arrives, the balancer randomly selects a group with probability given by the average weight of the cloud hosts in each group, and then selects a suitable back end within the group by round robin. To avoid a cloud host crashing because one back end consumes too many resources under a burst of requests, a parameter is added in advance to cloud hosts with higher weights, raising their weight so that they are treated as being in a high-load state and receive fewer requests. Experimental results show that, regardless of how the request volume changes, the proposed algorithm makes the standard deviation of cloud host resource utilization across the cluster fluctuate less over time than random and round-robin scheduling and stay closer to 0, so that the load on the cloud host cluster is more balanced.

8.
刘敏, 滕华, 何先波. 《计算机应用研究》 2020, 37(3): 843-846, 850
To address the problems of detection accuracy and long latency in DDoS attack detection in software-defined networks, a kernel-function-based real-time DDoS security system for software-defined networks is proposed. First, in each period the packet header information of the software-defined network is extracted and organized into a matrix; second, the Mahalanobis distance is used to analyze significant changes between adjacent feature vectors, and two kernel functions are designed to comprehensively evaluate attack traffic; finally, spectral clustering and covariance statistics are used to automatically locate the attacker. Experiments were conducted on a real software-defined network, and the results show that the security system achieves high detection accuracy and acceptable processing time.

9.
何佩聪, 黄汝维, 陈宁江, 赵搏文, 刘洋. 《计算机科学》 2017, 44(5): 105-110, 115
Cloud computing, with its ease of use, on-demand customizable services and optimized resource utilization, has become the main computing model for providing outsourced services. Virtual machine side-channel attacks in cloud environments are one of the main potential threats to cloud computing, and co-residency is the prerequisite for side-channel attacks in the cloud. To address co-residency detection in multi-tenant cloud environments, a chain-structure-based Prime-Probe method for measuring cache load, MCLPPLS, and a real-time noise analysis mechanism, RTNAM, for the complex and changeable noise in cloud environments are proposed. Combining MCLPPLS and RTNAM yields a new co-residency detection and analysis method. Experiments show that the method reduces the interference of burst noise on co-residency detection, achieves high co-residency detection accuracy with low detection time, and exhibits good performance.

10.
韩贞阳, 陈兴蜀, 胡亮, 陈林. 《计算机应用》 2015, 35(5): 1262-1266
To address the virtual machine network communication access control problem faced by cloud Infrastructure as a Service (IaaS) platforms, a virtual machine communication access control method suitable for IaaS platforms is proposed. The method is based on software-defined networking (SDN) and implements L2 to L4 access control for virtual machine communication. Experimental results show that the method can effectively provide flexible access control over tenant virtual machine communication and safeguard the security of tenant networks in IaaS platforms.

11.
ABSTRACT

Cloud is prone to a set of well-known network and host-based attacks from cloud insiders, cloud users, and outside attackers. This paper concretely focuses on the detection of malware and program modification-based attacks through identification of malicious program executions and malware at the client virtual machines and hosts in a cloud environment. The paper also focuses on the related techniques for malware detection using system call sequence measures. An immediate system call structure-based program cum system-wide technique is proposed for the detection of anomalous program executions and malware in the cloud. The algorithm is validated on the University of New Mexico sendmail data set. An effective deployment architecture for such an implementation is also presented as a distributed cum centralized intrusion prevention system (IPS). The proposed IPS also solves the problem of an individual IPS being tampered with at the client virtual machine through the use of both process-level and system-level detection strategies. The paper provides detailed results and experiments on the proposed intrusion detection technique on a private cloud with OpenNebula and VirtualBox.

12.
Hypervisor-based process protection is a novel approach that provides isolated execution environments for applications running on untrusted commodity operating systems. It is based on off-the-shelf hardware and trusted hypervisors, and it meets the requirements of security and trust for many cloud computing models, especially third-party data centers and multi-tenant public clouds, in which sensitive data are out of the control of the users. However, as the hypervisor extends semantic protection to the process granularity, such a mechanism also breaks the platform independence of virtual machines and thus prohibits live migration of virtual machines, which is another highly desirable feature in the cloud. In this paper, we extend hypervisor-based process protection systems with live migration capabilities by migrating the protection-related metadata maintained in the hypervisor together with the virtual machines and protecting sensitive user contents using encryption and hashing. We also propose a security-preserving live migration protocol that addresses several security threats during live migration procedures, including timing-related attacks, replay attacks and resumption order attacks. We implement a prototype system based on Xen and Linux. Evaluation results show that the performance degradation in terms of both total migration time and downtime is reasonably low compared to the unmodified Xen live migration system.

13.
Virtualization technology in cloud environments brings users certain data and privacy security problems. To address the uniformity, homogeneity and static nature of virtual machines in cloud environments, this paper proposes a feedback control method oriented toward mimic defense in the cloud. Taking cloud virtual machines as its basis, the method uses mimic defense technology to apply mimic encapsulation to virtual machines, implements closed-loop negative feedback control over them through a feedback control architecture, and changes the execution environment through dynamic rotation of heterogeneous virtual machines, guaranteeing that the virtual machine system environment is ...

14.
There are various significant issues in resource allocation, such as maximum computing performance and green computing, which have attracted researchers' attention recently. Therefore, how to accomplish tasks at the lowest cost has become an important issue, especially considering the rate at which the resources on the Earth are being used. The goal of this research is to design a sub-optimal resource allocation system in a cloud computing environment. A prediction mechanism is realized by using support vector regressions (SVRs) to estimate resource utilization according to the SLA of each process, and the resources are redistributed based on the current status of all virtual machines installed in physical machines. Notably, a resource dispatch mechanism using genetic algorithms (GAs) is proposed in this study to determine the reallocation of resources. The experimental results show that the proposed scheme achieves an effective configuration by reaching an agreement between the utilization of resources within physical machines, monitored by a physical machine monitor, and the service level agreements (SLAs) between virtual machine operators and the cloud service provider. In addition, the proposed mechanism can fully utilize hardware resources and maintain desirable performance in the cloud environment.

15.
The introduction of cloud computing systems brought with itself a solution for the dynamic scaling of computing resources leveraging various approaches for providing computing power, networking, and storage. On the other hand, it helped decrease the human resource cost by delegating the maintenance cost of infrastructures and platforms to the cloud providers. Nevertheless, the security risks of utilizing shared resources are recognized as one of the major concerns in using cloud computing environments. To be more specific, an intruder can attack a virtual machine and consequently extend his/her attack to other virtual machines that are co-located on the same physical machine. The worst situation is when the hypervisor is compromised in which all the virtual machines assigned to the physical node will be under security risk. To address these issues, we have proposed a security-aware virtual machine placement scheme to reduce the risk of co-location for vulnerable virtual machines. Four attributes are introduced to reduce the aforementioned risk including the vulnerability level of a virtual machine, the importance level of a virtual machine in the given context, the cumulative vulnerability level of a physical machine, and the capacity of a physical machine for the allocation of new virtual machines. Nevertheless, the evaluation of security risks, due to the various vulnerabilities’ nature as well as the different properties of deployment environments is not quite accurate. To manage the precision of security evaluations, it is vital to consider hesitancy factors regarding security evaluations. To consider hesitancy in the proposed method, hesitant fuzzy sets are used. In the proposed method, the priorities of the cloud provider for the allocation of virtual machines are also considered. This will allow the model to assign more weights to attributes that have higher importance for the cloud provider. 
Eventually, the simulation results for the devised scenarios demonstrate that the proposed method can reduce the overall security risk of the given cloud data center. The results show that the proposed approach can reduce the risk of attacks caused by the co-location of virtual machines up to 41% compared to the existing approaches.


16.
The increasing deployment of artificial intelligence has placed unprecedented requirements on the computing power of cloud computing. Cloud service providers have integrated accelerators with massive parallel computing units in the data center. These accelerators need to be combined with existing virtualization platforms to partition the computing resources. The current mainstream accelerator virtualization solution is the PCI passthrough approach, which however does not support fine-grained resource provisioning. Some manufacturers have also started to provide time-sliced multiplexing schemes, using drivers that cooperate with specific hardware to divide resources and time slices among virtual machines, which unfortunately suffer from poor portability and flexibility. One alternative but promising approach is based on API forwarding, which forwards the virtual machine's request to the back-end driver for processing through a separate driver model. Yet the communication involved in API forwarding can easily become the performance bottleneck. This paper proposes Wormhole, an accelerator virtualization framework based on the C/S architecture that supports rapid delegated execution across virtual machines. It aims to provide upper-level users with an efficient and transparent way to accelerate the virtualization of accelerators with API forwarding while ensuring strong isolation between multiple users. By leveraging hardware virtualization features, the framework minimizes performance degradation through an exitless inter-VM control flow switch. Experimental results show that Wormhole's prototype system can achieve up to 5 times the performance of traditional open-source virtualization solutions such as GVirtuS in the training test of the classic model.

17.
Cloud computing has been widely adopted by enterprises because of its on-demand and elastic resource usage paradigm. Currently most cloud applications run on one single cloud. However, more and more applications need to run across several clouds to satisfy requirements such as best cost efficiency, avoidance of vendor lock-in, and geolocation-sensitive service. JointCloud computing is a new research initiative started by Chinese institutes to address the computing issues concerned with multiple clouds. In JointCloud, users' diverse and dynamic requirements on cloud resources are satisfied by providing users with a virtual cloud (VC) for special purposes. A virtual cloud for special purposes is in essence a user's specific cloud working environment with the customized software stacks, configurations and computing resources readily available. This paper first introduces what JointCloud computing is and then describes the design rationales, motivating examples, mechanisms and enabling technologies of VC in JointCloud.

18.
Cloud computing is a pool of scalable virtual resources serving a large number of users who pay fees depending on the extent of the service they use. From a payment perspective, cloud is like electricity and water: people who use more of this shared pool pay larger fees. Cloud computing involves a diverse set of technologies including networking, virtualization and transaction scheduling, and is thus vulnerable to a wide range of security threats. Some of the most important security issues threatening cloud computing systems originate from virtualization technology, as it constitutes the main body and basis of these systems. The most important virtualization-based security threats include VM side channel, VM escape and rootkit attacks. Previous works on virtualization security rely on hardware approaches such as firewalls, which are expensive; on schedulers that control the side channels along with noise injection, which imposes high overhead; or on agents that collect information and send it back to a central intrusion detection system, which itself can become the target of an attacker. In the method presented in this paper, a group of mobile agents act as sensors of invalid actions in the cloud environment. They start a noncooperative game with the suspected attacker and then calculate the Nash equilibrium value and utility so as to differentiate an attack from legitimate requests and determine the severity of the attack and its point of origin. The simulation results show that this method can detect the attacks with 86% accuracy. The use of mobile agents and their trainability has led to reduced system overhead and an accelerated detection process.

19.
Cloud computing is the on-demand provisioning of virtual resources aggregated together so that, under specific contracts, users can lease access to their combined power. Here we hypothesize a new form of service contract by means of which users do not explicitly request resources, but simply supply information about their time-consuming multitask applications and specify their needs through some quality of service (QoS) parameters. The selection of the virtual machines (VMs) onto which to map and execute them is left to the cloud manager. Unfortunately the task/node mapping, already known to be NP-hard for conventional parallel systems, becomes more challenging when application tasks must run on VMs hosted on heterogeneous and shared cloud nodes, and when it must comply with QoS requests as well. To support this new cloud service, a novel mapper tool based on a multiobjective Differential Evolution algorithm is proposed. The tool defines the mapping of the tasks onto the VMs with the aim of exploiting the available cloud resources as much as possible without penalizing the execution time of the submitted applications and, at the same time, respecting users' QoS requests. To assess the robustness of this evolutionary tool, an experimental analysis on artificial time-consuming parallel applications, modeled as task interaction graphs, has been carried out.

20.
As the size of IT infrastructure continues to grow, cloud computing is a natural extension of virtualisation technologies that enable scalable management of virtual machines over a plethora of physically connected systems. The so-called virtualisation-based cloud computing paradigm offers a practical approach to green IT/clouds, which emphasises the construction and deployment of scalable, energy-efficient network software applications (NetApps) by virtue of improved utilisation of the underlying resources. The latter is typically achieved through increased sharing of hardware and data in a multi-tenant cloud architecture/environment and, as such, accentuates the critical requirement for enhanced security services as an integrated component of the virtual infrastructure management strategy. This paper analyses the key security challenges faced by contemporary green cloud computing environments, and proposes a virtualisation security assurance architecture, CyberGuarder, which is designed to address several key security problems within the 'green' cloud computing context. In particular, CyberGuarder provides three different kinds of services: a virtual machine security service, a virtual network security service and a policy-based trust management service. Specifically, the proposed virtual machine security service incorporates a number of new techniques, which include (1) a VMM-based integrity measurement approach for trusted loading of NetApps, (2) a multi-granularity NetApp isolation mechanism to enable OS user isolation, and (3) a dynamic approach to virtual machine and network isolation for multiple NetApps based on energy-efficiency and security requirements.
Secondly, a virtual network security service has been developed to provide adaptive virtual security appliance deployment in a NetApp execution environment, whereby traditional security services such as IDS and firewalls can be encapsulated as VM images and deployed over a virtual security network in accordance with the practical configuration of the virtualised infrastructure. Thirdly, a security service providing policy-based trust management is proposed to facilitate access control to the resource pool and a trust federation mechanism to support and optimise task privacy and cost requirements across multiple resource pools. Preliminary studies of these services have been carried out on our iVIC platform, with promising results. As part of our ongoing research in large-scale, energy-efficient/green cloud computing, we are currently developing a virtual laboratory for our campus courses using the virtualisation infrastructure of iVIC, which incorporates the important results and experience of CyberGuarder in a practical context.
