Similar literature
 Found 20 similar documents; search took 140 ms
1.
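As cloud services are applied ever more widely, attacks based on unknown vulnerabilities or backdoors have become one of the main security threats constraining the development of cloud technology. Mimic cloud services built on mimic defense safeguard security by reducing the probability that a vulnerability remains continuously exposed. The mimic scheduling algorithms proposed in existing research do not consider the security of the executors themselves and cannot balance dynamism and heterogeneity. To address this problem, the article introduces definitions of the heterogeneity degree and security degree of the executor pool, proposes a priority scheduling algorithm based on heterogeneity degree and security degree, and introduces a dynamic scheduling strategy that incorporates time slices. Experimental results show that the proposed algorithm has good dynamism, achieves better scheduling results, balances dynamism, heterogeneity and security, and has low time complexity.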

2.
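Virtualization technology in cloud environments brings users a number of data and privacy security problems. To address the singleness, homogeneity and static nature of virtual machines in cloud environments, the article proposes a mimic-defense-oriented feedback control method for cloud environments. Based on the virtual machines in the cloud, the method uses mimic defense technology to wrap virtual machines in a mimic encapsulation, applies closed-loop negative feedback control to them through a feedback control architecture, and changes the execution environment through dynamic rotation of heterogeneous virtual machines, ensuring the virtual machine system environment's ...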

3.
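To achieve the mimic defense goals of the mimic common operating environment (MCOE), namely active defense against known and unknown backdoors and vulnerabilities, timely blocking of security threats and attacks, and effective protection of data integrity, mimic resource scheduling criteria are proposed. Based on these criteria, the design and implementation of the mimic resource management service and scheduling algorithm are discussed in terms of the interaction design between mimic resource management and the MCOE framework and of mimic resource management and scheduling. A classifier of the heterogeneous hardware and software resource features of mimic running nodes is constructed, together with node N-tuples and N-heterogeneous-executor tuples based on a three-level heterogeneity classification, maximizing the randomness, dynamism and heterogeneity of the N heterogeneous executors, the server running node resources and their resource objects while balancing the resource scheduling load. A mimic management service instance verifies the correctness and effectiveness of the mimic resource management and scheduling algorithm on a cloud container cluster.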

4.
沈岁 《互联网天地》2012,(10):41-42
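At present, cloud storage services for individual users fall into two main categories: network-drive services such as Dropbox, and note-taking services such as Evernote. The two both overlap and complement each other, and a fairly high proportion of users use both kinds of service. According to the findings in iResearch's recently published "2012 China Cloud Storage Industry and User Behavior Research Report", personal cloud storage applications are still at an early stage, and accumulating users is this stage's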

5.
姜福成 《软件》2014,(7):97-102
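Cloud computing is a system for consuming and using information technology resources based on a cloud architecture, and also an integrated application model of Internet-based link transmission systems and terminal service systems. Typical cloud service models include SaaS/AaaS, IaaS, PaaS and DaaS; these reference models together form the basic architecture of cloud system application services. Cloud computing development standards and rules are the reference baseline for the development of cloud architectures and cloud databases, and also the reference structure for cloud management and cloud evolution. The service quality of cloud systems affects the development of cloud applications, while the service configuration and monitoring services of cloud management provide feedback. Maintenance, operation and data security of cloud application services are the basic assurance services provided by cloud security. Cloud backup, as an advanced service function of leading enterprise clouds, should adapt to the flexibility and variability of the cloud and to disaster-tolerant and disaster-avoidance design. The paper analyzes in depth the application of cloud data backup technology and its program algorithms, and details practical data processing methods. The dynamic development environment is the enterprise cloud's open research platform for cloud computing, advancing the development and testing of cloud environments worldwide. Cloud computing risk analysis and management also promote the evolution of cloud applications.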

6.
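The article proposes combining new technologies such as cloud computing, the Internet of Things, grid-based management and virtual reality to build a basic informatization platform for the government cloud. It analyzes, at the technical level, the risks facing the government cloud and proposes security strategies covering data security, application service security and authentication management.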

7.
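Against the background of cloud-network convergence, the cloud infrastructure that carries software-as-a-service (SaaS) business functions may span multiple data centers and home networks, making it difficult to keep cloud resources secure and controllable. To shorten the processing latency of SaaS business services, a SaaS composite service mode based on redundant execution and cross-checking is designed, the security threats to containers, the hypervisor and the cloud infrastructure are modeled, and a mimic virtual network function mapping model and a security optimization mechanism are established. On this basis, the PJM algorithm based on proximal policy optimization is proposed. Experimental results show that, compared with the CCMF, JEGA and QVNE algorithms, the PJM algorithm reduces end-to-end service latency by about 12.2% while satisfying the security constraints.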

8.
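To address the security threats to and single point of failure of the proxy in mimic cloud systems, a highly available mimic cloud proxy implementation based on primary-backup monitoring is proposed. First, building on distributed proxies in the cloud environment, a primary-backup monitoring mechanism is proposed to construct heterogeneous primary and backup proxies; the backup proxy analyzes the traffic arriving at the primary proxy through a mirrored stream and cross-validates the primary proxy's output. Second, a synchronous adjudication mechanism for the backup proxy and a seamless primary-backup switchover mechanism are designed on the Data Plane Development Kit (DPDK) platform, hardening the security and optimizing the performance of the cloud proxy. Finally, a primary-backup switchover decision algorithm is proposed to avoid the resource waste caused by frequent switchovers. Analysis of the experimental results shows that, compared with an Nginx-based cloud proxy, the mimic cloud proxy's traffic processing latency overhead under high concurrency is at the millisecond level. The design can thus greatly improve the security and stability of the cloud proxy and reduce the impact of single points of failure on proxy stability.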

9.
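With the rapid development of cloud computing technology, the number of book application services at the SaaS layer of digital library cloud platforms will grow quickly, making it difficult for book users to choose personalized cloud services. By building preference trees, a book user model and a book cloud service model are constructed for the three-network convergence environment. To determine the degree to which a book cloud service is recommended to a book user, a service selection algorithm is designed. Analysis of experimental data shows that the algorithm can recommend well-matched book cloud services to users according to the preference requirements in the book user model.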

10.
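Cloud computing is developing rapidly thanks to its powerful resource processing and efficient computing capabilities, and is favored because it can offer users inexpensive, customizable services. As cloud computing technology advances, cloud platforms host an ever greater number of complex application services. Software testing, a common and widespread application service, has grown steadily in scale and complexity in recent years. Compared with traditional testing modes, cloud platforms are better able to meet the needs of software testing. The article divides a cloud-platform software testing system into five modules, namely test task upload, management, resource allocation, execution, and the test task database, and discusses scheduling principles suited to the characteristics of test tasks so that they are completed efficiently. It also discusses a security protection model for cloud testing platforms and analyzes, from the perspectives of requirements and technology, how the model secures the cloud testing platform.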

11.
Cloud computing is clearly one of today’s most enticing technologies due to its scalable, flexible, and cost-efficient access to infrastructure and application services. Despite these benefits, cloud service users (CSUs) have serious concerns about the data security and privacy. Currently, there are several cloud service providers (CSPs) offering a wide range of services to their customers with varying levels of security strengths. Due to the vast diversity in the available cloud services, from the customer’s perspective, it has become difficult to decide which CSP they should use and what should be the selection criteria. Presently, there is no framework that can allow CSUs to evaluate CSPs based on their ability to meet the customer’s security requirements. We propose a framework and a mechanism that evaluate the security strength of CSPs based on the customer’s security preferences. We have shown the applicability of our security evaluation framework using a case study.

12.
王素贞  杜治娟 《计算机应用》2013,33(5):1276-1280
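To address a series of problems facing mobile cloud computing, such as application migration over the network, network latency and intermittent connectivity when executing on remote devices, cross-cloud services, and security risks and privacy, a mobile cloud computing architecture based on the mobile agent paradigm is proposed. In it, checkpoint saving and an event replay mechanism are introduced into application migration, an optimized contract net protocol is used in mobile agent collaboration, and mobile agents exchange keys for identity authentication. The execution flow of the architecture is described with a colored nested Petri net, and a mobile e-book sales system is designed on this basis.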

13.
Cloud computing is an innovative paradigm technology that is known for its versatility. It provides many creative services as requested, and it is both cost efficient and reliable. More specifically, cloud computing provides an opportunity for tenants to reduce cost and raise effectiveness by offering an alternative method of service utilization. Although these services are easily provided to tenants on demand with minor infrastructure investment, they are significantly exposed to intrusion attempts since the services are offered under the administration of diverse supervision over the Internet. Moreover, the security mechanisms offered by cloud providers do not take into consideration the variation of tenants’ needs as they provide the same security mechanism for all tenants. So, meeting tenants’ security requirements is still a major challenge for cloud providers. In this paper, we concentrate on the security service offered to cloud tenants and service providers and their infrastructure to restrain intruders. We intend to provide a flexible, on-demand, scalable, and pay-as-you-go multi-tenant intrusion detection system as a service that targets the security of the public cloud. Further, it is designed to deliver appropriate and optimized security taking into consideration the tenants’ needs in terms of security service requirements and budget.

14.
As the sizes of IT infrastructure continue to grow, cloud computing is a natural extension of virtualisation technologies that enable scalable management of virtual machines over a plethora of physically connected systems. The so-called virtualisation-based cloud computing paradigm offers a practical approach to green IT/clouds, which emphasise the construction and deployment of scalable, energy-efficient network software applications (NetApp) by virtue of improved utilisation of the underlying resources. The latter is typically achieved through increased sharing of hardware and data in a multi-tenant cloud architecture/environment and, as such, accentuates the critical requirement for enhanced security services as an integrated component of the virtual infrastructure management strategy. This paper analyses the key security challenges faced by contemporary green cloud computing environments, and proposes a virtualisation security assurance architecture, CyberGuarder, which is designed to address several key security problems within the ‘green’ cloud computing context. In particular, CyberGuarder provides three different kinds of services; namely, a virtual machine security service, a virtual network security service and a policy based trust management service. Specifically, the proposed virtual machine security service incorporates a number of new techniques which include (1) a VMM-based integrity measurement approach for NetApp trusted loading, (2) a multi-granularity NetApp isolation mechanism to enable OS user isolation, and (3) a dynamic approach to virtual machine and network isolation for multiple NetApp’s based on energy-efficiency and security requirements. 
Secondly, a virtual network security service has been developed successfully to provide an adaptive virtual security appliance deployment in a NetApp execution environment, whereby traditional security services such as IDS and firewalls can be encapsulated as VM images and deployed over a virtual security network in accordance with the practical configuration of the virtualised infrastructure. Thirdly, a security service providing policy based trust management is proposed to facilitate access control to the resources pool and a trust federation mechanism to support/optimise task privacy and cost requirements across multiple resource pools. Preliminary studies of these services have been carried out on our iVIC platform, with promising results. As part of our ongoing research in large-scale, energy-efficient/green cloud computing, we are currently developing a virtual laboratory for our campus courses using the virtualisation infrastructure of iVIC, which incorporates the important results and experience of CyberGuarder in a practical context.

15.
Cloud computing is a fast growing field, which is arguably a new computing paradigm. In cloud computing, computing resources are provided as services over the Internet and users can access resources based on their payments. The issue of access control is an important security scheme in the cloud computing. In this paper, a Contract RBAC model with continuous services for user to access various source services provided by different providers is proposed. The Contract RBAC model extending from the well-known RBAC model in cloud computing is shown. The extending definitions in the model could increase the ability to meet new challenges. The Contract RBAC model can provide continuous services with more flexible management in security to meet the application requirements including Intra-cross cloud service and Inter-cross cloud service. Finally, the performance analyses between the traditional manner and the scheme are given. Therefore, the proposed Contract RBAC model can achieve more efficient management for cloud computing environments.

16.
17.
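At a time when cloud applications are flourishing, it is especially necessary to understand the relationship between application services, cloud computing platforms and the energy efficiency of their combination. Application services are the foundation and the cloud architecture is the platform; the energy efficiency of the combination of the two is the key to whether a cloud service succeeds or fails. The paper points out that a cloud computing architecture does not necessarily solve an application's performance problems, and that inefficient, disorderly expansion of application services on cloud computing platforms only causes enormous waste of, and duplicated investment in, public resources such as electricity and networks. The paper's view is that cloud applications should be grounded in application services, and that only green, efficient integration with cloud platforms can build a healthy cloud application ecosystem.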

18.
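The rapid development and adoption of cloud computing data services has greatly changed the way people work, study and live. While bringing great convenience, cloud computing data services also bring potential threats, so an active network security defense system needs to be built to improve network security. The article analyzes in detail the security threats facing cloud computing data services and describes an active security defense system for cloud computing service platforms and the technologies it uses, improving the security of cloud computing data service platforms.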

19.
The inclusion of cloud services within existing identity federations has gained interest in the last years, as a way to simplify the access to them, reducing the user management costs, and increasing the utilization of the cloud resources. Whereas several federation technologies have been developed along the years for the Web world (e.g. SAML, OAuth, OpenID), non-web application services have been largely forgotten. The ABFAB IETF WG was created to define an architecture and a set of technologies for providing identity federation to non-Web application services, such as the cloud. ABFAB provides a way to use the existing EAP/AAA infrastructure to perform federated access control to any kind of application service, thanks to the definition of a new GSS-API mechanism called GSS-EAP. However, the ABFAB architecture does not define an efficient way of providing SSO. This paper defines a way to include such an SSO support into ABFAB, by introducing the required extensions to make use of the EAP Re-authentication Protocol (ERP), the IETF standard for providing fast re-authentication in EAP. Moreover, to demonstrate the feasibility of the proposed extensions, we have implemented a proof-of-concept based on Moonshot, the open-source implementation of ABFAB, and OpenStack as an example of cloud service. Finally, using this prototype we have completed a performance analysis that compares our proposal with the standard ABFAB operation. This analysis confirms the substantial reduction in terms of computational time and network traffic that can be achieved using ERP for providing efficient SSO to cloud service access in ABFAB-based identity federations.

20.
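The virtualization and highly dynamic nature of cloud environments (operations such as rollback and migration) leave virtual domains with inconsistent temporal and spatial states, creating serious security threats. To address this problem, a security infrastructure for virtual domains in cloud environments, a temporal security state consistency mechanism and a spatial security state consistency mechanism are proposed. They effectively guarantee the consistency of the security state of cloud virtual domains and help improve public service efficiency and the controllability of information security.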
