一种基于虚拟机的安全监测方法

随着虚拟化广泛应用于如云计算等各种领域,渐渐成为各种恶意攻击的目标.虚拟机的运行时安全是重中之重.针对此问题,提出一种适用于虚拟化环境下的监测方法,并且在Xen中实现虚拟机的一个安全监测原型系统.通过这个系统,特权虚拟机可以对同一台物理机器上的大量客户虚拟机进行动态、可定制的监控.特别地,本系统对于潜伏在操作系统内核中的rootkit的检测十分有效.这种安全监测方法能有效提高客户虚拟机以及整个虚拟机系统的安全性.     

基于硬件虚拟化的虚拟机进程代码分页式度量方法

云环境下恶意软件可利用多种手段篡改虚拟机（VM）中关键业务代码,威胁其运行的稳定性。传统的基于主机的度量系统易被绕过或攻击而失效,针对在虚拟机监视器（VMM）层难以获取虚拟机中运行进程完整代码段并对其进行完整性验证的问题,提出基于硬件虚拟化的虚拟机进程代码分页式度量方法。该方法以基于内核的虚拟机（KVM）作为虚拟机监视器,在VMM层捕获虚拟机进程的系统调用作为度量流程的触发点,基于相对地址偏移解决了不同版本虚拟机之间的语义差异,实现了分页式度量方法在VMM层透明地验证虚拟机中运行进程代码段的完整性。实现的原型系统——虚拟机分页式度量系统（VMPMS）能有效度量虚拟机中进程,性能损耗在可接受范围内。     

基于虚拟服务的SSL VPN研究

基于对标准SSL VPN（Secure Socket Layer Virtual Private Network）的研究分析，提出了基于虚拟服务的SSLVPN结构．该结构包含两项关键性技术：虚拟服务和基于VPN流的访问控制模型．一方面，通过在客户端动态生成虚拟服务来支持传统应用软件安全透明地访问VPN内部服务群；另一方面，针对VPN流的特点，将访问控制与VPN隧道、转发机制紧耦合，从而实现了细粒度的访问控制及应用层入侵检测．最后，给出了一个实现原型及相关性能测试．     

基于Linux和IPSec的VPN安全网关设计与实现

IPSec协议通过对IP数据包的加密和认证能够提供网络层的安全服务，可以保证数据在传输过程中的安全；Linux是一个开放的操作系统，在开放的操作系统平台上开发的安全系统具有更高的可靠性和安全性。在此基础上设计了一种基于Linux和IPSec协议的VPN安全网关，并详细阐述设计原则、功能、安全机制以及VPN安全网关实现过程，同时对这种安全网关性能进行了分析。     

基于FreeSWAN的VPN安全网关的构建

随着电子商务、政府上网工程、虚拟企业等的发展,在公网上架构虚拟私有网(VPN)的需求日益迫切。文章对免费的FreeSWAN软件进行了二次开发,结合所研制的客户端VPN软件NetGuard能方便、经济、灵活地建立自己的VPN网络。该文在对FreeSWAN的编译、安装、配置,以及管理等进行分析和讨论的基础上,详细地介绍了VPN网关的具体实现。     

基于硬件队列扩展的网卡虚拟化方案

多核架构的虚拟平台对偏重于I/O访问的应用普遍存在虚拟化性能开销大的问题。为此,提出一种基于驱动域的网卡虚拟化方案。通过具有独立中断的硬件队列对网卡进行硬件扩展,减少网卡I/O访问中虚拟机监控器的参与,提高访问效率。测试结果表明,在消息长度达到1 024 Byte时,使用虚拟接口的时延仅比非虚拟化环境高10%。     

面向云计算的数据中心网络体系结构设计

近年来,云计算技术的蓬勃发展为整个IT行业带来了巨大变革.传统数据中心网络拓扑构建方式及网络层控制平面的运行机制存在固化性,已经难以满足新形势下日益增长的高性能及高性价比需求,并且无法支持云环境下更加灵活的按带宽租赁数据中心网络的运营方式.因此,提出了一种通过低造价的可编程交换机来构建具有高连通性的非树状数据中心网络的方式,并设计了可编程交换机与服务器2.5层代理协同工作的基于凸优化的虚拟网络带宽控制管理机制,从而提供足够的灵活性以对资源虚拟化技术提供更好的支持.实验表明,新型体系结构在降低构建成本的同时大幅提高了数据中心网络的吞吐量并提供了更加灵活的网络带宽分配机制.     

Edge Provisioning and Fairness in VPN-DiffServ Networks

Customers of Virtual Private Networks (VPNs) over Differentiated Services (DiffServ) infrastructure are most likely to demand not only security but also guaranteed Quality-of-Service (QoS) in pursuance of their desire to have leased-line-like services. However, expectedly they will be unable or unwilling to predict the load between VPN endpoints. This paper proposes that customers specify their requirements as a range of quantitative services in the Service Level Agreements (SLAs). To support such services Internet Service Providers (ISPs) would need an automated provisioning system that can logically partition the capacity at the edges to various classes (or groups) of VPN connections and manage them efficiently to allow resource sharing among the groups in a dynamic and fair manner. While with edge provisioning a certain amount of resources based on SLAs (traffic contract at edge) are allocated to VPN connections, we also need to provision the interior nodes of a transit network to meet the assurances offered at the boundaries of the network. We, therefore, propose a two-layered model to provision such VPN-DiffServ networks where the top layer is responsible for edge provisioning, and drives the lower layer in charge of interior resource provisioning with the help of a Bandwidth Broker (BB). Various algorithms with examples and analyses are presented to provision and allocate resources dynamically at the edges for VPN connections. We have developed a prototype BB performing the required provisioning and connection admission.     

虚拟专用网与防火墙集成的设计

虚拟专用网和防火墙是当前网络安全防御体系中两个非常重要和常见的防御设施。首先提出了集成实现虚拟专用网和防火墙两者功能时,VPN网关和防火墙的相对放置位置的几种方案,并分析了每种方案的优缺点。最后给出了将VPN网关和防火墙作为一个整体设备,实际安装到内部局域网与互联网之间时一个比较好的实现方案。     

桌面虚拟化方案选型与实践研究

虚拟化技术是现代计算机应用中的重要技术之一,其改变了传统计算机应用的方式,以互联网作为中间媒介 构建服务器与客户端交互的数据及软件应用模式。近些年,虚拟化技术得到了迅猛的发展,虚拟化产品类型不断更新,桌面虚 拟化方案也形成了以VMware和Citrix 两大主体的云桌面解决方案。为此本文对两种方案进行分析,比较二者之间的差别,从 资源利用和架构特点的角度探索桌面虚拟化方案选型计算方法,提出符合实际应用需求的解决方案,并在具体实践中探讨方 案的可行性。结果表明,本文提出的桌面虚拟化方案选型方案能够很好地实现跨网办公,提升系统的应用效率,保证数据的安 全性。     

基于Xen的I／O准虚拟化驱动研究

针对全虚拟化下客户端虚拟机无法“感知”虚拟机监视器的问题,对基于Xen的I／O准虚拟化驱动进行研究,通过实验可知,准虚拟化驱动能够消除全虚拟化方式下虚拟机监视器“黑箱”特性的限制,可以实现和虚拟机监视器的密切配合,从而提高I／O性能。在虚拟机Xen的全虚拟化环境中加入准虚拟化驱动,采用对比测试方法验证了该驱动能大幅提升网络性能。     

一种基于协作博弈的虚拟网络嵌入策略

针对现有云服务中虚拟网络嵌入方法无法有效处理硬件故障的不足,提出一种基于协作博弈的高可靠性虚拟网络嵌入策略CG-VNE（virtual network embedding strategy based on cooperative game）,其目标是通过使客户们的接受率最大化使云供应方的收入最大,同时将底层路由器或链路故障导致的虚拟网络中断率降到最低．为了回避虚拟网络映射过程的指数级复杂度,CG-VNE将虚拟网络嵌入问题阐述为两个互相交错的协作博弈：第1个博弈处理虚拟节点映射问题,第2个博弈处理虚拟链路的嵌入问题．通过这两种博弈,虚拟博弈方通过合作即可达到纳什平衡,在提升云提供商的收入的同时有效地处理了路由器和链路的物理故障．全面的仿真实验结果表明,在新客户拒绝率、云服务收入及受到物理故障影响的客户率3个方面,相比于目前大多数虚拟网络嵌入算法而言,CG-VNE的性能提升明显．     

基于KVM虚拟桌面的透明消息通道设计

云管理平台和虚拟机终端用户间的通信一般采用代理软件或插件,便捷性和抗干扰能力较低。针对该问题,利用基于内核的虚拟机(KVM)虚拟桌面,提出一种云服务提供节点(虚拟机所在物理主机)和虚拟机终端用户之间双向交互的透明消息通道设计方案。在云管理平台中建立消息控制端,用于接收和处理服务节点发往虚拟机终端用户的消息,并将消息转换为图像,使图像内容以位图像素数据格式的方式读出到特定文件中,作为消息发送模块的消息来源。通过修改KVM虚拟化平台中Qemu-KVM集成的VNC Server端源码,在源码中添加消息发送模块和反馈接收模块,将消息集成融入到虚拟机桌面图像中,并对VNC Client远程终端反馈的消息进行处理,从而得到一条对虚拟机自身系统透明的,可在云平台和终端用户间双向交互的消息通道。实验结果验证了该设计方案的可行性。     

基于Matlab物联网网关的Modbus协议实现

实现了一种基于Matlab的物联网网关原型开发平台,以应用层协议——Modbus协议作为公共协议来解决多种传感网络协议不统一问题,实现了Modbus ZigBee网络、ModbusTCP/IP网络、Modbus串行链路的数据采集、传输和存储,以及对传感网的设备控制,最终通过Matlab中的Web服务发布技术将数据发布到Internet,以方便客户查询和控制.     

Joint study on VMs deployment,assignment and migration in geographically distributed data centers

Enterprises build private clouds to provide IT resources for geographically distributed subsidiaries or product divisions. Public cloud providers like Amazon lease their platforms to enterprise users, thus, enterprises can also rent a number of virtual machines (VMs) from their data centers in the service provider networks. Unfortunately, the network cannot always guarantee stable connectivity for their clients to access the VMs or low-latency transfer among data centers. Usually, both latency and bandwidth are in unstable network environment. Being affected by background traffics, the network status can be volatile. To reduce the latency uncertainty of client accesses, enterprises should consider the network status when they deploy data centers or rent virtual data centers from cloud providers. In this paper, we first develop a data center deployment and assignment scheme for an enterprise to meet its users’ requirements under uncertain network status. To accommodate to the changes of the network status and users’ demands, a VMs migration-based redeployment scheme is adopted. These two schemes work in a joint way, and lay out a framework to help enterprises make better use of private or public clouds.     

分布式云的研究进展综述

云计算作为全新的计算模式,将数据中心的资源包括计算、存储等基础设施资源通过虚拟化技术以服务的形式交付给用户,使得用户可以通过互联网按需访问云内计算资源来运行应用.为面向用户提供更好的服务,分布式云跨区域联合多个云站点,创建巨大的资源池,同时利用地理分布优势改善服务质量.近年来分布式云的研究逐渐成为学术界和工业界的热点.文中围绕分布式云系统中研究的基本问题,介绍了国际国内的研究现状,包括分布式云系统的架构设计、资源调度与性能优化策略和云安全方案等,并展望分布式云的发展趋势.     

Evaluation for distance learning scheme on distributed multiple server system

A distributed multiple server system is designed and implemented with Web-DB based services for distance learning as well as emergency communication. The system has employed multiple servers located in a distributed campus network environment. Each server of the system has multi-core processors. With so-called “server virtualization” technology, some programs are executed in parallel (on the virtual servers) so that such a system can efficiently perform several functions. For example, two or more application services can be performed simultaneously as “cloud services” on the whole system. The system can provide distance learning scheme for educational tool, at the same time it can also support Web-based surveillance facilities for emergency contact. With qualitative and quantitative approach, trial evaluation of system has been performed in some classrooms of distributed campus. And users can obtain some good results from the above evaluation.     

A machine learning based intrusion detection scheme for data fusion in mobile clouds involving heterogeneous client networks

The combination of traditional cloud computing and mobile computing leads to the novel paradigm of mobile cloud computing. Due to the mobility of network nodes in mobile cloud computing, security has been a challenging problem of paramount importance. When a mobile cloud involves heterogeneous client networks, such as Wireless Sensor Networks and Vehicular Networks, the security problem becomes more challenging because the client networks often have different security requirements in terms of computational complexity, power consumption, and security levels. To securely collect and fuse the data from heterogeneous client networks in complex systems of this kind, novel security schemes need to be devised. Intrusion detection is one of the key security functions in mobile clouds involving heterogeneous client networks. A variety of different rule-based intrusion detection methods could be employed in this type of systems. However, the existing intrusion detection schemes lead to high computation complexity or require frequent rule updates, which seriously harms their effectiveness. In this paper, we propose a machine learning based intrusion detection scheme for mobile clouds involving heterogeneous client networks. The proposed scheme does not require rule updates and its complexity can be customized to suit the requirements of the client networks. Technically, the proposed scheme includes two steps: multi-layer traffic screening and decision-based Virtual Machine (VM) selection. Our experimental results indicate that the proposed scheme is highly effective in terms of intrusion detection.     

T—YUN：云提供商可信性审计与验证

云计算被广泛认为是信息技术发展的必然趋势。然而,由于在云计算模式下用户失去了对托管在云端的数据和应用的直接控制能力,产生了云服务的可信性问题,严重影响了云计算与云服务的推广。文章设计实现了一种新的通过可信第三方TTP（TrustedTMrdParty）对云提供商可信性进行审计和验证的模型。为了防止TTP成为单点瓶颈或单点故障,通过云计算技术构建TTP云验证平台实现了原型系统,并对其进行定量测试、分析和评价。实验结果表明,T—YUN在有效验证可信性的同时没有引入过多的额外代价。