|
|||||
|
|
| 创建软件定义网络中的进程级纵深防御体系结构 | |
| 引用本文: | 崔竞松,郭迟,陈龙,张雅娜,DijiangHUANG.创建软件定义网络中的进程级纵深防御体系结构[J].软件学报,2014,25(10):2251-2265. |
| 作者姓名: | 崔竞松 郭迟 陈龙 张雅娜 DijiangHUANG |
| 作者单位: | 1. 武汉大学计算机学院,湖北武汉 430072; 软件工程国家重点实验室 武汉大学,湖北武汉 430072 2. 武汉大学卫星定位导航技术研究中心,湖北武汉,430079 3. 中山大学 珠海校区 移动信息工程学院,广东珠海,519000 4. 武汉大学计算机学院,湖北武汉,430072 5. School of Computing Informatics and Decision Systems Engineering,Arizona State University,AZ,USA |
| 基金项目: | 国家高技术研究发展计划(863)(2013AA12A206,2013AA12A204);国家自然科学基金(41104010,91120002);高等学校学科创新引智计划(B07037) |
| 摘 要: | 云计算因其资源的弹性和可拓展性,在为用户提供各项服务时,相对于传统方式占据了先机。在用户考虑是否转向云计算时,一个极其重要的安全风险是:攻击者可以通过共享的云资源对云用户发起针对虚拟机的高效攻击。虚拟机作为云服务的基本资源,攻击者在攻击或者租用了某虚拟机之后,通过在其中部署恶意软件,并针对云内其他虚拟机发起更大范围的攻击行为,如分布式拒绝服务型攻击。为防止此种情况的发生,提出基于软件定义网络的纵深防御系统,以及时检测可疑虚拟机并控制其发出的流量,抑制来自该虚拟机的攻击行为并减轻因攻击所受到的影响。该系统以完全无代理的非侵入方式检测虚拟机状态,且基于软件定义网络,对同主机内虚拟机间或云主机间的网络流量进行进程级的监控。实验结果表明了该系统的有效性。 |
| 关 键 词: | 无代理技术 内网防火墙 虚拟机纵深防御 网络虚拟化 软件定义网络 |
| 收稿时间: | 2014/2/28 0:00:00 |
| 修稿时间: | 7/7/2014 12:00:00 AM |
Establishing Process-Level Defense-in-Depth Framework for Software Defined Networks |
|
| CUI Jing-Song,GUO Chi,CHEN Long,ZHANG Ya-Na and Dijiang HUANG.Establishing Process-Level Defense-in-Depth Framework for Software Defined Networks[J].Journal of Software,2014,25(10):2251-2265. | |
| Authors: | CUI Jing-Song GUO Chi CHEN Long ZHANG Ya-Na and Dijiang HUANG |
| Affiliation: | Computer School, Wuhan University, Wuhan 430072, China;State Key Laboratory of Software Engineering(Wuhan University), Wuhan 430072, China;Global Navigation Satellite System Research Center, Wuhan University, Wuhan 430079, China;School of Mobile Information Engineering, Sun Yet-Sen University(Zhuhai Campus), Zhuhai 519000, China;Computer School, Wuhan University, Wuhan 430072, China;School of Computing Informatics and Decision Systems Engineering, Arizona State University, AZ, USA |
| Abstract: | Cloud computing is gaining momentum against traditional method in providing users various services with greater flexibility and scalability. Before switching to cloud computing, users must take into account the security of cloud as an extremely important factor. That is because in the cloud environment, attackers can initiate efficient attacks to cloud users through the shared cloud resources such as virtual machines. Since virtual machines (VM) are basic resources of cloud service, by compromising or renting several virtual machines, attackers may deploy malicious software into those machines and launch a wider range of attacks to other virtual machines such as distributed denial of service (DDoS). To tackle this issue, this paper proposes a defense in depth system based on software defined networking to be able to detect suspicious virtual machines and monitor the flow they issued in time, and inhibit the aggressive behavior from the suspected virtual machines to mitigate the attack consequences. The system detects the virtual machines' running state in a completely non-intrusive and agent-free way, and monitors network traffic between virtual machines on the same host or between cloud hosts at process level based on software defined networking. Experimental results demonstrate the effectiveness of the system. |
| Keywords: | agent-free inside network firewall virtual machines’ defense in depth network virtualization software defined networking |
| 本文献已被 万方数据 等数据库收录! | |
| 点击此处可从《软件学报》浏览原始摘要信息 | |
| 点击此处可从《软件学报》下载全文 | |