Strategy of container migration and honeypot deployment based on signal game in cloud environment
(Chinese title: 容器云中基于信号博弈的容器迁移与蜜罐部署策略, "A signaling-game-based container migration and honeypot deployment strategy for the container cloud")
Authors: Lingshu LI (李凌书), Jiangxing WU (邬江兴), Wei ZENG (曾威), Wenyan LIU (刘文彦)
Affiliation: Information Engineering University, Zhengzhou 450001, Henan, China
Funding: National Key R&D Program of China (2018YFB0804004); National Natural Science Foundation of China (62002383)
Abstract: Multi-tenant coexistence and resource sharing in the SaaS cloud create serious security risks. On the one hand, the soft isolation provided by logical namespaces is easy to bypass or break out of; on the other hand, because tenants share the host operating system and the underlying physical resources, they are exposed to co-residency attacks. Both threaten the availability, integrity and confidentiality of data in the container cloud. Against the co-residency attacks that SaaS cloud services are prone to, such as container escape and side channels, network deception hides the business function and characteristic attributes of the execution entities, raises the attacker's uncertainty about the cloud environment and thereby lowers the effectiveness of an attack. This paper combines dynamic migration and virtual honeypots to study an economically reasonable network deception method that reduces the threat of co-residency attacks. Specifically, a container migration and honeypot deployment strategy based on a signaling game is proposed. Following an analysis of the threats a container faces, container migration and honeypots are used as the two defence methods: the former, in the spirit of moving target defence, makes the system harder to probe, while the latter confuses the attacker by deploying decoy containers or offering false services. Because network sniffing is the step that precedes the rest of the attack chain, the attack-defence process is modelled as a two-player signaling game of incomplete information: the sender chooses a signal to release according to its type, and the receiver observes only that signal, not the type. Incomplete information about the sender's type is handled in the usual way, by letting Nature draw the type first, which turns the model into a dynamic game of complete but imperfect information; a game tree is constructed for this game, the costs and payoffs of each combination of attack and defence strategies are set, and an equilibrium analysis of the attack-defence model determines the optimal deception strategy. Experimental results show that the proposed strategy effectively improves system security while also lowering the container migration frequency and the defence cost.

Keywords: cloud computing; container migration; honeypot; signaling game

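The signaling-game model sketched in the abstract, as an added worked example that is not the paper's code or the paper's model: it enumerates the pure-strategy perfect Bayesian equilibria (PBE) of a small two-type signaling game. Everything concrete in it is an assumption made for illustration. The defender is taken to be the sender (the abstract says the attacker sniffs the signal), its private type is whether a container is a real tenant or a honeypot, the signal is the appearance the container presents to the sniffing attacker (`looks_real` or `looks_decoy`, e.g. the fingerprint left after a migration or the dressing of a decoy), the attacker's actions are `attack` or `abstain`, and the payoff tables `U_D` and `U_A` are made-up numbers. The functions `pure_pbe`, `supporting_beliefs` and `expected_payoffs` are my own names.

```python
"""Pure-strategy perfect Bayesian equilibria (PBE) of a two-type signaling game
between a container-cloud defender (sender) and a co-resident attacker (receiver).
All payoff numbers below are assumptions for illustration, not the paper's."""
from itertools import product

# Assumed model. The defender knows its private type; the attacker sees only the
# fingerprint the container presents on the network (the signal).
TYPES = ("real", "honeypot")             # sender's private type
SIGNALS = ("looks_real", "looks_decoy")  # appearance the defender chooses to show
ACTIONS = ("attack", "abstain")          # attacker's move after sniffing the signal

# Defender utility U_D[(type, signal, action)]. Assumed numbers: a real container
# compromised costs 10; migrating/obfuscating a real container so that it looks
# like a decoy costs 3; a high-interaction honeypot dressed as a real tenant costs
# 2 and yields 5 of attacker intel if it is attacked; a honeypot that openly looks
# like a decoy costs nothing and yields nothing.
U_D = {
    ("real", "looks_real", "attack"): -10, ("real", "looks_real", "abstain"): 0,
    ("real", "looks_decoy", "attack"): -13, ("real", "looks_decoy", "abstain"): -3,
    ("honeypot", "looks_real", "attack"): 3, ("honeypot", "looks_real", "abstain"): -2,
    ("honeypot", "looks_decoy", "attack"): 0, ("honeypot", "looks_decoy", "abstain"): 0,
}
# Attacker utility U_A[(type, action)] (assumed): +8 for a real compromise minus 2
# of attack cost; -6 for burning tooling on a honeypot; 0 for abstaining.
U_A = {("real", "attack"): 6, ("honeypot", "attack"): -6,
       ("real", "abstain"): 0, ("honeypot", "abstain"): 0}


def attacker_eu(belief_real, action):
    """Attacker's expected utility of `action` when P(type = real) = belief_real."""
    return belief_real * U_A[("real", action)] + (1 - belief_real) * U_A[("honeypot", action)]


def is_best_response(belief_real, action, tol=1e-9):
    best = max(attacker_eu(belief_real, a) for a in ACTIONS)
    return attacker_eu(belief_real, action) >= best - tol


def supporting_beliefs(action):
    """Beliefs mu in [0, 1] at which `action` is a best response. Expected utility is
    linear in mu, so this set is a closed interval whose ends are 0, 1 or a point
    where two actions' utility lines cross; testing those candidates is exact."""
    candidates = {0.0, 1.0}
    for a, b in product(ACTIONS, repeat=2):
        da = U_A[("real", a)] - U_A[("honeypot", a)]
        db = U_A[("real", b)] - U_A[("honeypot", b)]
        if da != db:  # solve attacker_eu(mu, a) == attacker_eu(mu, b)
            mu = (U_A[("honeypot", b)] - U_A[("honeypot", a)]) / (da - db)
            if 0.0 <= mu <= 1.0:
                candidates.add(mu)
    return sorted(mu for mu in candidates if is_best_response(mu, action))


def pure_pbe(prior_real):
    """Enumerate pure-strategy PBE. Returns (sender, receiver, beliefs) triples:
    sender maps type -> signal, receiver maps signal -> action, and beliefs maps
    signal -> P(real | signal) (a supporting belief for off-path signals)."""
    equilibria = []
    for s_choice in product(SIGNALS, repeat=len(TYPES)):
        sender = dict(zip(TYPES, s_choice))
        for r_choice in product(ACTIONS, repeat=len(SIGNALS)):
            receiver = dict(zip(SIGNALS, r_choice))
            beliefs, consistent = {}, True
            for m in SIGNALS:
                senders_of_m = [t for t in TYPES if sender[t] == m]
                if senders_of_m:  # Bayes' rule on the path of play
                    p_m = sum(prior_real if t == "real" else 1 - prior_real for t in senders_of_m)
                    mu = (prior_real if sender["real"] == m else 0.0) / p_m
                    if not is_best_response(mu, receiver[m]):
                        consistent = False
                        break
                    beliefs[m] = mu
                else:  # off the path any belief that rationalises the action will do
                    support = supporting_beliefs(receiver[m])
                    if not support:
                        consistent = False
                        break
                    beliefs[m] = support[0]
            if not consistent:
                continue
            # Sequential rationality of the sender: no type gains by switching signal.
            if all(U_D[(t, sender[t], receiver[sender[t]])] >=
                   max(U_D[(t, m, receiver[m])] for m in SIGNALS) for t in TYPES):
                equilibria.append((sender, receiver, beliefs))
    return equilibria


def expected_payoffs(prior_real, sender, receiver):
    """Ex-ante expected (defender, attacker) payoff of a strategy profile."""
    ud = ua = 0.0
    for t, p in (("real", prior_real), ("honeypot", 1 - prior_real)):
        m, a = sender[t], receiver[sender[t]]
        ud += p * U_D[(t, m, a)]
        ua += p * U_A[(t, a)]
    return ud, ua


if __name__ == "__main__":
    for prior in (0.7, 0.4):  # assumed share of containers that are real tenants
        eqs = pure_pbe(prior)
        print(f"P(real)={prior}: {len(eqs)} pure-strategy PBE")
        for sender, receiver, beliefs in eqs:
            print("  sender", sender, "receiver", receiver, "beliefs", beliefs,
                  "payoffs", expected_payoffs(prior, sender, receiver))
```

With the assumed numbers, when 70% of the containers are real tenants the only pure-strategy PBE is a pooling one: every container presents the `looks_real` fingerprint, the attacker attacks whatever it sees, and the profile is held together by the off-path belief that a `looks_decoy` fingerprint is at least as likely to be a disguised real container (mu = 0.5 is the lowest belief that still rationalises attacking it). The attacker's expected payoff falls from 6 (no honeypots) to 2.4 and the defender's from -10 to -6.1, without any real container being migrated. When only 40% are real the attacker would abstain on the path of play, the honeypot type then prefers not to pay for its disguise, and `pure_pbe` returns no pure equilibrium: an equilibrium then exists only in mixed (behavioural) strategies, where a migration or dressing probability, rather than a fixed rule, becomes the quantity to optimise.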