软件学报 (Journal of Software)
2014, No. 10, pp. 2251-2265 (15 pages)
Authors: 崔竞松, 郭迟, 陈龙, 张雅娜, Dijiang HUANG
Keywords: agent-free; internal network firewall; virtual-machine defense in depth; network virtualization; software-defined networking
Abstract: Cloud computing, with its elastic and scalable resources, has gained an edge over traditional delivery models for a wide range of services. A critical security risk that users must weigh before moving to the cloud is that an attacker can use shared cloud resources to mount efficient attacks against other tenants' virtual machines. Since virtual machines (VMs) are the basic resource of a cloud service, an attacker who has compromised or rented a VM can deploy malicious software in it and launch wider attacks against other VMs in the cloud, such as distributed denial of service (DDoS). To counter this, the paper proposes a defense-in-depth system based on software-defined networking (SDN) that detects suspicious VMs in time, controls the traffic they emit, suppresses attack behaviour originating from them, and mitigates the impact of the attack. The system detects the running state of VMs in a completely agent-free, non-intrusive way and, using SDN, monitors network traffic between VMs on the same host and between cloud hosts at process level. Experimental results demonstrate the effectiveness of the system.
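The control loop the abstract describes, detect a suspicious VM from the traffic it emits and then contain only the offending flows with SDN rules, as an added toy example. This is not the paper's code: it assumes each VM is attached to one Open vSwitch port, that an agentless introspection step has already attributed each flow to a process name inside the VM (the `process` field is hypothetical), and the flow records, thresholds, VM names and addresses are all constructed for the example. The rules are emitted in ovs-ofctl add-flow syntax and match on port, source address, protocol and destination port, so the VM's other processes keep their connectivity while the flood is dropped.

```python
"""Toy SDN containment loop (added example; assumptions noted in comments)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    vm: str        # VM name (constructed)
    in_port: int   # OVS port the VM is attached to (assumption: one port per VM)
    process: str   # process inside the VM owning the socket (hypothetical introspection output)
    src_ip: str
    dst_ip: str
    proto: str     # "tcp" or "udp"
    dport: int
    pps: int       # observed packets per second for this flow


# Detector thresholds: constructed values, tune to the environment.
FANOUT_LIMIT = 50   # distinct destinations per process before we call it a flood
PPS_LIMIT = 5000    # aggregate egress packets per second per process


def detect_suspicious(flows, fanout_limit=FANOUT_LIMIT, pps_limit=PPS_LIMIT):
    """Return {(vm, process): reason} for processes whose egress looks like a DDoS source.

    Fan-out (many distinct destinations) is checked first because it is a much
    stronger signal than raw packet rate, which a legitimate bulk transfer can also hit.
    """
    dests = defaultdict(set)
    pps = defaultdict(int)
    for f in flows:
        key = (f.vm, f.process)
        dests[key].add((f.dst_ip, f.proto, f.dport))
        pps[key] += f.pps
    suspicious = {}
    for key, targets in dests.items():
        if len(targets) > fanout_limit:
            suspicious[key] = f"fan-out {len(targets)} > {fanout_limit}"
        elif pps[key] > pps_limit:
            suspicious[key] = f"egress {pps[key]} pps > {pps_limit}"
    return suspicious


def build_rules(flows, suspicious, priority=200):
    """Emit ovs-ofctl add-flow rule bodies that drop only the suspicious process's flows.

    Matching on in_port + nw_src + proto + tp_dst collapses a spray across many
    destinations into one rule and leaves the VM's other traffic untouched.
    """
    rules = []
    seen = set()
    for f in flows:
        if (f.vm, f.process) not in suspicious:
            continue
        match = (f.in_port, f.src_ip, f.proto, f.dport)
        if match in seen:
            continue
        seen.add(match)
        rules.append(
            f"priority={priority},in_port={f.in_port},{f.proto},"
            f"nw_src={f.src_ip},tp_dst={f.dport},actions=drop"
        )
    return rules


def ofctl_commands(rules, bridge="br-int"):
    """Wrap rule bodies into the shell commands an operator (or controller) would run."""
    return [f"ovs-ofctl add-flow {bridge} '{r}'" for r in rules]


def sample_flows():
    """Constructed sample: vm-a serves HTTPS normally, vm-b sprays UDP/53 at 60 hosts."""
    flows = [
        Flow("vm-a", 1, "nginx", "10.0.0.11", "203.0.113.5", "tcp", 443, 120),
        Flow("vm-a", 1, "nginx", "10.0.0.11", "203.0.113.9", "tcp", 443, 80),
        Flow("vm-a", 1, "sshd", "10.0.0.11", "10.0.0.1", "tcp", 22, 5),
    ]
    for i in range(60):
        flows.append(Flow("vm-b", 2, "udp-flooder", "10.0.0.12",
                          f"198.51.100.{i + 1}", "udp", 53, 50))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    flagged = detect_suspicious(flows)
    for (vm, proc), reason in flagged.items():
        print(f"suspicious: {vm}/{proc}: {reason}")
    for cmd in ofctl_commands(build_rules(flows, flagged)):
        print(cmd)
```

In a real deployment the rule would be pushed by the SDN controller rather than typed, and a practitioner would prefer a meter or rate-limit action to an outright drop while the verdict is still tentative; the point of matching the flow rather than the whole port is exactly the process-level control the abstract claims.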