Journal of Software:2014.25(10):2251-2265

(武汉大学 计算机学院, 湖北 武汉 430072;软件工程国家重点实验室 武汉大学, 湖北 武汉 430072;武汉大学 卫星定位导航技术研究中心, 湖北 武汉 430079;中山大学 珠海校区 移动信息工程学院, 广东 珠海 519000;School of Computing Informatics and Decision Systems Engineering, Arizona State University, AZ, USA)
Establishing Process-Level Defense-in-Depth Framework for Software Defined Networks
CUI Jing-Song,GUO Chi,CHEN Long,ZHANG Ya-Na,Dijiang HUANG
(Computer School, Wuhan University, Wuhan 430072, China;State Key Laboratory of Software Engineering(Wuhan University), Wuhan 430072, China;Global Navigation Satellite System Research Center, Wuhan University, Wuhan 430079, China;School of Mobile Information Engineering, Sun Yet-Sen University(Zhuhai Campus), Zhuhai 519000, China;School of Computing Informatics and Decision Systems Engineering, Arizona State University, AZ, USA)
Chart / table
Similar Articles
Article :Browse 4506   Download 3581
Received:February 28, 2014    Revised:July 07, 2014
> 中文摘要: 云计算因其资源的弹性和可拓展性,在为用户提供各项服务时,相对于传统方式占据了先机.在用户考虑是否转向云计算时,一个极其重要的安全风险是:攻击者可以通过共享的云资源对云用户发起针对虚拟机的高效攻击.虚拟机作为云服务的基本资源,攻击者在攻击或者租用了某虚拟机之后,通过在其中部署恶意软件,并针对云内其他虚拟机发起更大范围的攻击行为,如分布式拒绝服务型攻击.为防止此种情况的发生,提出基于软件定义网络的纵深防御系统,以及时检测可疑虚拟机并控制其发出的流量,抑制来自该虚拟机的攻击行为并减轻因攻击所受到的影响.该系统以完全无代理的非侵入方式检测虚拟机状态,且基于软件定义网络,对同主机内虚拟机间或云主机间的网络流量进行进程级的监控.实验结果表明了该系统的有效性.
Abstract:Cloud computing is gaining momentum against traditional method in providing users various services with greater flexibility and scalability. Before switching to cloud computing, users must take into account the security of cloud as an extremely important factor. That is because in the cloud environment, attackers can initiate efficient attacks to cloud users through the shared cloud resources such as virtual machines. Since virtual machines (VM) are basic resources of cloud service, by compromising or renting several virtual machines, attackers may deploy malicious software into those machines and launch a wider range of attacks to other virtual machines such as distributed denial of service (DDoS). To tackle this issue, this paper proposes a defense in depth system based on software defined networking to be able to detect suspicious virtual machines and monitor the flow they issued in time, and inhibit the aggressive behavior from the suspected virtual machines to mitigate the attack consequences. The system detects the virtual machines' running state in a completely non-intrusive and agent-free way, and monitors network traffic between virtual machines on the same host or between cloud hosts at process level based on software defined networking. Experimental results demonstrate the effectiveness of the system.
文章编号:     中图分类号:    文献标志码:
基金项目:国家高技术研究发展计划(863)(2013AA12A206,2013AA12A204);国家自然科学基金(41104010,91120002);高等学校学科创新引智计划(B07037) 国家高技术研究发展计划(863)(2013AA12A206,2013AA12A204);国家自然科学基金(41104010,91120002);高等学校学科创新引智计划(B07037)
Foundation items:
Reference text:


CUI Jing-Song,GUO Chi,CHEN Long,ZHANG Ya-Na,Dijiang HUANG.Establishing Process-Level Defense-in-Depth Framework for Software Defined Networks.Journal of Software,2014,25(10):2251-2265