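1. National Digital Switching System Engineering and Technology Research Center, Zhengzhou 450002, Henan, China
2. College of Command Information Systems, PLA University of Science and Technology, Nanjing 210007, Jiangsu, China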
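Shuo ZHAO (1993-), male, born in Anyang, Henan, is a master's student at the National Digital Switching System Engineering and Technology Center. His main research interests include virtual network security and software-defined networking.
Xin-sheng JI (1968-), male, born in Nantong, Jiangsu, is a professor and doctoral supervisor at the National Digital Switching System Engineering and Technology Center. His main research interests include cyberspace security and mimic security.
Yu-xing MAO (1989-), male, born in Tangshan, Hebei, is a doctoral student at PLA University of Science and Technology. His main research interests include cyberspace security and software-defined networking.
Guo-zhen CHENG (1986-), male, born in Dingtao, Shandong, is an assistant research fellow at the National Digital Switching System Engineering and Technology Center. His main research interests include cyberspace security and software-defined networking.
Hong-chao HU (1982-), male, born in Shangqiu, Henan, is an associate research fellow at the National Digital Switching System Engineering and Technology Center. His main research interests include cyberspace security and cloud data centers.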
Online publication date: 2017-07
Print publication date: 2017-07-25
Shuo ZHAO, Xin-sheng JI, Yu-xing MAO, et al. Research on dynamic migration of virtual machine based on security level[J]. Journal on Communications, 2017, 38(7): 165-174. DOI: 10.11959/j.issn.1000-436x.2017091.
Side-channel attacks are currently the main route of information leakage between tenants in cloud computing and data center environments. Existing defenses based on dynamic migration of virtual machines suffer from long convergence time of the migration algorithm and high migration cost. Hence, a dynamic virtual machine migration method based on security level is proposed. First, virtual machines are classified by security level to reduce the number of virtual machines that must be migrated. Then, a corresponding virtual machine embedding strategy is used to reduce the frequency of virtual machine migration. Experiments show that, compared with existing defenses based on dynamic virtual machine migration, the proposed method reduces both the convergence time of the migration algorithm and the migration cost.