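Institute of Information Technology, Information Engineering University, Zhengzhou 450002, Henan, China
DING Shaohu (1979- ), male, born in Beijing, Ph.D. candidate at Information Engineering University. Main research interests: network security and novel network architectures.
XIE Jichao (1993- ), male, born in Zhoukou, Henan, research assistant at Information Engineering University. Main research interests: network security and network function virtualization.
ZHANG Peng (1982- ), male, born in Zhengzhou, Henan, associate researcher at Information Engineering University. Main research interest: network security.
PU Liming (1976- ), male, born in Chongming, Yunnan, associate researcher at Information Engineering University. Main research interests: network security and network architecture.
GU Yunjie (1994- ), male, born in Jining, Shandong, engineer at Information Engineering University. Main research interest: network function virtualization.
Published online: 2020-04
Published in print: 2020-04-25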
Shaohu DING, Jichao XIE, Peng ZHANG, et al. Dynamic migration method of key virtual network function based on risk awareness[J]. Journal on Communications, 2020, 41(4): 102-113. DOI: 10.11959/j.issn.1000-436x.2020063.
Traditional dynamic migration methods used to counter side-channel attacks migrate many nodes, migrate frequently, and leave the service function chain (SFC) with an overly long path after migration. To address these problems, a risk-aware dynamic migration method for key virtual network functions (VNFs) is proposed. To reduce the number of migrated nodes, only key VNFs that hold private information are migrated. Combined with a side-channel attack detection system, triggered migration is performed on key VNFs that are under attack, and key VNFs are also migrated periodically according to a side-channel information leakage model. Finally, a multi-attribute node ranking method based on the technique for order preference by similarity to ideal solution (TOPSIS) is used to select the migration destination server, so that the path does not become too long after migration. Experiments show that, for the same side-channel attack defense performance, the proposed method migrates fewer nodes at a lower migration frequency, and effectively avoids an overly long SFC path after migration.
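
The destination-selection step named in the abstract, sketched as an added example (not the authors' code): a TOPSIS ranking over candidate servers. The three attributes, their weights, the server names and all values are assumptions constructed for illustration; the abstract does not list the attributes the paper ranks on.

```python
import math

# Constructed candidate servers. The attribute set is an assumption; the
# abstract does not list the attributes the paper ranks on.
# name: (extra SFC hops after migration, free CPU fraction, co-resident tenant VMs)
CANDIDATES = {
    "srv-a": (1, 0.30, 6),
    "srv-b": (4, 0.80, 1),
    "srv-c": (2, 0.60, 2),
    "srv-d": (6, 0.90, 0),
}
WEIGHTS = (0.5, 0.2, 0.3)          # assumed weights, sum to 1
BENEFIT = (False, True, False)     # True: larger is better; False: smaller is better


def topsis_rank(candidates, weights, benefit):
    """Return [(name, closeness)] sorted best first; closeness is in [0, 1]."""
    names = list(candidates)
    rows = [candidates[n] for n in names]
    ncol = len(weights)
    # Step 1: vector-normalise each attribute column, then apply its weight.
    norms = [math.sqrt(sum(r[j] ** 2 for r in rows)) or 1.0 for j in range(ncol)]
    v = [[weights[j] * r[j] / norms[j] for j in range(ncol)] for r in rows]
    # Step 2: ideal and anti-ideal points, respecting benefit/cost direction.
    cols = list(zip(*v))
    ideal = [max(c) if b else min(c) for c, b in zip(cols, benefit)]
    worst = [min(c) if b else max(c) for c, b in zip(cols, benefit)]
    # Step 3: relative closeness to the ideal point.
    scored = []
    for name, row in zip(names, v):
        d_pos, d_neg = math.dist(row, ideal), math.dist(row, worst)
        total = d_pos + d_neg
        scored.append((name, d_neg / total if total else 0.0))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def pick_destination(candidates, weights=WEIGHTS, benefit=BENEFIT):
    """Name of the highest-ranked candidate server."""
    return topsis_rank(candidates, weights, benefit)[0][0]


if __name__ == "__main__":
    for name, score in topsis_rank(CANDIDATES, WEIGHTS, BENEFIT):
        print(f"{name}: {score:.3f}")
```

With these constructed values srv-c ranks first: srv-d has the most free capacity and no co-resident tenants but adds the longest path, while srv-a adds the shortest path but is heavily shared.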