
Research On Security Mechanism For The Internal Network Of Cloud

Posted on: 2015-05-10 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: K Peng | Full Text: PDF
GTID: 1228330467964316 | Subject: Computer Science and Technology
Abstract/Summary:
Cloud computing unifies massive computing, storage and software resources into a single entity and provides users with the resources they need via the Internet. It frees enterprises from the huge cost of managing and maintaining IT infrastructure and lets them focus on their core business, and it has therefore attracted more and more attention from users. However, virtualization technology, outsourced services and the multi-tenancy of cloud computing expose it to unprecedented security challenges. The importance of cloud security issues is on the rise, and they have gradually become a main factor in the development of cloud computing. The data center network (DCN) is the internal network of the cloud platform and its core support. The topology of the DCN determines the operation and maintenance cost of the data center and the QoS (quality of service) of the upper-layer applications. Research on DCN security is therefore significant.

Although cloud computing platforms have protections against certain attacks, such as distributed denial of service and side-channel attacks, protection of the internal network is still at a preliminary stage, and it has attracted increasing attention from academia and industry. In this paper we therefore focus on the key technologies for protecting the DCN and reach the following results:

1. As vital nodes are the focus of attack and defense, it is important for the cloud service provider to find the vital nodes and give them special protection, and thereby improve the defensive capability of the network. For node protection in the static network scenario, we present a critical minimum spanning tree method. The method is based on the idea that the importance of a node can be evaluated by the difference in network connectivity before and after the node under test is removed: the smaller the number of spanning trees of the network once the node is removed, the more important the node is.
First, we use an undirected graph to represent the topology of the DCN; second, we establish the correlation matrix for the two types of DCN; then we obtain the spanning tree value using an improved algebraic method; finally, we obtain the importance value of each node by normalization.

For node protection in the dynamic network scenario, to solve the problem that removing nodes changes the network topology, we propose a contribution matrix method based on information entropy theory. First, we use the adjacency matrix of an undirected graph to describe the DCN topology. Second, we create the evaluation matrix of betweenness and degree as the input parameters, calculate their weights using information entropy theory, and obtain the contribution matrix. Finally, we obtain the importance value of each node by normalization. We conduct an experimental assessment on hierarchical network architectures, such as the Tree architecture, Fat-tree and VL2, and on recursive network structures, such as BCube and FiConn. The results show that our two proposed methods are effective. Compared with other methods, our contribution matrix method not only preserves the integrity of the network topology but also has much higher accuracy.

2. Like the vital nodes, the critical links are also a focus of network defense and need special attention. To improve the protection of critical network links, we propose a critical link protection method based on maximum flow. First, we choose four kinds of typical DCN architectures and convert the critical link protection problem into a maximum-flow problem by adding a supersource and a supersink. Second, we establish a traffic cost function for each network structure. Third, we obtain the maximum-flow value using the Edmonds and Goldberg algorithm.
Finally, based on the theory of maximum flow and minimal cut sets, we obtain the critical edges for each architecture. Extended experiments and analysis show that our method is effective and introduces low computational overhead.

3. To further improve the overall protection of the DCN and to strengthen the preceding research, we investigate the invulnerability of the DCN. We conduct an experimental assessment on hierarchical network architectures, such as the Tree architecture, Fat-tree and VL2, and on recursive network structures, such as BCube and FiConn. Based on the degree and betweenness indicators, we analyze the invulnerability of data center networks under deliberate attack and random attack. The results provide guidance for establishing an invulnerability feature library for the DCN.
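
The spanning-tree idea in result 1 can be illustrated as follows. This is an added example, not code from the dissertation: it counts spanning trees with Kirchhoff's matrix-tree theorem and scores each node as 1 - t(G - v)/t(G), which is an assumed normalization; the topology and node names are constructed.

```python
from fractions import Fraction

def spanning_tree_count(nodes, edges):
    """Number of spanning trees via Kirchhoff's matrix-tree theorem."""
    idx = {v: i for i, v in enumerate(nodes)}
    n = len(nodes)
    lap = [[Fraction(0)] * n for _ in range(n)]
    for u, v in edges:                      # build the graph Laplacian
        i, j = idx[u], idx[v]
        lap[i][i] += 1
        lap[j][j] += 1
        lap[i][j] -= 1
        lap[j][i] -= 1
    m = [row[1:] for row in lap[1:]]        # any cofactor gives the count
    det = Fraction(1)
    for c in range(n - 1):                  # exact Gaussian elimination
        pivot = next((r for r in range(c, n - 1) if m[r][c] != 0), None)
        if pivot is None:
            return 0                        # singular minor: disconnected graph
        if pivot != c:
            m[c], m[pivot] = m[pivot], m[c]
            det = -det
        det *= m[c][c]
        for r in range(c + 1, n - 1):
            f = m[r][c] / m[c][c]
            for k in range(c, n - 1):
                m[r][k] -= f * m[c][k]
    return int(det)

def node_importance(nodes, edges):
    """Assumed score: 1 - t(G - v) / t(G); fewer surviving trees = more important."""
    total = spanning_tree_count(nodes, edges)
    if total == 0:
        raise ValueError("topology must be connected")
    scores = {}
    for v in nodes:
        rest = [u for u in nodes if u != v]
        kept = [(a, b) for a, b in edges if v not in (a, b)]
        scores[v] = 1 - Fraction(spanning_tree_count(rest, kept), total)
    return scores

# Constructed topology: 2 core, 2 aggregation, 2 edge switches, 1 single-homed host.
NODES = ["c1", "c2", "a1", "a2", "e1", "e2", "h1"]
EDGES = [("c1", "a1"), ("c1", "a2"), ("c2", "a1"), ("c2", "a2"),
         ("a1", "e1"), ("a1", "e2"), ("a2", "e1"), ("a2", "e2"), ("e1", "h1")]

if __name__ == "__main__":
    for name, score in sorted(node_importance(NODES, EDGES).items(), key=lambda kv: -kv[1]):
        print(f"{name}: {float(score):.3f}")
```

In this sample the edge switch `e1` scores highest because the single-homed host loses all connectivity without it, which marks it as a node to harden or make redundant.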
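
The maximum-flow formulation in result 2, sketched as an added example that is not the dissertation's code: a supersource `S*` and supersink `T*` are attached to a constructed topology, the flow is computed with Edmonds-Karp as a stand-in for the algorithm the abstract names, and the links crossing the resulting minimum cut are reported as the critical links. The capacities replace the traffic cost function, which the abstract does not give.

```python
from collections import defaultdict, deque

INF = float("inf")

def critical_links(links, sources, sinks):
    """Return (max flow, min-cut links) between a supersource and a supersink."""
    cap = defaultdict(lambda: defaultdict(int))
    for (u, v), c in links.items():         # undirected link = two residual arcs
        cap[u][v] += c
        cap[v][u] += c
    for s in sources:
        cap["S*"][s] = INF                  # supersource feeds every source
    for t in sinks:
        cap[t]["T*"] = INF                  # every sink drains to the supersink

    def reachable():
        """BFS over arcs with residual capacity; maps node -> predecessor."""
        parent, queue = {"S*": None}, deque(["S*"])
        while queue:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        return parent

    flow = 0
    while "T*" in (parent := reachable()):  # shortest augmenting path
        path, v = [], "T*"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[a][b] for a, b in path)
        for a, b in path:
            cap[a][b] -= push
            cap[b][a] += push
        flow += push
    # Links with one endpoint on each side of the final residual cut form
    # the minimum cut nearest the sources; other minimum cuts may also exist.
    cut = sorted(l for l in links if (l[0] in parent) != (l[1] in parent))
    return flow, cut

# Constructed capacities in arbitrary units: edge (e), aggregation (a), core (c).
LINKS = {("e1", "a1"): 10, ("e1", "a2"): 10, ("e2", "a1"): 10, ("e2", "a2"): 10,
         ("a1", "c1"): 10, ("a1", "c2"): 10, ("a2", "c1"): 1, ("a2", "c2"): 1}

if __name__ == "__main__":
    print(critical_links(LINKS, sources=["e1", "e2"], sinks=["c1", "c2"]))
```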
Keywords/Search Tags: cloud computing, data center network, security protection, vital node, critical link, invulnerability, deliberate attack, random attack