
Research On Key Technologies Of Mimic SaaS Cloud Security Architecture

Posted on: 2022-01-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L S Li
Full Text: PDF
GTID: 1488306521457584
Subject: Cyberspace security
Abstract/Summary:
Cloud computing transfers computing power and storage capability from user terminals to cloud service providers, significantly reducing users' cost of deploying and managing applications. The Software as a Service (SaaS) cloud, a relatively mature cloud computing delivery model, is characterized by multi-tenancy, transparent access, flexible on-demand use, and composite services. In the SaaS cloud, control over resources, programs, and data is transferred to the cloud. Besides traditional network security threats, the SaaS cloud faces many new security challenges owing to multi-tenant coexistence, functional virtualization, the disappearance of physical boundaries, and the exposure of internal communication mechanisms. Existing research on SaaS cloud security mainly focuses on migrating traditional plug-in security technologies to the cloud or on designing dynamic mechanisms. Cyberspace Mimic Defense (CMD), which makes comprehensive use of dynamic, heterogeneous, and redundant mechanisms, has recently received extensive attention. CMD generates structural endogenous security gains from its mimic structure and mimic strategy, and protects the SaaS service at the Mimic Interface. Applying Cyberspace Mimic Defense to SaaS cloud scenarios is an interesting research direction in which many problems urgently need to be solved. This dissertation mainly focuses on two key issues: (1) how to establish a SaaS cloud architecture with endogenous security effects that improves the security of cloud infrastructure and cloud services; (2) how to reduce the impact of introducing a security framework and mimic disguise technology on SaaS services without unduly affecting their regular operation.

Targeting these problems, this dissertation focuses on the SaaS cloud endogenous security architecture, mimic SaaS service deployment, and mimic disguise technology. First, based on the Dynamic Heterogeneous Redundancy (DHR) architecture, a Kubernetes-based mimic SaaS cloud endogenous security architecture is proposed. The mimic SaaS cloud system takes realizability, implementation cost, and security gains into consideration, and three core security mechanisms are designed around the characteristics of the container cloud. Then, in the multi-cloud integration scenario, heterogeneity is further improved in the SaaS service deployment stage: a mimic SaaS service deployment method is proposed that reduces end-to-end service latency through a reasonable selection of physical resources. Finally, technologies such as dynamic migration, honeypot deployment, and fingerprint modification are used to defend against network reconnaissance and co-resident attacks in the cloud; for this, a signal-game-based container migration and honeypot deployment method and a multi-container collaborative mimic disguise method based on fingerprint anonymity are proposed, respectively. The main research content is as follows:

1. In response to the increasing attack surface of SaaS cloud services and the difficulty of their security management and control, a mimic SaaS cloud endogenous security system architecture (Mimicloud) is proposed. First, Mimicloud is based on the traditional SaaS system and the DHR model; cloud computing technology reduces the implementation cost of constructing mimic systems. Second, Mimicloud introduces security mechanisms such as dynamic reconstruction, multi-dimensional reconstruction, and cross-checking to invalidate attackers' accumulated knowledge; this prevents multiple containers from being compromised through isomorphic vulnerabilities and improves the intrusion tolerance of SaaS services. Finally, the service status of Mimicloud is dynamically analyzed using queuing theory, and the mimic rotation strategy and service redundancy strategy are adjusted according to the analysis results to balance safety and performance. Experimental tests on the prototype system show that Mimicloud can effectively enhance the security of SaaS cloud services at the cost of a 28% increase in service delay.

2. Considering homologous vulnerabilities and the untrustworthiness of cloud service providers, a mimic SaaS service deployment method based on multi-cloud integration (PJM) is proposed. First, the heterogeneity of the mimic SaaS system is improved through multi-cloud deployment and fragmented execution; the heterogeneous pooled resource configuration and dynamic allocation mechanism make it difficult for attackers to obtain the cross-platform configuration and find an exploitable vulnerability. Second, the SaaS service deployment process is modeled as a virtual network embedding problem, and a container co-residence penalty mechanism and a multi-cloud deployment reward mechanism are proposed to reduce the possibility of attacker escape by choosing reasonable cloud infrastructure. Finally, to reduce the adverse impact on system performance caused by the mimic mechanism and cross-cloud data transmission, a mimic virtual network function embedding algorithm based on Proximal Policy Optimization is proposed. Experimental results show that the mimic SaaS service deployed across multiple clouds reduces the attack success rate by about 80%, and that PJM reduces the business end-to-end service delay by about 12.2% compared with the comparison algorithms.

3. Aiming at the vulnerability of SaaS cloud services to container escape and side-channel and equivalent attacks, a container mimic disguise method based on dynamic migration and false signals (CDMFS) is proposed. First, a container mimic disguise method based on network deception is proposed that misleads attackers through environment perception and iterative disguise, improving the uncertainty of the cloud system. Second, by comprehensively using moving target defense and honeypot techniques to reconstruct defense scenarios, CDMFS reduces attack accessibility and induces attackers to enter the honeypot container, exposing more of their attack intentions and methods. Finally, a signal game model is established to analyze the behavior and benefits and to provide a reference for choosing the best mimic disguise type and defense timing. The experimental results show that the proposed strategy reduces the probability of co-location attacks and obtains a 19% increase in defense payoff compared with the comparison algorithms.

4. Aiming at the problem that attackers locate target containers by cross-verifying multi-dimensional fingerprint information, a multi-container collaborative mimic disguise method based on fingerprint anonymity (CFDAA) is proposed. First, building on research topic 3, the deceptiveness of the SaaS service is improved by modifying the fingerprints of containers in the resource pool so that they meet the anonymization standard; this creates a false cloud resource view and resists the attacker's network reconnaissance. Second, a semantic classification tree of the container fingerprint data set is established to quantitatively evaluate the cost of container fingerprint modification. Finally, for the real-time, online processing of many newly created containers, a dynamic fingerprint deception algorithm based on data stream anonymity is proposed that uses delay control and cluster segmentation. The experimental results show that the proposed method significantly increases the attacker's cost of locating the target cloud resource at an acceptable extra time cost.
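The cross-checking and mimic rotation mechanisms described under Mimicloud, as an added example that is not the dissertation's or Mimicloud's code: a minimal DHR arbiter fans a request out to a heterogeneous set of executors, majority-votes their responses, and rotates a dissenting executor out for a standby whose stack is not already online. The executor names, stack labels and handlers are constructed stand-ins for container service endpoints.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Executor:
    name: str
    stack: str                          # implementation family, e.g. "debian-go"
    handler: Callable[[bytes], bytes]   # stands in for the container's service endpoint

def arbitrate(responses: Dict[str, bytes]) -> Tuple[Optional[bytes], List[str]]:
    """Cross-check: (majority body or None, dissenting names); fails closed without a strict majority."""
    body, votes = Counter(responses.values()).most_common(1)[0]
    if votes * 2 <= len(responses):
        return None, sorted(responses)
    return body, sorted(n for n, r in responses.items() if r != body)

class MimicPool:
    def __init__(self, online: List[Executor], standby: List[Executor]):
        assert len({e.stack for e in online}) == len(online), "online set must be heterogeneous"
        self.online, self.standby = list(online), list(standby)
        self.rotations: List[Tuple[str, Optional[str]]] = []

    def _rotate(self, bad: Executor) -> None:
        # Swap a dissenter for a standby whose stack is not already online, so an
        # isomorphic vulnerability cannot re-enter the redundant set.
        self.online.remove(bad)
        live = {e.stack for e in self.online}
        for cand in self.standby:
            if cand.stack not in live:
                self.standby.remove(cand)
                self.online.append(cand)
                self.rotations.append((bad.name, cand.name))
                return
        self.rotations.append((bad.name, None))   # no heterogeneous standby left: run degraded

    def serve(self, request: bytes) -> Optional[bytes]:
        responses = {e.name: e.handler(request) for e in self.online}
        body, dissenters = arbitrate(responses)
        for name in dissenters:
            self._rotate(next(e for e in self.online if e.name == name))
        return body

def demo() -> Tuple[Optional[bytes], List[Tuple[str, Optional[str]]]]:
    good = lambda req: b"ok:" + req
    divergent = lambda req: b"altered:" + req     # constructed: one executor's output differs
    pool = MimicPool(
        online=[Executor("a", "alpine-python", good), Executor("b", "debian-go", good),
                Executor("c", "ubuntu-node", divergent)],
        standby=[Executor("d", "debian-go", good), Executor("e", "centos-java", good)])
    return pool.serve(b"GET /balance"), pool.rotations
```

In the constructed run, executor c is voted down and replaced by e; standby d is skipped because its stack duplicates the already online b.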
Keywords/Search Tags: Cloud Computing Security, Software as a Service, Cyber Mimic Defense, Network Deception, Endogenous Safety and Security