Font Size: a A A

Research On The Key Technologies Of Security Isolation And Control Of Cloud Multi-tenant Data

Posted on:2021-02-21Degree:MasterType:Thesis
Country:ChinaCandidate:X LuFull Text:PDF
GTID:2428330623482238Subject:Computer Science and Technology
Abstract/Summary:PDF Full Text Request
Cloud computing is a new computing mode based on distributed computing,grid computing and other technologies,which realizes multi-tenant resource sharing and on-demand allocation.Due to the highly shared storage,network,server and other infrastructure of multi-tenants,coupled with the characteristics of cloud platform openness and virtualization,tenant data is facing security threats such as leakage,malicious attack,illegal access,etc.,so it is urgent to study security isolation technology to ensure data security.The existing tenant isolation technology has the problems of poor isolation granularity and high complexity,and multi-tenant data is distributed in different shared resources,lacking the design of integrated and multi-dimensional tenant security isolation technology.Therefore,this paper makes an in-depth study on the key technologies of multi tenant data,such as isolation management and logical isolation access of multi-tenants under cloud computing,boundary identification and isolation of tenants in shared virtual machine,and aggregation inference control of tenant data,the main works are as follows:1.A multi tenant data security isolation model based on multi-dimensional control is proposed.Aiming at the security isolation problem of multi-tenant data under different shared resources,by introducing model elements such as virtual domain,security label and security channel,the security constraints such as logical storage isolation,virtual network isolation and process operation isolation are designed to ensure the security isolation and interaction within and outside the tenant virtual domain under different isolation dimensions;By designing the control rules of secure access,aggregation inference,information flow and secure communication of tenant data,an independent,logical and multi-dimensional tenant virtual isolation domain is constructed,which realizes the logical isolation access of tenant data,and solves the security isolation and sharing of multi-tenant data network transmission and operation.Finally,the model is proved to be safe and effective by using the intransitive noninterference theory based on TA-security.2.A multi-tenant data security isolation method based on L-DHT(Label-Distributed Hash Table)is proposed.To solve the problems of complex multi tenant management,uneven resource mapping,data leakage and cross access when sharing storage,firstly,based on the consistent hash ring,divide the virtual nodes on the ring,complete the balanced mapping of tenant resources according to the hash of tenant identity,negotiate the security label of virtual domain,and realize the distributed isolation management of multi tenant;Through the binding of data storage label and storage data,the encryption logic operation and matching authentication of label predicate and tenant access attribute,the fast retrieval and access authentication of multi-tenant data on the same storage node are realized;The binding method of data package and data control tag is designed.Combined with the isolation management and authentication access of multi-tenant,the virtual network isolation domain between multi-tenant is constructed,which solves the security isolation problem of multi-tenant data network access.The simulation results show that the mapping algorithm can achieve better dynamic load balance,and through the comparative analysis of data retrieval efficiency and access security,verify the security and efficiency of tenant access data.3.A dynamic control method of multi-tenant sensitive information flow based on virtual boundary recognition is proposed.Aiming at the problem of information leakage caused by data flow interference and interaction among multi tenant services in shared virtual machine,by analyzing the operation log of tenant,constructing the behavior characteristic vector of tenant,based on the classification characteristic of impulse neural network,an automatic recognition algorithm of tenant security boundary is designed,which realizes the dynamic identification of tenant security boundary when the service demand changes dynamically;Based on the idea of information flow control,the security label of tenant information flow is formally defined by lattice structure,the control and adjustment rules of tenant sensitive information flow are given,which realize the autonomous,dynamic and secure isolation and control of data flow inside and outside the multi-tenant boundary.The simulation results show that the tenant boundary recognition algorithm can accurately identify the multi-tenant security boundary in the virtual machine,and prove the security of the information flow control rules with the help of the non-interference theory.4.A method of multi-tenant data aggregation based on granular analysis is proposed.Aiming at the leakage problem caused by the information aggregation inference of tenant data in shared storage,firstly,a tenant data clustering algorithm based on particle granulars is proposed.Data granulars are formed according to the tenant data attributes.By calculating the granular mass and particle gravity,the matrix of granular characteristics and eigenvalues is constructed to achieve the accurate clustering of tenant similar data;A dynamic update algorithm of tenant data approximation set is designed to realize the dynamic clustering of data granulars when tenant data changes.Finally,a inference algorithm for aggregation information sensitivity is designed,based on the possibility measure of attribute fuzzy set and the contribution of granulars to sensitive particle cloud,the possibility of sensitive information is inferred by aggregating similar data.The experimental results show that the data clustering algorithm and the dynamic update algorithm have high clustering accuracy and efficiency,and the inference algorithm has high inference accuracy,which provides a basis for the formulation of similar data aggregation control strategy for tenants.
Keywords/Search Tags:cloud computing security, isolation control, storage isolation, network isolation, security boundary identification, information flow control, aggregate inference
PDF Full Text Request
Related items