Research On Security Architecture And Proactive Defense Technology Of Enterprise Cloud Computing Data Center

Along with the rapid development of cloud computing technology,more and more enterprises speed up the process of building cloud computing data centers.While enterprises enjoy the dividends brought by emerging technologies,they also inevitably need to face the fastest-changing cyber security threats.How to effectively protect cloud computing data center under the increasingly severe network security situation is an important issue in the field of information security research.Traditional security protection means are generally passive defense based on the prior knowledge,which belong to static hierarchical defense system.They have excellent protection performance against general attack means,but cannot deal with malicious attacks by using unknown vulnerability or back door.Nevertheless,proactive defense can realize the identification and break the attack chain through the dynamic linkage security protection to effectively alleviate this contradiction.In this way,enterprises could build a multi-dimensional defense-in-depth architecture and greatly improve the ability of enterprise cloud computing data centers to resist network attacks.This thesis is based on the requirements of the classified protection of cyber security in the period of 2.0,an overall security architecture of enterprise cloud computing data center is proposed by analyzing the characteristics of current enterprise cloud computing data center security protection requirements and combining the advantages of proactive defense and passive defense architecture.Firstly,aiming at the defect that the Honeynet technology in the traditional attack trapping technology is unable to achieve fine-grained data control in the proactive defense area.The Honeypot system has many problems such as complex deployment,large resource consumption and so on.A SDN Honeynet based on dynamic Docker deployed in proactive defense area is proposed and implemented by combining Docker and SDN technology.The Honeynet is composed of dynamic Docker Honeypot system and SDN Honeynet Gateway.Dynamic Docker Honeypot system realized the dynamic deployment of the Honeypot system by utilizing advantages of the rapid deployment of Docker technology and combining with the attack distribution detection algorithm.SDN Honeynet Gateway combined with the IDS module of Docker Honeypot system to recognize malicious traffic,and used the advantage of flexible control of SDN technology to realize the data flow redirection of malicious traffic.The data control problem of fine-grained corresponding to traffic in Honeynet is effectively solved.Next,aiming at the defect that traditional security devices cannot realize the dynamic linkage defense in the proactive defense area,a SDN firewall based on the dynamic linkage mechanism is designed and implemented with the advantages of IDS for real-time monitoring of malicious attacks and centralized control of SDN.This architecture effectively makes up for the defect that the original firewall control core is easy to be attacked by unknown vulnerabilities with the design of heterogeneous SDN control cluster core.Through the linkage architecture of SDN controllers and IDS,the automatic security policy deployment for malicious attack traffic is realized.Experiments have proved that the proposed SDN firewall can realize automatic attack intercept by linking the SDN controller to send down the dynamic flow table according to the identification characteristics of IDS against malicious attacks,and has efficient protection performance in the face of large-scale DDo S attacks.This thesis designed a security architecture of enterprise cloud computing data center based on the classified protection of cyber security in the period of 2.0,combining proactive defense and passive defense means,and verified the effectiveness of the scheme through experiments.It is an effective attempt to explore the research on information security protection of enterprise cloud computing data center.