In recent years, the advantages of cloud computing technology have been widely adopted, but at the same time cloud security issues have become the main factor restricting its development. For improving the security of infrastructure clouds, implementing access control mechanisms with SELinux and software-defined networking (SDN) technology has become the development trend. However, because the cloud environment is dynamic, the number of network devices is large, and the policy scale is large and complex, static permission assignment becomes increasingly complicated. Therefore, this thesis proposes an objective and feasible dynamic policy control method for the cloud environment to solve the above problems.

(1) In the cloud environment, an SELinux host restricts resource access on the local machine according to its security policy. However, because the policy is complex and the generated audit log is large, manually analyzing the access operations in the log to optimize the policy is inefficient and error-prone. To deal with this problem, this thesis proposes a SELinux policy adaptation method based on ensemble learning, comprising the construction of a knowledge base, the design of the individual classification methods, the fusion of the classification results, and the design of the policy adaptation method. Through multiple rounds of iterative learning, new rules are mined from the audit logs, and SELinux policy optimization is completed adaptively.

(2) In the research on dynamic policy control of resource access under SELinux, this thesis extends the scope of resource access control from the local machine to end-to-end hosts. Cross-host resource access in the cloud environment is captured and decided by various network devices. With numerous devices and heterogeneous, complex policy models, configuring policies statically is difficult and untimely. To solve this problem, this thesis proposes a dynamic policy control method based on multi-decision-model collaboration. The reachability of an access request is judged by the collaborative computation of the multi-decision model, and new rules can be generated dynamically for the network equipment. Finally, a policy adaptation method for network equipment is proposed, which automatically analyzes, detects and repairs the conflicts introduced by the new rules, thereby realizing dynamic policy control across multiple devices.

In this thesis, three sets of simulation experiments are designed for the core methods of dynamic policy control. Through simulation scheme design, data acquisition and result comparison, the advantages and disadvantages of the methods are verified from different perspectives. The experiments show that the SELinux ensemble classification method achieves an accuracy of 96.5% and an unrecognized rate of 4.4% when classifying unknown access patterns; the policy adaptation method for firewalls and switches also performs well. The method proposed in this thesis can effectively improve the resource protection capability of a dynamically changing cloud environment and, to a certain extent, alleviate the dependence of policy configuration on policy experts.
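The pipeline described in part (1), as an added illustration that is not the thesis's code: AVC denial records are parsed from the audit log, each access tuple is scored by several individual classifiers, the votes are fused, and accepted tuples are emitted as candidate SELinux allow rules while undecided ones go to an expert queue and decided ones enter the knowledge base for the next learning round. The log lines, the sensitive-type list and the three heuristic classifiers are constructed stand-ins for the thesis's learned classifiers, and the knowledge base is a plain dictionary of previously confirmed decisions; all of these are assumptions of this example.

```python
"""Toy SELinux audit-log mining pipeline (illustrative example, not the thesis's code)."""
import re
from collections import Counter

# Constructed sample AVC denials in auditd format (not output of a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="vda1" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="vda1" ino=10 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { getattr } for  pid=4321 comm="backup" path="/srv/data" scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed list of target types that a heuristic classifier treats as sensitive.
SENSITIVE_TYPES = {"shadow_t", "passwd_file_t", "ssh_home_t"}


def parse_avc(line):
    """Return one (source_type, target_type, tclass, perm) record per denied permission."""
    m = AVC_RE.search(line)
    if not m:
        return []
    stype = m.group("scontext").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return [(stype, ttype, m.group("tclass"), p) for p in m.group("perms").split()]


# Individual classifiers: each returns "allow", "deny" or "unknown" (abstains).
def clf_knowledge_base(rec, kb):
    return kb.get(rec, "unknown")


def clf_sensitive_target(rec, kb):
    return "deny" if rec[1] in SENSITIVE_TYPES else "unknown"


def clf_domain_affinity(rec, kb):
    # httpd_t accessing httpd_* labelled objects is treated as a plausible allow.
    prefix = rec[0][:-len("_t")] + "_"
    return "allow" if rec[1].startswith(prefix) else "unknown"


CLASSIFIERS = [clf_knowledge_base, clf_sensitive_target, clf_domain_affinity]


def fuse(votes):
    """Majority vote over non-abstaining classifiers; ties and no votes stay unknown."""
    ranked = Counter(v for v in votes if v != "unknown").most_common()
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return "unknown"
    return ranked[0][0]


def classify_log(log_text, kb):
    decisions = {}
    for line in log_text.splitlines():
        for rec in parse_avc(line):
            decisions[rec] = fuse([clf(rec, kb) for clf in CLASSIFIERS])
    return decisions


def to_te_rule(rec):
    stype, ttype, tclass, perm = rec
    return f"allow {stype} {ttype}:{tclass} {{ {perm} }};"


def adapt(kb, decisions):
    """One learning round: decided records enter the knowledge base, unknowns go to review."""
    review = []
    for rec, decision in decisions.items():
        if decision == "unknown":
            review.append(rec)
        else:
            kb[rec] = decision
    return review


def unrecognized_rate(decisions):
    return sum(d == "unknown" for d in decisions.values()) / len(decisions)


def run_round(log_text, kb):
    """Return (decisions, candidate allow rules, records queued for expert review)."""
    decisions = classify_log(log_text, kb)
    rules = [to_te_rule(r) for r, d in decisions.items() if d == "allow"]
    return decisions, rules, adapt(kb, decisions)


if __name__ == "__main__":
    kb = {("httpd_t", "mysqld_port_t", "tcp_socket", "name_connect"): "allow"}  # constructed
    decisions, rules, review = run_round(SAMPLE_LOG, kb)
    print(decisions, rules, review, unrecognized_rate(decisions), sep="\n")
```

Denied records are never turned into rules: SELinux denies by default, so a "deny" decision only records the tuple in the knowledge base so the same pattern is recognized next round. Candidate allow rules are meant for review before being compiled into a module.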
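The conflict analysis and repair step of part (2), as an added example that is not the thesis's method: a dynamically generated rule is checked against an ordered, first-match firewall rule set for the classical anomalies (redundant, shadowed, correlated) and is then placed so that it is neither dead nor hidden by an earlier rule. The rule model (5-tuple with CIDR endpoints, protocol and a port range), the constructed rule set and the repair strategy of moving a more specific rule ahead of the rule that would shadow it are assumptions of this example.

```python
"""Toy first-match firewall rule conflict detection and repair (illustrative example)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # (low, high), inclusive
    action: str     # "allow" or "deny"

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dports[0] <= other.dports[0]
                and other.dports[1] <= self.dports[1])

    def overlaps(self, other):
        """True if some packet is matched by both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and ("any" in (self.proto, other.proto) or self.proto == other.proto)
                and max(self.dports[0], other.dports[0]) <= min(self.dports[1], other.dports[1]))


def analyze(rules, new):
    """Classify each earlier rule's relation to `new` if `new` were appended last."""
    findings = []
    for r in rules:
        if r.covers(new):
            findings.append(("redundant" if r.action == new.action else "shadowed", r.name))
        elif r.overlaps(new) and r.action != new.action:
            findings.append(("correlated", r.name))   # partial overlap, order matters
    return findings


def add_rule(rules, new):
    """Insert `new` into the ordered rule set, repairing shadowing; return (rules, findings)."""
    findings = analyze(rules, new)
    out = list(rules)
    first_cover = next(((k, n) for k, n in findings if k in ("redundant", "shadowed")), None)
    if first_cover is None:
        out.append(new)
    elif first_cover[0] == "shadowed":
        # The more specific rule must precede the first rule that would hide it.
        pos = next(i for i, r in enumerate(out) if r.name == first_cover[1])
        out.insert(pos, new)
    # "redundant": an earlier rule with the same action already decides these packets.
    return out, findings


# Constructed rule set of a perimeter device (not from any real deployment).
BASE_RULES = [
    Rule("deny-db-from-internet", "0.0.0.0/0", "10.0.2.0/24", "tcp", (3306, 3306), "deny"),
    Rule("allow-web", "0.0.0.0/0", "10.0.1.0/24", "tcp", (80, 443), "allow"),
]
# Constructed rules that a dynamic policy controller might generate.
NEW_APP_TO_DB = Rule("allow-app-to-db", "10.0.1.0/24", "10.0.2.0/24", "tcp", (3306, 3306), "allow")
NEW_HTTPS = Rule("allow-https", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), "allow")
NEW_DENY_LAB = Rule("deny-web-from-lab", "10.0.9.0/24", "10.0.0.0/16", "tcp", (80, 80), "deny")


if __name__ == "__main__":
    for candidate in (NEW_APP_TO_DB, NEW_HTTPS, NEW_DENY_LAB):
        ordered, findings = add_rule(BASE_RULES, candidate)
        print(candidate.name, findings, [r.name for r in ordered])
```

A correlated finding is reported but not repaired automatically, since which of two partially overlapping rules should win is a policy decision rather than a mechanical one; that is the case the abstract leaves to the adaptation method for network equipment.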