
Virtual Migration-based Active Defense System Against Side Channel Attacks In The Cloud

Posted on: 2024-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Ding
Full Text: PDF
GTID: 2568306944462584
Subject: Cyberspace security
Abstract/Summary:

Cloud computing technology is the third revolution of the Internet and has been one of the most talked about topics in computing for years. At the same time, a variety of security threats have emerged in the cloud. The Cache-based Side Channel Attack (CSCA) is one of them: it takes advantage of shared resources in the cloud to steal sensitive data such as users' keys and private information, causing great losses to users who are co-resident with the attacker. Existing defense schemes are limited in detection dimension and application scope, are not sufficient to defend against this new attack method, and do not take into account the security, availability and load balancing requirements of the cloud platform.

To address these issues, this thesis designs and implements a virtual migration-based active defense system against side channel attacks in the cloud. Using the idea of Moving Target Defense (MTD), the system considers the side channel threats and co-residency risks faced by physical hosts and virtual machines while taking migration costs and load balancing into account, and guides the migration engine to make the optimal VM scheduling policy according to the current side channel attack threat. In addition, the Concept Drift phenomenon caused in the defense system by the large number of live migrations seriously affects the accuracy of traditional anomaly detection methods. To address this problem, this thesis designs an anomaly detection framework in the monitoring system that accommodates continuous Concept Drift, which improves the monitoring and alerting capability and further enhances the security of the private cloud platform.

The main work of this thesis is as follows.

(1) This thesis proposes a migration priority evaluation system combining virtual and physical machines. It detects the side channel threats faced by VMs by collecting time series under different dimensions of multiple services, constructs a deep-level VM migration priority evaluation system, dynamically characterizes VM scheduling priorities in the migration algorithms, and improves the cognitive intelligence of the system.

(2) This thesis proposes an active migration and blocking algorithm for VMs. It gives priority to system security performance while taking into account the migration cost and load balancing of the defense platform, responds effectively to the threat of side channel attacks in the cloud, guides the migration engine to produce active scheduling strategies for VM nodes in the current environment, and blocks malicious VMs to cut off the chain of side channel attacks and improve system security.

(3) This thesis proposes a real-time anomaly detection framework that adapts to continuous concept drift. By combining the spectral residual and SVM (Support Vector Machines) algorithms, the impact of live migration on anomaly detection results is eliminated to the maximum extent, making the anomaly detection algorithm applicable to the monitoring service of this system and improving the alerting capability of the monitoring system.

(4) Following the intelligent defense-in-depth method against side channel attacks in the cloud proposed in this thesis, a private cloud system is built in a laboratory environment using OpenStack. Each module is integrated and deployed in the platform, and each module of the whole system is experimentally tested to verify the feasibility and effectiveness of the proposed method.

Finally, this thesis summarizes the whole work and gives an outlook on future research directions for the currently unsolved problems.
Keywords/Search Tags: cloud computing, side channel attack, moving target defense, live migration, cloud monitor