A Service Function Chain Deployment Method Against Side Channel Attack

Peng YI, Jichao XIE, Zhen ZHANG, Yunjie GU, Dan ZHAO

Citation: Peng YI, Jichao XIE, Zhen ZHANG, Yunjie GU, Dan ZHAO. A Service Function Chain Deployment Method Against Side Channel Attack[J]. Journal of Electronics & Information Technology, 2019, 41(11): 2699-2707. doi: 10.11999/JEIT190127

Funds: The National Natural Science Foundation of China (61802429, 61872382, 61521003), The National Key R&D Program of China (2017YFB0803201, 2017YFB0803204)

    Author information:

    Peng YI: male, born 1977, Ph.D., researcher; research interest: cyberspace security

    Jichao XIE: male, born 1993, master's student; research interest: network security

    Zhen ZHANG: male, born 1985, Ph.D., lecturer; research interest: new network architectures

    Yunjie GU: male, born 1994, Ph.D. student; research interest: network function virtualization

    Dan ZHAO: female, born 1992, assistant engineer; research interest: next-generation information and communication networks

    Corresponding author:

    Jichao XIE 912104210329@njust.edu.cn

  • CLC number: TP393
  • Abstract: Side-channel attacks are currently the main route by which information leaks between tenants in a cloud computing environment. Existing service function chain (SFC) deployment methods do not adequately account for the side-channel attacks that virtual network functions (VNFs) face in a multi-tenant environment, so this paper proposes an SFC deployment method that resists side-channel attacks. It introduces a tenant classification strategy based on mean runtime and a deployment strategy that uses historical placement information. Subject to the SFC's resource constraints, it formulates an optimization model whose objective is to minimize the number of servers a tenant can cover, and designs a greedy deployment algorithm for it. Experimental results show that, compared with other deployment methods, this method significantly raises the difficulty and cost for a malicious tenant to achieve co-residence and lowers the side-channel attack risk faced by tenants.
  • Figures:

    Fig. 1  SFC deployment in a cloud environment

    Fig. 2  How a malicious tenant achieves co-residence

    Fig. 3  A malicious tenant mounting a side-channel attack

    Fig. 4  Trend of the number of covered servers

    Fig. 5  Number of SFC requests needed to achieve co-residence

    Fig. 6  Probability of successfully achieving co-residence

    Fig. 7  Effect of MA on the number of covered servers

    Fig. 8  Effect of MA on the number of SFC requests needed to achieve co-residence

    Fig. 9  Effect of MA on the co-residence probability

    Fig. 10  Mean cumulative time of resources rented to achieve co-residence

    Fig. 11  Effect of MA on the mean cumulative rented-resource time

    Fig. 12  Effect of the time parameter on the mean cumulative rented-resource time

    Table 1  Deployment algorithm based on tenant classification and historical information

     Input: service function chain request information $r$
     Output: deployment scheme for request $r$
     (1) # Tenant classification
     (2) Compute the mean runtime ${\rm{AVG}}_\eta$ and determine the class XT of the tenant ${\eta ^r}$ that issued the request;
     (3) From the classification result, determine the set of deployable servers $\bar N^{{\rm{XT}}}$ and the set of servers $\bar N_{{\eta ^r}}^{{\rm{XT}}}$ that tenant ${\eta ^r}$ already occupies in that region;
     (4) # VNF deployment
     (5) SFCdpsucc=0, nodedpsucc=0  # deployment success/failure flags;
     (6) For each ${\rm{VNF}}_i^r$ in $\psi^r$  # iterate over all m VNFs of the SFC request;
     (7)   From $\bar N^{{\rm{XT}}}$ and $\bar N_{{\eta ^r}}^{{\rm{XT}}}$, select the servers that support this VNF type and have enough remaining resources, giving $\bar N_{{\rm{VNF}}_i^r}^{{\rm{XT}}}$ and $\bar N_{{\eta ^r},{\rm{VNF}}_i^r}^{{\rm{XT}}}$;
     (8)   If $\bar N_{{\eta ^r},{\rm{VNF}}_i^r}^{{\rm{XT}}}$ is not empty, deploy ${\rm{VNF}}_i^r$ on the server in it with the most remaining resources;
     (9)   If $\bar N_{{\eta ^r},{\rm{VNF}}_i^r}^{{\rm{XT}}}$ is empty, deploy ${\rm{VNF}}_i^r$ on the server in $\bar N_{{\rm{VNF}}_i^r}^{{\rm{XT}}}$ with the most remaining resources;
     (10)  Record the server node $n_i^r$ on which ${\rm{VNF}}_i^r$ is deployed, and pre-update the remaining resources of $n_i^r$ and the set $\bar N_{{\eta ^r}}^{{\rm{XT}}}$;
     (11) If every VNF in $\psi^r$ has found a server node;
     (12)   nodedpsucc=1, and update the remaining resources of the affected server nodes and $\bar N_{{\eta ^r}}^{{\rm{XT}}}$.
     (13) # Virtual link deployment
     (14) linkdpsucc=0  # link deployment success/failure flag;
     (15) If nodedpsucc==1;
     (16)   For each $l_{i,i + 1}^r$ in $L^r$  # iterate over all virtual links of the SFC request;
     (17)     Determine the set of available paths $\bar L_{n_i^r,n_{i + 1}^r}$ between nodes $n_i^r$ and $n_{i + 1}^r$ with enough remaining bandwidth;
     (18)     From it, select the paths with the minimum deployment cost $B_{{\rm{cost}}}^r$  # there may be several paths of equal length;
     (19)     From those, select the path with the most remaining bandwidth;
     (20)     Record the chosen path and pre-update the remaining link resources;
     (21)   If every virtual link in $L^r$ has found a physical path;
     (22)     linkdpsucc=1, and update the remaining resources of the affected physical links;
     (23) If (nodedpsucc and linkdpsucc)==1;
     (24)   SFCdpsucc=1  # the SFC request is deployed successfully;

    Table 2  VNF resource demand coefficients

    VNF type                               NAT   Firewall   Proxy   IDS   UD_1   UD_2   UD_3   UD_4
    Compute demand / (unit of bandwidth)    1       2         2      6     1      2      3      4
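The method summarized in the abstract and spelled out in Table 1, worked through in Python as an added example (this is not the paper's code or experiment): tenant classification by mean runtime, one server region per class, the own-servers-first greedy VNF placement of steps 7-12, and the fewest-hops-then-most-bandwidth link selection of steps 17-22, with the Table 2 coefficients converting bandwidth into compute demand. The topology, the tenant runtimes, the two-class scheme with a 3600 s threshold, and the assumption that a VNF's bandwidth demand is also the bandwidth of the virtual link to its successor are constructed assumptions; `Cloud`, `deploy`, `best_path`, `classify` and `demo_cloud` are names introduced here.

```python
"""Greedy SFC placement in the shape of Table 1: classify the tenant by the
mean runtime of its past requests, confine it to that class's server region,
and put each VNF on a server the tenant already occupies whenever one fits,
so the tenant's footprint (the number of servers a co-residence attacker
could land next to) stays small. Added example; topology, runtimes and the
3600 s class threshold are constructed assumptions, not values from the paper."""
import heapq

# Table 2: compute demand per unit of bandwidth, by VNF type.
CPU_PER_BW = {"NAT": 1, "Firewall": 2, "Proxy": 2, "IDS": 6,
              "UD_1": 1, "UD_2": 2, "UD_3": 3, "UD_4": 4}
RUNTIME_THRESHOLD = 3600.0  # assumed boundary between class "S" and class "L"


def classify(runtimes):
    """Tenant class XT from AVG_eta, the mean runtime of its past requests."""
    if not runtimes:
        return "S"
    return "L" if sum(runtimes) / len(runtimes) >= RUNTIME_THRESHOLD else "S"


def best_path(links, src, dst, bw):
    """Steps 17-19: among physical paths whose every link has >= bw free
    bandwidth, take the fewest hops, then the largest bottleneck (Dijkstra on
    the key (hops, -bottleneck)).  Returns a list of link keys, [] when both
    VNFs sit on the same server, None when no feasible path exists."""
    if src == dst:
        return []
    heap, done = [(0, -float("inf"), src, [])], set()
    while heap:
        hops, neg_bott, u, path = heapq.heappop(heap)
        if u == dst:
            return path
        if u in done:
            continue
        done.add(u)
        for (a, b), free in links.items():
            if free < bw or u not in (a, b):
                continue
            v = b if a == u else a
            heapq.heappush(heap, (hops + 1, max(neg_bott, -free), v, path + [(a, b)]))
    return None


class Cloud:
    """servers: name -> {"region": XT, "cpu": free units, "types": hostable VNF
    types}; links: (u, v) -> free bandwidth; placed: tenant -> servers it
    currently occupies (the historical information of Table 1)."""

    def __init__(self, servers, links):
        self.servers, self.links, self.placed = servers, links, {}

    def covered_servers(self, tenant):
        return len(self.placed.get(tenant, set()))

    def deploy(self, tenant, runtimes, sfc):
        """sfc: [(vnf_type, bw), ...] in chain order.  Returns the server chosen
        per VNF, or None if the request is rejected; nothing is committed on
        rejection (the "pre-update" of Table 1 is done on copies)."""
        xt = classify(runtimes)
        region = {n for n, s in self.servers.items() if s["region"] == xt}
        occupied = self.placed.get(tenant, set()) & region      # N_bar^XT_eta
        cpu = {n: s["cpu"] for n, s in self.servers.items()}    # tentative copy
        nodes = []
        for vtype, bw in sfc:
            need = bw * CPU_PER_BW[vtype]
            fit = {n for n in region
                   if vtype in self.servers[n]["types"] and cpu[n] >= need}
            pool = (fit & occupied) or fit          # steps 8-9: own servers first
            if not pool:
                return None
            n = max(sorted(pool), key=lambda s: cpu[s])  # most free; name breaks ties
            cpu[n] -= need
            occupied.add(n)
            nodes.append(n)
        links = dict(self.links)                    # tentative copy for step 20
        for i in range(len(sfc) - 1):
            path = best_path(links, nodes[i], nodes[i + 1], sfc[i][1])
            if path is None:
                return None
            for e in path:
                links[e] -= sfc[i][1]
        for n in self.servers:                      # commit (steps 12, 22, 24)
            self.servers[n]["cpu"] = cpu[n]
        self.links = links
        self.placed.setdefault(tenant, set()).update(nodes)
        return nodes


def demo_cloud():
    """Constructed topology: four class-S servers, two class-L, 40 CPU each."""
    servers = {f"s{i}": {"region": "S" if i <= 4 else "L", "cpu": 40,
                         "types": set(CPU_PER_BW)} for i in range(1, 7)}
    links = {("s1", "s2"): 100, ("s2", "s3"): 100, ("s3", "s4"): 100,
             ("s1", "s3"): 100, ("s5", "s6"): 100}
    return Cloud(servers, links)


if __name__ == "__main__":
    cloud = demo_cloud()
    print(cloud.deploy("t1", [600, 1200], [("NAT", 2), ("Firewall", 2), ("IDS", 2)]))
    print(cloud.deploy("t1", [600, 1200], [("IDS", 3), ("IDS", 2)]))
    print(cloud.covered_servers("t1"))            # the quantity the paper minimizes
    print(cloud.deploy("t2", [7200], [("Proxy", 5)]))  # long-lived tenant: L region
```

Running the demo shows the effect the abstract describes: tenant t1's first chain lands entirely on s1, and its second chain keeps using s1 until the IDS no longer fits, only then opening s2, so the tenant covers two servers instead of one per VNF. The long-lived tenant t2 is confined to the L region and can never share a server with t1, and a request that fits nowhere returns None without touching the committed state.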
Publication history
  • Received: 2019-03-01
  • Revised: 2019-06-11
  • Published online: 2019-06-20
  • Issue date: 2019-11-01
