A Service Function Chain Deployment Method Against Side Channel Attack
doi: 10.11999/JEIT190127
National Digital Switching System Engineering & Technological Research Center, Zhengzhou 450002, China
Funds: National Natural Science Foundation of China (61802429, 61872382, 61521003); National Key R&D Program of China (2017YFB0803201, 2017YFB0803204)
-
Abstract: Side channel attacks are currently the main route for information leakage between tenants in cloud computing environments, and existing service function chain (SFC) deployment methods do not adequately consider the side channel attacks that virtual network functions (VNFs) face in a multi-tenant setting. This paper proposes an SFC deployment method that resists side channel attacks. It introduces a tenant classification strategy based on average running time and a deployment strategy that takes historical placement information into account; subject to the resource constraints of the SFC, it builds an optimization model whose objective is to minimize the number of servers a tenant can cover, so that a tenant which keeps requesting VNFs is packed onto servers it already occupies instead of being spread across the data center, which is exactly what an attacker probing for co-residence with a victim needs. A greedy deployment algorithm is designed for this model. Experimental results show that, compared with other deployment methods, the proposed method markedly raises the difficulty and cost for a malicious tenant to achieve co-residence and lowers the side channel attack risk faced by tenants.
-
Table 1 Deployment algorithm based on tenant classification and historical information
Input: service function chain request information $r$
Output: deployment scheme for request $r$
(1) # Tenant classification
(2) Compute the average running time ${\rm{AVG}}_\eta$ and determine the class XT of the tenant ${\eta^r}$ that issued the request;
(3) According to the classification result, determine the set of deployable servers $\bar N^{\rm{XT}}$ and the set of servers $\bar N_{{\eta^r}}^{\rm{XT}}$ that tenant ${\eta^r}$ already occupies in that region;
(4) # VNF deployment
(5) SFCdpsucc=0, nodedpsucc=0  # flags recording deployment success or failure;
(6) For each ${\rm{VNF}}_i^r$ in $\psi^r$  # iterate over all m VNFs of the SFC request;
(7) From $\bar N^{\rm{XT}}$ and $\bar N_{{\eta^r}}^{\rm{XT}}$, select the servers that support this VNF type and have enough remaining resources, giving $\bar N_{{\rm{VNF}}_i^r}^{\rm{XT}}$ and $\bar N_{{\eta^r},{\rm{VNF}}_i^r}^{\rm{XT}}$;
(8) If $\bar N_{{\eta^r},{\rm{VNF}}_i^r}^{\rm{XT}}$ is not empty, deploy ${\rm{VNF}}_i^r$ on the server node in it with the most remaining resources;
(9) If $\bar N_{{\eta^r},{\rm{VNF}}_i^r}^{\rm{XT}}$ is empty, deploy ${\rm{VNF}}_i^r$ on the server node in $\bar N_{{\rm{VNF}}_i^r}^{\rm{XT}}$ with the most remaining resources;
(10) Record the server node $n_i^r$ on which ${\rm{VNF}}_i^r$ is deployed, and tentatively update the remaining resources of $n_i^r$ and the set $\bar N_{{\eta^r}}^{\rm{XT}}$;
(11) If every VNF in $\psi^r$ has found a deployable server node;
(12) nodedpsucc=1, and commit the updates to the remaining resources of the affected server nodes and to $\bar N_{{\eta^r}}^{\rm{XT}}$.
(13) # Virtual link deployment
(14) linkdpsucc=0  # flag recording link deployment success or failure;
(15) If nodedpsucc==1;
(16) For each $l_{i,i+1}^r$ in $L^r$  # iterate over all virtual links of the SFC request;
(17) Determine the set $\bar L_{n_i^r,n_{i+1}^r}$ of available paths between nodes $n_i^r$ and $n_{i+1}^r$ with enough remaining bandwidth;
(18) From it, select the paths with the minimum deployment cost $B_{\rm{cost}}^r$  # several paths of equal length may exist;
(19) From those, select the path with the most remaining bandwidth;
(20) Record the path used and tentatively update the remaining link resources;
(21) If every virtual link in $L^r$ has found a deployable physical path;
(22) linkdpsucc=1, and commit the updates to the remaining resources of the affected physical links;
(23) If (nodedpsucc and linkdpsucc)==1;
(24) SFCdpsucc=1  # the SFC request is deployed successfully.
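The following is an added worked example of the greedy procedure in Table 1; it is not the authors' code and does not reproduce their experiments. Everything the page leaves unspecified is assumed here and marked as such: two tenant classes ("long"/"short") split by a runtime threshold, a disjoint server pool per class, a single CPU resource per server, hop count as the link cost $B_{\rm{cost}}^r$, and the bottleneck residual bandwidth as a path's "remaining bandwidth". The topology and the requests in `demo()` are constructed toy data.

```python
# Added example (not the authors' code): greedy SFC placement that follows
# the steps of Table 1. Assumed, not given on the page: two tenant classes
# split by a runtime threshold, a disjoint server pool per class, a single
# CPU resource, hop count as link cost, and the bottleneck residual
# bandwidth as a path's "remaining bandwidth". All data below is constructed.
import copy
from dataclasses import dataclass, field


@dataclass
class Server:
    cls: str                  # tenant class whose pool this server belongs to
    cpu: float                # remaining CPU
    vnf_types: frozenset      # VNF types this server can host
    tenants: set = field(default_factory=set)   # tenants already placed here


@dataclass
class Net:
    servers: dict             # name -> Server
    links: dict               # frozenset({a, b}) -> remaining bandwidth


def classify_tenant(avg_runtime, threshold=24.0):
    """Step (2): tenant class from its average running time (threshold assumed)."""
    return "long" if avg_runtime >= threshold else "short"


def candidate_servers(net, cls, tenant, vnf_type, demand):
    """Step (7): feasible servers in the class pool, split into those the
    tenant already occupies (historical information) and the rest."""
    own, other = [], []
    for name, s in net.servers.items():
        if s.cls == cls and vnf_type in s.vnf_types and s.cpu >= demand:
            (own if tenant in s.tenants else other).append(name)
    return own, other


def simple_paths(net, src, dst, bw):
    """Loop-free paths on which every link still has at least bw bandwidth."""
    out = []

    def walk(node, path):
        if node == dst:
            out.append(list(path))
            return
        for link, rem in net.links.items():
            if node in link and rem >= bw:
                nxt = next(iter(link - {node}))
                if nxt not in path:
                    path.append(nxt)
                    walk(nxt, path)
                    path.pop()

    walk(src, [src])
    return out


def pick_path(net, src, dst, bw):
    """Steps (17)-(19): fewest hops, ties broken by largest bottleneck bandwidth."""
    if src == dst:
        return [src]          # both VNFs on one server: no physical link consumed
    paths = simple_paths(net, src, dst, bw)
    if not paths:
        return None
    fewest = min(map(len, paths))
    shortest = [p for p in paths if len(p) == fewest]
    return max(shortest, key=lambda p: min(net.links[frozenset(e)] for e in zip(p, p[1:])))


def deploy(net, tenant, avg_runtime, vnfs, bw):
    """Table 1 end to end; vnfs = [(vnf_type, cpu_demand), ...].
    Returns (nodes, paths) on success or None; net is changed only on success."""
    cls = classify_tenant(avg_runtime)
    trial = copy.deepcopy(net)            # steps (10)/(20): pre-update on a copy
    nodes = []
    for vtype, demand in vnfs:            # steps (6)-(12)
        own, other = candidate_servers(trial, cls, tenant, vtype, demand)
        pool = own or other               # step (8): own servers first; else step (9)
        if not pool:
            return None
        n = max(pool, key=lambda name: trial.servers[name].cpu)
        trial.servers[n].cpu -= demand
        trial.servers[n].tenants.add(tenant)
        nodes.append(n)
    paths = []
    for a, b in zip(nodes, nodes[1:]):    # steps (16)-(22)
        p = pick_path(trial, a, b, bw)
        if p is None:
            return None
        for e in zip(p, p[1:]):
            trial.links[frozenset(e)] -= bw
        paths.append(p)
    net.servers, net.links = trial.servers, trial.links   # steps (23)-(24): commit
    return nodes, paths


def coverage(net, tenant):
    """The model's objective: number of servers the tenant occupies."""
    return sum(tenant in s.tenants for s in net.servers.values())


def demo():
    """Constructed toy data: two servers per class on a four-node ring."""
    fw_nat = frozenset({"FW", "NAT"})
    net = Net(
        servers={"s1": Server("long", 8, fw_nat), "s2": Server("long", 6, fw_nat),
                 "s3": Server("short", 8, fw_nat), "s4": Server("short", 4, fw_nat)},
        links={frozenset({"s1", "s2"}): 10, frozenset({"s2", "s3"}): 10,
               frozenset({"s3", "s4"}): 10, frozenset({"s4", "s1"}): 10},
    )
    first = deploy(net, "tenantA", 48.0, [("FW", 2), ("NAT", 2)], 1)
    # s2 now has more free CPU than s1, but history keeps tenantA on s1
    second = deploy(net, "tenantA", 48.0, [("FW", 1), ("NAT", 1)], 1)
    third = deploy(net, "tenantB", 2.0, [("FW", 5), ("NAT", 4)], 3)
    fourth = deploy(net, "tenantC", 2.0, [("FW", 9)], 1)   # no room: rejected
    return net, first, second, third, fourth
```

The second request in `demo()` is the point of the history policy: a plain most-free-resources rule would put tenantA's new VNFs on `s2`, raising its coverage to two servers, whereas step (8) keeps it on `s1`, so the tenant gains no new neighbours. Doing the tentative updates on a copy and committing only in steps (23)-(24) means a request that fails part-way (the fourth one) leaves neither server nor link bookkeeping half-modified.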