Recently,virtualization technologies have been widely used in industry.In order to monitor the security of target systems in virtualization environments,conventional methods usually put the security monitoring mechani...Recently,virtualization technologies have been widely used in industry.In order to monitor the security of target systems in virtualization environments,conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems.However,these methods are either prone to be tempered by attackers or introduce considerable performance overhead for target systems.To address these problems,in this paper,we present a concurrent security monitoring method which decouples traditional serial mechanisms,including security event collector and analyzer,into two concurrent components.On one hand,we utilize the SIM framework to deploy the event collector into the target virtual machine.On the other hand,we combine the virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment.To address the synchronization problem between these two concurrent components,we make use of Lamport's ring buffer algorithm.Based on the Xen hypervisor,we have implemented a prototype system named COMO.The experimental results show that COMO can monitor the security of the target virtual machine concurrently within a little performance overhead.展开更多
Infrastructure as a Service(IaaS)provides logical separation between data,network,applications and machines from the physical constrains of real machines.IaaS is one of the basis of cloud virtualization.Recently,secur...Infrastructure as a Service(IaaS)provides logical separation between data,network,applications and machines from the physical constrains of real machines.IaaS is one of the basis of cloud virtualization.Recently,security issues are also gradually emerging with virtualization of cloud computing.Different security aspects of cloud virtualization will be explored in this research paper,security recognizing potential threats or attacks that exploit these vulnerabilities,and what security measures are used to alleviate such threats.In addition,a dis-cussion of general security requirements and the existing security schemes is also provided.As shown in this paper,different components of virtualization environ-ment are targets to various attacks that in turn leads to security issues compromis-ing the whole cloud infrastructure.In this paper an overview of various cloud security aspects is also provided.Different attack scenarios of virtualization envir-onments and security solutions to cater these attacks have been discussed in the paper.We then proceed to discuss API security concerns,data security,hijacking of user account and other security concerns.The aforementioned discussions can be used in the future to propose assessment criteria,which could be useful in ana-lyzing the efficiency of security solutions of virtualization environment in the face of various virtual environment attacks.展开更多
Currently, different kinds of security devices are deployed in the cloud datacenter environment and tenants may choose their desired security services such as firewall and IDS (intrusion detection system). At the sa...Currently, different kinds of security devices are deployed in the cloud datacenter environment and tenants may choose their desired security services such as firewall and IDS (intrusion detection system). At the same time, tenants in cloud computing datacenters are dynamic and have different requirements. Therefore, security device deployment in cloud datacenters is very complex and may lead to inefficient resource utilization. In this paper, we study this problem in a software-defined network (SDN) based multi-tenant cloud datacenter environment. We propose a load-adaptive traffic steering and packet forwarding scheme called LTSS to solve the problem. Our scheme combines SDN controller with TagOper plug-in to determine the traffic paths with the minimum load for tenants and allows tenants to get their desired security services in SDN-based datacenter networks. We also build a prototype system for LTSS to verify its functionality and evaluate performance of our design.展开更多
With the continuous advancement of virtualization technology and the widespread adoption of 5G networks,the application of the Network Function Virtualization (NFV) architecture has become increasingly popular and pre...With the continuous advancement of virtualization technology and the widespread adoption of 5G networks,the application of the Network Function Virtualization (NFV) architecture has become increasingly popular and prevalent.While the NFV architecture brings a lot of advantages, it also introduces security challenges, including the effectiveand efficient verification of the integrity of deployed Virtual Network Functions (VNFs) and ensuring the secureoperation of VNFs. To address the challenge of efficiently conducting virtual remote attestation for VNFs and establishingtrust in virtualized environments like NFV architecture, we propose TVRAVNF, which is a highly efficientand low-cost TEE-based virtual remote attestation scheme for VNFs. The scheme we proposed ensures the securityand effectiveness of the virtual remote attestation process by leveraging TEE. Furthermore, we introduces a novellocal attestation mechanism, which not only reduces the overall overhead of the virtual remote attestation processbut also shortens the attestation interval to mitigate Time-Of-Check-Time-Of-Use attacks, thereby enhancing overallsecurity. We conduct experiments to validate the overhead of the TVRAVNF scheme and compare its performancewith that of a typical remote attestation process within a maximum unattested time interval. The experimental resultsdemonstrate that, by employing the local attestation mechanism, our solution achieves nearly an 80% significantperformance improvement with a relatively small time overhead for small to medium-sized files. This further substantiatesthe significant advantages of our approach in both security and efficiency.展开更多
Software-Defined Networking(SDN) decouples the control plane and the data plane in network switches and routers, which enables the rapid innovation and optimization of routing and switching configurations. However,t...Software-Defined Networking(SDN) decouples the control plane and the data plane in network switches and routers, which enables the rapid innovation and optimization of routing and switching configurations. However,traditional routing mechanisms in SDN, based on the Dijkstra shortest path, do not take the capacity of nodes into account, which may lead to network congestion. Moreover, security resource utilization in SDN is inefficient and is not addressed by existing routing algorithms. In this paper, we propose Route Guardian, a reliable securityoriented SDN routing mechanism, which considers the capabilities of SDN switch nodes combined with a Network Security Virtualization framework. Our scheme employs the distributed network security devices effectively to ensure analysis of abnormal traffic and malicious node isolation. Furthermore, Route Guardian supports dynamic routing reconfiguration according to the latest network status. We prototyped Route Guardian and conducted theoretical analysis and performance evaluation. Our results demonstrate that this approach can effectively use the existing security devices and mechanisms in SDN.展开更多
基金supported in part by National Natural Science Foundation of China(NSFC)under Grant No.61100228 and 61202479the National High-tech R&D Program of China under Grant No.2012AA013101+1 种基金the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No.XDA06030601 and XDA06010701Open Found of Key Laboratory of IOT Application Technology of Universities in Yunnan Province Grant No.2015IOT03
文摘Recently,virtualization technologies have been widely used in industry.In order to monitor the security of target systems in virtualization environments,conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems.However,these methods are either prone to be tempered by attackers or introduce considerable performance overhead for target systems.To address these problems,in this paper,we present a concurrent security monitoring method which decouples traditional serial mechanisms,including security event collector and analyzer,into two concurrent components.On one hand,we utilize the SIM framework to deploy the event collector into the target virtual machine.On the other hand,we combine the virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment.To address the synchronization problem between these two concurrent components,we make use of Lamport's ring buffer algorithm.Based on the Xen hypervisor,we have implemented a prototype system named COMO.The experimental results show that COMO can monitor the security of the target virtual machine concurrently within a little performance overhead.
文摘Infrastructure as a Service(IaaS)provides logical separation between data,network,applications and machines from the physical constrains of real machines.IaaS is one of the basis of cloud virtualization.Recently,security issues are also gradually emerging with virtualization of cloud computing.Different security aspects of cloud virtualization will be explored in this research paper,security recognizing potential threats or attacks that exploit these vulnerabilities,and what security measures are used to alleviate such threats.In addition,a dis-cussion of general security requirements and the existing security schemes is also provided.As shown in this paper,different components of virtualization environ-ment are targets to various attacks that in turn leads to security issues compromis-ing the whole cloud infrastructure.In this paper an overview of various cloud security aspects is also provided.Different attack scenarios of virtualization envir-onments and security solutions to cater these attacks have been discussed in the paper.We then proceed to discuss API security concerns,data security,hijacking of user account and other security concerns.The aforementioned discussions can be used in the future to propose assessment criteria,which could be useful in ana-lyzing the efficiency of security solutions of virtualization environment in the face of various virtual environment attacks.
基金The work is supported by the National Natural Science Foundation of China under Grant Nos. 61572137 and 61728202, and Shanghai Innovation Action Project under Grant No. 16DZ1100200.
文摘Currently, different kinds of security devices are deployed in the cloud datacenter environment and tenants may choose their desired security services such as firewall and IDS (intrusion detection system). At the same time, tenants in cloud computing datacenters are dynamic and have different requirements. Therefore, security device deployment in cloud datacenters is very complex and may lead to inefficient resource utilization. In this paper, we study this problem in a software-defined network (SDN) based multi-tenant cloud datacenter environment. We propose a load-adaptive traffic steering and packet forwarding scheme called LTSS to solve the problem. Our scheme combines SDN controller with TagOper plug-in to determine the traffic paths with the minimum load for tenants and allows tenants to get their desired security services in SDN-based datacenter networks. We also build a prototype system for LTSS to verify its functionality and evaluate performance of our design.
基金supported by the project“Technology Cooperation Project of Cross Network Lightweight Adaptive Trust System in ubiquitous network”,the National Key Research and Development Program of China under Grant 2023YFB3107605 and Key Laboratory of Trusted Distributed Computing and Services,Ministry of Education(Beijing University of Posts and Telecommunications).
文摘With the continuous advancement of virtualization technology and the widespread adoption of 5G networks,the application of the Network Function Virtualization (NFV) architecture has become increasingly popular and prevalent.While the NFV architecture brings a lot of advantages, it also introduces security challenges, including the effectiveand efficient verification of the integrity of deployed Virtual Network Functions (VNFs) and ensuring the secureoperation of VNFs. To address the challenge of efficiently conducting virtual remote attestation for VNFs and establishingtrust in virtualized environments like NFV architecture, we propose TVRAVNF, which is a highly efficientand low-cost TEE-based virtual remote attestation scheme for VNFs. The scheme we proposed ensures the securityand effectiveness of the virtual remote attestation process by leveraging TEE. Furthermore, we introduces a novellocal attestation mechanism, which not only reduces the overall overhead of the virtual remote attestation processbut also shortens the attestation interval to mitigate Time-Of-Check-Time-Of-Use attacks, thereby enhancing overallsecurity. We conduct experiments to validate the overhead of the TVRAVNF scheme and compare its performancewith that of a typical remote attestation process within a maximum unattested time interval. The experimental resultsdemonstrate that, by employing the local attestation mechanism, our solution achieves nearly an 80% significantperformance improvement with a relatively small time overhead for small to medium-sized files. This further substantiatesthe significant advantages of our approach in both security and efficiency.
基金supported in part by the National Natural Science Foundation of China (Nos. 61402029, 61370190, and 61379002)the National Key Basic Research Program (973) of China (No. 2012CB315905)
文摘Software-Defined Networking(SDN) decouples the control plane and the data plane in network switches and routers, which enables the rapid innovation and optimization of routing and switching configurations. However,traditional routing mechanisms in SDN, based on the Dijkstra shortest path, do not take the capacity of nodes into account, which may lead to network congestion. Moreover, security resource utilization in SDN is inefficient and is not addressed by existing routing algorithms. In this paper, we propose Route Guardian, a reliable securityoriented SDN routing mechanism, which considers the capabilities of SDN switch nodes combined with a Network Security Virtualization framework. Our scheme employs the distributed network security devices effectively to ensure analysis of abnormal traffic and malicious node isolation. Furthermore, Route Guardian supports dynamic routing reconfiguration according to the latest network status. We prototyped Route Guardian and conducted theoretical analysis and performance evaluation. Our results demonstrate that this approach can effectively use the existing security devices and mechanisms in SDN.
