Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (9): 82-89. doi: 10.11896/jsjkx.221000199
刘轩宇, 张帅, 霍树民, 商珂
LIU Xuanyu, ZHANG Shuai, HUO Shumin, SHANG Ke
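Abstract: Microservice architecture is flexible and scalable, effectively improves software agility, and has become the most mainstream approach to delivering applications in the cloud. However, splitting an application into microservices makes its attack surface grow explosively, which poses a major challenge to designing moving target defense strategies built around "defending key points". To address this problem, a microservice moving target defense strategy based on an adaptive genetic algorithm (AGA) is proposed, namely the dynamic rotation strategy (DRS). First, the attacker's attack paths are analyzed based on the characteristics of microservices. Then, a microservice attack graph model is proposed to formalize various attack scenarios, and the security gain and defense return rate of the moving target defense strategy are analyzed quantitatively. Finally, AGA is used to solve for the optimal security configuration of the moving target defense, that is, the optimal dynamic rotation period of the microservices. Experiments show that DRS is scalable and that, compared with the uniform configuration strategy, DSEOM, and the random configuration strategy, it improves the defense return rate by 17.25%, 41.01% and 222.88%, respectively.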