面向云网融合SaaS安全的虚拟网络功能映射方法

doi:10.19678/j.issn.1000-3428.0061203

摘要/Abstract

摘要： 在云网融合背景下，承载软件即服务（SaaS）业务功能的云基础设施可能横跨多个数据中心和归属网络，难以保证云资源安全可控。为缩短SaaS业务服务的处理时延，设计基于冗余执行和交叉检验的SaaS组合服务模式，并对容器、Hypervisor和云基础设施的安全威胁进行建模，建立拟态化虚拟网络功能映射模型和安全性优化机制。在此基础上，提出基于近端策略优化的PJM算法。实验结果表明，与CCMF、JEGA和QVNE算法相比，PJM算法在满足安全性约束的条件下，能够降低约12.2%业务端到端时延。

关键词: 云计算, 软件即服务, 云网融合, 虚拟网络映射, 网络空间拟态防御, 服务功能链, 近端策略优化

Abstract: In the context of cloud-network integration, the cloud infrastructure carrying Software as a Service(SaaS) business functions may span multiple data centers and home networks, which adds difficulty to the security and controllability of cloud resources.In order to reduce the processing delay of SaaS business services, the SaaS composite service mode is designed based on redundant execution and cross inspection.The security threats of container, Hypervisor and cloud infrastructure are modeled, and the Mimetic Virtural Network Function Embedding(MVNE) model and the security optimization mechanism are established.On this basis, the PJM algorithm based on proximal strategy optimization is proposed.The experimental results show that, compared with CCMF, JEGA and QVNE algorithms, the PJM algorithm can reduce the end-to-end delay of services by about 12.2% under the security constraints.

Key words: cloud computing, Software as a Service(SaaS), cloud-network integration, Virtual Network Embedding(VNE), Cyber Mimic Defense(CMD), Service Function Chain(SFC), Proximal Policy Optimization(PPO)

中图分类号:

TP393

李凌书, 邬江兴. 面向云网融合SaaS安全的虚拟网络功能映射方法[J]. 计算机工程, 2021, 47(12): 30-39.

LI Lingshu, WU Jiangxing. SaaS Security Oriented Virtual Network Function Embedding Method Under Cloud-Network Integration[J]. Computer Engineering, 2021, 47(12): 30-39.

http://www.ecice06.com/CN/Y2021/V47/I12/30

图/表 11

20211213181401

20211213181405

20211213181408

20211213181411

20211213181415

20211213181419

20211213181422

20211213181425

20211213181429

20211213181432

20211213181436

参考文献

[1] DEHURY C K, SAHOO P K.DYVINE:fitness-based dynamic virtual network embedding in cloud computing[J].IEEE Journal on Selected Areas in Communications, 2019, 37(5):1029-1045.
[2] QUAN Y, TANG H, YOU W, et al.Virtual network function scheduling via multilayer encoding genetic algorithm with distributed bandwidth allocation[J].Science China Information Sciences, 2018, 61(9):92-107.
[3] YE Z, CAO X, WANG J, et al.Joint topology design and mapping of service function chains for efficient, scalable, and reliable network functions virtualization[J].IEEE Network, 2016, 30(3):81-87.
[4] 王晓雷, 陈云杰, 王琛, 等.基于Q-learning的虚拟网络功能调度方法[J].计算机工程, 2019, 45(2):64-69. WANG X, CHEN Y J, WANG C, et al.Scheduling method of virtual network function based on Q-learning[J].Computer Engineering, 2019, 45(2):64-69.(in Chinese)
[5] SONG A, CHEN W N, GONG Y J, et al.A divide-and-conquer evolutionary algorithm for large-scale virtual network embedding[J].IEEE Transactions on Evolutionary Computation, 2019, 24(3):566-580.
[6] LI Z, LU Z, DENG S, et al.A self-adaptive virtual network embedding algorithm based on software-defined networks[J].IEEE Transactions on Network and Service Management, 2018, 16(1):362-373.
[7] DOLATI M, HASSANPOUR S B, GHADERI M, et al.DeepViNE:virtual network embedding with deep reinforcement learning[C]//Proceedings of IEEE Conference on Computer Communications Workshops.Washington D.C., USA:IEEE Press, 2019:879-885.
[8] LIU S, CAI Z, XU H, et al.Towards security-aware virtual network embedding[J].Computer Networks, 2015, 91:151-163.
[9] BAYS L R, OLIVEIRA R R, BURIOL L S, et al.Security-aware optimal resource allocation for virtual network embedding[C]//Proceedings of the 8th International Conference on Network and Service Management.Washington D.C., USA:IEEE Press, 2012:378-384.
[10] ZHANG P, WANG C, JIANG C, et al.Security-aware virtual network embedding algorithm based on reinforcement learning[J].IEEE Transactions on Network Science and Engineering, 2021, 8(2):1095-1105.
[11] DUAN Q, YAN Y, VASILAKOS A V.A survey on service-oriented network virtualization toward convergence of networking and cloud computing[J].IEEE Transactions on Network & Service Management, 2012, 9(4):373-392.
[12] ZHANG P, YAO H, LI M, et al.Virtual network embedding based on modified genetic algorithm[J].Peer-to-Peer Networking and Applications, 2019, 12(2):481-492.
[13] YAN Z, GE J, WU Y, et al.Automatic virtual network embedding:a deep reinforcement learning approach with graph convolutional networks[J].IEEE Journal on Selected Areas in Communications, 2020, 38(6):1040-1057.
[14] CAO H, HU H, QU Z, et al.Heuristic solutions of virtual network embedding:a survey[J].China Communications, 2018, 15(3):186-219.
[15] 葛君伟, 张博, 方义秋.云计算环境下的资源监测模型研究[J].计算机工程, 2011, 37(11):31-33. GE J W, ZHANG B, FANG Y Q.Study on resource monitoring model in cloud computing enviroment[J].Computer Engineering, 2011, 37(11):31-33.(in Chinese)
[16] ROST M, SCHMID S.Virtual network embedding approximations:leveraging randomized rounding[J].IEEE/ACM Transactions on Networking, 2019, 27(5):2071-2084.
[17] MEDHAT A M, TALEB T, ELMANGOUSH A, et al.Service function chaining in next generation networks:state of the art and research challenges[J].IEEE Communications Magazine, 2016, 55(2):216-223.
[18] JANSEN W A.Cloud hooks:security and privacy issues in cloud computing[C]//Proceedings of the 44th International Conference on System Sciences.Washington D.C., USA:IEEE Press, 2011:1-10.
[19] HASHIZUME K, ROSADO D G, FERNÁNDEZ-MEDINA E, et al.An analysis of security issues for cloud computing[J].Journal of Internet Services and Applications, 2013, 4(1):1-13.
[20] GONZALEZ N, MIERS C, REDIGOLO F, et al.A quantitative analysis of current security concerns and solutions for cloud computing[J].Journal of Cloud Computing:Advances, Systems and Applications, 2012, 1(1):1-18.
[21] VERMA A, MITTAL M, CHHABRA B.The mutual authentication scheme to detect virtual side channel attack in cloud computing[J].International Journal of Computer Science and Information Security, 2017, 15(3):83-98.
[22] SZEFER J, KELLER E, LEE R B, et al.Eliminating the hypervisor attack surface for a more secure cloud[C]//Proceedings of the 18th ACM Conference on Computer and Communications Security.New York, USA:ACM Press, 2011:401-412.
[23] STEWIN P, BYSTROV I.Understanding DMA malware[C]//Proceedings of International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment.Berlin, Germany:Springer, 2012:21-41.
[24] WU J.Cyberspace mimic defense:generalized robust control and endogenous security[M].Berlin, Germany:Springer, 2020.
[25] YAO H, ZHANG B, ZHANG P, et al.RDAM:a reinforcement learning based dynamic attribute matrix representation for virtual network embedding[J].IEEE Transactions on Emerging Topics in Computing, 2021, 9(2):901-914.
[26] 陈卓, 冯钢, 何颖, 等.运营商网络中基于深度强化学习的服务功能链迁移机制[J].电子与信息学报, 2020, 42(9):2173-2179. CHEN Z, FENG G, HE Y, et al.Service function chain migration mechanism based on deep reinforcement learning in operator network[J].Journal of Electronics & Information Technology, 2020, 42(9):2173-2179.(in Chinese)
[27] SCHULMAN J, WOLSKI F, DHARIWAL P, et al.Proximal policy optimization algorithms[EB/OL].(2017-08-28)[2021-02-05].https://arxiv.org/pdf/1707.06347.pdf.
[28] 张红旗, 黄睿, 杨英杰, 等.基于Q-learning的跨域服务链映射机制[J].通信学报, 2018, 39(12):102-112. ZHANG H Q, HUANG R, YANG Y J, et al.Cross-domain service chain mapping mechanism based on Q-learning[J].Journal on Communications, 2018, 39(12):102-112.(in Chinese)
[29] ORLOWSKI S, WESSÄLY R, PIÓRO M, et al.SNDlib 1.0-survivable network design library[J].Networks, 2010, 55(3):276-286.

选择文件类型/文献管理软件名称

选择包含的内容