Ji-Ming Chen,Shi Chen,Xiang Wang,Lin,Li Wang

DOI: https://doi.org/10.1155/2021/2729949

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the rapid development of Internet of Things technology, a large amount of user information needs to be uploaded to the cloud server for computing and storage. Side-channel attacks steal the private information of other virtual machines by coresident virtual machines to bring huge security threats to edge computing. Virtual machine migration technology is currently the main way to defend against side-channel attacks. VM migration can effectively prevent attackers from realizing coresident virtual machines, thereby ensuring data security and privacy protection of edge computing based on the Internet of Things. This paper considers the relevance between application services and proposes a VM migration strategy based on service correlation. This strategy defines service relevance factors to quantify the degree of service relevance, build VM migration groups through service relevance factors, and effectively reduce communication overhead between servers during migration, design and implement the VM memory migration based on the post-copy method, effectively reduce the occurrence of page fault interruption, and improve the efficiency of VM migration.

Qingni SHEN,Qing LI

2015-01-01

Journal of Integration Technology

Abstract:In cloud computing, in order to achieve resource sharing, virtual machines (VMs) of different tenants might be scheduled to run on the same physical machine, namely VMs co-residency, which would bring many new security issues. Therefore, security threats due to VMs co-residency, including resources interference, covert or side channel, denial of service and virtual machine load monitoring were reviewed in this paper. Besides, existing detection methods of co-residency were introduced, four kinds of defense about VMs co-residency were summarized and further trends were also pointed out.

Lu Cao,Ruiwen Li,Xiaojun Ruan,Yuhong Liu

DOI: https://doi.org/10.48550/arXiv.2203.10734

2022-03-21

Abstract:Resource sharing among users serves as the foundation of cloud computing, which, however, may also cause vulnerabilities to diverse co-residence attacks launched by malicious virtual machines (VM) residing in the same physical server with the victim VMs. In this paper, we aim to defend against such co-residence attacks through a secure, workload-balanced, and energy-efficient VM allocation strategy. Specifically, we model the problem as an optimization problem by quantifying and minimizing three key factors: (1) the security risks, (2) the power consumption and (3) the unbalanced workloads among different physical servers. Furthermore, this work considers a realistic environmental setting by assuming a random number of VMs from different users arriving at random timings, which requires the optimization solution to be continuously evolving. As the optimization problem is NP-hard, we propose to first cluster VMs in time windows, and further adopt the Ant Colony Optimization (ACO) algorithm to identify the optimal allocation strategy for each time window. Comprehensive experimental results based on real world cloud traces validates the effectiveness of the proposed scheme.

Distributed, Parallel, and Cluster Computing

Jiming Chen,Li Wang

DOI: https://doi.org/10.1109/iecon.2017.8216812

2017-01-01

Abstract:Load balancing can effectively balance the system load, improving the speed of processing and increasing the utilization of resources in cloud computing. Thus how to optimize load balancing has become one of the hot spots of current researches. The existing virtual machine migration strategies to a certain extent promoted the load balancing, but did not take into account the existence of service relationships that led to the close contacts between user avatar and the virtual machines or the links between virtual machines. It may bring more communication overhead between servers in the process of migration and computing. To this end, a virtual machine migration strategy based on service dependency is proposed. This strategy first establishes a load migration group based on service dependencies and uses it as a migration unit for virtual machine migration, and then it divides the virtual machine migration process into load balancing request phase and virtual machine migration phase for detailed design. Finally, CloudSim simulation results show that virtual machine migration strategy based on service relevance can largely reduce the communication overhead between servers while balancing the load compared with other strategies.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Yuchen Wong,Qingni Shen

DOI: https://doi.org/10.1109/bdcloud.2018.00095

2018-01-01

Abstract:With the fast development of cloud computing, cloud demand has exploded. In order to meet the primary performance needs of cloud users, cloud service providers need to carry out load balancing policy for virtual machines (VMs), which exacerbates the co -residence threats. In this paper, we try to solve the problem from the perspective of VM management, that is to say, we optimize the VM management policy to reduce the chances that ordinary VMs resident with the malicious VMs. In previous researches, the basic idea is to make the attack as difficult as possible during the placement, but there is little discussion about how to retrieve after the attacker successfully co -resident. Compared with them, for the first time we introduce the concept of Familiarity to mark cloud users and their VMs, and then design a secure VM placement algorithm and a secure load balancing algorithm. These algorithms not only make the co -residence difficult but can handle the security issue after it happens. After evaluation, our algorithms can well achieve the expectations.

Guilin Shao,Jiming Chen

DOI: https://doi.org/10.1145/2996890.3007852

2016-01-01

Abstract:According to the problems of the correlation of the data disposed by virtual machines and the reduce of resource utilization caused by migration of a single virtual machine in cloud computing, this paper proposes a load balancing strategy based on data correlation in cloud computing. This strategy finds out the migration unit based on the correlation between the data and the virtual machines used to deal with the same data, and construct the load-intensive data set to carry on the overall migration. The experimental results show that the load balancing strategy can reduce the communication overhead and improve the utilization of resources in a certain extent.

Yuxi Peng,Xinchen Jiang,Shaoming Wang,Yanping Xiang,Liudong Xing

DOI: https://doi.org/10.3390/electronics13163273

IF: 2.9

2024-08-19

Electronics

Abstract:Co-resident attacks are serious security threats in multi-tenant public cloud platforms. They are often implemented by building side channels between virtual machines (VMs) hosted on the same cloud server. Traditional defense methods are troubled by the deployment cost. The existing tenant classification methods can hardly cope with the real dataset that is quite large and extremely unevenly distributed, and may have problems in the processing speed considering the computation complexity of the DBSCAN algorithm. In this paper, we propose a novel co-resident attack defense strategy which solve these problems through an improved and efficient multi-level clustering algorithm and semi-supervised classification method. We propose a novel multi-level clustering algorithm which can efficiently reduce the complexity, since only a few parameter adjustments are required. Built on the proposed clustering algorithm, a semi-supervised classification model is designed. The experimental results of the classification effect and training speed show that our model achieves F-scores of over 85% and is significantly faster than traditional SVM classification methods. Based on the classification of unlabeled tenants into different security groups, the cloud service provider may modify the VM placement policy to achieve physical isolation among different groups, reducing the co-residency probability between attackers and target tenants. Experiments are conducted on a large-scale dataset collected from Azure Cloud Platform. The results show that the proposed model achieves 97.86% accuracy and an average 96.06% F-score, proving the effectiveness and feasibility of the proposed defense strategy.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xin Yang,Abla Smahi,Hui Li,Huayu Zhang,Shuo-Yen Robert Li

DOI: https://doi.org/10.1109/globecom54140.2023.10437647

2023-01-01

Abstract:Cloud computing provides users with cost-effective on-demand resource sharing, but the shared resources also creates additional security risks due to co-location with malicious tenants. In addition to static defensive technologies, Virtual Machine (VM) migration, a type of Moving Target Defense (MTD) technique, provides an alternative solution to mitigate co-resident attacks by dynamically migrating services/tasks among various servers. Although significant progress has been made in this area, critical gaps remain regarding the quantification of these techniques' synergistic effectiveness in cloud computing, as previous research focused on either evaluating the defensive capability of MTD or on examining the characteristics of static strategies. In this paper, we aim to use analytical modeling techniques to quantitatively evaluate the synergistic effectiveness of integrating MTD with VM allocation policies. We designed a synergistically defensive architecture and proposed a Stochastic Reward Net (SRN) model to describe the execution and attacking processes of tasks migrating among multiple servers under three commonly used allocation policies. Moreover, experiments were implemented using SimPy to verify the analytical results obtained from the SRN model and to broaden the evaluation scope. Our comprehensive assessment, using both SRN and experiments, evaluates the defensive capacity and corresponding features for different scenarios. The obtained simulation results were approximate, with an error rate of less than 3.40 %, reflecting the reliability of our methods. Several defensive suggestions were further summarized based on the evaluation.

Venkatanathan Varadarajan,Yinqian Zhang,Thomas Ristenpart,Michael Swift

DOI: https://doi.org/10.48550/arXiv.1507.03114

2015-07-11

Abstract:Public infrastructure-as-a-service clouds, such as Amazon EC2, Google Compute Engine (GCE) and Microsoft Azure allow clients to run virtual machines (VMs) on shared physical infrastructure. This practice of multi-tenancy brings economies of scale, but also introduces the risk of sharing a physical server with an arbitrary and potentially malicious VM. Past works have demonstrated how to place a VM alongside a target victim (co-location) in early-generation clouds and how to extract secret information via side- channels. Although there have been numerous works on side-channel attacks, there have been no studies on placement vulnerabilities in public clouds since the adoption of stronger isolation technologies such as Virtual Private Clouds (VPCs). We investigate this problem of placement vulnerabilities and quantitatively evaluate three popular public clouds for their susceptibility to co-location attacks. We find that adoption of new technologies (e.g., VPC) makes many prior attacks, such as cloud cartography, ineffective. We find new ways to reliably test for co-location across Amazon EC2, Google GCE, and Microsoft Azure. We also found ways to detect co-location with victim web servers in a multi-tiered cloud application located behind a load balancer. We use our new co-residence tests and multiple customer accounts to launch VM instances under different strategies that seek to maximize the likelihood of co-residency. We find that it is much easier (10x higher success rate) and cheaper (up to $114 less) to achieve co-location in these three clouds when compared to a secure reference placement policy.

Cryptography and Security

Yuxia Cheng,Wenzhi Chen,Zonghui Wang,Zhongxian Tang,Yang Xiang

DOI: https://doi.org/10.1016/j.future.2016.11.022

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Traditional virtualization systems cannot effectively isolate the shared micro-architectural resources among VMs. Different types of CPU and memory-intensive VMs contending for these shared resources will lead to different levels of performance degradation, which decreases the system efficiency and Quality of Service (QoS) in the cloud. To address these problems, we design and implement a smart VM co-scheduling system with precise prediction of performance characteristics. First, we identify the performance interference factors and design synthetic micro-benchmarks. By co-running these micro-benchmarks with VMs, we decouple two kinds of VM performance characteristics: VM contention sensitivity and contention intensity. Second, based on the characteristics, we build VM performance prediction model using machine learning techniques to quantify the precise levels of performance degradation. By co-running large numbers of different VMs and collecting their performance scores, we train a robust performance prediction model. Finally, based on the prediction model, we design contention aware VM scheduling algorithms to improve system efficiency and guarantee the QoS of VMs in the cloud. Our experimental results show that the performance prediction model achieves high accuracy and the smart VM scheduling algorithms based on the prediction improves system efficiency and VM performance stability.

Bernard Ousmane Sane,Mandicou Ba,Doudou Fall,Yuzo Taenaka,Ibrahima Niang,Youki Kadobayashi

DOI: https://doi.org/10.1109/access.2024.3404949

IF: 3.9

2024-05-31

IEEE Access

Abstract:Cloud computing has completely changed IT (information technology) by providing IT resources as services on the internet. However, certain types of attacks, such as interdependency attacks, impede its wide adoption. With the latter, an attacker who succeeds in compromising the VM of a user can traverse the hypervisor to launch an attack on the VM(s) of other users on the same hypervisor. Unfortunately, we note a lack of secure and performant allocation policies against this problem. Existing policies focus on security but ignore other factors, including workload balance and energy consumption, which are vital for commercial cloud platforms. In this context, we propose different allocation policies for choosing the datacenter server to which we allocate a new virtual machine. These policies aim to minimize the interdependence of different users' VMs while keeping the system performant regarding workload balance and/or power consumption. By default, our allocation policies treat all legitimate users as attackers and host their virtual machines according to their efficiency and coverage. We first design a secure and balanced solution that increases workload balance to prevent the servers from being overused. Afterward, we propose an algorithm that addresses security, power consumption, and workload balance objectives simultaneously. Based on our simulation results, our solutions perform better than existing algorithms regarding security, workload balance, and power consumption. The balanced solution reduces the chance of an attacker to zero and increases workload balance linearly. In other words, the workload balance is between , and it utilizes slightly more hosts than existing proposals, with gains between . Although our final proposal is less secure than previous algorithms, it performs better, so it has a good workload balance ( ) and consumes less energy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Biao Xu,Minyan Lu

DOI: https://doi.org/10.3390/app13063703

2023-03-14

Applied Sciences

Abstract:The majority of cloud computing consists of servers with different configurations which host several virtual machines (VMs) with changing resource demands. Additionally, co-located VMs are vulnerable to co-resident attacks (CRA) in a networked environment. These two issues may cause uneven resource usage within the server and attacks on the service, leading to performance and security degradation. This paper presents an Agent-based VM migration solution that can balance the burden on commercially diverse servers and avoid potential co-resident attacks by utilizing VM live migrations. The Agent’s policies include the following: (i) a heuristic migration optimization policy to select the VMs to be migrated and the matching hosts; (ii) a migration trigger policy to determine whether the host needs to relocate the VMs; (iii) an acceptance policy to decide if the migration request should be accepted; and (iv) a balancer heuristic policy to make the initial VM allocation. The experiments and analyses demonstrate that the Agents can mitigate CRA in a distributed way to mitigate the associated risks while achieving acceptable load balancing performance.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Kui Su,Lei Xu,Cong Chen,Wenzhi Chen,Zonghui Wang

DOI: https://doi.org/10.1109/isads.2015.42

2015-01-01

Abstract:Virtual machine placement (VMP) problem has been a key issue in IaaS/PaaS cloud infrastructures. Many recent works on VMP prove that inter-VM relations such as memory share, traffic dependency and resource competition should be seriously considered to save energy, increase the performance of infrastructure, reduce service level agreement violation rates and provide better administrative capabilities to the cloud provider. However, most existing works consider the inter-VM relations without taking the heterogeneity of cloud data centers into account. In practice, heterogeneous physical machines (PM) in a heterogeneous data center are often partitioned into logical groups for load balancing and specific services, cloud users always assigned their VMs with specific PM requirements, which make the inter-VM relations far more complex. In this paper, we propose an efficient solution for VMP with inter-VM relation constraints in a heterogeneous data center. The experimental results prove that our solution can efficiently solve the complex problem with an acceptable runtime.

Pengfei Sun,Qingni Shen,Liang Gu,Yangwei Li

DOI: https://doi.org/10.1109/anthology.2013.6784967

2013-01-01

Abstract:Virtualization technologies enable multi-tenancy cloud business models by providing a scalable, shared resource platform for all tenants. Computing capacity, storage, and network are shared between multi-tenants. However, placing different customers' workloads on the same virtualization platform may lead to security vulnerabilities, which include the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure. The co-location of many customers inevitably causes conflict for the cloud provider as customers' communication security requirements are likely to be divergent from each other. In this paper, we introduce Multi-lateral Security concept to multi-tenancy cloud platform. It is difficult to analyze policies defined by consumers in the same virtualization platform in order to guarantee configuration stability given that policies may have conflicts leading to unpredictable effects. We present the Multilateral Security Architecture for Virtualization platform (VPMS) which enables the multilateral security for consumers.

Chongzhou Fang,Han Wang,Najmeh Nazari,Behnam Omidi,Avesta Sasan,Khaled N. Khasawneh,Setareh Rafatirad,Houman Homayoun

DOI: https://doi.org/10.14722/ndss.2022.23149

2021-11-16

Abstract:Cloud computing paradigms have emerged as a major facility to store and process the massive data produced by various business units, public organizations, Internet-of-Things, and cyber-physical systems. To meet users' performance requirements while maximizing resource utilization to achieve cost-efficiency, cloud administrators leverage schedulers to orchestrate tasks to different physical nodes and allow applications from different users to share the same physical node. On the other hand, micro-architectural attacks can exploit the shared resources to compromise the confidentiality/integrity of a co-located victim application. Since co-location is an essential requirement for micro-architectural attacks, in this work, we investigate whether attackers can exploit the cloud schedulers to satisfy the co-location requirement. Our analysis shows that for cloud schedulers that allow users to submit application requirements, an attacker can carefully select the attacker's application requirements to influence the scheduler to co-locate it with a targeted victim application. We call such attack Replication Attack (Repttack). Our experimental results, in both a simulated cluster environment and a real cluster, show similar trends; a single attack instance can reach up to 50% co-location rate and with only 5 instances the co-location rate can reach up to 80%. Furthermore, we propose and evaluate a mitigation strategy that can help defend against Repttack. We believe that our results highlight the fact that schedulers in multi-user clusters need to be more carefully designed with security in mind, and the process of making scheduling decisions should involve as little user-defined information as possible.

Distributed, Parallel, and Cluster Computing

Qian Sun,Qingni Shen,Cong Li,Zhonghai Wu

DOI: https://doi.org/10.1109/trustcom.2016.0123

2016-01-01

Abstract:The rapid development of cloud computing expands the scale of modern cloud data centers, resulting in growing challenges of energy consumption. Load balancing of virtual machines(VMs), for the purposes of improving the utilization of physical resources and reducing energy consumption, has become a research focus in recent years. However, the existing researches mostly focus on how to maximize resource utilization and reduce energy consumption. Security issues in the context of load balancing of VMs were rarely addressed. In this paper, we research the key procedures of load balancing, VM selection and VM placement, we find that the existing schemes introduced several security problems. In consideration of some conclusions of recent researches and inevitable live migrations during load balancing, common tenants have sufficient reasons to worry about their VMs' security when they are migrated to strange hosts and/or co-reside with the VMs owned by strange tenants. In short, VMs' mobility introduced by load balance expands the attack surface. In this work, we classify and analyze related security threats and create an information leakage model for load balancing. We present a new security policy, SeLance, to secure the load balancing via avoiding above threats as far as possible. We develop exact implementations in CloudSim and OpenStack. We show that SeLance can effectively alleviate the threats introduced by load balancing, the security score can improve 46.90%-81.15%, while keeping the load balancer's original function to a great extent (± 2.5%).

Adam Bates,Benjamin Mood,Joe Pletcher,Hannah Pruse,Masoud Valafar,Kevin Butler

DOI: https://doi.org/10.1007/s10207-013-0210-0

2013-10-02

International Journal of Information Security

Abstract:Virtualization is the cornerstone of the developing third-party compute industry, allowing cloud providers to instantiate multiple virtual machines (VMs) on a single set of physical resources. Customers utilize cloud resources alongside unknown and untrusted parties, creating the co-resident threat—unless perfect isolation is provided by the virtual hypervisor, there exists the possibility for unauthorized access to sensitive customer information through the exploitation of covert side channels. This paper presents co-resident watermarking, a traffic analysis attack that allows a malicious co-resident VM to inject a watermark signature into the network flow of a target instance. This watermark can be used to exfiltrate and broadcast co-residency data from the physical machine, compromising isolation without reliance on internal side channels. As a result, our approach is difficult to defend against without costly underutilization of the physical machine. We evaluate co-resident watermarkingunder a large variety of conditions, system loads and hardware configurations, from a local laboratory environment to production cloud environments (Futuregrid and the University of Oregon’s ACISS). We demonstrate the ability to initiate a covert channel of 4 bits per second, and we can confirm co-residency with a target VM instance in <\documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$$<$$\end{document}10 s. We also show that passive load measurement of the target and subsequent behavior profiling is possible with this attack. We go on to consider the detectability of co-resident watermarking, extending our scheme to create a subtler watermarking attack by imitating legitimate cloud customer behavior. Our investigation demonstrates the need for the careful design of hardware to be used in the cloud.

computer science, information systems, theory & methods, software engineering

Lei Xu,Wenzhi Chen,Zonghui Wang,Shuangquan Yang

DOI: https://doi.org/10.1109/ClusterW.2012.14

2012-01-01

Abstract:The biggest advantage of employing virtualization is the ability to flexibly remap physical resources to virtual servers in order to handle the resource redistribution. So virtual machine is the fundamental unit in cloud data center. However, the load of virtual machine constantly changes owing to the needs of applications. In order to improve the resource utilization and reduce power energy, data center needs an automatic, quick and dynamic resource scheduling strategy which treats virtual machine as a scheduling unit to balance load and consolidate servers. In this paper, we present a two-steps dynamic resource scheduling strategy, named Smart-DRS, which fits cloud data center well and strikes a balance between efficiency, cost and instantaneity. Firstly, we employ a prediction technique based on Single Exponential Smoothing algorithm. Then a novel and efficient migration algorithm based on Vector Projection was applied. For evaluating the performance of Smart-DRS, we develop a complete resource management prototype system in which resource scheduling is just only a module. Then we build a cluster with 32 physical machines running with 3200 virtual machines to simulate data center environment. Experiment results tell us that Smart-DRS has a high forecast accuracy and also can deal well with load balancing and load consolidation.

Kejiang Ye,Xiaohong Jiang,Deshi Ye,Dawei Huang

DOI: https://doi.org/10.1109/hpcc.2010.95

2010-01-01

Abstract:Virtualization brings many benefits such as improving system utilization and reducing cost through server consolidation. However, it also introduces isolation problem when running multiple virtual machine workloads in one physical platform. Additionally, with the advent of multi-core technology, more and more cores are built into one die in today's data center that will share and compete for the resource like cache. It's worthy to study the isolation of server consolidation in modern multi-core platform. However, to our knowledge there are few work done on the isolation property especially the fault isolation property when one of the virtual machine workloads is attacked in server consolidation. In this paper, we study the isolation property from performance perspective and provide two optimization methods to improve the isolation property. We first define the isolation property and quantify the performance isolation in consolidation and propose a VM-level optimization method. Then we study the fault isolation by introducing a misbehavior virtual machine in server consolidation scenario and propose a core-level cache-aware optimization method to improve the fault isolation. Experimental results show that our two optimization methods can effectively improve the performance isolation and fault isolation with 29.39% and 19.52% respectively. What's more, Oprofile/Xenoprof toolkits are used to find out the factors affecting isolation property from the hardware events level.