Xueyuan Yin,Xingshu Chen,Lin Chen,Guolin Shao,Hui Li,Shusong Tao

DOI: https://doi.org/10.1109/access.2018.2837039

IF: 3.9

2018-01-01

IEEE Access

Abstract:With the rapid promotion and application of cloud computing technology in various fields, cloud computing security has become the focus of attention. To satisfy the virtual machine (VM) security requirements of communication access control, network anomaly detection, memory monitoring, and file antivirus in Infrastructure as a Service (IaaS) platform, a comprehensive protection framework with the capacity of defense-in-depth for tenant VMs was proposed in this paper, which employed three different layers to satisfy above security requirements of tenant business from the outside to the inside of the VM. At the first layer, a tenant domain model was abstracted and realized based on software defined networking (SDN), which was used to re-obtain the capacity for communication access control for VM traffic and ensure security isolation of different tenant business networks. Besides, to detect the network abnormality of tenant VMs, a traffic structure stability model was constructed according to the deviation degree between current and historical normal network traffic structure profile. At the second layer, the capacities of network access control and anomaly detection, the same as the capacities used in the first layer, which were provided based on VM granularity. At the third layer, to monitor the VM memory information, a VM security monitoring method with agentless based on online analysis of VM memory was proposed by employing physical memory analysis mechanism. Moreover, a file antivirus method named HyperAV for VM based on virtualization was given, which was constructed of a frontend and a rear end. HyperAV optimized the process of virus scanning by monitoring the sector change information of a running VM with low performance costs. The experimental results demonstrated the effectiveness and low performance costs of the proposed protection framework and the corresponding security mechanisms, respectively.

TIAN Yu-hong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.24.029

2006-01-01

Abstract:The Java virtual machine(JVM)is used more frequently as the basic engine behind dynamic web services.With the proliferation of network attacks on these network resources,much work are done to provide security for the network environment.Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine.After describing the vulnerabilities in Java's security mechanisms,an extended security system based on Java 2 security architecture is introduced.It also explains the runtime status of system.The increased assurance of correct system operation and the integrity of Java application server are provided.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Lin Chen,Xingshu Chen,Junfang Jiang,Xueyuan Yin,Guolin Shao

DOI: https://doi.org/10.1109/tst.2014.6919826

2014-01-01

Tsinghua Science & Technology

Abstract:Network security requirements based on virtual network technologies in IaaS platforms and corresponding solutions were reviewed.A dynamic network security architecture was proposed,which was built on the technologies of software defined networking,Virtual Machine（VM）traffic redirection,network policy unified management,software defined isolation networks,vulnerability scanning,and software updates.The proposed architecture was able to obtain the capacity for detection and access control for VM traffic by redirecting it to configurable security appliances,and ensured the effectiveness of network policies in the total life cycle of the VM by configuring the policies to the right place at the appropriate time,according to the impacts of VM state transitions.The virtual isolation domains for tenants’VMs could be built flexibly based on VLAN policies or Netfilter/Iptables firewall appliances,and vulnerability scanning as a service and software update as a service were both provided as security supports.Through cooperation with IDS appliances and automatic alarm mechanisms,the proposed architecture could dynamically mitigate a wide range of network-based attacks.The experimental results demonstrate the effectiveness of the proposed architecture.

Ji-Ming Chen,Shi Chen,Xiang Wang,Lin,Li Wang

DOI: https://doi.org/10.1155/2021/2729949

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the rapid development of Internet of Things technology, a large amount of user information needs to be uploaded to the cloud server for computing and storage. Side-channel attacks steal the private information of other virtual machines by coresident virtual machines to bring huge security threats to edge computing. Virtual machine migration technology is currently the main way to defend against side-channel attacks. VM migration can effectively prevent attackers from realizing coresident virtual machines, thereby ensuring data security and privacy protection of edge computing based on the Internet of Things. This paper considers the relevance between application services and proposes a VM migration strategy based on service correlation. This strategy defines service relevance factors to quantify the degree of service relevance, build VM migration groups through service relevance factors, and effectively reduce communication overhead between servers during migration, design and implement the VM memory migration based on the post-copy method, effectively reduce the occurrence of page fault interruption, and improve the efficiency of VM migration.

Yaqiang Mao,Xujian Chen,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1285

2014-01-01

Abstract:As a basic cloud service model, the Infrastructure-as-aService (IaaS) provides fundamental computing resources for PaaS and SaaS with a guaranteed ability to reduce costs and improve resource efficiency. Virtualization plays a crucial role to support the IaaS. However, it is not safety because of exposing the hosted virtual machines (VMs) to uncontrollable environment. In addition, traditional in-guest security solutions, relying on operation system kernel trustworthiness, are no longer effective to virtual infrastructure. In this paper, we introduce HVSM (Hybrid Virtualization Security Monitor) to deal with above security problems, which is a new In-OutVM hybrid virtualization-aware architecture depending on lightweight, comprehensive and dynamic security monitoring. First, as to Hybrid, HVSM utilizes virtual machine introspection technique to inspect kernel running state of the guest VM (GVM) from outside. Inside the GVM, measure agent (MA) tests and delivers processes' integrity information to security VM (SVM). In succession, MA is in the guard of measure agent keeper (MAK) running in the SVM. Second, dynamically, HVSM combines kernel state information with processes' integrity so as to provide a security report on GVM. Third, a proof-of-concept prototype is implemented using libvmi based on Xen hypervisor. Finally, we evaluate efficiency and the performance overhead of HVSM, which is acceptably low to support real-time monitoring.

Huaizhe Zhou,Haihe Ba,Jiangchun Ren,Yongjun Wang,Yunshi Li,Yong Chen,Zhiying Wang

DOI: https://doi.org/10.1109/ICISCE.2017.39

2017-01-01

Abstract:With the introduction of virtual machine introspection into IaaS cloud, indirect inspection of the state about guest VMs is supported with strong isolation. But it requires the privilege access to the virtual machine monitor and lacks manageability due to the need of installing various security vendors' agents in a privileged VM. In this paper, we propose an agentless and uniform introspection framework, called SE-Cloud, which supports expert security vendors to build robust and flexible protections for guest VMs of their customers. With the separation of introspection and security-business code, SE-Cloud can stealthily fetch the state of monitored VMs without installing any code of security vendors, which resists rootkit from compromising or evading "in-the-box" security services and is convenient to manage "out-of-the-box" security services. Our preliminary experimental results show that SE-Cloud can support robust and flexible introspection over guest VMs with acceptable overhead.

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Zhiying Wang,Jun Ma,Yunshi Li,Huidong Qiao

DOI: https://doi.org/10.3390/sym11020252

2019-01-01

Abstract:The dramatic proliferation of cloud computing makes it an attractive target for malicious attacks. Increasing solutions resort to virtual machine introspection (VMI) to deal with security issues in the cloud environment. However, the existing works are not feasible to support tenants to customize individual security services based on their security requirements flexibly. Additionally, adoption of VMI-based security solutions makes tenants at the risk of exposing sensitive information to attackers. To alleviate the security and privacy anxieties of tenants, we present SECLOUD, a framework for monitoring VMs in the cloud for security analysis in this paper. By extending VMI techniques, SECLOUD provides remote tenants or their authorized security service providers with flexible interfaces for monitoring runtime information of guest virtual machines (VMs) in a non-intrusive manner. The proposed framework enhances effectiveness of monitoring by taking advantages of architectural symmetry of cloud environment. Moreover, we harden our framework with a privacy-preserving capacity for tenants. The flexibility and effectiveness of SECLOUD is demonstrated through a prototype implementation based on Xen hypervisor, which results in acceptable performance overhead.

Pengze Guo,Yongkai Zhou,Zhi Xue,Xinxing Yin,Liang Pang,Yan Zhu,Xiao Chen,Fangbiao Li

2014-01-01

Abstract:The past decade has witnessed the rapid development of cloud computing. Virtualization, which is the basis of delivering Infrastructure as a Service (IaaS), has led to an explosive growth in the cloud computing industry. Meanwhile, new threats are also introduced. This paper explores different aspects of cloud virtualization security, including security threats of virtualization infrastructure and attacks that can be launched on virtual cloud. The research mainly focuses on hypervisor security, vSwitch security and virtual machine security. The paper also discusses state-of-the-art solutions to those threats, which are beneficial for implementing effective protection methods for virtual cloud environment.

Xingshu Chen,Liang Hu,Guangrui Chen,Lin Chen

DOI: https://doi.org/10.13245/j.hust.160310

2016-01-01

Abstract:To ensure the traditional security detecting tool to adapt virtual network of cloud compu-ting,a method of dynamic accessing into virtual network for security tool was studied.Through pro-viding security detecting service in multi-processes and based on NVF technology,the security detec-ting server could serve parallelly in multi-service processes.Besides,a method of dynamic accessing into virtual network for security detecting tool was implemented based on SDN.Consequently,the se-curity detecting service could access tenant network to provide security services dynamically and on de-mand.The results show that the method clouded the traditional security detecting tool effectively and provide parallel,on-demand and dynamic security service for tenants.

Liang Hu,Xingshu Chen,Lin Chen,Zhenyang Han

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.03.049

2016-01-01

Abstract:To ensure the security of communication data of virtual machine in IaaS environment adopting shared network infra-structure,this paper proposed an agentless communication encryption framework for virtual machine in IaaS environment. Through the cooperation between an encryption module which was loaded in virtualization node and a platform unified encryp-tion controller,it implemented the agentless communication encryption for virtual machine in IaaS.Moreover,this paper de-veloped a mechanism for effectiveness of communication encryption policy to ensure the effectiveness of communication encryp-tion policy in the whole life cycle of virtual machine.The results show that the framework can encrypt communication data of virtual machine on-demand and ensure the effectiveness of encryption policy in the whole life cycle of virtual machine,while introducing a few overhead.

Xueyuan Yin,Xingshu? Chen,Shusong Tao,Lin Chen

DOI: https://doi.org/10.13232/j.cnki.jnju.2019.02.007

2019-01-01

Abstract:To solve the problem of user virtual machine monitoring in cloud environment,a virtual machine security monitoring method based on real time online analysis of virtual machine memory was proposed.With high privilege of the virtualization layer,virtual machine memory could be obtained outside of virtual machines online transparently. By using the memory analysis mechanism derived from the field of internal forensics,the semantic knowledge of virtual machine memory can be revealed by analyzing some important kernel structures of the virtual machine memory online in the virtualization layer,which effectively solves the semantic gap between the virtual machine and the virtualization layer and leads to achieving fine granularity of information monitoring of virtual machines.Because the monitoring code is under the virtualization layer,outside of the monitored virtual machine and isolated from virtual machine internal codes by the virtualization mechanism,there is no need to deploy monitoring agents in the users’virtual machine.Therefore,any malicious code inside the virtual machine can not bypass and destroy the security monitoring code under the virtualization layer and the transparency and security of the method is improved. The experimental results show that the method can provide a cloud security monitoring service for virtual machines at lower performance cost with agentless.

Si Yu,Xiaolin Gui,Jiancai Lin,Feng Tian,Jianqiang Zhao,Min Dai

DOI: https://doi.org/10.1155/2014/805923

2014-01-01

The Scientific World JOURNAL

Abstract:Cloud computing gets increasing attention for its capacity to leverage developers from infrastructure management tasks. However, recent works reveal that side channel attacks can lead to privacy leakage in the cloud. Enhancing isolation between users is an effective solution to eliminate the attack. In this paper, to eliminate side channel attacks, we investigate the isolation enhancement scheme from the aspect of virtual machine (VM) management. The security-awareness VMs management scheme (SVMS), a VMs isolation enhancement scheme to defend against side channel attacks, is proposed. First, we use the aggressive conflict of interest relation (ACIR) and aggressive in ally with relation (AIAR) to describe user constraint relations. Second, based on the Chinese wall policy, we put forward four isolation rules. Third, the VMs placement and migration algorithms are designed to enforce VMs isolation between the conflict users. Finally, based on the normal distribution, we conduct a series of experiments to evaluate SVMS. The experimental results show that SVMS is efficient in guaranteeing isolation between VMs owned by conflict users, while the resource utilization rate decreases but not by much.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Hai Jin,Guofu Xiang,Deqing Zou,Song Wu,Feng Zhao,Min Li,Weide Zheng

DOI: https://doi.org/10.1007/s11227-011-0608-2

IF: 3.3

2013-01-01

The Journal of Supercomputing

Abstract:With the development of information technology, cloud computing becomes a new direction of grid computing. Cloud computing is user-centric, and provides end users with leasing service. Guaranteeing the security of user data needs careful consideration before cloud computing is widely applied in business. Virtualization provides a new approach to solve the traditional security problems and can be taken as the underlying infrastructure of cloud computing. In this paper, we propose an intrusion prevention system, VMFence, in a virtualization-based cloud computing environment, which is used to monitor network flow and file integrity in real time, and provide a network defense and file integrity protection as well. Due to the dynamicity of the virtual machine, the detection process varies with the state of the virtual machine. The state transition of the virtual machine is described via Definite Finite Automata (DFA). We have implemented VMFence on an open-source virtual machine monitor platform—Xen. The experimental results show our proposed method is effective and it brings acceptable overhead.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Xiaoming Ye,Xingshu Chen,Haizhou Wang,Xuemei Zeng,Guolin Shao,Xueyuan Yin,Chun Xu

DOI: https://doi.org/10.1109/TST.2016.7488743

2016-01-01

Abstract:This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS). The security of such VMs is critical to IaaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed-leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.

Yikuan Yan,Keman Huang,Michael Siegel

2024-03-03

Abstract:The growing system complexity from microservice architectures and the bilateral enhancement of artificial intelligence (AI) for both attackers and defenders presents increasing security challenges for cloud-native operations. In particular, cloud-native operators require a holistic view of the dynamic security posture for the cloud-native environment from a defense aspect. Additionally, both attackers and defenders can adopt advanced AI technologies. This makes the dynamic interaction and benchmark among different intelligent offense and defense strategies more crucial. Hence, following the multi-agent deep reinforcement learning (RL) paradigm, this research develops an agent-based intelligent security service framework (ISSF) for cloud-native operation. It includes a dynamic access graph model to represent the cloud-native environment and an action model to represent offense and defense actions. Then we develop an approach to enable the training, publishing, and evaluating of intelligent security services using diverse deep RL algorithms and training strategies, facilitating their systematic development and benchmark. The experiments demonstrate that our framework can sufficiently model the security posture of a cloud-native system for defenders, effectively develop and quantitatively benchmark different services for both attackers and defenders and guide further service optimization.

Cryptography and Security

LIU Yu-tao,XIA Yu-bin,CHEN Hai-bo

2012-01-01

Journal of Integration Technology

Abstract:The security issue of cloud computing has received widely attention in recent years. Due to the sharing, out-sourcing and openness features of cloud computing mode, the end-users don’t gain the complete control over their computing and data. Instead, a malicious system operator can tamper with or steal user’s critical data without user’s awareness. Some researchers tried to protect the privacy and integrity of data in the cloud by extending architecture and reduce the hardware/software stack that cloud security relies on. This paper presents technologies in these researches, including enforcing memory isolation, encryption by secure processor, et al.

Si Yu,Xiaolin Gui,Feng Tian,Pan Yang,Jianqiang Zhao

DOI: https://doi.org/10.1109/hpcc.and.euc.2013.152

2013-01-01

Abstract:Recent work reveals that side channel attacks (SCA) can lead to leakage of user privacy in the cloud. Enhancing the isolation between users is an effective solution to eliminate the attacks. However, to achieve the stronger isolation, the existing schemes require the sophisticated decision making systems and specific monitoring systems, which may degrade the efficiency of the system. In this paper, to eliminate the SCA, we investigate the isolation enhancement from a novel perspective - VM placement. And the security-awareness VMs placement scheme (SVMPS) is proposed. In this scheme, we use the aggressive conflict of interest relation (ACIR) to describe the constraint relations for users; based on the Chinese wall policy, we put forward the isolation rules to formulate the VMs placement behavior; according to the isolation rules, we design the VMs placement solution calculated algorithm to enforce the VMs placement. The experimental results demonstrate that SVMPS is efficient in guaranteeing the isolation between conflict users, while the resource utilization rate decreases not too much.