Strategy of container migration and honeypot deployment based on signal game in cloud environment

Bibliographic Details
Main Authors: Lingshu LI, Jiangxing WU, Wei ZENG, Wenyan LIU
Format: Article
Language: English
Published: POSTS&TELECOM PRESS Co., LTD 2022-06-01
Series: 网络与信息安全学报
Subjects:
Online Access: http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2021042
collection DOAJ
description Multi-tenant coexistence and resource sharing in the SaaS cloud pose serious security risks. On the one hand, the soft isolation of logical namespaces is easily bypassed or broken. On the other hand, containers are exposed to co-resident attacks because they share the host operating system and underlying physical resources. This poses a serious threat to data availability, integrity and confidentiality in the container cloud. Given that SaaS cloud services are vulnerable to container escape and side-channel equivalent resident attack, network deception technology increases the uncertainty of the cloud environment and reduces the effectiveness of attacks by hiding the business function and characteristic attributes of the executor. Aiming at the security threat caused by the co-resident attack, an economical and reasonable network deception method combining dynamic migration and virtual honeypot security technology was studied. Specifically, a container migration and honeypot deployment strategy based on the signal game was proposed. According to the security threat analysis, container migration and honeypots were used as defense methods. The former improved the undetectability of the system based on the idea of moving target defense, while the latter confused attackers by placing decoy containers or providing false services. Furthermore, since network reconnaissance is the first step of the network attack chain, the attack and defense process was modeled as a two-person signal game with incomplete information. The sender chose to release a signal according to his type, and the receiver could only obtain the signal released by the sender but could not determine the type. Then, a game tree was constructed for the complete but imperfect information dynamic game, and the costs and benefits of different strategy combinations were set. The optimal deception strategy was determined by equilibrium analysis of the attack-defense model. Experimental results show that the proposed strategy can effectively improve system security. Besides, it can also reduce container migration frequency and defense cost.
id doaj-art-73d5d3bb168948e9b1af078a7879604e
institution Kabale University
issn 2096-109X
topic cloud computing
container migration
honeypot
signal game