Abstract
Currently, a growing number of distributed denial of service (DDoS) attack sources are migrating into the cloud, posing a serious challenge to the controllability of cloud computing and to the security of cyberspace as a whole. However, research on effectively controlling such attack sources inside the cloud is still scarce. This paper therefore designs pTrace, a DDoS attack-source control system for controllable cloud computing, consisting of two parts: ingress traffic filtering (inFilter) and malicious process traceback (mpTrace). inFilter filters packets that carry forged source address information; mpTrace first identifies attack flows and their source address information, then uses that source address information to trace and control the malicious processes that send the attack flows. A prototype of pTrace was implemented on OpenStack and Xen. Analysis and experiments show that inFilter effectively prevents DDoS attack packets with forged source addresses from leaving the cloud; when the attack flow rate is about 2.5 times that of normal traffic, mpTrace correctly identifies the attack flow information and correctly traces the process sending the attack traffic within milliseconds. The method effectively controls DDoS attack sources located in the cloud and reduces the impact on both the puppet tenants inside the cloud and the attack targets outside it.
Currently, a growing number of attack sources of distributed denial of service (DDoS) are migrating to cloud computing and bringing a greater security challenge to the whole cyberspace. However, research on effectively suppressing these attack sources is still deficient. So, this paper proposes a method, pTrace, to defeat the DDoS attack sources in the cloud, which comprises the packet filter module inFilter and the malicious process retroactive module mpTrace. inFilter mainly filters packets with forged source addresses. mpTrace first identifies attack streams and their corresponding source addresses, then traces malicious processes based on the obtained source addresses. We have implemented a prototype system under an OpenStack and Xen environment. Experimental results and analysis show that inFilter can prevent large-scale DDoS attacks from being launched in the cloud center with low time consumption, and mpTrace can identify an attack flow correctly when its flow rate is about 2.5 times the normal traffic, tracing malicious processes at the ms time level. Finally, this method reduces the impact both on the puppet cloud tenant and on the victim outside the cloud.
Source
Journal of Computer Research and Development (计算机研究与发展)
Indexed in: EI; CSCD; Peking University Core Journal
2015, No. 10, pp. 2212-2223 (12 pages)
Funding
National High Technology Research and Development Program of China (863 Program) (2015AA016005)
National Natural Science Foundation of China (61402464)
Keywords
controllable cloud computing
packet filtering
malicious program traceback
information entropy
virtual machine introspection