
Research On Key Technologies Of Moving Target Defense For Cloud-Native Applications

Posted on: 2024-02-11
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Liu
GTID: 2558307100473464
Subject: Information and Communication Engineering
Abstract/Summary:
Cloud-native applications, built on the two technical foundations of microservices and containers, offer outstanding elasticity and agility and have become the main evolution direction of cloud applications. Managing and controlling their attack surface, however, remains complicated. On the one hand, splitting an application into microservices multiplies its access interfaces; on the other hand, the weak isolation of containers creates container-escape risks. At the same time, microservices and containerisation dissolve the boundary of the cloud-native environment, so traditional perimeter and bolt-on defences struggle to cope with these challenges. Moving Target Defense (MTD) offers a new approach to attack-surface management for cloud-native applications: it continuously changes the attack surface of the target system by increasing its dynamism and diversity. The dynamism and complexity of cloud-native applications, however, also complicate the optimal design of MTD strategies. Cloud-native applications are developed and deployed rapidly as business needs change, so their attack surface changes continuously; MTD policies must be updated promptly, which calls for adaptive defence strategies. In addition, cloud-native applications contain many components and microservices, and this complexity greatly increases the difficulty of designing MTD strategies built around defence "strongholds". This thesis first proposes an MTD-based adaptive security architecture to address these problems, and then, within that architecture, proposes optimisation strategies for the microservice and serverless application scenarios using the MTD ideas of dynamism and diversity. The main research contents are as follows:

(1) An adaptive security architecture based on Moving Target Defense is proposed to solve the "effectiveness drift" caused by the dynamic nature of cloud-native applications. Because the attack surface of a cloud-native application changes over time, an MTD mechanism with a fixed policy gradually loses its effect; this is the effectiveness-drift problem. The proposed architecture therefore adjusts the MTD policy continuously and adaptively to control the attack surface. The deployment process of cloud-native applications is introduced first, the security problems of microservice and serverless applications are analysed separately, and the MTD-based adaptive security architecture is then designed, with the function of each module described in detail. The MTD policies and methods for microservice and serverless applications are integrated into the architecture, promoting the deep integration of cloud-native technology and security.

(2) An adaptive genetic algorithm based Moving Target Defence strategy for microservices is proposed to address the optimal selection of defence "strongholds" in microservice applications. Microservice splitting makes many services interact with and depend on one another, which poses a significant challenge to an MTD policy centred on defence strongholds. The proposed strategy analyses the attacker's attack paths, formalises the attack scenarios with a microservice attack graph model, quantifies the security gain and defence payoff of an MTD policy, and converts the search for the optimal MTD security configuration into the search for the global optimum of an adaptive genetic algorithm, i.e. the optimal dynamic rotation period of each microservice. Experiments show that the resulting dynamic rotation policy is scalable.

(3) An evolutionary game based Moving Target Defence decision method for serverless is proposed to address the security issues arising from the homogeneity of serverless applications. Serverless functions are homogeneous in their code, memory space and runtime, which makes it easier for attackers to identify and exploit application vulnerabilities: an attacker can gather vulnerability information through repeated probing and accumulate an advantage before launching an attack. Multi-level diversification strategies, based on the MTD idea of diversity, are therefore proposed at the underlying runtime level and at the code-compilation level of serverless functions; an evolutionary game is then used to combine these multi-level diversification strategies optimally for unknown attack scenarios. Experiments show that the evolutionary game model with an exploration mechanism is predictable and that its equilibrium point is strongly stable.
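The rotation-period search of contribution (2), as an added worked example: this code is not from the thesis and does not reproduce its attack graph model or fitness function. It assumes a constructed five-service attack graph, assumed mean-time-to-compromise and rotation-cost figures, an exponential compromise model (the attacker succeeds on a service if its compromise time elapses before the next rotation), a fitness that weighs security gain against hourly rotation cost, and Srinivas-Patnaik style adaptive crossover and mutation rates. All service names, numbers and weights are illustrative assumptions.

```python
"""Adaptive genetic algorithm for per-microservice rotation periods (toy model)."""
import math
import random

# Constructed microservice attack graph: (a, b) means an attacker holding
# service a can attempt to pivot to service b.  Illustrative, not from the thesis.
ATTACK_EDGES = [
    ("gateway", "auth"), ("gateway", "orders"),
    ("auth", "users"), ("orders", "payments"), ("users", "payments"),
]
ENTRY, TARGET = "gateway", "payments"
# Assumed mean time (hours) to compromise each service, and the assumed cost
# of one rotation (re-deploying the service on a fresh instance).
MTTC = {"gateway": 4.0, "auth": 8.0, "orders": 6.0, "users": 10.0, "payments": 12.0}
ROTATE_COST = {"gateway": 2.0, "auth": 3.0, "orders": 3.0, "users": 2.0, "payments": 5.0}
SERVICES = sorted(MTTC)
T_MIN, T_MAX = 0.5, 48.0          # admissible rotation periods (hours)


def enumerate_paths(edges, src, dst):
    """All simple attack paths from src to dst (depth-first), sorted."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


PATHS = enumerate_paths(ATTACK_EDGES, ENTRY, TARGET)


def compromise_prob(service, period):
    """P(the attacker finishes before the service is rotated), exponential model."""
    return 1.0 - math.exp(-period / MTTC[service])


def security_gain(periods):
    """1 - success probability of the attacker's most likely complete path."""
    worst = 0.0
    for path in PATHS:
        p = 1.0
        for s in path:
            p *= compromise_prob(s, periods[s])
        worst = max(worst, p)
    return 1.0 - worst


def defence_cost(periods):
    """Rotation cost per hour, summed over all services."""
    return sum(ROTATE_COST[s] / periods[s] for s in SERVICES)


def fitness(periods, w_sec=10.0, w_cost=1.0):
    """Defence payoff: weighted security gain minus rotation cost (assumed weights)."""
    return w_sec * security_gain(periods) - w_cost * defence_cost(periods)


def adaptive_rates(f, f_avg, f_max, pc=(0.9, 0.5), pm=(0.2, 0.02)):
    """Adaptive crossover/mutation rates: individuals above the population
    average are perturbed less, the fittest least (Srinivas-Patnaik style)."""
    if f_max <= f_avg or f < f_avg:
        return pc[0], pm[0]
    frac = (f - f_avg) / (f_max - f_avg)
    return pc[0] - (pc[0] - pc[1]) * frac, pm[0] - (pm[0] - pm[1]) * frac


def optimise(pop_size=40, generations=60, seed=1):
    """Return (best_periods, best_fitness, initial_best_fitness)."""
    rng = random.Random(seed)
    pop = [{s: rng.uniform(T_MIN, T_MAX) for s in SERVICES} for _ in range(pop_size)]
    best = max(pop, key=fitness)
    initial_best = fitness(best)
    for _ in range(generations):
        scores = [fitness(ind) for ind in pop]
        f_avg, f_max = sum(scores) / pop_size, max(scores)

        def select():  # binary tournament selection
            i, j = rng.sample(range(pop_size), 2)
            return pop[i] if scores[i] >= scores[j] else pop[j]

        nxt = [dict(best)]  # elitism: the best configuration always survives
        while len(nxt) < pop_size:
            p1, p2 = select(), select()
            pc_rate, pm_rate = adaptive_rates(max(fitness(p1), fitness(p2)), f_avg, f_max)
            child = dict(p1)
            if rng.random() < pc_rate:  # uniform crossover of the two parents
                child = {s: (p1[s] if rng.random() < 0.5 else p2[s]) for s in SERVICES}
            for s in SERVICES:  # log-normal mutation, clamped to the admissible range
                if rng.random() < pm_rate:
                    child[s] = min(T_MAX, max(T_MIN, child[s] * math.exp(rng.gauss(0.0, 0.3))))
            nxt.append(child)
        pop = nxt
        best = max(pop, key=fitness)
    return best, fitness(best), initial_best


if __name__ == "__main__":
    periods, score, _ = optimise()
    for s in SERVICES:
        print(f"{s:>9}: rotate every {periods[s]:5.1f} h")
    print(f"security gain {security_gain(periods):.3f}, cost/h {defence_cost(periods):.3f}, fitness {score:.3f}")
```

The security term is driven by the single most likely attack path, so the optimiser naturally shortens the rotation period of the services that sit on every path (the stronghold candidates) while leaving peripheral services to rotate less often. The elitist step guarantees that the returned fitness never falls below the best of the random initial population.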
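The serverless decision method of contribution (3), as an added example that is not the thesis's model: two-population replicator dynamics with a uniform exploration (mutation) term, played over constructed strategy sets, an assumed success-probability table and assumed diversification costs, under a constant-sum assumption (the attacker gains exactly what the defender loses). The strategy names, figures, step size and exploration rate are illustrative assumptions; the point shown is that the exploration term turns the cycling of plain replicator dynamics into convergence to a stable mixed equilibrium.

```python
"""Replicator dynamics with exploration for a serverless diversification game (toy)."""

# Constructed strategy sets: the attacker probes one vulnerability class, the
# defender picks a diversification level for its serverless functions.
ATTACKER = ["runtime_exploit", "code_exploit"]
DEFENDER = ["none", "runtime_div", "code_div", "both"]

# Assumed probability that attack a succeeds against defence d (illustrative).
SUCCESS = {
    "runtime_exploit": {"none": 0.9, "runtime_div": 0.2, "code_div": 0.9, "both": 0.2},
    "code_exploit":    {"none": 0.9, "runtime_div": 0.9, "code_div": 0.3, "both": 0.3},
}
# Assumed operating cost of each diversification level, on the same 0..1 scale.
DIV_COST = {"none": 0.0, "runtime_div": 0.2, "code_div": 0.3, "both": 0.5}


def defender_payoff(a, d):
    """Security retained minus diversification cost."""
    return 1.0 - SUCCESS[a][d] - DIV_COST[d]


def attacker_payoff(a, d):
    """Constant-sum assumption: the attacker gains exactly what the defender loses."""
    return 1.0 - defender_payoff(a, d)


def replicator_mutator_step(shares, payoffs, dt, eps):
    """One Euler step of replicator dynamics, then uniform exploration at rate eps."""
    avg = sum(s * u for s, u in zip(shares, payoffs))
    grown = [s + dt * s * (u - avg) for s, u in zip(shares, payoffs)]
    n = len(shares)
    explored = [(1.0 - eps * dt) * g + eps * dt / n for g in grown]
    total = sum(explored)
    return [v / total for v in explored]


def evolve(dt=0.05, eps=0.05, tol=1e-8, max_iters=200000):
    """Iterate both populations from uniform mixes until the per-step change is below tol."""
    x = [1.0 / len(ATTACKER)] * len(ATTACKER)
    y = [1.0 / len(DEFENDER)] * len(DEFENDER)
    for it in range(1, max_iters + 1):
        ua = [sum(yj * attacker_payoff(a, d) for yj, d in zip(y, DEFENDER)) for a in ATTACKER]
        ud = [sum(xi * defender_payoff(a, d) for xi, a in zip(x, ATTACKER)) for d in DEFENDER]
        x_new = replicator_mutator_step(x, ua, dt, eps)
        y_new = replicator_mutator_step(y, ud, dt, eps)
        delta = max(abs(p - q) for p, q in zip(x + y, x_new + y_new))
        x, y = x_new, y_new
        if delta < tol:
            break
    return {
        "attacker": dict(zip(ATTACKER, x)),
        "defender": dict(zip(DEFENDER, y)),
        "converged": delta < tol,
        "iterations": it,
    }


if __name__ == "__main__":
    result = evolve()
    print(f"converged={result['converged']} after {result['iterations']} steps")
    for side in ("attacker", "defender"):
        mix = ", ".join(f"{k}={v:.3f}" for k, v in result[side].items())
        print(f"{side}: {mix}")
```

With eps set to zero the constant-sum structure makes the interior equilibrium a neutrally stable centre and the populations orbit it indefinitely; the exploration term pulls every strategy share toward the uniform mix at rate eps, which damps the orbit and yields a fixed point close to the Nash equilibrium in which the defender mostly runs both diversification levels while keeping a small share of the cheaper ones.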
Keywords/Search Tags:Cloud-Native Application, Microservice Security, Serverless Security, Moving Target Defense