In recent years, containers, as a lightweight virtualization technology, have profoundly changed the way multi-layered distributed applications are built, shipped, and deployed in the cloud, offering low overhead, near-native performance, and mature container orchestration systems. However, in cloud platforms built on container technology there are increasing avenues for cross-container side-channel attacks, in which an attacker's container instance steals private information from a target user's container instance co-located on the same host. As a result, the security of multi-tenant public clouds is a growing concern. Previous research has tended to defend against side-channel attacks by fixing operating system vulnerabilities or by using static defenses such as access control policies, and such static defenses are difficult to keep consistently effective against other kinds of side-channel attacks. Moving target defense is a disruptive active defense technology that changes the asymmetry between attacker and defender in the network environment; in recent years it has been widely applied to cloud computing security, dynamically changing the system's attack surface and increasing its unpredictability and uncertainty so as to thwart imminent or already ongoing network attacks.

To address the above issues, this thesis proposes a moving target defense framework based on container live migration that limits the co-location time between containers, in order to prevent information leakage through co-resident containers in cloud platforms. This thesis presents the active-aware, resilient container migration defense system through four sub-research points.

(1) A lightweight and efficient container live migration method. This research point proposes a feasible container live migration method to address the immaturity of current container live migration mechanisms. The method uses the container image as the carrier for transferring information between nodes, keeping the migrated container information lightweight; by freezing and restoring the runtime state of containers and dynamically correcting the network topology, it ensures that the runtime state and network structure of a container after migration are consistent with those before migration.

(2) An elastic deployment migration placement algorithm. This research point proposes a container migration placement algorithm based on historical gains, together with a container migration scheduling queue generation algorithm, to address the long generation time of container migration placement policies and the low utilization of computational resources during migration scheduling in large-scale cloud environments. It computes migration gains from the historical gain data among containers and uses a heuristic approach to guide the generation of container placement policies. Once the placement policy has been generated, migration tasks are scheduled flexibly according to the load state of the compute nodes to produce the migration queue, thereby improving the utilization of compute resources.

(3) An agile-aware dynamic migration scheduling method. This research point proposes a solution with monitoring and blocking functions and a large-scale container migration scheduling function, targeting the performance optimization of large-scale container scheduling and the problem of detecting and blocking malicious containers in the container cloud platform. The solution is responsible for global data collection, anomaly sensing, and blocking of malicious containers across the cloud platform, and executes the migration placement policy according to the operating state of the cloud platform to complete large-scale parallel migration scheduling of containers.

(4) Design and implementation of the container migration defense system. This system takes container live migration technology as its core, uses the container migration scheduling algorithm to guide the operation of the defense system, and performs system monitoring and blocking of containers through the monitoring and blocking subsystem; multiple modules are interlinked and work together to achieve an active defense effect against malicious containers. The system is built on the Podman container engine, CRIU, and Nginx to realize live migration of containers; the MultiSR anomaly detection framework to realize monitoring and detection; the RabbitMQ message queue to realize parallel scheduling of migration tasks; and a Vue front-end with a SpringBoot back-end to visualize a number of data metrics in the monitoring platform.

In summary, this thesis aims to propose a new container migration defense system with high availability, high efficiency, and high security for the complex network environment of large-scale container cloud platforms, so as to reverse the traditional passive defense posture, which is always at a disadvantage when defending against cache side-channel attacks.
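As an added illustration of the core idea above, bounding how long any two containers stay co-resident and choosing a migration target that minimizes accumulated co-residence, the following Python planner is example code written for this page, not the thesis's own placement algorithm; the threshold, the node capacities, and the sample placement are constructed assumptions.

```python
# Illustrative co-residence-bounded migration planner (assumed design, not the thesis's algorithm).
from collections import defaultdict

MAX_COLOCATION = 300  # assumed bound, in seconds, on how long two containers may share a node

def colocated_pairs(placement):
    """Sorted (a, b) pairs of containers that currently share a node."""
    by_node = defaultdict(list)
    for c, node in placement.items():
        by_node[node].append(c)
    return {(a, b) for cs in by_node.values() for a in cs for b in cs if a < b}

def tick(placement, coloc_time, dt):
    """Advance the co-residence clock of every currently co-located pair by dt seconds."""
    for p in colocated_pairs(placement):
        coloc_time[p] = coloc_time.get(p, 0) + dt
    return coloc_time

def choose_target(container, placement, coloc_time, capacity):
    """Node other than the current one, with free capacity, whose tenants have the least
    accumulated co-residence with `container`; None if no node has room."""
    load = defaultdict(int)
    for node in placement.values():
        load[node] += 1
    best, best_cost = None, None
    for node in capacity:
        if node == placement[container] or load[node] >= capacity[node]:
            continue
        cost = sum(coloc_time.get(tuple(sorted((container, c))), 0)
                   for c, n in placement.items() if n == node)
        if best is None or cost < best_cost:
            best, best_cost = node, cost
    return best

def plan_migrations(placement, coloc_time, capacity, limit=MAX_COLOCATION):
    """Return {container: target_node} separating every pair whose co-residence clock
    has reached `limit`; moves are applied to a working copy so later pairs see them."""
    moves, working = {}, dict(placement)
    for (a, b), t in sorted(coloc_time.items()):
        if t < limit or working[a] != working[b]:
            continue  # still under the bound, or already separated by an earlier move
        for mover in (b, a):  # prefer moving b; fall back to a if b cannot be placed
            target = choose_target(mover, working, coloc_time, capacity)
            if target is not None:
                moves[mover] = target
                working[mover] = target
                break
    return moves
```

Feeding the returned moves to the migration queue would then drive the checkpoint/restore step; the planner itself only decides who moves where.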