TY - JOUR
T1 - Establishing process-level defense-in-depth framework for software defined networks
AU - Cui, Jing Song
AU - Guo, Chi
AU - Chen, Long
AU - Zhang, Ya Na
AU - Huang, Dijiang
N1 - Publisher Copyright:
© Copyright 2014, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
PY - 2014/10/1
Y1 - 2014/10/1
N2 - Cloud computing is gaining momentum over traditional methods in providing users with various services with greater flexibility and scalability. Before switching to cloud computing, users must take the security of the cloud into account as an extremely important factor, because in the cloud environment attackers can launch efficient attacks on cloud users through shared cloud resources such as virtual machines. Since virtual machines (VMs) are the basic resources of cloud services, by compromising or renting several virtual machines, attackers may deploy malicious software on those machines and launch a wider range of attacks, such as distributed denial of service (DDoS), against other virtual machines. To tackle this issue, this paper proposes a defense-in-depth system based on software defined networking that detects suspicious virtual machines, monitors the flows they issue in a timely manner, and inhibits aggressive behavior from the suspected virtual machines to mitigate the consequences of an attack. The system detects the virtual machines' running state in a completely non-intrusive and agent-free way, and monitors network traffic between virtual machines on the same host or between cloud hosts at the process level based on software defined networking. Experimental results demonstrate the effectiveness of the system.
AB - Cloud computing is gaining momentum over traditional methods in providing users with various services with greater flexibility and scalability. Before switching to cloud computing, users must take the security of the cloud into account as an extremely important factor, because in the cloud environment attackers can launch efficient attacks on cloud users through shared cloud resources such as virtual machines. Since virtual machines (VMs) are the basic resources of cloud services, by compromising or renting several virtual machines, attackers may deploy malicious software on those machines and launch a wider range of attacks, such as distributed denial of service (DDoS), against other virtual machines. To tackle this issue, this paper proposes a defense-in-depth system based on software defined networking that detects suspicious virtual machines, monitors the flows they issue in a timely manner, and inhibits aggressive behavior from the suspected virtual machines to mitigate the consequences of an attack. The system detects the virtual machines' running state in a completely non-intrusive and agent-free way, and monitors network traffic between virtual machines on the same host or between cloud hosts at the process level based on software defined networking. Experimental results demonstrate the effectiveness of the system.
KW - Agent-free
KW - Inside network firewall
KW - Network virtualization
KW - Software defined networking
KW - Virtual machines' defense in depth
UR - http://www.scopus.com/inward/record.url?scp=84908277730&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84908277730&partnerID=8YFLogxK
U2 - 10.13328/j.cnki.jos.004682
DO - 10.13328/j.cnki.jos.004682
M3 - Article
AN - SCOPUS:84908277730
SN - 1000-9825
VL - 25
SP - 2251
EP - 2265
JO - Ruan Jian Xue Bao/Journal of Software
JF - Ruan Jian Xue Bao/Journal of Software
IS - 10
ER -