CN109412866A - An active detection method for multi-tenant cloud platform security isolation - Google Patents

An active detection method for multi-tenant cloud platform security isolation

Info

Publication number: CN109412866A
Authority: CN (China)
Prior art keywords: node, tenant, security isolation, detection, cloud platform
Legal status: Granted (active)
Application number: CN201811473272.8A
Other languages: Chinese (zh)
Other versions: CN109412866B (en)
Inventors: 王利明, 葛思江, 李兆璨, 孔同, 杨倩, 马多贺
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS; priority to CN201811473272.8A; publication of CN109412866A; application granted, publication of CN109412866B.

Classifications

    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an active detection method for security isolation in a multi-tenant cloud platform, which measures the security isolation of the platform in real time while it is running. The method comprises the steps of: (1) defining a graph model; (2) defining detection benchmarks; (3) generating the initial state; (4) initial isolation detection; (5) isolation detection at runtime. The method models the configuration state of the multi-tenant cloud platform as a graph, establishes a detection benchmark based on tenant security isolation and a detection benchmark based on user-group security isolation, and then performs security isolation detection, so that potential isolation failures, and the harm they threaten to cause to tenants in the cloud, are discovered in time. The method is highly scalable and timely; it solves the security isolation detection problem of existing multi-tenant cloud platforms and improves their security capability to meet the needs of current application scenarios.

Description

An active detection method for multi-tenant cloud platform security isolation
Technical field
The invention belongs to the technical field of cloud security, and in particular relates to a method for detecting security isolation in a multi-tenant cloud platform.
Background art
Cloud computing has become one of the fastest-developing technologies in recent years and a development trend of IT infrastructure, and it is used more and more widely. By pooling resources (computing resources, network resources, storage resources and so on) it allows the infrastructure to be shared by multiple tenants, providing a convenient, on-demand service model.
However, multi-tenant technology breaks the barriers between physical devices in the cloud platform; while it improves resource utilization, it inevitably brings serious security problems. On the one hand, the cloud service provider must provide tenants with an isolation mechanism that ensures specific resources are not accessed without authorization; on the other hand, if isolation fails in the shared environment, a malicious tenant in the cloud can break through the isolation mechanism and initiate unauthorized access, exposing the data assets of other tenants to huge security risks.
Security isolation is therefore particularly important in a multi-tenant cloud platform, and how to improve the security capability of the cloud platform is a technical problem that those skilled in the art urgently need to solve. At present, solutions to the security isolation problem fall into three categories: defence in advance, tracing afterwards, and run-time checking.
Schemes of defence in advance mainly limit access capability beforehand by means such as strengthening access control and enhancing security modules. A search of existing patents finds Chinese patent document CN104580505A, published 2015.04.29, which discloses a tenant isolation method and a virtual switch: the virtual switch assigns each virtual machine on each physical host a corresponding virtual LAN tag that identifies the tenant's messages; the virtual switch assigns each tenant a corresponding virtual tenant network (VTN) identifier and generates the virtual network corresponding to each tenant.
Schemes of tracing afterwards mine and correlate the data collected over a period of time in post-hoc analysis, trace the attack paths already present in the cloud, and then enforce remedial measures. A search of existing patents finds Chinese patent document CN107566369A, published 2018.01.09, which discloses a method for evaluating the effectiveness of security isolation and defence for industrial-control infrastructure; the method can equally be applied to cloud-based IT infrastructure. It comprises: establishing an isolation and defence technology model; collecting information according to the technology model; analysing the collected information with an algorithm; analysing the ability of the business system to resist various attacks when it is attacked, and then assessing the effectiveness of the security isolation measures.
Although the above two categories of solutions are an essential part of a cloud security protection system, their deficiencies are that the former cannot cope with unexpected events that occur while the cloud platform is running, such as vulnerabilities and misconfigurations, and the latter can only analyse and remedy security threats that have already occurred inside the cloud and cannot play a preventive role.
The third category, by checking at runtime, can actively discover potential security isolation threats even while the cloud platform is in operation, making up for the deficiencies of the first two. Existing tenant-level real-time detection methods for security isolation include: (1) tagging network packets to achieve real-time tracing and analysis of flows; this method cannot check for potential failure threats. (2) Verifying the network in the cloud by solving Boolean satisfiability; this method has a small storage overhead but poor real-time performance. (3) Collecting information from the cloud platform, building a graph model, and performing real-time updates and model analysis; work in this direction is concentrated mainly on checking the configuration compliance of cloud infrastructure through the provider's API. This method has strong real-time performance, but an extensible detection scheme for the security isolation problem of multi-tenant cloud platforms has yet to be proposed.
The prior art is thus weak in extensibility and timeliness. The present invention proposes a security isolation detection method that can detect, in time, potential isolation-failure threats that may exist in a dynamically changing cloud environment, making up for the deficiencies of existing methods and improving the security capability of multi-tenant cloud platforms.
Summary of the invention
The aim of the present invention is to address the deficiencies of existing multi-tenant cloud platform security isolation technology. It therefore proposes a method for active security detection of the configuration in the cloud, which finds isolation-failure threats that may exist in a multi-tenant cloud platform. The method is highly scalable and timely.
To achieve the above object, the present invention adopts the following method, comprising:
(1) Defining the graph model: a directed graph model G = (V, E, C) containing every node in the multi-tenant cloud platform is defined. V denotes the set of nodes that provide services in the cloud platform; any node in the set satisfies v_i ∈ V. E denotes the set of edges between nodes; any edge e_{i,j} in the set indicates that node v_i may access another node v_j, e_{i,j} ∈ E. C denotes the connectivity relation between nodes; c_{i,j} denotes the connectivity relation between nodes v_i and v_j, c_{i,j} ∈ C. i and j denote the identifiers of the two nodes.
When constructing the directed graph model, if c_{i,j} = 1 the edge e_{i,j} is considered to exist between v_i and v_j in G; if c_{i,j} = 0 no edge e_{i,j} exists between v_i and v_j. The directed graph model G is stored as a two-dimensional adjacency matrix A, denoted as:
(2) Defining the detection benchmarks: in a multi-tenant cloud platform there are multiple tenants managed by the administrator, and nodes belonging to different tenants must not be able to initiate unauthorized access to one another; inside each tenant there are multiple user groups, managed by the administrator or the tenant administrator, and nodes belonging to different user groups must not be able to initiate unauthorized access. Security isolation therefore comprises two classes of scenario: first, security isolation between different tenants, for which it must be verified whether a potential threat of unauthorized access exists between tenants; second, security isolation between different user groups within the same tenant, for which it must be verified whether a potential threat of unauthorized access exists between user groups within the same tenant. For these two scenarios, a detection benchmark based on tenant security isolation and a detection benchmark based on user-group security isolation are defined respectively.
(21) Detection benchmark based on tenant security isolation: when an attacker obtains administrator privileges, or there is a malicious administrator inside the multi-tenant cloud platform, the configuration of the platform can be maliciously tampered with so that nodes that originally belong to different tenants can initiate unauthorized access to one another, and tenant security isolation is destroyed. Therefore the correct mapping f between tenants and nodes is established as the detection benchmark for tenant security isolation. If n denotes the identifier of a node and tenant_n denotes the identifier of the tenant of the node identified by n, the mapping is denoted as:
f(n) = tenant_n
(22) Detection benchmark based on user-group security isolation: for the user groups belonging to the same tenant in the multi-tenant cloud platform, L is defined as the user-group grade, and L can take the value uppr, normal or lower. A user group with L = uppr may access all non-uppr user groups and cannot be accessed by other user groups; user groups with L = normal and the same mark value x may access one another, where x is an integer greater than zero; a user group with L = lower can be accessed by all user groups and cannot initiate access. For a node in a user group, if n denotes the identifier of the node and level_n denotes the mark value of the node identified by n, the mark value level_n of node n is defined as:
When an attacker obtains administrator or tenant-administrator privileges, or there is a malicious administrator or malicious tenant administrator inside the multi-tenant cloud platform, the grade configuration of the user groups can be maliciously tampered with so that nodes of user groups of different grades can initiate unauthorized access to one another, and user-group security isolation is destroyed. Therefore the correct mapping y between each user group and its nodes within the same tenant is established as the detection benchmark for user-group security isolation, denoted as:
y(n) = level_n
(3) Generating the initial state: the configuration data of all nodes in the multi-tenant cloud platform is collected in the initial state. According to the directed graph model G = (V, E, C) defined in step (1), the configuration data is traversed and the connectivity relation c_{i,j} ∈ C between the currently traversed node v_i and every other node v_j is recorded: if v_i is connected to v_j then c_{i,j} = 1, otherwise c_{i,j} = 0. The graph model G_init based on the initial state is then built according to the definition in step (1).
(4) Initial isolation detection: according to the detection benchmarks of step (2), it is detected whether the directed graph G_init of step (3) satisfies security isolation. The detection process comprises two stages, initial node marking and initial node detection:
(41) Initial node marking: all nodes of the directed graph G_init of step (3) are traversed in turn. During the traversal the currently visited node is marked as a node to be detected and inserted at the tail of the queue Detect of nodes to be detected.
(42) Initial node detection: nodes are read in turn from the head of the queue Detect until the queue is empty, the node currently read being denoted v_det. It is detected whether v_det satisfies the security isolation requirements, and when detection is complete v_det is removed from the head of the queue Detect. The specific detection comprises the tenant security isolation detection performed according to detection benchmark (21) and the user-group security isolation detection performed according to detection benchmark (22).
(5) Isolation detection at runtime: the current running moment is denoted time. If at moment time the administrator or a tenant administrator performs a configuration operation on the cloud platform that causes the state of the directed graph to be updated, the current directed graph is denoted G_time, and according to the detection benchmarks of step (2) it is detected on update whether G_time satisfies the security isolation requirements. The detection process comprises two stages, node marking on update and node detection on update:
(51) Node marking on update: the configuration operations of step (5) comprise creating an instance, deleting an instance, creating a security policy and deleting a security policy. When the administrator or a tenant administrator performs one of these operations in the cloud platform, the graph model G_time is updated incrementally, the updated nodes are marked as nodes to be detected, and they are inserted at the tail of the queue Detect.
(52) Node detection on update: nodes are read in turn from the head of the queue Detect until the queue is empty, the node currently read being denoted v_det. It is detected whether v_det satisfies the security isolation requirements, and when detection is complete v_det is removed from the head of the queue Detect. The specific detection comprises the tenant security isolation detection performed according to detection benchmark (21) and the user-group security isolation detection performed according to detection benchmark (22).
Further, in the above active detection method for multi-tenant cloud platform security isolation, the incremental update of step (51) specifically comprises the following four cases when implemented:
Edge insertion: when creating or deleting a security policy causes node v_i in the graph model G_time of step (5) to be able to access v_j, the connectivity relation c_{i,j} of step (1) is set to 1 so that the adjacency matrix entry A[i][j] = 1, thereby performing edge insertion.
Edge deletion: when creating or deleting a security policy causes node v_i in the graph model G_time of step (5) to be unable to access v_j, the connectivity relation c_{i,j} of step (1) is set to 0 so that the adjacency matrix entry A[i][j] = 0, thereby performing edge deletion.
Point insertion: when a new instance is created, a new node denoted v_new is inserted into the graph model G_time of step (5), where new denotes the node identifier. If the other nodes in G_time are identified by k, the adjacency matrix entries of step (1) are initialised as A[new][k] = 0 and A[k][new] = 0. When node v_new may access v_k, the connectivity relation c_{new,k} of step (1) is set to 1 so that A[new][k] = 1; when node v_k may access v_new, c_{k,new} is set to 1 so that A[k][new] = 1. Point insertion is thereby performed.
Point deletion: when an instance is deleted, the node corresponding to the instance in the graph model G_time of step (5) is located and denoted v_del, where del denotes the node identifier. Node v_del is then marked as failed by setting del = -1, so that it no longer takes part in detection. Point deletion is thereby performed.
Further, in the above active detection method for multi-tenant cloud platform security isolation, the tenant security isolation detection of steps (42) and (52) detects, according to the detection benchmark based on tenant security isolation of step (2), whether the node v_det read from the head of the queue Detect in steps (42) and (52) satisfies tenant security isolation.
The specific detection process for node v_det comprises: traversing all nodes of the graph G_init of step (3) or the graph G_time of step (5), the currently traversed node being denoted v_k, where k denotes the node identifier. If the adjacency matrix entry A[k][det] of step (1) equals 1, then node v_det is judged to satisfy tenant security isolation only when f(det) = f(k) according to step (2).
Further, in the above active detection method for multi-tenant cloud platform security isolation, the user-group security isolation detection of steps (42) and (52) detects, according to the detection benchmark based on user-group security isolation of step (2), whether the node v_det read from the head of the queue Detect in steps (42) and (52) satisfies user-group security isolation.
The specific detection process for node v_det comprises: traversing all nodes of the graph G_init of step (3) or the graph G_time of step (5), the currently traversed node being denoted v_k, where k denotes the node identifier. If the adjacency matrix entry A[k][det] of step (1) equals 1, then node v_det is judged to satisfy user-group security isolation only when y(k) = y(det) > 0, or y(k) = 1 and y(det) != 1, or y(k) != 0 and y(det) = 0, according to step (2).
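The graph model, the two detection benchmarks, the queue-driven detection of steps (4) and (5) and the four incremental-update cases above, combined into one runnable added example. This is illustration code written for this page, not the patent's own implementation. It assumes numeric marks for the user-group grade (uppr = 1, lower = 0, normal = x > 1; the page does not fix these), assumes that both endpoints of an updated edge are the "updated nodes" marked for re-detection, and uses a constructed two-tenant scenario.

```python
from collections import deque

# Assumed numeric marks for the user-group grade L (the page leaves the
# definition of level_n open): uppr -> 1, lower -> 0, normal -> x > 1.
UPPR, LOWER = 1, 0


class IsolationGraph:
    """Directed graph G = (V, E, C) stored as a 2-D adjacency matrix A."""

    def __init__(self):
        self.A = []             # A[i][j] == 1 iff c_{i,j} = 1, i.e. v_i may access v_j
        self.tenant = []        # f(n): tenant of node n
        self.level = []         # y(n): user-group mark of node n
        self.alive = []         # False once the node is marked del = -1
        self.detect = deque()   # queue Detect of nodes awaiting detection

    def nodes(self):
        return [n for n in range(len(self.A)) if self.alive[n]]   # nodes still in play

    def add_node(self, tenant, level):
        """Point insertion: grow A by one all-zero row and column (mark it at runtime)."""
        new = len(self.A)
        for row in self.A:
            row.append(0)                   # A[k][new] = 0
        self.A.append([0] * (new + 1))      # A[new][k] = 0
        self.tenant.append(tenant)
        self.level.append(level)
        self.alive.append(True)
        return new

    def delete_node(self, n):
        """Point deletion: mark the node failed; it is skipped from now on."""
        self.alive[n] = False

    def mark(self, n):
        """Mark n as a node to be detected: insert at the tail of Detect."""
        if n not in self.detect:
            self.detect.append(n)

    def set_edge(self, i, j, connected):
        """Edge insertion (connected=True) or deletion: c_{i,j} -> A[i][j]."""
        self.A[i][j] = 1 if connected else 0
        self.mark(i)   # assumption: both endpoints of an updated edge
        self.mark(j)   # are re-detected

    def check(self, det):
        """Benchmarks (21) and (22) for v_det over every live v_k with A[k][det] = 1.
        Returns (kind, k, det) tuples: v_k may reach v_det in violation of kind."""
        found = []
        sources = [k for k in self.nodes() if self.A[k][det] == 1]
        for k in sources:                       # tenant isolation: f(k) = f(det)
            if self.tenant[k] != self.tenant[det]:
                found.append(("tenant", k, det))
        yd = self.level[det]
        for k in sources:                       # user-group rule as stated on the page
            yk = self.level[k]
            allowed = (yk == yd > 0) or (yk == UPPR and yd != UPPR) \
                or (yk != LOWER and yd == LOWER)
            if not allowed:
                found.append(("user_group", k, det))
        return found

    def run_detection(self):
        """Steps (42)/(52): read Detect from the head until empty, checking each node."""
        found = []
        while self.detect:
            det = self.detect.popleft()
            if self.alive[det]:
                found.extend(self.check(det))
        return found

    def initial_detection(self):
        """Steps (41)+(42): mark every node of G_init, then run detection."""
        for n in self.nodes():
            self.mark(n)
        return self.run_detection()


def demo():
    """Constructed scenario: tenant A with uppr/normal/lower groups, tenant B with a normal group."""
    g = IsolationGraph()
    a_up = g.add_node("tenantA", UPPR)
    a_norm = g.add_node("tenantA", 2)
    a_low = g.add_node("tenantA", LOWER)
    b_norm = g.add_node("tenantB", 2)
    g.A[a_up][a_norm] = 1              # step (3): c_{i,j} = 1 read from the initial configuration
    g.A[a_norm][a_low] = 1
    initial = g.initial_detection()
    g.set_edge(b_norm, a_norm, True)   # runtime: a policy lets tenant B reach tenant A
    g.set_edge(a_low, a_norm, True)    # runtime: a policy lets a lower group reach a normal group
    runtime = g.run_detection()
    g.delete_node(b_norm)              # remediation: offending instance deleted ...
    g.set_edge(a_low, a_norm, False)   # ... and offending policy withdrawn
    after_fix = g.run_detection()
    return initial, runtime, after_fix
```

Calling demo() walks through the intended life cycle: the initial state passes, the two faulty security policies created at runtime yield one tenant violation and one user-group violation at the same node, and once the offending instance is deleted and the policy withdrawn, re-detection of the marked nodes is clean. A deleted node is excluded both as v_det and as v_k, which is what setting del = -1 achieves in the patent.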
By adopting the above technical scheme, the invention has the following characteristics:
(1) The method models the configuration state of the multi-tenant cloud platform as a graph, establishes a detection benchmark based on tenant security isolation and a detection benchmark based on user-group security isolation, and then performs security isolation detection, so that potential isolation failures, and the harm they threaten to cause to tenants in the cloud, are discovered in time.
(2) By means of the active security isolation detection method proposed by the invention, potential isolation-failure threats that may exist in a dynamically changing cloud environment can be detected, making up for the deficiencies of existing methods and improving the security capability of multi-tenant cloud platforms.
Brief description of the drawings
Fig. 1 shows a flow diagram of the active detection method for multi-tenant cloud platform security isolation provided by the invention;
Fig. 2 shows a system platform architecture diagram provided in an embodiment of the invention;
Fig. 3 shows an implementation framework diagram of the active detection method for multi-tenant cloud platform security isolation provided in an embodiment of the invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings of the embodiments. It should be understood that the specific embodiments described here are only used to explain the invention and are not intended to limit it. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
At present, with the rapid development and change of IT-infrastructure technologies, the container engine Docker, based on lightweight virtualization technology, is used by more and more companies in every industry. A container is a new virtualization technology that uses mechanisms supported by the Linux kernel itself, such as namespaces and cgroups, to isolate environments and resources; it is highly flexible and convenient to deploy. By integrating a distributed container cluster management solution, of which Kubernetes is representative, a PaaS cloud whose goal is to provide services can be built on container technology.
The present embodiment builds a cloud platform on the container engine Docker, manages the container cluster with Kubernetes, manages the container cluster network with the Calico layer-3 networking project and, combining the NameSpace labels and the Network Policy mechanism provided by the Kubernetes platform, realises the tenant network isolation requirement of the cloud platform; the consistent store etcd is deployed to coordinate the work of the platform nodes.
Based on the above implementation environment, the embodiment applies the proposed isolation detection method to the container cloud platform and performs security isolation detection for tenant networks. In this embodiment, all users in the cloud are assigned, at the management granularity, to several groups; each group is called a tenant, and a tenant may in turn contain user groups. Users in the cloud are therefore divided into three classes: cloud platform administrators, tenant administrators and ordinary users.
Fig. 2 is a schematic diagram of the platform architecture of the embodiment. The embodiment comprises five steps.
(1) Defining the graph model. In the PaaS cloud environment built on a Kubernetes cluster, a virtual node is called a Pod, so the Pod is taken as the basic node unit of cloud platform management, and the directed graph model G of the state of every user node in the cloud platform is built:
G = (V, E, C)
V denotes the set of nodes that provide services in the cloud platform; any node in the set satisfies v_i ∈ V. E denotes the set of edges between nodes; any edge e_{i,j} in the set indicates that node v_i may access another node v_j, e_{i,j} ∈ E. C denotes the connectivity relation between nodes; c_{i,j} denotes the connectivity relation between nodes v_i and v_j, c_{i,j} ∈ C. i and j denote the identifiers of the two nodes.
When constructing the directed graph model, if c_{i,j} = 1 the edge e_{i,j} is considered to exist between v_i and v_j in G; if c_{i,j} = 0 no edge e_{i,j} exists between v_i and v_j. The directed graph model G is stored as a two-dimensional adjacency matrix A, denoted as:
(2) Defining the detection benchmarks: in a multi-tenant cloud platform there are multiple tenants managed by the administrator, and nodes belonging to different tenants must not be able to initiate unauthorized access to one another; inside each tenant there are multiple user groups, managed by the administrator or the tenant administrator, and nodes belonging to different user groups must not be able to initiate unauthorized access. Security isolation therefore comprises two classes of scenario: first, security isolation between different tenants, for which it must be verified whether a potential threat of unauthorized access exists between tenants; second, security isolation between different user groups within the same tenant, for which it must be verified whether a potential threat of unauthorized access exists between user groups within the same tenant. For these two scenarios, a detection benchmark based on tenant security isolation and a detection benchmark based on user-group security isolation are defined respectively.
(21) Detection benchmark based on tenant security isolation: when an attacker obtains administrator privileges, or there is a malicious administrator inside the multi-tenant cloud platform, the configuration of the platform can be maliciously tampered with so that nodes that originally belong to different tenants can initiate unauthorized access to one another, and tenant security isolation is destroyed. Therefore the correct mapping f between tenants and nodes is established as the detection benchmark for tenant security isolation. If n denotes the identifier of a node and tenant_n denotes the identifier of the tenant of the node identified by n, the mapping is denoted as:
f(n) = tenant_n
(22) Detection benchmark based on user-group security isolation: for the user groups belonging to the same tenant in the multi-tenant cloud platform, L is defined as the user-group grade, and L can take the value uppr, normal or lower. A user group with L = uppr may access all non-uppr user groups and cannot be accessed by other user groups; user groups with L = normal and the same mark value x may access one another, where x is an integer greater than zero; a user group with L = lower can be accessed by all user groups and cannot initiate access. For a node in a user group, if n denotes the identifier of the node and level_n denotes the mark value of the node identified by n, the mark value level_n of node n is defined as:
When an attacker obtains administrator or tenant-administrator privileges, or there is a malicious administrator or malicious tenant administrator inside the multi-tenant cloud platform, the grade configuration of the user groups can be maliciously tampered with so that nodes of user groups of different grades can initiate unauthorized access to one another, and user-group security isolation is destroyed. Therefore the correct mapping y between each user group and its nodes within the same tenant is established as the detection benchmark for user-group security isolation, denoted as:
y(n) = level_n
(3) Generating the initial state: the configuration data of all nodes in the multi-tenant cloud platform is collected in the initial state. According to the directed graph model G = (V, E, C) defined in step (1), the configuration data is traversed and the connectivity relation c_{i,j} ∈ C between the currently traversed node v_i and every other node v_j is recorded: if v_i is connected to v_j then c_{i,j} = 1, otherwise c_{i,j} = 0. The graph model G_init based on the initial state is then built according to the definition in step (1).
In this embodiment the data source is every node in the container cloud cluster, and the specific data collected comprise: the NameSpace label of the node; the Role label of the node; the isolation policy corresponding to the node's Role label; and the timestamp corresponding to the current network state.
The resulting data set is shown in Table 1, which gives a sample of multi-tenant cloud platform node configuration data.
Table 1. Sample multi-tenant cloud platform node configuration data
In Table 1 the configuration of the Namespace attribute is provided through the interface of the Namespace isolation mechanism of the Kubernetes platform, and the setting of the Role attribute is provided through the interface of the Network Policy mechanism of the Kubernetes platform.
The directed state graph G_init can then be constructed and its adjacency matrix obtained:
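How the data collected in this embodiment (NameSpace label, Role label, the isolation policy attached to the Role label, and a timestamp) can be traversed into the adjacency matrix of G_init together with the mappings f and y, as an added example written for this page rather than the patent's or Kubernetes' own code. The Pod and policy records are constructed; the simplified policy format (target namespace, target role, source namespace, source role), its meaning (Pods carrying the source labels may reach Pods carrying the target labels) and the role-to-grade mapping are assumptions, since the page gives neither Table 1 nor the matrix.

```python
from typing import Dict, List, Tuple

# Assumed mapping from the Role label to the user-group grade L, with the
# numeric marks uppr -> 1, normal -> 2, lower -> 0 (the page leaves level_n open).
ROLE_LEVEL = {"uppr": 1, "normal": 2, "lower": 0}

Pod = Tuple[str, str, str]            # (pod name, NameSpace label, Role label)
Policy = Tuple[str, str, str, str]    # (target ns, target role, source ns, source role)


def build_initial_state(pods: List[Pod], policies: List[Policy], timestamp: str) -> Dict:
    """Step (3): traverse the configuration and record c_{i,j} for every ordered pair.

    A[i][j] = 1 when some isolation policy allows the labels of pod i to reach the
    labels of pod j; the Pod's own NameSpace gives f(n) and its Role gives y(n).
    """
    n = len(pods)
    A = [[0] * n for _ in range(n)]
    for i, (_, src_ns, src_role) in enumerate(pods):
        for j, (_, dst_ns, dst_role) in enumerate(pods):
            if i == j:
                continue                      # no self edges in the model
            if (dst_ns, dst_role, src_ns, src_role) in policies:
                A[i][j] = 1                   # v_i may access v_j
    return {
        "timestamp": timestamp,
        "ids": [name for name, _, _ in pods],
        "A": A,
        "f": [ns for _, ns, _ in pods],                  # f(n) = tenant_n
        "y": [ROLE_LEVEL[role] for _, _, role in pods],  # y(n) = level_n
    }


# Constructed sample in the shape of Table 1: three Pods across two tenants.
SAMPLE_PODS: List[Pod] = [
    ("pod1", "tenant-a", "uppr"),
    ("pod2", "tenant-a", "normal"),
    ("pod3", "tenant-b", "normal"),
]
# Constructed isolation policies keyed by Role label; the last one crosses tenants,
# which is exactly the kind of entry the tenant benchmark is meant to catch.
SAMPLE_POLICIES: List[Policy] = [
    ("tenant-a", "normal", "tenant-a", "uppr"),
    ("tenant-a", "normal", "tenant-a", "normal"),
    ("tenant-b", "normal", "tenant-a", "normal"),
]

if __name__ == "__main__":
    state = build_initial_state(SAMPLE_PODS, SAMPLE_POLICIES, "2024-01-01T00:00:00Z")
    for name, row in zip(state["ids"], state["A"]):
        print(name, row)
```

The returned matrix is the G_init that steps (4) and (5) consume; the timestamp is carried along so that a later G_time can be tied to the configuration snapshot it was derived from.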
(4) benchmark, digraph G described in detecting step (3) initial isolation detection: are detected described in foundation step (2)init Whether security isolation is met, and detection process includes initialization vertex ticks and initialization two stages of nodal test:
(41) vertex ticks process is initialized are as follows: successively traversal step (3) the digraph GinitIn all nodes.Time It is node to be detected by current accessed vertex ticks, and be inserted into queue Detect to be detected from tail end during going through.
Detect={ pod1, pod2, pod3 }
(42) Initial node detection: read nodes from the head of the queue Detect one at a time until the queue is empty, denoting the node currently read v_det. Detect whether v_det satisfies the security isolation requirements and, once the detection is complete, remove v_det from the head of Detect. The detection consists of the tenant security isolation detection executed against benchmark (21) and the user group security isolation detection executed against benchmark (22).
Tenant security isolation detection is executed first: traverse all nodes of the graph G_init of step (3), denoting the node currently traversed v_k, with k its node identifier. For every v_k with adjacency matrix entry A[k][det]=1 (step (1)), i.e. every node that can reach v_det, f(det)=f(k) of step (2) must hold; v_det satisfies tenant security isolation if and only if this holds for all such k.
Then the state detection based on the regional security domain (user group) is executed: traverse all nodes of G_init again, denoting the current node v_k. For every v_k with A[k][det]=1, the levels of step (2) must satisfy one of y(k)=y(det)>0, or y(k)=1 and y(det)!=1, or y(k)!=0 and y(det)=0; only if this holds for all such k can v_det be judged to satisfy user group security isolation. Read against the level definitions of benchmark (22), an access is legitimate only between nodes of the same positive level, from an uppr node to a non-uppr node, or from a non-lower node to a lower node.
(5) Runtime isolation detection: denote the current runtime moment as time. If at moment time the administrator or a tenant administrator performs a configuration operation on the cloud platform that changes the state of the directed graph, the current directed graph is denoted G_time and, according to the detection benchmark of step (2), it is detected whether the updated G_time still satisfies the security isolation requirements. Detection has two stages, node marking on update and node detection on update:
(51) Node marking on update: the configuration operations of step (5) are creating an instance, deleting an instance, creating a security policy and deleting a security policy. When the administrator or a tenant administrator performs one of these operations, the graph model G_time is updated incrementally. The incremental update falls into the following four cases:
Edge insertion: when the creation or deletion of a security policy makes node v_i of the graph model G_time of step (5) able to access v_j, set the connectivity relation c_{i,j}=1 of step (1), giving adjacency matrix entry A[i][j]=1; this performs the edge insertion.
Edge deletion: when the creation or deletion of a security policy makes node v_i of G_time unable to access v_j, set c_{i,j}=0, giving A[i][j]=0; this performs the edge deletion.
Vertex insertion: when a new instance is created, insert a new node v_new into G_time, with new its node identifier. With k ranging over the identifiers of the other nodes of G_time, initialise the adjacency matrix entries A[new][k]=0 and A[k][new]=0 of step (1). When v_new can access v_k, set c_{new,k}=1, giving A[new][k]=1; when v_k can access v_new, set c_{k,new}=1, giving A[k][new]=1. This performs the vertex insertion.
Vertex deletion: when an instance is deleted, locate the node corresponding to that instance in G_time, denoted v_del with del its node identifier. Setting del=-1 marks v_del as invalid so that it no longer takes part in detection; this performs the vertex deletion.
For example, if the tenant administrator changes the Ingress attribute of pod3 in Table 1 to "{}", the adjacency matrix of G_time becomes:
The updated node is then appended at the tail of the queue Detect: since pod3 is the node that was updated, it is marked as a node to be detected and added to Detect.
Detect={ pod3 }
(52) Node detection on update: read nodes from the head of the queue Detect one at a time until the queue is empty, denoting the node currently read v_det. Detect whether v_det satisfies the security isolation requirements and, once the detection is complete, remove v_det from the head of Detect. The detection consists of the tenant security isolation detection executed against benchmark (21) and the user group security isolation detection executed against benchmark (22).
Tenant security isolation detection is executed first: traverse all nodes of the graph G_time of step (5), denoting the node currently traversed v_k, with k its node identifier. For every v_k with adjacency matrix entry A[k][det]=1 (step (1)), f(det)=f(k) of step (2) must hold; v_det satisfies tenant security isolation if and only if this holds for all such k.
Then the state detection based on the regional security domain (user group) is executed: traverse all nodes of G_time again, denoting the current node v_k. For every v_k with A[k][det]=1, one of y(k)=y(det)>0, or y(k)=1 and y(det)!=1, or y(k)!=0 and y(det)=0 of step (2) must hold; only if this holds for all such k can v_det be judged to satisfy user group security isolation.
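An added example, not the patent's own code, that runs the detection of steps (4) and (5) end to end over the graph model: the tenant benchmark f(n), the user-group level benchmark y(n) with the three-clause level test, the queue Detect, and the four incremental-update cases of step (51). The node names, tenants and matrices are constructed to mirror the pod1/pod2/pod3 scenario above; the numeric level encoding (uppr = 1, normal = x > 1 with one value per normal group, lower = 0) is an assumption, since the page does not reproduce the definition of level_n, and re-marking the target of every changed edge is this example's reading of which nodes count as "updated":

```python
"""Active isolation detection over the patent's directed graph model: adjacency matrix A with
A[k][det] = 1 when v_k can access v_det, tenant mapping f(n), user-group level mapping y(n),
the FIFO queue Detect, and the incremental update of G_time. Added example, not the patent's
own code. Assumed level encoding (the definition of level_n is not reproduced on the page):
uppr = 1, normal = x > 1 with one value per normal group, lower = 0; under this encoding the
three-clause level test reads exactly as the access rules of benchmark (22)."""
from collections import deque


def level_rule(y_k, y_det):
    """Test for an access v_k -> v_det: same positive level, uppr to non-uppr, or non-lower
    to lower. Everything else (normal -> uppr, lower -> anything, normal x -> normal x')
    breaks user group security isolation."""
    return (y_k == y_det > 0) or (y_k == 1 and y_det != 1) or (y_k != 0 and y_det == 0)


class IsolationGraph:
    def __init__(self, nodes, tenant, level, A):
        self.nodes = list(nodes)               # identifiers; position = matrix row/column
        self.f = dict(tenant)                  # f(n) = tenant_n   (benchmark 21)
        self.y = dict(level)                   # y(n) = level_n    (benchmark 22)
        self.A = [row[:] for row in A]         # A[i][j] = c_{i,j}
        self.valid = {n: True for n in nodes}  # vertex deletion flags a node invalid
        self.detect = deque()                  # queue Detect: mark at tail, read from head

    def mark(self, node):
        if node not in self.detect:
            self.detect.append(node)

    def sources(self, det):
        """Valid v_k with A[k][det] = 1: every node that can reach v_det."""
        d = self.nodes.index(det)
        return [k for k in self.nodes if self.valid[k] and self.A[self.nodes.index(k)][d] == 1]

    def tenant_isolated(self, det):
        return all(self.f[k] == self.f[det] for k in self.sources(det))

    def group_isolated(self, det):
        return all(level_rule(self.y[k], self.y[det]) for k in self.sources(det))

    def run_detection(self):
        """Steps (42)/(52): read from the head of Detect until it is empty; report breaches."""
        breaches = {}
        while self.detect:
            det = self.detect.popleft()
            if not self.valid[det]:
                continue
            t_ok, g_ok = self.tenant_isolated(det), self.group_isolated(det)
            if not (t_ok and g_ok):
                breaches[det] = {"tenant": t_ok, "group": g_ok}
        return breaches

    def initial_detection(self):
        """Steps (41)/(42): every node of G_init is marked, then detected in order."""
        for n in self.nodes:
            self.mark(n)
        return self.run_detection()

    # Incremental update of G_time (step 51). Detection inspects the edges *into* v_det, so
    # the nodes re-marked are those whose incoming edges changed (this reading of which
    # nodes count as "updated" is an assumption of the example).
    def set_edge(self, i, j, c):
        """Edge insertion (c = 1) or edge deletion (c = 0) after a security-policy change."""
        self.A[self.nodes.index(i)][self.nodes.index(j)] = c
        self.mark(j)

    def insert_vertex(self, new, tenant, level, reaches=(), reached_by=()):
        """Vertex insertion: fresh row and column initialised to 0, then c_{new,k}, c_{k,new} set."""
        self.nodes.append(new)
        self.f[new], self.y[new], self.valid[new] = tenant, level, True
        for row in self.A:
            row.append(0)
        self.A.append([0] * len(self.nodes))
        for k in reaches:
            self.set_edge(new, k, 1)
        for k in reached_by:
            self.set_edge(k, new, 1)
        self.mark(new)

    def delete_vertex(self, node):
        """Vertex deletion: the node is flagged invalid and ignored by later detection; the
        nodes it could reach are re-marked because their set of sources shrank."""
        self.valid[node] = False
        for k in self.nodes:
            if self.A[self.nodes.index(node)][self.nodes.index(k)] == 1:
                self.mark(k)


def demo():
    """Constructed scenario mirroring the embodiment: pod1 and pod2 in tenant a, pod3 in
    tenant b. In G_init only pod1 (uppr) -> pod2 (normal) is allowed; then tenant b's
    administrator opens pod3's ingress to everyone, so tenant a's pods can reach it."""
    g = IsolationGraph(
        nodes=["pod1", "pod2", "pod3"],
        tenant={"pod1": "a", "pod2": "a", "pod3": "b"},
        level={"pod1": 1, "pod2": 2, "pod3": 2},
        A=[[0, 1, 0],
           [0, 0, 0],
           [0, 0, 0]],
    )
    before = g.initial_detection()     # no breach in G_init
    g.set_edge("pod1", "pod3", 1)      # the "{}" ingress change: two edge insertions into pod3
    g.set_edge("pod2", "pod3", 1)
    after = g.run_detection()          # Detect = {pod3}; tenant isolation of pod3 is broken
    return before, after


if __name__ == "__main__":
    print(demo())
```

The demo reproduces the embodiment's runtime case: G_init passes, the two edge insertions into pod3 put only pod3 on the queue, and the tenant check on pod3 fails because its new sources pod1 and pod2 belong to tenant a. Note the asymmetry the level test encodes: lower nodes may be reached but may not reach anything, and uppr nodes may reach everything but be reached only by nodes of their own level.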
The above embodiments are provided only to describe the present invention and are not intended to limit its scope. The scope of the invention is defined by the following claims. Any equivalent substitutions and modifications that do not depart from the spirit and principles of the invention fall within its scope.

Claims (4)

1. An active detection method for multi-tenant cloud platform security isolation, characterised in that it comprises the following steps:
(1) Defining the graph model: define a directed graph model G=(V, E, C) containing every node of the multi-tenant cloud platform, where V is the set of nodes that provide services in the cloud platform, with every node satisfying v_i ∈ V; E is the set of edges between nodes, where an edge e_{i,j} ∈ E indicates that node v_i can access node v_j; and C is the set of connectivity relations between nodes, where c_{i,j} ∈ C is the connectivity relation between v_i and v_j and i, j are the identifiers of the two nodes;
When constructing the directed graph model, if c_{i,j}=1 the edge e_{i,j} between v_i and v_j is considered to exist in G, and if c_{i,j}=0 there is no edge e_{i,j} between v_i and v_j; the directed graph model G is stored as a two-dimensional adjacency matrix, denoted A, with A[i][j]=c_{i,j};
(2) Defining the detection benchmark: in a multi-tenant cloud platform there are several tenants, managed by the administrator, and nodes belonging to different tenants must not be able to initiate unauthorised access to one another; within each tenant there are several user groups, managed by the administrator or the tenant administrator, and nodes belonging to different user groups must not be able to initiate unauthorised access; security isolation therefore covers two scenarios: first, security isolation between different tenants, for which it must be verified whether a potential threat of unauthorised access exists between tenants; second, security isolation between different user groups of the same tenant, for which it must be verified whether a potential threat of unauthorised access exists between user groups of the same tenant; for these two scenarios a detection benchmark based on tenant security isolation and a detection benchmark based on user group security isolation are defined respectively;
(21) Detection benchmark based on tenant security isolation: when an attacker obtains administrator privileges, or a malicious administrator exists inside the multi-tenant cloud platform, the configuration of the platform can be maliciously tampered with so that nodes originally belonging to different tenants can initiate unauthorised access to one another, breaking tenant security isolation; the correct mapping f from nodes to tenants is therefore established as the detection benchmark for tenant security isolation; with n the identifier of a node and tenant_n the identifier of the tenant of the node identified by n, the mapping is written:
f(n) = tenant_n
(22) Detection benchmark based on user group security isolation: for user groups belonging to the same tenant of the multi-tenant cloud platform, define L as the user group level, with L taking one of the values uppr, normal or lower; a user group with L=uppr can access all non-uppr user groups and cannot be accessed by other user groups; a user group with L=normal can exchange visits with every user group whose L is normal and whose mark value is the same x, with x an integer greater than zero; a user group with L=lower can be accessed by all user groups but cannot initiate access; for a node in a user group, with n the node identifier, level_n denotes the mark value of the node identified by n, and the mark value level_n of node n is defined as:
When an attacker obtains administrator or tenant administrator privileges, or a malicious administrator or malicious tenant administrator exists inside the multi-tenant cloud platform, the level configuration of the user groups can be maliciously tampered with so that nodes of user groups of different levels initiate unauthorised access to one another, breaking user group security isolation; the correct mapping y from nodes to the user groups of the same tenant is established as the detection benchmark for user group security isolation, written:
y(n) = level_n
(3) Initial state generation: collect the configuration data of all nodes of the multi-tenant cloud platform in its initial state; following the directed graph model G=(V, E, C) defined in step (1), traverse the configuration data and record the connectivity relation c_{i,j} ∈ C between the node v_i currently traversed and every other node v_j; if v_i can reach v_j then c_{i,j}=1, otherwise c_{i,j}=0; the graph model G_init of the initial state is then built from the definition of step (1);
(4) Initial isolation detection: using the detection benchmark of step (2), detect whether the directed graph G_init of step (3) satisfies security isolation, the detection having two stages, initial node marking and initial node detection:
(41) Initial node marking: traverse all nodes of the directed graph G_init of step (3) in order; during the traversal each node visited is marked as a node to be detected and appended at the tail of the detection queue Detect;
(42) Initial node detection: read nodes from the head of the queue Detect one at a time until the queue is empty, denoting the node currently read v_det; detect whether v_det satisfies the security isolation requirements and, once the detection is complete, remove v_det from the head of Detect; the detection consists of the tenant security isolation detection executed against benchmark (21) and the user group security isolation detection executed against benchmark (22);
(5) Runtime isolation detection: denote the current runtime moment as time; if at moment time the administrator or a tenant administrator performs a configuration operation on the cloud platform that changes the state of the directed graph, the current directed graph is denoted G_time and, according to the detection benchmark of step (2), it is detected whether the updated G_time still satisfies the security isolation requirements, the detection having two stages, node marking on update and node detection on update:
(51) Node marking on update: the configuration operations of step (5) comprise creating an instance, deleting an instance, creating a security policy and deleting a security policy; when the administrator or a tenant administrator performs one of these operations, the graph model G_time is updated incrementally, and the updated nodes are marked as nodes to be detected and appended at the tail of the queue Detect;
(52) Node detection on update: read nodes from the head of the queue Detect one at a time until the queue is empty, denoting the node currently read v_det; detect whether v_det satisfies the security isolation requirements and, once the detection is complete, remove v_det from the head of Detect; the detection consists of the tenant security isolation detection executed against benchmark (21) and the user group security isolation detection executed against benchmark (22).
2. The active detection method for multi-tenant cloud platform security isolation according to claim 1, characterised in that the incremental update of the graph model G_time in step (51), when implemented, comprises the following four cases, with i, j denoting node identifiers:
Edge insertion: when the creation or deletion of a security policy makes node v_i of the graph model G_time of step (5) able to access v_j, set the connectivity relation c_{i,j}=1 of step (1), giving adjacency matrix entry A[i][j]=1; this performs the edge insertion;
Edge deletion: when the creation or deletion of a security policy makes node v_i of G_time unable to access v_j, set c_{i,j}=0, giving A[i][j]=0; this performs the edge deletion;
Vertex insertion: when a new instance is created, insert a new node v_new into G_time, with new its node identifier; with k ranging over the identifiers of the other nodes of G_time, initialise the adjacency matrix entries A[new][k]=0 and A[k][new]=0 of step (1); when v_new can access v_k, set c_{new,k}=1, giving A[new][k]=1; when v_k can access v_new, set c_{k,new}=1, giving A[k][new]=1; this performs the vertex insertion;
Vertex deletion: when an instance is deleted, locate the node corresponding to that instance in G_time, denoted v_del with del its node identifier; setting del=-1 marks v_del as invalid so that it no longer takes part in detection; this performs the vertex deletion.
3. The active detection method for multi-tenant cloud platform security isolation according to claim 1, characterised in that the tenant security isolation detection of steps (42) and (52) detects, according to the detection benchmark based on tenant security isolation of step (2), whether the node v_det read from the head of the queue Detect in steps (42) and (52) satisfies tenant security isolation; the detection process for node v_det is: traverse all nodes of the graph G_init of step (3) or of the graph G_time of step (5), denoting the node currently traversed v_k with k its node identifier; for each v_k for which adjacency matrix entry A[k][det]=1 of step (1), f(det)=f(k) of step (2) must hold, and only when it holds for every such v_k can node v_det be judged to satisfy tenant security isolation.
4. The active detection method for multi-tenant cloud platform security isolation according to claim 1, characterised in that the user group security isolation detection of steps (42) and (52) detects, according to the detection benchmark based on user group security isolation of step (2), whether the node v_det read from the head of the queue Detect in steps (42) and (52) satisfies user group security isolation; the detection process for node v_det is: traverse all nodes of the graph G_init of step (3) or of the graph G_time of step (5), denoting the node currently traversed v_k with k its node identifier; for each v_k for which adjacency matrix entry A[k][det]=1 of step (1), one of y(k)=y(det)>0, or y(k)=1 and y(det)!=1, or y(k)!=0 and y(det)=0 of step (2) must hold, and only when this holds for every such v_k can node v_det be judged to satisfy user group security isolation.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811473272.8A CN109412866B (en) 2018-12-04 2018-12-04 Active detection method for multi-tenant cloud platform security isolation

Publications (2)

Publication Number Publication Date
CN109412866A true CN109412866A (en) 2019-03-01
CN109412866B CN109412866B (en) 2020-07-28

Family

ID=65456980

Country Status (1)

Country Link
CN (1) CN109412866B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8839345B2 (en) * 2008-03-17 2014-09-16 International Business Machines Corporation Method for discovering a security policy
CN104092565A (en) * 2014-06-24 2014-10-08 复旦大学 Multi-tenant policy-driven type software-defined networking method for cloud data center
CN106569895A (en) * 2016-10-24 2017-04-19 华南理工大学 Construction method of multi-tenant big data platform based on container
CN107104963A (en) * 2017-04-25 2017-08-29 华中科技大学 Towards the trusted controller framework and its operating method of cloud environment multi-tenant network
US20170261264A1 (en) * 2017-05-25 2017-09-14 Northeastern University Fault diagnosis device based on common information and special information of running video information for electric-arc furnace and method thereof
CN107689953A (en) * 2017-08-18 2018-02-13 中国科学院信息工程研究所 A kind of vessel safety monitoring method and system towards multi-tenant cloud computing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Kun: Research on Cloud Data Privacy Protection Mechanisms for Multi-tenant Applications, PhD thesis, Shandong University *

Also Published As

Publication number Publication date
CN109412866B (en) 2020-07-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant