计算机应用 (Journal of Computer Applications) ›› 2017, Vol. 37 ›› Issue (12): 3442-3446. DOI: 10.11772/j.issn.1001-9081.2017.12.3442

• Cyberspace Security •

A dynamic defense method for Web servers based on Linux namespaces

CHEN Gang1,2, GUO Yudong1,2, WEI Xiaofeng2

  1. Information Engineering University, Zhengzhou 450001, China;
  2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
  • Received: 2017-06-12  Revised: 2017-08-02  Online: 2017-12-10  Published: 2017-12-18
  • Corresponding author: CHEN Gang
  • About the authors: CHEN Gang (1992-), male, born in Minquan, Henan, M.S. candidate; research interests: system security, cloud computing. GUO Yudong (1964-), male, born in Taikang, Henan, professor, M.S.; research interests: operating systems, virtualization. WEI Xiaofeng (1985-), male, born in Zaozhuang, Shandong, M.S.; research interests: information security.

Dynamic defense method of Web server based on Linux namespace

CHEN Gang1,2, GUO Yudong1,2, WEI Xiaofeng2   

  1. Information Engineering University, Zhengzhou Henan 450001, China;
  2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Henan 450001, China
  • Received: 2017-06-12  Revised: 2017-08-02  Online: 2017-12-10  Published: 2017-12-18

Abstract (translated from the Chinese): Web servers are widely deployed on cloud computing platforms represented by Docker containers and face serious security challenges. To improve the defensive capability of such Web servers, a dynamic defense method for Web servers based on Linux namespaces is proposed. Under the precondition that the Web service keeps working normally, the method first builds the Web server's running environment with namespaces; second, it alternates between multiple such environments so that the Web server is transformed dynamically, confusing the intruder and raising the difficulty of attacking the server; finally, it periodically and proactively destroys and rebuilds the Web server's running environment to eliminate the effect of any intrusion on the server, thereby effectively improving the Web server's dynamic defense capability. Experimental results show that the proposed method effectively enhances the security of the Web server while having very little impact on system performance: the time overhead added to a 100 KB request-response is 0.02~0.07 ms.

Keywords: container, Linux namespace, dynamic defense, virtualization

Abstract: Web servers are widely deployed on cloud computing platforms represented by Docker containers and face serious security challenges. In order to improve the security and defense capability of such Web servers, a dynamic defense method for Web servers based on Linux namespaces was proposed. Firstly, the running environment of the Web server was built using namespaces, on the premise that the Web service keeps working normally. Then, the dynamic transformation of the Web server was realized by the alternate running of multiple environments to confuse the intruder, which increased the difficulty of attacking the Web server. Finally, the running environment of the Web server was periodically deleted and rebuilt to eliminate the impact of intrusion behavior on the Web server, and ultimately the dynamic defense capability of the Web server was effectively improved. The experimental results show that the proposed method can effectively enhance the security of the Web server while having little effect on system performance; the added response time for a 100 KB request is 0.02-0.07 ms.

Key words: container, Linux namespace, dynamic defense, virtualization
