Journal of Computer Applications, 2022, Vol. 42, Issue 6: 1932-1940. DOI: 10.11772/j.issn.1001-9081.2021040595

• Cyber security

Design and implementation method of mimic cloud agent based on active-standby monitoring

Qiaoyu GUO, Fucai CHEN, Guozhen CHENG, Wei ZENG, Yuqiang XIAO

  1. National Digital Switching System Engineering and Technology Research Center, Zhengzhou, Henan 450002, China
  • Received: 2021-04-15; Revised: 2021-07-09; Accepted: 2021-07-09; Online: 2022-06-22; Published: 2022-06-10
  • Contact: Qiaoyu GUO
  • About authors: CHEN Fucai, born in 1974, M.S., research fellow. His research interests include network communication and network active defense.
    CHENG Guozhen, born in 1986, Ph.D., associate professor. His research interests include cyber security and cloud data security.
    ZENG Wei, born in 1997, M.S. candidate. His research interests include network active defense.
    XIAO Yuqiang, born in 1997, M.S. candidate. His research interests include software diversification and network active defense.
  • Supported by: National Natural Science Foundation of China (62072467)

Design and implementation method of mimic cloud agent based on active-standby monitoring (translated from the Chinese title)

Qiaoyu GUO, Fucai CHEN, Guozhen CHENG, Wei ZENG, Yuqiang XIAO

  1. National Digital Switching System Engineering and Technology Research Center, Zhengzhou 450002, China
  • Corresponding author: Qiaoyu GUO
  • About authors: GUO Qiaoyu, born in 1997, male, from Shangqiu, Henan, M.S. candidate; research interests: network active defense.
    CHEN Fucai, born in 1974, male, from Gao'an, Jiangxi, research fellow, M.S.; research interests: network communication, network active defense.
    CHENG Guozhen, born in 1986, male, from Heze, Shandong, associate professor, Ph.D.; research interests: cyber security, cloud data security.
    ZENG Wei, born in 1997, male, from Xinyang, Henan, M.S. candidate; research interests: network active defense.
    XIAO Yuqiang, born in 1997, male, from Liaoyuan, Jilin, M.S. candidate; research interests: software diversification, network active defense.
  • Supported by: National Natural Science Foundation of China (62072467)

Abstract:

To address the security threats to, and the single point of failure of, the agent in mimic cloud systems, a highly available mimic cloud agent with active-standby monitoring was proposed. First, an active-standby monitoring mechanism built on the distributed agents of the cloud environment was proposed to construct heterogeneous active and standby agents: the standby agent analyzes a mirrored copy of the traffic reaching the active agent and cross-validates the active agent's output. Second, a synchronous adjudication mechanism for the standby agent and a seamless active-standby switching mechanism were designed on the Data Plane Development Kit (DPDK) platform, providing security reinforcement and performance optimization of the cloud agent. Finally, an active-standby switching decision algorithm was proposed to avoid the waste of resources caused by frequent active/standby switching. Experimental results showed that, compared with an Nginx-based cloud agent, the additional traffic-processing delay of this mimic cloud agent under high concurrency was on the order of milliseconds. The designed method therefore substantially improves the security and stability of the cloud agent and reduces the impact of a single point of failure on its stability.

Key words: mimic defense, cloud agent, active-standby monitoring, cross validation, mimic cloud system
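The standby-side cross-validation and the switching decision described in the abstract, as an added Python model that is not code from the paper: the page does not give the authors' adjudication or switching algorithm, so the mismatch window, threshold, cooldown and the constructed fault schedule below are assumptions.

```python
from collections import deque

def make_agent(name, faulty_at=()):
    # Constructed request handler standing in for one heterogeneous agent:
    # it answers a path lookup, but at the listed call numbers it returns a
    # corrupted response (simulating a compromised or faulty agent).
    calls = {"n": 0}
    faulty_at = set(faulty_at)

    def handle(path):
        calls["n"] += 1
        if calls["n"] in faulty_at:
            return f"{name}:TAMPERED:{path}"
        return f"200:{path}"
    handle.name = name
    return handle

class ActiveStandbyPair:
    """Active agent serves the client; the standby gets a mirrored copy of each
    request and compares its own output with the active agent's.  Switch rule
    (an assumption, not the paper's algorithm): swap roles only when at least
    `max_mismatch` mismatches fall within the last `window` requests AND at
    least `cooldown` requests were handled since the previous switch."""

    def __init__(self, active, standby, window=5, max_mismatch=2, cooldown=4):
        self.active, self.standby = active, standby
        self.recent = deque(maxlen=window)      # True = output mismatch
        self.max_mismatch, self.cooldown = max_mismatch, cooldown
        self.since_switch = cooldown            # a switch is allowed from the start
        self.switch_log = []                    # (old_active, new_active) pairs

    def handle(self, path):
        served = self.active(path)              # response on the client path
        mirror = self.standby(path)             # standby adjudicates the mirrored copy
        self.recent.append(served != mirror)
        self.since_switch += 1
        if sum(self.recent) >= self.max_mismatch and self.since_switch >= self.cooldown:
            self.switch_log.append((self.active.name, self.standby.name))
            self.active, self.standby = self.standby, self.active
            self.recent.clear()                 # fresh window after the switch
            self.since_switch = 0
            return mirror                       # serve the new active agent's result
        return served

def simulate():
    # Constructed scenario: A is corrupted on its 3rd and 4th call (two mismatches
    # inside the window -> switch to B); B later diverges once on its 8th call,
    # which stays below the threshold, so no flapping back to A.
    pair = ActiveStandbyPair(make_agent("A", {3, 4}), make_agent("B", {8}))
    responses = [pair.handle(f"/r{i}") for i in range(1, 11)]
    return pair.switch_log, responses
```

Note that with only two agents a mismatch shows divergence but not which side is wrong; the first tampered response still reaches the client before the threshold is met, which is why the paper pairs this monitoring with a synchronous adjudication step.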

Abstract (translated from the Chinese version):

To address the security threats and the single-point-of-failure problem of the agent in mimic cloud systems, a highly available mimic cloud agent implementation method with active-standby monitoring is proposed. First, building on the distributed agents of the cloud environment, an active-standby monitoring mechanism is proposed to construct heterogeneous active and standby agents; the standby agent analyzes the traffic reaching the active agent by means of traffic mirroring and cross-validates the output of the active agent. Second, a synchronous adjudication mechanism for the standby agent and a seamless active-standby switching mechanism are designed on the Data Plane Development Kit (DPDK) platform, achieving security reinforcement and performance optimization of the cloud agent. Finally, an active-standby switching decision algorithm is proposed to avoid the resource waste caused by frequent active-standby switching. Analysis of the experimental results shows that, compared with an Nginx-based cloud agent, the traffic-processing delay loss of this mimic cloud agent under high concurrency is at the millisecond level. The design can thus greatly improve the security and stability of the cloud agent and reduce the impact of single points of failure on agent stability.

Key words (translated from the Chinese version): mimic defense, cloud agent, active-standby monitoring, cross validation, mimic cloud system
