[1] HU Hongchao, ZHANG Shuaipu, CHENG Guozhen, et al. ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment [J]. Journal of Zhengzhou University (Engineering Science), 2024, 45(02): 72-79. [doi:10.13705/j.issn.1671-6833.2023.05.009]

ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment

Journal of Zhengzhou University (Engineering Science) [ISSN: 1671-6833 / CN: 41-1339/T]

Volume: 45
Issue: 2024, No. 02
Pages: 72-79
Column: (not given)
Publication date: 2024-03-06

Article Info

Title:
ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment
Author(s):
HU Hongchao (扈红超) 1, ZHANG Shuaipu (张帅普) 2, CHENG Guozhen (程国振) 3, HE Weizhen (何威振) 3
1. Zhongyuan Network Security Research Institute, Zhengzhou University, Zhengzhou 450001, China; 2. School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China; 3. Information Technology Research Institute, University of Information Engineering, Zhengzhou 450001, China
Keywords:
microservices; ReDoS; moving target defense; heterogeneous; regular expression
DOI:
10.13705/j.issn.1671-6833.2023.05.009
Document code:
A
Abstract:
To address the low efficiency and lack of proactive defense in existing countermeasures against Regular Expression Denial of Service (ReDoS) attacks in cloud-native environments, we propose a ReDoS defense method based on Moving Target Defense (MTD) technology. First, starting from the characteristics of microservice applications in cloud-native environments, we analyze the behaviors of both attackers and defenders. Second, we design an MTD-based defense system on top of Kubernetes. The system uses dynamic and static multi-dimensional microservice weight indices, derived from topology information and request arrival rates, together with a service efficiency judgment index based on queueing theory and a rotation-timing selection method, to guide the selection of key microservices and the timing of their rotation. Finally, we present a multi-dimensional MTD heterogeneous rotation algorithm grounded in heterogeneity and service efficiency and evaluate it in a Python simulation. The results show that the proposed algorithm shortens defense latency by approximately 50% compared with dynamic scaling, and that the defense cost levels off after the first attack instead of growing continuously.


Last Update: 2024-03-08