Authors: HU Hongchao; ZHANG Shuaipu; CHENG Guozhen [3]; HE Weizhen (Zhongyuan Network Security Research Institute, Zhengzhou University, Zhengzhou 450001, China; School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China; Information Technology Research Institute, University of Information Engineering, Zhengzhou 450001, China)
Affiliations: [1] Zhongyuan Network Security Research Institute, Zhengzhou University, Zhengzhou 450001, Henan, China; [2] School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, Henan, China; [3] Information Technology Research Institute, University of Information Engineering, Zhengzhou 450001, Henan, China
Source: Journal of Zhengzhou University (Engineering Science), 2024, No. 2, pp. 72-79 (8 pages)
Funding: National Natural Science Foundation of China (2072467); National Key R&D Program of China (2021YFB1006200, 2021YFB1006201).
Abstract: Existing defenses against regular expression denial of service (ReDoS) attacks in cloud-native environments are inefficient and cannot defend proactively. To address this, a ReDoS defense method based on moving target defense (MTD) is proposed. First, the behaviors of the attacker and the defender are analyzed based on the characteristics of microservice applications in cloud-native environments. Second, an MTD-based defense system is designed on Kubernetes, and three components are proposed to guide the selection of key microservices and the timing of their rotation: a dynamic and static multi-dimensional microservice weight index based on topology information and request arrival rate, a service efficiency judgment index based on queueing theory, and a method for choosing the rotation moment. Finally, a multi-dimensional-index MTD heterogeneous rotation algorithm based on heterogeneity degree and service efficiency is given and evaluated by simulation in Python. The results show that the defense latency of the proposed algorithm is about 50% shorter than that of dynamic scaling, and that the defense overhead levels off after the first attack instead of growing continuously.
Keywords: microservices; ReDoS; moving target defense; heterogeneity; regular expressions
Classification: TP301.6 [Automation and Computer Technology: Computer System Architecture]; TP302.1 [Automation and Computer Technology: Computer Science and Technology]; TP302.7