Authors: 石磊 (SHI Lei) [1,2]; 李世博 (LI Shibo); 程国振 (CHENG Guozhen); 高宇飞 (GAO Yufei) (School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450002, China; Songshan Laboratory, Zhengzhou 450052, China; Institute of Information Technology, Information Engineering University, Zhengzhou 450007, China)
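Affiliations: [1] School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450002 [2] Songshan Laboratory, Zhengzhou 450052 [3] Institute of Information Technology, Information Engineering University, Zhengzhou 450007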
Source: Netinfo Security (《信息网络安全》), 2025, Issue 3, pp. 438-450 (13 pages)
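Funding: Henan Province Major Science and Technology Project [221100211200]; Henan Province Postgraduate Joint Training Base Project [YJS2023JD04]; Nanyang Collaborative Innovation Major Project [22XTCX12001]; Zhengzhou University High-Level Talent Research Start-up Fund [32340306].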
Abstract: Cloud-native applications based on microservices architecture are highly flexible and efficient but also face multiple security threats. Due to the loosely distributed nature, dynamic independent deployment, and collaborative response of microservice architecture, traditional mimetic Web server adjudication strategies are not adaptable, resulting in low adjudication efficiency with high memory consumption and high latency. To address these problems, this paper proposes a non-intrusive endogenous security microservice model (EnSecDHR) based on a dynamic heterogeneous redundant architecture. The model leverages a cloud-native API gateway to achieve dynamic heterogeneous redundancy transformation of microservice components. It selects the categories and counts of triggered system calls, together with kernel stack and user stack call information, as features, constructs a continuous adjudication model based on a whitelisting mechanism, and provides a short-circuit adjudication mechanism for the adjudicator. This avoids the time the adjudicator would otherwise spend waiting for the complete response from each component. Comparative experiments were conducted using buffer overflow vulnerability attacks and vulnerability scanning. The results demonstrate that the EnSecDHR model can effectively enhance the security of the mimetic Web server while reducing performance loss and resource consumption, thereby improving the microservice adaptability of the DHR architecture.
Keywords: microservices; mimetic system architecture; dynamic redundant architecture; non-intrusive technology
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]