應用雲端環境下資源重分配之特性以最小化服務被攻克率

Abstract

在過去的幾年裡，我們已經看到了IT投資的大幅增長，於是出現雲端計算這個新的名詞。目前已經有許多的企業與組織採用雲端運算。然而，仍然有一些技術障礙，可能會阻止雲端計算成為一個真正的無處不在的服務。尤其是對於顧客在基礎設施的安全性上有嚴格或複雜的要求。對一些著名的企業的新的網路攻擊以及雲端上網路攻擊會更多的預測，都使得雲端運算面臨了可能會減緩其發展的威脅。網絡攻擊的數量現在已經非常多，也具有很大的複雜性，許多組織都遇到了要確定哪些新的威脅和漏洞帶來的風險最大的問題，以及資源應如何分配，以確保要首先處理最可能的破壞性攻擊。 但另一方面，防禦機制的發展也相當多元，所以有相當多的防禦措施可供防禦者選擇以保護服務不受外在威脅。資源重新分配是用於分配大規模任務的可用資源的方法。該方法考慮了在虛擬化的環境中的網絡狀態。我們可以運用雲端資源可重新分配的這個特形，也就是當service預測到高危險，會將VM關掉，並將該VM的資源加到其他VM，以加強防禦能力。 因此我們希望能夠提供一個方法，讓雲端服務的提供商能夠有效的佈建資安防禦措施來增加網路的存活度，加以抵抗外在環境的威脅。在本研究中，將會著重在資源重新分配的防禦機制去抵抗攻擊。研究問題會使用Monte Carlo simulation 來模擬結果。最後找出防禦者最好的防禦策略配置方式。

In the last few years, we have seen a dramatic growth in IT investments, and a new term has come on the surface which is cloud computing. Cloud Computing has been highly adopted by many enterprises and organizations. However, there are still a number of technical barriers that may prevent cloud computing from becoming a truly ubiquitous service. Especially where the customer has strict or complex requirements over the security of an infrastructure. The latest cyber-attacks on high profile firms (Amazon, Google and Sony’s PlayStation) and the predictions of more cyberattacks on cloud infrastructure are threatening to slow the take-off of cloud computing. The numbers of cyber-attacks are now extremely large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt first. In contrast, the network defense mechanism is diverse development, so there have more defense alternative for defender to protect the network from external threats. The resource reallocation is the method to allocate the large-scale task to the available resource. The method considers a network state on the virtualization environments. When the service predicted high risk level, a VM will be switch off and withdraw the VM resources to strengthen defense capabilities. Hence, we help the service provider to allocate their defense resource, in order to find the most efficient way against external attacks. In this thesis, we focus on resource reallocation to increasing the network survivability. And we use Monte Carlo to simulate the model of the network attack-defense scenario. Finally, the ultimate goal is to figure out the optimal defense strategy.