An Optimal Active Defensive Security Framework for the Container-Based Cloud with Deep Reinforcement Learning

Authors:

Li Yuanbo 1,2, Hu Hongchao 1, Liu Wenyan 1,3, Yang Xiaohan 1

Affiliation:

1. National Digital Switching System Engineering and Technological Research Center, PLA Strategic Support Force Information Engineering University, Zhengzhou 450002, China

2. School of Computer and Information Engineering, Luoyang Institute of Science and Technology, Luoyang 471023, China

3. Purple Mountain Laboratories, Nanjing 211111, China

Abstract

Because attack scenarios in container-based cloud environments are complex and the state of microservices changes continuously, the effectiveness of active defense strategies decreases as the cloud environment and the microservices change. To tackle this, the main focus is how to establish a comprehensive threat model and an adaptive active defense deployment strategy. In this study, we present an optimal active defensive security framework (OADSF) for the container-based cloud with deep reinforcement learning. First, based on the characteristics of container clouds and microservices, the security threats and the attack paths available to attackers are analyzed at the application layer and the container layer. Then, we propose a Holistic System Attack Graph to quantitatively analyze security gain, quality of service (QoS) and defense efficiency in container-based cloud scenarios. Finally, the optimization of a moving target defense (MTD) strategy is modeled as a Markov decision process, and deep reinforcement learning is used to handle the state-space explosion of large-scale cloud applications, yielding the optimal defense configuration strategy for the orchestration platform. We use Kubernetes to build container-based clusters. The algorithm is implemented in Python 3.7 on TensorFlow 1.14. Simulation results show that the proposed method converges quickly for large-scale cloud applications and increases defense efficiency. Compared with DSEOM and SmartSCR, the defense efficiency is increased by 35.19% and 12.09%, respectively.

Funder

National Natural Science Foundation of China

National Key Research and Development Plan of China

Publisher

MDPI AG

Subject

Electrical and Electronic Engineering; Computer Networks and Communications; Hardware and Architecture; Signal Processing; Control and Systems Engineering

Cited by 3 articles.

1. A Secure Container Placement Algorithm Based on Microservice Invocation Criticality. 2024 IEEE 2nd International Conference on Control, Electronics and Computer Technology (ICCECT), 2024-04-26.

2. Containerization. Advances in Systems Analysis, Software Engineering, and High Performance Computing, 2024-04-05.

3. Container Security in Cloud Environments: A Comprehensive Analysis and Future Directions for DevSecOps. RAiSE-2023, 2023-12-18.
