CN108763927A - A cloud system security detection method and device - Google Patents

A cloud system security detection method and device

Info

Publication number
CN108763927A
Authority
CN (China)
Prior art keywords
state machine, cloud system, operation result, target state, behavior
Legal status
Pending
Application number
CN201810040382.9A
Other languages
Chinese (zh)
Inventors
张帆, 张慧, 张聪, 刘小丽, 胡方宁, 刘泽宇
Current Assignee
Wuhan Polytechnic University
Original Assignee
Wuhan Polytechnic University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs

Abstract

The present invention provides a cloud system security detection method and device. When the cloud system receives a detection request, the cloud system layer, state machine action and security policy corresponding to the detection request are determined; the target state machine of that cloud system layer is established according to the detection request; the state machine action is executed by the target state machine to obtain the actual behavior operation result of the target state machine; the target state machine calls the security policy and executes the state machine action under the security policy to obtain the expected behavior operation result of the target state machine; the actual behavior operation result and the expected behavior operation result are compared, and from the comparison result it can be judged whether untrusted behavior exists in the cloud system. When the actual behavior operation result is identical to the expected behavior operation result, the cloud system is determined to be secure, so that the security of the cloud system can be detected accurately.

Description

A cloud system security detection method and device
Technical field
The present invention relates to the technical field of cloud systems, and in particular to a cloud system security detection method and device.
Background art
As cloud systems come into wide use, their security problems receive increasing attention from researchers. Current research on cloud computing and its security concentrates on the following aspects:
(1) using technologies such as network security, cryptography, trusted computing and virtualization security to enhance the intrinsic security of the cloud system; (2) cloud system data security; (3) cloud system access control; (4) cloud system tenant isolation; (5) quantitative security evaluation of cloud systems; (6) applying cloud systems (the cloud) to build secure and trusted systems.
However, none of the above work addresses how to analyze the trustworthiness of the behavior of the cloud system itself. Specifically: "Given a cloud system, how can one judge whether untrusted behavior exists in it? If untrusted behavior exists, what is the cause of the untrusted behavior (a command, function call, API call, machine instruction, etc.)? Is there a practicable algorithm (of polynomial time complexity) that can complete the above verification work?" Existing work cannot answer these questions.
The related paper 《A kind of cloud platform credibility Analysis method for establishing model》 discloses the following: the process by which the platform provides services externally characterizes the interaction between the user and the cloud and the interaction among entities inside the cloud platform, and the model-analysis and checking tool Kronos is used to analyze the platform's internal state-change process from several angles such as availability, reliability and security. That paper takes labeled transition systems as its theoretical tool and verifies cloud platform trustworthiness with the Kronos tool, but it does not design a practicable (polynomial-time) verification algorithm on the basis of a sound and complete theoretical proof, and it cannot solve the trustworthiness (noninterference) verification problem. Because that paper "models from the interaction" between the user and the cloud and among entities inside the cloud platform, it may not be applicable to levels such as IaaS and PaaS or to arbitrary XaaS extensions (at those two levels there is typically no user intervening in the interaction).
Another related paper is 《Cloud system tenant is isolated》 (cloud system tenant isolation), which also studies cloud system security with the noninterference model. However, the method of that paper is limited to tenant isolation and does not study the broader behavioral security of cloud systems.
Establishing a theory for analyzing and proving the behavioral trustworthiness of cloud systems, and proposing a practicable (polynomial-time-complexity) algorithm that applies it in practice, is meaningful work. It allows not only real-time measurement of the trustworthiness of a cloud system at run time, but also static analysis of the trustworthiness of a cloud system, explicitly pointing out the security defects where untrusted behavior exists and the reasons for them, for repair. However, to the best of our knowledge, no existing work solves the above problems. How to detect the security of a cloud system more accurately is therefore a problem that still needs to be solved.
The above content is provided only to facilitate understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a cloud system security detection method and device, aiming to solve the problem of how to detect the security of a cloud system more accurately.
To achieve the above object, the present invention provides a cloud system security detection method, which includes the following steps:
when the cloud system receives a detection request, determining the cloud system layer, state machine action and security policy corresponding to the detection request;
establishing the target state machine of the cloud system layer according to the detection request;
executing the state machine action by the target state machine to obtain the actual behavior operation result of the target state machine;
calling the security policy by the target state machine and executing the state machine action under the security policy to obtain the expected behavior operation result of the target state machine;
comparing the actual behavior operation result with the expected behavior operation result, and determining that the cloud system is secure when the actual behavior operation result is identical to the expected behavior operation result.
Preferably, before the step of calling the security policy by the target state machine, executing the state machine action under the security policy and obtaining the expected behavior operation result of the target state machine, the method further includes:
receiving a target security domain input by the user;
correspondingly, the step of calling the security policy by the target state machine, executing the state machine action under the security policy and obtaining the expected behavior operation result of the target state machine specifically includes:
calling the security policy by the target state machine and executing the state machine action under the security policy;
determining the security domain to be measured that corresponds to the state machine action;
comparing the security domain to be measured with the target security domain, and, when an information flow relation exists between the security domain to be measured and the target security domain, executing the state machine action corresponding to the security domain to be measured to obtain the expected behavior operation result of the target state machine.
Preferably, before the step of determining, when the cloud system receives a detection request, the cloud system layer, state machine action and security policy corresponding to the detection request, the method further includes:
receiving a state machine modeling instruction input by the user, and obtaining the state set, atomic action set, behavior set and security domain set of the cloud system according to the state machine modeling instruction;
building the state transition relation according to the state set, atomic action set, behavior set and security domain set of the cloud system, and generating the basic state machine of the cloud system;
correspondingly, the step of establishing the target state machine of the cloud system layer according to the detection request specifically includes:
establishing the target state machine of the cloud system layer according to the detection request and the basic state machine of the cloud system.
Preferably, the target state machine includes a security-domain-of-action function dom(), a detection result function behcon(s, a), a detection execution function exec(s, γ) and an expected detection function wexpected(γ, w);
the security-domain-of-action function dom() returns the security domain dom(a) to which a state machine action a belongs, where the state machine action a belongs to the atomic action set;
the detection result function behcon(s, a) outputs the detection result of the target state machine executing the state machine action a in the current state s, where the current state s belongs to the state set;
the detection execution function exec(s, γ) denotes executing the detection request γ in the current state s, where the detection request γ belongs to the behavior set;
the expected detection function wexpected(γ, w) denotes the detection request γ under the target security domain w, where the target security domain w belongs to the security domain set.
Preferably, the step of executing the state machine action by the target state machine to obtain the actual behavior operation result of the target state machine specifically includes:
calling formula (1) by the target state machine to execute the state machine action a, and obtaining the actual behavior operation result M1 of the target state machine;
where formula (1) is
M1 = behcon(exec(s, γ), a);
correspondingly, the step of calling the security policy by the target state machine, executing the state machine action under the security policy and obtaining the expected behavior operation result of the target state machine specifically includes:
calling the security policy by the target state machine and calling formula (2) to execute the state machine action a, and obtaining the expected behavior operation result M2 of the target state machine;
where formula (2) is
M2 = behcon(exec(s, wexpected(γ, dom(a))), a)
correspondingly, the step of comparing the actual behavior operation result with the expected behavior operation result and determining that the cloud system is secure when they are identical specifically includes:
comparing the actual behavior operation result M1 with the expected behavior operation result M2, and determining that the cloud system is secure when the actual behavior operation result is identical to the expected behavior operation result.
Preferably, the cloud system layer includes at least one of the infrastructure-as-a-service layer IaaS, the platform-as-a-service layer PaaS and the software-as-a-service layer SaaS.
Preferably, after the step of comparing the actual behavior operation result with the expected behavior operation result, the method further includes:
when the actual behavior operation result differs from the expected behavior operation result, displaying the state machine action.
In addition, to achieve the above object, the present invention also proposes a cloud system security detection device, which includes a memory, a processor, and a cloud system security detection program stored in the memory and runnable on the processor, the cloud system security detection program being configured to implement the steps of the cloud system security detection method described above.
In the present invention, when the cloud system receives a detection request, the cloud system layer, state machine action and security policy corresponding to the detection request are determined; the target state machine of the cloud system layer is established according to the detection request; the state machine action is executed by the target state machine to obtain the actual behavior operation result of the target state machine; the target state machine calls the security policy and executes the state machine action under the security policy to obtain the expected behavior operation result of the target state machine; the actual behavior operation result and the expected behavior operation result are compared, and from the comparison result it can be judged whether untrusted behavior exists in the cloud system. When the actual behavior operation result is identical to the expected behavior operation result, the cloud system is determined to be secure, so that the security of the cloud system can be detected accurately.
Description of the drawings
Fig. 1 is a flow diagram of the target state machine and the target state machine under security policy control synchronously executing a state machine action;
Fig. 2 is a structural diagram of the cloud system security detection device in the hardware operating environment involved in an embodiment of the present invention;
Fig. 3 is a flow diagram of an embodiment of the cloud system security detection method of the present invention;
Fig. 4 is a state machine diagram of the cloud system modeling in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the actual state of the target state machine of the cloud system in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the security policy corresponding to the detection request in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the expected state of the target state machine of the cloud system under security policy control in an embodiment of the present invention.
The realization of the objects, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
According to the cloud computing specification SP 800-146 issued by the National Institute of Standards and Technology (NIST) of the United States, cloud computing can be divided by level into infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). In practical trustworthiness analysis, it is first necessary to clarify which layer of the cloud system the system to be analyzed actually belongs to: IaaS, PaaS or SaaS (or even some other extension XaaS). Then the cloud system is equivalently modeled in the form of a state machine.
The following embodiment of the present invention illustrates how to model a cloud system as a state machine model based on the bottom layer, IaaS. NIST's SP 800-146 points out that IaaS provides the consumer with processing, storage, networks and some other basic computing resources. The consumer cannot control the underlying cloud infrastructure, but can control virtual machines, network-accessible storage, some network infrastructure components (such as host firewalls) and configuration services. This means that the definition of IaaS must include at least the four basic components given in Definition 1 below.
Definition 1. Cloud computing infrastructure as a service (IaaS). According to SP 800-146 issued by NIST, cloud computing infrastructure consists of four elements: virtual machines H, network-accessible storage G, partially controllable network infrastructure components E, and configuration services X.
Based on Definition 1, and combining the equivalent state machine of SP 800-146, an IaaS-level cloud system can be described by Definition 2 below.
Definition 2. A cloud computing system M (hereinafter system M or machine M) consists of the following elements: (1) a set of virtual machines H; by convention $h_1, h_2, \ldots$ denote different virtual machines; (2) a set of network-accessible storage G; by convention $g_1, g_2, \ldots$ denote different storage devices; (3) a set of network devices E; by convention $e_1, e_2, \ldots$ denote different network devices; (4) a set of configuration services X; by convention $x_1, x_2, \ldots$ denote different configurations; (5) a state set S containing a unique initial state $s_0$; by convention $s, t, \ldots$ denote system states; (6) an action set A consisting of all atomic actions in the system; by convention $a, b, \ldots$ denote atomic actions; (7) a behavior set B consisting of all behaviors in the system, where a behavior is expressed as a sequence of atomic actions joined by a concatenation connector; by convention $\alpha, \beta, \gamma, \ldots$ denote behaviors; (8) an output set O containing the results observed using an action $a \in A$; (9) each atomic action has its own security domain, and the set of these security domains is called the security domain set D; (10) the security policy, given as a pair of relations over the security domain set: whether information can flow between security domains is determined by these relations, which are called the interference relation and the noninterference relation respectively, the two being complements of each other; (11) the mapping function from actions to security domains, dom: A → D, where dom returns the security domain dom(a) to which a specific action a belongs; (12) the single-step function step: S × A → S, which describes the state the machine should reach after executing some action from a preceding state; (13) the behavior consequence function behcon: S × A → O, which gives the result observed when executing a specific action $a \in A$ in state $s \in S$; (14) the behavior execution function exec: S × B → S; if Λ denotes the empty action sequence, exec can be expressed in right-recursive form:
Definition 2 gives the formal definition of a cloud computing system M based on IaaS, where (1) to (4) are the formal descriptions of the four basic modules of IaaS according to specification SP 800-146, and (5) to (14) are the formal descriptions required for noninterference analysis. It should be noted that: first, the state set S in (5) consists of the internal states of the four parts H, G, E and X; if $S_H, S_G, S_E, S_X$ denote the internal state subsets of these four parts respectively, then $S = S_H \cup S_G \cup S_E \cup S_X$, and $S_H, S_G, S_E, S_X$ are pairwise disjoint. The unique initial state $s_0 \in S$ is, by Definitions 3 and 6 below, composed of the initial states of H, G, E and X. Second, similarly, the action set A in (6) is composed of the action sets $A_H, A_G, A_E, A_X$ that respectively affect the four parts H, G, E and X, and satisfies $A = A_H \cup A_G \cup A_E \cup A_X$. Since one action may affect several of the parts H, G, E and X (for example, a shutdown command may cause virtual machine H to write dirty data to storage G, terminate network connection E, and save the current configuration X before shutting down), $A_H, A_G, A_E, A_X$ may intersect.
Definition 2 illustrates how to model a cloud system as an equivalent state machine at the IaaS level. If PaaS and SaaS are considered, Definition 2 needs further refinement; for example, PaaS needs to consider platform interfaces, and SaaS needs to consider applications and even processes. How to refine it specifically depends on the actual security requirements.
Further, for PaaS and SaaS (or other extensions XaaS), a "general" cloud system definition method can be summarized with reference to Definition 2, in the following three steps: first, retain items (5) to (14) of Definition 2, which noninterference analysis requires; second, extend the definition of the cloud system with reference to items (1) to (4) of Definition 2, where how to extend it depends on the specific platform and the actual security requirements; finally, establish the relations between the sets S, A, D and O and the extended definition, thereby converting the actual platform and security requirements into standard state machine form. Fig. 1 gives the basic flow of constructing the cloud system state machine M.
For example, for PaaS, if the focus is on the platform interface API (on the basis of IaaS), the atomic action set should add $A_I$, i.e. $A = A_H \cup A_G \cup A_E \cup A_X \cup A_I$, where $A_I$ is the platform-interface access subset; executing actions in $A_I$ changes the state of the cloud platform and of the corresponding application. For SaaS, the granularity is finer and must be refined to applications and even processes. Thus the action set A includes not only the service request commands input by the user, but may even need to go deep into the kernel of the virtual machine, including machine instructions. The degree of refinement depends on the platform and the actual security requirements, and is handled similarly to the above analysis and example.
2. Second, using the noninterference model to study the trustworthiness of the state machine (cloud system)
The above explained how to model a cloud system as a state machine M. To use the noninterference model to analyze whether the state machine equivalent to the cloud system is trusted, the basic definitions related to noninterference analysis, Definitions 3 to 5 below, are also required.
Definition 3. Structured machine. A structured machine corresponds to an actual machine M and focuses on the storage units (internal and external storage units, chip storage units, etc.) and their values, the observable storage units, the modifiable storage units, and similar notions.
Storage unit set N. Each storage unit of the machine has a name. The set of all storage unit names constitutes the storage unit set N, also called the name set N.
Specifically, for the cloud computing system M, the storage unit set N consists of the names of H, G, E and C: $N = N_H \cup N_G \cup N_E \cup N_C$.
Value set V. Each storage unit $n \in N$ has a specific value $value \in V$ in a specific state $s \in S$; the specific value can be computed by the content function below. The set of all values forms the value set V.
Content function contents: S × N → V.
Observation function and modification function. These respectively give the set of storage units that a specific security domain $u \in D$ can observe and the set it can modify, both obtained by the power-set operation on N.
Definition 4. The relation is called an equivalence relation if and only if it satisfies both output consistency and (weak) single-step consistency.
Output consistency:
Weak single-step consistency:
Note: the present invention follows the symbolic notation of the noninterference definitions given by Rushby, including the symbol used for the containment relation.
Definition 5. Reference Monitor Assumptions (RMA). The reference monitor monitors the operation of the system. It is stipulated that the reference monitor satisfies the following three assumptions:
Assumption 1, consistency of storage unit contents of equivalent states: two states are equivalent if and only if all their storage units have the same values.
That is:
Assumption 2, consistency of storage unit modification of equivalent states: if two states are equivalent, then when they modify a storage unit, it must be guaranteed that the storage unit is modified to the same value. That is:
Assumption 3, authenticity of storage unit modification: if an action a modifies the value of some storage unit, the security domain dom(a) to which a belongs must be authorized to modify that storage unit.
That is:
2.1 Trustworthiness judgment equation
Next, the noninterference model is used to analyze whether the state machine defined above is trusted. The corresponding judgment equation is given in Definition 6 below.
Definition 6. Behavioral trustworthiness judgment equation
In equation (1), γ is the actual running behavior of the cloud system, and wexpected(γ, dom(a)) is the expected behavior under security policy control. Specifically, the purpose of wexpected is to extract from γ the behavior made up of all actions that have (direct or indirect) interference with the system under security policy control. The formal definition of wexpected is given in Definition 7.
Definition 7. wexpected: B × D → B. wexpected(Λ, w) = Λ, and
where
In Definition 7, interfsrcs is the interference source set, used to obtain all security domains that (directly or indirectly) interfere with the cloud system. It is defined as follows:
Definition 8. Interference source set. The recursive definition of the interference source set is: interfsrcs(Λ, w) = {w}, and
where
For simplicity, interfsrcs(γ, w) is hereafter abbreviated as $IS_\gamma$, i.e. interfsrcs(γ, w) = $IS_\gamma$.
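As an added worked example (not code from the patent), the following Python models a machine M with the dom, step, behcon and exec functions of Definition 2 and evaluates formula (1) against formula (2) for a constructed two-tenant IaaS slice, which is also the side-by-side execution of the actual and expected behavior described for EMA and WEMA in section 2.2. Because the recursions of Definitions 7 and 8 did not survive extraction, interfsrcs and wexpected are implemented here in the form of Rushby's sources/ipurge functions, which is an assumption; all action names, storage units and the security policy are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed example (not the patent's own code). A state is the contents of the
# named storage units of Definition 3; an action is an atomic action of Definition 2.
State = Dict[str, str]
Action = str
Domain = str
Behavior = List[Action]  # a behavior is a sequence of atomic actions


@dataclass
class CloudMachine:
    """Stand-in for the page's machine M: dom(), step(), behcon() and exec()."""
    initial: State                                    # unique initial state s0
    dom: Dict[Action, Domain]                         # dom: A -> D
    effects: Dict[Action, Callable[[State], State]]   # step: S x A -> S
    observe: Dict[Action, Callable[[State], str]]     # behcon: S x A -> O
    interferes: Set[Tuple[Domain, Domain]]            # policy: (u, v) means u may interfere with v

    def step(self, s: State, a: Action) -> State:
        # Actions without a registered effect (pure observations) leave the state unchanged.
        return self.effects[a](dict(s)) if a in self.effects else dict(s)

    def behcon(self, s: State, a: Action) -> str:
        return self.observe[a](s)

    def exec(self, s: State, gamma: Behavior) -> State:
        # exec(s, Λ) = s; otherwise apply the actions of γ one step at a time.
        for a in gamma:
            s = self.step(s, a)
        return s

    def interfsrcs(self, gamma: Behavior, w: Domain) -> Set[Domain]:
        # Assumed form of Definition 8, following Rushby's `sources`: interfsrcs(Λ, w) = {w};
        # the domain of the first action joins the set if the policy lets it interfere with
        # some domain that is already an interference source for the rest of γ.
        if not gamma:
            return {w}
        rest = self.interfsrcs(gamma[1:], w)
        u = self.dom[gamma[0]]
        return rest | {u} if any((u, v) in self.interferes for v in rest) else rest

    def wexpected(self, gamma: Behavior, w: Domain) -> Behavior:
        # Assumed form of Definition 7, following Rushby's `ipurge`: keep an action only if
        # its domain is an interference source for w over γ from that action onward.
        if not gamma:
            return []
        a, rest = gamma[0], gamma[1:]
        kept = [a] if self.dom[a] in self.interfsrcs(gamma, w) else []
        return kept + self.wexpected(rest, w)

    def detect(self, gamma: Behavior, a: Action) -> dict:
        """Evaluate formula (1) against formula (2) for observation action a:
        M1 = behcon(exec(s0, γ), a) and M2 = behcon(exec(s0, wexpected(γ, dom(a))), a)."""
        m1 = self.behcon(self.exec(self.initial, gamma), a)
        expected = self.wexpected(gamma, self.dom[a])
        m2 = self.behcon(self.exec(self.initial, expected), a)
        # The purged actions are the ones to display when M1 != M2 (the patent's
        # "display the state machine action" step): they carry the untrusted influence.
        purged, j = [], 0
        for x in gamma:
            if j < len(expected) and expected[j] == x:
                j += 1
            else:
                purged.append(x)
        return {"M1": m1, "M2": m2, "secure": m1 == m2, "purged": purged}


def build_demo(isolated_storage: bool) -> CloudMachine:
    """Constructed two-tenant IaaS slice. Policy: tenant1 and tenant2 must not interfere
    with each other; the admin domain may interfere with both. With isolated_storage=False,
    tenant1's VM writes to a storage unit 'g_shared' that tenant2's VM can also read."""
    sink = "g_tenant1" if isolated_storage else "g_shared"

    def t1_write(s: State) -> State:
        s[sink] = "tenant1-data"       # H (tenant1 VM) writes to storage G
        return s

    def admin_patch(s: State) -> State:
        s["x_config"] = "patched"      # admin changes configuration service X
        return s

    return CloudMachine(
        initial={"g_shared": "", "g_tenant1": "", "g_tenant2": "", "x_config": "base"},
        dom={"t1_write": "tenant1", "admin_patch": "admin", "t2_read": "tenant2"},
        effects={"t1_write": t1_write, "admin_patch": admin_patch},
        # tenant2's observation: what its VM can see of shared storage and the live config
        observe={"t2_read": lambda s: s["g_shared"] + "|" + s["x_config"]},
        interferes={("tenant1", "tenant1"), ("tenant2", "tenant2"), ("admin", "admin"),
                    ("admin", "tenant1"), ("admin", "tenant2")},
    )


if __name__ == "__main__":
    gamma = ["t1_write", "admin_patch"]   # constructed actual behavior γ of the cloud system
    for isolated in (False, True):
        print("isolated storage:", isolated, build_demo(isolated).detect(gamma, "t2_read"))
```

With shared storage the two results differ (M1 contains tenant1's data, M2 does not) and `t1_write` is reported as the action carrying the untrusted flow; with isolated storage M1 equals M2 and the behavior is judged trusted.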
Returning to Definition 6: what "trusted" means is defined differently by academia and industry. The definition given by the Trusted Computing Group (TCG) is: an entity is trusted if its behavior always proceeds in the expected manner toward the intended goal. There is also a domestic view that trusted ≈ reliable + secure; in the security field, people also focus on confidentiality and integrity.
Therefore, equation (1) needs to be analyzed for the following situations:
(1) TCG's behavioral-expectation definition. The left side of equation (1) is regarded as the actual execution result of system M for behavior γ; the right side is the theoretical execution result of the expected behavior wexpected(γ, dom(a)) of system M under the control of an intransitive security policy. If the equation holds, the actual execution result of the behavior is consistent with the expected execution result under security policy control, so the behavior is trusted; otherwise it is untrusted.
(2) Confidentiality. The left side of equation (1) is the actual execution result observed by a low-security-level observer; the right side is the execution result observed by the low-security-level observer after removing all high-security actions that have any (direct or indirect) interference with that observer. Since the two sides are equal, the low-security-level observer cannot obtain any information by reasoning backwards from the result, so confidentiality is protected and the system is trusted.
(3) Integrity. Similarly, the left side of equation (1) is the actual execution result of the real behavior; the right side is the theoretical execution result after eliminating, under security policy control, all invalid information flows (i.e. all actions that cannot directly or indirectly interfere with the target object). If the two sides are consistent, the integrity of the system is protected and the system is trusted.
The above analysis shows that equation (1) can cover the mainstream definitions of trust (TCG's behavioral-expectation definition, the confidentiality and integrity definitions, etc.), as long as different actions are selected to observe the system according to the focus of concern.
In summary, equation (1) is the judgment equation of behavioral trustworthiness.
Next, equation (1) must be used to verify the trustworthiness of the state machine in Definition 6 (i.e. the equivalent cloud system).
2.2 Automated judgment theory of cloud system trustworthiness
According to the existing theory of the noninterference model, there is still no effective automatic verification algorithm for judging equation (1): either the time complexity of the existing algorithms is too high, reaching exponential order, so that they cannot be applied in practice, or the research is purely theoretical and no practicable algorithm can be constructed. For this purpose, the present invention needs to build an algorithm of polynomial time complexity to solve the problem of judging the behavioral trustworthiness of a cloud system with equation (1).
The solution is to regard the two sides of equation (1) as two different state machines, referred to briefly as EMA and WEMA. Starting from the same initial state, the two respectively execute the actual behavior γ of the cloud system and the expected behavior wexpected(γ, dom(a)) under the control of the cloud system's security policy. Observing the execution of both yields the following result.
Theorem 1. For a cloud system M, assume it has an arbitrary behavior and let N = n; then the condition stated here is necessary and sufficient for cloud system M to be trusted, where the relation involved is the domain-set equivalence relation, defined as:
In Theorem 1: γ is the behavior string that M will receive in the initial state $s_0$; $s_i$ and $t_i$ denote the current states of EMA and WEMA respectively; with the notation below, $s_{i+1}$ denotes the new state $s_{i+1} = step(s_i, a_i)$ that EMA reaches after receiving action $a_i$ from current state $s_i$, and $t_{i+1}$ denotes the new state that WEMA reaches from current state $t_i$ after either correspondingly receiving $a_i$ (in which case $t_{i+1} = step(t_i, a_i)$) or not receiving $a_i$ (in which case $t_{i+1} = t_i$).
Proof:
Sufficiency
(1) it proves first in the initial state, lemma conditionInitial preconditionIt sets up.Otherwise adequate condition former piece is meaningless.
If the original state of EMA is s0, the original state of WEMA is t0, it is clear that s0=t0, therefore have immediately:At Vertical, i.e., the initial precondition of lemma condition is set up.
(2) Secondly, prove that the execution of machine M always satisfies the judgement equation of Definition 12.
SinceIt always sets up, then the recursive call condition, finally has:It sets up, Yi Jiyou:
Due to γn+1=Λ, thereforeIt substitutes intoHave:That is,Therefore behcon(sn+1, a)=behcon (tn+1, a) (dom (a)=w) establishment.By the definition of EMA and WEMA, substitute into: sn+1=exec (s0, γ), tn+1=exec (t0, wexpected (γ, w)), s0=t0, judge equatioies in conjunction with the arbitrariness of γ to get defining 9 It sets up, adequacy must be demonstrate,proved.
Necessity
Using reduction to absurdity.The basic thought of proof is:Once occurringI.e.The case where, then under the conditions of cloud system M is believable, in v between EMA and WEMAjOn non-equivalence will It cannot be corrected, and will be with γi+1In be left the continuous of action and receive vjOn this non-equivalence hand on.Both SoIt is defined according to interference source collection, certainly exists following similar security strategy:Then it Afterwards when due to security strategySo that by security domain vjSend out some action b interference security domains vj+1When, due to EMA and WEMA is in vjUpper non-equivalence can necessarily construct action b and EMA and WEMA are arrived after executing b in conjunction with the arbitrariness of γ The new state reached is in vj+1On also non-equivalence.This process continues until final EMA and WEMA on w also non-equivalence, from And the judgement equation defined in 12 is invalid, this is believable contradict with machine M.
The detailed proof, by contradiction, is as follows:
It might as well assumeHave:
We now examine the case in which EMA and WEMA continue from their current states s_{i+1} and t_{i+1} and receive the new element a_{i+1} of γ_{i+1} (note that γ_{i+1} is defined by the execution suffix string).
Without loss of generality, it might as well assume have(forSituation, being defined by interference source collection necessarily has:So to vkIt similar can be proved using following thought):
If
At this point EMA can receive a_{i+1} and moves to the new state step(s_{i+1}, a_{i+1}), while WEMA does not receive a_{i+1} and keeps its state unchanged at t_{i+1}. It will be proven below that:
It has been defined by interference source collection:
OtherwiseContradiction.
According to formula (3), (necessarily sets up under the conditions of machine M is believable using the noiseless attribute in part, be otherwise easy structure Make counter-example proof machine M be unsatisfactory for it is non-transmit it is noiseless, to insincere) have:
It can be obtained immediately by formula (2) (4):
If
Then EMA and WEMA can receive ai+1, and it is transformed into new state step (s respectivelyi+1,ai+1) and step (ti+1, ai+1).It needs to prove belowThis is divided into two kinds of situations and discusses:
Situation 1:IfSince machine M is believable, using the noiseless attribute in part, have to EMA:
Similarly have to WEMA:
It can be obtained immediately by formula (2) (5) (6):
Situation 2:IfSince machine M is believable, for arbitrary initial behavior γ, machine M The equation of definition 12 must all be met after receipt.But according to the arbitrariness of γ, by assuming(formula (4)) go out Hair, we must can construct a specific action a 'i+1(to replace ai+1) so that EMA and WEMA acts a ' in receptioni+1 Later, still have--- this needs EMA and WEMA " respectively from si+1And ti+1State, root According to security domain vjThe value condition for the name observed " constructs a 'i+1
A kind of building method is:Respectively in si+1And ti+1State, EMA and WEMA are to security domain vjName observed. According to formula (2), assume must have known to 1 (defining 5) by RMA1:
Construction acts a 'i+1(instead of ai+1) so that a 'i+1Not to n0It is rewritten, is then had respectively to EMA and WEMA:
Had by formula (7) (8) (9):
Assume 1 using RMA, can be obtained immediately by formula (10):
Above-mentioned construction show it is believable in machine M, once EMA with WEMA in synchronous implementation procedure, at some There is the case where non-equivalence in stateIt enablesThen can centainly find one it is specific Action a 'i+1So that EMA and WEMA is receiving a 'i+1Later in security domain vj(tectonic ideology is for upper holding non-equivalence:ForSituation, according to EMA and WEMA in vjThe case where value that is able to observe that different name, construct one a′i+1So that a 'i+1These name elements with different values are not rewritten;ForSituation, A ' can then be directly selectedi+1=ai+1)。
It can also be obtained from above-mentioned construction process:Once occurringThe case where (at this time according to execution Sub-line, which is string definition, to be hadIf above-mentioned construction process recurrence use is gone down, action is constructed respectively “a′i+1,a′i+2,a′i+3... " and replace " ai+1,ai+2,ai+3... ", then EMA and WEMA is in reception " a 'i+1,a′i+2,a′i+3…” During can be maintained at vjUpper non-equivalence, i.e., in vjOn non-equivalence can constantly be handed on.Further, due toMust have known to the definition of interference source collection similarSecurity strategy, then when due to Strategy takes turns to when sending out action, since EMA and WEMA is in security domain vjUpper non-equivalence, thus can always utilize similar to aforementioned Prove that the building method of 2 the inside of situation of step (2), the new behavior b of construction behavior make EMA and WEMA in vj+1Upper continuation is not It is of equal value that (a kind of structural scheme is, since EMA and WEMA is in upper non-equivalence, then assuming must there is name n known to 1 by RMA1∈ observe(vj) different in EMA with WEMA values.The operation for constructing b is by name n1Value copy any one n to2∈ observe(vj+1), being assumed by RMA will be in v after EMA and WEMA receives b known to 1j+1Upper non-equivalence).This explanation, we It can be by non-equivalence from vjIt is transmitted to vj+1, i.e., it is transmitted to another security domain from a security domain.
Since non-equivalence can be transmitted to another security domain by us from a security domain, then byIt is (public Formula (2)), it is defined in conjunction with interference source collection, must there is security strategyAs the method previously described, by non-equivalence From vjStart, is sequentially delivered to " vj+1..., w " finally has EMA and WEMA in upper w non-equivalences, thus equation (1) not at It is vertical.
This explanation,Supposed premise under, for execute sub-line be string γi+1In it is every One action al(i+1≤l≤N), we, which can centainly correspond to, constructs an a 'l, to obtain a new string γ 'i+1.It enablesWith γ 'i+1Replace γi+1It obtainsIt is centainly unsatisfactory for after machine M executes γ ' 3 equation is defined, this is believable contradict with cloud system M.Necessity must be demonstrate,proved.
In summary, Theorem 1 holds. This completes the proof.
To illustrate how Theorem 1 is used, an example is given here.
Example 1:If certain cloud system M security strategies are:Now choose certain in M Single behaviorWhether the examination judgement behavior is credible.
Answer: according to Theorem 1, it is only necessary to examine whether EMA and WEMA always keep their states equivalent at every state reached while executing the single behaviour in lockstep (see Figure 1).
(1) first, the EMA and WEMA behaviors to be executed are investigated.Have to EMA:To WEMA, root According to the definition of WEMA, β=wexpected (γ, w) is calculated, is had:
(2) Calculate the remaining suffix strings (called execution suffix strings) obtained after executing the atomic actions a_0, a_2, a_1, a_0, a_2 in turn; in particular γ_5 = Λ.
(3) Calculate the interference source set corresponding to every execution suffix string according to the definition IS_γ = interfsrcs(γ, w). Also, by the form of Theorem 1, N = 4.
(4) According to Theorem 1, substitute the results of steps (1)~(3) recursively and judge whether the condition holds.
(a) Substituting: EMA and WEMA receive a_0 simultaneously;
(b) Substituting: EMA and WEMA receive a_2 simultaneously;
(c) Substituting: EMA and WEMA receive a_1 simultaneously;
(d) Substituting: EMA receives a_0 while WEMA receives Λ;
(e) Substituting: EMA and WEMA receive a_2 simultaneously;
If the condition holds in every one of the steps (a)~(e) above, the behaviour is trustworthy. Otherwise, without loss of generality, suppose the formula fails after the substitution of step (d); this means that the execution of γ has a potential security hole, and the cause of the hole is the 4th atomic action received by EMA, i.e. the 4th action a_0 in γ. This completes the solution.
2.3 Automatic verification algorithm for cloud-system trustworthiness
Theorem 1 proves, in theory, the necessary and sufficient condition under which the noninterference property holds. From the state-recursive form of Theorem 1 (see also Example 1), an automatic verification algorithm for cloud-system trustworthiness can be constructed.
Algorithm 1. Automatic behavioural trustworthiness verification algorithm based on noninterference theory
Function name: Boolean TrustVerification(p, s0, w, α, c)
Function return: TRUE/FALSE (the cloud-system behaviour is trustworthy / not trustworthy)
Input parameters: p is the security strategy; s0 is the initial state of cloud system M; w is the security domain of the system that is finally affected, corresponding to dom(a) in formula (1), i.e. w = dom(a);
Output parameters: if the function returns TRUE, α = c = Λ; otherwise α is the untrustworthy behaviour in cloud system M and c is the atomic action in α that makes it untrustworthy.
Algorithm procedure:
(1) Initialization: construct the state machine of the actual operation of cloud system M, i.e. EMA (corresponding to the left side of equation (1) in Definition 6).
Let B be the behaviour set of cloud system M; put all behaviours of EMA into B.
Let α = c = Λ.
(2) Algorithm body:
/* The algorithm body has two WHILE loops. WHILE1 picks an arbitrary behaviour γ from the behaviour set B; WHILE2 verifies according to Theorem 1 whether γ is trustworthy and, if it is not, reports the reason. */
/* While behaviours of the actual cloud-system state machine remain to be verified */
WHILE (behaviours remain in B) {    // WHILE1
    /* Pick an arbitrary behaviour of cloud system M for trustworthiness verification */
    Select any behaviour γ from set B and let B = B − {γ};
    /* Initial settings for the trustworthiness verification of the selected behaviour γ */
    Let γ_i = γ be the behaviour EMA is about to execute. Let s_i and t_i be the current states of EMA and WEMA respectively; initially EMA and WEMA always start from the same initial state, so s_0 = t_0. Let w be the security domain of cloud system M that is finally interfered with under the security strategy, i.e. w = dom(a) (see dom(a) in equation (1));
    /* Initialize α and c. If γ is found untrustworthy, α = γ_i = γ returns the untrustworthy behaviour and c names the action in γ that makes it untrustworthy */
    Let α = γ_i, c = Λ;
    /* While the recursive verification of the selected behaviour γ_i = γ is not finished */
    WHILE (γ_i ≠ Λ) {    // WHILE2
        Compute the theoretical expected behaviour of WEMA under security-strategy control, β_i = wexpected(γ_i, w);
        EMA executes a_i and moves from the current state s_i to the next state s_{i+1} = step(s_i, a_i);
        /* WEMA also executes a_i. This case corresponds to dom(a_i) interfering (directly or indirectly) with w */
        IF (dom(a_i) interferes with w) {
            WEMA executes a_i and moves from the current state t_i to the next state t_{i+1} = step(t_i, a_i);
        }    // End of IF
        /* WEMA executes the empty action Λ. This case corresponds to dom(a_i) having no interference with w */
        ELSE {
            WEMA executes Λ and keeps its state unchanged: t_{i+1} = t_i;
        }    // End of ELSE
        /* Prepare to verify the state-equivalence relation of EMA and WEMA on the remaining behaviour γ_{i+1} (the verification proceeds as follows: first determine whether EMA and WEMA receive a_i and move to their new states, then judge the equivalence relation of EMA and WEMA in the new states on γ_{i+1}) */
        Compute the equivalence relation of s_{i+1} and t_{i+1} on γ_{i+1};
        /* EMA and WEMA are state-equivalent on the security domains of all actions in γ_{i+1} that interfere with w */
        IF (equivalent) {
            /* Set up the next step of the recursion (recursive form based on Theorem 1) */
            Let γ_i = γ_{i+1};
            Let s_i = s_{i+1};
            Let t_i = t_{i+1};
            CONTINUE;    /* recursive verification */
        }    // End of IF
        /* EMA and WEMA are not equivalent on the security domain of some action in γ_{i+1} that interferes with w */
        ELSE {
            c = a_i;
            RETURN FALSE;    /* behaviour α = γ_i of cloud system M is untrustworthy; the reason is action c in it */
        }    // End of ELSE
    }    // End of WHILE2
}    // End of WHILE1
RETURN TRUE;    /* every behaviour of cloud system M is trustworthy */
(3) End of the algorithm. If the function returns TRUE, cloud system M is trustworthy. Otherwise, when an untrustworthy behaviour exists in cloud system M, α returns that behaviour and c specifies which action in α makes α untrustworthy.
(4) Time-complexity analysis. In the worst case, Algorithm 1 has to compare the equivalence of all state pairs (s, t) of EMA and WEMA on all |D| security domains. EMA has |S| states and, by the definitions of wexpected and WEMA, WEMA has |T| ≤ |S| states, so the number of pairs (s, t) is at most |S| × |T| ≤ |S|^2. Examining |S| × |T| ≤ |S|^2 pairs for equivalence on |D| domains needs at most |S| × |T| × |D| ≤ |S|^2 × |D| comparisons. The time complexity is therefore O(|S|^2 × |D|), i.e. polynomial time.
As a result, the present invention gives, in theory, the necessary and sufficient condition based on the noninterference property, establishes the corresponding recursive automatic verification algorithm, and proves that the algorithm has polynomial time complexity and can be applied in practice.
Based on the above theoretical foundation for the automated judgement of cloud-system trustworthiness, an embodiment of a cloud-system security detection device of the present invention is proposed. Referring to Fig. 2, Fig. 2 is a structural diagram of the cloud-system security detection device of the hardware running environment involved in the embodiment of the present invention.
As shown in Fig. 2, the device may include: a processor 1001 such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory) such as a magnetic disk memory.
Those skilled in the art will understand that the device structure shown in Fig. 2 does not limit the cloud-system security detection device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 2, the memory 1005 may include an operating system, a network communication module, a user interface module and a cloud-system security detection program.
In the cloud-system security detection device shown in Fig. 2, the network interface 1004 is mainly used for data communication; the user interface 1003 is mainly used to facilitate data interaction between the user and the device; the device calls, through the processor 1001, the cloud-system security detection program stored in the memory 1005 and performs the following operations:
When the cloud system receives a detection request, determine the cloud-system layer, state-machine action and security strategy corresponding to the detection request;
Establish the target state machine of the cloud-system layer according to the detection request;
Execute the state-machine action through the target state machine to obtain the actual-behaviour operation result of the target state machine;
Call the security strategy through the target state machine and execute the state-machine action under the security strategy to obtain the expected-behaviour operation result of the target state machine;
Compare the actual-behaviour operation result with the expected-behaviour operation result, and when the two are identical, conclude that the cloud system is safe.
Further, the cloud-system security detection program stored in the memory 1005 is called by the processor 1001 and also performs the following operations:
Receive the target security domain input by the user;
Call the security strategy through the target state machine and execute the state-machine action under the security strategy;
Determine the security domain under test corresponding to the state-machine action;
Compare the security domain under test with the target security domain, and when an information-flow relation exists between the two, execute the state-machine action corresponding to the security domain under test to obtain the expected-behaviour operation result of the target state machine.
Further, the cloud-system security detection program stored in the memory 1005 is called by the processor 1001 and also performs the following operations:
Receive a state-machine modelling instruction input by the user and, according to it, obtain the state set, atomic-action set, behaviour set and security-domain set of the cloud system;
Build the state-transition relation according to the state set, atomic-action set, behaviour set and security-domain set of the cloud system, and generate the basic state machine of the cloud system;
Establish the target state machine of the cloud-system layer according to the detection request and the basic state machine of the cloud system.
Further, the cloud-system security detection program stored in the memory 1005 is called by the processor 1001 and also performs the following operation:
When the actual-behaviour operation result differs from the expected-behaviour operation result, display the state-machine action.
In this embodiment, when the cloud system receives a detection request, the cloud-system layer, state-machine action and security strategy corresponding to the request are determined; the target state machine of the cloud-system layer is established according to the request; the state-machine action is executed through the target state machine to obtain its actual-behaviour operation result; the security strategy is called through the target state machine and the state-machine action is executed under the security strategy to obtain its expected-behaviour operation result; the actual-behaviour operation result is compared with the expected-behaviour operation result, and from the comparison it can be judged whether an untrustworthy behaviour exists in the cloud system. When the two results are identical the cloud system is judged safe, so the security of the cloud system can be detected accurately.
Referring to Fig. 3, Fig. 3 is a flow diagram of an embodiment of the cloud-system security detection method of the present invention, proposed on the basis of the above automated judgement theory for cloud-system trustworthiness and the hardware running environment. The cloud-system security detection method includes the following steps:
Step S10: when the cloud system receives a detection request, determine the cloud-system layer, state-machine action and security strategy corresponding to the detection request;
It should be noted that the executing body of this embodiment is the processor of the cloud-system security detection device; this embodiment is described with a cloud server as the cloud-system security detection device.
Before step S10, this embodiment requires the cloud-system state machine m to be constructed: receive the state-machine modelling instruction input by the user and, according to it, obtain the basic state set S, atomic-action set A, behaviour set B, security-domain set D, output set O and security strategy of the cloud system, and build the state-transition relation step: S × A → S to generate the basic state machine m of the cloud system;
It will be appreciated that in step S10, when the detection request γ is received, it is first determined which layer of the cloud system the system to be analysed belongs to; the cloud-system layer may be the infrastructure-as-a-service layer IaaS, the platform-as-a-service layer PaaS, the software-as-a-service layer SaaS or another extended layer. This embodiment is described with the infrastructure-as-a-service layer IaaS as the cloud-system layer corresponding to the detection request. Step S10 further determines the state-machine action and security strategy corresponding to the detection request.
Step S20: establish the target state machine of the cloud-system layer according to the detection request;
It will be appreciated that, according to the layer (IaaS, PaaS, SaaS or other XaaS) to which the system to be analysed belongs and the actual requirements, the basic state machine m is extended; the extended definition and the relations between the state set S, atomic-action set A, behaviour set B, output set O, security-domain set D and so on are established to obtain the target state machine EMA of the cloud system. Refer to Fig. 4, which is a schematic diagram of the state machine of a real cloud system.
The target state machine includes a function dom() from state-machine actions to security domains, a detection-result function behcon(s, a), a detection-execution function exec(s, γ) and an expected-detection function wexpected(γ, w);
The function dom() returns the security domain dom(a) to which the state-machine action a belongs; a belongs to the atomic-action set A;
The detection-result function behcon(s, a) outputs the detection result of executing the state-machine action a in the current state s of the target state machine; s belongs to the state set S;
The detection-execution function exec(s, γ) denotes executing the detection request γ in the current state s; γ belongs to the behaviour set B;
The expected-detection function wexpected(γ, w) denotes the detection request γ at the target security domain w; w belongs to the security-domain set D.
It should be noted that the detection request γ may be characterized as the actual behaviour (i.e. the actual execution result) of the target state machine EMA of the cloud system.
Step S30: execute the state-machine action through the target state machine to obtain the actual-behaviour operation result of the target state machine;
It will be appreciated that, referring to Fig. 5, Fig. 5 is a schematic diagram of the equivalent target state machine EMA obtained by modelling the cloud system in this embodiment. In Fig. 5, a, b, c, d, e, f, g, h, i are state-machine actions belonging to the action set A; S, S0, Sf0, Sf1, Sf2, Sf3, Sf4 belong to the state set S; a circle denotes a state of the cloud system, i.e. an actual-behaviour operation result.
In a specific implementation, the target state machine executes the state-machine actions in turn by formula (1) (the state-machine action a belongs to the action set A) to obtain the actual-behaviour operation result M1 of the target state machine EMA, where formula (1) is M1 = behcon(exec(s, γ), a);
It will be appreciated that this is regarded as the actual execution result of the target state machine of the cloud system for the behaviour γ.
Step S40: call the security strategy through the target state machine and execute the state-machine action under the security strategy to obtain the expected-behaviour operation result of the target state machine;
In a specific implementation, before step S40 the target security domain w input by the user according to the actual requirements has to be received;
It will be appreciated that, referring to Fig. 6, the security strategy corresponding to the detection request in this embodiment is the security strategy of the whole system as shown in Fig. 6. In Fig. 6, the target security domain w is the security domain that finally receives the influence of the cloud system; u_i denotes the security domain dom(i) to which the action i belongs, i.e. u_i = dom(i), which is the security domain under test corresponding to the state-machine action.
In Fig. 6, the security domains u_a, u_b, u_c, u_e have an indirect interference relation with the target security domain w, and u_d, u_f, u_g have a direct interference relation with w. When a security domain under test has a direct or indirect interference relation with w, an information-flow relation exists between the security domain under test and w. The other security domains not shown in Fig. 6 have no (direct or indirect) interference relation with the target security domain w.
When an information-flow relation exists between the security domain under test and the target security domain, executing the state-machine action corresponding to the security domain under test specifically means calling formula (2) under the security strategy to execute the state-machine action a and obtain the expected-behaviour operation result M2 of the target state machine, where formula (2) is M2 = behcon(exec(s, wexpected(γ, dom(a))), a).
Here wexpected(γ, dom(a)) denotes the expected behaviour of the cloud system under security-strategy control after it receives the detection request γ;
It will be appreciated that the expected-behaviour operation result M2 is regarded as the theoretical execution result of the expected behaviour wexpected(γ, dom(a)) of the target state machine of the cloud system under the control of a nontransitive security strategy.
In a specific implementation, for each behaviour α of the target state machine EMA in Fig. 5, the expected behaviour β = wexpected(α, w) of α under security-strategy control is calculated, which yields the state machine of the expected execution process of the cloud system under the control of the security strategy of Fig. 6 (called WEMA, i.e. Fig. 7). The calculation steps are as follows:
First, there are 5 behaviours in the cloud system of Fig. 5: α1 = aa*bd, α2 = adbc*d, α3 = ecf, α4 = ecd, α5 = hibg. Calculating the expected behaviour of α1~α5 under security-strategy control in turn yields the state machine WEMA that describes the expected behaviour of the cloud system;
(1) For α1 = aa*bd, according to the security strategy its interference source set is easily calculated as interfsrcs(α1, w) = {w, d}, hence β1 = wexpected(α1, w) = d.
(2) For α2 = adbc*d, depending on whether the action c is executed, there are two possibilities: α21 = adbd and α22 = adbcc*d.
For α21 = adbd, calculate interfsrcs(α21, w) = {w, d}, hence β21 = wexpected(α21, w) = d.
For α22 = adbcc*d, calculate interfsrcs(α22, w) = {w, d, c, b, a}, giving β22 = wexpected(α22, w) = adbcc*d.
(3) For α3 = ecf and α4 = ecd, it is easy to obtain β3 = wexpected(α3, w) = ecf and β4 = wexpected(α4, w) = ecd.
(4) For α5 = hibg, since dom(h) and dom(i) have no interference relation with w, it is easy to calculate β5 = wexpected(α5, w) = g.
Through the above calculation, the state machine WEMA describing the expected behaviour of the cloud system under security-strategy control is obtained. Referring to Fig. 7, Fig. 7 is a schematic diagram of the state machine WEMA of the expected behaviour of the cloud system under security-strategy control.
Step S50: compare the actual-behaviour operation result with the expected-behaviour operation result; when the two are identical, conclude that the cloud system is safe.
It will be appreciated that if M1 = M2, i.e. equation (1) of the above theory holds, the real execution result of the behaviour is consistent with the expected execution result under security-strategy control, so the behaviour of the cloud system is safe and trustworthy; otherwise it is unsafe.
In a specific implementation, after the EMA (Fig. 5) and WEMA (Fig. 7) of the cloud system have been obtained, Algorithm 1 is used to enumerate the trustworthiness of every behaviour in the cloud system and finally obtain the trustworthiness of the whole cloud system. Without loss of generality, the decision process is as follows:
(1) The behaviours α3 = ecf and α4 = ecd are trustworthy, because a comparison of Fig. 5 and Fig. 7 shows that while α3 and α4 are executed the two state machines EMA and WEMA remain in equivalent states at all times;
(2) The behaviour α1 = aa*bd is trustworthy. However, while α1 = aa*bd is executed, EMA executes the actions a and b and WEMA does not, so EMA and WEMA may be non-equivalent in some intermediate state during the run. Since equivalence nevertheless holds on the domain w the user is concerned with (and so equation (1) holds), the behaviour is still trustworthy in the end.
This case needs concrete analysis, since there are two possibilities, one benign and one not. The benign possibility is that the user allows downgrading (downgrade), so the inconsistency of the intermediate states is legitimate; the other possibility is that a potential insecurity factor exists, which may make cloud system M untrustworthy on other security domains, so that the cloud system may carry a security risk. The cause of the risk is the presence of the operations (i.e. state-machine actions, such as API calls at the PaaS level, or commands and instructions at the SaaS level) a and b.
(3) The behaviour α2 = adbc*d can be divided into two cases, α21 = adbd and α22 = adbcc*d, according to the atomic state-machine action c.
For α21 = adbd, EMA ends in the final state sf1 and WEMA ends in the final state s'f0. Since equivalence holds on w, α21 = adbd is trustworthy, similarly to case (2) above.
For α22 = adbcc*d, the situation is similar to case (1) above.
Therefore the trustworthiness of the behaviour α2 = adbc*d depends on the occurrence of the single operation (atomic state-machine action) c.
(4) The behaviour α5 = hibg is untrustworthy, because equivalence on w fails and Algorithm 1 cannot pass. Algorithm 1 finds the non-equivalence relation on w and returns FALSE; at the same time, Algorithm 1 reports that the untrustworthy behaviour is α = hibg and that the reason is the presence of the operations h, i and b. Which operation sequence α = hibg finally corresponds to, and what concrete operations h, i and b are, can be analysed according to the actual system and its security requirements.
By above-mentioned example as it can be seen that algorithm 1 not only can be determined that whether some cloud system is credible;And it can be incredible When point out with precision and lead to the incredible behavior of cloud system (sequence of atomic action), and accordingly lead to incredible atom What action is.What specific atomic action is, depends on actual system and demand for security.As previously mentioned, if laying particular emphasis on PaaS is analyzed, then atomic action may be that api interface calls;If laying particular emphasis on analysis SaaS, atomic action may be one Machine instruction etc. inside operating system command or process.
In this embodiment, when the cloud system receives a detection request, the cloud system layer, state machine action and security policy corresponding to the detection request are determined; a target state machine of the cloud system layer is established according to the detection request; the state machine action is executed by the target state machine to obtain the actual behavior operation result of the target state machine; the security policy is invoked by the target state machine and the state machine action is executed under the security policy to obtain the expected behavior operation result of the target state machine; and the actual behavior operation result is compared with the expected behavior operation result. From the comparison it can be decided whether an untrustworthy behavior exists in the cloud system: when the actual behavior operation result is identical to the expected behavior operation result, the cloud system is judged secure, so the security of the cloud system can be detected accurately. Moreover, when an untrustworthy behavior exists in the cloud system, the cause of the untrustworthy behavior (the atomic action, such as a command, function call, API call or machine instruction) can be pinpointed, which makes security repair convenient.
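The following is an added example, not code from the patent or its authors. It implements the comparison of the description above and of claims 4 and 5 over a constructed state machine: a tenant domain "user" (the target security domain w) and an "admin" domain, with actions, state fields and the information-flow policy all invented for illustration. Only the function names dom, behcon, exec (written exec_ because exec is a Python builtin) and wexpected follow the patent's notation. The one-at-a-time localisation of the responsible atomic actions is a simple heuristic assumed here to stand in for Algorithm 1, whose text is not reproduced on this page. The `leak` flag plants a flaw so that the same behavior can be seen passing on the clean machine and failing on the flawed one.

```python
"""Noninterference-style trustworthiness check for a cloud-system state machine.

Added example, not the patent's code. Machine, actions, state and policy are
constructed; dom / behcon / exec_ / wexpected follow the notation of claims 4-5;
the culprit localisation is a heuristic, not the patent's Algorithm 1.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

State = Tuple[int, int, int]   # (admin_logged_in, config_version, user_counter)
Observation = Tuple


@dataclass(frozen=True)
class StateMachine:
    domains: Dict[str, str]                        # action -> security domain, dom(a)
    step: Callable[[State, str], State]            # effect of one atomic action
    observe: Callable[[State, str], Observation]   # what dom(a) sees when a runs at s
    interferes: FrozenSet[Tuple[str, str]]         # (u, v): information may flow u -> v

    def dom(self, a: str) -> str:
        return self.domains[a]

    def exec_(self, s: State, gamma: List[str]) -> State:
        """exec(s, gamma): run the behaviour gamma from s (the EMA run)."""
        for a in gamma:
            s = self.step(s, a)
        return s

    def behcon(self, s: State, a: str) -> Observation:
        """behcon(s, a): detection result of action a in state s."""
        return self.observe(s, a)

    def wexpected(self, gamma: List[str], w: str) -> List[str]:
        """wexpected(gamma, w): gamma as the policy allows domain w to see it.
        Actions of domains not permitted to interfere with w are purged (WEMA run)."""
        return [a for a in gamma if (self.dom(a), w) in self.interferes]

    def check_behavior(self, s0: State, gamma: List[str], a: str):
        """M1 = behcon(exec(s, gamma), a); M2 = behcon(exec(s, wexpected(gamma, dom(a))), a)."""
        w = self.dom(a)
        m1 = self.behcon(self.exec_(s0, gamma), a)
        m2 = self.behcon(self.exec_(s0, self.wexpected(gamma, w)), a)
        if m1 == m2:
            return True, m1, m2, []
        # Heuristic localisation: blame a purged action if dropping it alone
        # from gamma changes the actual result M1.
        culprits: List[str] = []
        for i, x in enumerate(gamma):
            if (self.dom(x), w) in self.interferes:
                continue
            without = gamma[:i] + gamma[i + 1:]
            if self.behcon(self.exec_(s0, without), a) != m1 and x not in culprits:
                culprits.append(x)
        return False, m1, m2, culprits


def make_machine(leak: bool) -> StateMachine:
    """Constructed PaaS-style tenant/admin machine; leak=True plants the flaw."""
    domains = {"admin_login": "admin", "admin_set_config": "admin",
               "user_read": "user", "user_status": "user"}   # user_status: tenant's observation

    def step(s: State, a: str) -> State:
        logged_in, config, counter = s
        if a == "admin_login":
            return (1, config, counter)
        if a == "admin_set_config":
            if not logged_in:
                return s
            # Constructed flaw: the config reload also resets tenant-visible
            # state, so an admin action interferes with the user domain.
            return (logged_in, config + 1, 0 if leak else counter)
        if a == "user_read":
            return (logged_in, config, counter + 1)
        return s   # user_status only observes

    def observe(s: State, a: str) -> Observation:
        return ("user", s[2]) if domains[a] == "user" else ("admin", s[0], s[1])

    # Policy: user->user, admin->admin, user->admin may flow; admin->user may not.
    interferes = frozenset({("user", "user"), ("admin", "admin"), ("user", "admin")})
    return StateMachine(domains, step, observe, interferes)


def audit(machine: StateMachine, behaviors: List[List[str]], a: str = "user_status"):
    """Enumerate behaviours; the system is trustworthy only if every behaviour is."""
    s0: State = (0, 0, 0)
    reports = [(g, *machine.check_behavior(s0, g, a)) for g in behaviors]
    return all(r[1] for r in reports), reports


BEHAVIORS = [   # constructed sample behaviours (sequences of atomic actions)
    ["user_read", "user_read", "admin_login", "admin_set_config", "user_read"],
    ["admin_login", "admin_set_config", "user_read"],
    ["admin_login", "user_read", "user_read"],
]

if __name__ == "__main__":
    for leak in (False, True):
        ok, reports = audit(make_machine(leak), BEHAVIORS)
        print(f"leak={leak}: system trustworthy = {ok}")
        for gamma, trusted, m1, m2, culprits in reports:
            print(f"  {' '.join(gamma)}: trusted={trusted} M1={m1} M2={m2} culprits={culprits}")
```

On the clean machine every behavior passes. On the flawed machine the first behavior fails with M1 = ("user", 1) against the expected M2 = ("user", 3), and both admin actions are reported, because the reset only happens after a login; the second behavior, which uses the same atomic actions in a different order, still passes because the counter is reset while it is already zero. That ordering sensitivity is the same point the description makes for α2 = adbc*d, where trustworthiness depends on where a single atomic action occurs.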
It should be noted that, herein, the terms "include", "comprise" and any other variant thereof are intended to be non-exclusive, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or system. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or system that includes that element.
The numbering of the above embodiments is for description only and does not indicate the relative merit of the embodiments.
The above are only preferred embodiments of the present invention and are not intended to limit its scope. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, falls within the scope of protection of the present invention.

Claims (8)

1. A cloud system security detection method, characterized in that the method comprises:
when a cloud system receives a detection request, determining the cloud system layer, the state machine action and the security policy corresponding to the detection request;
establishing a target state machine of the cloud system layer according to the detection request;
executing the state machine action by the target state machine to obtain an actual behavior operation result of the target state machine;
invoking the security policy by the target state machine and executing the state machine action under the security policy to obtain an expected behavior operation result of the target state machine;
comparing the actual behavior operation result with the expected behavior operation result, and determining that the cloud system is secure when the actual behavior operation result is identical to the expected behavior operation result.
2. The method according to claim 1, characterized in that, before the invoking the security policy by the target state machine and executing the state machine action under the security policy to obtain the expected behavior operation result of the target state machine, the method further comprises:
receiving a target security domain input by a user;
correspondingly, the invoking the security policy by the target state machine and executing the state machine action under the security policy to obtain the expected behavior operation result of the target state machine specifically comprises:
invoking the security policy by the target state machine and executing the state machine action under the security policy;
determining the security domain to be measured that corresponds to the state machine action;
comparing the security domain to be measured with the target security domain, and when an information flow relation exists between the security domain to be measured and the target security domain, executing the state machine action corresponding to the security domain to be measured to obtain the expected behavior operation result of the target state machine.
3. The method according to claim 2, characterized in that, before the determining, when the cloud system receives the detection request, the cloud system layer, the state machine action and the security policy corresponding to the detection request, the method further comprises:
receiving a state machine modeling instruction input by a user, and obtaining a state set, an atomic action set, a behavior set and a security domain set of the cloud system according to the state machine modeling instruction;
constructing state transition relations according to the state set, the atomic action set, the behavior set and the security domain set of the cloud system, and generating a basic state machine of the cloud system;
correspondingly, the establishing the target state machine of the cloud system layer according to the detection request specifically comprises:
establishing the target state machine of the cloud system layer according to the detection request and the basic state machine of the cloud system.
4. The method according to claim 3, characterized in that the target state machine comprises a security domain function dom() for state machine actions, a detection result function behcon(s, a), a detection execution function exec(s, γ) and an expected detection function wexpected(γ, w);
the security domain function dom() for state machine actions is used to return the security domain dom(a) to which a state machine action a belongs, the state machine action a belonging to the atomic action set;
the detection result function behcon(s, a) is used to output the detection result of the target state machine executing the state machine action a in the current state s, the current state s belonging to the state set;
the detection execution function exec(s, γ) is used to denote executing the detection request γ in the current state s, the detection request γ belonging to the behavior set;
the expected detection function wexpected(γ, w) is used to denote the detection request γ on the target security domain w, the target security domain w belonging to the security domain set.
5. The method according to claim 4, characterized in that the executing the state machine action by the target state machine to obtain the actual behavior operation result of the target state machine specifically comprises:
executing the state machine action a by the target state machine using formula (1) to obtain the actual behavior operation result M1 of the target state machine;
wherein formula (1) is
M1 = behcon(exec(s, γ), a);
correspondingly, the invoking the security policy by the target state machine and executing the state machine action under the security policy to obtain the expected behavior operation result of the target state machine specifically comprises:
invoking the security policy by the target state machine and executing the state machine action a using formula (2) to obtain the expected behavior operation result M2 of the target state machine;
wherein formula (2) is
M2 = behcon(exec(s, wexpected(γ, dom(a))), a);
correspondingly, the comparing the actual behavior operation result with the expected behavior operation result and determining that the cloud system is secure when the actual behavior operation result is identical to the expected behavior operation result specifically comprises:
comparing the actual behavior operation result M1 with the expected behavior operation result M2, and determining that the cloud system is secure when the actual behavior operation result is identical to the expected behavior operation result.
6. The method according to any one of claims 1 to 5, characterized in that the cloud system layer comprises at least one of an infrastructure-as-a-service layer IaaS, a platform-as-a-service layer PaaS and a software-as-a-service layer SaaS.
7. The method according to claim 6, characterized in that, after the comparing the actual behavior operation result with the expected behavior operation result, the method further comprises:
when the actual behavior operation result differs from the expected behavior operation result, displaying the state machine action.
8. A cloud system security detection device, characterized in that the device comprises a memory, a processor, and a cloud system security detection program stored on the memory and runnable on the processor, the cloud system security detection program being configured to implement the steps of the cloud system security detection method according to any one of claims 1 to 7.
CN201810040382.9A 2018-01-16 2018-01-16 A kind of cloud system safety detection method and device Pending CN108763927A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810040382.9A CN108763927A (en) 2018-01-16 2018-01-16 A kind of cloud system safety detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810040382.9A CN108763927A (en) 2018-01-16 2018-01-16 A kind of cloud system safety detection method and device

Publications (1)

Publication Number Publication Date
CN108763927A true CN108763927A (en) 2018-11-06

Family

ID=63980036

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810040382.9A Pending CN108763927A (en) 2018-01-16 2018-01-16 A kind of cloud system safety detection method and device

Country Status (1)

Country Link
CN (1) CN108763927A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112437070A (en) * 2020-11-16 2021-03-02 深圳市永达电子信息股份有限公司 Operation-based spanning tree state machine integrity verification calculation method and system
CN112866220A (en) * 2021-01-07 2021-05-28 深圳市永达电子信息股份有限公司 Safety management and control method and system based on CIA state machine


Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150205962A1 (en) * 2014-01-23 2015-07-23 Cylent Systems, Inc. Behavioral analytics driven host-based malicious behavior and data exfiltration disruption
CN104809401A (en) * 2015-05-08 2015-07-29 南京大学 Method for protecting integrity of kernel of operating system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张帆 (Zhang Fan) et al.: "Noninterference-based analysis of behavioral trustworthiness in cloud environments", 《计算机学报》 (Chinese Journal of Computers) *


Similar Documents

Publication Publication Date Title
Chiregi et al. A comprehensive study of the trust evaluation mechanisms in the cloud computing
EP2814218A1 (en) Detecting anomalies in work practice data by combining multiple domains of information
CN109478263A (en) System and equipment for architecture assessment and strategy execution
CN110505241A (en) A kind of network attack face detection method and system
Xu et al. System regression test planning with a fuzzy expert system
Torjusen et al. Towards run-time verification of adaptive security for IoT in eHealth
NAIKAN Review of simulation approaches in reliability and availability modeling
Cai et al. Optimal and adaptive testing for software reliability assessment
CN108763927A (en) A kind of cloud system safety detection method and device
Cody A layered reference model for penetration testing with reinforcement learning and attack graphs
Ye et al. Estimating malaria incidence through modeling is a good academic exercise, but how practical is it in high-burden settings?
CN108171061A (en) A kind of Android system Kernel security detection method and device
Ricós et al. Distributed state model inference for scriptless GUI testing
Carroll et al. Realizing scientific methods for cyber security
Singh et al. Predicting testing effort using artificial neural network
Nami et al. Software trustworthiness: past, present and future
La Manna et al. Synthesizing tests for combinatorial coverage of modal scenario specifications
CN106648895A (en) Data processing method and device, and terminal
Cui et al. Bsela: A blockchain simulator with event-layered architecture
Henia et al. Integrating Formal Timing Analysis in the Real-Time Software Development Process
Singh et al. Fault localization in software testing using soft computing approaches
Ohueri et al. IoT-based digital twin best practices for reducing operational carbon in building retrofitting: a mixed-method approach
Sell et al. A dynamic programming approach for planning reliability growth
Das et al. Digital twin based fault analysis in hybrid-cloud applications
Kumar et al. Fuzzy Cognitive Map based Prediction Tool for Schedule Overrun

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181106