Conference: 2017 IEEE 16th International Symposium on Network Computing and Applications

SDS2: A novel software-defined security service for protecting cloud computing infrastructure


Abstract

Software-Defined Infrastructure (SDI) is a resource sharing infrastructure that embraces the concept of separation of the network control plane from its data plane, and software realization of network functions from the underlying hardware appliances through the virtualization technology in emerging infrastructures such as Cloud, Network Function Virtualization (NFV), and Software-Defined Networking (SDN). Virtualization and virtualized infrastructures bring with them new challenges regarding security and virtual resources protection. Traditional security measures and endpoint security are no longer adequate due to invisible boundaries created among shared logical and virtual entities among numerous users. This paper introduces a software-defined security service (SDS2) for protecting cloud infrastructures. SDS2 focuses on defining security concerns regarding physical and virtual boundaries of data, resources, tenants and detecting security breaches through violations of boundaries. Boundaries are defined by security policies and security violations by attackers are predicted, monitored, and detected when boundaries are crossed. This paper describes SDS2 and presents its initial implementation. The paper provides examples of policy-defined boundaries and shows the effectiveness and feasibility of our design in detecting invisible security boundaries through simulation of a security control structure and agile, dynamic, and intelligent VSFs.
