In the cloud environment, owing to the large-scale sharing of upper-layer application instances and underlying virtual machine resources, the information flow boundary between tenants in a shared virtual machine is fuzzy and difficult to identify. In addition, protection of tenant information flow between processes is inadequate, resulting in the leakage of tenants' sensitive information. Therefore, a dynamic control method for tenants' sensitive information flow based on virtual boundary recognition is proposed. By analyzing tenant behavior and operation logs, tenant behavior feature vectors are constructed, and an automatic recognition algorithm for the tenant virtual boundary based on a dynamic spiking neural network is designed. This algorithm can dynamically identify the tenant virtual security boundary as application service demand changes. Further, combining the concepts of centralized and decentralized information flow control, a dynamic control method for sensitive information flow is established. Security labels are formally defined using a lattice structure, and the control rules for tenant information flow and the rules for tenant label encryption and declassification are designed. Thus, independent, dynamic and secure control of tenant information flow inside and outside the tenant virtual boundary is achieved. Finally, the detailed design of a dynamic security control application system for cloud tenants' sensitive information flow is provided. Experiments confirm that the proposed algorithm identifies the tenant security boundary more accurately and efficiently than traditional spiking neural network classification methods. Further, the security and effectiveness of the method are verified by intransitive noninterference theory and by an information flow control experiment.
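To make the lattice-label part of the abstract concrete, the following is an added illustrative example and not the paper's algorithm or code. It assumes a product lattice built from a sensitivity chain and a powerset of tenant tags (the decentralized part: each tenant owns its own tag), a flow rule in which a flow is permitted only upward in the lattice, and a boundary rule in which data may leave a tenant's virtual boundary only after that tenant has declassified it. The boundary itself is taken as given (each process is tagged with its tenant) rather than learned by a spiking neural network; the names `Label`, `can_flow`, `declassify` and `check_flow` and the level names are chosen here.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Constructed sensitivity ordering (a chain). Tags are tenant identifiers,
# ordered by subset inclusion; the label lattice is the product of the two.
LEVELS = ("public", "internal", "confidential")


@dataclass(frozen=True)
class Label:
    """Security label: a point in the lattice (level chain x powerset of tenant tags)."""
    level: str
    tags: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")


def rank(level: str) -> int:
    return LEVELS.index(level)


def can_flow(src: Label, dst: Label) -> bool:
    """src <= dst in the lattice: data may only flow to an equally or more restrictive label."""
    return rank(src.level) <= rank(dst.level) and src.tags <= dst.tags


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a value derived from both inputs must carry."""
    return Label(LEVELS[max(rank(a.level), rank(b.level))], a.tags | b.tags)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the most restrictive label that may still flow to both a and b."""
    return Label(LEVELS[min(rank(a.level), rank(b.level))], a.tags & b.tags)


def declassify(label: Label, tenant: str, authority: Set[str],
               new_level: Optional[str] = None) -> Label:
    """Decentralized declassification: a tenant may strip only its own tag, and only
    when the calling principal acts with that tenant's authority. The level may be
    lowered at the same time but never raised here (raising is an ordinary flow)."""
    if tenant not in authority:
        raise PermissionError(f"caller lacks the authority of {tenant}")
    level = label.level if new_level is None else new_level
    if rank(level) > rank(label.level):
        raise ValueError("declassification must not raise the sensitivity level")
    return Label(level, label.tags - {tenant})


@dataclass(frozen=True)
class Process:
    pid: str
    tenant: str    # tenant whose virtual boundary this process belongs to (assumed known)
    label: Label   # label currently attached to the process's data


def check_flow(src: Process, dst: Process) -> Tuple[bool, str]:
    """Control rule for a process-to-process flow.
    Inside one tenant boundary the lattice order alone decides. Across boundaries
    the data must additionally carry no tag of the source tenant, i.e. the source
    tenant must have declassified it first."""
    if not can_flow(src.label, dst.label):
        return False, "lattice order violated"
    if src.tenant != dst.tenant and src.tenant in src.label.tags:
        return False, f"crosses the boundary of {src.tenant} without declassification"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed scenario: tenant A's confidential record and a tenant B process.
    record = Label("confidential", frozenset({"tenantA"}))
    a_proc = Process("a1", "tenantA", record)
    b_proc = Process("b1", "tenantB", Label("confidential", frozenset({"tenantA", "tenantB"})))
    print("raw cross-boundary flow:", check_flow(a_proc, b_proc))
    released = declassify(record, "tenantA", authority={"tenantA"}, new_level="internal")
    print("after declassification:", check_flow(Process("a1", "tenantA", released), b_proc))
```

The cross-boundary rule is what distinguishes this from a plain lattice check: tenant B's process already has a label that dominates the record in the lattice, so the order alone would let the flow through, but the record still carries tenant A's tag and is blocked until A itself declassifies it.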