
TVIDS: Trusted Virtual IDS With SGX

Abstract: Network functions such as intrusion detection systems (IDS) are increasingly deployed as virtual network functions or outsourced to cloud service providers in order to gain scalability and agility and to reduce equipment and operational costs. However, virtual intrusion detection systems (VIDS) face more serious security threats because they run in a shared, virtualized environment rather than on dedicated proprietary devices. Cloud service providers or malicious tenants may illegally access and tamper with the policies, packet information, and internal processing state of the intrusion detection system, thereby violating the privacy and security of tenants' networks. To address these challenges, we use Intel Software Guard Extensions (SGX) to build a Trusted Virtual Intrusion Detection System (TVIDS). To prevent cloud service providers from accessing sensitive information about users' networks, TVIDS places the security policy, packet processing, and internal state inside a trusted execution environment, so that cloud service providers and other malicious tenants cannot access the protected code, policy, processing state, and packet information of the intrusion detection system. We implemented TVIDS on the basis of Snort, a well-known open-source IDS, and evaluated it on real SGX hardware. The results show that our method protects the security of the virtual IDS while incurring acceptable performance overhead.
Source: 《China Communications》 (中国通信, English edition), SCIE, CSCD, 2019, Issue 10, pp. 133-150 (18 pages)
Funding: Sponsored by the National Natural Science Foundation of China (Grant Nos. 61872430, 61402342, 61772384), the National Basic Research Program of China (973 Program, Grant No. 2014CB340601), and the Foundation of Science and Technology on Information Assurance Laboratory (No. KJ-17-103)
Keywords: network function virtualization; intrusion detection system; SGX; trusted execution environment