IEEE Transactions on Cloud Computing: Latest Publications

Optimizing Cloud Computing Performance Through Integration of a Threshold-Based Load Balancing Algorithm With Multiple Service Broker Policies
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 751-768. Pub Date: 2025-04-24. DOI: 10.1109/TCC.2025.3563848
Authors: Shusmoy Chowdhury; Ajay Katangur
Abstract: The triumph of cloud computing hinges upon the adept instantiation of infrastructure and the judicious utilization of available resources. Load balancing, a pivotal facet, substantiates the fulfillment of these imperatives, thereby augmenting the performance of the cloud environment for its users. Our research introduces a load balancing algorithm grounded in threshold principles devised to ensure equitable distribution of workloads among nodes. The main objective of the algorithm is to preclude the overburdening of virtual machines (VMs) within the cloud with tasks or their idleness due to task allocation deficiencies in the presence of active tasks. The threshold values embedded in our algorithm ascertain the judicious deployment of VMs, forestalling both task overload and idle states arising from task allocation inadequacies. Simulation outcomes manifest that our threshold-based algorithm markedly enhances response time for tasks/requests and data processing duration within datacenters, outperforming extant algorithms such as First Come First Serve, Round Robin, and the Equally Spread Current Execution Load Balancing algorithm. Our threshold algorithm attains superior results to alternative load balancing algorithms when coupled with an optimized response time service broker policy.
Citations: 0
Modeling Resource Scheduling in Optical Switching DCNs Under Bursty and Skewed Traffic
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 737-750. Pub Date: 2025-04-16. DOI: 10.1109/TCC.2025.3561281
Authors: Shuai Zhang; Baojun Chen; Weiqiang Sun; Weisheng Hu
Abstract: When optical switching is deployed in Data Center Networks (DCNs), the reconfiguration of the optical switching matrix leads to substantially longer overheads, posing a significant impact on the system performance. Despite the extensive studies on the scheduling algorithms based on demand matrix decomposition (DMD), the stateful and irregular nature of the scheduling processes hinders the development of quantitative models, thereby limiting our understanding of resource scheduling in optical switching DCNs based on DMD. In this article, we model the DMD based resource scheduling process under a bursty and skewed traffic pattern and derive closed-form equations for the burst completion time. Our study shows that an increased reconfiguration delay will lead to an approximate linear increase in the burst completion time. Our study also demonstrates that the size of the slot and the maximum allowed duration of one match are approximately inversely proportional to the burst completion time, with diminishing marginal returns.
Citations: 0
Secure kNN for Distributed Cloud Environment Using Fully Homomorphic Encryption
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 721-736. Pub Date: 2025-04-16. DOI: 10.1109/TCC.2025.3561586
Authors: Yuuya Fukuchi; Sota Hashimoto; Kazuya Sakai; Satoshi Fukumoto; Min-Te Sun; Wei-Shinn Ku
Abstract: Privacy-preserving k-nearest neighbor (PPkNN) classification for multiple clouds enables categorizing queried data into a class in keeping with data privacy, where the database and key servers jointly perform cryptographic operations. The existing solutions, unfortunately, take a long time and incur a large amount of traffic between the database and key servers. Therefore, in this article, we propose a fast and secure kNN classification protocol, namely FSkNN, over distributed databases deployed in multiple clouds under the semi-honest model. Particularly, we focus on optimizing the network-related operations during kNN classification. That is, the proposed cryptographic protocol reduces the number of interactions between the servers by using a fully homomorphic encryption scheme and eliminates unnecessary traffic by applying mathematical techniques. In addition, the indistinguishability-based security of FSkNN is proven. We implemented FSkNN with C++ and the testbed experiments demonstrate that the proposed scheme significantly facilitates the query response time and reduces the communication cost.
Citations: 0
SOCT: Secure Outsourcing Computation Toolkit Using Threshold ElGamal Algorithm
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 711-720. Pub Date: 2025-04-15. DOI: 10.1109/TCC.2025.3561313
Authors: Sen Hu; Shang Ci; Donghai Guan; Çetin Kaya Koç
Abstract: Cloud computing offers inexpensive and scalable solutions for data processing, however privacy concerns often hinder the outsourcing of sensitive information. Homomorphic encryption provides a promising approach for secure computations over encrypted data. However, existing models often rely on restrictive assumptions, such as semi-honest adversaries and inaccessible public data. To address these limitations, we introduce the Secure Outsourcing Computation Toolkit (SOCT), which is a novel framework based on the threshold ElGamal cryptosystem. The toolkit employs a dual-server decryption architecture using a (2,2) threshold additively homomorphic ElGamal (TAHEG) algorithm. This architecture ensures that ciphertexts can be decrypted only with the cooperation of both servers, mitigating the risk of data breaches. The TAHEG algorithm requires the input of a secret key for every decryption operation, preventing unauthorized access to plaintext data. Moreover, the key generation process does not burden users with generating or distributing partial secret keys. We provide rigorous security proofs for our threshold ElGamal cryptosystem and associated secure computation functions. Experimental results demonstrate that SOCT achieves significant efficiency gains compared to existing toolkits, making it a practical choice for privacy-preserving data outsourcing.
Citations: 0
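The primitive that SOCT's dual-server architecture rests on, (2,2)-threshold additively homomorphic ElGamal, as an added illustration written for this page (it is not the paper's TAHEG code and does not reproduce its protocol): each server keeps its own share s_i, the joint public key is g^(s1+s2), the cloud adds and scales ciphertexts with no key at all, and recovering a plaintext needs both servers' partial results. The group (p = 2^31 - 1 with generator 7), the message bound, and the dealer-free share generation (each server picks its share and publishes g^(s_i)) are the editor's assumptions for a runnable toy; a real deployment uses a 2048-bit or elliptic-curve prime-order group. Requires Python 3.8+ for `pow(x, -1, p)`.

```python
"""(2,2)-threshold exponential ElGamal: additively homomorphic, two-server decryption.

Editor's illustration for this page; not the SOCT/TAHEG implementation.
"""
import random

# Toy parameters (editor's assumption, not from the paper): p = 2^31 - 1 is prime
# and 7 is a primitive root mod p. Far too small for real use.
P = (1 << 31) - 1
G = 7
ORDER = P - 1          # exponents live in Z_{p-1}
MSG_BOUND = 1 << 16    # plaintexts must stay below this to be decodable

_SYS = random.SystemRandom()


def keygen_share(rng=_SYS):
    """Each server picks its own share s_i and publishes h_i = g^{s_i}; no dealer."""
    s = rng.randrange(1, ORDER)
    return s, pow(G, s, P)


def public_key(h1, h2):
    """Joint key h = h1 * h2 = g^{s1 + s2}; only both servers together can decrypt."""
    return h1 * h2 % P


def encrypt(h, m, rng=_SYS):
    """Exponential ElGamal: (g^r, g^m * h^r). Putting m in the exponent is what
    makes ciphertext multiplication add plaintexts."""
    if not 0 <= m < MSG_BOUND:
        raise ValueError("message outside decodable range")
    r = rng.randrange(1, ORDER)
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P


def add(c, d):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2), computed by the cloud without any key."""
    return c[0] * d[0] % P, c[1] * d[1] % P


def scale(c, k):
    """Enc(m)^k = Enc(k * m) for a public scalar k."""
    return pow(c[0], k, P), pow(c[1], k, P)


def partial_decrypt(s_i, c):
    """Server i contributes c1^{s_i}; its share never leaves the server."""
    return pow(c[0], s_i, P)


def dlog_table(bound=MSG_BOUND):
    """Lookup g^m -> m for 0 <= m < bound (fine for small plaintext spaces)."""
    table, cur = {}, 1
    for m in range(bound):
        table[cur] = m
        cur = cur * G % P
    return table


def combine(c, d1, d2, table):
    """c2 / (d1 * d2) = g^m * h^r / g^{r(s1+s2)} = g^m, then look m up."""
    gm = c[1] * pow(d1 * d2 % P, -1, P) % P
    if gm not in table:
        raise ValueError("decryption failed: wrong shares or message out of range")
    return table[gm]


def demo(seed=2025):
    """Walk through keygen, outsourced computation and two-server decryption."""
    rng = random.Random(seed)  # deterministic so the walkthrough is repeatable
    s1, h1 = keygen_share(rng)
    s2, h2 = keygen_share(rng)
    h = public_key(h1, h2)
    table = dlog_table()
    c_a, c_b = encrypt(h, 1234, rng), encrypt(h, 4321, rng)
    c_sum = add(c_a, c_b)             # cloud computes 1234 + 4321 on ciphertexts
    c_lin = add(scale(c_a, 3), c_b)   # cloud computes 3*1234 + 4321
    out = {
        "sum": combine(c_sum, partial_decrypt(s1, c_sum), partial_decrypt(s2, c_sum), table),
        "lin": combine(c_lin, partial_decrypt(s1, c_lin), partial_decrypt(s2, c_lin), table),
    }
    # One share alone yields g^m * g^{r*s2}: still blinded, not g^m.
    one_share_view = c_a[1] * pow(partial_decrypt(s1, c_a), -1, P) % P
    out["one_share_reveals_plaintext"] = one_share_view == pow(G, 1234, P)
    return out


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is where the shares sit: nothing in `combine` ever sees s1 or s2, only the two partial values, so a compromise of either server (or of the combiner) does not yield a decryption key, which is the property the abstract's dual-server architecture is after.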
Breaking the Edge: Enabling Efficient Neural Network Inference on Integrated Edge Devices
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 694-710. Pub Date: 2025-04-09. DOI: 10.1109/TCC.2025.3559346
Authors: Feng Zhang; Chenyang Zhang; Jiawei Guan; Qiangjun Zhou; Kuangyu Chen; Xiao Zhang; Bingsheng He; Jidong Zhai; Xiaoyong Du
Abstract: Edge computing has gained widespread attention in cloud computing due to the increasing demands of AIoT applications and the evolution of edge architectures. One prevalent application in this domain is neural network inference on edge for computing and processing. This article presents an in-depth exploration of inference on integrated edge devices and introduces EdgeNN, a groundbreaking solution for inference specifically designed for CPU-GPU integrated edge devices. EdgeNN offers three key innovations. First, EdgeNN adaptively employs zero-copy optimization by harnessing unified physical memory. Second, EdgeNN introduces an innovative approach to CPU-GPU hybrid execution tailored for inference tasks. This technique enables concurrent CPU and GPU operation, effectively leveraging edge platforms' computational capabilities. Third, EdgeNN adopts a finely tuned adaptive inference tuning technique that analyzes complex inference structures. It divides computations into sub-tasks, intelligently assigning them to the two processors for better performance. Experimental results demonstrate EdgeNN's superiority across six popular neural network inference workloads. EdgeNN delivers average speed improvements of 3.97×, 4.10×, 3.12×, and 8.80× when compared to inference on four distinct edge CPUs. Furthermore, EdgeNN achieves significant time advantages compared to the direct execution of original programs. This improvement is attributed to better unified memory utilization (44.37%) and the innovative CPU-GPU hybrid execution approach (17.91%). Additionally, EdgeNN exhibits superior energy efficiency, providing 29.14× higher energy efficiency than edge CPUs and 5.70× higher energy efficiency than discrete GPUs. EdgeNN is now open source at https://github.com/ChenyangZhang-cs/EdgeNN.
Citations: 0
PKEST: Public-Key Encryption With Similarity Test for Medical Consortia Cloud Computing
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 680-693. Pub Date: 2025-04-08. DOI: 10.1109/TCC.2025.3558858
Authors: Junsong Chen; Shengke Zeng; Song Han; Jin Yin; Peng Chen
Abstract: Cloud computing eliminates the limitations of local hardware architecture while also enabling rapid data sharing between healthcare institutions. Encryption of electronic medical records (EMRs) before uploading to cloud servers is necessary for privacy. However, encryption brings challenges for computation. Public Key Encryption with Equality Test (PKEET) allows cloud servers to test the underlying message equality without decryption. Therefore, it can be used to classify the encrypted EMRs corresponding to different medical symptoms. However, traditional PKEETs have limitations in testing the similarity between the ciphertexts. Undoubtedly, it cannot handle EMR classification with similar medical symptoms efficiently. In this work, we propose a lightweight public key encryption with similarity test (PKEST) for the EMR classification shared in medical consortia. Our scheme can resist offline message recovery attacks, which may be launched by the insider manager, and the traditional pairing computation is not necessary. Our experiment simulation shows that the similarity error between ciphertext and plaintext is tiny when the parameters are set properly. Compared to previous works, our scheme not only achieves the classification of similar encrypted EMRs but is also more efficient than traditional PKEETs since our construction does not need pairing computation anymore.
Citations: 0
Privacy-Preserving and Traceable Functional Encryption for Inner Product in Cloud Computing
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 667-679. Pub Date: 2025-04-01. DOI: 10.1109/TCC.2025.3556925
Authors: Muyao Qiu; Jinguang Han; Feng Hao; Chao Sun; Ge Wu
Abstract: Cloud computing is a distributed infrastructure that centralizes server resources on a platform in order to provide services over the internet. Traditional public-key encryption protects data confidentiality in cloud computing, while functional encryption provides a more fine-grained decryption method, which only reveals a function of the encrypted data. However, functional encryption in cloud computing faces the problem of key sharing. In order to trace malicious users who share keys with others, traceable FE-IP (TFE-IP) schemes were proposed where the key generation center (KGC) knows users' identities and binds them with different secret keys. Nevertheless, existing schemes fail to protect the privacy of users' identities. The fundamental challenge to construct a privacy-preserving TFE-IP scheme is that KGC needs to bind a key with a user's identity without knowing the identity. To balance privacy and accountability in cloud computing, we propose the concept of privacy-preserving traceable functional encryption for inner product (PPTFE-IP) and give a concrete construction which offers the features: (1) To prevent key sharing, both a user's identity and a vector are bound together in the key; (2) The KGC and a user execute a two-party secure computing protocol to generate a key without the former knowing anything about the latter's identity; (3) Each user can ensure the integrity and correctness of his/her key through verification; (4) The inner product of the two vectors embedded in a ciphertext and in his/her key can be calculated by an authorized user; (5) Only the tracer can trace the identity embedded in a key. We formally reduce the security of the proposed PPTFE-IP to well-known complexity assumptions, and conduct an implementation to evaluate its efficiency. The novelty of our scheme is to protect the user's privacy and provide traceability if required.
Citations: 0
Delegatable Multi-Authority Attribute-Based Anonymous Credentials
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 655-666. Pub Date: 2025-03-28. DOI: 10.1109/TCC.2025.3555519
Authors: Meng Sun; Junzuo Lai; Xiaohan Mo; Chi Wu; Peng Li; Cheng-Kang Chu; Robert H. Deng
Abstract: In cloud computing, users need to authenticate to access various resources. Attribute-based anonymous credentials (ABCs) provide a tool for privacy-preserving authentication, allowing users to prove possession of a set of attributes to cloud service providers anonymously. Most existing works on ABC deal with credentials on attributes issued by a single authority (issuer). In reality, it is more practical for users to obtain credentials on attributes from multiple authorities. There are a few works on multi-authority ABC, which do not support delegation needed in real deployments. In this article, we present the first delegatable multi-authority attribute-based anonymous credential system, which simultaneously achieves revocation and traceability. We also give the security analysis of our construction. Finally, we implement our system, and the experimental results show its efficiency.
Citations: 0
ReflexPilot: Startup-Aware Dependent Task Scheduling Based on Deep Reinforcement Learning for Edge-Cloud Collaborative Computing
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 641-654. Pub Date: 2025-03-27. DOI: 10.1109/TCC.2025.3555231
Authors: Wenhao Zou; Zongshuai Zhang; Nina Wang; Yu Tian; Lin Tian
Abstract: With the increasing number of devices, the demand for data computation is growing rapidly. In edge-cloud collaborative computing, tasks can be scheduled to servers as interdependent subtasks, enhancing performance through parallel computing. A task is executed in an executor, which must first initialize the runtime environment in a process called task startup. However, most existing research neglects the reuse of executors, leading to considerable delays during task startup. To address this issue, we model the edge-cloud collaborative task scheduling scenario considering executor reuse, task startup, and dependency relationships. We then formulate the dependent task scheduling problem with task startup. To meet real-time demands in edge-cloud collaborative computing, we propose ReflexPilot, an online task scheduling architecture featuring executor management. Building on this architecture, we introduce OTSA-PPO, a task scheduling algorithm based on Proximal Policy Optimization (PPO), and EMA, an advanced executor allocation algorithm. Under constraints of computational and communication resources, ReflexPilot leverages OTSA-PPO for online scheduling of dependent tasks based on current states, while EMA pre-creates and reuses executors to reduce the average task completion time. Extensive simulations demonstrate that ReflexPilot significantly reduces the average task completion time by 31% to 71% compared with existing baselines.
Citations: 0
BPFGuard: Multi-Granularity Container Runtime Mandatory Access Control
IF 5.3 | CAS Zone 2 | Computer Science
IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 629-640. Pub Date: 2025-03-24. DOI: 10.1109/TCC.2025.3551838
Authors: Hui Lu; Xiaojiang Du; Dawei Hu; Shen Su; Zhihong Tian
Abstract: The adoption of container-based cloud computing services has been prevalent, especially with the introduction of Kubernetes, which enables the automated deployment, scaling, and administration of applications in containers, hence boosting the popularity of containers. As a result, researchers have placed greater emphasis on container runtime security, notably investigating the efficacy of traditional techniques such as Capabilities, Seccomp, and Linux security modules in guaranteeing container security. However, due to the limitations imposed by the container environment, the results have been unsatisfactory. In addition, eBPF-based solutions face the problem of being unable to quickly load policies and affect real-time operations when faced with newer kernel vulnerabilities. This paper investigates the limitations of existing container security mechanisms. Additionally, it examines the specific constraints of these mechanisms in Kubernetes environments. The paper classifies container monitoring and obligatory access control into three distinct categories: system call access control, LSM hook access control, and kernel function access control. Therefore, we propose a technique for regulating container access with a variety of granularity levels. This technique is executed using eBPF and is tightly integrated with Kubernetes to collect relevant meta-information. In addition, we suggest implementing a consolidated routing method and employing function tail call chaining to overcome the limitation of eBPF in enforcing mandatory access control for containers. Lastly, we conducted a series of experiments to verify the effectiveness of the system's security using CVE-2022-0492 and to benchmark the system that had BPFGuard enabled. The results indicate that the average performance loss increased merely by 2.16%, demonstrating that there are no adverse effects on the container services. This suggests that greater security can be achieved at a minimal cost.
Citations: 0