| Downloads | Citations | Reads |
| --- | --- | --- |
| 90 | 0 | 402 |
Cloud native microservices have been widely applied in many fields, but the security defense capabilities inside their containers are currently lacking: once one microservice is maliciously attacked, the other microservices associated with it are at risk of attack as well, which may cause the entire system to collapse. A single protection strategy relying only on an external traditional firewall cannot meet the differentiated security requirements of cloud native microservices. To address the security problems faced by cloud native microservices, a Security Defense Method (SDM) for cloud native microservices and its functional modules are designed and implemented, and security interlinking between microservices is achieved by constructing a multi-layer comprehensive cascading relationship matrix of the microservices. When an attack behaviour with a security anomaly is detected, the other associated microservices in cloud native containers of the same kind are located and notified according to the multi-layer comprehensive cascading relationship of the microservice data architecture, and a cascading self-trapping circuit breaker is started, blocking the malicious attack requests without affecting normal functionality, thereby achieving the goal of safeguarding the security of cloud native microservices. On the basis of this method, a security defense module and its six sub-modules are added to the original architecture inside the cloud native container. Experimental results show that the method significantly improves the security of cloud native microservices and has a clear effect in resisting Cross-Site Scripting (XSS), Structured Query Language Injection (SQLI), Remote Code Execution (RCE) and Local File Inclusion (LFI) attacks. It provides a new method for the security protection of cloud native microservices and has important practical value and significance for protecting enterprise applications and data security.
Abstract: Cloud native microservices have been widely applied in various fields. However, the security defense capabilities of their internal containers are currently lacking. Once a single microservice is subjected to a malicious attack, the other microservices associated with it are at risk of being attacked as well, potentially leading to the collapse of the entire system. Relying solely on the protection strategy of an external traditional firewall cannot meet the differentiated security requirements of cloud native microservices. To address the security issues faced by cloud native microservices, a Security Defense Method (SDM) for cloud native microservices has been designed and implemented. It is proposed that multi-layer comprehensive cascading relationship matrices of the microservices are constructed to achieve security interlinking among microservices. If an attack behavior with a security anomaly is detected, the system identifies and notifies the other related microservices in cloud native containers of the same type, based on the multi-layer comprehensive cascading relationship of the microservice data and architecture. It then initiates a cascading self-trapping circuit breaker to block malicious attack requests without affecting normal functionality, thereby achieving the goal of ensuring the security of cloud native microservices. Based on the method, a security defense module and its six sub-modules have been added to the original architecture in cloud native containers. The experimental results demonstrate that the method markedly improves the security of cloud native microservices. It has significant effects on resisting Cross-Site Scripting (XSS) attacks, Structured Query Language Injection (SQLI) attacks, Remote Code Execution (RCE) attacks, and Local File Inclusion (LFI) attacks. It provides a new method for the security protection of cloud native microservices, which has important practical value and significance for protecting enterprise applications and data security.
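To make the mechanism the abstract describes concrete, here is an added illustration that is not code from the paper or its authors: a cascading relationship matrix over three constructed services, a per-service detector with coarse signatures for the four attack classes the abstract names, and a breaker that arms the services reachable through the matrix when one of them reports an attack, so the same probe is blocked downstream while benign requests keep passing. The service names, the matrix, the multi-hop depth, the signatures and the probe strings are all constructed assumptions; the paper's actual matrix construction and its six sub-modules are not reproduced.

```python
"""Added example (not the paper's code): cascade-matrix-driven circuit breaker.

When one service detects an attack class, every service reachable from it in
the cascading relationship matrix is notified and armed for that class, so the
same attack is blocked there even if that service did not inspect for it before.
Benign requests are never affected because only signature matches are blocked.
"""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

# Constructed, deliberately coarse detection signatures (assumption, not the paper's).
SIGNATURES: dict[str, re.Pattern[str]] = {
    "XSS": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "SQLI": re.compile(r"(['\"])\s*(or|and)\s+['\"]?\w+['\"]?\s*=|union\s+select|;\s*drop\s+table", re.I),
    "RCE": re.compile(r"[;&|`]\s*(cat|sh|bash|wget|curl)\b|\$\(", re.I),
    "LFI": re.compile(r"\.\./|/etc/passwd|php://", re.I),
}


def classify(payload: str, classes: set[str]) -> str | None:
    """Return the first enabled attack class whose signature matches, else None."""
    for cls in sorted(classes):  # sorted for deterministic precedence
        if SIGNATURES[cls].search(payload):
            return cls
    return None


def cascade_targets(matrix: list[list[int]], src: int, max_depth: int) -> set[int]:
    """Multi-layer reach: all services reachable from src within max_depth hops (BFS)."""
    seen = {src}
    frontier = deque([(src, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_depth:
            continue
        for j, linked in enumerate(matrix[node]):
            if linked and j not in seen:
                seen.add(j)
                frontier.append((j, depth + 1))
    seen.discard(src)
    return seen


@dataclass
class Service:
    name: str
    local_checks: set[str]                      # classes inspected by default
    armed: set[str] = field(default_factory=set)  # classes added by cascade notices
    blocked: list[tuple[str, str]] = field(default_factory=list)
    notices: list[str] = field(default_factory=list)

    def active_checks(self) -> set[str]:
        return self.local_checks | self.armed


@dataclass
class Mesh:
    services: list[Service]
    matrix: list[list[int]]   # matrix[i][j] == 1 means service j is associated with service i
    max_depth: int = 2

    def index(self, name: str) -> int:
        return next(i for i, s in enumerate(self.services) if s.name == name)

    def handle(self, name: str, client: str, payload: str) -> tuple[str, str | None]:
        """Inspect one request; block on a signature hit and raise the cascade alarm."""
        svc = self.services[self.index(name)]
        cls = classify(payload, svc.active_checks())
        if cls is None:
            return ("OK", None)
        svc.blocked.append((client, cls))
        self.raise_alarm(name, cls)
        return ("BLOCKED", cls)

    def raise_alarm(self, src_name: str, cls: str) -> None:
        """Notify and arm every service related to src through the cascade matrix."""
        for j in cascade_targets(self.matrix, self.index(src_name), self.max_depth):
            target = self.services[j]
            if cls not in target.active_checks():
                target.armed.add(cls)
                target.notices.append(f"{src_name} reported {cls}")


def build_demo_mesh() -> Mesh:
    # Constructed topology: gateway -> orders -> payments (one hop each).
    services = [
        Service("gateway", {"XSS", "SQLI", "RCE", "LFI"}),
        Service("orders", {"SQLI"}),
        Service("payments", set()),          # no local inspection at all
    ]
    matrix = [
        [0, 1, 0],
        [0, 0, 1],
        [0, 0, 0],
    ]
    return Mesh(services, matrix, max_depth=2)


def demo() -> list[tuple[str, str | None]]:
    mesh = build_demo_mesh()
    lfi_probe = "file=../../etc/passwd"      # constructed textbook LFI probe
    benign = "file=invoice-2025.pdf"          # constructed normal request
    return [
        mesh.handle("payments", "c1", lfi_probe),  # before any alarm: payments lets it through
        mesh.handle("gateway", "c1", lfi_probe),   # gateway detects and arms orders + payments
        mesh.handle("payments", "c1", lfi_probe),  # same probe is now blocked downstream
        mesh.handle("payments", "c2", benign),     # normal traffic still passes
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The first call shows the gap the cascade is meant to close: `payments` inspects nothing locally, so the probe passes until `gateway` reports the class and the matrix walk arms it. Depth 2 is what makes `payments` reachable from `gateway` via `orders`; with `max_depth=1` only `orders` would be notified.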
Basic information:
DOI: 10.20149/j.cnki.issn1008-1739.2025.04.006
CLC number: TP393.08
Citation information:
[1] 刘永胜, 李湛, 田辉, 等. 面向云原生微服务的安全防御方法 (Security Defense Method for Cloud Native Microservices) [J]. 计算机与网络, 2025, 51(04): 347-356. DOI: 10.20149/j.cnki.issn1008-1739.2025.04.006.
2025-08-18