As defined by the National Institute of Standards and Technology (NIST), cloud computing has three service models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). PaaS is a commercial model in which a server platform is provided as a service. A PaaS offering mainly provides a cloud application with hardware resources, such as a central processing unit (CPU) and memory, and software resources, such as an operating system and the libraries on which the program depends, so that the developer of the cloud application does not need to consider the software and hardware environment in which the application runs and can focus on developing the application itself. The emergence of PaaS has accelerated the development and deployment of cloud applications, and as a result an increasing number of cloud applications are deployed in cloud computing systems.
In a cloud computing system (briefly referred to as a cloud system), to increase utilization of the system's hardware resources, multiple cloud applications generally run on the same cloud host (a physical host or a virtual host, implemented differently in different cloud computing systems). The cloud computing system provides the necessary system resource isolation for the cloud applications so that applications running on the same cloud host do not interfere with each other, and it further provides a virtual network within the cloud host so that the cloud applications can communicate with each other.
In the network security field, before attacking a target machine, attackers generally first look for zombies (compromised machines that they can control) on the network and launch their attacks from those zombies in order to hide their identities. Even if the attacked party detects the attack, it can find only the addresses of the zombies, not the real addresses of the attackers. With the emergence of cloud computing systems, attackers no longer need to look for zombies; they can run their attack programs directly in the cloud computing system, and can run multiple instances of the attack programs to form a large-scale attack system. Within the cloud computing system, attackers can not only attack external targets with the original attack program, but can also, exploiting the fact that many cloud applications run in the same cloud computing system, attack applications on other cloud hosts of the system, and even other applications on the same cloud host.
In existing approaches, attacks on a cloud computing system are generally handled by means of traffic detection and traffic cleaning. As shown in FIG. 1, a traffic detection apparatus is added to the cloud computing system and connected, via a switch, to a cloud host of the system in order to inspect the data flows input to that cloud host. These data flows include flows generated when a user outside the cloud computing system accesses a cloud application and flows generated when cloud hosts within the system interact with each other. The traffic detection apparatus collects statistics on the traffic volume input to a cloud host within a preset duration, and when the measured volume exceeds a preset threshold, the traffic input to the cloud host is considered abnormal. Once abnormal traffic is detected, the traffic detection apparatus may instruct a traffic cleaning apparatus to start. The traffic cleaning apparatus cleans the data flow input to the cloud host, filters out attack packets, and forwards the cleaned data flow to the cloud host.
This existing solution can defend only against attacks between cloud hosts in a cloud computing system, or external attacks launched against a cloud host of the system; it cannot defend against attacks between different cloud applications on the same cloud host, that is, attacks launched from inside a cloud host, because traffic exchanged over the virtual network within a host never traverses the switch at which detection takes place. In addition, traffic monitoring and cleaning in this solution is performed with the cloud host as the unit, so it may affect all cloud applications on the target cloud host, including those that are not under attack.
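The following is an added example, not code from the original document or from any product it describes, that models the per-host threshold detector described above and makes its two limitations concrete: the detector taps the switch, so flows between two applications on the same cloud host are invisible to it, and cleaning is triggered per host, so every application on a flagged host is affected. All host names, application names, flow records and the threshold are constructed sample data chosen for the illustration.

```python
"""Model of a per-host volumetric traffic detector (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed data flow (constructed sample record, not a real capture)."""
    t: float          # seconds since start of observation
    src_host: str
    dst_host: str
    src_app: str
    dst_app: str
    nbytes: int


def switch_visible(flows):
    """The detection apparatus is attached to the switch, so it only observes
    flows that leave one cloud host for another (or come from outside).
    Flows that stay inside a host's virtual network never reach it."""
    return [f for f in flows if f.src_host != f.dst_host]


def volume_per_host(flows, window_start, window_len):
    """Statistics the detector collects: bytes input to each destination host
    within the preset duration [window_start, window_start + window_len)."""
    totals = defaultdict(int)
    for f in flows:
        if window_start <= f.t < window_start + window_len:
            totals[f.dst_host] += f.nbytes
    return dict(totals)


def detect_abnormal_hosts(flows, window_start, window_len, threshold):
    """Hosts whose switch-visible input volume in the window exceeds the preset threshold."""
    vols = volume_per_host(switch_visible(flows), window_start, window_len)
    return {host for host, vol in vols.items() if vol > threshold}


def affected_apps(flows, abnormal_hosts):
    """Cleaning is applied with the host as the unit: every application that
    receives traffic on a flagged host is routed through the cleaning
    apparatus, whether it was the attacker's target or not."""
    return {(f.dst_host, f.dst_app) for f in flows if f.dst_host in abnormal_hosts}


# Constructed sample flows (assumed names: host1..host4, appA..appE, "attacker").
SAMPLE_FLOWS = [
    # A user outside the cloud system accessing appA on host1 (benign).
    Flow(0.0, "internet", "host1", "browser", "appA", 1_000),
    # An attack program on host2 flooding appA on host1 (inter-host attack).
    *[Flow(0.1 * i, "host2", "host1", "attacker", "appA", 50_000) for i in range(30)],
    # Benign traffic from appC on host3 to appB on host1.
    Flow(1.0, "host3", "host1", "appC", "appB", 2_000),
    # An attack program on host4 flooding appE on the same host4 (intra-host attack).
    *[Flow(0.1 * i, "host4", "host4", "attacker", "appE", 50_000) for i in range(30)],
]

WINDOW_START, WINDOW_LEN, THRESHOLD = 0.0, 5.0, 1_000_000  # assumed detector settings


if __name__ == "__main__":
    flagged = detect_abnormal_hosts(SAMPLE_FLOWS, WINDOW_START, WINDOW_LEN, THRESHOLD)
    print("flagged hosts:", sorted(flagged))
    print("true per-host input volume:", volume_per_host(SAMPLE_FLOWS, WINDOW_START, WINDOW_LEN))
    print("apps routed through cleaning:", sorted(affected_apps(SAMPLE_FLOWS, flagged)))
```

Running the block flags only host1: host4 receives the same 1.5 MB flood, but the traffic stays on its internal virtual network and the switch-side detector never sees it. On host1, cleaning is applied to the whole host, so appB, which received only 2 kB of benign traffic, is routed through the cleaning apparatus along with the targeted appA.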