中文摘要：

脆弱点类型差异和脆弱性演化对脆弱性扩散过程具有显著影响,而现有脆弱性扩散模型对此还缺少深入研究.该文提出一种基于分簇思想的分布式虚拟化系统脆弱性扩散模型,首先按照节点包含脆弱点类型的不同进行分簇,其次利用Bio-PEPA静态分层特性,对脆弱性在簇内、簇间传播,以及簇间迁移演化过程进行建模.最后,将Bio-PEPA模型转化为常微分方程求解,分析分布式虚拟化系统脆弱性扩散的特点和规律,避免了传统分析方法的状态空间爆炸问题.实验结果显示,可以通过提升系统修复能力、降低簇间传播速率、减小簇间变迁速率,抑制分布式虚拟化系统的脆弱性扩散.

英文摘要：

Vulnerability is usually the essential reason of security and dependability. Recently, enormous amounts of third-party applications appear on distributed virtualized systems, which bring out a lot of additional vulnerabilities even more than the inherent vulnerabilities in the systems. Meanwhile, the vulnerabilities are propagated rapidly by frequent interactions and unreasonable trust relationship among nodes. Vulnerability propagation has grown up to be a serious problem. Different types of vulnerabilities and vulnerability evolution have a significant impact on the process of vulnerability propagation, but the existing vulnerability propagation models have not considered these issues. In order to make the model more reasonable, we propose a new vulnerability propagation model for distributed virtualized systems based on clustering. In this model, the same kind of vulnerabilities is regarded as in a single cluster, and then the vulnerability propagation in/between clusters as well as vulnerability migration between clusters is modeled by Bio-PEPA （Performance Evaluation Process Algebra） in a static hierarchy manner. Besides, the Bio-PEPA model we have proposed is converted into ODEs （Original Differential Equations） to discover the law of vulnerability propagation, avoiding the state space explosion existing in traditional analysis methods. The experimental results show that the vulnerability propagation progress can be retained by enhancing the recovery capability, decreasing the rate of vulnerability propagation and reducing the rate of vulnerability migration between clusters. Our works provide an insight into the nature of the vulnerability propagation of distributed virtualized systems, and it is useful to improve the security of the systems.