Dynamic Control Method for Tenants’ Sensitive Information Flow Based on Virtual Boundary Recognition

In the cloud environment, owing to the large-scale sharing of the upper application instance and the underlying virtual machine resources, the tenants’ information flow boundary in the shared virtual machine is fuzzy and difficult to identify. In addition, protection of tenant information flow between processes is inadequate, resulting in the leakage of sensitive information of tenants. Therefore, a dynamic control method for tenants’ sensitive information flow based on virtual boundary recognition is proposed. By analyzing the behavior and operation log of tenants, the behavior feature vectors of tenants are constructed, and an automatic recognition algorithm of tenant virtual boundary based on the dynamic spiking neural network is designed. This algorithm can realize dynamic identification of the tenant virtual security boundary when the application service demand changes dynamically. Further, combined with the concept of centralized and decentralized information flow control, a dynamic control method of sensitive information flow is established. The security label is formally defined by using the lattice structure, and the control rules of tenants’ information flow and the rules of tenant label encryption–declassification are designed. Thus, the independent, dynamic and secure control of tenants’ information flow inside and outside the tenant virtual boundary is realized. Finally, the detailed design of a dynamic security control application system for cloud tenants’ sensitive information flow is provided. Experiments confirm that the proposed algorithm can identify the security boundary of tenants more accurately and efficiently than the traditional spiking neural network classification methods. Further, the security and effectiveness of the method are verified by the intransitive noninterference theory and the experiment of information flow control.


I. INTRODUCTION
Currently, cloud computing is a major innovation of the information technology service mode, realizing multi-tenant sharing and distribution on demand [1]. However, although the characteristics of cloud computing bring great convenience to tenants, they pose a serious threat to the security of tenants' sensitive data [2]. The cloud platform has the following characteristics [3], [4]:
1. Public infrastructure. This breaks down the barriers between physical resources, rendering the security boundary of tenants in the virtual network environment fuzzy and weak. As a result, it is difficult to effectively identify the virtual security boundary of tenants, leading to challenging security isolation of tenants' data.
2. Cloud management of tenant information. In cloud service outsourcing, the applications and information of tenants are not controlled and managed by tenants themselves but handled by cloud management. This can easily lead to illegal access and disclosure of internal information of virtual machines by untrusted programs in the cloud; thus, effective security of sensitive information cannot be ensured.
3. Large scale, high degree of openness, multi-tenant resource sharing. The relationship between tenants is complex, and malicious tenants can break the virtual isolation boundary of other tenants and illegally obtain sensitive information.

The associate editor coordinating the review of this manuscript and approving it for publication was Jing Bi.
Given the cloud platform characteristics and the existing security problems, this paper summarizes the following security requirements of cloud tenants:
1. The dynamic upper-level tenants' application behavior, the sharing of physical instance resources, and the decentralized distribution of virtual machines require that the virtual security boundary of the tenants under the software definition can be identified accurately;
2. Tenants cannot fully trust the programs and services provided by the cloud platform and need to protect sensitive information from disclosure or illegal use autonomously;
3. Tenants cannot fully trust other tenants sharing cloud resources with them, so they need to prevent illegal flow of information to other tenants and be able to dynamically control the security sharing of information.

To meet the above-mentioned requirements, this study investigates and contributes in the following aspects:
1. We propose a dynamic control method for tenants' sensitive information flow based on virtual boundary recognition. This method combines the automatic learning algorithm of tenant virtual boundary recognition and the dynamic control method of cloud tenants' sensitive information flow to realize security protection of tenant's sensitive information in cloud.
2. We extract the key characteristics of tenants through deep mining of the behavior of tenants and analysis of the operation log. After quantification, normalization, and coding of the key features, we construct the behavior characteristic vectors of tenants. Based on an improved dynamic spiking neural network learning algorithm to train and learn sample data, we perform automatic identification of the tenant operation process in a shared virtual machine instance, which establishes the virtual security boundary between tenants.
3. We propose a dynamic control method of sensitive information flow of cloud tenants on the basis of the identification of the virtual boundary of tenants combined with the concept of centralized and decentralized control mechanisms of information flow. This method can realize self-control of tenant information flow within the boundary as well as dynamic control and security sharing of information flow between tenants.
4. Based on the effective identification of the tenant virtual boundary and the dynamic control method of tenant information flow, we provide a detailed design of the dynamic security control application system of cloud tenants' sensitive information flow.
5. We build a cloud platform through OpenStack, monitor virtual machines on it, analyze tenants' resource information and log information, and obtain sample data. By using the sample data for performing several training and testing experiments, we verify the accuracy and efficiency of the boundary recognition algorithm.
6. In this study, we use the intransitive noninterference theory to confirm the efficiency of the security control application system of cloud tenants' sensitive information flow. With the help of Linux security module (LSM) [5] framework, the security verification experiment of tenant information flow control is carried out.

II. RELATED WORK
"Multi-tenant architecture" refers to the architecture mode of sharing the same system or program components in a multiuser environment and is one of the most basic features in cloud computing. Multi-tenant architecture requires tenants to ensure the mutual isolation of information among tenants on the premise of sharing physical resources [6], [7]. Therefore, security isolation of tenant data is the key to design multi-tenant architecture and the most important aspect to be considered to ensure security isolation of sensitive information among tenants.
The protection of tenants' sensitive information based on tenant isolation mainly refers to preventing the illegal flow of information among tenants by dividing the tenant security domain and combining with a system isolation method to ensure that tenants' sensitive information and private business are not interfered with by other tenants [8]. Through the analysis of the above definitions, we can see that the key to the implementation of tenants' sensitive information protection is as follows: 1. Realize the effective division of the tenant security domain, and 2. control the legitimate flow of information inside and outside the tenant security domain to prevent leakage of sensitive information.
1. The identification of the tenant system boundary is the basis of division of the tenant security domain; the tenant system boundary can effectively establish the scope of tenant security domain and serve as the basis of tenant information flow security control. Tenant system boundary identification mainly includes two parts: identification of the physical boundary and the virtual boundary. The physical boundary refers to the multi-tenant system-level boundary. Each tenant can use one or more virtual machines to carry application programs and save data. Its identification includes different network addresses such as system IP address. The most typical method for identifying the physical boundary is to divide VLANs [9]; each tenant has a VLAN, but the number of VLANs is limited, so the requirement of large-scale tenants cannot be met. The boundary identification is mainly through manual static identification of IP, with complex configuration and low efficiency. Therefore, overlay network architecture, which is a type of virtualization technology mode superimposed on the network architecture, emerges as a current requirement. Its typical technical implementation includes VXLAN (Virtual eXtensible LAN) and NVGRE (Network Virtualization using Generic Routing Encapsulation) [10,11]. The VXLAN protocol greatly increases the number of VLANs and realizes cross-regional two-layer interconnection. However, the burden of the VTEP node (i.e., virtual tunnel terminal) is extremely heavy, affecting the overall performance of the network. The NVGRE protocol is mainly encapsulated by using the generic routing encapsulation protocol (GRE). Its maximum number of subnet divisions is the same as that of VXLAN, and its broadcast mode is more flexible. However, it does not use the standard transmission protocol, resulting in high equipment requirements. These two network types can effectively realize isolation of multitenant systems and expand the number of tenant networks. 
However, the identification of the tenant network boundary mainly depends on the artificial judgment of rental relationship and static identification through the IP address and other ways, so the methods cannot better adapt to the dynamic changes of the boundary.
The virtual boundary mainly refers to the virtual security boundary based on software definition. Greater emphasis is placed on the effective identification of the process-level boundary when the tenant application shares the same system instance (such as virtual machines). That is, the upper application environments of different tenants are separated at the bottom process level to ensure the mutual isolation of tenant process communication. The software-defined network (SDN) [12], [13] mainly refers to a new network architecture based on network virtualization, which separates the control plane and the data plane of network equipment. By increasing the programmability of the network, it reforms the current partly static network architecture with its complex configuration; further, the network can be dynamically constructed according to the application requirements of the upper tenants. Because of its high flexibility and dynamic nature, the tenant security boundary is fuzzy and difficult to identify on the basis of software definition. The software-as-a-service (SaaS) [14], [15] platform provides software services through a network by deploying the application system on the suppliers' own servers and delivering application services to various tenants based on tenant subscription. Multiple tenants share the same physical instance under the application, because they share the SaaS platform. In addition, because of the complexity of tenant identity and information interaction, the virtual communication security boundary between bottom tenants becomes fuzzy. Moreover, most of the existing cloud management technologies [16], [17] mainly focus on improving efficiency, reducing cost, and maximizing revenue, and they do not fully consider the identification of the data security boundary and the security of data flow when tenants share cloud data center resources.
Owing to their learning characteristics and adaptability, neural networks are well suited for tenant boundary classification and recognition [18]. The traditional neural network requires prior knowledge of the number of neurons in the hidden and output layers; in order to improve the reliability of training, such as in the backpropagation neural network and fixed spiking neural network, it is necessary to know the proportion of distribution of all samples in advance. However, in the cloud environment, the number of tenants and virtual machines is constantly changing. In addition, the tenant behavior is complex and the virtual security boundary of tenants changes dynamically, making collection of samples at one time difficult. As a result, the traditional neural network cannot meet the needs of adaptive identification of the tenant boundary.
As the third generation of artificial neural networks, spiking neurons are more biomimetic than traditional neurons [19]. However, the number of neurons in the hidden and output layers of a spiking neural network with a fixed structure is determined in advance, which can only be used when the number of classes is known. In view of continuously changing data, a dynamic adaptive spiking neural network [20] is proposed to realize the dynamic increase of output layer neurons and meet the requirements of tenant boundary dynamic identification. However, there are still some problems in the existing research. Thorpe [21] proposed a spiking neural network learning algorithm based on the firing order (Rank order); it was emphasized that the first firing pulse sequence of neurons cannot reflect the pulse information well, and the effect of imprecise time on classification is ignored. Wang [22] proposed a learning algorithm of spiking neural networks based on precise time (only precise). Although it improves the classification accuracy, it increases the classification time, affecting the classification efficiency. Therefore, it is not suitable for large-scale tenant data training in a cloud environment.
2. The secure flow of information inside and outside the tenant security domain is mainly realized by means of access control. The traditional access control model [23], [24] includes mandatory access control and autonomous access control. The traditional mandatory access control method strictly regulates the one-way flow of data; it is high in security but low in flexibility and practicability. By contrast, the autonomous access control model cannot guarantee the security of data after they are accessed by using the access control list that controls the access of subjects to objects. Therefore, information flow control technology has become essential. It mainly tracks and controls the flow of data in the system by "sticking" the label with policy requirements on the data so as to ensure the data's safe use. The most classical method of information flow control is the lattice [25] model proposed by Denning in 1976. The lattice structure is used to formally describe the information flow strategy, the system state, and the transition relationship among the states. The security policy in the traditional information flow control mode can only be formulated by a security administrator, thus it has poor flexibility. In case of an error, the security or the availability of the system can be easily reduced. In view of the defects of traditional information flow control, Myers [26] proposed a decentralized label model and an extended security-type programming language (Java information flow, JIF), which realize decentralized information flow control. The security strategy is developed by the programmers themselves and considers the problem of declassification, which is not considered in the traditional information flow control method. However, it cannot effectively solve the security problem caused by untrusted nodes.
Smalley [27] proposed an information flow control system "SELinux", which is essentially a domain-type and multilevel security-based Mandatory Access Control (MAC) security system. However, it does not support dynamic adjustment of tags and policy. Asbestos [28] proposed a decentralized declassification method, which defines the owner and decryption of data, and defined the receiving and sending tags of processes. However, it does not consider the sharing of system resources among processes, and it cannot realize dynamic adjustment of tags. Based on the research of Asbestos, HiStar [29] provided a memory sharing mechanism between processes and solved the problem of covert channels through the method of explicit adjustment of tags. Flume [30] proposed a method to control the information flow of the key resources of the operating system; this method can realize the dynamic adjustment of tags but requires high compatibility between the application software and the system. Weir [31] proposed a decentralized information flow control system; however, it has a problem of coarse control granularity and does not support a user-defined information flow control strategy. Wu [32] presented a novel dynamic defense model (DDM) to reduce security risks brought by suspicious data or codes for the open operating systems. In the model, dynamic label marking, dynamic label tracking, dynamic label modulating, and run-time controlling were given, which provided a good idea for the tracking and control of information flow, but this model was mainly aimed at the security protection of a single operating system, and only the system application on Android was given.
Based on the above research, considering the characteristics of a cloud environment, information flow control technology has been extensively researched. CloudFence [33] realized fine-grained tracking of sensitive data in the cloud based on a pin plug-in platform; this approach effectively guarantees user data isolation and security sharing in the cloud, but it cannot support user-independent policy configuration and information flow control. FlowK [34] and FlowR [35] implemented process-level coarse-grained data propagation control in the cloud tenant operating system layer. Priebe [36] provided a lightweight monitoring framework "Cloud-SafetyNet" in the cloud environment; it enables tenants to monitor the flow of information between applications and detect the risk of information leakage by using the motivation of cooperation between tenants, but it is used mainly for the security detection of information flow. Wu [37] proposed a two-layer information flow control model for a cloud environment; the model realized the combination of centralized information flow and decentralized information flow control; however, no identity for the virtual security boundary of the tenant exists in the model. Pasquier [38] realized the combination of distributed information flow control technology and trusted platform technology and applied it to cloud data security enhancement; however, this method does not consider the protection mechanism of cloud platform service providers. LV [39] proposed noninterference for cloud architecture in which concurrent access and sequential access coexist, which realized the security control of information flow between security domains when concurrent and sequential actions were executed in the cloud, but the boundary of security domain was not clear, and the availability and security were not verified by experiments.
According to the characteristics of cloud computing, Ma [40] formalized the process of the tenant information flow in the cloud computing system, proposed the corresponding separation rules, and verified the security of the separation rules through the noninterference theory. However, the separation rules mainly emphasized the isolation of resources among tenants, but did not design the rules of information flow security control between tenants and between tenants and the cloud platform in a fine-grained way, and also lacked experimental verification.
Although the above-mentioned research has been involved in aspects such as integrity and confidentiality assurance, policy management, label declassification, and mark propagation, it fails to fully consider these capability requirements. Therefore, in the face of the data security needs of cloud tenants and the real-time and dynamic nature of the tenant boundary, it is necessary to study a fine-grained autonomous dynamic control strategy for tenant information flow, which can not only realize the security flow of information within the tenant boundary but also ensure the security of information flow among tenants and between tenants and cloud service programs.

III. DYNAMIC CONTROL METHOD DESIGN OF TENANT SENSITIVE INFORMATION FLOW BASED ON VIRTUAL BOUNDARY RECOGNITION
The identification of the tenant boundary mainly serves the security control of tenant information flow. Based on the accurate identification of the virtual security boundary of tenants, combined with the security control method of the sensitive information flow of tenants, the security of the information flow inside and outside the tenant boundary is guaranteed and leakage of the sensitive information of tenants caused by malicious attack is prevented.  Figure 1 shows that one or more shared application instances are deployed to provide customized application services for tenants, allowing different tenants to share the same upper application instance and providing the bottom shared service resources for supporting applications. However, because the tenants must share the underlying virtual machine resources and the information flow between the tenants' processes in the shared virtual machine is transparent for the upper application, the service processes under different tenants may be distributed on the same virtual machine instance. In addition, the number of tenants and the dynamic changes in the upper application requirements are likely to cause frequent migration of tenant application services in the shared virtual machine. This renders the security boundary of tenant data in the shared virtual machine fuzzy and difficult to identify dynamically. The traditional artificial static audit method for boundary identification cannot adapt to the dynamically changing virtual security boundary of tenants in real time. Therefore, this paper designs a dynamic control method for tenant sensitive information flow based on virtual boundary recognition (D_SNNBAR).

2) TENANT BEHAVIOR FEATURE EXTRACTION AND PROCESSING
In this study, the operation logs of tenants are collected and the key features of tenants are extracted for building the feature vectors for neural network learning. To mine the tenant feature information, first, the tenants and virtual machines in the cloud platform are monitored and the log information is analyzed to obtain tenant information, including the tenant related information obtained through monitoring of the virtual machine. Subsequently, the process of tenant connection is monitored, the key features are extracted together with tenant operation log information, and the feature vector is constructed.
Herein, we first use the virtual machine monitor (VMM) to obtain tenant registration and permission information, including tenant category (user group) $T_{type}$. Then, we extract the virtual machine related information, including the virtual machine identification number $V_{ID}$, and obtain the process number $P_{ID}$ of the virtual machine connected with the tenant. Further, we analyze log information to obtain operation information, including file name $F_{NAME}$, file path $F_{PATH}$, operation type $F_{OM}$, opening time $F_{OT}$, and closing time $F_{CT}$.
After collecting the tenant's key feature information, we construct the feature vector $\phi = (T_{type}, V_{ID}, P_{ID}, F_{NAME}, F_{PATH}, F_{OM}, F_{OT}, F_{CT}) = (\phi_1, \phi_2, \phi_3, \phi_4, \phi_5, \phi_6, \phi_7, \phi_8)$. According to the different types and units of the above features, the vector is quantized and normalized before neural network learning.

a: QUANTIZING EIGENVALUES
Here, first, tenant categories are mapped; for example, $T_{type}$ = {Administrator, Senior, VIP, Normal, ...} is mapped to $\phi_1 = \{1, 2, 3, 4, \ldots\}$. For $V_{ID}$ and $P_{ID}$, the values can be used directly, that is, $\phi_2 = V_{ID}$ and $\phi_3 = P_{ID}$. For the quantization of $F_{NAME}$ and $F_{PATH}$, we mainly use a hash algorithm to map, that is, $\phi_4 = \mathrm{HASH}(F_{NAME})$ and $\phi_5 = \mathrm{HASH}(F_{PATH})$. In this paper, considering the hash operation of strings, we adopt the hash operation method based on multiplication. When the multiplier is set to 33, it has a good hash effect on English words. The hash algorithm design is shown in Table 1. For the quantization of $F_{OM}$, the operation type $F_{OM}$ = {new, read, write, update, delete, clear, ...} is also mapped to $\phi_6 = \{1, 2, 3, 4, 5, \ldots\}$. For the operation times $F_{OT}$ and $F_{CT}$, the unified time format is used for counting, with the unit seconds; that is, $\phi_7 = T(F_{OT})$ and $\phi_8 = T(F_{CT})$.

b: NORMALIZATION
To reduce the effect of the differing value ranges of the variables in the feature vector on the neural network and to facilitate neural network learning, and treating each feature variable as equally important, each feature variable is normalized. We use the method of deviation standardization, that is, x = (x-min)/

c: INFORMATION ENCODING
In the dynamic spiking neural network, we use the method of Gaussian group coding to transform each eigenvector to be input in a multiple-pulse pattern. This method is based on the Gaussian receptive field, which represents a series of operations related to a Gaussian function. According to this coding method based on the Gaussian hypothesis, suppose that the eigenvalue obeys multiple Gaussian distributions in the data sample space. First, different distributions are obtained by calculating different values of mean and variance of the eigenvalue. Then, the probability corresponding to the eigenvalue is calculated. Finally, multiple pulses corresponding to the eigenvalue are obtained according to the probability and the coding function.

The coding process is as follows: Assuming that the number of Gaussian receptive fields is n, each eigenvalue will be encoded into n pulses, and the dimension of the eigenvector is m, then the encoded eigenvector will become m×n pulses. The formulas of the mean $u_i^j$ and standard deviation $\delta_i^j$ of the i-th feature in the j-th acceptance domain are described as equation 1 and equation 2:

Among them, $\phi_{\max}^i$ and $\phi_{\min}^i$ are the maximum and minimum values of the i-th eigenvalue, respectively; β is a parameter that affects the coverage of the Gaussian receptive field by affecting the standard deviation. The above values of mean and variance jointly determine the Gaussian function, which is described as equation 3:

According to the results of Gaussian function calculation, the pulse time of each eigenvalue, that is, the pulse time of each input neuron, is calculated as equation 4:
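The following Python example is added here and is not code from the paper; it chains the three preprocessing steps described above (quantization, deviation standardization, Gaussian group coding) on a few constructed log records. The hash start value and 32-bit width, the record field names, and the receptive-field centre, width and spike-time formulas (the commonly used population-coding form) are assumptions, because Table 1 and equations 1 to 4 are not reproduced on this page.

```python
import math
from datetime import datetime

# Category maps follow the orderings listed in the text.
TENANT_TYPES = {"Administrator": 1, "Senior": 2, "VIP": 3, "Normal": 4}
OPERATIONS = {"new": 1, "read": 2, "write": 3, "update": 4, "delete": 5, "clear": 6}


def times33(text, bits=32):
    """Multiplicative string hash with multiplier 33.
    Assumed: start value 0 and truncation to `bits` bits."""
    mask = (1 << bits) - 1
    h = 0
    for byte in text.encode("utf-8"):
        h = (h * 33 + byte) & mask
    return h


def to_seconds(stamp):
    """Unified time format: ISO 8601 timestamp -> seconds since the epoch."""
    return datetime.fromisoformat(stamp).timestamp()


def quantize(rec):
    """Build (phi_1 .. phi_8) from one record; unknown categories raise KeyError."""
    return [
        float(TENANT_TYPES[rec["tenant_type"]]),
        float(rec["vm_id"]),
        float(rec["pid"]),
        float(times33(rec["file_name"])),
        float(times33(rec["file_path"])),
        float(OPERATIONS[rec["op"]]),
        to_seconds(rec["opened"]),
        to_seconds(rec["closed"]),
    ]


def normalize(vectors):
    """Min-max (deviation) standardization per feature column.
    A constant column carries no information and is mapped to 0.0."""
    cols = list(zip(*vectors))
    lows = [min(c) for c in cols]
    spans = [max(c) - min(c) for c in cols]
    return [
        [(x - lo) / span if span else 0.0 for x, lo, span in zip(v, lows, spans)]
        for v in vectors
    ]


def gaussian_encode(x, n=4, beta=1.5, t_max=10.0, lo=0.0, hi=1.0):
    """Encode one value into n spike times using n Gaussian receptive fields.
    Assumed formulas: centre_j = lo + (2j-3)/2 * (hi-lo)/(n-2),
    sigma = (hi-lo) / (beta*(n-2)), spike time = t_max * (1 - response)."""
    if n < 3:
        raise ValueError("need at least 3 receptive fields")
    width = (hi - lo) / (n - 2)
    sigma = width / beta
    times = []
    for j in range(1, n + 1):
        centre = lo + (2 * j - 3) / 2 * width
        response = math.exp(-((x - centre) ** 2) / (2 * sigma ** 2))
        times.append(t_max * (1.0 - response))  # strong response fires early
    return times


def encode_vector(vec, n=4):
    """m features -> m*n spike times (one per coding-layer neuron)."""
    return [t for x in vec for t in gaussian_encode(x, n=n)]


# Constructed sample records (not real log data).
SAMPLE_LOG = [
    {"tenant_type": "Administrator", "vm_id": 3, "pid": 4121,
     "file_name": "report.csv", "file_path": "/data/t1/report.csv", "op": "read",
     "opened": "2020-03-01T08:00:00+00:00", "closed": "2020-03-01T08:00:05+00:00"},
    {"tenant_type": "Normal", "vm_id": 3, "pid": 4388,
     "file_name": "notes.txt", "file_path": "/data/t2/notes.txt", "op": "write",
     "opened": "2020-03-01T08:01:10+00:00", "closed": "2020-03-01T08:03:00+00:00"},
    {"tenant_type": "VIP", "vm_id": 7, "pid": 512,
     "file_name": "model.bin", "file_path": "/data/t3/model.bin", "op": "update",
     "opened": "2020-03-01T09:30:00+00:00", "closed": "2020-03-01T09:45:00+00:00"},
]


def run_pipeline(log=SAMPLE_LOG, n=4):
    """Quantize, normalize and encode every record in the log."""
    return [encode_vector(v, n) for v in normalize([quantize(r) for r in log])]


if __name__ == "__main__":
    for spikes in run_pipeline():
        print(len(spikes), [round(t, 2) for t in spikes[:4]])
```
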

3) ALGORITHM FLOW DESIGN
The process of the tenant virtual security boundary recognition algorithm, as shown in Figure 2, includes network initialization, eigenvector processing and input, information coding (Gaussian group coding), dynamic spiking neural network learning, and tenant boundary review and confirmation.

a: STRUCTURE OF DYNAMIC SPIKING NEURAL NETWORK
The dynamic spiking neural network structure includes an input layer, a coding neuron layer, and an output neuron layer, as shown in Figure 3. The input neuron of the coding layer uses Gaussian coding to transform the input eigenvalue into a series of pulse time. n in Figure 3 represents the number of Gaussian receptive fields. The neurons in each coding layer generate a pulse time, which is transmitted to the next layer. The coding layer and the output layer are connected in a fully connected way. The number of neurons in the coding layer is determined by the dimension of the eigenvector and the Gaussian receptive field. At the beginning, there is no connection between the coding layer and the output layer of the neural network. When a new sample is input, the output layer will dynamically add a neuron. According to the pulse time of the coding layer, the weights of neuron connections are established. In the learning process, each neuron in the output layer will represent a category label. Finally, the neuron in the output layer will be updated or merged according to the dynamic learning algorithm.

b: LEARNING STRATEGY OF TENANT BOUNDARY AUTOMATIC RECOGNITION
In the process of automatic identification of the tenant boundary, the weight vector of an output layer neuron represents the clustering center of the tenant boundary category. The automatic recognition learning strategy of the tenant boundary includes two parts: initial weight adjustment and dynamic adjustment strategy of output layer neurons.
1) Initial weight adjustment
The weight connection formula between the output layer neuron and the coding layer is as equation 5:

Among them, $w_{ij}$ is the synaptic weight between coding layer neuron i and output layer neuron j, $w_0$ is the initial weight, $t_i$ is the pulse time, and τ is the time constant.
2) Dynamic adjustment strategy of neurons
In the training process, the existing information in the neural network is compared with the information presented by the input samples. Learning strategies are then chosen according to the comparison results:
a. Addition of neurons: when the similarity between the existing output neuron category and the input sample data is lower than the threshold, new neurons are added to the output layer to represent the new category.
b. Merge neurons: when the similarity between the input tenant sample data and the existing neuron tenant category exceeds the threshold, new neurons and the most similar neurons are merged and the weight of the merged neurons is updated; that is, the neurons are merged according to the similarity between the output neurons, thus achieving the classification effect.
c. After the classification is determined, the classification is identified. Here, a triple is used to define the classification (security boundary) identification number Sec_boundary_ID: Sec_boundary_ID = (TID, VMID, PID), where TID, VMID and PID are respectively the tenant ID, virtual machine ID and process ID.

c: DETAILED PROCESS OF ALGORITHM IMPLEMENTATION
After quantizing and normalizing the sample data, the set of eigenvectors to be input is ψ. The algorithm is shown in Table 2.
Each output neuron represents a tenant boundary. Lines 3-12 calculate the weight vector of the output neuron connected with the coding layer; lines 14-18 classify the unclassified processes; lines 19-30 dynamically update the classified processes. The algorithm process indicates that the number of feature vectors and the number of Gaussian acceptance regions are determined, and the two values are relatively small, so the time complexity of the algorithm is O(n). In addition, the training process of the recognition algorithm does not need iteration, and only uses the key information and dynamic adjustment mechanism underlying the spiking neural network; thus, the efficiency of data classification is greatly improved.

B. DYNAMIC CONTROL METHOD FOR SENSITIVE INFORMATION FLOW OF CLOUD TENANTS

1) SECURITY ISSUE DESCRIPTION OF CLOUD TENANTS' SENSITIVE INFORMATION FLOW
Tenant sensitive information refers to private tenant data with a sensitivity level in the virtual machine. The sensitivity level mainly reflects the importance of the tenant's private data, such as tenant account information, tenant calculation data, and data information of different departments or users of the tenant, which requires fine-grained security control. The importance and use of tenant data information of different sensitivity levels differ; therefore, tenant sensitive information should be handled by specified service levels to avoid cross operation and flow, thereby preventing leakage.
In the process of renting cloud services, tenants upload their own data to the cloud platform for processing and lose the direct control of their own sensitive information to a certain extent, which seriously threatens the security of tenant data. If the security protection of tenant data depends only on the identification of the data security boundary and lacks an effective information flow control method, the data will be vulnerable to the cross-border attack of untrusted programs in the virtual machine or other tenants, resulting in the disclosure of sensitive information of tenants.
Due to the large scale of sharing of virtual machine resources among different tenant applications in the upper layer and the weakening of tenants' control over their own data, there is a possibility of illegal flow of information between processes inside and outside the tenant virtual boundary.
① A process of other tenants under the same virtual machine illegally accesses the information in the authorized process of a tenant, resulting in the outflow of sensitive information.
② Among different virtual machines, an untrusted process outside the boundary steals the authorized process within the boundary, resulting in the leakage of tenant sensitive information.
③ Information is illegally shared among tenants, for example, through virtual machine escape attack or DDoS attack.
For the security of the information flow within the boundary of a cloud tenant, the security strength of the data and the permission of the application in the virtual machine are determined by the cloud tenant itself, aiming to realize the centralized control of the information within the boundary by the tenant. The control strategy of information flow among cloud tenants is jointly formulated by participating tenants, and cloud tenants can only formulate their own information flow or data sharing security strategy with other cloud tenants for achieving distributed dynamic control of information flow among tenants.

2) DESIGN OF SECURITY LABEL
Definition 1: Security label L represents a set of security policies, each of which represents a tenant's security requirements for information, including confidentiality and integrity security requirements.
L is composed of the policy subject owner (i.e., the information owner or policy maker, identified by the boundary ID of the tenant) and value domain R (a collection of policy executors, determined by the owner). It is formally expressed as $L = (ID : R)$, and it includes two types: confidentiality label $L_c$ and integrity label $L_i$. $L_c = (ID \rightarrow R)$ indicates that the owner of the information marked by the confidentiality label only allows the information to flow to the subjects in R; for example, $L_c = (ID_1 \rightarrow r_1, r_2)$ indicates that $r_1$ and $r_2$ are allowed to read the information with the confidentiality label $L_c$. $L_i = (ID \leftarrow R)$ indicates that the owner of the information allows the subjects in R to write the information. In addition, for the data marked by the tag, the tag will follow the data in the whole system, and the object derived from the data will also inherit the original tag. Data, data owner and data operator are identified by the boundary identification number (Sec_boundary_ID).
Definition 2: Confidentiality label lattice G c means that the confidentiality label system is abstracted by a lattice; that is, G c =(L c , ∧, c , ∇ c ) is used for the confidentiality protection of tenant data, where L c represents the set of confidentiality labels, and for any label value, L c .R belongs to the value domain of L c . ''∧'' represents the intersection operator, and the result is the union ''∪'' of the label set, which satisfies the following characteristics: x Idempotence: ''∧'' specifies the partial order relation '' '' on the value domain of the label, which satisfies reflexivity, antisymmetry, and transitivity. If L c 1 L c 2 and L c 2 L c 1 , then L c 1 = L c 2 . For example: if L c 1 =(ID→r 1 , r 2 ) and L c 2 =(ID → r 1 ), then L c 1 L c 2 , which indicates that L c 2 requires higher confidentiality. '' c '' represents the maximum upper bound of the value domain of the confidentiality label, indicating the maximum range of reading the data; ''∇ c '' represents the minimum lower bound of the value domain of the confidentiality label, indicating the minimum range of reading the data.
Definition 3: Integrity label lattice G i means the integrity label system is abstracted by lattice; that is, G i =(L i , ∧, i , ∇ i ) is used for the integrity protection of tenant data.  If the partial order relation is satisfied in the confidentiality domain, the opposite partial order relation is satisfied in the integrity domain. For example, if L i 1 = (ID ←− w 1 ) and L i 2 = (ID ←− w 1 , w 2 ), then L i 2 L i 1 , which indicates that L i 1 requires higher integrity. '' i '' represents the maximum upper bound of the value range of the integrity label. From the dual relationship between data confidentiality and integrity, it can be seen that i = ∇ c . ''∇ i '' represents the minimum lower bound of the value range of the integrity label. Similarly, ∇ i = c .
Definition 4: Partial order of label lattice $L = (L_c, L_i)$, that is, the set of $L_c \times L_i$. L means to meet the partial order of the confidentiality label and integrity label simultaneously, which is described as equation 6:
In order to better understand the information flow control strategy, the symbol definitions are given in detail in Table 3.

3) INFORMATION FLOW SECURITY LABEL CONTROL STRATEGY
(1) Rule 1. Label value field minimization
If data is marked by labels $L_1 = (ID_1 : R_1)$ and $L_2 = (ID_2 : R_2)$, the security label of the data is the union of the two labels, that is, the intersection of the label value field, which is described as equation 7:
Rule 1 indicates that operations on data satisfy the minimum privilege principle, and data flows only to subjects that satisfy all label policies. This rule is the security foundation of the data label propagation rule and information flow control among tenants.
(2) Rule 2. ''and or'' of the label value field
Rule 2.1: The ''and'' of the label value field means that data needs to be operated by multiple entities simultaneously, and a single entity cannot read or write data. The label is formalized as $L = (ID : R_1 \text{ and } R_2)$, which expresses the principle of separation of authority and duty.
Rule 2.2: The ''or'' of the label value field refers to the priority of the main body's operation on data. The label is formalized as $L = (ID : R_1 \text{ or } R_2)$. This rule specifies the operation order of $R_1$ and $R_2$, which cannot be operated simultaneously.
(3) Rule 3. Tenant information flow control rules
Assuming that the confidentiality label and integrity label of any two data, $data_1$ and $data_2$, are $L_{c1}$, $L_{i1}$ and $L_{c2}$, $L_{i2}$, respectively, the protection rules of data flow from $data_1$ to $data_2$ are as equation 8 and equation 9:
Rule 3 indicates that the necessary condition for data flow is to meet the partial order relationship of the confidentiality label and integrity label of data simultaneously. The confidentiality label of data requires that tenant data can only flow from a label with a weak constraint to that with a strong constraint in order to prevent data leakage. The integrity label of data requires that data flow only from high integrity to low integrity in order to prevent data from being polluted.
Based on the flow control rules of information flow, the control rules of sending and receiving processes of information flow in virtual machines are given here:
Rule 3.1: Set sending process $P_1$, sending data $D_1$, receiving process $P_2$, and receiving data $D_2$ according to the equation 10:
The necessary condition for process $P_1$ to be able to send data $D_1$ to $P_2$ is that process $P_1$ belongs to the value domain of the confidentiality label of $D_1$, that is, flow from data $D_1$ to data $D_2$ must meet rule 3, and $P_2$ must be in the value domain of the integrity label of $D_2$.
(4) Rule 4. Propagation rules of label
Suppose that the labels flow with $data_1$ to $data_2$, and the security labels of $data_2$ need to be updated. The updated security labels are $L_{c\,new2}$ and $L_{i\,new2}$, and the rules are as equation 11:
This rule indicates that the label should be stricter after data flow, so the intersection operation of labels is followed, that is, the union of labels. The propagation of tags can be divided into two situations:
① In process operation, the propagation of internal tags; for example, the assignment operation X = Y, where the information in Y flows to X, and the label of X is updated to $L_X = L_X \cup L_Y$.
② Data transfer between processes; for example, process P transfers $D_1$ to process Q and stores it with $D_2$. Here, the label of data $D_2$ is updated to $L_X = L_X \cup L_Y$.
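The following added example (not code from the paper or from DSCLoud) models Rules 1, 3, 3.1 and 4 in Python, following the prose above because the numbered equations are not reproduced here. Representing a label as a dict from owner to value domain, using the subset test for the partial order, treating an empty label as unrestricted, and all IDs are assumptions of this sketch.

```python
from dataclasses import dataclass

# A label maps an owner's Sec_boundary_ID to the value domain R that owner allows.
# Owners and subjects are (TID, VMID, PID) triples; every value here is constructed.
A = ("T1", "VM1", 100)    # tenant A, policy owner
B = ("T2", "VM1", 300)    # tenant B, policy owner
P1, P2 = ("T1", "VM1", 101), ("T1", "VM1", 102)
P4, P5 = ("T1", "VM2", 204), ("T2", "VM1", 305)


def fs(*subjects):
    return frozenset(subjects)


def value_domain(label):
    """Rule 1: data may reach only subjects that every policy in the label admits."""
    if not label:
        return None  # no policy at all: unrestricted (assumption of this model)
    return frozenset.intersection(*label.values())


def join(a, b):
    """Union of two labels; policies of the same owner intersect their value domains."""
    merged = dict(a)
    for owner, domain in b.items():
        merged[owner] = merged[owner] & domain if owner in merged else domain
    return merged


def at_least_as_strict(strong, weak):
    """True if `strong` keeps every policy of `weak` with an equal or smaller domain."""
    return all(o in strong and strong[o] <= dom for o, dom in weak.items())


@dataclass(frozen=True)
class Data:
    name: str
    conf: dict    # confidentiality label: owner -> subjects allowed to read
    integ: dict   # integrity label: owner -> subjects allowed to write


def flow_allowed(src, dst):
    """Rule 3: confidentiality flows weak -> strong, integrity flows high -> low."""
    return (at_least_as_strict(dst.conf, src.conf)
            and at_least_as_strict(src.integ, dst.integ))


def in_domain(subject, label):
    domain = value_domain(label)
    return domain is None or subject in domain


def can_send(p_send, d_send, p_recv, d_recv):
    """Rule 3.1: sender is in D1's confidentiality domain, Rule 3 holds for
    D1 -> D2, and the receiver is in D2's integrity domain."""
    return (in_domain(p_send, d_send.conf)
            and flow_allowed(d_send, d_recv)
            and in_domain(p_recv, d_recv.integ))


def propagate(src, dst):
    """Rule 4: the destination's labels become the union of its own and the source's."""
    return Data(dst.name, join(dst.conf, src.conf), join(dst.integ, src.integ))


# Constructed sample data inside tenant A's boundary.
D1 = Data("data1", {A: fs(P1, P2)}, {A: fs(P1, P2)})
D2 = Data("data2", {A: fs(P2)}, {A: fs(P1, P2)})
D4 = Data("data4", {A: fs(P2, P4)}, {A: fs(P1, P2, P4)})  # more writers: lower integrity
# Data carrying policies of two tenants: only subjects both owners admit may read it.
SHARED = Data("shared", {A: fs(P1, P2), B: fs(P2, P5)}, {A: fs(P1, P2)})

if __name__ == "__main__":
    print("P1 sends data1 to P2:", can_send(P1, D1, P2, D2))
    print("P4 sends data4 to P2:", can_send(P4, D4, P2, D2))
    print("readers of shared   :", sorted(value_domain(SHARED.conf)))
    print("X = Y with Y=shared :", propagate(SHARED, D1))
```

The denied `data4` flow fails only on the integrity half of Rule 3, and the flow from `shared` back to `data1` is refused because it would drop tenant B's policy.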

4) TENANT LABEL ADJUSTMENT STRATEGY
To complete the tenant's independent and dynamic control of data, the tenant's ability to adjust its own data security label is designed; this process is divided into label encryption and label declassification rules. To better realize the tenant's adjustment of labels, we introduce the set of confidentiality label policy adjustment ''$S_c$'' and the set of integrity label policy adjustment ''$S_i$''. $S_c^+$ represents the set of additive confidentiality label policies, $S_c^-$ represents the set of removable confidentiality label policies, $S_i^+$ represents the set of additive integrity label policies, and $S_i^-$ represents the set of removable integrity label policies.
(1) Rule 5. Label encryption rule
Suppose tenant T has confidentiality label set $L_c = (L_{c1}, L_{c2}, \ldots, L_{cn})$, $L_{ci} = (ID \rightarrow R_2)$, and the encryption set of confidentiality label corresponding to $L_c$ is $S_c$. In addition, suppose tenant T has integrity label set $L_i = (L_{i1}, L_{i2}, \ldots, L_{in})$, $L_{ij} = (ID \rightarrow R_2)$, and the integrity label encryption set corresponding to $L_i$ is $S_i$. The authorization rules are as follows:
Rule 5.1: Confidentiality label encryption is described as equation 12:
The necessary condition for tenants to add the confidentiality label $L_{add-c}$ to the original label is that $L_{add-c}$ is included in $S_c^+$.
Rule 5.2: Integrity label encryption is described as equation 13:
The necessary condition for tenants to add the integrity label $L_{add-i}$ to the original label is that $L_{add-i}$ is included in $S_i^+$. In addition, according to rule 5 and the minimum lower bound of label, the complete encryption formula of data is described as equation 14:
(2) Rule 6. Label declassification rule
Rule 6.1: Confidentiality label declassification is described as equation 15:
There are two situations in the declassification rule of confidentiality label: ① remove the confidentiality label directly, and ② add the subject to the value domain of the label. The necessary condition for the tenant to reduce the confidentiality label constraint is that $L_{sub-c}$ is included in $S_c^-$ or $R_{add}$ belongs to the value domain of a security label in set $S_c^-$.
Rule 6.2: Integrity label declassification is described as equation 16:
There are two situations in the declassification rule of integrity label: ① remove the integrity label directly, and ② add the subject to the value domain of the label. The necessary condition for the tenant to reduce the integrity label constraint is that $L_{sub-i}$ is included in $S_i^-$ or $R_{add}$ belongs to the value domain of a security label in set $S_i^-$.
In addition, according to rule 6 and the maximum upper bound of the label, the complete decryption formula of the data is described as equation 17:
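As an added illustration (not the paper's or DSCLoud's code), the sketch below gates label changes the way Rules 5 and 6 state their necessary conditions, and records each decision for audit. The class, the (owner, value domain) tuple representation, the audit list and all IDs are assumptions; one instance models one dimension, so confidentiality uses the S_c sets and integrity the S_i sets.

```python
from dataclasses import dataclass, field

# Constructed sample IDs: owner and subjects are (TID, VMID, PID) triples.
A = ("T1", "VM1", 100)
P1, P2, P3, P4 = (("T1", "VM1", pid) for pid in (101, 102, 103, 104))


def policy(owner, *subjects):
    """One label policy: (owner, value domain R)."""
    return (owner, frozenset(subjects))


class AdjustmentDenied(PermissionError):
    """Raised when a requested label change is outside S+ / S-."""


@dataclass
class AdjustableLabel:
    policies: set                 # label set currently attached to the data
    s_plus: set                   # S+: policies the tenant may add
    s_minus: set                  # S-: policies the tenant may remove
    audit: list = field(default_factory=list)

    def _gate(self, op, detail, allowed):
        # Every request is logged before it is applied or refused.
        self.audit.append((op, detail, "allow" if allowed else "deny"))
        if not allowed:
            raise AdjustmentDenied(f"{op} refused for {detail}")

    def encrypt(self, pol):
        """Rule 5: a policy may be added only if it is in S+."""
        self._gate("encrypt", pol, pol in self.s_plus)
        self.policies.add(pol)

    def remove(self, pol):
        """Rule 6, case 1: a policy may be removed only if it is in S-."""
        self._gate("remove", pol, pol in self.s_minus)
        self.policies.discard(pol)

    def add_subject(self, pol, r_add):
        """Rule 6, case 2: R_add may join a value domain only if R_add is in
        the value domain of some policy in S-."""
        allowed = pol in self.policies and any(r_add in dom for _, dom in self.s_minus)
        self._gate("add_subject", (pol, r_add), allowed)
        self.policies.remove(pol)
        widened = (pol[0], pol[1] | {r_add})
        self.policies.add(widened)
        return widened

    def value_domain(self):
        """Subjects admitted by every attached policy (Rule 1)."""
        doms = [dom for _, dom in self.policies]
        return frozenset.intersection(*doms) if doms else None


def demo():
    base, tight = policy(A, P1, P2), policy(A, P1)
    label = AdjustableLabel({base}, s_plus={tight}, s_minus={tight, policy(A, P3)})
    steps = []
    label.encrypt(tight)
    steps.append(label.value_domain())        # tightened to {P1}
    label.remove(tight)
    steps.append(label.value_domain())        # back to {P1, P2}
    widened = label.add_subject(base, P3)
    steps.append(label.value_domain())        # widened to {P1, P2, P3}
    refused = (lambda: label.encrypt(policy(A, P4)),     # not listed in S+
               lambda: label.remove(widened),            # not listed in S-
               lambda: label.add_subject(widened, P4))   # P4 in no S- value domain
    for attempt in refused:
        try:
            attempt()
        except AdjustmentDenied:
            pass
    return steps, [(op, verdict) for op, _, verdict in label.audit]


if __name__ == "__main__":
    for row in zip(*demo()):
        print(row)
```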

IV. DYNAMIC SECURITY CONTROL APPLICATION SYSTEM FOR CLOUD TENANTS' SENSITIVE INFORMATION FLOW (DSCLoud)
Based on the aforementioned methods, we present the design of a dynamic security control system for sensitive information flow of cloud tenants, which aims to accurately identify the virtual boundaries of tenants and realize the security control and sharing of sensitive information flow of tenants in the cloud. The overall architecture design of the system is shown in Figure 5.
The system consists of three parts: automatic identification of tenants' virtual security boundaries, centralized and autonomous control of information flow within the boundary of tenants, and decentralized dynamic control and security sharing of information flow among tenants. All programs of cloud tenants run in virtual machines with the operating system installed. In the virtual machine, modules such as a fine-grained label tracking module, an instant virtual machine introspection module, a virtual machine monitoring module, an audit module, and a user interface module, are included. The tenant boundary also includes an information flow control strategy library, a label dynamic tag component, a label dynamic adjustment component, and a risk monitoring module of tenant information flow, among others. The flow of tenant information inside and outside the boundary is completed by cloud platform network communication or the virtual machine data sharing component.
According to the security requirements of sensitive information flow control of cloud tenants, the system design is as follows:
(1) In the system, the module of automatic identification of tenant boundaries based on the neural network is designed; this module can automatically determine the virtual security boundary of tenants and provide the basis for tenant information flow tracking and control.
(2) In the interior of the cloud tenant boundary, the method of centralized formulation of the information flow control strategy (the method implementation is shown in Figure 6) is adopted, and the control method is independently developed by the tenant. This approach can realize the information tracking and control of the virtual machine at the process level and the network communication at the byte level within the tenant boundary to prevent the leakage of the tenant's sensitive information. The examples of information flow within the tenant boundary are shown in Figures 5-① and ②:
① shows that the information flow between processes in the same virtual machine within the tenant boundary is monitored by the information flow risk monitoring module within the tenant. When the information flow control rules are met, the information flow from $P_1$ to $P_2$ is allowed.
② shows that the information flow between processes in different virtual machines within the tenant boundary is monitored by the information flow risk monitoring module within the tenant. Because the integrity of $data_4$ is less than that of $data_2$, the information flow from $P_4$ to $P_2$ is not allowed.
(3) Among the cloud tenants, the decentralized information flow control method is adopted, and the tenants jointly formulate the information flow control strategy (the method implementation is shown in Figure 7). The cloud tenants can formulate the corresponding information flow control strategy and view the information flow audit information through the program interface. For example, tenant A can participate in the formulation of the information flow control strategy between tenant B and tenant A, but not between tenant B and tenant C. According to the information flow control policies formulated by each tenant, the distributed policy control set among tenants is formed. This can realize the tracking and control of virtual machines at the process level and network communication at the byte level between different tenant boundaries to prevent malicious tenants from illegally obtaining sensitive information from other tenants. An example of information flow between tenants is shown in Figures 5-③ and ④:
③ shows that the illegal flow of information when tenants share the same virtual machine is monitored by the information flow risk monitoring module between tenants.
④ shows that the legitimate sharing of information between tenants is also monitored by the information flow risk monitoring module between tenants.
In the application of the information flow control strategy, the security restriction of the entire information flow process is realized by the transfer rule of the security label. By introducing the minimization rule of the value domain of labels, the flow of information conforms to the minimum privilege principle. By introducing ''and or'' of the tag value field, the principle of separation of authority and duty in data operation is realized. Through the introduction of label encryption and declassification rules, the tenants can dynamically control the flow of their own information, and thus conveniently formulate information flow policies jointly and share information flows securely among tenants.

V. EXPERIMENTAL VERIFICATION AND SYSTEM SECURITY ANALYSIS
A. ACCURACY VERIFICATION OF D_SNNBAR ALGORITHM
In this study, OpenStack-Ocata was used to build a cloud platform. Three MSI GT63 physical machines were used for conducting the experiments. The processor was an Intel(R) Core(TM) i7-8750H @ 2.2 GHz with six cores/twelve threads, memory was 32 GB, and hard disk capacity was 512 GB solid state + 1 TB mechanical. An Ubuntu 12.04 virtual machine was selected for the cloud environment, and the minimum instance of a single machine was used for deployment. The experimental configuration of each virtual machine was 1 CPU core, 512 MB memory, and 20 GB hard disk capacity.
We created a control node controller and three calculation nodes, namely nova1, nova2, and nova3, for the test platform.

1) PLATFORM CONSTRUCTION
To better reflect the identification of tenant boundaries after the number of tenants and the number of virtual machines change dynamically, the platform is constructed in the following two stages:
① Initialization: create five tenants and two users for each tenant. On average, create three virtual machine instances initially for each tenant to collect operation data.
② Change the number of tenants and virtual machines dynamically: collect sample data multiple times by increasing the number of tenants and virtual machines. The dynamic change situation is as follows: add two tenants, add two virtual machine instances for each tenant, and collect sample data.

2) SAMPLE DATA COLLECTION
Through continuous monitoring of virtual machines in the cloud platform, the resource statistics information of tenants (e.g., by the command nova usage-list) and the detailed information of virtual machines (the command nova show with the ID or name) can be obtained in OpenStack. In the computing node, the log information of starting and running of virtual machines can be obtained (e.g., from nova-compute.log).
Through the virtual machine monitoring platform, a record (including the log information of all virtual machines) was taken every T = 5 minutes, and eight consecutive records were taken as a group of sample data for neural network learning. The same items in the records were combined to get the sample data, of which 80% in each experiment were training data and 20% were test data.

3) EXPERIMENTAL VERIFICATION
The verification experiments of the D_SNNBAR algorithm are divided into four parts: setting of the similarity threshold ''$TH_{sim}$'' and the number of Gaussian receptive fields ''n'', verification of the algorithm's recognition accuracy, verification of the algorithm's dynamic boundary recognition accuracy, and verification of the algorithm's efficiency.
① Setting of the similarity threshold ''$TH_{sim}$'' and the number of Gaussian receptive fields ''n''.
A set of 1148 sample data was collected by the initial platform. By calculating the accuracy rate (AR) and error rate (ER), the similarity threshold and the number of the Gaussian receptive field are determined. Under a certain similarity threshold and Gaussian receptive field size, ''T'' is the result recognized by the algorithm and ''N'' is the classification result under the standard condition. The calculation formulas of the two rates are as follows: $AR = \frac{|T \cap N|}{|N|}$; that is, the ratio of the number of data intersected by T and N to the total number of data in the standard case; $ER = \frac{|T - (T \cap N)|}{|N|}$; that is, the proportion of data with incorrect identification.
The experimental process is as follows:
a. Similarity threshold ''$TH_{sim}$'': If the value of ''$TH_{sim}$'' is too large, the classification will be excessive and the recognition accuracy will reduce. By contrast, if the value of ''$TH_{sim}$'' is too small, the incorrect classification and therefore the error rate will increase. It can be seen that the size of ''$TH_{sim}$'' directly affects the accuracy of algorithm classification. Therefore, in this experiment, the threshold value was increased from 0.6 to 1 consecutively at an increment of 0.01.
b. Gaussian receptive field ''n'': it represents the pulse time range covered by the input neuron. If it is set too large, too many pulses will be covered, which are not enough to excite neurons; this reduces the accuracy of recognition. By contrast, if n is too small, the neurons cannot be accurately represented by pulses, thus increasing the recognition error rate. Therefore, to determine the optimal size of the Gaussian receptive field, ''n'' was increased from 1 to 16 consecutively at an increment of 1 in the experiment.
At the value of each Gaussian receptive field, each threshold was tested. The recognition accuracy and error rate vary as shown in Figure 8. Figures 8 and 9 indicate that when $TH_{sim}$ = 0.83 and n = 8, the accuracy rate reaches 0.983 and the error rate reaches 0.007, and the algorithm recognition effect is the best. Therefore, ''n'' and ''$TH_{sim}$'' for the subsequent experiments were taken as 8 and 0.83, respectively.
② Verification of the algorithm's recognition accuracy.
On the basis of the sample data in ①, two groups of sample data, consisting of 1079 and 1247 data, were collected. These three groups of sample data are tested by ''rank order'' [21], the pulse neural network learning algorithm based on the precise time ''only precise'' [22], and the proposed algorithm in this paper. Their recognition accuracy rate and error rate are compared, and the results are shown in Figures 10 and 11. Figure 10 indicates that the recognition accuracy rate of the D_SNNBAR algorithm for tenant boundaries is slightly higher than that of the ''only precise'' algorithm and far higher than that of the ''rank order'' algorithm. Figure 11 indicates that the recognition error rate of the D_SNNBAR algorithm is lower than those of the other two algorithms. Thus, the proposed algorithm is confirmed to have high recognition accuracy rate and low recognition error rate, indicating its ability to accurately identify tenant boundaries.
③ Verification of the algorithm's dynamic boundary recognition accuracy.
After varying the number of tenants and virtual machines dynamically, the experimental data were collected continuously and input into the network one by one. The continuous recognition results of three groups of sample data were counted. The accuracy rate and error rate comparison results of dynamic recognition are shown in Figures 12 and 13. Figures 12 and 13 indicate that the D_SNNBAR algorithm has the ability to dynamically identify the tenant boundary in the case of dynamic changes in the number of tenants and virtual machines and can more accurately realize the dynamic update of the tenant boundary.
④ Verification of the algorithm's efficiency.
To verify the efficiency of the D_SNNBAR algorithm, the execution time of the three algorithms in ② is compared. The comparison results are shown in Figure 14. Figure 14 indicates that the D_SNNBAR algorithm has superior efficiency compared to the other two algorithms, and the processing time of data is far less than the time of data collection. Thus, the algorithm can realize real-time updating of tenant boundary identification. Table 4 indicates the comparison of accuracy and time consumption between the D_SNNBAR algorithm and the other two algorithms in the above experiments.

4) CLASSIFICATION ACCURACY VERIFICATION UNDER STANDARD DATASETS
To further verify the performance and accuracy of the algorithm, this study conducted experiments using two standard datasets from the UCI machine learning library [41]: the ''IRIS'' dataset and ''Yeast'' dataset.
First, the size of the Gaussian receptive field and the similarity threshold in the two datasets were tested. The results show that the classification effect is the best when the Gaussian receptive field and similarity threshold are set to 6 and 0.85, respectively, in the ''IRIS'' dataset, and 12 and 0.86, respectively, in the ''Yeast'' dataset.
On the basis of the above parameters, the classification accuracy, error rate, and simulation time of the algorithm for the two datasets are compared as shown in Table 5. Table 5 indicates that the recognition accuracy of the D_SNNBAR algorithm is better than that of the ''only precise'' and ''rank order'' algorithms for the two standard datasets and has high recognition accuracy. In addition, the running time of the proposed algorithm is considerably less than that of the other two algorithms. Figures 15-(a), (b), (c) intuitively show the recognition effect of the three algorithms for the two datasets.

B. SECURITY ANALYSIS AND VERIFICATION OF THE METHOD
1) SECURITY ANALYSIS
According to the basic concept of the noninterference theory [42], secure information flow can be regarded as noninterference of information flow between tenants and cloud service programs and between tenants' security domains; that is, there are two domains in the system. If the information flow in one domain does not destroy the system output observed in the other domain, it is an indication of no interference. The traditional noninterference theory [43] can be applied only to security policy environments with a transitive nature, which obviously does not meet the security requirement of information flow between joint tenants. Therefore, in this study, we choose the intransitive noninterference theory based on the TA-safety model [44] to prove the security of the system.
To confirm the non-interference of the system, we first analyze the security of confidentiality and integrity of tenant information flow, as follows:
To analyze the security of tenant data flow, first, the security features of the Bell-LaPadula (BLP) and Biba models [23], [24] are introduced.
Security Table 6: (''r'' stands for reading, ''w'' for writing, ''rw'' for reading and writing, and ''No'' for not executing; ''L c H '' stands for high level confidentiality label, ''L c L '' stands for low level confidentiality label, ''L i H '' stands for high level integrity label, ''L i L '' stands for low level integrity label.)
When all the situations in Table 6 are brought into the security features of the BLP and Biba models for verification, it is confirmed that the flow of tenant information can meet the confidentiality and integrity requirements simultaneously.
Next, the system noninterference is analyzed. For this purpose, the elements involved in the system are defined in a mathematical form: Let system M be a finite automaton, which mainly consists of the following components:
Next, the definition of TA function is given [44]: for system M (D, →), ν ∈ D, function ta : A * → T ({ε, A), the specific definition is described as equation 18: α · a is the empty sequence;
According to the above definition, the judgment theorem of TA-safety is described as follows: If
For the proof of theorem 1, it is necessary to prove that the weak unwinding of system M (D, →) about policy '' →'' satisfies OC, WSC, and LR according to the judgment theorem of TA-safety. The proof is as follows: Suppose that the security labels in domain µ and domain ν are L c u , L i u and L c ν , L i ν , respectively.
a: OUTPUT CONSISTENCY (OC)
① When (L c µ L c ν ) ∧ (L i ν L i µ ) is satisfied, it can be seen from rule 2 that information I can flow from µ to ν. By observing the tenant information flow control matrix M, the following three situations exist:
(a) When action a = r, the information value before and after the read-only operation does not change, that is, val ν (s, I ) = val ν (t, I ). Therefore, in the equivalent state (s ∼ υ t), there must be val ν (s) = val ν (t);
(b) When a = w, according to the integrity and confidentiality proof of tenant information flow, the confidentiality and integrity security of the original data and the new information before and after the information is written are guaranteed. According to rules 3 and 1, the security label will become stricter after writing and will not pose a security threat to other data. Therefore, in the equivalent state, val ν (s) = val ν (t) holds the same;
(c) When a = rw, the confidentiality and integrity of both sides of information flow are the same, which will not change the access relationship of the main body to the data in the tenant. Therefore, under s ∼ υ t, val ν (s) = val ν (t) must hold.
② is satisfied, it can be seen from rule 2 that information is not allowed to flow, because it will destroy the integrity and confidentiality of information in the domain and avoid the occurrence of interference behavior. For the inflow and outflow operation without information in the system, obs ν (s) = obs ν (t) must hold.
It can be seen that output consistency is satisfied.
b: WEAK SINGLE-STEP CONSISTENCY (WSC)
According to the definition of WSC, the proof of WSC can be transformed into the proof that the value of the same operation a ∈ A performed on the data in state s ∼ µ t is consistent; that is, val µ (step(s, a)) = val µ (step(t, a)), and the analysis is based on whether the operation domain of action a interferes with domain µ.
When dom(a) µ, dom(a) has no effect on domain µ, because it will not change the value of data in domain µ, nor the access relationship to data, so val µ (s, Data) = val µ (t, Data) ⇒ val µ (step(s, a), Data) = val µ (step(t, a), Data); When dom(a) → µ, in state s, operation a is performed on the data, and the data value changes. According to the information flow control matrix M, it can be seen that the executed domain dom(a) performs w or rw operation on domain µ.
a. When (L c dom(a) L c µ ) ∧ (L i µ L i dom(a) ) and action a = w, according to rule 2, the execution of action a is completed under the condition of ensuring the confidentiality and integrity of domain µ. According to rules 3 and 1, after the data is written to domain µ, L c Data = L c Data ∪ L c µ and L i Data = L i Data ∪ L i µ are obtained. It can be seen that the security label policy of data becomes stricter, and the writing of data will not change the access relationship of other data in domain µ, that is, it will not change the value of original data in domain µ.
b. When (L c dom(a) = L c µ ) ∧ (L i µ = L i dom(a) ), according to rules 2 and 3, the integrity and confidentiality of both sides of data flow remain unchanged before and after data flow; that is, the integrity and confidentiality of domain µ will not change and will not affect the value of the original data in domain µ. Therefore, in the equivalent states s and t, after the completion of action, a, val (step(s, a), Data) = val (step(t, a), Data).
It can be seen that WSC is satisfied.

c: LOCAL COMPLIANCE (LR)
According to the definition of LR, dom(a) u ⇒ obs u (s) = obs u (step(s, a)). According to the tenant information flow control matrix, action a is divided into three situations, which are analyzed as follows: When a = r, because the read-only operation is carried out under the constraint of rule 2, the data of domain u will not be disclosed, and the data value and label policy in domain u have not changed before and after the execution of a, that is, dom(a) µ, obs u (s) = obs u (step(s, a)). When a = w∨ rw, from the converse negative proposition, it is proved whether obsu(s) =obs u (step(s, a)) ⇒ dom(a) −→µ is true or not. After action a is executed, the data is written to domain u, and the amount of data and the security label set of the domain u will change, that is, val µ (s, Data) = val µ (step(s, a), Data)⇒obs u (s) =obs u (step(s, a)).Obviously dom(a) −→u is established, so dom(a) u⇒obs u (s) = obs u (step(s, a)) is established.
Therefore, LR is satisfied.
In conclusion, the proof of Theorem 1 shows that the system M (D, →) is TA safe to the strategy, and the system can ensure the security of tenant information flow without interference.

2) SECURITY VERIFICATION
Experiments were conducted for the security verification of tenant information flow control in DSCloud, that is, for testing tenant process-level communication and network-level information flow control. The verification test consists of three parts: ① the tests of label propagation and file operation's information flow control in the virtual machine, ② the test of communication through the shared physical memory between processes in the same virtual machine, ③ the test of process communication between virtual machines, and ④ the test of system performance delay after adding security measures.
Experiment environment: the virtual operating system was Ubuntu 12.04, Linux kernel version 3.0.1, and the test virtual machine was "Xen". The test was implemented on the existing LSM framework in Linux. The security control of tenant information flow was programmed as a security module, which can be loaded and executed dynamically in a Linux kernel through the "mod_reg_security()" function [5], [45].
The related modules are realized as follows:
(1) Access to information
The virtual machine introspection (VMI) [46] is used to obtain the information of the internal process, module, memory, and network interface of the virtual machine, and the label information of the above objects is saved by creating the corresponding data structure. For example, to obtain the current process and module information, the following process classes are defined in the VMI module:

    #include <cstdint>
    #include <unordered_map>

    class module;  // module descriptor, defined elsewhere in the VMI module
    // VMI_MAX_MODULE is a size constant that is not shown in the paper

    class process {
    public:
        uint32_t cr3;               // Indicates the memory location of the process
        uint32_t pid;               // Indicates the process identification number
        char name[VMI_MAX_MODULE];  // Modules loaded by the process
        uint32_t level;             // The security level of the process
        std::unordered_map<uint32_t, module *> module_list;  // The mapping table of the base address to the module pointer
    };

(2) Label marking method
According to the control rules of information flow in the system, label marking can be realized by adding security labels with the security level on the processes and files.
In the experiment, 0x0, 0x1, 0x2, and 0x3 were used to represent the security levels of security labels in increasing order.
(3) Dynamic tracking of labels
To realize fine-grained label dynamic tracking at the instruction level, tiny code generation (TCG) technology is used to create a labeled global variable with the same size for each global variable (general register and label register) and the corresponding label dynamic tracking code is inserted in the TCG code generation phase. For example, the label of the global variable "eax" is "label_eax". If the data of the level "0x1" is stored in "eax", "label_eax" saves the value of the corresponding security level of "eax". If a certain type of instruction (such as a move instruction, an arithmetic instruction, or a logical operation instruction) generates information flow propagation, a corresponding label propagation instruction is inserted to track the label.
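The shadow-label idea described above, modelled on a three-register toy machine as an added example (not code from the paper or from DSCloud). The instruction set, the join rule on arithmetic (the higher of the two levels), the clearing of the label on `xor r, r` and the sink check are assumptions made for the illustration; the paper defines labels over a lattice, while this sketch uses only the scalar levels 0x0 to 0x3 from the experiment.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <vector>
enum Reg { EAX, EBX, ECX, NREG };
enum Op { LOAD, MOVI, MOV, ADD, XOR, STORE };
// LOAD: dst <- value read from an object labelled `level`; MOVI: dst <- constant;
// MOV/ADD/XOR: register to register; STORE: write src to a sink labelled `level`.
struct Insn { Op op; Reg dst; Reg src; uint32_t imm; uint32_t level; };
struct Cpu {
    std::array<uint32_t, NREG> val{};
    std::array<uint32_t, NREG> label{};  // shadow labels: label[EAX] plays the role of label_eax
};

// Assumed sink rule: data may only reach a sink whose level is at least its label.
bool flow_allowed(uint32_t data_level, uint32_t sink_level) { return data_level <= sink_level; }

// Runs the program, updating a shadow label next to every register update.
// Returns the index of the first STORE that is blocked, or -1 if none is.
int run(Cpu& cpu, const std::vector<Insn>& prog) {
    for (size_t i = 0; i < prog.size(); ++i) {
        const Insn& in = prog[i];
        uint32_t& v = cpu.val[in.dst];
        uint32_t& l = cpu.label[in.dst];
        switch (in.op) {
        case LOAD:  v = in.imm; l = in.level; break;
        case MOVI:  v = in.imm; l = 0x0; break;  // constants carry no label
        case MOV:   v = cpu.val[in.src]; l = cpu.label[in.src]; break;
        case ADD:   v += cpu.val[in.src]; l = std::max(l, cpu.label[in.src]); break;
        case XOR:   v ^= cpu.val[in.src];        // xor r, r always yields 0
                    l = (in.dst == in.src) ? 0x0 : std::max(l, cpu.label[in.src]); break;
        case STORE: if (!flow_allowed(cpu.label[in.src], in.level)) return static_cast<int>(i); break;
        }
    }
    return -1;
}

// Constructed program: a 0x2 value is copied and mixed before being written to a 0x0 sink.
int demo_laundered_secret(Cpu& cpu) {
    return run(cpu, {
        {LOAD,  EAX, EAX, 41, 0x2},  // eax <- data from a 0x2 object
        {MOVI,  EBX, EBX, 1,  0x0},  // ebx <- 1
        {ADD,   EBX, EAX, 0,  0x0},  // ebx += eax => label of ebx becomes 0x2
        {MOV,   ECX, EBX, 0,  0x0},  // ecx <- ebx => label of ecx becomes 0x2
        {XOR,   EAX, EAX, 0,  0x0},  // eax ^= eax => constant 0, label cleared
        {STORE, EAX, EAX, 0,  0x0},  // allowed: eax no longer depends on the 0x2 data
        {STORE, ECX, ECX, 0,  0x0},  // blocked: ecx still carries 0x2
    });
}
```

Tracking per register rather than per process is what lets the first store through while the second is stopped, even though both come from the same program.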
The experimental results are as follows:
① Test of label propagation and file operation's information flow control in the virtual machine: The test files were named "public", "sensitive", and "secret", and the security levels of the security labels of the files were set to 0x0, 0x1, and 0x2, respectively. "gedit" and "office" were used as the test programs, and the security levels of the security labels were set to 0x1 and 0x3, respectively. "gedit" and "office" were used to try to read these three files. The experimental results are shown in Figure 16. Figure 16 indicates that "gedit" could read the files "public" and "sensitive", but could not open the file "secret", and "office" could read the file "secret". Thus, the experimental expectation is met.
Propagation of security label: first, "office" read the file "secret" and then the file "public". Then, an attempt was made to open the file "public" with "gedit"; this reading result is shown in Figure 17.
② Test of communication through the shared physical memory between processes in the same virtual machine: The test programs used were "productor", "customerl", and "customerh", and the security levels of the security labels were set to 0x1, 0x0, and 0x1, respectively. "productor" was used to send messages to "customerh" and "customerl". The test results are shown in Figure 18. Figure 18 indicates that "productor" and "customerh" with the same security level could communicate normally, while "productor" and "customerl" with different security levels could not communicate; this meets the experiment expectation.
③ Test of process communication between virtual machines: The settings of the transfer file were the same as those in experiment ①. In the experiment, we used "clientl" to connect with "server" to receive the files "sensitive" and "secret" from the FTP server and used "clienth" to connect with "serverh" to receive the files "public", "sensitive", and "secret" from the FTP server. The experimental results are shown in Figure 19. Figure 19 indicates that "server" failed to transfer the files "sensitive" and "secret" to "clientl", whereas "clienth" and "serverh" successfully transferred the files "public", "sensitive", and "secret". This meets the experiment expectation. This result can be attributed to the fact that under the constraints of the information flow control rules, when two virtual machines communicate with each other, they cannot send the data of a high security level to the process of a low security level.
④ Test of system performance delay: To test the effect of adding the security measures on the actual performance of the system, this study tested the system startup time, program startup time, file opening time, keyboard input response time, and network data transmission time between the original Linux system and the present system. The results are shown in Table 8.
Table 8 shows that the security measures delayed the operation performance of the system by an average of approximately 3.0%. The security measures showed the greatest effect on the performance of the startup program (from inputting "gedit" on the command line till the program starts and displays) and file opening (from entering "gedit file path" on the command line till the file is opened and displayed), whereas they had no effect on the operation of the system. In summary, the performance delay of the system after adding security measures can be ignored.

VI. CONCLUSION
By analyzing the characteristics of the cloud environment and the security requirements of sensitive information flow of cloud tenants, a dynamic control method for tenants' sensitive information flow based on virtual boundary recognition was proposed. First, an automatic recognition algorithm of tenant virtual boundaries based on the dynamic spiking neural network was designed. Based on the analysis of tenant behavior and operation log, the feature vector of tenant behavior was constructed. Through the learning and training of the neural network, the automatic recognition of tenants' virtual security boundary was realized, which provides the basis for the security control of tenants' sensitive information flow. By implementing a dynamic control method for sensitive information flow of cloud tenants, the security strategy of tenant information flow was formulated, and security labels were used to track and control the tenant information flow inside and outside the boundary in order to realize the tenant's independent control of the information flow within the boundary as well as the dynamic control and security sharing of information flow between tenants. Based on the identification of tenants' virtual security boundaries and the security control of information flow, a dynamic security control application system for sensitive information flow was constructed. Finally, a cloud platform was built using OpenStack and sample data were collected for experiments. The accuracy of the recognition algorithm was verified, and the safety and effectiveness of the system were confirmed by the intransitive noninterference theory and the experiment of information flow control. In future work, we hope to achieve higher accuracy and efficiency in boundary recognition. So, we will further optimize the "D_SNNBAR" algorithm and build a more complete dataset. In addition, we will complete the overall implementation of the "DSCloud" system to achieve better application.