Design and implementation of abnormal behavior detection system in cloud computing

doi:10.11772/j.issn.1001-9081.2015.05.1284

Journal of Computer Applications ›› 2015, Vol. 35 ›› Issue (5): 1284-1289.DOI: 10.11772/j.issn.1001-9081.2015.05.1284

Previous Articles Next Articles

Design and implementation of abnormal behavior detection system in cloud computing

YU Hongyan¹, CEN Kailun², YANG Tengxiao³

1. College of Transport and Communications, Shanghai Maritime University, Shanghai 201306, China;
2. College of Information Engineering, Shanghai Maritime University, Shanghai 201306, China;
3. Research and Development Department, Shanghai Newdon Technology Company Limited, Shanghai 200092, China

Received:2014-12-10 Revised:2015-01-14 Online:2015-05-10 Published:2015-05-14

云计算平台异常行为检测系统的设计与实现

于红岩¹, 岑凯伦², 杨腾霄³

1. 上海海事大学交通运输学院, 上海 201306;
2. 上海海事大学信息工程学院, 上海 201306;
3. 上海纽盾科技有限公司研发部, 上海 200092

通讯作者: 于红岩
作者简介:于红岩(1979-),女,山东文登人,讲师,博士,主要研究方向:电子商务、云计算安全; 岑凯伦(1991-),男,上海人,硕士研究生,主要研究方向:云计算安全; 杨腾霄(1977-),男,山西长治人,工程师,硕士,主要研究方向:云计算安全.
基金资助:
上海市教育委员会科研创新项目(11YS142);2014年上海市科技型中小企业技术创新基金资助项目(1401H164800);2012年上海海事大学校基金资助项目(20120080).

Abstract

Abstract:

Worm, Address Resolution Protocol (ARP) broadcast and other abnormal behaviorS which attack the cloud computing platform from the virtual machines cannot be detected by traditional network security components. In order to solve the problem, abnormal behavior detection technology architecture for cloud computing platform was designed, abnormal behavior detection for worms which brought signature and non-signature behaviors based on mutation theory and "Detection-Isolation-Cure-Restore" intelligent processing for cloud security was proposed. Abnormal detection, management of event and defense, and ARP broadcast detection for cloud computing platform were merged in the system. The experimental results show that the abnormal behavior inside the cloud computing platform can be detected and defensed with the system, the collection and analysis of the abnormal behavior inside cloud computing platform can be provided by this system in real-time, the traffic information can be refreshed automatically every 5 seconds, the system throughput can reach to 640 Gb and the bandwith occupied by abnormal flow can be reduced to less than 5% of the total bandwith in protected link.

Key words: cloud computing, abnormal behavior detection, event management, Address Resolution Protocol (ARP) anomaly detection, cloud security

摘要：

针对传统网络安全设备对云计算平台中虚拟机内部发生的蠕虫病毒、地址解析协议(ARP)广播攻击等异常行为失效的问题,设计了基于VMware的云计算平台下异常行为检测技术架构,提出了云计算下有特征码的蠕虫病毒异常行为检测,和基于突变理论的无特征码的异常行为检测,并针对两种异常行为提出了"侦测—隔离—治愈—恢复"智能处理云安全机制.系统融合云计算下异常行为检测,云计算下事件与防卫管理,和云计算下ARP广播检测三种功能于一体.实验结果表明,系统能实时提供云计算环境下异常行为的采集及分析,每隔5秒自动刷新实时流量资料,且吞吐量可达到640 Gb的处理能力,能够将被保护链路中异常流量所占用带宽降至总拥有带宽的5%以下,解决了云计算下的异常行为检测和防护问题.

关键词: 云计算, 异常行为检测, 事件管理, 地址解析协议异常侦测, 云安全

CLC Number:

TP393.08

YU Hongyan, CEN Kailun, YANG Tengxiao. Design and implementation of abnormal behavior detection system in cloud computing[J]. Journal of Computer Applications, 2015, 35(5): 1284-1289.

于红岩, 岑凯伦, 杨腾霄. 云计算平台异常行为检测系统的设计与实现[J]. 计算机应用, 2015, 35(5): 1284-1289.

References

[1] ARMBRUST M, FOX A, GRIFFITH R, et al. A view of cloud computing [J]. Communications of the ACM,2010,53(4):50-58.
[2] FENG D, ZHANG M, ZHANG Y, et al. Study on cloud computing security[J]. Journal of Software, 2012, 22(1): 71-83.(冯登国, 张敏, 张妍, 等. 云计算安全研究[J] . 软件学报, 2011, 22(1): 71-83.)
[3] SHAO G, CHEN X, YIN X, et al. Design and implementation of virtual machine traffic detection system based on OpenFlow[J]. Journal of Computer Applications,2014,34(4):1034-1037. (邵国林,陈兴蜀,尹学渊,等. 基于OpenFlow的虚拟机流量监测系统的设计与实现[J]. 计算机应用, 2014,34(4):1034-1037.)
[4] LOCKWOOD J W, MOSCALA J, KULIG M. Internet worm and virus protection in dynamically reconfigurable hardware[C]// Proceedings of the 2003 ACM CCS Workshop on Rapid Malcode. New York: ACM, 2003:1-8.
[5] XIN Y, FANG B, HE L, et al. Worm detection and signature extraction based on communication characteristics [J]. Journal on Communications, 2007, 28(12): 1-7.(辛毅,方滨兴,贺龙涛,等. 基于通信特征分析的蠕虫检测和特征提取方法的研究[J]. 通信学报, 2007, 28(12): 1-7.)
[6] ZHU H, LI W, SHI H. Peer behavior based proactive P2P worm detection[J]. Computer Engineering and Applications, 2013, 49(7):93-97.(朱晖,李伟华,史豪斌.基于节点行为的主动P2P蠕虫检测[J].计算机工程与应用,2013,49(7):93-97.)
[7] SU M. Using clustering to improve KNN-based classifiers for online anomaly network traffic identification[J]. Journal of Network and Computer Applications, 2011, 34(2): 722-730.
[8] SHAH B, TRIVEDI H B. Artificial neural network based intrusion detection system: a survey[J]. International Journal of Computer Applications, 2012, 39(6): 13-18.
[9] GUAN X, QIN T, LI W, et al. Dynamic feature analysis and measurement for large-scale network traffic monitoring [J]. IEEE Transactions on Information Forensics and Security, 2010, 5(4): 905-919.
[10] XIANG G, JIN H, ZOU D, et al. Virtualization-based security monitoring[J]. Journal of Software, 2012, 23(8): 2173-2187.(项国富, 金海, 邹德清, 等. 基于虚拟化的安全监控[J]. 软件学报,2012,23(8):2173-2187.)
[11] LIU Q, WANG G, WENG C, et al. A mandatory access control framework in virtual machine system with respect to multi-level security I: theory[J]. China Communications, 2010(4): 137-143.(刘谦,王观海,翁楚良,等. 一种虚拟机系统中关于多级安全的强制访问控制框架Ⅰ: 理论[J]. 中国通信,2010(4): 137-143.)
[12] LIU Q, WANG G, WENG C, et al. A mandatory access control framework in virtual machine system with respect to multi-level security II: implementation [J]. China Communications, 2011(2): 86-94.(刘谦,王观海,翁楚良,等.一种虚拟机系统下关于多级安全的强制访问控制框架Ⅱ: 实现[J]. 中国通信,2011(2): 86-94.)
[13] DUNLAP G W, KING S T, CINAR S, et al. ReVirt: enabling intrusion analysis through virtual-machine logging and replay[C]// Proceedings of the 5th Symposium on Operating Systems Design and Implementation. New York: ACM, 2002: 211-224.

[1]	CHEN Jiahao, YIN Xinchun. Traceable and revocable ciphertext-policy attribute-based encryption scheme based on cloud-fog computing [J]. Journal of Computer Applications, 2021, 41(6): 1611-1620.
[2]	GE Lina, HU Yugu, ZHANG Guifen, CHEN Yuanyuan. Reverse hybrid access control scheme based on object attribute matching in cloud computing environment [J]. Journal of Computer Applications, 2021, 41(6): 1604-1610.
[3]	YANG Ling, JIANG Chunmao. Strategy of energy-aware virtual machine migration based on three-way decision [J]. Journal of Computer Applications, 2021, 41(4): 990-998.
[4]	Xiaoling SUN, Guang YANG, Yanping SHEN, Qiuge YANG, Tao CHEN. Searchable encryption scheme based on splittable inverted index [J]. Journal of Computer Applications, 2021, 41(11): 3288-3294.
[5]	LI Ziqiang, WANG Zhengyong, CHEN Honggang, LI Linyi, HE Xiaohai. Video abnormal behavior detection based on dual prediction model of appearance and motion features [J]. Journal of Computer Applications, 2021, 41(10): 2997-3003.
[6]	LYU Jiayu, ZHU Zhirong, YAO Zhiqiang. Two-channel dynamic data encryption strategy in cloud computing environment [J]. Journal of Computer Applications, 2020, 40(8): 2268-2273.
[7]	CHEN Chengjun, MAO Yingchi, WANG Yichao. CNN model compression based on activation-entropy based layer-wise iterative pruning strategy [J]. Journal of Computer Applications, 2020, 40(5): 1260-1265.
[8]	GUO Shujie, LI Zhihua, LIN Kaiqing. Fuzzy membership degree based virtual machine placement algorithmin cloud environment [J]. Journal of Computer Applications, 2020, 40(5): 1374-1381.
[9]	XU Yingxin, SUN Lei, ZHAO Jiancheng, GUO Songhui. Virtual field programmable gate array placement strategy based on ant colony optimization algorithm [J]. Journal of Computer Applications, 2020, 40(3): 747-752.
[10]	WANG Qingyong, MAO Yingchi, WANG Yichao, WANG Longbao. Computing task offloading based on multi-cloudlet collaboration [J]. Journal of Computer Applications, 2020, 40(2): 328-334.
[11]	LIU Fuxin, LI Jingwei, WANG Yihong, LI Lin. Design and implementation of cloud native massive data storage system based on Kubernetes [J]. Journal of Computer Applications, 2020, 40(2): 547-552.
[12]	WANG Zhiheng, XU Yanyan. Design and implementation of fingerprint authentication terminal APP in mobile cloud environment based on TrustZone [J]. Journal of Computer Applications, 2020, 40(11): 3255-3260.
[13]	YANG Shenshen, WU Huizhen, ZHUANG Lili, LYU Hongwu. Markov process-based availability modeling and analysis method of IaaS system [J]. Journal of Computer Applications, 2020, 40(10): 3013-3018.
[14]	LIN Li, XIONG Jinbo, XIAO Ruliang, LIN Mingwei, CHEN Xiuhua. Gaming@Edge: low latency cloud gaming system based on edge nodes [J]. Journal of Computer Applications, 2019, 39(7): 2001-2007.
[15]	YANG Hongyu, LI Bochao. Network abnormal behavior detection model based on adversarially learned inference [J]. Journal of Computer Applications, 2019, 39(7): 1967-1972.

Design and implementation of abnormal behavior detection system in cloud computing

云计算平台异常行为检测系统的设计与实现

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics