Research and Implementation of Security Audit Technology for Cloud Computing Service Platforms
Published: 2018-02-27 07:41
Keywords: cloud platform; security audit; agent; association analysis. Source: Beijing University of Posts and Telecommunications (北京邮电大学), 2014 master's thesis. Document type: degree thesis
[Abstract]: In recent years, as networks have continued to grow, people increasingly rely on them to handle their daily business, and the network has become a platform for exchanging and storing information. Cloud computing emerged against this background of growing user demand; major vendors have launched service platforms built on cloud computing technology, which have been widely adopted because of their generality and low cost of use. However, the security problems of cloud platforms have gradually been exposed. For a cloud service provider, determining whether users behave abnormally while using the service, and auditing such abnormal behaviour, is an important part of keeping the service running normally.
This thesis first makes a comprehensive and in-depth study of the technologies related to cloud platform security auditing, including the standards and models of traditional security auditing and the technologies relevant to auditing cloud platforms. It analyses the shortcomings of traditional security auditing and the differences between cloud environment security and traditional network security, establishing a theoretical basis for the design and implementation of the audit system. A security audit model for cloud computing service platforms is then proposed, with the following characteristics:
(1) Audit information collection based on cloud platform Agents. In the collection stage, cloud platform Agents deployed on the cluster servers collect and format audit information in the cloud environment, send the formatted data to the storage server, and perform real-time auditing at the same time. Deploying the Agents in a distributed manner improves the capacity for collecting audit information.
(2) Audit information storage based on symmetric-key encryption. During storage, sensitive audit information is encrypted and keys are managed through a secure key storage scheme; retrieval over information encrypted with the symmetric key (ciphertext retrieval) is supported. This prevents insiders at the cloud service provider from stealing or tampering with the data and guarantees the confidentiality of audit information in a semi-trusted cloud environment.
(3) Audit information analysis combining real-time and post-hoc auditing. The cloud platform Agent performs a preliminary real-time audit according to the rules pushed down to its local rule base, and the audit analysis module performs post-hoc auditing according to the rule base. Combining the two forms of auditing ensures the effectiveness of the audit analysis.
In addition, the thesis improves the join step of the Apriori algorithm used in post-hoc audit analysis on the cloud platform, reducing the number of invalid joins and comparisons, lightening the system's I/O load, and improving the efficiency of the algorithm.
The "Beijing Industrial Cloud Computing Platform Assurance Project" (北京工业云计算平台保障项目), implemented on the basis of this security audit model, realises the main system functions of audit information collection, secure audit information storage and audit information analysis, and provides users of the system with a friendly interface and good usability. Testing shows that the system meets the requirements of cloud platform auditing.
Degree-granting institution: Beijing University of Posts and Telecommunications (北京邮电大学)
Degree level: Master's
Year degree granted: 2014
Classification number: TP393.09
Record number: 1541752
Link: https://www.wllwen.com/guanlilunwen/ydhl/1541752.html