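Research on an Adaptive Anomaly Detection Model and Deployment Strategies in Cloud Environments
Published: 2018-07-12 13:20
Topics: cloud computing + anomaly detection; Source: Fudan University, 2014 master's thesis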
[Abstract]: Cloud computing is a computing model that delivers dynamically scalable virtualized resources as services over the Internet. It is also a pay-per-use model that gives cloud tenants on-demand, available and convenient network access. According to the level, focus and target of the services provided, cloud computing can be divided into three layers: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). Cloud services are built on existing standardized network protocols, with specific formats and standards. However, the security risks and vulnerabilities in existing technologies and standard protocols leave the door open to intruders. Traditional network intrusions, together with intrusions specific to cloud computing, have made cloud security an increasingly important research direction. Anomaly detection, which can detect previously unknown intrusion behavior, is commonly used as the means of intrusion detection in cloud environments. Detecting anomalies in a cloud environment requires monitoring the running state of the cloud platform and collecting runtime performance data. The collected performance data is usually unlabeled, so how to derive health indicators for cloud servers from this unlabeled data is the problem this thesis addresses. Many attributes of the collected performance data are of no interest, so the data must be reduced to the dimensions that actually matter for the cloud server. Before dimensionality reduction, the data is usually preprocessed to identify dimensions with distinct characteristics. The concept of mutual information from information theory is well suited to finding the data dimensions that have minimal correlation and contribute strongly to the target classification parameter.

Once these sensitive dimensions are obtained, PCA (Principal Component Analysis) can further reduce the dimensionality of the remaining high-dimensional data, yielding strongly characteristic dimensions that serve as the metrics and evaluation criteria for subsequent anomaly detection. Anomaly detection in cloud environments needs to be fast and accurate, and classification-based methods can serve as the anomaly detection method in cloud environments. An SVM (Support Vector Machine) can classify the data instances that characterize cloud server performance. Suspected anomalous instances flagged by the classifier are submitted to the cloud security administrator for confirmation, and the SVM classifier is iterated step by step according to the confirmation results, continuously improving the anomaly detection classification model and making it adaptive. This thesis designs the adaptive anomaly detection model CAPS (Cloud Adaptive PCA-SVM), which runs from data acquisition and preprocessing through dimensionality reduction of high-dimensional data, and ultimately labels anomalies in the cloud environment and reports alerts. The thesis then uses CAPS to study security deployment strategies for specific scenarios in cloud environments, considering the host, network, hypervisor and distributed aspects. Finally, the performance of CAPS is analyzed on OpenStack using real cloud environment data. The experimental results show that the proposed CAPS achieves a relatively high detection rate, a relatively low false alarm rate and relatively fast speed in cloud environments.
[Degree-granting institution]: Fudan University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.09