Research on Key Technologies of Malicious Behavior Analysis and Control for Controllable Cloud Computing
[Abstract]: While cloud computing brings benefits to people's lives, its rich resources, ubiquitous access and other features are easily abused by attackers to expand their attack capabilities and scope. The uncontrollability of cloud computing hurts the reputation of cloud service providers on the one hand, and greatly damages the interests of puppet cloud tenants and attack victims on the other. It is therefore important to study effective methods for guaranteeing the controllability of cloud computing. At present, compared with the protection of data in the cloud and other security studies, there is still little work addressing this challenge, and it falls mainly into two parts. One part addresses the detection of botCloud and other forms of abuse; however, besides covering relatively few types of abuse, it has not studied how to implement abuse control. The other part attempts to migrate malicious behavior detection and control methods from the common network environment to the cloud computing environment, such as using firewalls or intrusion detection devices to monitor tenants' real-time network traffic; some results have been achieved, but they are relatively limited. For example, cloud service providers can effectively obtain a variety of data carried by the hardware resources within their control area, whereas host behavior data is difficult to obtain in the ordinary network environment; cloud computing centers are generally large-scale and require high accuracy of malicious behavior identification, while the data to be processed in the ordinary network environment is relatively small; as another example, cloud service providers seek to maximize profits on the basis of limited resources, while security workers in general network environments seek to minimize security risks first.
These differences, on the one hand, hinder the migration of relevant measures from the general environment to the cloud and, on the other hand, call for designing new measures that meet the controllability needs of cloud computing centers. Based on this understanding, and aiming at the uncontrollable behavior of tenants on cloud computing platforms, this paper systematically studies three dimensions of malicious behavior (data acquisition, analysis and control) and constructs a secure and controllable cloud computing platform, which provides technical support for cloud computing service providers and third-party supervision. The main work and innovations of this paper are as follows:
(1) An in-depth study of malicious behavior data acquisition methods for cloud computing centers. Cloud computing uses compute virtualization, network virtualization and storage virtualization to achieve elastic scalability. For this reason, this paper studies in depth the data acquisition method oriented to system virtualization, virtual machine introspection. From the point of view of technical implementation, it systematically analyzes the four modes by which virtual machine introspection crosses the semantic gap and the problems faced by each mode, which lays a theoretical and practical foundation for the subsequent design of the malicious behavior analysis and control scheme for controllable cloud computing.
(2) To improve the accuracy of malicious behavior identification and reduce the impact on cloud tenants' experience, a larger set of training samples is objectively required; at the same time, a large-scale cloud computing center produces a large number of system call sequences that need real-time analysis. Therefore, this paper proposes a distributed online process behavior analysis method to meet the needs of malicious behavior analysis in controllable cloud computing. First, based on the random projection tree, the method divides the sample behavior feature dataset into sub-datasets with good roundness. Then, on the premise of ensuring local proximity, each sub-dataset is placed on a node of a structured P2P network, and each node is responsible for its sub-dataset. The experimental results show that, besides high routing efficiency, the recall rate of K-nearest-neighbor results within three hops can reach more than 75%.
(3) Malicious behavior control technology in the general network environment has high resource consumption. This paper proposes a fine-grained, application-level control technology for malicious software and, in the context of controlling DDoS attack sources in the cloud, designs and implements the pTrace system, which can control malicious software directly. The pTrace system reduces the resource consumption of response and is easy for cloud service providers to adopt. It uses VM introspection and packet capture to acquire malicious behavior data, identifies the attack flow and its source address information, and then accurately traces the malicious software according to that source address information, thereby achieving direct control of the malicious process. The experimental results show that the system can trace malicious processes accurately in milliseconds.
(4) To restrict the ability of malicious software to abuse cloud resources, this paper proposes and designs a malicious behavior restriction scheme based on network resource isolation. A flexible network resource isolation scheme for cloud computing centers is designed based on OpenStack. On this basis, an access control strategy between multi-tenant virtual networks is designed.
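[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctoral
[Year degree awarded]: 2016
[Classification number]: TP393.08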