
Research On Data Protection Against Insider Threats For IaaS Cloud Environments

Posted on: 2019-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: S Li
GTID: 2428330593450292
Subject: Computer Science and Technology
Abstract/Summary:
With the development of cloud computing, more and more enterprises and individuals rent IaaS (Infrastructure as a Service) resources to reduce the cost of managing and maintaining IT infrastructure. In the IaaS model, tenants host their data and applications on the provider's infrastructure, and the opacity of the service leaves them without full control over their private data: the provider controls the management interfaces through which that data is reached. Because a provider's trustworthiness is hard to assess, a malicious cloud administrator or operations employee can abuse their privileges to violate the security and privacy of tenant data, either by reading and writing the data directly or by operating on it indirectly through unauthorized calls to cloud services. Protecting tenants' virtual machine data against such insider attacks has therefore become a key problem in IaaS environments.

Existing proposals prevent or detect these insider threats through user-controlled data encryption, virtual machine monitoring based on nested virtualization, and single-node security auditing. However, they are incompatible with existing public cloud platforms, introduce additional computational cost, and cannot judge whether the source of an operation is legitimate, so they are difficult to apply directly to IaaS clouds. Low-cost protection of user data and multi-node tracking of data-access behavior on current mainstream cloud platforms remain open issues.

To address these problems, this thesis analyzes cloud service behavior and the characteristics of insider threats in IaaS environments, proposes a data protection framework called TVGuarder, and focuses on access control for virtual machine images, construction of user behavior trees, and insider threat discovery based on behavior tracing. The main contributions are as follows:

1. An access control method for virtual machine images based on process monitoring. First, all cloud service processes are monitored through Linux kernel hooks to determine which processes legitimately access tenants' virtual machine image files. Second, an access control policy for the image files is built from this legitimate-process information, and a kernel access control module blocks illegitimate direct access to the image files. Finally, the method was implemented and tested on a real cloud platform. The experimental results show that it prevents illegitimate processes from accessing image files and has only a small impact on cloud service response time.

2. A behavior tree construction method based on multi-layer API association analysis. First, the service invocation interfaces of the IaaS environment (compute service, remote call, management implementation and virtualization management) are analyzed to distill the complete flow of a cloud user operation. Second, following the idea of multi-layer API association and starting from source code analysis, the related code paths of the open-source OpenStack platform are correlated into behaviors. Finally, using tree-based behavior modeling, a behavior tree construction algorithm builds a normal behavior tree that describes the legitimate operations of cloud users. Since most IaaS clouds adopt the OpenStack architecture, the approach is widely applicable.

3. An insider threat detection method based on behavior tracing. First, trace points are placed on the multi-layer APIs (compute service interfaces, remote call interfaces, management implementation interfaces and virtualization management interfaces) and on the virtualization processes, so that cloud service behavior can be traced across multiple nodes. Second, the traced behavior is matched against the user's normal behavior tree by keyword matching, and malicious insider activity is identified through tree-based integrity analysis. Finally, the method is verified experimentally. The results show that it detects unauthorized cloud service calls by malicious insiders with high detection accuracy.

4. A TVGuarder prototype. First, based on the three methods above, the design idea, architecture and execution flow of TVGuarder are given. Second, the prototype is deployed in a real OpenStack-based cloud environment. Finally, cloud service performance before and after deployment, and the corresponding performance of the operating system on the cloud service node, are compared. The experimental results show that TVGuarder is practical and performs well.
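The following is an added illustration of contributions 2 and 3 (normal behavior tree built from multi-layer call chains, then trace events matched against it by keyword and checked for chain integrity). It is example code written for this page, not TVGuarder's implementation; the layer names, the OpenStack call chains, the trace line format, the correlation ids and the hostnames are assumptions constructed for the example.

```python
"""Behavior-tree construction and trace integrity checking (illustrative
example, not TVGuarder's code). Layer names, call chains, trace format and
request ids are assumptions constructed for this example."""
from collections import defaultdict

# Call-chain layers of an OpenStack-style IaaS node, user-facing API at the top.
LAYERS = ("api", "rpc", "manager", "virt", "process")
LAYER_RANK = {layer: i for i, layer in enumerate(LAYERS)}


class Node:
    """Tree node: a layer plus the keyword a trace event at that layer must contain."""

    def __init__(self, layer, keyword):
        self.layer, self.keyword, self.children = layer, keyword, []

    def child(self, layer, keyword):
        for c in self.children:
            if (c.layer, c.keyword) == (layer, keyword):
                return c
        self.children.append(Node(layer, keyword))
        return self.children[-1]


def build_behavior_tree(chains):
    """Build the normal behavior tree from legal call chains, each a list of
    (layer, keyword) from the API entry point down to the process layer."""
    root = Node("root", "user")
    for chain in chains:
        node = root
        for layer, keyword in chain:
            node = node.child(layer, keyword)
    return root


# Assumed legal chains (the thesis derives these from source-code analysis).
LEGAL_CHAINS = [
    [("api", "createImage"), ("rpc", "snapshot_instance"),
     ("manager", "ComputeManager.snapshot_instance"),
     ("virt", "LibvirtDriver.snapshot"), ("process", "qemu-img convert")],
    [("api", "reboot"), ("rpc", "reboot_instance"),
     ("manager", "ComputeManager.reboot_instance"),
     ("virt", "LibvirtDriver.reboot"), ("process", "qemu-system-x86_64")],
]


def parse_trace(lines):
    """Group events by correlation id. Assumed line format:
    '<host> <layer> <request_id> <message>'. Events are sorted top-down by
    layer so a chain spanning several nodes is checked in call order."""
    per_request = defaultdict(list)
    for line in lines:
        host, layer, req, msg = line.split(" ", 3)
        per_request[req].append((host, layer, msg))
    for events in per_request.values():
        events.sort(key=lambda e: LAYER_RANK[e[1]])
    return per_request


def check_request(root, events):
    """Walk one request's events down the tree. Integrity analysis: every layer
    from the API down must be present, in order, and keyword-match a child."""
    node, expected = root, 0
    for host, layer, msg in events:
        rank = LAYER_RANK[layer]
        if rank > expected:  # chain entered below the API: direct low-level call
            return "missing upper layer", f"{layer} on {host} without {LAYERS[expected]}"
        if rank < expected:
            return "repeated layer", f"{layer} seen twice"
        match = next((c for c in node.children
                      if c.layer == layer and c.keyword in msg), None)
        if match is None:
            return "unknown behavior", f"{layer}: {msg!r} not a legal child of {node.keyword!r}"
        node, expected = match, expected + 1
    if node.children:
        return "incomplete", f"chain stopped at {node.layer} {node.keyword!r}"
    return "legal", ""


def detect_insider_threats(root, lines):
    """Return {request_id: (verdict, detail)} for every traced request."""
    return {req: check_request(root, ev) for req, ev in parse_trace(lines).items()}


# Constructed trace (not real logs). r1: tenant snapshot through the API, executed
# on compute node cmp2. r2: operator on cmp2 runs qemu-img on the image directly
# (the tracer is assumed to give such orphan events their own id). r3: chain
# entered at the manager layer. r4: legal reboot until the process layer, where
# dd is run on the image instead of the expected hypervisor process.
TRACE = [
    "ctl1 api r1 POST /servers/7f3c/action createImage",
    "ctl1 rpc r1 cast snapshot_instance to compute.cmp2",
    "cmp2 manager r1 ComputeManager.snapshot_instance instance=7f3c",
    "cmp2 virt r1 LibvirtDriver.snapshot instance=7f3c",
    "cmp2 process r1 exec qemu-img convert -O qcow2 /var/lib/nova/instances/7f3c/disk /tmp/snap.qcow2",
    "cmp2 process r2 exec qemu-img convert -O raw /var/lib/nova/instances/7f3c/disk /root/out.img",
    "cmp2 manager r3 ComputeManager.snapshot_instance instance=7f3c",
    "cmp2 virt r3 LibvirtDriver.snapshot instance=7f3c",
    "cmp2 process r3 exec qemu-img convert -O qcow2 /var/lib/nova/instances/7f3c/disk /tmp/x.qcow2",
    "ctl1 api r4 POST /servers/7f3c/action reboot",
    "ctl1 rpc r4 cast reboot_instance to compute.cmp2",
    "cmp2 manager r4 ComputeManager.reboot_instance instance=7f3c",
    "cmp2 virt r4 LibvirtDriver.reboot instance=7f3c",
    "cmp2 process r4 exec dd if=/var/lib/nova/instances/7f3c/disk of=/root/dump.img",
]

if __name__ == "__main__":
    tree = build_behavior_tree(LEGAL_CHAINS)
    for req, (verdict, detail) in sorted(detect_insider_threats(tree, TRACE).items()):
        print(f"{req}: {verdict} {detail}")
```

The point of sorting by layer rather than by timestamp is that the API and RPC events come from the controller node while the manager, libvirt and process events come from the compute node, so a multi-node trace cannot rely on clock order. The "missing upper layer" verdict is what distinguishes an administrator operating on the image file directly from the same qemu-img invocation performed on behalf of a tenant request.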
Keywords/Search Tags: IaaS cloud service, virtual machine image, hook function, access control, behavior tracing