
Research On Analysis And Control Technologies For Malicious Behaviors Toward Controllable Cloud Computing

Posted on: 2017-12-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B H Li
GTID: 1318330518996010
Subject: Computer Science and Technology
Abstract/Summary:
Cloud computing brings many benefits to daily life; however, its features, such as rich resources and ubiquitous access, also attract the attention of attackers. Attackers can obtain cloud resources more easily and effectively evade responsibility, which poses serious challenges to the controllability of cloud computing. The uncontrollability of cloud computing has a great impact on cyberspace. On the one hand, it harms the reputation of cloud service providers; on the other hand, it can greatly damage the interests of puppet cloud tenants as well as the victims of attacks. Compared with other security research on cloud computing, work focusing on these problems is still relatively scarce. We divide this work into two parts. The first is abuse detection, such as botCloud. However, besides covering relatively few types of detection, this work has not yet addressed how to deal with these attacks from the perspective of cloud service providers. The second attempts to migrate methods from general network environments to cloud computing. Although this has had some effect, the benefits are relatively limited. We believe this is mainly due to the differences between the cloud computing environment and the general network environment. First, cloud service providers can effectively obtain the data residing on hardware they maintain themselves, whereas such data is hard to obtain in a general network environment. Second, the scale of cloud computing is large, so the sources of malicious behaviors are wide-ranging, whereas the data to be processed in a general environment is relatively small.
Third, cloud service providers seek to maximize profit from their cloud resources, while minimizing security risk is the primary goal of security researchers in a general network environment. These differences clearly hinder the migration of measures from general network environments to cloud computing. However, they also provide a research foundation for designing new methods toward controllable cloud computing. Based on this understanding, this thesis carries out a systematic study from the cloud service provider's point of view, comprising data acquisition, analysis, and control methods for malicious software, to ensure the controllability of cloud computing. Specifically, the main work and innovations of this thesis are as follows:

(1) We study data acquisition methods adapted to the cloud computing environment. Cloud computing introduces virtualization and other technologies to support its flexibility and other characteristics. As a result, computing, storage, and other resources are software defined. This thesis therefore studies a new type of data acquisition method in the virtualization layer, called virtual machine introspection. We summarize the methods for crossing the semantic gap during the introspection process and discuss in detail the problems encountered with each method, laying the theoretical and practical foundation for designing malware analysis and response methods.

(2) To improve the identification accuracy of malicious behaviors and reduce the impact on cloud tenants' experience, a massive training data set needs to be analyzed. At the same time, the large scale of cloud computing results in massive system call sequences that must be analyzed in a timely manner. This thesis therefore presents a distributed behavior analysis method that meets the needs of malicious behavior analysis in controllable cloud computing.
We first partition the whole data set into sub data sets with a good "roundness" guarantee, based on a random projection tree. Then we place the sub data sets in a structured P2P network, on the premise of data proximity. Last but not least, we design an efficient routing algorithm to avoid the resource consumption and time delay caused by flooding the whole network. Experimental results show that, in addition to high routing efficiency, the recall ratio for K nearest neighbors, in three network hops, was about 75%.

(3) To address the large resource consumption of response technologies in common network environments, we propose a fine-grained tracing and control technology for malware at the application layer. We have also designed and implemented the pTrace system for controlling the sources of DDoS attacks in cloud computing; it can directly control malware, reducing resource consumption. pTrace first identifies attack streams and their corresponding source addresses, then traces malicious processes based on the obtained source addresses. We have implemented a prototype system in an OpenStack and Xen environment. Experimental results and analysis show that pTrace can prevent large-scale DDoS attacks launched in a cloud center with lower time consumption, can correctly identify an attack flow when its flow rate is about 2.5 times the normal traffic, and traces malicious processes at the millisecond (ms) level.

(4) To constrain malware's ability to abuse cloud resources, we propose and design an active control scheme based on the isolation of network resources. Combined with "General SDN" technologies, this network resource isolation scheme is flexible enough to meet the requirements of cloud computing. On this basis, we also design a security strategy based on security domains, reducing uncontrollable factors in cloud computing and limiting the abuse range of attackers.
Keywords/Search Tags: controllable cloud computing, virtual machine introspection, similarity calculation, fine-grained control, network resource isolation