
On Intrusion Detection Technology Based On User Abnormal Level For Virtual Machine

Posted on: 2014-08-03
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Wan
Full Text: PDF
GTID: 2298330431989400
Subject: Software engineering
Abstract/Summary:
Cloud computing provides services to users on demand. As a new business model, its open mode lets users access the Internet easily, but at the same time it carries serious threats, most of which originate from user terminals. Since the virtual machine is the foundation of cloud computing, guaranteeing its security is the foundation of cloud computing. A Network Intrusion Detection System (NIDS) is an important security assurance for the operation of virtual machines.

The Virtual Machine Manager (VMM) manages and schedules multiple guest operating systems on a single physical resource. The appearance of the Virtual Machine (VM) changes the system architecture and makes traditional NIDS technology less effective than it was before. A network intrusion detection system for virtual machines must take into account the isolation of virtual machines and the diversity of their services, and provide different levels of security and protection.

Because the end user's credibility has a significant impact on the credibility of the virtual machine, and building on the credibility mechanism of dynamic behavior and social trust, a User Behavior Assessment Model Based on Sliding Window (UBAMSW) is designed, which lays the foundation for the dynamic allocation of virtual machine protection grades. In this assessment model, the uncertainty and vagueness of user trust evaluation are handled by examining the direct evidence of the end user's behavior and quantifying that behavioral evidence. Secondly, the trustworthiness of user behavior is evaluated by setting the window size, the sliding conditions, and the rule for updating and replacing records in the window. Thirdly, a dual sliding window mechanism prevents user deception through the control of the small window and assures the scalability of the evaluation through the control of the large window.
Lastly, the effectiveness and resistance of the proposed assessment model are analyzed theoretically and evaluated experimentally. The experimental results show that the proposed assessment model can be applied effectively to virtual machines.

To provide different levels of defense strategy for a virtual machine according to its user abnormal level, a dynamic rules chain technique is adopted in the intrusion detection system. The dynamic rules chain combines centralized configuration with domain configuration. Centralized configuration applies a general security policy to ensure that the security of the whole system does not fall too low. Domain configuration meets the demand for service diversity by providing defense strategies of different security levels for each virtual machine, based on user requirements or the user abnormal level. At the same time, to address the performance problems of the intrusion detection engine, data caching and a Dynamic Weighted Rotation Scheduling Strategy (DWRSS) are used to achieve load balancing.

Finally, the prototype is implemented on the Snort network intrusion detection system, and the results are verified in terms of capture rate, event handling efficiency, detection rate and false negative rate of the intrusion detection system. Test results show that the system has basically reached its design goal: it adapts to the dynamic deployment and withdrawal of each virtual machine, and supports different intrusion detection configurations for different virtual machines.
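The abstract describes UBAMSW's dual sliding window (a small window that catches recent deception, a large window that gives a stable long-term rating) and the rule chain that layers domain rule sets on top of the centralized baseline. The following added example, written for this page and not taken from the thesis, sketches both ideas; the evidence scale, the averaging, the min() combination, the window sizes, the level thresholds and the rule-set names are all assumptions.

```python
# Added illustration of UBAMSW's dual sliding window. The [0, 1] evidence scale,
# averaging, min() combination, window sizes and thresholds are assumptions here.
from collections import deque

class DualWindowAssessor:
    def __init__(self, small=5, large=20, thresholds=(0.9, 0.75, 0.5)):
        self.small = deque(maxlen=small)  # recent evidence: reacts quickly
        self.large = deque(maxlen=large)  # long history: stable reputation
        self.thresholds = thresholds      # trust cut-offs for levels 0, 1, 2

    def record(self, evidence):
        """Add one evidence value in [0, 1] (1.0 = fully normal); a full
        deque drops its oldest entry, which is the slide/replace rule."""
        if not 0.0 <= evidence <= 1.0:
            raise ValueError("evidence must lie in [0, 1]")
        self.small.append(evidence)
        self.large.append(evidence)

    @staticmethod
    def _mean(window):
        return sum(window) / len(window) if window else 1.0

    def long_term_trust(self):
        return self._mean(self.large)

    def trust(self):
        # min() stops a long good record from masking a recent burst of bad
        # behaviour, the deception case the small window exists to catch.
        return min(self._mean(self.small), self._mean(self.large))

    def abnormal_level(self):
        t = self.trust()  # 0 = normal ... len(thresholds) = most abnormal
        for level, cut in enumerate(self.thresholds):
            if t >= cut:
                return level
        return len(self.thresholds)

def rule_chain_for(level):
    """Centralized rules always apply; one domain rule set is added per level."""
    return ["centralized-baseline"] + [f"domain-level-{i}" for i in range(1, level + 1)]

def assess(stream, **kw):
    a = DualWindowAssessor(**kw)
    levels = []
    for e in stream:
        a.record(e)
        levels.append(a.abnormal_level())
    return a, levels

SAMPLE_STREAM = [1.0] * 20 + [0.25] * 5  # constructed: 20 normal, then 5 abnormal events
```

On the constructed stream the large window alone still rates the user at 0.8125 after the burst, while the combined trust drops to 0.25 and the abnormal level rises to 3, which is the deception case the small window is meant to expose.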
Keywords/Search Tags: Virtual Machine, Intrusion Detection, Cloud Security, User Abnormal Level