Research On Anomaly Detection Technology Based On Cloud Environment

Posted on: 2020-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: C L Cai
GTID: 2428330599451289
Subject: Computer Science and Technology

Abstract/Summary:
With the widespread use of cloud computing technology, cloud computing has become a powerful tool for improving productivity. At the same time, cloud security issues are becoming more and more prominent. Attacks against cloud computing environments are becoming more frequent and more intense, and cloud computing environments face new security threats. Traditional anomaly detection technologies consider only detection or information extraction inside the operating system, and rule-based network intrusion detection also has difficulty finding new security threats. Intrusion detection technologies therefore face new challenges in the cloud environment.

At present, Virtual Machine Introspection (VMI) has become a key technology for solving cloud security problems. It obtains detailed running-state information about a virtual machine from outside the virtual machine through semantic reconstruction. It can effectively identify hidden threats inside virtual machines in the cloud environment, and it uses the relationship between processes and the network to combine host detection with network detection effectively, improving the accuracy of anomaly detection in the cloud environment and reducing the false positive rate and false negative rate.

This paper proposes a hybrid collaborative detection architecture based on VMI. The main research work and achievements are as follows:

(1) The implementation of virtual machine introspection technology is analyzed in detail. The corresponding introspection tools are deployed in the hypervisor layer of the privileged domain of the cloud environment's virtualization platform to dynamically obtain virtual machine security status information such as memory dump files, network packet traffic, process behavior, modules, files and the registry.

(2) A security threat model for the cloud environment is analyzed. The security threats faced by the cloud environment are analyzed in terms of attack flow direction and attack level. The attack forms in the cloud environment are divided into external attacks, attacks on virtualized targets, and attacks originating from virtual machines, and the typical attack forms in the cloud environment are analyzed at five levels: virtual machine, virtual machine monitor, storage, network and hardware.

(3) Based on the above research results, a VMI-based hybrid collaborative detection architecture is proposed. Network anomaly detection is performed at the virtual machine's network port, and VMI is used to extract the virtual machine's state information. Host detection of the virtual machine is performed with machine learning, and the rules of the network detection are dynamically updated in real time using the relationship obtained between processes and the network in the host, so that network detection and host detection work collaboratively.

(4) The VMI-based hybrid collaborative detection architecture is implemented and verified by experiments. The results show that the detection model can detect most current attacks, and has good security, scalability and the ability to detect unknown attacks.
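
The collaboration step in (3), where host-side verdicts drive updates to the network detection rules through the process-to-network relationship, can be sketched as follows. This is an added example, not code from the thesis: the data layout, function names, score threshold and the handling of sockets without a process entry are all assumptions, and the sample data is constructed.

```python
from typing import NamedTuple

class Conn(NamedTuple):
    pid: int      # owning process, as reconstructed from outside the guest
    proto: str
    raddr: str    # remote address
    rport: int    # remote port

# Constructed sample data standing in for one VMI snapshot of a guest.
PROCESSES = {412: "svchost.exe", 1880: "updater.exe", 2044: "chrome.exe"}
CONNECTIONS = [
    Conn(412, "tcp", "10.0.0.1", 445),
    Conn(1880, "tcp", "203.0.113.7", 8443),
    Conn(1880, "udp", "203.0.113.7", 53),
    Conn(2044, "tcp", "198.51.100.20", 443),
    Conn(3301, "tcp", "203.0.113.9", 9001),  # PID absent from PROCESSES
]
# Constructed host-detector anomaly scores (0..1), one per process.
HOST_SCORES = {412: 0.08, 1880: 0.93, 2044: 0.12}

def wanted_rules(processes, connections, scores, threshold=0.8):
    """Map flows owned by anomalous processes to network-detector rules."""
    rules = {}
    for c in connections:
        if c.pid not in processes:
            # Assumption: a socket with no owning entry in the process
            # list is treated as anomalous in its own right.
            name, score = "<no process entry>", 1.0
        else:
            name, score = processes[c.pid], scores.get(c.pid, 0.0)
        if score >= threshold:
            rules[(c.proto, c.raddr, c.rport)] = (c.pid, name, score)
    return rules

def sync(installed, wanted):
    """Return (to_add, to_remove) so the rule set tracks current host state."""
    to_add = {k: v for k, v in wanted.items() if k not in installed}
    to_remove = sorted(k for k in installed if k not in wanted)
    return to_add, to_remove

if __name__ == "__main__":
    installed = {("tcp", "192.0.2.50", 22): (999, "old.exe", 0.9)}  # stale rule
    add, remove = sync(installed, wanted_rules(PROCESSES, CONNECTIONS, HOST_SCORES))
    for key, (pid, name, score) in sorted(add.items()):
        print("ADD", key, f"pid={pid} proc={name} score={score:.2f}")
    for key in remove:
        print("DEL", key)
```

Running the rule computation on every snapshot and applying only the difference keeps the network rule set aligned with the current host state, including removal of rules whose process has exited.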
Keywords/Search Tags: Cloud security, Virtual Machine Introspection, Anomaly detection, Collaborative detection