Design And Implementation Of Intrusion Detection System In Cloud Environment

Posted on: 2022-11-11
Degree: Master
Type: Thesis
Country: China
Candidate: C S Liu
GTID: 2558306608474574
Subject: Cyberspace security

Abstract/Summary:
The rapid development of cloud computing technology has brought a lot of convenience to people's lives, but it has also brought huge network security risks. More and more people without network security awareness or network security skills have become website administrators. Hackers may attack their servers at any time, and administrators without security skills often do not know how to defend against the attack. An IDS (intrusion detection system) can detect intrusions and alert users or block the attacks. Having the cloud service provider protect tenants with an IDS is undoubtedly the best way to alleviate this security risk. However, in the cloud environment the network is complex and the number of virtual machines is huge, so traditional intrusion detection systems cannot be applied well there. In addition, traditional intrusion detection methods have low recall rates and high false positive rates.

To solve these problems, this paper analyzes the existing system architectures and algorithms for intrusion detection systems in the cloud environment. Based on a summary of the existing architectures and methods, a network-based intrusion detection system suitable for cloud environments is proposed. The proposed system mainly includes the following three modules: a traffic mirroring module, an intrusion detection module and a Webshell upload detection module.

The traffic mirroring module is mainly used to collect detection data. There are a large number of virtual networks in the cloud environment, and the system may have multiple Internet outlets, so the network environment is more complicated than a traditional physical network. In order to mirror all network traffic for all virtual hosts, the OpenStack system is used as an example to analyze in depth the virtual network architecture and implementation methods of a cloud computing system, and the existing traffic mirroring methods are analyzed. Based on an understanding of software-defined networks in the cloud environment and a summary of the advantages and disadvantages of existing solutions, a traffic mirroring system based on flow tables is proposed. Compared with the existing solutions, this system has a simple architecture and achieves physical separation of production traffic and mirrored traffic, which avoids the problem of doubling the production network traffic while mirroring. The proposed solution also forwards the traffic in the virtual network to the physical network, so a physical machine can be used to detect the traffic in the cloud environment.

The intrusion detection module is mainly responsible for attack detection based on the network packets collected by the traffic mirroring module. The convolution operation in a convolutional neural network is essentially a feature extraction operation, which can effectively avoid the feature reduction process required by traditional machine learning methods. Therefore, this paper adopts the convolutional neural network as the core classification algorithm of the intrusion detection module. To counter the negative impact of unbalanced training data on the convolutional neural network, the fruit fly algorithm is used to balance the data during training. With the data equalization provided by the fruit fly algorithm, the average recall rate of the proposed intrusion detection system improves considerably.

The Webshell detection module is mainly used to prevent hackers from uploading a Webshell when the intrusion detection module has been bypassed. At present, Web applications are the most popular application scenario in the cloud environment, and they have also become the primary target of hacker attacks. Any intrusion detection system can potentially be bypassed. When a target has been attacked, hackers often upload a Webshell to maintain persistent control of the host. Therefore, a Webshell upload detection module based on XLNet is proposed to prevent this persistent control. Compared with Webshell detection based on traditional machine learning methods, the Webshell detection module proposed in this paper performs better.

Keywords/Search Tags:Cloud Environment, IDS, CNN, XLNet, Webshell Detection