Research on Key Technologies for Malicious Behavior Analysis and Control in Controllable Cloud Computing
[Abstract]: While cloud computing benefits people's lives, its rich resources, ubiquitous access and other features are easily abused by attackers to expand their attack capability and scope. This uncontrollability of cloud computing hurts the reputation of cloud service providers on the one hand, and greatly damages the interests of puppet cloud tenants and attack victims on the other. It is therefore important to study effective methods for guaranteeing the controllability of cloud computing. At present, compared with research on protecting data in the cloud and other security topics, there is still little work addressing this challenge, and it falls mainly into two parts. One part detects botCloud and other forms of abuse; however, besides the relatively few types detected, research on how to control the abuse has not been carried out. The other part attempts to migrate malicious behavior detection and control methods from the ordinary network environment to the cloud computing environment, for example by using firewalls or intrusion detection devices to monitor tenants' network traffic in real time; some results have been achieved, but they are relatively limited. For example, cloud service providers can effectively obtain the various data carried by the hardware resources within their control area, whereas host behavior data is difficult to obtain in the ordinary network environment; cloud computing centers are generally large-scale and require high accuracy of malicious behavior identification, while the data to be processed in the ordinary network environment is relatively small; and cloud service providers seek to maximize profit on the basis of limited resources, while security workers in ordinary network environments seek to minimize security risk first.

These differences on the one hand hinder the migration of measures from the ordinary environment to the cloud, and on the other hand call for new designs that meet the controllability needs of cloud computing centers. Based on this understanding, and targeting the uncontrollable behavior of tenants on cloud computing platforms, this paper systematically studies three dimensions of malicious behavior, namely data acquisition, analysis and control, and constructs a secure and controllable cloud computing platform that provides technical support for cloud service providers and third-party supervision. The main work and innovations of this paper are as follows:

(1) An in-depth study of malicious behavior data acquisition methods for cloud computing centers. Cloud computing uses compute virtualization, network virtualization and storage virtualization to achieve elastic scalability; for this reason, this paper studies in depth a data acquisition method oriented to system virtualization: virtual machine introspection. From the point of view of technical implementation, it systematically analyzes the four modes by which virtual machine introspection crosses the semantic gap and the problems each mode faces, laying a theoretical and practical foundation for the subsequent design of the malicious behavior analysis and control schemes for controllable cloud computing.

(2) Improving the accuracy of malicious behavior identification and reducing the impact on cloud tenants' experience objectively requires a larger set of training samples; at the same time, a large-scale cloud computing center produces a large number of system call sequences that need real-time analysis. This paper therefore proposes a distributed online process behavior analysis method to meet the needs of malicious behavior analysis in controllable cloud computing. First, based on the random projection tree, the method divides the sample behavior feature dataset into sub-datasets with good roundness. Then, on the premise of preserving local proximity, each sub-dataset is placed on a structured P2P node, and each node is responsible for it. The experimental results show that, besides high routing efficiency, the recall rate of K-nearest-neighbor results within three hops can reach more than 75%.

(3) Malicious behavior control techniques from the ordinary network environment consume a large amount of resources. This paper proposes a fine-grained control technique for application-level malicious software and, in the context of controlling DDoS attack sources in the cloud, designs and implements the pTrace system, which can control malicious software directly. The pTrace system reduces the resources consumed by the response and is easy for cloud service providers to adopt. It uses virtual machine introspection and packet capture to acquire malicious behavior data, identifies the attack flow and its source address information, and then accurately traces the malicious software from that source address information, thereby achieving direct control of the malicious process. The experimental results show that the system can trace malicious processes accurately within milliseconds.

(4) To limit the ability of malicious software to abuse cloud resources, this paper proposes and designs a malicious behavior restriction scheme based on network resource isolation. A flexible network resource isolation scheme for cloud computing centers is designed on top of OpenStack, and on this basis an access control policy between multi-tenant virtual networks is designed.
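The partition-and-route idea in contribution (2), as an added sketch that is not code from the thesis: a random projection tree splits a feature set into leaves, each leaf stands in for one P2P node, and a K-nearest-neighbor query is answered from the nodes reached within a hop budget. The random 8-dimensional vectors, the median split, the centroid-based choice of the next node to visit, and all function names are assumptions made for illustration.

```python
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))
def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def build(points, rng, leaf_size):
    """Random projection tree: split at the median along a random direction."""
    if len(points) <= leaf_size:
        return {"leaf": points}          # one leaf = one sub-dataset / node
    d = [rng.gauss(0, 1) for _ in points[0]]
    proj = sorted(points, key=lambda p: dot(p, d))
    mid = len(proj) // 2
    lo, hi = build(proj[:mid], rng, leaf_size), build(proj[mid:], rng, leaf_size)
    return {"dir": d, "thr": dot(proj[mid], d), "lo": lo, "hi": hi}

def leaves(tree):
    return [tree["leaf"]] if "leaf" in tree else leaves(tree["lo"]) + leaves(tree["hi"])

def home_leaf(tree, q):
    """Hop 1: route the query down the tree to the node owning its region."""
    while "leaf" not in tree:
        tree = tree["hi"] if dot(q, tree["dir"]) >= tree["thr"] else tree["lo"]
    return tree["leaf"]

def knn_within_hops(tree, q, k, hops):
    """Search the home node, then the (hops - 1) nodes with the nearest centroids."""
    home = home_leaf(tree, q)
    others = [l for l in leaves(tree) if l is not home]
    others.sort(key=lambda l: dist2([sum(c) / len(l) for c in zip(*l)], q))
    cand = [p for leaf in [home] + others[:hops - 1] for p in leaf]
    return sorted(cand, key=lambda p: dist2(p, q))[:k]

def recall(tree, data, queries, k, hops):
    """Share of the true k nearest neighbours returned by the routed search."""
    hit = 0
    for q in queries:
        truth = set(sorted(data, key=lambda p: dist2(p, q))[:k])
        hit += len(truth & set(knn_within_hops(tree, q, k, hops)))
    return hit / (k * len(queries))

def demo(seed=7):
    rng = random.Random(seed)
    # Constructed vectors standing in for process behavior features.
    data = [tuple(rng.random() for _ in range(8)) for _ in range(400)]
    queries = [tuple(rng.random() for _ in range(8)) for _ in range(20)]
    tree = build(data, rng, leaf_size=50)
    return [recall(tree, data, queries, 5, h) for h in (1, 3, len(leaves(tree)))]
```

`demo()` returns the recall for 1 hop, 3 hops and all nodes; the values on this random data say nothing about the thesis's reported figures.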
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctoral
[Year degree awarded]: 2016
[Classification number]: TP393.08
Article ID: 2214615
Article link: http://sikaile.net/guanlilunwen/ydhl/2214615.html