ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2019, Vol. 56 ›› Issue (12): 2684-2693.doi: 10.7544/issn1000-1239.2019.20180843

• 信息安全 • 上一篇    下一篇

云环境基于系统调用向量空间的进程异常检测

陈兴蜀1,2,陈佳昕2,金鑫2,葛龙2   

  1. 1(四川大学网络空间安全学院 成都 610065);2(四川大学计算机学院 成都 610065) (chenxsh@scu.edu.cn)
  • 出版日期: 2019-12-01
  • 基金资助: 
    国家自然科学基金青年科学基金项目(61802270,61802271);四川省重点研发项目(2018GZ0100);中央高校基本科研业务费专项资金(2017SCU11059)

Process Abnormal Detection Based on System Call Vector Space in Cloud Computing Environments

Chen Xingshu1,2, Chen Jiaxin2, Jin Xin2, Ge Long2   

  1. 1(School of Cybersecurity, Sichuan University, Chengdu 610065);2(School of Computing, Sichuan University, Chengdu 610065)
  • Online: 2019-12-01

摘要: 传统主机领域下基于系统调用的入侵检测方案,往往针对单一特权进程的运行行为进行监控,而在云计算环境下引入了更多的安全风险,采用主机入侵检测方案难以有效检测虚拟机进程异常行为,对此,提出了一种基于系统调用向量空间的虚拟机进程行为检测模型.模型采用了无代理监控技术透明的采集虚拟机进程系统调用数据,引入了TF-IDF(term frequency-inverse document frequency)算法思想为进程系统调用数据进行加权,用于区分租户虚拟机中运行的不同服务,识别异常进程行为.此外,为优化检测算法效率,设计了行格式存储法 (compressed sparse row, CSR)稀疏矩阵与KD树(k-dimension tree)相结合的存储策略.最后在KVM (kernel-based virtual machine)虚拟化平台下设计并实现了VMPBD (virtual machine process behavior detecting)原型系统,针对Linux与Windows虚拟机进行了功能测试和性能测试.实验结果表明:VMPBD能有效检出虚拟机进程异常行为,检测误报率与系统性能开销在可接受范围以内.

关键词: 虚拟化, 异常检测, 系统调用分析, 向量空间, 基于内核的虚拟机

Abstract: The intrusion detection scheme based on system call in the traditional host domain often monitors the running behavior of a single privileged process. It is difficult to effectively detect the abnormal process behavior of the virtual machine using the host intrusion detection scheme because of more security risks in the cloud computing environment. To break this limitation, a virtual machine process behavior detection model based on system call vector space is proposed. The model collects system call data of different operating system without using agent in the virtual machine. The TF-IDF (term frequency-inverse document frequency) algorithm idea is introduced to weight the process system call data to distinguish different running services in the virtual machine and identify abnormal process behavior. Furthermore, in order to optimize the efficiency of the detection algorithm, a storage strategy combining compressed sparse row (CSR) matrix and K-dimension tree is designed. Eventually a prototype system called VMPBD (virtual machine process behavior detecting) has been implemented on the platform of KVM (kernel-based virtual machine). The functions and performance of VMPBD is tested on Linux and Windows virtual machines. The results show that VMPBD can effectively detect the abnormal behavior of the virtual machine processes, and the detection false alarm rate and system performance overhead are within the acceptable range.

Key words: virtualization, anomaly detection, system call analysis, vector space, kernel-based virtual machine

中图分类号: