高级检索

    云环境基于系统调用向量空间的进程异常检测

    Process Abnormal Detection Based on System Call Vector Space in Cloud Computing Environments

    • 摘要: 传统主机领域下基于系统调用的入侵检测方案,往往针对单一特权进程的运行行为进行监控,而在云计算环境下引入了更多的安全风险,采用主机入侵检测方案难以有效检测虚拟机进程异常行为,对此,提出了一种基于系统调用向量空间的虚拟机进程行为检测模型.模型采用了无代理监控技术透明的采集虚拟机进程系统调用数据,引入了TF-IDF(term frequency-inverse document frequency)算法思想为进程系统调用数据进行加权,用于区分租户虚拟机中运行的不同服务,识别异常进程行为.此外,为优化检测算法效率,设计了行格式存储法 (compressed sparse row, CSR)稀疏矩阵与KD树(k-dimension tree)相结合的存储策略.最后在KVM (kernel-based virtual machine)虚拟化平台下设计并实现了VMPBD (virtual machine process behavior detecting)原型系统,针对Linux与Windows虚拟机进行了功能测试和性能测试.实验结果表明:VMPBD能有效检出虚拟机进程异常行为,检测误报率与系统性能开销在可接受范围以内.

       

      Abstract: The intrusion detection scheme based on system call in the traditional host domain often monitors the running behavior of a single privileged process. It is difficult to effectively detect the abnormal process behavior of the virtual machine using the host intrusion detection scheme because of more security risks in the cloud computing environment. To break this limitation, a virtual machine process behavior detection model based on system call vector space is proposed. The model collects system call data of different operating system without using agent in the virtual machine. The TF-IDF (term frequency-inverse document frequency) algorithm idea is introduced to weight the process system call data to distinguish different running services in the virtual machine and identify abnormal process behavior. Furthermore, in order to optimize the efficiency of the detection algorithm, a storage strategy combining compressed sparse row (CSR) matrix and K-dimension tree is designed. Eventually a prototype system called VMPBD (virtual machine process behavior detecting) has been implemented on the platform of KVM (kernel-based virtual machine). The functions and performance of VMPBD is tested on Linux and Windows virtual machines. The results show that VMPBD can effectively detect the abnormal behavior of the virtual machine processes, and the detection false alarm rate and system performance overhead are within the acceptable range.

       

    /

    返回文章
    返回