云计算平台异常行为检测系统的设计与实现

龙源期刊网 https://www.wendangku.net/doc/287274428.html,

云计算平台异常行为检测系统的设计与实现作者：于红岩岑凯伦杨腾霄

来源：《计算机应用》2015年第05期

摘要：针对传统网络安全设备对云计算平台中虚拟机内部发生的蠕虫病毒、地址解析协议（ARP）广播攻击等异常行为失效的问题，设计了基于VMware的云计算平台下异常行为检测技术架构，提出了云计算下有特征码的蠕虫病毒异常行为检测，和基于突变理论的无特征码的异常行为检测，并针对两种异常行为提出了“侦测—隔离—治愈—恢复”智能处理云安全机制。系统融合云计算下异常行为检测，云计算下事件与防卫管理，和云计算下ARP广播检测三种功能于一体。实验结果表明，系统能实时提供云计算环境下异常行为的采集及分析，每隔5秒自动刷新实时流量资料，且吞吐量可达到640Gb的处理能力，能够将被保护链路中异常流量

所占用带宽降至总拥有带宽的5%以下，解决了云计算下的异常行为检测和防护问题。

关键词：云计算；异常行为检测；事件管理；地址解析协议异常侦测；云安全

中图分类号： TP393.08 文献标志码：A

Abstract：Worm， Address Resolution Protocol （ARP） broadcast and other abnormal behaviorS which attack the cloud computing platform from the virtual machines cannot be detected by traditional network security components. In order to solve the problem， abnormal behavior detection technology architecture for cloud computing platform was designed， abnormal behavior detection for worms which brought signature and nonsignature behaviors based on mutation theory and "DetectionIsolationCureRestore" intelligent processing for cloud security was proposed. Abnormal detection， management of event and defense， and ARP broadcast detection for cloud computing platform were merged in the system. The experimental results show that the abnormal behavior inside the cloud computing platform can be detected and defensed with the system， the collection and analysis of the abnormal behavior inside cloud computing platform can be provided by this system in realtime， the traffic information can be refreshed automatically every 5 seconds， the system throughput can reach to 640Gb and the bandwith occupied by abnormal flow can be reduced to less than 5% of the total bandwith in protected link.

Key words： cloud computing； abnormal behavior detection； event management； Address Resolution Protocol （ARP） anomaly detection； cloud security

0 引言

云计算因其虚拟化的特性，能够将计算机资源，逻辑抽象成资源池，实现资源共享、弹性分配、按需服务等功能[1-2]。企业用户通过将自身服务架设在云计算平台，显著降低维护成本；个人用户通过将自身数据和计算放在云端，降低了自身存在的存储和计算机性能有限带来