CN105791286A - Abnormity detection and processing method of cloud virtual environment - Google Patents


Info

Publication number
CN105791286A
Authority
CN
China
Prior art keywords
virtual machine
cloud
abnormality detection
abnormal
state
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610115120.5A
Other languages
Chinese (zh)
Other versions
CN105791286B (en)
Inventor
张秀娟
韩德志
毕坤
刘罕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Maritime University
Cosco Shipping Technology Co Ltd
Original Assignee
Shanghai Maritime University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an application-layer anomaly detection and handling method for a cloud virtual environment. A cloud controller monitors the state of the virtual machines in real time. When a virtual machine is judged abnormal, a comprehensive anomaly detection system performs a comprehensive detection of that virtual machine. If the comprehensive anomaly detection system finds that the comprehensive detection result for the abnormal virtual machine is below a preset threshold Q, the cloud controller computes the average log-likelihood of the anomaly detection for that virtual machine. If the average log-likelihood exceeds Pmax, the abnormal virtual machine is a high-risk virtual machine and is isolated; if it is below Pmax, the abnormal virtual machine is a low-risk virtual machine and its abnormal behaviour is eliminated. The method ensures the reliability of anomaly detection for cloud virtual machines: by using multiple detection mechanisms, abnormal virtual machines are detected more reliably, normal virtual machines are not falsely flagged, and the service of the tenants on normal virtual machines is not disrupted by false detection.

Description

Anomaly detection and processing method for a cloud virtual environment
Technical field
The present invention relates to application-layer anomaly detection in a cloud virtual environment, and specifically to an anomaly detection and processing method for a cloud virtual environment.
Background art
Currently, cloud computing services are reshaping, at scale, a landscape in which information resources were scattered across large numbers of terminal devices, making them intensive and specialised. Organising the distribution and use of computing resources through virtualization technology helps allocate resources sensibly, raises utilisation and achieves green computing. But virtualization technology itself has many security problems, so the security analysis and protection of virtualized environments becomes more important. Analysing cloud security technology from several angles shows that one or a few security mechanisms are not sufficient to protect a cloud environment; only multiple, mutually reinforcing security mechanisms or controls can accurately detect anomalies in cloud virtual machines. The advantages are, on the one hand, that the scope of cloud anomaly detection is made explicit and, on the other, that the accuracy and reliability of detecting security anomalies in cloud virtual machines improve.
In a multi-tenant environment, one physical server runs several virtual machines, which provide services to several cloud tenants at the same time. The behaviour of normal cloud tenants using a virtual machine shows certain similarities, whereas the behaviour of an attacking tenant is machine-generated, so the behaviour of an abnormal tenant clearly differs from that of normal tenants. In the cloud, the risk-level state of a virtual machine can be described by the tenant's behaviour sequence: when a tenant uses a virtual machine for service, a series of behaviours occurs on that virtual machine, and this behaviour sequence reflects the state of the virtual machine. A hidden Markov model (HMM) can therefore be used to characterise the risk-level state of a single virtual machine and to identify abnormal cloud virtual machines more efficiently.
Existing cloud anomaly detection and processing systems mainly target the detection and handling of various network-layer and transport-layer attacks and of various viruses; they detect and handle only some application-layer attacks, and lack an anomaly detection and processing method for most new application-layer attacks.
Summary of the invention
The present invention provides an anomaly detection and processing method for a cloud virtual environment that ensures cloud virtual machines can provide reliable service to tenants and improves the accuracy with which cloud virtual machine anomalies are judged. It can not only effectively detect and handle various network-layer and transport-layer attacks on cloud virtual machines, but also effectively detect and handle various application-layer attacks on them.
To achieve the above object, the present invention provides an application-layer anomaly detection and processing method for a cloud virtual environment, characterised in that the cloud system comprises a cloud controller, and an application server cluster and cloud storage equipment connected to the cloud controller. The cloud controller comprises a module that receives user requests and authenticates user identity, an integrated security policy module and a virtual machine state monitoring module. The application server cluster comprises a comprehensive anomaly detection system, an HMM training and online anomaly detection module, an application control module and virtual machine cluster groups.
The method comprises:
The cloud controller monitors virtual machine state in real time; when a virtual machine is judged to be an abnormal virtual machine, the comprehensive anomaly detection system performs comprehensive detection on it.
If the comprehensive anomaly detection system finds that the comprehensive detection result for the abnormal virtual machine is below the preset threshold Q, the cloud controller computes the average log-likelihood of the anomaly detection for that abnormal virtual machine.
If the average log-likelihood exceeds Pmax, the maximum application-layer anomaly limit of HMM anomaly detection and processing, the abnormal virtual machine is a high-risk virtual machine and is isolated; if the average log-likelihood is below Pmax, the abnormal virtual machine is a low-risk virtual machine and the abnormal application-layer behaviour of that low-risk virtual machine is eliminated.
Before the cloud controller begins monitoring virtual machine state in real time, it initialises all virtual machines in the cloud and registers the physical or logical address of each virtual machine with the cloud controller.
When the cloud controller judges a virtual machine to be normal, the state information of normal virtual machines is formed into observation sequences for training the HMM, from which the online HMM anomaly detection algorithm that computes the average log-likelihood of the anomaly detection for abnormal virtual machines is derived.
If the comprehensive anomaly detection system finds that the comprehensive detection result for the abnormal virtual machine is above the preset threshold Q, it eliminates the anomaly of the abnormal virtual machine using its anomaly elimination method.
After a high-risk virtual machine has been isolated, its state information is written to the abnormal-signature library of the comprehensive anomaly detection system.
The HMM is a statistical model describing a Markov process with hidden, unknown parameters. It is written λ = {A, B, π, N, M}, where N is the number of hidden states, M the number of observation symbols, A the state transition probability matrix, B the observation probability distribution under each state and π the initial state probability distribution.
The N states take values in S = (S_1, S_2, ..., S_N);
the M observation symbols take values in V = {V_1, V_2, ..., V_M};
A is written A = (a_ij), where
$$a_{ij} = P(q_{t+1} = S_j \mid q_t = S_i) = \frac{P(q_{t+1} = S_j,\ q_t = S_i)}{P(q_t = S_i)}, \qquad a_{ij} \ge 0,\ \sum_j a_{ij} = 1; \qquad (1)$$
Formula (1) is the probability of being in state S_i at the current time t and moving to state S_j at time t+1.
B is written B = {b_j(k)}, where b_j(k) = P(V_k | q_t = S_j) is the probability of observing V_k while in state S_j at time t;
π is written π = {π_i}, where π_i is the probability of being in state S_i at the initial time.
When the HMM λ is fixed, the probability of the observation sequence {O_1, O_2, ..., O_t} with the current state S_i at time t is the forward variable α_t(i), computed as
$$\alpha_{t+1}(j) = \Big[\sum_{i=1}^{N} \alpha_t(i)\, a_{ij}\Big]\, b_j(O_{t+1}), \qquad 1 \le t \le T-1,\ 1 \le j \le N \qquad (2)$$
with the initial values α_1(i) = π_i b_i(O_1), 1 ≤ i ≤ N;
When the HMM λ and the current state q_t = S_i are fixed, the probability of the observation sequence {O_{t+1}, O_{t+2}, ..., O_T} is the backward variable β_t(i), computed as
$$\beta_t(i) = \sum_{j=1}^{N} a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j), \qquad t = T-1, T-2, \ldots, 2, 1,\ 1 \le i \le N \qquad (3)$$
with the initial values β_T(i) = 1, 1 ≤ i ≤ N;
To train the HMM, the following variables are needed: ξ_t(i, j) is the probability, given the HMM λ and the observation sequence O, that the state at time t is S_i and the state at time t+1 is S_j; γ_t(i) is the probability, given λ and O, that the state at time t is S_i. They are computed as
$$\xi_t(i,j) = P(q_t = S_i, q_{t+1} = S_j \mid O, \lambda) = \frac{P(q_t = S_i, q_{t+1} = S_j, O \mid \lambda)}{P(O \mid \lambda)} = \frac{\alpha_t(i)\, a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)}{\sum_{i=1}^{N}\sum_{j=1}^{N} \alpha_t(i)\, a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)} \qquad (4)$$
$$\gamma_t(i) = P(q_t = S_i \mid O, \lambda) = \frac{\alpha_t(i)\, \beta_t(i)}{\sum_{i=1}^{N} \alpha_t(i)\, \beta_t(i)} \qquad (5)$$
where $\gamma_t(i) = \sum_{j=1}^{N} \xi_t(i,j)$;
The optimised model parameters $\bar{\pi}_i$, $\bar{a}_{ij}$ and $\bar{b}_i(k)$ are then computed as
$$\bar{\pi}_i = \frac{\gamma_1(i)}{\sum_{i=1}^{N} \gamma_1(i)} \qquad (6)$$
$$\bar{a}_{ij} = \frac{\sum_{t=1}^{T-1} \xi_t(i,j)}{\sum_{t=1}^{T-1} \gamma_t(i)}, \qquad 1 \le i \le N,\ 1 \le j \le N \qquad (7)$$
$$\bar{b}_i(k) = \frac{\sum_{t=1,\ O_t = V_k}^{T} \gamma_t(i)}{\sum_{t=1}^{T} \gamma_t(i)} \qquad (8)$$
The conditional probability of the observation sequence given the HMM λ is
$$P(O \mid \lambda) = \sum_{i=1}^{N} \alpha_T(i). \qquad (9)$$
The training process of the HMM is as follows: first set the initial values A = 1/(N−1), B = 1/(N−1), π = 1/N; compute according to formulas (4) and (5), then obtain the value of P(O | λ) from formula (9); iterate several times, comparing the successive values of P(O | λ), and finally obtain the optimal model parameters and the corresponding P(O | λ) threshold Pmax.
Compared with the prior art, the anomaly detection and processing method for a cloud virtual environment of the present invention has the following advantages. The present invention ensures the reliability of cloud virtual machine anomaly detection: using multiple detection mechanisms, abnormal virtual machines are detected more reliably, without falsely flagging normal virtual machines and disrupting the service of their cloud tenants;
The present invention improves the accuracy of cloud virtual machine anomaly detection: the cloud's comprehensive anomaly detection system, composed of multiple heterogeneous detection engines, accurately detects various network-layer and transport-layer attacks and also some application-layer attacks, while the HMM anomaly detection algorithm accurately detects various novel application-layer attacks on virtual machines, so the accuracy of cloud virtual machine anomaly detection improves;
The present invention completes the technology for detecting application-layer attacks on cloud virtual machines. Traditional detection engines are effective only against network-layer and transport-layer attacks on virtual machines and against the various virus attacks inside them, and are helpless against novel application-layer attacks on virtual machines. Using the HMM and its anomaly detection algorithm, the present invention can efficiently identify various new application-layer attacks on virtual machines and quickly handle and eliminate them.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the cloud system of the present invention;
Fig. 2 is a flow chart of the application-layer anomaly detection and processing method for a cloud virtual environment of the present invention.
Detailed description of the invention
Specific embodiments of the invention are further described below with reference to the drawings.
Fig. 1 shows an embodiment of a cloud system. The cloud system comprises a cloud controller 110, and an application server cluster 120 and cloud storage equipment 130 communicatively connected to the cloud controller 110.
The cloud controller 110 comprises: a module that receives user requests and authenticates user identity, an integrated security policy module and a virtual machine state monitoring module.
The cloud controller 110 is a dedicated server or server cluster. It communicates with the other servers in the cloud mainly over a public or private network, accepts I/O access requests from users over various network protocols and authenticates their identity; only after authentication can a user access the virtual machine space the cloud has set up for that user.
The application server cluster 120 comprises: a comprehensive anomaly detection system, an HMM training and online anomaly detection module, an application control module and virtual machine cluster groups. A virtual machine cluster group contains several virtual machine clusters, for instance virtual machine cluster 1, virtual machine cluster 2, ..., virtual machine cluster N, and each virtual machine cluster contains several virtual machines, for instance VM1, VM2, ..., VMn.
The cloud storage equipment 130 comprises the multiple storage devices of the cloud system, used mainly to store the data of cloud tenants.
The HMM modelling method of the present invention is illustrated below with an example.
When modelling a virtual machine with an HMM, the specific parameters of the cloud must be analysed comprehensively and initialised according to the actual situation, specifically:
1) HMM state values: assume a cloud virtual machine has two states, a low-risk state and a high-risk state. In the present invention 0 denotes the low-risk state and 1 the high-risk state, so the HMM state space is S = {0, 1}.
2) Initial state probabilities: π is set to π = {1, 0}, meaning that the probability that the virtual machine is in the low-risk state is 1 and the probability that it is in the high-risk state is 0.
3) State transition matrix: the state transition matrix A is set to
$$A = \begin{pmatrix} a_{00} & a_{01} \\ a_{10} & a_{11} \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 1 & 0 \end{pmatrix},$$
assuming that under normal circumstances all virtual machines in the cloud are in the normal state, so a_00 and a_10 are set to 1 and the remaining entries to 0.
4) Observation sequence: the behaviour of cloud tenants on the virtual machine side is used as the observation sequence, obtained from the user behaviour records produced by the audit trail system.
5) Observation probability distribution: according to the current state of the cloud virtual machine, reasonable initial values are set for the occurrence probabilities of tenant behaviours on the virtual machine side.
Fig. 2 shows an embodiment of the application-layer anomaly detection and processing method for a cloud virtual environment disclosed by the invention; the method includes the following steps:
S1: all virtual machines in the cloud are initialised, and the physical or logical address of each virtual machine is registered with the cloud controller so that the cloud controller can manage all virtual machines in the cloud uniformly.
S2: the cloud controller formulates an integrated security policy according to the security requirements of the cloud, and monitors the state information of all virtual machines registered with it in real time.
Here the integrated security policy refers to the virtual machine state monitoring, anomaly detection and anomaly handling measures that the cloud controller formulates according to the security requirements of the virtual machines in the cloud.
Real-time monitoring means that the virtual machine state monitoring module in the cloud controller assigns each virtual machine of the cloud system a process that collects that virtual machine's state information and sends the collected data to the virtual machine state monitoring module of the cloud controller for processing.
Virtual machine state information includes: the CPU utilisation, GPU utilisation, disk utilisation, I/O load, memory utilisation and network bandwidth utilisation of the virtual machine, and how they change over time.
S3: after the virtual machine state monitoring module of the cloud controller obtains a virtual machine's state information, it judges according to the integrated security policy whether the virtual machine is suspicious, that is, whether its state is abnormal. If so, the virtual machine is suspicious, its state is abnormal and it is determined to be an abnormal virtual machine; its state anomaly flag parameter flag is set to 1 and the method jumps to S4. If not, flag is set to 0 and the method jumps to S5.
Here an abnormal virtual machine state means an abnormal change in the state of the virtual machine, for example one or more of CPU utilisation, memory utilisation and GPU utilisation exceeding or approaching 90%, a drastic change within a short time, or a change in state information markedly different from that of normal virtual machines.
Because, whenever an abnormal virtual machine appears, the comprehensive anomaly detection system of the cloud system immediately handles and eliminates the anomaly (for example by isolating the abnormal application program or port in the abnormal virtual machine, or by isolating the whole virtual machine), the number of state-suspicious abnormal virtual machines in a typical cloud system is less than half the total number of virtual machines.
S4: the comprehensive anomaly detection system of the cloud system's application server cluster examines the virtual machines whose flag parameter is 1, and the method jumps to S6.
Here the comprehensive anomaly detection system means that the application server cluster of the cloud system is equipped with several heterogeneous detection engines produced by different vendors; these heterogeneous detection engines examine an abnormal virtual machine in parallel, and their individual anomaly detection results are combined by a decision tree algorithm into the final anomaly detection result for that virtual machine.
S5: a flag parameter of 0 indicates that the virtual machine is a normal virtual machine. The virtual machine state monitoring module forms the state information of a number of virtual machines with flag 0 (normal virtual machines) into observation sequences for training the HMM. After the judgement of normal virtual machines and the training of the HMM are complete, the method jumps to S2 and continues monitoring the state information of all registered virtual machines in real time.
Here a normal virtual machine is a virtual machine in the cloud system that is neither infected nor under external attack.
The HMM is a statistical model that describes a Markov process with hidden, unknown parameters. It is written λ = {A, B, π, N, M}, where N is the number of hidden states, M the number of observation symbols, A the state transition probability matrix, B the observation probability distribution under each state and π the initial state probability distribution.
Among these parameters, N is the number of hidden states, taking values in S = (S_1, S_2, ..., S_N); M is the number of observation symbols that may appear at each state in the observation sequence, taking values in V = {V_1, V_2, ..., V_M}; A is the state transition probability matrix, written A = (a_ij), where
$$a_{ij} = P(q_{t+1} = S_j \mid q_t = S_i) = \frac{P(q_{t+1} = S_j,\ q_t = S_i)}{P(q_t = S_i)}, \qquad a_{ij} \ge 0,\ \sum_j a_{ij} = 1; \qquad (1)$$
Formula (1) is the probability of being in state S_i at the current time t and moving to state S_j at time t+1. B is the observation probability distribution under each state, written B = {b_j(k)}, where b_j(k) = P(V_k | q_t = S_j) is the probability of observing V_k while in state S_j at time t. π is the initial state probability distribution, written π = {π_i}, where π_i is the probability of being in state S_i at the initial time.
In S5, when the HMM λ is fixed, the probability of the observation sequence {O_1, O_2, ..., O_t} with the current state S_i at time t is the forward variable α_t(i), computed as
$$\alpha_{t+1}(j) = \Big[\sum_{i=1}^{N} \alpha_t(i)\, a_{ij}\Big]\, b_j(O_{t+1}), \qquad 1 \le t \le T-1,\ 1 \le j \le N \qquad (2)$$
with the initial values α_1(i) = π_i b_i(O_1), 1 ≤ i ≤ N.
In S5, when the HMM λ and the current state q_t = S_i are fixed, the probability of the observation sequence {O_{t+1}, O_{t+2}, ..., O_T} is the backward variable β_t(i), computed as
$$\beta_t(i) = \sum_{j=1}^{N} a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j), \qquad t = T-1, T-2, \ldots, 2, 1,\ 1 \le i \le N \qquad (3)$$
with the initial values β_T(i) = 1, 1 ≤ i ≤ N.
To train the model, the following variables are needed: ξ_t(i, j) is the probability, given the HMM λ and the observation sequence O, that the state at time t is S_i and the state at time t+1 is S_j; γ_t(i) is the probability, given λ and O, that the state at time t is S_i. They are computed as
$$\xi_t(i,j) = P(q_t = S_i, q_{t+1} = S_j \mid O, \lambda) = \frac{P(q_t = S_i, q_{t+1} = S_j, O \mid \lambda)}{P(O \mid \lambda)} = \frac{\alpha_t(i)\, a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)}{\sum_{i=1}^{N}\sum_{j=1}^{N} \alpha_t(i)\, a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)} \qquad (4)$$
$$\gamma_t(i) = P(q_t = S_i \mid O, \lambda) = \frac{\alpha_t(i)\, \beta_t(i)}{\sum_{i=1}^{N} \alpha_t(i)\, \beta_t(i)} \qquad (5)$$
where $\gamma_t(i) = \sum_{j=1}^{N} \xi_t(i,j)$.
The optimised model parameters $\bar{\pi}_i$, $\bar{a}_{ij}$ and $\bar{b}_i(k)$ are then computed as
$$\bar{\pi}_i = \frac{\gamma_1(i)}{\sum_{i=1}^{N} \gamma_1(i)} \qquad (6)$$
$$\bar{a}_{ij} = \frac{\sum_{t=1}^{T-1} \xi_t(i,j)}{\sum_{t=1}^{T-1} \gamma_t(i)}, \qquad 1 \le i \le N,\ 1 \le j \le N \qquad (7)$$
$$\bar{b}_i(k) = \frac{\sum_{t=1,\ O_t = V_k}^{T} \gamma_t(i)}{\sum_{t=1}^{T} \gamma_t(i)} \qquad (8)$$
The conditional probability of the observation sequence given the HMM λ is
$$P(O \mid \lambda) = \sum_{i=1}^{N} \alpha_T(i) \qquad (9)$$
So the training process of the HMM is: first set the initial values A = 1/(N−1), B = 1/(N−1), π = 1/N; compute according to formulas (4) and (5), then obtain the value of P(O | λ) from formula (9); iterate several times, comparing the successive values of P(O | λ), and finally obtain the optimal model parameters and the corresponding P(O | λ) threshold Pmax.
S6: the comprehensive anomaly detection system performs comprehensive detection on the abnormal virtual machine and judges whether the result of the comprehensive detection is below the preset threshold Q. If the result is below Q, the method jumps to S8; if the result is above Q, the method jumps to S7.
Here the preset threshold Q is the minimum anomaly rate at which a cloud virtual machine is still in a normal state.
S7: the comprehensive anomaly detection system of the cloud system eliminates the anomaly of the abnormal virtual machine by its anomaly elimination method; after processing, the method jumps to S2 and continues monitoring the state information of all registered virtual machines in real time.
The anomaly elimination method specifically comprises: using the information in the abnormal-signature library of the cloud system, determine whether the virtual machine's anomaly lies in a single application program or port, or in several application programs or several ports. If a single application program or port is abnormal, close that application program or port; if several application programs or ports are abnormal, isolate the whole virtual machine.
S8: the virtual machine state monitoring module of the cloud controller collects state information from normal virtual machines, forms this normal-virtual-machine state information into observation sequences, trains the HMM and derives the online HMM anomaly detection algorithm, which is used to examine the state-suspicious abnormal virtual machine.
S9: the online HMM anomaly detection algorithm obtains the average log-likelihood of the virtual machine's anomaly detection and judges whether the average log-likelihood exceeds Pmax. Here Pmax is the maximum application-layer anomaly limit of HMM anomaly detection and processing.
If so, that is, the average log-likelihood exceeds Pmax, the abnormal virtual machine is an abnormal virtual machine of the high-risk level, and the method jumps to S11. If not, the abnormal virtual machine is an abnormal virtual machine of the low-risk level, and the method jumps to S10.
Specifically, for the maximum application-layer anomaly limit Pmax of HMM anomaly detection and processing, the P value of the current abnormal virtual machine is computed with the P value formula of S5, formula (9), and compared with the preset threshold Pmax. If formula (9) gives P ≤ Pmax for the current abnormal virtual machine, the virtual machine is judged to be a low-risk virtual machine; if P > Pmax, its risk level is judged high and it is a high-risk virtual machine. Here a high-risk virtual machine is a virtual machine in the cloud system that is infected or under external attack.
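As an added example (not code from the patent), the recursions of formulas (2) to (9) and the scoring step of S9 in pure Python: a two-state discrete HMM is trained on a constructed sequence of normal-tenant utilisation buckets, and the average log-likelihood of a second, burst-like sequence can be compared with it. The observation alphabet, the initial parameters (chosen so that both states stay reachable, unlike the A = [[1, 0], [1, 0]] initialisation above, which never leaves state 0) and the probability floor for unseen symbols are assumptions.

```python
"""Two-state discrete HMM for the patent's pipeline: forward (2), backward (3),
xi/gamma (4)-(5), Baum-Welch re-estimation (6)-(8), P(O|lambda) (9) and the
average log-likelihood that step S9 compares with Pmax.  Added example."""
import math
from typing import List, Sequence, Tuple

Vec = List[float]
Mat = List[List[float]]
Model = Tuple[Vec, Mat, Mat]  # (pi, A, B)

# Constructed 'normal tenant' profile (assumption, not from the patent).
# Observation symbols are utilisation buckets: 0 = light, 1 = medium, 2 = heavy.
PI0: Vec = [0.9, 0.1]                        # state 0 = low risk, 1 = high risk
A0: Mat = [[0.9, 0.1], [0.2, 0.8]]           # small leak keeps state 1 reachable
B0: Mat = [[0.6, 0.3, 0.1], [0.1, 0.3, 0.6]]
NORMAL_SEQ = [0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1]
BURST_SEQ = [2, 2, 2, 2, 2, 2, 2, 2]         # constructed flood-like pattern
B_FLOOR = 1e-3  # practical addition: symbols unseen in training stay scorable


def forward(pi: Vec, A: Mat, B: Mat, obs: Sequence[int]) -> Mat:
    """alpha_t(i) per formula (2), with alpha_1(i) = pi_i * b_i(O_1)."""
    N = len(pi)
    alpha = [[pi[i] * B[i][obs[0]] for i in range(N)]]
    for t in range(1, len(obs)):
        prev = alpha[-1]
        alpha.append([sum(prev[i] * A[i][j] for i in range(N)) * B[j][obs[t]]
                      for j in range(N)])
    return alpha


def backward(A: Mat, B: Mat, obs: Sequence[int]) -> Mat:
    """beta_t(i) per formula (3), with beta_T(i) = 1."""
    N, T = len(A), len(obs)
    beta = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        beta[t] = [sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
                       for j in range(N)) for i in range(N)]
    return beta


def likelihood(model: Model, obs: Sequence[int]) -> float:
    """P(O | lambda) = sum_i alpha_T(i), formula (9)."""
    pi, A, B = model
    return sum(forward(pi, A, B, obs)[-1])


def reestimate(model: Model, obs: Sequence[int]) -> Model:
    """One Baum-Welch pass: gamma (5) and xi (4), then (6), (7) and (8)."""
    pi, A, B = model
    N, M, T = len(pi), len(B[0]), len(obs)
    alpha, beta = forward(pi, A, B, obs), backward(A, B, obs)
    gamma = []
    for t in range(T):
        z = sum(alpha[t][i] * beta[t][i] for i in range(N))
        gamma.append([alpha[t][i] * beta[t][i] / z for i in range(N)])
    xi = []
    for t in range(T - 1):
        raw = [[alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
                for j in range(N)] for i in range(N)]
        z = sum(map(sum, raw))
        xi.append([[v / z for v in row] for row in raw])
    new_pi = [gamma[0][i] / sum(gamma[0]) for i in range(N)]            # (6)
    new_A, new_B = [], []
    for i in range(N):
        visits = sum(gamma[t][i] for t in range(T - 1))                 # (7) denom
        total = sum(gamma[t][i] for t in range(T))                      # (8) denom
        if visits == 0.0 or total == 0.0:  # state never occupied: keep old rows
            new_A.append(A[i][:])
            new_B.append(B[i][:])
            continue
        new_A.append([sum(xi[t][i][j] for t in range(T - 1)) / visits
                      for j in range(N)])
        emis = [sum(gamma[t][i] for t in range(T) if obs[t] == k) / total
                for k in range(M)]
        floored = [max(B_FLOOR, v) for v in emis]
        new_B.append([v / sum(floored) for v in floored])
    return new_pi, new_A, new_B


def train(model: Model, obs: Sequence[int], iters: int = 30) -> Model:
    """Repeat re-estimation on the normal-VM observation sequence (S5/S8)."""
    for _ in range(iters):
        model = reestimate(model, obs)
    return model


def average_log_likelihood(model: Model, obs: Sequence[int]) -> float:
    """Per-observation log P(O|lambda): the score graded in step S9."""
    return math.log(likelihood(model, obs)) / len(obs)


def grade(avg_ll: float, pmax: float) -> str:
    """Threshold rule as written in S9: a score above Pmax means high risk."""
    return "high" if avg_ll > pmax else "low"
```

Calling `train((PI0, A0, B0), NORMAL_SEQ)` and then `average_log_likelihood` on both constructed sequences gives the normal sequence a markedly higher score than the burst; the threshold Pmax itself is the P(O | λ) value derived during training in S5 and is not fixed here.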
S10: an abnormal virtual machine of the low-risk level probably belongs to an application-layer attack, in which a large volume of data flows is sent to the virtual machine from outside through its ports. The application-layer attack in the abnormal virtual machine is eliminated by the HMM anomaly detection and processing method, and the method jumps to S2 and continues monitoring the state information of all registered virtual machines in real time.
The HMM anomaly detection and processing method specifically comprises: establishing several queues of different priority, where high-priority queues are allocated more bandwidth, computing and storage resources and low-priority queues are allocated fewer or, at peak times, no bandwidth, computing or storage resources. When handling an application-layer attack on a low-risk virtual machine, the traffic of the abnormal port is placed in a low-priority queue and the traffic of the other, normal ports in a high-priority queue, thereby eliminating the application-layer attack on the virtual machine.
S11: the cloud controller uses an isolation mechanism to isolate the abnormal virtual machine of the high-risk level (high-risk virtual machine) directly, and writes its state information data to the abnormal-signature library of the cloud system's comprehensive anomaly detection system as a basis for subsequent anomaly detection.
The isolation mechanism means that the cloud controller uses mandatory access control (MAC) to set the virtual machine's access rights to resources so that the high-risk virtual machine cannot access cloud resources, and at the same time forcibly terminates communication between that virtual machine and the other virtual machines, effectively protecting cloud resources and the safety of the other, normal virtual machines.
Further, in above-mentioned S6, comprehensive abnormality detection system can adopt decision Tree algorithms be hacked or normally, set forth decision Tree algorithms comprehensive descision process used by the comprehensive abnormality detection system in high in the clouds with an example below judging certain abnormal virtual machine.
Assuming that the comprehensive abnormality detection system in high in the clouds is made up of four isomerous detection engines X1, X2, X3, X4, carrying out parallel detection for certain abnormal virtual machine A, tetra-isomerous detection engine detection case of X1, X2, X3, X4 are as shown in table 1.
Detection engine        X1       X2       X3         X4
Normal probability      0.6      0.85     0.1        0.3
Malicious probability   0.4      0.15     0.9        0.7
Detection result        Normal   Normal   Malicious  Malicious
Table 1: detection of abnormal virtual machine A by the four heterogeneous detection engines
According to the data of table 1, the decision tree algorithm can calculate the comprehensive normal information entropy and the comprehensive hacked information entropy of the abnormal virtual machine; the calculation process is as follows:
Let D be a division of the training tuples by class, which can represent the set of detection results of the heterogeneous detection engines in the cloud comprehensive abnormality detection system; then the entropy of D is expressed as:
\mathrm{Info}(D) = -\sum_{i=1}^{m} p_i \log_2 p_i
where p_i represents the probability that the i-th class occurs in the whole training tuple, and can represent the normal probability or the hacked probability of abnormal virtual machine A given by the i-th detection engine in the cloud comprehensive abnormality detection system. The comprehensive normal information entropy and the comprehensive hacked information entropy of abnormal virtual machine A over the four detection engines of table 1 are then found to satisfy:
\mathrm{Info}(D)_{\text{comprehensive normal}} > \mathrm{Info}(D)_{\text{comprehensive hacked}}
It follows that the combined probability of abnormal virtual machine A being normal is less than the combined probability of it being hacked, so it can be determined that abnormal virtual machine A is hacked.
The comprehensive judgement result above must further determine the abnormal rate P_abnormal of the virtual machine being hacked:
P_{\text{abnormal}} = \frac{\mathrm{Info}(D)_{\text{comprehensive normal}} - \mathrm{Info}(D)_{\text{comprehensive hacked}}}{\mathrm{Info}(D)_{\text{comprehensive normal}}}
If P_abnormal is less than the predetermined threshold Q, this indicates that the combined probability of virtual machine A being normal is close to, or greater than, the combined probability of it being hacked; at this point application layer attack detection is carried out on this virtual machine with the HMM abnormality detection algorithm. If the average log-likelihood probability value of the HMM abnormality detection is greater than Pmax, this indicates that the virtual machine is under a serious application layer attack and needs isolation processing; otherwise the exception of this virtual machine is eliminated with the application layer abnormality elimination method.
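The comprehensive judgement above, carried through in code as an added example that is not part of the patent: it computes Info(D) for the normal and hacked probabilities of table 1, the abnormal rate P_abnormal, and the branch taken for an assumed threshold Q (the threshold value is not given on the page).

```python
"""Comprehensive judgement of an abnormal VM with the Info(D) entropy of the description
and the abnormal rate P_abnormal. Added example, not the patent's code; the probabilities
are those of table 1 and the threshold Q used below is an assumed value."""
import math

# Table 1: (normal probability, malicious probability) reported by engines X1..X4 for VM A
TABLE_1 = {"X1": (0.6, 0.4), "X2": (0.85, 0.15), "X3": (0.1, 0.9), "X4": (0.3, 0.7)}


def info(probs):
    """Info(D) = -sum_i p_i log2 p_i; a zero probability contributes 0 (0 log 0 = 0)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def comprehensive_entropies(reports):
    """Return (Info_normal, Info_hacked) over all engines' reports."""
    normal = info([n for n, _ in reports.values()])
    hacked = info([h for _, h in reports.values()])
    return normal, hacked


def abnormal_rate(reports):
    """P_abnormal = (Info_normal - Info_hacked) / Info_normal."""
    normal, hacked = comprehensive_entropies(reports)
    return (normal - hacked) / normal


def comprehensive_verdict(reports, q):
    """Decide as in the description: Info_normal > Info_hacked means the VM is judged
    hacked; P_abnormal < Q means the margin is thin, so the VM goes on to HMM
    application-layer detection; otherwise the abnormality elimination method is applied."""
    normal, hacked = comprehensive_entropies(reports)
    judged = "hacked" if normal > hacked else "normal"
    if abnormal_rate(reports) < q:
        return judged, "run HMM application-layer detection"
    return judged, "apply abnormality elimination"


if __name__ == "__main__":
    n, h = comprehensive_entropies(TABLE_1)
    print(f"Info_normal={n:.4f} Info_hacked={h:.4f} P_abnormal={abnormal_rate(TABLE_1):.4f}")
    print(comprehensive_verdict(TABLE_1, q=0.1))  # Q=0.1 is an assumed threshold
```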
Although the present disclosure has been described in detail through the above preferred embodiments, it should be understood that the above description is not to be considered a limitation of the present invention. After those skilled in the art have read the foregoing, multiple modifications and replacements of the present invention will all be apparent. Therefore, the protection scope of the present invention should be limited by the appended claims.

Claims (8)

1. An application layer abnormality detection and processing method of a cloud virtual environment, characterised in that the cloud system comprises a cloud controller, and an application server cluster and cloud storage equipment connected to the cloud controller; the cloud controller comprises: a user request receiving and user identity authentication module, an integrated security strategy module, and a virtual machine state monitoring module; the application server cluster comprises: a comprehensive abnormality detection system, an HMM model training and online abnormality detection module, an application control module, and a virtual machine cluster group;
the method comprises:
the cloud controller detects the virtual machine state in real time, and when a virtual machine is judged to be an abnormal virtual machine, the abnormal virtual machine is comprehensively detected by the comprehensive abnormality detection system;
if the comprehensive abnormality detection system judges that the result value of the comprehensive detection of the abnormal virtual machine is less than the predetermined threshold Q, the cloud controller calculates the average log-likelihood probability value of the abnormality detection of this abnormal virtual machine;
if the average log-likelihood probability value is greater than the maximum application layer abnormality limit value Pmax of the HMM abnormality detection and processing, this abnormal virtual machine is a high-risk virtual machine, and the high-risk virtual machine is isolated; if the average log-likelihood probability value is judged to be less than Pmax, this abnormal virtual machine is a low-risk virtual machine, and the abnormal behaviour of the application layer of this low-risk virtual machine is eliminated.
2. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 1, characterised in that, before the cloud controller detects the virtual machine state in real time, all virtual machines in the cloud are initialised by the cloud controller, and the physical or logical addresses of the virtual machines are registered in the cloud controller.
3. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 1, characterised in that, when the cloud controller judges that a virtual machine is a normal virtual machine, the state information of the normal virtual machine is adopted to compose an observation sequence for training the HMM model, and with this the online HMM abnormality detection algorithm used to calculate the average log-likelihood probability value of the abnormality detection of an abnormal virtual machine is designed.
4. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 1, characterised in that, when the comprehensive abnormality detection system judges that the result value of the comprehensive detection of the abnormal virtual machine is greater than the predetermined threshold Q, the comprehensive abnormality detection system eliminates the exception of the abnormal virtual machine by the abnormality elimination method.
5. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 1, characterised in that, after the high-risk virtual machine is isolated, the state information of the high-risk virtual machine is written into the abnormal feature code library of the comprehensive abnormality detection system.
6. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 1, characterised in that the HMM model is a statistical model describing a Markov process containing hidden unknown parameters, described by λ = {A, B, π, N, M}, where N is the number of hidden Markov model states, M is the number of observations, A is the state transition probability matrix, B is the probability distribution of the observations in the current state, and π is the initial state probability distribution;
the value space of N is S = (S_1, S_2, ..., S_N);
the value space of M is V = {V_1, V_2, ..., V_M};
A is represented by A = (a_{ij}), where
a_{ij} = P(q_{t+1} = S_j \mid q_t = S_i) = \frac{P(q_{t+1} = S_j, q_t = S_i)}{P(q_t = S_i)};
a_{ij} \ge 0, \quad \sum_{j} a_{ij} = 1 \qquad (1)
the meaning of formula (1) is the probability of being in state S_i at the current time t and transferring to state S_j at time t+1;
B is represented by B = {b_j(k)}, where b_j(k) = P(V_k \mid q_t = S_j), meaning the probability that observation V_k occurs when the model is in state S_j at time t;
π is represented by π = {π_i}, where π_i means the probability of being in state S_i at the initial time.
7. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 6, characterised in that
when the HMM model λ is determined, the probability of the observation sequence {O_1, O_2, ..., O_t} with the current state at time t being S_i is taken as the forward variable α_t(i), whose calculation formula is:
\alpha_{t+1}(j) = \Big[\sum_{i=1}^{N} \alpha_t(i)\, a_{ij}\Big] b_j(O_{t+1}), \quad 1 \le t \le T-1, \quad 1 \le j \le N \qquad (2)
where the initial variable is α_1(i) = π_i b_i(O_1), with 1 ≤ i ≤ N;
when the HMM model λ and the current state q_t = S_i are determined, the probability of the observation sequence {O_{t+1}, O_{t+2}, ..., O_T} is taken as the backward variable β_t(i), whose calculation formula is:
\beta_t(i) = \Big[\sum_{j=1}^{N} a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)\Big], \quad t = T-1, T-2, \ldots, 2, 1, \quad 1 \le i \le N \qquad (3)
where the initial variable is β_T(i) = 1, with 1 ≤ i ≤ N;
in order to train the HMM model, the following variables are needed: ξ_t(i, j) represents the probability that, when the HMM model λ and the observation sequence O are determined, the state at time t is S_i and the state at time t+1 is S_j; the variable γ_t(i) represents the probability that, when the HMM model λ and the observation sequence O are determined, the state at time t is S_i; the calculation formulas of ξ_t(i, j) and γ_t(i) are as follows:
\xi_t(i, j) = P(q_t = S_i, q_{t+1} = S_j \mid O, \lambda) = \frac{P(q_t = S_i, q_{t+1} = S_j, O \mid \lambda)}{P(O \mid \lambda)} = \frac{\alpha_t(i)\, a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)}{\sum_{i=1}^{N} \sum_{j=1}^{N} \alpha_t(i)\, a_{ij}\, b_j(O_{t+1})\, \beta_{t+1}(j)} \qquad (4)
\gamma_t(i) = P(q_t = S_i \mid O, \lambda) = \frac{\alpha_t(i)\, \beta_t(i)}{\sum_{i=1}^{N} \alpha_t(i)\, \beta_t(i)} \qquad (5)
where \gamma_t(i) = \sum_{j=1}^{N} \xi_t(i, j);
the calculation formulas of the optimised model parameters \bar{\pi}_i, \bar{a}_{ij}, \bar{b}_i(k) are then as follows:
\bar{\pi}_i = \frac{\gamma_1(i)}{\sum_{i=1}^{N} \gamma_1(i)} \qquad (6)
\bar{a}_{ij} = \frac{\sum_{t=1}^{T} \xi_t(i, j)}{\sum_{t=1}^{T} \gamma_t(i)}, \quad 1 \le i \le N, \quad 1 \le j \le N \qquad (7)
\bar{b}_i(k) = \frac{\sum_{t=1,\, O_t = V_k}^{T} \gamma_t(i)}{\sum_{t=1}^{T} \gamma_t(i)} \qquad (8)
the conditional probability of the observation sequence given the HMM model λ is calculated as follows:
P(O \mid \lambda) = \sum_{i=1}^{N} \alpha_T(i) \qquad (9).
8. The application layer abnormality detection and processing method of a cloud virtual environment as claimed in claim 7, characterised in that the training process of the HMM model comprises: first giving the initial values A = 1/(N-1), B = 1/(N-1), π = 1/N; calculating according to formulas (4) and (5); then obtaining the value of P(O | λ) according to formula (9); carrying out multiple iterations and comparing each P(O | λ) value; and finally obtaining the optimal model parameter values and the corresponding P(O | λ) threshold Pmax.
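The forward and backward variables, one Baum-Welch re-estimation pass and the P(O|λ) iteration of claims 6 to 8, as an added example that is not the patent's own code. The two-state, three-symbol model, the observation sequence and the initial parameter values are constructed assumptions; a non-uniform start is used instead of the claim's initial values because a start in which all states look alike stays that way under re-estimation.

```python
"""Forward/backward variables, Baum-Welch re-estimation and P(O|lambda) as in claims 6-8.
Added example, not the patent's code; model sizes, sequence and start values are constructed."""
import math

def forward(A, B, pi, O):
    """alpha[t][i] by formula (2), with alpha_1(i) = pi_i * b_i(O_1)."""
    N, T = len(A), len(O)
    alpha = [[0.0] * N for _ in range(T)]
    for i in range(N):
        alpha[0][i] = pi[i] * B[i][O[0]]
    for t in range(1, T):
        for j in range(N):
            alpha[t][j] = sum(alpha[t - 1][i] * A[i][j] for i in range(N)) * B[j][O[t]]
    return alpha

def backward(A, B, O):
    """beta[t][i] by formula (3), with beta_T(i) = 1."""
    N, T = len(A), len(O)
    beta = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        for i in range(N):
            beta[t][i] = sum(A[i][j] * B[j][O[t + 1]] * beta[t + 1][j] for j in range(N))
    return beta

def likelihood(A, B, pi, O):
    """P(O|lambda) = sum_i alpha_T(i), formula (9)."""
    return sum(forward(A, B, pi, O)[-1])

def avg_log_likelihood(A, B, pi, O):
    """Per-symbol log-likelihood of a VM's sequence, the value compared with Pmax online."""
    return math.log(likelihood(A, B, pi, O)) / len(O)

def baum_welch_step(A, B, pi, O):
    """One re-estimation pass: xi, gamma by (4)/(5); new pi, A, B by (6)-(8).
    Sums involving xi run to T-1, the range where xi_t is defined."""
    N, M, T = len(A), len(B[0]), len(O)
    alpha, beta = forward(A, B, pi, O), backward(A, B, O)
    p_obs = sum(alpha[-1])  # shared denominator of (4) and (5)
    gamma = [[alpha[t][i] * beta[t][i] / p_obs for i in range(N)] for t in range(T)]
    xi = [[[alpha[t][i] * A[i][j] * B[j][O[t + 1]] * beta[t + 1][j] / p_obs
            for j in range(N)] for i in range(N)] for t in range(T - 1)]
    new_pi = [gamma[0][i] for i in range(N)]  # (6); the gammas at t=1 already sum to 1
    new_A = [[sum(xi[t][i][j] for t in range(T - 1)) / sum(gamma[t][i] for t in range(T - 1))
              for j in range(N)] for i in range(N)]  # (7)
    new_B = [[sum(gamma[t][i] for t in range(T) if O[t] == k) / sum(gamma[t][i] for t in range(T))
              for k in range(M)] for i in range(N)]  # (8)
    return new_A, new_B, new_pi

def train(O, A, B, pi, iters=30):
    """Repeat re-estimation while P(O|lambda) still increases (the loop of claim 8)."""
    best = likelihood(A, B, pi, O)
    for _ in range(iters):
        A2, B2, pi2 = baum_welch_step(A, B, pi, O)
        p = likelihood(A2, B2, pi2, O)
        if p <= best + 1e-12:
            break
        A, B, pi, best = A2, B2, pi2, p
    return A, B, pi, best

# Constructed data: N=2 hidden states, M=3 load levels (0 low, 1 medium, 2 high);
# the normal training sequence mostly sits at low or medium load.
NORMAL_SEQ = [0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 2, 0, 1, 0, 0]
# Constructed non-uniform start values (a fully uniform start cannot separate the states).
A0, B0, PI0 = [[0.7, 0.3], [0.4, 0.6]], [[0.6, 0.3, 0.1], [0.2, 0.4, 0.4]], [0.6, 0.4]
```

For sequences longer than a few hundred symbols the products in alpha and beta underflow double precision; scale the variables per time step or work in log space before using this in a monitor.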

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610115120.5A CN105791286B (en) 2016-03-01 2016-03-01 The abnormality detection and processing method of cloud virtual environment


Publications (2)

Publication Number Publication Date
CN105791286A true CN105791286A (en) 2016-07-20
CN105791286B CN105791286B (en) 2018-10-02

Family

ID=56386883



Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080201708A1 (en) * 2007-02-21 2008-08-21 Carter Stephen R Virtualized workflow processing
CN101465770A (en) * 2009-01-06 2009-06-24 北京航空航天大学 Method for disposing inbreak detection system
CN101615186A (en) * 2009-07-28 2009-12-30 东北大学 A kind of BBS user's abnormal behaviour auditing method based on Hidden Markov theory
CN101872418A (en) * 2010-05-28 2010-10-27 电子科技大学 Detection method based on group environment abnormal behavior
CN102664006A (en) * 2012-04-14 2012-09-12 中国人民解放军国防科学技术大学 Abnormal voice detecting method based on time-domain and frequency-domain analysis
CN104601553A (en) * 2014-12-26 2015-05-06 北京邮电大学 Internet-of-things tampering invasion detection method in combination with abnormal monitoring


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017118133A1 (en) * 2016-01-07 2017-07-13 上海海事大学 Anomaly detection method for internal virtual machine of cloud system
US10616268B2 (en) 2016-01-07 2020-04-07 Shanghai Maritime University Anomaly detection method for the virtual machines in a cloud system
CN106534201A (en) * 2016-12-26 2017-03-22 杭州盈高科技有限公司 Virtual machine risk rapid isolation method under software defined network (SDN) environment
CN110069925A (en) * 2019-04-03 2019-07-30 北京奇安信科技有限公司 Software monitors method, system and computer readable storage medium
CN110069925B (en) * 2019-04-03 2020-09-25 奇安信科技集团股份有限公司 Software monitoring method, system and computer readable storage medium
CN114095189A (en) * 2020-07-31 2022-02-25 中国电信股份有限公司 Configuration method and device for device permission
CN111880906A (en) * 2020-08-03 2020-11-03 广东省华南技术转移中心有限公司 Virtual machine high-availability management method, system and storage medium
CN115022314A (en) * 2022-04-24 2022-09-06 中银金融科技有限公司 Enterprise-level RPA cloud management platform
CN115022314B (en) * 2022-04-24 2024-02-20 中银金融科技有限公司 Enterprise-level RPA cloud management platform



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220711

Address after: 201306 1550 Harbour Road, Lingang New Town, Pudong New Area, Shanghai

Patentee after: Shanghai Maritime University

Patentee after: COSCO SHIPPING TECHNOLOGY CO.,LTD.

Address before: 201306 1550 Harbour Road, Lingang New Town, Pudong New Area, Shanghai

Patentee before: Shanghai Maritime University

CP03 Change of name, title or address

Address after: 200135 No. 600 Minsheng Road, Shanghai, Pudong New Area

Patentee after: COSCO SHIPPING TECHNOLOGY CO.,LTD.

Patentee after: Shanghai Maritime University

Address before: 201306 1550 Harbour Road, Lingang New Town, Pudong New Area, Shanghai

Patentee before: Shanghai Maritime University

Patentee before: COSCO SHIPPING TECHNOLOGY CO.,LTD.
