Summary of the invention
The present invention provides an anomaly detection and processing method for a cloud virtual environment. It ensures that cloud virtual machines can provide reliable service to tenants and improves the accuracy with which cloud virtual machine anomalies are judged: it can effectively detect and handle not only the various network-layer and transport-layer attacks on cloud virtual machines, but also the various application-layer attacks on them.
To achieve the above object, the present invention provides an application-layer anomaly detection and processing method for a cloud virtual environment, characterised in that the cloud system comprises a cloud controller, and an application server cluster and cloud storage equipment connected to the cloud controller. The cloud controller comprises a user request reception and user identity authentication module, an integrated security policy module and a virtual machine state monitoring module. The application server cluster comprises a comprehensive anomaly detection system, an HMM model training and online anomaly detection module, an application control module and a virtual machine cluster group.
The method comprises:
The cloud controller detects the state of the virtual machines in real time; when it judges that a virtual machine is abnormal, the comprehensive anomaly detection system performs comprehensive detection on the abnormal virtual machine.
If the comprehensive anomaly detection system judges that the result value of the comprehensive detection of the abnormal virtual machine is less than the predetermined threshold Q, the cloud controller calculates the average log-likelihood value of the anomaly detection of this abnormal virtual machine.
If the average log-likelihood value is greater than Pmax, the maximum application-layer anomaly limit value of HMM anomaly detection and processing, the abnormal virtual machine is a high-risk virtual machine and is isolated. If the average log-likelihood value is judged to be less than Pmax, the abnormal virtual machine is a low-risk virtual machine, and the abnormal behaviour of its application layer is eliminated.
Before the cloud controller detects the virtual machine state in real time, it performs initial setup of all virtual machines in the cloud and registers the physical or logical address of each virtual machine in the cloud controller.
When the cloud controller judges that a virtual machine is a normal virtual machine, the state information of normal virtual machines is used to form an observation sequence with which the HMM model is trained; from this the HMM online anomaly detection algorithm is designed, which is used to calculate the average log-likelihood value of the anomaly detection of abnormal virtual machines.
When the comprehensive anomaly detection system judges that the result value of the comprehensive detection of the abnormal virtual machine is greater than the predetermined threshold Q, the comprehensive anomaly detection system eliminates the anomaly of the abnormal virtual machine by its anomaly elimination method.
After the high-risk virtual machine is isolated, its state information is written into the abnormal feature code library of the comprehensive anomaly detection system.
The HMM model is a statistical model describing a Markov process with hidden, unknown parameters. It is described by λ = {A, B, π, N, M}, where N is the number of hidden Markov model states, M is the number of observation values, A is the state transition probability matrix, B is the probability distribution of the observation values in the current state, and π is the initial state probability distribution.
The value space of N is S = (S_1, S_2, ..., S_N).
The value range of M is V = {V_1, V_2, ..., V_M}.
A is written A = (a_ij), where a_ij is given by formula (1):
The meaning of formula (1) is the probability of being in state S_i at the current time t and transferring to state S_j at time t+1.
B is written B = {b_j(k)}, where b_j(k) = P(V_k | q_t = S_j), meaning the probability that observation value V_k occurs when the state at time t is S_j.
π is written π = {π_i}, where π_i is the probability of being in state S_i at the initial time.
When the HMM model λ is determined, the probability of the observation sequence {O_1, O_2, ..., O_t} with the state at time t being S_i is taken as the forward variable α_t(i), whose calculation formula is:
where the initial value is α_1(i) = π_i b_i(O_1), with 1 ≤ i ≤ N.
When the HMM model λ and the current state q_t = S_i are determined, the probability of the observation sequence {O_(t+1), O_(t+2), ..., O_T} is taken as the backward variable β_t(i), whose calculation formula is:
where the initial value is β_T(i) = 1, with 1 ≤ i ≤ N.
For HMM model training the following variables are needed: ξ_t(i, j) denotes the probability that, given the HMM model λ and the observation sequence O, the state at time t is S_i and the state at time t+1 is S_j; γ_t(i) denotes the probability that, given λ and O, the state at time t is S_i. The calculation formulas of ξ_t(i, j) and γ_t(i) are as follows:
where
The calculation formulas of the re-estimated (optimised) model parameters are then as follows:
The calculation formula of the conditional probability P(O | λ) of the observation sequence given the HMM model λ is as follows:
The training process of the above HMM model comprises: first, give the initial values A = 1/(N-1), B = 1/(N-1) and π = 1/N; calculate according to formulas (4) and (5), then obtain the value of P(O | λ) according to formula (9); iterate repeatedly, comparing each P(O | λ) value; finally obtain the optimal model parameter values and the corresponding P(O | λ) threshold Pmax.
Compared with the prior art, the anomaly detection and processing method for a cloud virtual environment of the present invention has the following advantages. The present invention ensures the reliability of cloud virtual machine anomaly detection: a multiple-detection mechanism detects abnormal virtual machines more reliably and does not produce false positives on some normal virtual machines, which would affect the service of those virtual machines to cloud tenants.
The present invention improves the accuracy of cloud virtual machine anomaly detection. The comprehensive anomaly detection system in the cloud, made up of multiple heterogeneous detection engines, can accurately detect the various network-layer and transport-layer attacks and can also detect some application-layer attacks; the HMM anomaly detection algorithm can accurately detect various novel application-layer attacks on virtual machines, thereby improving the accuracy of cloud virtual machine anomaly detection.
The present invention completes the anomaly detection technology for application-layer attacks on cloud virtual machines. Traditional detection engines can only detect the various network-layer and transport-layer attacks on virtual machines and the various virus attacks inside the virtual machine, and are helpless against novel application-layer attacks on virtual machines. The present invention uses the HMM model and its anomaly detection algorithm, can efficiently identify the various new application-layer attacks against virtual machines, and can quickly process and eliminate these application-layer attacks.
Detailed description of the invention
Specific embodiments of the invention are further described below with reference to the accompanying drawings.
Figure 1 shows an embodiment of a cloud system. The cloud system comprises a cloud controller 110, and an application server cluster 120 and cloud storage equipment 130 communicatively connected to the cloud controller 110.
The cloud controller 110 comprises a user request reception and user identity authentication module, an integrated security policy module and a virtual machine state monitoring module.
The cloud controller 110 is a dedicated server or server cluster. It communicates with the other servers in the cloud mainly through a public or private network, accepts the I/O access requests of users over various network protocols and authenticates the identity of the users; only after passing identity authentication can a user access the virtual machine space that the cloud has set up for that user.
The application server cluster 120 comprises a comprehensive anomaly detection system, an HMM model training and online anomaly detection module, an application control module and a virtual machine cluster group. The virtual machine cluster group comprises a number of virtual machine clusters, for instance virtual machine cluster 1, virtual machine cluster 2, ..., virtual machine cluster N, and each virtual machine cluster includes a number of virtual machines, for instance VM1, VM2, ..., VMn.
The cloud storage equipment 130 comprises the multiple storage devices of the cloud system and is mainly used to store the data of cloud tenants.
The HMM modelling method of the present invention is set out below with an example.
When HMM modelling is performed for virtual machines, the specific parameters of the cloud must be analysed comprehensively and initial setup performed according to the actual situation, which specifically comprises:
1) HMM state values: assume that a cloud virtual machine has two states, the low-risk state and the high-risk state. In the present invention the low-risk state is represented by 0 and the high-risk state by 1, so the HMM state space is S = {0, 1}.
2) Initial state probability values: π is set to π = {1, 0}, meaning that the probability that the cloud virtual machine state is low-risk is 1 and the probability that it is high-risk is 0.
3) State transition matrix: assuming that under normal circumstances all virtual machines in the cloud are in the normal state, the entries a_00 and a_10 of the state transition matrix A are set to 1 and the remaining entries to 0, that is, A = [[1, 0], [1, 0]] (rows indexed by the current state, columns by the next state).
4) Observation sequence: the state behaviour of cloud tenants at the virtual machine end is used as the observation sequence, obtained from the user behaviour records produced by the audit trail system.
5) Observation probability distribution: according to the current state of the cloud virtual machine, reasonable initial values are set for the occurrence probabilities of the behaviours of cloud tenants at the virtual machine end.
Figure 2 shows an embodiment of the application-layer anomaly detection and processing method for a cloud virtual environment disclosed by the invention. The method includes the following steps:
S1: initial setup is performed for all virtual machines in the cloud, and the physical or logical address of each virtual machine is registered in the cloud controller, so that the cloud controller can manage all virtual machines in the cloud in a unified way.
S2: the cloud controller formulates a corresponding integrated security policy according to the security requirements of the cloud, and detects the state information of all virtual machines registered in the cloud controller in real time.
Here, the integrated security policy refers to the virtual machine state information monitoring, anomaly detection and anomaly processing measures formulated by the cloud controller according to the security requirements of the virtual machines in the cloud.
Real-time detection means that the virtual machine state monitoring module in the cloud controller assigns to every virtual machine of the cloud system a process that collects that virtual machine's state information data; the process sends the state information data it collects in real time to the virtual machine state monitoring module of the cloud controller for processing.
The virtual machine state information includes the CPU utilisation, GPU utilisation, hard disk utilisation, I/O load, memory utilisation and network bandwidth utilisation of the virtual machine, and their dynamic change over time.
S3: after the virtual machine state monitoring module of the cloud controller obtains the state information of a virtual machine, it judges according to the integrated security policy whether the virtual machine is suspicious, that is, whether the virtual machine state is abnormal. If so, the virtual machine is suspicious and its state is abnormal, it is determined to be an abnormal virtual machine, its state abnormality flag parameter flag is set to 1, and the method jumps to S4; if not, the state abnormality flag parameter flag of the virtual machine is set to 0, and the method jumps to S5.
Here, an abnormal virtual machine state means that an abnormal change occurs in the state of the virtual machine, for example one or more of the CPU utilisation, memory utilisation and GPU utilisation exceed or approach 90%, change sharply within a short time, or differ significantly from the state information changes of normal virtual machines.
Because, when an abnormal virtual machine appears, the comprehensive anomaly detection system of the cloud system immediately processes and eliminates the anomaly (for example by isolating the abnormal application program or port in the abnormal virtual machine, or by isolating the whole virtual machine), in a usual cloud system the number of abnormal virtual machines whose state is suspicious is less than half of the total number of virtual machines.
S4: the comprehensive anomaly detection system of the application server cluster of the cloud system detects the virtual machines whose flag parameter flag is 1, and the method jumps to S6.
Here, the comprehensive anomaly detection system refers to the heterogeneous detection engines produced by multiple different manufacturers that are installed in the application server cluster of the cloud system; these heterogeneous detection engines can perform parallel detection of an abnormal virtual machine simultaneously, and the anomaly detection results of the multiple heterogeneous detection engines are combined by a decision-tree algorithm into the final anomaly detection result for that virtual machine.
S5: a state abnormality flag parameter flag of 0 indicates that the virtual machine is a normal virtual machine. The virtual machine state monitoring module forms an observation sequence from the state information of a number of virtual machines whose flag parameter flag is 0 (normal virtual machines) and trains the HMM model with it. After the judgement of normal virtual machines and the training of the HMM model are complete, the method jumps to S2 and continues to detect in real time the state information of all virtual machines registered in the cloud controller.
Here, a normal virtual machine refers to a virtual machine in the cloud system that is neither infected nor attacked from outside.
The HMM model is a statistical model that can describe a Markov process with hidden, unknown parameters. The HMM model can be described by λ = {A, B, π, N, M}, where N is the number of hidden Markov model states, M is the number of observation values, A is the state transition probability matrix, B is the probability distribution of the observation values in the current state, and π is the initial state probability distribution.
Among these parameters, N is the number of hidden Markov model states, with value space S = (S_1, S_2, ..., S_N); M is the observation value under each state in the observation sequence, with value range V = {V_1, V_2, ..., V_M}; A is the state transition probability matrix, written A = (a_ij), where a_ij is given by formula (1):
The meaning of formula (1) is the probability of being in state S_i at the current time t and transferring to state S_j at time t+1. B is the probability distribution of the observation values in the current state, written B = {b_j(k)}, where b_j(k) = P(V_k | q_t = S_j), meaning the probability that observation value V_k occurs when the state at time t is S_j. π is the initial state probability distribution, written π = {π_i}, where π_i is the probability of being in state S_i at the initial time.
In S5, when the HMM λ is determined, the probability of the observation sequence {O_1, O_2, ..., O_t} with the state at time t being S_i is taken as the forward variable α_t(i). Its calculation formula is:
where the initial value is α_1(i) = π_i b_i(O_1), with 1 ≤ i ≤ N.
In S5, when the HMM λ and the current state q_t = S_i are determined, the probability of the observation sequence {O_(t+1), O_(t+2), ..., O_T} is taken as the backward variable β_t(i). Its calculation formula is:
where the initial value is β_T(i) = 1, with 1 ≤ i ≤ N.
For model training the following variables are needed: ξ_t(i, j) denotes the probability that, given the HMM λ and the observation sequence O, the state at time t is S_i and the state at time t+1 is S_j; γ_t(i) denotes the probability that, given λ and O, the state at time t is S_i. The calculation formulas of ξ_t(i, j) and γ_t(i) are as follows:
where
The calculation formulas of the re-estimated (optimised) model parameters are then as follows:
The calculation formula of the conditional probability P(O | λ) of the observation sequence given the HMM λ is as follows:
Thus the training process of the HMM is: first, give the initial values A = 1/(N-1), B = 1/(N-1) and π = 1/N; calculate according to formulas (4) and (5), then obtain the value of P(O | λ) according to formula (9); iterate repeatedly, comparing each P(O | λ) value; finally obtain the optimal model parameter values and the corresponding P(O | λ) threshold Pmax.
S6: the comprehensive anomaly detection system performs comprehensive detection of the abnormal virtual machine and judges whether the result value of the comprehensive detection is less than the predetermined threshold Q. If so, the result value is less than the predetermined threshold Q and the method jumps to S8; if not, the result value is greater than the predetermined threshold Q and the method jumps to S7.
Here, the predetermined threshold Q is the minimum limit value of the abnormal rate at which a cloud virtual machine is in the normal state.
S7: the comprehensive anomaly detection system of the cloud system eliminates the abnormal state of the abnormal virtual machine by its anomaly elimination method; after processing, the method jumps to S2 and continues to detect in real time the state information of all virtual machines registered in the cloud controller.
The anomaly elimination method specifically comprises: using the information in the abnormal feature code library of the cloud system, judge whether the virtual machine has an anomaly in a single application program or port, or anomalies in multiple application programs or multiple ports. If a single application program or port is abnormal, that application program or port is closed; if multiple application programs or multiple ports are abnormal, the whole virtual machine is isolated.
S8: the virtual machine state monitoring module of the cloud controller collects the state information of normal virtual machines at the virtual machine end, forms an observation sequence from this state information, trains the HMM model from it, and designs the HMM online anomaly detection algorithm, with which the abnormal virtual machines whose state is suspicious are detected.
S9: the HMM online anomaly detection algorithm obtains the average log-likelihood value of the anomaly detection of the virtual machine and judges whether the average log-likelihood value is greater than Pmax, where Pmax is the maximum application-layer anomaly limit value of HMM anomaly detection and processing.
If so, the average log-likelihood value is greater than Pmax, which shows that the abnormal virtual machine is an abnormal virtual machine of the high-risk grade, and the method jumps to S11. If not, the abnormal virtual machine is an abnormal virtual machine of the low-risk grade, and the method jumps to S10.
Specifically, for the maximum application-layer anomaly limit value Pmax of HMM anomaly detection and processing, the P value of the current abnormal virtual machine is calculated according to the P value calculation formula in S5, formula (9), and compared with the predetermined threshold Pmax. If formula (9) gives P ≤ Pmax for the current abnormal virtual machine, the virtual machine is judged to be a low-risk virtual machine; if P > Pmax, the risk grade of the virtual machine is judged to be high, and it is a high-risk virtual machine. Here, a high-risk virtual machine refers to a virtual machine in the cloud system that has been infected or attacked from outside.
S10: an abnormal virtual machine of the low-risk grade probably belongs to an application-layer attack, where an application-layer attack is an attack that sends a massive data stream to the virtual machine from outside through a port of the virtual machine. The application-layer attack can be eliminated, that is, the abnormal behaviour of the application layer in this abnormal virtual machine is eliminated, by the HMM anomaly detection and processing method; the method then jumps to S2 and continues to detect in real time the state information of all virtual machines registered in the cloud controller.
The HMM anomaly detection and processing method specifically comprises: establishing multiple queues with different priorities, where the high-priority queues are allocated more bandwidth, computing and storage resources and the low-priority queues are allocated fewer or, during peak periods, no bandwidth, computing and storage resources. When the application-layer attack on a virtual machine of the low-risk grade is processed, the traffic of the abnormal port is placed in the low-priority queue and the traffic of the other, normal ports is placed in the high-priority queue, thereby achieving the purpose of eliminating the application-layer attack on the virtual machine.
S11: the cloud controller uses the isolation mechanism to isolate the abnormal virtual machine of the high-risk grade (high-risk virtual machine) directly, and writes its state information data into the abnormal feature code library of the comprehensive anomaly detection system of the cloud system, providing a basis for the next anomaly detection.
The isolation mechanism means that the cloud controller sets the access rights of this virtual machine to resources through a mandatory access control (MAC) mechanism, so that the virtual machine of the high-risk grade cannot access the resources of the cloud; at the same time the communication between this virtual machine and other virtual machines is forcibly terminated, effectively protecting the resources of the cloud and the security of the other, normal virtual machines.
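The HMM online detection step of S8 and S9, as an added example that is not part of the patent: a scaled forward pass computes the average log-likelihood of an observation sequence, and the result is compared with Pmax using the rule stated in S9 (greater than Pmax means high-risk). The state space, π and A follow items 1) to 3) of the modelling example above; the observation alphabet, the emission matrix B, the sample sequences and the value of Pmax are constructed assumptions.

```python
"""HMM online anomaly scoring for a cloud VM (added example, not the patent's code).

The two-state model follows the patent's initialisation: S = {0, 1}
(0 = low-risk, 1 = high-risk), pi = {1, 0} and a_00 = a_10 = 1.
The observation alphabet, the emission matrix B, the sample sequences and
the threshold P_max below are constructed assumptions for illustration.
"""
import math

# Constructed observation alphabet for tenant behaviour records (assumption).
OBS_NORMAL_REQUEST = 0   # ordinary application request
OBS_BURST = 1            # short burst of requests on one port
OBS_UNKNOWN = 2          # behaviour not seen in the audit trail before

PI = [1.0, 0.0]                       # item 2): start in the low-risk state
A = [[1.0, 0.0],                      # item 3): a_00 = 1, a_01 = 0
     [1.0, 0.0]]                      #          a_10 = 1, a_11 = 0
B = [[0.70, 0.20, 0.10],              # item 5): constructed emission probabilities
     [0.20, 0.30, 0.50]]              #          (row = state, column = observation)


def forward_log_likelihood(pi, A, B, obs):
    """Scaled forward algorithm: returns log P(O | lambda).

    alpha_t(j) = [sum_i alpha_{t-1}(i) * a_ij] * b_j(O_t), with
    alpha_1(i) = pi_i * b_i(O_1). Each column is rescaled to sum to 1 so
    that long sequences do not underflow; the logs of the scaling factors
    add up to the log-likelihood. A zero total means the sequence is
    impossible under the model, which is reported as -inf.
    """
    n = len(pi)
    alpha = [pi[i] * B[i][obs[0]] for i in range(n)]
    log_prob = 0.0
    for t, o in enumerate(obs):
        if t > 0:
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o]
                     for j in range(n)]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")
        alpha = [a / scale for a in alpha]
        log_prob += math.log(scale)
    return log_prob


def average_log_likelihood(pi, A, B, obs):
    """Per-observation log-likelihood, the quantity S9 compares with P_max."""
    if not obs:
        raise ValueError("observation sequence must not be empty")
    return forward_log_likelihood(pi, A, B, obs) / len(obs)


def classify_risk(avg_log_likelihood, p_max):
    """Rule of S9 as stated in the patent: above P_max -> high-risk, else low-risk."""
    return "high-risk" if avg_log_likelihood > p_max else "low-risk"


if __name__ == "__main__":
    P_MAX = -0.8   # constructed threshold; the patent derives it during training
    vm_a = [OBS_NORMAL_REQUEST] * 6
    vm_b = [OBS_NORMAL_REQUEST, OBS_BURST, OBS_UNKNOWN, OBS_UNKNOWN, OBS_BURST]
    for name, seq in (("VM-A", vm_a), ("VM-B", vm_b)):
        score = average_log_likelihood(PI, A, B, seq)
        print(f"{name}: avg log-likelihood {score:.3f} -> {classify_risk(score, P_MAX)}")
```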
Further, in the above S6 the comprehensive anomaly detection system can use a decision-tree algorithm to judge whether a given abnormal virtual machine is compromised (hacked) or normal. The comprehensive judgement process of the decision-tree algorithm used by the comprehensive anomaly detection system in the cloud is set out below with an example.
Assume that the comprehensive anomaly detection system in the cloud is made up of four heterogeneous detection engines X1, X2, X3 and X4, which perform parallel detection of a given abnormal virtual machine A. The detection results of the four heterogeneous detection engines X1, X2, X3 and X4 are shown in Table 1.
| Detection engine | X1 | X2 | X3 | X4 |
| Normal probability | 0.6 | 0.85 | 0.1 | 0.3 |
| Malicious probability | 0.4 | 0.15 | 0.9 | 0.7 |
| Detection result | Normal | Normal | Malicious | Malicious |
Table 1: Detection results of the four heterogeneous detection engines for abnormal virtual machine A
From the data of Table 1, the decision-tree algorithm calculates the comprehensive normal information entropy and the comprehensive compromised information entropy of the abnormal virtual machine; the calculation process is as follows:
Let D be the division of the training tuples by class, which can represent the set of detection results of the heterogeneous detection engines in the comprehensive anomaly detection system in the cloud; the entropy of D is then expressed as:
where p_i represents the probability that the i-th class occurs in all training tuples, which can represent the probability, given by the i-th detection engine of the comprehensive anomaly detection system in the cloud, that the abnormal virtual machine A is normal or that it is compromised. For the four detection engines in Table 1, the comprehensive normal information entropy and the comprehensive compromised information entropy of the abnormal virtual machine A are then obtained as follows:
Info(D)_comprehensive normal information entropy > Info(D)_comprehensive compromised information entropy
From the above, the combined probability that the abnormal virtual machine A is normal is less than the combined probability that it is compromised, so it can be determined that the abnormal virtual machine A is compromised.
On the basis of the above comprehensive judgement result, its compromised abnormal rate P_abnormal is also to be determined:
P_abnormal = (Info(D)_comprehensive normal information entropy - Info(D)_comprehensive compromised information entropy) / Info(D)_comprehensive normal information entropy
If P_abnormal is less than the predetermined threshold Q, this shows that the combined probability that virtual machine A is normal is close to the combined probability that it is compromised, or that the normal combined probability is greater than the compromised combined probability; at this point the virtual machine is subjected to application-layer attack detection by the HMM anomaly detection algorithm. If the average log-likelihood value of the HMM anomaly detection is greater than Pmax, this shows that the virtual machine is under a serious application-layer attack and requires isolation processing; otherwise the anomaly of the virtual machine is eliminated with the application-layer anomaly elimination method.
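The comprehensive judgement of Table 1 worked through in code, as an added example that is not part of the patent. Since the page does not reproduce its entropy formula, Info(D) is assumed here to be the Shannon entropy -Σ p_i log2 p_i over the per-engine probabilities; the verdict rule (normal entropy greater than compromised entropy means compromised), the P_abnormal formula and the comparison with Q follow the text above, and the value of Q is a constructed assumption.

```python
"""Decision-tree style comprehensive judgement for Table 1 (added example, not the patent's code).

Assumption: Info(D) is the Shannon entropy -sum_i p_i * log2(p_i) over the
per-engine probabilities. The engine probabilities are those of Table 1;
the threshold Q passed to comprehensive_judgement is a constructed value.
"""
import math

# Table 1: four heterogeneous detection engines scanning abnormal VM A.
TABLE_1 = {
    "X1": {"normal": 0.60, "malicious": 0.40},
    "X2": {"normal": 0.85, "malicious": 0.15},
    "X3": {"normal": 0.10, "malicious": 0.90},
    "X4": {"normal": 0.30, "malicious": 0.70},
}


def info(probabilities):
    """Info(D) = -sum p_i log2 p_i; a zero probability contributes 0 (assumed form)."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0.0)


def comprehensive_judgement(engines, q):
    """Combine the engine results as described for S6 and the Table 1 example.

    Returns both entropies, the verdict (normal entropy > compromised entropy
    means compromised), the abnormal rate P_abnormal and whether the HMM
    application-layer check of S8 is required (P_abnormal < Q).
    """
    info_normal = info(e["normal"] for e in engines.values())
    info_compromised = info(e["malicious"] for e in engines.values())
    compromised = info_normal > info_compromised
    if info_normal == 0.0:
        p_abnormal = 0.0   # every engine is certain; nothing to normalise by
    else:
        p_abnormal = (info_normal - info_compromised) / info_normal
    return {
        "info_normal": info_normal,
        "info_compromised": info_compromised,
        "verdict": "compromised" if compromised else "normal",
        "p_abnormal": p_abnormal,
        "needs_hmm_check": p_abnormal < q,
    }


if __name__ == "__main__":
    result = comprehensive_judgement(TABLE_1, q=0.05)   # Q is a constructed value
    for key, value in result.items():
        print(f"{key}: {value}")
```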
Although the present disclosure has been described in detail through the above preferred embodiments, it should be understood that the above description is not to be regarded as limiting the present invention. After those skilled in the art have read the above content, various modifications and substitutions of the present invention will be apparent. Therefore, the protection scope of the present invention should be defined by the appended claims.