
Study On Security Monitoring Of Cloud Data Center

Posted on: 2019-08-22
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Y Shi
Full Text: PDF
GTID: 1368330623950327
Subject: Computer Science and Technology
Abstract/Summary:
The current information technology has gradually entered the era of cloud computing, Internet of Things, big data, and mobile Internet. Cloud computing, as a basic platform for other applications, is particularly important in this new era of information technology. Currently, cloud computing also faces security issues such as virtual machine escape and the difficulty of monitoring east-west traffic in cloud data centers. In order to effectively protect the security of cloud data centers, this paper first implements a virtual machine integrated monitoring and verification system based on open source software. On this basis, it analyzes and studies the difficulties faced in security monitoring and improvements to key technologies, separately at the host and network levels of the cloud data center. At the same time, the new monitoring models and methods proposed in this paper were fully evaluated on multiple real datasets from the Internet. The experimental results verify the rationality and accuracy of the proposed models and methods at each level of the research. The detailed content is described as follows:

(1) Virtual machine comprehensive monitoring and verification system based on open source software. This paper first uses existing mature solutions to construct the basic framework of cloud data center virtual machine monitoring. Addressing the shortcomings of existing solutions, the monitoring and verification system integrates virtual machine introspection technology with other security monitoring technologies, giving it real-time monitoring capabilities for virtual machine memory, network, and files. Compared with existing solutions, the new monitoring and verification system has significant improvements in two places: first, the creation, deletion, and modification of the virtual machine file system can be monitored at the physical host layer; second, compared to traditional monitoring methods, the new monitoring and verification system does not need to install an agent in the virtual machine. The security tools are therefore highly stealthy and difficult for an attacker to detect.

(2) API call monitoring technology based on virtual machine introspection. At the virtual machine level, using virtual machine introspection technology to realize stealthy virtual machine monitoring can achieve fine-grained system call monitoring, but its performance overhead is large: especially when monitoring system calls, the CPU frequently switches between the virtual machine and the host, and real-time monitoring cannot be realized effectively. For this reason, this paper improves on related work and proposes a process-level virtual machine execution monitoring system. On the one hand, it reduces the monitoring range of system calls; on the other hand, it supports the monitoring of user-level API calls, making the results more comprehensive. In addition, a sample injection and snapshot method is designed to inject the sample to be analyzed into the virtual machine without leaving traces and to restore the initial state after the operation is completed, thereby improving the automation level of the analysis process.

(3) Hypercall attack detection method based on nested virtualization. To solve the problem that the cloud platform itself may not be trusted, a hypercall attack detection method based on nested virtualization is proposed to detect attacks and illegal actions initiated from the virtual machine monitor level. We utilize hardware feature support, including nested virtualization, extended page table protection, and interrupt exceptions, to monitor the virtual machine monitor. Even if the virtual machine monitor is controlled, we can still monitor hypercalls from all virtual machines to detect attacks in a timely manner. In addition, we simulated hypercall-based attacks through hypercall injection and evaluated the performance of the method. Experimental results show that this method can effectively detect hypercall-based attacks.

(4) Suspicious network flow sampling method in the cloud data center. Based on the forwarding/control separation and programmable features of software-defined networking, a multi-level network traffic sampling and detection model is implemented. On the one hand, historical flow statistics are used to direct traffic sampling within the cloud, and real-time classification and sampling of flows are implemented on top of the constructed classification models, which greatly improves the pertinence of sampling and the ability to capture unknown attacks and reduces sampling bandwidth overhead. On the other hand, based on feedback from the intrusion detection system, the sampling scheme is adjusted in real time, which further improves the comprehensiveness of sampling and reduces the probability of known attack flows being missed. The combination of the two methods can effectively solve the problem of east-west traffic monitoring in the cloud.

(5) A new cloud botnet detection method based on suspicious flow sampling. Based on the above sampling method, we propose a two-stage cloud botnet detection method based on the features of P2P botnets in the cloud. First, OpenFlow controllers collect flow statistics in real time to detect suspicious flows, and then pass suspicious flows to a DPI system for deeper inspection. Experiments show that it can quickly and accurately locate potential P2P bots, with high accuracy and a low false alarm rate, and the performance overhead is within an acceptable range.
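To make the two-stage, feedback-driven sampling of items (4) and (5) concrete, here is a small added model written for this page, not code from the dissertation. The flow records are constructed stand-ins for OpenFlow flow statistics, and the peer-fan-out heuristic, the IDS feedback rule and the sampling rates are assumptions for illustration, not the author's actual classification model or feature set.

```python
"""Toy model of controller-side suspicious flow sampling with IDS feedback.

Stage 1: score flows from flow statistics alone (no payload), and mark the
suspicious ones for full sampling so they reach the DPI stage.
Feedback: when the IDS confirms a host, every flow touching it is sampled in full.
"""
from collections import defaultdict

# Constructed OpenFlow-style flow statistics: (src, dst, dst_port, packets, bytes)
FLOWS = [
    ("10.0.0.5", "10.0.0.9", 443, 120, 90000),   # ordinary client/server flow
    ("10.0.0.7", "10.0.1.1", 6881, 4, 300),      # one host, many small flows
    ("10.0.0.7", "10.0.1.2", 6881, 5, 310),      #   to many distinct peers
    ("10.0.0.7", "10.0.1.3", 6881, 4, 290),
    ("10.0.0.7", "10.0.1.4", 6881, 6, 320),
    ("10.0.0.8", "10.0.0.9", 80, 30, 20000),
]

PEER_THRESHOLD = 3   # assumed: > 3 distinct peers on one port from one host is suspicious
BASE_RATE = 0.05     # assumed baseline sampling rate for unremarkable flows
FULL_RATE = 1.0      # forward the whole flow to the DPI stage

def peer_counts(flows):
    """Distinct destinations per (src, dst_port), as a controller could derive
    from periodic flow-stats replies without inspecting any payload."""
    peers = defaultdict(set)
    for src, dst, port, _, _ in flows:
        peers[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items()}

def sampling_plan(flows, confirmed_bad=()):
    """Return a sampling rate per (src, dst, dst_port).

    Flows whose source fans out to many peers are sampled in full (stage 1
    classification); IDS feedback naming a confirmed host raises every flow
    touching that host to full sampling so known attack flows are not missed."""
    counts = peer_counts(flows)
    plan = {}
    for src, dst, port, _, _ in flows:
        rate = BASE_RATE
        if counts[(src, port)] > PEER_THRESHOLD:
            rate = FULL_RATE
        if src in confirmed_bad or dst in confirmed_bad:
            rate = FULL_RATE
        plan[(src, dst, port)] = rate
    return plan

def flows_for_dpi(plan):
    """Flows the current plan hands to the DPI stage in full."""
    return sorted(key for key, rate in plan.items() if rate == FULL_RATE)
```

Running `sampling_plan(FLOWS)` selects only the four fan-out flows from 10.0.0.7 for DPI; feeding back a confirmed host (for example 10.0.0.9) widens the plan so its flows are no longer sampled at the baseline rate.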
Keywords/Search Tags: Cloud security monitoring, virtual machine introspection, hypercall, software-defined security, traffic sampling