Study of Immune-Based Intrusion Detection Technology in Virtual Machines for Cloud Computing Environment

Cloud computing platforms usually use virtual machines as their underlying architecture; the security of virtual machine systems is the core of cloud computing security. This paper presents an immune-based intrusion detection model for virtual machines in cloud computing environments, denoted IB-IDS, to ensure the safety of user-level applications in client virtual machines. The model uses the system call sequences of processes and their parameters, and extracts environment information from the client virtual machines. It then simulates immune responses to ensure the state of user-level programs, which allows it to detect attacks on the dynamic runtime of applications with high real-time performance. The model has five modules: the antigen presenting module, signal acquisition module, immune response module, signal measurement module, and information monitoring module, which are distributed across different levels of the virtual machine environment. Performance analysis and experimental results show that the model adds a small performance overhead to the virtual machine system and has good detection performance. It is applicable to judging the state of user-level applications in guest virtual machines, and it is feasible to use it to increase user-level security in the software services of cloud computing platforms.
