| Field | Value |
|---|---|
| Student | 廖偉發 Liao, Wei-Fa |
| Thesis title | 基於雲端環境下之分散式且自主的安全防衛系統 (A Distributed and Autonomous Guard System Based on Cloud environments) |
| Advisor | 孫宏民 Sun, Hung-Min |
| Oral examination committee | 許富皓 Hsu, Fu-Hau; 吳育松 Wu, Yu-Sung |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science - Department of Computer Science |
| Year of publication | 2014 |
| Graduation academic year | 102 |
| Language | English |
| Pages | 49 |
| Chinese keywords | 雲端運算, 入侵偵測, 軟體定義網路 (cloud computing, intrusion detection, software-defined networking) |
| English keywords | Cloud Computing, Intrusion Detection, Software-defined networking |
| Access statistics | Views: 82; Downloads: 0 |
Cloud computing is one of the hottest topics in today's information industry. In recent years many companies have moved from renting traditional hosts to renting cloud resources to deliver their services. Clouds mostly rely on virtualization and a multi-tenant architecture, which means that virtual machines belonging to different tenants may reside on the same physical server. Without proper security controls, the infection of a single tenant's virtual machine can affect the other tenants as well. Because a virtual network environment differs from a physical one, traditional intrusion detection systems focus only on intrusions coming from outside and cannot easily or reliably detect attacks that originate from virtual machines; to defend against threats comprehensively, the architecture therefore needs some adjustment.
This thesis proposes a flexible, distributed intrusion detection architecture and uses software-defined networking technology for defense. In addition, the system collects alerts from different nodes, analyzes their correlation, and generates security rules to achieve a joint defense. For more effective management, we also provide a security management center that can define security rules for each individual virtual switch.
Finally, we analyze the performance of the proposed system. The results show that the system can effectively block infected connections without placing much additional load on the system.
In recent years, cloud computing has become increasingly popular. Many companies have replaced traditional hosting with cloud hosting. In the cloud, a multi-tenant and virtualized environment, a physical machine may be shared by many tenants (virtual machines). Cloud providers are responsible for tenant isolation; if a tenant (virtual machine) is infected, other tenants will be affected. Because the virtual network environment is very complex, traditional intrusion detection systems can only detect attacks from external networks and cannot effectively detect attacks in the internal (virtual network) traffic. In order to fully defend against such threats, we need to redesign the architecture of the intrusion detection system.
In this thesis, we propose a flexible distributed architecture for intrusion detection and use software-defined networking technology for defensive purposes. In addition, our system collects alerts from different nodes and analyzes their correlation to generate security rules, achieving the effect of a joint defense. To make administration more effective, we also provide a web-based management center that reduces the burden on administrators. Finally, we compare the performance of the proposed system against the original system. The results show that our system adds only slight overhead and can effectively block malicious flows.