| Student: | 莫智凱 Mo, Zhi-Kai |
|---|---|
| Thesis title: | 於雲端平台中入侵偵測系統之研究 A Novel Network Intrusion Detection System in Cloud Computing |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | 碩士 Master |
| Department: | 電機資訊學院 (College of Electrical Engineering and Computer Science) - 電腦與通信工程研究所 Institute of Computer & Communication Engineering |
| Publication year: | 2014 |
| Academic year of graduation: | 102 |
| Language: | English |
| Pages: | 40 |
| Chinese keywords: | 雲端運算、深層封包探測、入侵偵測系統 (Cloud Computing, Deep Packet Inspection, Intrusion Detection System) |
| Foreign-language keywords: | Cloud Computing, Deep Packet Inspection, Intrusion Detection System |
| Statistics: | Views: 111, Downloads: 10 |
In recent years, with the rise of cloud computing and the maturity of virtualization technology, many enterprises have adopted virtualization to raise server utilization and reduce deployment costs. However, a virtualized environment produces a complex network topology: virtual machines can exchange traffic over the internal virtual network where external devices cannot easily monitor it, which leaves the whole cloud computing environment more exposed to malicious threats, and security incidents have been reported in some enterprises' cloud environments in recent years. An appropriate mechanism is therefore needed to detect and guard against malicious connection behaviour in cloud network environments. This thesis proposes a network-based intrusion detection system for virtualization platforms, improved from a multi-pattern-matching network traffic classifier; it collects the packets that virtual machines send over the internal network and uses deep packet inspection to analyze packet contents and identify malicious traffic or attack behaviour. We refine the traffic classifier's packet processing procedure to strengthen its intrusion detection capability, implement and deploy it on the XEN virtualization platform, and combine it with the Linux Netfilter framework to monitor network connections between the virtual machines in the system, so that packets are inspected efficiently and malicious threats in the cloud network environment are blocked in real time.
With the growth of cloud computing and the maturity of virtualization technology, many enterprises continue to virtualize their servers to increase server utilization and lower costs. However, the complex network topology that results from virtualized infrastructure may make the cloud more vulnerable, and security incidents have occurred on cloud computing platforms in recent years. Therefore, a proper mechanism is needed to detect and prevent malicious traffic. We propose a network intrusion detection system based on a virtualization platform. This intrusion detection system is improved from a multi-pattern-based network traffic classifier: it collects packets from the virtual network environment and analyzes packet contents with deep packet inspection to identify malicious network traffic and intrusion attempts. We improve the intrusion detection features of the network traffic classifier and deploy it on the XEN virtualization platform. Our system combines with the Linux Netfilter framework to monitor inter-virtual-machine communication within the virtualization platform. It also inspects packets efficiently and protects the cloud computing environment from malicious traffic in real time.