
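Graduate student: 邱建益 (Chien-Yi Chiu)
Thesis title: Frequent Pattern based Continuous Account Identification (基於頻繁模式的持續性身分認證)
Advisor: 李育杰 (Yuh-jye Lee)
Oral defense committee: 鮑興國 (Hsing-kuo Pao), 項天瑞 (Tien-ruey Hsiang), 葉倚任 (Yi-ren Yeh)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2013
Academic year of graduation: 102
Language: English
Number of pages: 33
Keywords (translated from Chinese): data mining, machine learning, frequent pattern, continuous authentication, anomaly detection
Keywords (English): data mining, machine learning, frequent pattern, anomaly detection, continuous authentication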
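  • Cloud computing has been a popular topic in the global information industry in recent years and is regarded as a major way of delivering network and computing services. However, some long-standing security problems, such as account theft and insider threats, will have a greater impact and cause more damage within cloud services. This thesis proposes using anomaly detection and random re-sampling to convert a system's running processes into market-basket-style transaction data, and uses the frequent patterns of normal transaction data as a profile of user behavior to detect malicious activity and suspicious computer usage originating from different users. We use virtual machines to collect normal user behavior and data from simulated malware operation, and use these data to verify whether the proposed method can accurately detect malicious programs running on the system. The experimental results show that our system detects all of the malicious programs while producing fewer than 4.6% false alarms. We also collected real-world user behavior data to verify whether our system can identify suspicious behavior from different users. In the experimental results, we detect on average 86% of the suspicious behavior from different users while producing fewer than 1% false alarms.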


    Cloud computing is a mature technology that has attracted attention in recent years and is considered the main part of the network and computing service provider. Some security issues, such as account theft and insider threat, will be more threatening in cloud computing. We propose a framework that utilizes anomaly detection and random re-sampling techniques to profile a user's behaviors via the frequent patterns of activated system processes. By utilizing the user profiles learned from normal data, our method can detect malicious activities and discriminate suspicious activities from different users. We use virtual machines (VMs) to collect process logs of normal users and malicious tools. The collected data are used to verify whether our method can detect the malicious activities on the system. The results show that all the malicious activities are detected with less than 4.6% false-positive rate. We also collect real-world data to test the ability to discriminate activities collected from different users. The results show that the user profiles can detect on average 86% of suspicious behaviors from different users with less than 1% false-positive rate.

    Contents
    1 Introduction
      1.1 Service hijacking vs. continuous authentication
      1.2 Problem and challenges
      1.3 Organization
    2 Motivation and related work
      2.1 Frequent pattern based continuous account identification
      2.2 Related work
    3 Methodology
      3.1 Representing system process logs as transactions
        3.1.1 Time period separation
        3.1.2 Random re-sampling
      3.2 Mining frequent patterns from transactions
      3.3 Suspicious score estimation
        3.3.1 Frequent Pattern Outlier Factor (FPOF)
        3.3.2 Longer Frequent Pattern Outlier Factor (LFPOF)
    4 System framework
      4.1 Overview
        4.1.1 Data Collector
        4.1.2 Anomaly Detection Engine
      4.2 Profile building and continuous monitoring
    5 Experiment
      5.1 Data sets
      5.2 Measurement
      5.3 Evaluation
        5.3.1 Detecting malicious activities
        5.3.2 Detecting suspicious behaviors from different users
    6 Conclusion and discussion
