Student: 葉奇典 (Chi-tien Yeh)
Thesis title: Virtual Machine Usage Monitoring via Process Log and Text Mining (基於程式紀錄與文件分類之虛擬機使用者行為監測機制)
Advisor: 李育杰 (Yuh-Jye Lee)
Oral examination committee: 鮑興國 (Hsing-Kuo Pao), 葉倚任 (Yi-Ren Yeh), 吳尚鴻 (Shan-Hung Wu), 陳昇瑋 (Sheng-Wei Chen)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science (電資學院 - 資訊工程系)
Year of publication: 2013
Academic year of graduation: 101 (ROC calendar)
Language: English
Number of pages: 43
Chinese keywords: application process log, continuous authentication mechanism, virtual machine security, text classification, one-class support vector machine, anomaly detection
English keywords: process log, anomaly detection, one-class SVM, virtual machine, account security, continuous monitoring
In recent years, cloud computing technology has developed rapidly across the IT industry, and virtualization plays an important role in it. Cloud service providers virtualize their physical machine resources to offer various virtualized services, so that users can rent resources on demand and pay according to how much they consume. At the same time, threats such as account theft, insider attacks and malicious programs have spread from physical hosts to virtual hosts. Moreover, many cloud providers rely on a single sign-on authorization mechanism that authenticates credentials rather than the person, which cannot guarantee that a virtual machine is being operated by its legitimate user. For this reason, continuous authentication plays an important role on virtual machines. This thesis proposes a framework for continuous authentication of virtual machine users based on application usage logs. Using re-sampling, text classification and machine learning techniques, it builds a profile of each user's application behaviour. We implemented this framework and designed two experimental scenarios to collect data, in order to verify whether the proposed framework can correctly detect the behaviour of malicious software and the behaviour of other users. The experimental results show that in both experiments we maintained a high true positive rate and a low false positive rate, so the proposed framework is capable of continuously identifying virtual machine users.


In recent years, cloud computing has become a popular technique in the IT industry, and virtualization is an important part of it. One cloud service model provides infrastructure on which users can rent virtual machines (VMs) immediately when they need them and pay only for the resources consumed. At the same time, some security issues become more threatening in this setting, such as account theft, insider threats, and malicious applications. Although one-time authorization at login offers some protection against these threats, there is no guard after the user has logged in to the system. To address this shortcoming, continuous monitoring mechanisms have become popular. In this thesis, we propose a continuous monitoring framework that uses text mining, re-sampling and machine learning techniques to profile a user's behaviour from the system process log extracted from the user's VM. We implemented this framework as a prototype system to evaluate its performance. We used a VM to collect logs produced by malicious tools in order to verify the system's ability to detect malicious activities, and we also collected real-world data to verify whether our system can distinguish different users' behaviours. The experimental results showed that our framework detects malicious behaviours with a high true positive rate (TPR) and a low false positive rate (FPR). Our results also showed that the proposed framework is well suited to detecting malicious behaviours continuously.

Contents:
Abstract (Chinese)
Abstract (English)
Chapter 1 Introduction 1
  1.1 Background 1
  1.2 Motivation and Goal Setting 4
  1.3 Organization of Thesis 7
Chapter 2 Related Work 8
Chapter 3 System Framework 10
  3.1 Architecture 10
  3.2 Training Procedure 10
  3.3 Continuous Monitoring Procedure 11
Chapter 4 Representing the System Process Log as a Document 13
  4.1 Transforming the System Log to Document 13
    4.1.1 Definitions of Term and Dictionary 14
    4.1.2 Time Period Separation 14
  4.2 Re-Sampling 16
Chapter 5 Text Mining Technique 18
  5.1 Stop Words 18
  5.2 Bag-of-words Model 19
  5.3 Term Weighting 20
  5.4 Latent Semantic Indexing 21
    5.4.1 Singular Value Decomposition 22
    5.4.2 Low-Rank Approximations and Term-Concept Matrix 22
Chapter 6 One-Class Support Vector Machine 25
Chapter 7 Experiments 28
  7.1 Data Collection Tool and Data Format 28
  7.2 Experimental Setting 29
    7.2.1 Virtual Machine Environment Testing 30
    7.2.2 Real World Machine Testing 30
  7.3 Evaluation Methods 31
  7.4 Experimental Result 32
    7.4.1 Malicious Behavior Detection Experiment 32
    7.4.2 User by User Experiment 33
  7.5 Discussion 35
    7.5.1 The LSI k Value Selection 35
    7.5.2 Daily Update Experiment 35
    7.5.3 The Comparison of Term Definition 36
Chapter 8 Conclusion and Future Works 39

Full text release date: 2018/07/26 (campus network)
Full text release date: not authorized for public release (off-campus network)
Full text release date: not authorized for public release (National Central Library: Taiwan dissertation system)