
Author: 楊逸翔 (Yi-Hsiang Yang)
Title: User Behavior Anomaly Detection via System Usage and Active Process Patterns (Chinese title: 依據系統資源使用與執行程序之使用者異常行為偵測機制)
Advisor: 李育杰 (Yuh-Jye Lee)
Committee members: 項天瑞, 陳昇瑋, 葉倚任 (Yi-Ren Yeh)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2012
Academic year of graduation: 100 (ROC calendar)
Language: English
Pages: 48
Chinese keywords: system processes, anomalous user behavior detection, system usage rate
Keywords: system resource usage, process pattern, user behavior anomaly detection
Access statistics: 206 views, 1 download
Abstract (translated from the Chinese):

Cloud computing has become a very popular topic for the global IT industry, the Internet, and cloud service providers in recent years. Work on cloud computing security shows that more threats may be aimed at cloud platforms, such as account hijacking and insider attacks, and attackers will try every means to steal the important data of users on cloud services. We propose a technique that describes user behavior with two different feature sets combined with anomaly detection, and uses these two feature sets to detect all suspicious user behavior. One feature set is based on system resource utilization, such as CPU, virtual memory, and physical memory usage; we treat this feature set as describing the state of the operating system at each point in time. The other feature set is based on process information from the operating system, such as the processes the whole system is currently running; it provides the list of processes running in the operating system. We build a separate model for each feature set, and the two models represent the virtual-layer and application-layer information of the operating system respectively. With these two models we can describe user behavior in more detail and detect anomalous user behavior in the operating system. We implemented a system that can analyze users directly. In our experiments we could detect about 90% of anomalous user behavior with an acceptable false positive rate.


Abstract:

Cloud computing is a hot topic in the global IT industry and has been regarded as the main part of network and computing service provision in recent years. Some security issues become more threatening in cloud computing, such as account theft and insider threats. In a cloud service, the attacker can steal all the data of the account owner. We propose a framework that applies anomaly detection techniques to profile a user's behavior via two feature sets; the user's profile is then used to detect suspicious behavior. The first feature set is extracted from system resource usage, such as CPU, virtual memory, and physical memory usage; we use it to represent the machine status. The second feature set is extracted from process information, such as the system overhead of each process; it provides the active process list of the machine. We generate two models from these two feature sets, which give different views of the virtual layer and the application layer. Together, these two models are regarded as the user's profile for detecting anomalous behavior on the operating system. We implemented a prototype system and collected a real-world dataset to evaluate the framework. The system detects almost 90% of anomalous behaviors with a tolerable false positive rate.

Table of contents:

1 Introduction
  1.1 Motivation
  1.2 Challenges
  1.3 Goal
  1.4 Contributions
  1.5 Outline of the thesis
2 Related Work
3 Anomalous User Behavior Detection System
  3.1 Data Collection
  3.2 Virtual layer model
    3.2.1 K-median clustering
    3.2.2 K-median clustering for discretization
    3.2.3 Generating the user profile mode
    3.2.4 Online Over-Sampling Principal Component Analysis
    3.2.5 Generating the prediction model for cluster modes
  3.3 Application layer model
    3.3.1 Frequent pattern outlier factor
    3.3.2 Longer frequent pattern outlier factor
  3.4 Summary
4 Experiments
  4.1 Datasets
  4.2 Evaluation methods
  4.3 Experiment results
  4.4 Discussions
5 Conclusion and Future Works
  5.1 Conclusion
  5.2 Further Works

