Netinfo Security ›› 2020, Vol. 20 ›› Issue (9): 92-96. doi: 10.3969/j.issn.1671-1122.2020.09.019

• Selected Papers •

Abnormal Behavior Detection of Virtualization Platform Based on Image and Machine Learning

WANG Xiangyi1,2, ZHANG Jian1,2

  1. College of Cyber Science, Nankai University, Tianjin 300350, China
  2. Tianjin Key Laboratory of Network and Data Security Technology, Tianjin 300350, China
  • Received: 2020-07-16 Online: 2020-09-10 Published: 2020-10-15
  • Contact: ZHANG Jian, E-mail: jeffersonzj@qq.com
  • About the authors: WANG Xiangyi (born 1999), female, from Liaoning, master's student; main research interests: cloud security, network security and system security. ZHANG Jian (born 1968), male, from Tianjin, professor-level senior engineer, Ph.D.; main research interests: cloud security, network security and system security.
  • Supported by:
    Tianjin Key Research and Development Program (20YFZCGX00680); Tianjin Major Science and Technology Special Projects and Engineering Program (19ZXZNGX00090)

Abstract:

This paper proposes a machine-learning-based method for dynamically detecting abnormal behavior on a virtualization platform. Relying on the virtualization platform, the method extracts system memory while normal programs and malware are running and dumps it to files, passes part of that information through SimHash to form a grayscale image, and describes the image with local binary patterns (LBP) to obtain its texture features. These texture features are then used to train the constructed convolutional neural network, and the resulting model determines whether the virtualization platform exhibits abnormal behavior. Experiments show that the anomaly detection rate on the virtualization platform can reach 97.5%, and that the method can effectively detect cloud attack events.

Key words: cloud computing, virtualization, convolutional neural network, image feature, abnormal behavior detection

CLC number:
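
The feature-extraction stages named in the abstract (SimHash over dump contents, a grayscale image, LBP texture features) are shown below as an added example; it is not the authors' code. The chunk size, 4-byte shingles, BLAKE2b token hash, one-image-row-per-chunk layout and basic 3x3 LBP are assumptions, since the abstract does not specify them, and the CNN stage is left out.

```python
import hashlib
from collections import Counter

def simhash64(tokens):
    """Classic SimHash: per-bit majority vote over 64-bit token hashes."""
    votes = [0] * 64
    for tok in tokens:
        h = int.from_bytes(hashlib.blake2b(tok, digest_size=8).digest(), "big")
        for bit in range(64):
            votes[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(64) if votes[bit] > 0)

def dump_to_image(dump, chunk=256, shingle=4):
    """One row per chunk: its 64-bit SimHash split into 8 grey levels (assumed layout)."""
    rows = []
    for off in range(0, len(dump) - chunk + 1, chunk):
        block = dump[off:off + chunk]
        tokens = [block[i:i + shingle] for i in range(len(block) - shingle + 1)]
        rows.append(list(simhash64(tokens).to_bytes(8, "big")))
    return rows

# Clockwise 8-neighbourhood, starting at the top-left pixel.
NEIGHBOURS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]

def lbp_histogram(img):
    """Basic 3x3 LBP code of every interior pixel, as a 256-bin histogram."""
    hist = Counter()
    for y in range(1, len(img) - 1):
        for x in range(1, len(img[0]) - 1):
            code = 0
            for k, (dy, dx) in enumerate(NEIGHBOURS):
                if img[y + dy][x + dx] >= img[y][x]:
                    code |= 1 << k
            hist[code] += 1
    return [hist[c] for c in range(256)]

def constructed_dump(seed, size=4096):
    """Constructed stand-in for a memory dump file: deterministic bytes."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]

if __name__ == "__main__":
    image = dump_to_image(constructed_dump(b"benign-sample"))
    features = lbp_histogram(image)  # 256-value texture vector for a classifier
    print(len(image), "x", len(image[0]), "image;", sum(features), "LBP codes")
```

The 256-bin histogram is the per-dump texture vector; in a pipeline like the one the abstract describes, vectors from dumps taken under normal programs and under malware would form the two training classes.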