| Graduate student: | 陳翔詠 Hsiang-yung Chen |
|---|---|
| Thesis title: | 使用軟體定義網路之跨雲端虛擬機器保護 (Inter-Cloud Networking Virtual Machine Protection Using Software Defined Network) |
| Advisor: | 曾黎明 Li-ming Tseng |
| Committee members: | |
| Degree: | 碩士 Master |
| Department: | 資訊電機學院 - 資訊工程學系 (Department of Computer Science & Information Engineering) |
| Publication year: | 2014 |
| Academic year of graduation: | 102 (ROC calendar) |
| Language: | Chinese |
| Pages: | 71 |
| Keywords (Chinese): | inter-cloud, software-defined network, Xen, intrusion detection and prevention, Open vSwitch |
| Keywords (English): | inter-cloud, Software Defined Network, Xen, intrusion detection and prevention system, Open vSwitch |
| Access counts: | Views: 15, Downloads: 0 |
With the rapid development of network technology, network architectures have been changing. In recent years the greatest attention has gone to software-defined networking (SDN), and many cloud-computing architectures are built on it. Cloud-computing services fall into three types: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Many cloud providers now offer virtual-machine services, and most build them on the Xen virtualization platform; the interconnection of virtual machines in the cloud uses networks that are defined and operated by software. Government agencies, schools and companies have placed their websites and databases on cloud virtual machines, which has led to large-scale use of virtual machines. With this, however, come further challenges, above all the security of virtual machines on cloud-computing platforms.
In an inter-cloud computing environment, users may be attacked from every direction, whether from outside or from inside, so an intrusion detection and prevention system is needed to withstand these attacks. Because both the external switch and the internal virtual switch receive such malicious packets, this study places intrusion detection and prevention software so that it monitors both of these points. It builds an OpenFlow software-defined network from the NetFPGA programmable network card developed by Stanford University together with Open vSwitch, and studies the problems cloud computing may face.
This thesis uses an OpenFlow switch and Open vSwitch to construct a software-defined inter-cloud computing environment, with Xen providing the virtual-machine service. The intrusion detection and prevention system Snort is installed on Xen's main control domain (domain-0) and combined with the software-defined network to protect the virtual machines on the Xen physical host. In experiments where an external machine or an internal virtual machine attacks a normal virtual machine, the attacks are defended against effectively; our results show that neither external machines nor internal virtual machines can attack the normal virtual machines.