CN104994094A - Virtualization platform safety protection method, device and system based on virtual switch - Google Patents


Info

Publication number: CN104994094A
Application number: CN201510379913.3A
Authority: CN (China)
Prior art keywords: packet, security policy, virtual switch, network security, interface
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN104994094B (en)
Inventor: 汪圣平
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Events: priority to CN201510379913.3A; publication of CN104994094A; application granted; publication of CN104994094B

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Separating internal from external traffic, e.g. firewalls
            • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                • H04L63/0263 Rule management
        • H04L63/14 Detecting or protecting against malicious traffic
            • H04L63/1408 Monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
        • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators

Abstract

Embodiments of the invention provide a virtualization platform security protection method, device and system based on a virtual switch. A first interface in the virtual switch intercepts, on a communication link of the virtual switch, a data packet sent by a first device to a second device; the feature information in a data feature library that corresponds to a network security policy is used to detect whether the packet is safe, and if so, a second interface in the virtual switch sends the packet to the second device. Because the inspection happens inside the virtual switch, the traffic does not have to be diverted to an external system for security inspection, which improves the processing efficiency of the inspection and reduces the latency of the communication.

Description

Virtualization platform security protection method, device and system based on a virtual switch
Technical field
The present invention relates to the field of communication technology, and in particular to a virtualization platform security protection method, device and system based on a virtual switch.
Background
Devices on a virtualization platform communicate with each other through at least one virtual switch. These interactions include communication from a physical machine to a virtual machine, from a virtual machine to a physical machine, and between virtual machines.
To secure communication on the virtualization platform, the traffic of these interactions has to be inspected. The prior art mainly reconfigures the ports of the communication devices involved in the interaction so that all traffic passing through the virtual machines is redirected to an external security system for inspection.
The prior art therefore has to divert all traffic to an external security system. As traffic grows, moving large volumes of data out to that system and back reduces communication efficiency, and the external security system easily becomes a processing bottleneck, which degrades processing efficiency.
Summary of the invention
Embodiments of the present invention provide a virtualization platform security protection method, device and system based on a virtual switch. The technical solution is as follows:
According to a first aspect of the embodiments of the present invention, a virtualization platform security protection method based on a virtual switch is provided. The method comprises:
receiving a data packet sent by a first interface in the virtual switch, where the first interface intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device;
using a data feature library to detect whether the packet conforms to a preset network security policy, where the data feature library contains feature information corresponding to the network security policy; and
if the packet is judged to conform to the network security policy, sending the inspected packet to the second device through a second interface in the virtual switch.
According to a second aspect of the embodiments of the present invention, a virtualization platform security protection device based on a virtual switch is provided. The device comprises:
a receiving module, configured to receive a packet sent by a first interface in the virtual switch, where the first interface intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device;
a detection module, configured to use a data feature library to detect whether the packet conforms to a preset network security policy, where the data feature library contains feature information corresponding to the network security policy; and
a sending module, configured to send the inspected packet to the second device through a second interface in the virtual switch if the packet is judged to conform to the network security policy.
According to a third aspect of the embodiments of the present invention, a virtualization platform security protection system based on a virtual switch is provided. The system comprises a first device and a second device located on the virtualization platform, and a virtual switch. Each of the first device and the second device is either a physical machine on the virtualization platform or a virtual machine deployed on a physical machine, and the virtual switch comprises the virtualization platform security protection device described above.
In the method, device and system provided by the embodiments of the present invention, a first interface in the virtual switch intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device; the feature information in the data feature library corresponding to the network security policy is used to detect whether the packet is safe; and if so, the packet is sent to the second device through a second interface in the virtual switch. Traffic inside the virtual switch therefore does not have to be diverted to an external system for inspection, which improves the processing efficiency of the inspection and reduces the latency of the communication.
It should be understood that the general description above and the detailed description below are merely exemplary and explanatory and do not limit the present invention.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention;
Fig. 3 is a flowchart of another virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention;
Fig. 4 is a flowchart of another virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention;
Fig. 5 is a flowchart of another virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a virtualization platform security protection device based on a virtual switch provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another virtualization platform security protection device based on a virtual switch provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another virtualization platform security protection device based on a virtual switch provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of another virtualization platform security protection device based on a virtual switch provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another virtualization platform security protection device based on a virtual switch provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a virtualization platform security protection system based on a virtual switch provided by an embodiment of the present invention.
The drawings above illustrate specific embodiments of the present invention, which are described in more detail below. The drawings and the text are not intended to limit the scope of the inventive concept in any way, but to explain the concept of the invention to those skilled in the art by reference to specific embodiments.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of a virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: receive a packet sent by the first interface in the virtual switch, where the first interface intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device.
A virtualization platform comprises at least one physical machine. With virtualization technology one physical machine can be virtualized into several virtual machines, and at least one virtual switch is virtualized on the platform. Each virtual machine can run a different operating system and different applications; virtual machines communicate with each other, and with physical machines, through the virtual switch.
There are several kinds of communicating parties on the virtualization platform: a virtual machine sends packets to a virtual machine through the virtual switch, a physical machine sends packets to a virtual machine through the virtual switch, or a virtual machine sends packets to a physical machine through the virtual switch. To explain the method of this embodiment more clearly, it is described for the case in which a first device and a second device on the virtualization platform communicate through the virtual switch, where the first device is a physical machine or a virtual machine and the second device is likewise a physical machine or a virtual machine.
A first interface is set up in the virtual switch in advance; it intercepts, on the communication link in the virtual switch, packets sent by the first device to the second device. The position of the first interface on the link can be chosen according to the application, for example the entrance of the link or a point in the middle of it: any position the packet passes on the link before it leaves the virtual switch can serve as the position of the first interface.
The first interface can be generated in several ways, chosen according to the application; this embodiment does not restrict them. For example, it can be generated in the virtual switch by a hook program, or a pre-built interface can be obtained from the control center of the virtualization platform and installed.
When the first device sends a packet to the second device over a communication link established in advance through the virtual switch, the first interface intercepts the packet on the link and sends it to the data feature library for security inspection.
Step 102: use a data feature library to detect whether the packet conforms to a preset network security policy, where the data feature library contains feature information corresponding to the network security policy.
A data feature library is provided in the virtual switch in advance; it contains the feature information corresponding to the network security policy. The network security policy comprises at least one of network permission audit, network attack detection and traffic intrusion; it can be configured according to the network application environment and the service types of the virtual machines and physical machines, and this embodiment does not restrict it. Since the policies differ, the content and representation of the corresponding feature information also differ.
When the data feature library receives, through the first interface, a packet sent by the first device to the second device, it uses the feature information corresponding to the network security policy to detect whether the packet conforms to the preset policy. Because the feature information differs from policy to policy, the concrete detection procedure and criteria also differ; they are described in the following embodiments.
Step 103: if the packet is judged to conform to the network security policy, send the inspected packet to the second device through the second interface in the virtual switch.
If the data feature library judges from the feature information corresponding to the network security policy that the packet conforms to the preset policy, the packet poses no network attack threat to the devices on the virtualization platform and may pass through the virtual switch. The inspected packet is therefore handed to the second interface, which sends it to the second device.
The second interface forwards packets that have passed the security inspection of the data feature library. Its position on the communication link can be chosen according to the application, for example the exit of the link or any position between the first interface and the exit.
The second interface, like the first, can be generated in several ways chosen according to the application; this embodiment does not restrict them. For example, it can be generated in the virtual switch by a hook program, or a pre-built interface can be obtained from the control center of the virtualization platform and installed.
In the method provided by this embodiment, a first interface in the virtual switch intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device; the feature information in the data feature library corresponding to the network security policy is used to detect whether the packet is safe; and if so, the packet is sent to the second device through a second interface in the virtual switch. Traffic inside the virtual switch therefore does not have to be diverted to an external system for inspection, which improves the processing efficiency of the inspection and reduces the latency of the communication.
Fig. 2 is a flowchart of another virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention. This embodiment describes in detail how the first interface and/or the second interface are generated in the virtual switch by a hook program, and the security protection processing applied when a packet is found to be unsafe. As shown in Fig. 2, the method comprises:
Step 201: use a hook program to set, on the communication link, a first registration point for intercepting the packet, and encapsulate the first registration point to establish the first interface; and/or use a hook program to set, on the communication link, a second registration point for forwarding the packet, and encapsulate the second registration point to establish the second interface.
A hook program sets a first registration point for intercepting packets on the communication link of the virtual switch, and the first registration point is encapsulated to establish the first interface. The first registration point is an anchor placed directly on the communication link for intercepting the packets on it; encapsulating it yields the first interface, which carries the interception function. In other words, the first registration point is tagged with an interception mark, so that a packet is intercepted when it arrives at that point.
and/or
A hook program sets a second registration point for forwarding packets on the communication link, and the second registration point is encapsulated to establish the second interface. The second registration point is an anchor placed directly on the communication link for forwarding packets after security inspection; encapsulating it yields the second interface, which carries the forwarding function. In other words, the second registration point is tagged with a forwarding mark, so that a packet is forwarded when it arrives at that point.
Step 202: receive a packet sent by the first interface in the virtual switch, where the first interface intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device.
When the first device sends a packet to the second device over a communication link established in advance through the virtual switch, the first interface intercepts the packet on the link and sends it to the data feature library for security inspection.
Step 203: use a data feature library to detect whether the packet conforms to a preset network security policy, where the data feature library contains feature information corresponding to the network security policy.
When the data feature library receives, through the first interface, a packet sent by the first device to the second device, it uses the feature information corresponding to the network security policy to detect whether the packet conforms to the preset policy. Because the feature information differs from policy to policy, the concrete detection procedure and criteria also differ; they are described in the following embodiments.
Step 204: if the packet is judged to conform to the network security policy, send the inspected packet to the second device through the second interface in the virtual switch; if the packet is judged not to conform to the network security policy, apply security protection processing to the packet according to the network threat type in the network security policy.
If the data feature library judges from the feature information corresponding to the network security policy that the packet conforms to the preset policy, the packet poses no network attack threat to the devices on the virtualization platform and may pass through the virtual switch. The inspected packet is therefore handed to the second interface, which sends it to the second device.
If the data feature library judges from the feature information that the packet does not conform to the network security policy, security protection processing is applied to the packet according to the network threat type in the policy, so that a packet carrying a network threat cannot leave the virtual switch and reach the second device.
In the method provided by this embodiment, a first interface set up in the virtual switch by a hook program intercepts, on a communication link in the virtual switch, a packet sent by a first device to a second device; the feature information in the data feature library corresponding to the network security policy is used to detect whether the packet is safe; if so, the packet is sent to the second device through a second interface set up in the virtual switch by a hook program; if not, security protection processing is applied to the packet. Traffic inside the virtual switch therefore does not have to be diverted to an external system for inspection, which improves the processing efficiency of the inspection, reduces the latency of the communication, and further improves the security of the virtualization platform.
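The data path of Steps 201 to 204 (and of Steps 101 to 103), as an added example in Python that is not code from the patent or its assignees. The two hook registration points are modelled as an ingress and an egress callback on a toy link, the data feature library as an ordered list of policy callables, and security protection processing as either discarding the packet or forwarding a repaired copy. The packet format, the two policies and the traffic are constructed for the example. One design choice the patent does not address is made explicit: when the detector itself raises an error, the first interface drops the packet (fails closed), because the inspection now sits in the switch's own forwarding path and an error there must not silently become a bypass.

```python
# Added example, not code from the patent: a toy virtual-switch data path with
# hook-style registration points (Steps 201-204). Assumptions of mine: a packet is
# a dict, the feature library is an ordered list of policy callables, and any
# detector exception fails closed (drop) rather than open (forward).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "payload": b"..."}


@dataclass
class Verdict:
    safe: bool                 # True: conforms to the policy as received
    packet: Optional[Packet]   # packet to forward (original or repaired); None means drop
    reason: str = ""


Policy = Callable[[Packet], Verdict]


@dataclass
class FeatureLibrary:
    """Data feature library: ordered policies, each carrying its own feature information."""
    policies: List[Policy] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> Verdict:
        notes: List[str] = []
        for policy in self.policies:
            v = policy(pkt)
            if v.packet is None:          # protection processing = discard
                return v
            if not v.safe:                # protection processing = repair, keep checking
                notes.append(v.reason)
            pkt = v.packet
        return Verdict(not notes, pkt, "; ".join(notes) or "passed")


@dataclass
class VirtualSwitch:
    library: FeatureLibrary
    hooks: Dict[str, Callable[[Packet], Optional[Packet]]] = field(default_factory=dict)
    delivered: List[Packet] = field(default_factory=list)
    dropped: List[str] = field(default_factory=list)

    def register_hook(self, point: str, fn: Callable[[Packet], Optional[Packet]]) -> None:
        """Registration point 'ingress' (interception mark) or 'egress' (forward mark)."""
        self.hooks[point] = fn

    def first_interface(self, pkt: Packet) -> Optional[Packet]:
        """Intercept: hand the packet to the feature library; drop on any detector error."""
        try:
            v = self.library.inspect(pkt)
        except Exception as exc:
            self.dropped.append(f"detector error, failing closed: {exc}")
            return None
        if v.packet is None:
            self.dropped.append(v.reason)
        return v.packet

    def second_interface(self, pkt: Packet) -> Optional[Packet]:
        """Forward: deliver the inspected (possibly repaired) packet to the second device."""
        self.delivered.append(pkt)
        return pkt

    def link_send(self, pkt: Packet) -> bool:
        """The communication link from the first device to the second device."""
        for point in ("ingress", "egress"):
            hook = self.hooks.get(point)
            if hook is not None:
                pkt = hook(pkt)
                if pkt is None:
                    return False
        return True


# Two sample policies, constructed for the example.
def deny_source(blocked: str) -> Policy:
    def policy(pkt: Packet) -> Verdict:
        if pkt["src"] == blocked:
            return Verdict(False, None, f"source {blocked} is blocked")
        return Verdict(True, pkt)
    return policy


def filter_probe_marker(pkt: Packet) -> Verdict:
    """Repair instead of drop: strip a constructed 'PROBE' marker from the payload."""
    payload = pkt["payload"]
    if b"PROBE" in payload:
        return Verdict(False, dict(pkt, payload=payload.replace(b"PROBE", b"")), "probe marker filtered")
    return Verdict(True, pkt)


def build_switch() -> VirtualSwitch:
    sw = VirtualSwitch(FeatureLibrary([deny_source("10.0.0.66"), filter_probe_marker]))
    sw.register_hook("ingress", sw.first_interface)   # first registration point
    sw.register_hook("egress", sw.second_interface)   # second registration point
    return sw


def demo() -> dict:
    """Push three constructed packets through the switch and report what happened."""
    sw = build_switch()
    sw.link_send({"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "payload": b"GET / HTTP/1.1"})
    sw.link_send({"src": "10.0.0.66", "dst": "10.0.0.9", "dport": 25, "payload": b"HELO x"})
    sw.link_send({"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 23, "payload": b"login PROBE"})
    return {"delivered": [p["payload"] for p in sw.delivered], "dropped": sw.dropped}


if __name__ == "__main__":
    print(demo())
```

Running demo() delivers the first and the repaired third packet and drops the second with the reason recorded by the first interface. The ordering matters: a drop verdict ends inspection immediately, while a repair verdict passes the repaired packet to the remaining policies, so later policies see what will actually be forwarded.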
For the embodiment of Fig. 2, the feature information of the network security policy, and the concrete detection procedure and criteria, differ from policy to policy. To explain clearly how the data feature library inspects a packet, and how security protection processing is applied to the packet according to the network threat type in the policy when the packet is judged not to conform to it, the embodiments of Fig. 3 to Fig. 5 give specific descriptions.
Fig. 3 is a flowchart of another virtualization platform security protection method based on a virtual switch provided by an embodiment of the present invention. This embodiment describes the security inspection procedure when the network security policy is network permission audit, and the security protection processing applied to a packet whose network threat type is that of network permission audit. As shown in Fig. 3, the method comprises:
Step 301: obtain the network access permission information corresponding to the source IP of the packet.
Specifically, when the network security policy is network permission audit, the feature information corresponding to the policy comprises IP address information and the network access permission information corresponding to each IP address.
When the data feature library receives the packet sent by the first interface, it parses the packet to obtain its source IP address and destination IP address. It then looks up the stored IP address information and the corresponding network access permission information to obtain the network access permission information of the packet's source IP.
Step 302: audit the legitimacy of the destination IP according to the network access permission information.
The legitimacy of the destination IP is audited according to the obtained network access permission information, that is, the permission information is used to decide whether the source IP is permitted to access the network resources corresponding to the destination IP. If it is, the destination IP is legitimate, the packet passes the security inspection and is sent to the second device through the second interface. If the source IP is not permitted to access the network resources corresponding to the destination IP, the destination IP is illegitimate, the packet fails the security inspection, and security protection processing has to be applied to it.
Step 303: if the destination IP is judged illegitimate, modify the destination IP, according to the network access permission information, to an IP the source is permitted to access, and send the modified packet to the second interface.
If the source IP is judged not permitted to access the network resources corresponding to the destination IP, the destination IP is illegitimate and the packet fails the security inspection. The destination IP is therefore rewritten, according to the obtained network access permission information, to an IP the source is permitted to access, and the modified packet is sent to the second interface, which sends it on to the second device.
In the method provided by this embodiment, the feature information in the data feature library corresponding to network permission audit is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is modified into one with legitimate access permission and then forwarded. This improves the security of the virtualization platform.
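Steps 301 to 303 over a raw IPv4/TCP packet, as an added example that is not code from the patent. The feature information is assumed to be a table mapping each source IP to the set of destination IPs it may reach plus the legitimate destination to rewrite to, and a source with no entry is dropped (my choice; the patent does not say what happens then). The practitioner's detail the patent leaves out is that rewriting the destination address invalidates both the IPv4 header checksum and the TCP pseudo-header checksum, so both are recomputed; otherwise the second device's network stack discards the modified packet. The table and the packets are constructed for the example.

```python
# Added example, not the patent's code: network permission audit (Steps 301-303)
# over a raw IPv4/TCP packet, with the checksum fix-up that a destination rewrite needs.
# Assumptions of mine: PERMISSIONS maps src -> (allowed dsts, rewrite target);
# an unknown source is dropped (fail closed).
import ipaddress
import struct
from typing import Dict, Set, Tuple

# Constructed feature information: source IP -> (allowed destinations, legitimate rewrite target).
PERMISSIONS: Dict[str, Tuple[Set[str], str]] = {
    "10.0.0.5": ({"10.0.0.9", "10.0.0.10"}, "10.0.0.9"),
    "10.0.0.7": ({"10.0.0.10"}, "10.0.0.10"),
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, int]:
    """Step 301 parsing: (src, dst, protocol number, header length) from the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], ihl


def rewrite_destination(pkt: bytes, new_dst: str) -> bytes:
    """Step 303: replace the destination IP and recompute the IP and TCP checksums."""
    src, _, proto, ihl = parse_ipv4(pkt)
    hdr = bytearray(pkt[:ihl])
    hdr[16:20] = ipaddress.IPv4Address(new_dst).packed
    hdr[10:12] = b"\x00\x00"                               # zero before recomputing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    body = bytearray(pkt[ihl:])
    if proto == 6 and len(body) >= 20:                     # TCP: pseudo-header includes dst
        body[16:18] = b"\x00\x00"
        pseudo = ipaddress.IPv4Address(src).packed + hdr[16:20] + struct.pack("!BBH", 0, 6, len(body))
        body[16:18] = struct.pack("!H", checksum(pseudo + bytes(body)))
    return bytes(hdr) + bytes(body)


def permission_audit(pkt: bytes) -> Tuple[str, bytes]:
    """Steps 301-303: returns ('pass' | 'rewritten' | 'drop', packet to hand to the second interface)."""
    src, dst, _, _ = parse_ipv4(pkt)
    entry = PERMISSIONS.get(src)
    if entry is None:
        return "drop", b""
    allowed, target = entry
    if dst in allowed:
        return "pass", pkt
    return "rewritten", rewrite_destination(pkt, target)


def checksums_valid(pkt: bytes) -> bool:
    """What the receiving stack checks: both checksums verify to zero."""
    src, dst, proto, ihl = parse_ipv4(pkt)
    if checksum(pkt[:ihl]) != 0:
        return False
    if proto == 6:
        seg = pkt[ihl:]
        pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(seg))
        return checksum(pseudo + seg) == 0
    return True


def build_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP SYN-style packet with valid checksums, for the example only."""
    tcp_len = 20 + len(payload)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)) + payload
    pseudo = hdr[12:16] + hdr[16:20] + struct.pack("!BBH", 0, 6, tcp_len)
    tcp[16:18] = struct.pack("!H", checksum(bytes(pseudo + tcp)))
    return bytes(hdr) + bytes(tcp)


if __name__ == "__main__":
    status, out = permission_audit(build_packet("10.0.0.7", "10.0.0.9", b"hello"))
    print(status, parse_ipv4(out)[:2], checksums_valid(out))
```

A packet from 10.0.0.7 to 10.0.0.9 is not in that source's allowed set, so it leaves the audit rewritten to 10.0.0.10 with both checksums valid; the same packet from 10.0.0.5 passes untouched. If the IPv4 header carries options (IHL greater than 5), the header slice and the checksum still cover them because the code uses the IHL field rather than a fixed 20 bytes.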
Fig. 4 is a flow chart of another virtual platform security protection method based on a virtual switch provided by an embodiment of the present invention. This embodiment describes the security detection process when the network security policy is network attack detection, and the security protection processing applied to a packet whose network threat type is network attack detection. As shown in Fig. 4, the method specifically comprises:
Step 401: determine the communication protocol used by the packet;
Specifically, when the network security policy is network attack detection, the feature information corresponding to the network security policy comprises: the key fields corresponding to the communication protocol of the packet, and attack-string descriptors.
When the data feature library receives a packet sent by the first interface, it parses the packet to determine the communication protocol the packet uses. The protocol is obtained from the header information of the packet. Communication protocols specifically include: the Hypertext Transfer Protocol (HTTP), the Telnet remote login protocol, and the Simple Mail Transfer Protocol (SMTP).
Step 402: obtain the data in the key fields corresponding to the communication protocol, and judge whether the data in the key fields contains an attack-string descriptor;
Query the prestored feature information for the key fields corresponding to the packet's communication protocol and for the attack-string descriptors. Obtain the data from the key fields corresponding to this protocol, and judge whether it contains any attack-string descriptor that the feature information associates with the protocol. If the data in the key fields is judged not to contain an attack-string descriptor, the packet passes the security detection and is sent to the second device through the second interface. If the data in the key fields is judged to contain an attack-string descriptor, the packet fails the security detection and security protection processing must be applied to it.
Step 403: if the data in the key fields is judged to contain an attack-string descriptor, discard the packet; or, filter the packet to obtain a packet that meets the network security policy, and send it to the second interface.
If the data in the key fields is judged to contain an attack-string descriptor, the packet fails the security detection and is therefore discarded; or, the packet is filtered to obtain a packet that meets the network security policy, which is sent to the second interface, and the second interface sends it to the second device.
The virtual platform security protection method based on a virtual switch provided in this embodiment uses the feature information in the data feature library corresponding to network attack detection to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded or filtered. This improves the security of the virtual platform.
Fig. 5 is a flow chart of another virtual platform security protection method based on a virtual switch provided by an embodiment of the present invention. This embodiment describes the security detection process when the network security policy is flow intrusion, and the security protection processing applied to a packet whose network threat type is flow intrusion. As shown in Fig. 5, the method specifically comprises:
Step 501: match the file header information, intermediate file format and file end format of the packet against the format information in the feature information;
Specifically, when the network security policy is flow intrusion, the feature information corresponding to the network security policy comprises: the format information of packets, and the traffic threshold within a preset time corresponding to the format information, where the format information comprises at least one of: file header information, intermediate file format, and file end format.
When the data feature library receives a packet sent by the first interface, it parses the packet and matches its file header information, intermediate file format and file end format against the format information in the feature information. Take the data format of a DDoS attack as an example: if, within the preset time, the traffic of packets having the DDoS attack data format exceeds the preset traffic threshold, this indicates that their purpose is to consume large amounts of the processing resources of the target device and crash its system.
Step 502: judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
Query the prestored feature information and judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold. If the traffic within the preset time is judged to be less than or equal to the preset traffic threshold, the packet passes the security detection and is sent to the second device through the second interface. If the traffic within the preset time is judged to be greater than or equal to the preset traffic threshold, the packet fails the security detection and security protection processing must be applied to it.
Step 503: if the traffic of successfully matched packets within the preset time is judged to exceed the traffic threshold, discard the packet.
If the traffic of successfully matched packets within the preset time is judged to exceed the traffic threshold, the packet fails the security detection and is therefore discarded.
The virtual platform security protection method based on a virtual switch provided in this embodiment uses the feature information in the data feature library corresponding to flow intrusion to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded. This improves the security of the virtual platform.
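As an added example that is not part of the patent, the following Python sketch implements the three policies of the data feature library described for Figs. 3, 4 and 5 (network permission audit with destination rewrite, attack-string inspection of protocol key fields, and the flow-intrusion threshold over a preset time) on constructed packets; the packet layout, rule values, action names and the drop of packets from a source with no access rights are all assumptions.

```python
# Added example, not the patent's own code: a minimal data feature library that
# applies the three network security policies (Figs. 3-5) to packets handed over
# by the first interface. Packet layout, rule values and action names are assumed.
from collections import deque
from dataclasses import dataclass, field, replace


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str              # determined from the packet header (step 401)
    fields: dict               # protocol key fields already parsed, e.g. {"path": "/x"}
    fmt: tuple = ("", "", "")  # (file header, intermediate format, end format)
    size: int = 0              # bytes, counted toward the flow threshold


@dataclass
class FeatureLibrary:
    access_rights: dict        # source IP -> set of destination IPs it may access
    key_fields: dict           # protocol -> key fields to inspect
    attack_strings: dict       # protocol -> attack-string descriptors (substrings)
    flow_rules: dict           # packet format -> (preset time in s, byte threshold)
    _windows: dict = field(default_factory=dict)  # format -> deque of (time, size)

    def audit_permission(self, pkt):
        """Network permission audit (step 303): rewrite an unauthorized
        destination IP to one the source IP is allowed to reach."""
        lawful = self.access_rights.get(pkt.src_ip, set())
        if pkt.dst_ip in lawful:
            return "FORWARD", pkt
        if not lawful:
            # Assumption: the patent names no lawful IP for an unknown source,
            # so the packet is dropped here rather than rewritten.
            return "DROP", pkt
        return "REWRITE", replace(pkt, dst_ip=sorted(lawful)[0])

    def detect_attack(self, pkt, mode="drop"):
        """Network attack detection (steps 401-403): look for attack-string
        descriptors inside the key fields of the packet's protocol."""
        hits = [(name, sig)
                for name in self.key_fields.get(pkt.protocol, ())
                for sig in self.attack_strings.get(pkt.protocol, ())
                if sig in pkt.fields.get(name, "")]
        if not hits:
            return "FORWARD", pkt
        if mode == "drop":
            return "DROP", pkt
        # Filtering alternative: strip the matched strings and forward the rest.
        cleaned = dict(pkt.fields)
        for name, sig in hits:
            cleaned[name] = cleaned[name].replace(sig, "")
        return "FILTER", replace(pkt, fields=cleaned)

    def detect_flow(self, pkt, now):
        """Flow intrusion (steps 501-503): count traffic of packets whose format
        matches a rule and drop once the preset-time threshold is exceeded."""
        rule = self.flow_rules.get(pkt.fmt)
        if rule is None:
            return "FORWARD", pkt      # format matches no rule in the library
        window, threshold = rule
        seen = self._windows.setdefault(pkt.fmt, deque())
        seen.append((now, pkt.size))
        while seen and now - seen[0][0] > window:
            seen.popleft()             # discard samples older than the preset time
        if sum(size for _, size in seen) > threshold:
            return "DROP", pkt
        return "FORWARD", pkt

    def inspect(self, pkt, now, attack_mode="drop"):
        """Run the policies in order; DROP ends processing, otherwise the
        (possibly rewritten or filtered) packet goes to the second interface."""
        verdict = "FORWARD"
        for check in (self.audit_permission,
                      lambda p: self.detect_attack(p, attack_mode),
                      lambda p: self.detect_flow(p, now)):
            action, pkt = check(pkt)
            if action == "DROP":
                return "DROP", pkt
            if action != "FORWARD":
                verdict = action
        return verdict, pkt


def build_library():
    """Constructed sample rules; every value here is illustrative."""
    return FeatureLibrary(
        access_rights={"10.0.0.5": {"10.0.0.20", "10.0.0.21"}},
        key_fields={"HTTP": ("path", "query"), "SMTP": ("mail_from",)},
        attack_strings={"HTTP": ("../", "<script"), "SMTP": ("\r\n",)},
        flow_rules={("SYN", "", ""): (1.0, 3000)},  # 1 s window, 3000 bytes
    )
```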
Fig. 6 is a schematic structural diagram of a virtual platform security protection device based on a virtual switch provided by an embodiment of the present invention. As shown in Fig. 6, the device comprises: a receiving module 11, a detection module 12 and a sending module 13, where:
The receiving module 11 is configured to receive a packet sent by a first interface in the virtual switch, the first interface being configured to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
The detection module 12 is configured to use a data feature library to detect whether the packet meets a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
The sending module 13 is configured to, if the packet is judged to meet the network security policy, send the packet that has passed security detection to the second device through a second interface in the virtual switch.
The functions and processing flow of each module in the virtual platform security protection device based on a virtual switch provided in this embodiment may be found in the method embodiment shown in Fig. 1 above; the implementation principles are similar and are not repeated here.
The virtual platform security protection device based on a virtual switch provided in this embodiment intercepts, through the first interface in the virtual switch, packets sent by the first device to the second device on the communication link in the virtual switch, uses the feature information in the data feature library corresponding to the network security policy to detect whether the packet is safe, and if so sends it to the second device through the second interface in the virtual switch. This avoids diverting the communication traffic in the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the delay of communication interaction.
Fig. 7 is a schematic structural diagram of another virtual platform security protection device based on a virtual switch provided by an embodiment of the present invention. As shown in Fig. 7, based on the embodiment shown in Fig. 6, the device further comprises: a setting module 14 and a processing module 15, where:
The setting module 14 is configured to use a hook program to set, on the communication link, a first registration point for intercepting the packet, and to encapsulate the first registration point to establish the first interface; and/or to use a hook program to set, on the communication link, a second registration point for forwarding the packet, and to encapsulate the second registration point to establish the second interface.
The processing module 15 is configured to, if the packet is judged not to meet the network security policy, perform security protection processing on the packet according to the network threat type in the network security policy.
The functions and processing flow of each module in the virtual platform security protection device based on a virtual switch provided in this embodiment may be found in the method embodiment shown in Fig. 2 above; the implementation principles are similar and are not repeated here.
The virtual platform security protection device based on a virtual switch provided in this embodiment intercepts, through a first interface set up by a hook program in the virtual switch, packets sent by the first device to the second device on the communication link in the virtual switch, and uses the feature information in the data feature library corresponding to the network security policy to detect whether the packet is safe; if so, the packet is sent to the second device through a second interface set up by a hook program in the virtual switch; if not, security protection processing is applied to the packet. This avoids diverting the communication traffic in the virtual switch to an external system for security detection, improves the processing efficiency of security detection, reduces the delay of communication interaction, and further improves the security of the virtual platform.
Fig. 8 is a schematic structural diagram of another virtual platform security protection device based on a virtual switch provided by an embodiment of the present invention, in which the network security policy is network permission audit and the feature information corresponding to the network security policy comprises: IP address information, and network access authority information corresponding to the IP address information. As shown in Fig. 8, based on the embodiment shown in Fig. 7, the detection module 12 comprises: an acquiring unit 121 and an auditing unit 122, where:
The acquiring unit 121 is configured to obtain the network access authority information corresponding to the source IP of the packet;
The auditing unit 122 is configured to audit the legitimacy of the destination IP according to the network access authority information;
The processing module 15 is specifically configured to:
if the destination IP is judged illegal, modify the destination IP to a lawful authorized IP according to the network access authority information, and send the modified packet to the second interface.
The functions and processing flow of each module in the virtual platform security protection device based on a virtual switch provided in this embodiment may be found in the method embodiment shown in Fig. 3 above; the implementation principles are similar and are not repeated here.
The virtual platform security protection device based on a virtual switch provided in this embodiment uses the feature information in the data feature library corresponding to the network permission audit to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is modified to carry legitimate access rights and then forwarded. This improves the security of the virtual platform.
Fig. 9 is a schematic structural diagram of another virtual platform security protection device based on a virtual switch provided by an embodiment of the present invention, in which the network security policy is network attack detection and the feature information corresponding to the network security policy comprises: the key fields corresponding to the communication protocol of the packet, and attack-string descriptors. As shown in Fig. 9, based on the embodiment shown in Fig. 7, the detection module 12 comprises: a determining unit 123 and a first judging unit 124, where:
The determining unit 123 is configured to determine the communication protocol used by the packet;
The first judging unit 124 is configured to obtain the data in the key fields corresponding to the communication protocol, and to judge whether the data in the key fields contains an attack-string descriptor;
The processing module 15 is specifically configured to:
if the data in the key fields is judged to contain an attack-string descriptor, discard the packet; or, filter the packet to obtain a packet that meets the network security policy, and send it to the second interface.
The functions and processing flow of each module in the virtual platform security protection device based on a virtual switch provided in this embodiment may be found in the method embodiment shown in Fig. 3 above; the implementation principles are similar and are not repeated here.
The virtual platform security protection device based on a virtual switch provided in this embodiment uses the feature information in the data feature library corresponding to network attack detection to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded or filtered. This improves the security of the virtual platform.
Fig. 10 is a schematic structural diagram of another virtual platform security protection device based on a virtual switch provided by an embodiment of the present invention, in which the network security policy is flow intrusion and the feature information corresponding to the network security policy comprises: the format information of packets, and the traffic threshold within a preset time corresponding to the format information, where the format information comprises at least one of: file header information, intermediate file format, and file end format. As shown in Fig. 10, based on the embodiment shown in Fig. 7, the detection module 12 comprises: a matching unit 125 and a second judging unit 126, where:
The matching unit 125 is configured to match the file header information, intermediate file format and file end format of the packet against the format information in the feature information;
The second judging unit 126 is configured to judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
The processing module 15 is specifically configured to:
if the traffic of successfully matched packets within the preset time is judged to exceed the traffic threshold, discard the packet.
The functions and processing flow of each module in the virtual platform security protection device based on a virtual switch provided in this embodiment may be found in the method embodiment shown in Fig. 3 above; the implementation principles are similar and are not repeated here.
The virtual platform security protection device based on a virtual switch provided in this embodiment uses the feature information in the data feature library corresponding to flow intrusion to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is discarded. This improves the security of the virtual platform.
Fig. 11 is a schematic structural diagram of a virtual platform security protection system based on a virtual switch provided by an embodiment of the present invention. As shown in Fig. 11, the system comprises: a first device 1 and a second device 2 located on the virtual platform, and a virtual switch 3 deployed in a physical machine, where the first device 1 and the second device 2 each include: a physical machine 4 on the virtual platform, or a virtual machine 5 deployed in a physical machine; the virtual switch 3 comprises the virtual platform security protection device 6 based on a virtual switch. The embodiment shown in Fig. 11 is illustrated with the example in which the first device 1 is a first virtual machine and the second device 2 is a second virtual machine, the two communicating through the virtual switch 3.
The functions and processing flow of each module in the virtual platform security protection system based on a virtual switch provided in this embodiment may be found in the method embodiments shown above; the implementation principles are similar and are not repeated here.
The virtual platform security protection system based on a virtual switch provided in this embodiment intercepts, through the first interface in the virtual switch, packets sent by the first device to the second device on the communication link in the virtual switch, uses the feature information in the data feature library corresponding to the network security policy to detect whether the packet is safe, and if so sends it to the second device through the second interface in the virtual switch. This avoids diverting the communication traffic in the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the delay of communication interaction.
Embodiments of the present invention provide the following technical solutions:
A1. A virtual platform security protection method based on a virtual switch, wherein the method comprises:
receiving a packet sent by a first interface in the virtual switch, the first interface being configured to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
using a data feature library to detect whether the packet meets a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
if the packet is judged to meet the network security policy, sending the packet that has passed security detection to the second device through a second interface in the virtual switch.
A2. The method according to claim A1, wherein, before receiving the packet sent by the first interface in the virtual switch, the method further comprises:
using a hook program to set, on the communication link, a first registration point for intercepting the packet, and encapsulating the first registration point to establish the first interface;
and/or,
using a hook program to set, on the communication link, a second registration point for forwarding the packet, and encapsulating the second registration point to establish the second interface.
A3. The method according to claim A1 or A2, further comprising:
if the packet is judged not to meet the network security policy, performing security protection processing on the packet according to the network threat type in the network security policy.
A4. The method according to claim A3, wherein the network security policy comprises:
at least one of network permission audit, network attack detection and flow intrusion.
A5. The method according to claim A4, wherein the network security policy is network permission audit, and the feature information corresponding to the network security policy comprises: IP address information, and network access authority information corresponding to the IP address information;
using the data feature library to detect whether the packet meets the preset network security policy comprises:
obtaining the network access authority information corresponding to the source IP of the packet, and auditing the legitimacy of the destination IP according to the network access authority information;
performing security protection processing on the packet according to the network threat type in the network security policy comprises:
if the destination IP is judged illegal, modifying the destination IP to a lawful authorized IP according to the network access authority information, and sending the modified packet to the second interface.
A6. The method according to claim A4, wherein the network security policy is network attack detection, and the feature information corresponding to the network security policy comprises: the key fields corresponding to the communication protocol of the packet, and attack-string descriptors;
using the data feature library to detect whether the packet meets the preset network security policy comprises:
determining the communication protocol used by the packet;
obtaining the data in the key fields corresponding to the communication protocol, and judging whether the data in the key fields contains an attack-string descriptor;
performing security protection processing on the packet according to the network threat type in the network security policy comprises:
if the data in the key fields is judged to contain an attack-string descriptor, discarding the packet; or, filtering the packet to obtain a packet that meets the network security policy, and sending it to the second interface.
A7. The method according to claim A4, wherein the network security policy is flow intrusion, and the feature information corresponding to the network security policy comprises: the format information of packets, and the traffic threshold within a preset time corresponding to the format information, where the format information comprises at least one of: file header information, intermediate file format, and file end format;
using the data feature library to detect whether the packet meets the preset network security policy comprises:
matching the file header information, intermediate file format and file end format of the packet against the format information in the feature information;
judging whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
performing security protection processing on the packet according to the network threat type in the network security policy comprises:
if the traffic of successfully matched packets within the preset time is judged to exceed the traffic threshold, discarding the packet.
B8. A virtual platform security protection device based on a virtual switch, wherein the device comprises:
a receiving module, configured to receive a packet sent by a first interface in the virtual switch, the first interface being configured to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
a detection module, configured to use a data feature library to detect whether the packet meets a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
a sending module, configured to, if the packet is judged to meet the network security policy, send the packet that has passed security detection to the second device through a second interface in the virtual switch.
B9. The device according to claim B8, further comprising:
a setting module, configured to use a hook program to set, on the communication link, a first registration point for intercepting the packet, and to encapsulate the first registration point to establish the first interface;
and/or,
to use a hook program to set, on the communication link, a second registration point for forwarding the packet, and to encapsulate the second registration point to establish the second interface.
B10. The device according to claim B8 or B9, further comprising:
a processing module, configured to, if the packet is judged not to meet the network security policy, perform security protection processing on the packet according to the network threat type in the network security policy.
B11. The device according to claim B10, wherein the network security policy comprises:
at least one of network permission audit, network attack detection and flow intrusion.
B12. The device according to claim B11, wherein the network security policy is network permission audit, and the feature information corresponding to the network security policy comprises: IP address information, and network access authority information corresponding to the IP address information;
the detection module comprises:
an acquiring unit, configured to obtain the network access authority information corresponding to the source IP of the packet;
an auditing unit, configured to audit the legitimacy of the destination IP according to the network access authority information;
the processing module is specifically configured to:
if the destination IP is judged illegal, modify the destination IP to a lawful authorized IP according to the network access authority information, and send the modified packet to the second interface.
B13. The device according to claim B11, wherein the network security policy is network attack detection, and the feature information corresponding to the network security policy comprises: the key fields corresponding to the communication protocol of the packet, and attack-string descriptors;
the detection module comprises:
a determining unit, configured to determine the communication protocol used by the packet;
a first judging unit, configured to obtain the data in the key fields corresponding to the communication protocol, and to judge whether the data in the key fields contains an attack-string descriptor;
the processing module is specifically configured to:
if the data in the key fields is judged to contain an attack-string descriptor, discard the packet; or, filter the packet to obtain a packet that meets the network security policy, and send it to the second interface.
B14. The device according to claim B11, wherein the network security policy is flow intrusion, and the feature information corresponding to the network security policy comprises: the format information of packets, and the traffic threshold within a preset time corresponding to the format information, where the format information comprises at least one of: file header information, intermediate file format, and file end format;
the detection module comprises:
a matching unit, configured to match the file header information, intermediate file format and file end format of the packet against the format information in the feature information;
a second judging unit, configured to judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
the processing module is specifically configured to:
if the traffic of successfully matched packets within the preset time is judged to exceed the traffic threshold, discard the packet.
C15. A virtual platform security protection system based on a virtual switch, wherein the system comprises: a first device and a second device located on a virtual platform, and a virtual switch, where the first device and the second device each include: a physical machine on the virtual platform, or a virtual machine deployed in a physical machine, and the virtual switch comprises the virtual platform security protection device based on a virtual switch according to any one of claims 8-14.
Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be carried out by hardware controlled by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes: ROM, RAM, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A virtual platform security protection method based on a virtual switch, wherein the method comprises:
receiving a packet sent by a first interface in the virtual switch, the first interface being configured to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
using a data feature library to detect whether the packet meets a preset network security policy, the data feature library comprising feature information corresponding to the network security policy;
if the packet is judged to meet the network security policy, sending the packet that has passed security detection to the second device through a second interface in the virtual switch.
2. The method according to claim 1, wherein, before receiving the packet sent by the first interface in the virtual switch, the method further comprises:
using a hook program to set, on the communication link, a first registration point for intercepting the packet, and encapsulating the first registration point to establish the first interface;
and/or,
using a hook program to set, on the communication link, a second registration point for forwarding the packet, and encapsulating the second registration point to establish the second interface.
3. The method according to claim 1 or 2, further comprising:
if the packet is judged not to meet the network security policy, performing security protection processing on the packet according to the network threat type in the network security policy.
4. The method according to claim 3, wherein the network security policy comprises:
at least one of network permission audit, network attack detection and flow intrusion.
5. method according to claim 4, is characterized in that, described network security policy is network legal power audit, comprises: IP address information with described network security policy characteristic of correspondence information, and the network access authority information corresponding with IP address information;
Described employing data characteristics storehouse is detected described packet and whether is met default network security policy, comprising:
Obtain the network access authority information corresponding with the source IP of described packet, audit according to the legitimacy of described network access authority infomation detection to object IP;
Described according to the Cyberthreat type in described network security policy, security protection process is carried out to described packet, comprising:
Know that described object IP is illegal if judge, then according to described, described network access authority information is revised as lawful authority IP to described object IP, and give described second interface by amended Packet Generation.
6. method according to claim 4, it is characterized in that, described network security policy is network attack detection, comprises: the critical field corresponding with the communication protocol of packet with described network security policy characteristic of correspondence information, and attacks the descriptor of character string;
Described employing data characteristics storehouse is detected described packet and whether is met default network security policy, comprising:
Determine the communication protocol that described packet is applied;
Obtain the data message in the critical field corresponding with described communication protocol, judge the descriptor whether comprising described attack character string in the data message in described critical field;
Described according to the Cyberthreat type in described network security policy, security protection process is carried out to described packet, comprising:
Know that if judge the data message in described critical field comprises the descriptor of attacking character string, then abandon described packet; Or, obtain the packet meeting described network security policy after filtration treatment is carried out to described packet, and send to described second interface.
7. method according to claim 4, it is characterized in that, described network security policy is flow invasion, comprise with described network security policy characteristic of correspondence information: the format information of packet, and the interior flow threshold corresponding with described format information of Preset Time, wherein, described format information comprises: at least one in the form of header file information, intermediate file and the form of ends file;
Described employing data characteristics storehouse is detected described packet and whether is met default network security policy, comprising:
The header file information of described packet, the form of intermediate file and the form of ends file are mated with the format information in described characteristic information;
Judge whether the flow of the packet that the match is successful in Preset Time exceedes default flow threshold;
Described according to the Cyberthreat type in described network security policy, security protection process is carried out to described packet, comprising:
What know the packet that in Preset Time, the match is successful if judge flows exceed described flow threshold, then abandon described packet.
8. based on a virtual platform safety device for virtual switch, it is characterized in that, described device comprises:
Receiver module, the packet that the first interface for receiving in virtual switch sends, described first interface is for sending to the packet of the second equipment to tackle to the communication link in described virtual switch, the first equipment;
Detection module, detect described packet for adopting data characteristics storehouse and whether meet default network security policy, described data characteristics storehouse comprises: with described network security policy characteristic of correspondence information;
Sending module, if know that described packet meets described network security policy for judging, then gives described second equipment by the second interface in described virtual switch by the Packet Generation through safety detection.
9. device according to claim 8, is characterized in that, also comprises:
Module is set, the first registration point for tackling described packet is set on described communication link for application hooks subprogram, and encapsulation is carried out to described first registration point set up described first interface;
And/or,
Application hooks subprogram arranges the second registration point for forwarding described packet on described communication link, and carries out encapsulation to described second registration point and set up described second interface.
10. the virtual platform security protection system based on virtual switch, it is characterized in that, described system comprises: be positioned at the first equipment on virtual platform, the second equipment, and virtual switch, wherein, described first equipment and the second equipment include: the physical machine on virtual platform, or, be deployed in the virtual machine in physical machine, described virtual switch comprises as claimed in claim 8 or 9 based on the virtual platform safety device of virtual switch.
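As an added illustration of claims 1 and 4 to 7 (not code from the patent or its assignee), the following Python model places the three claimed policies in the detection step between the first (intercepting) and second (forwarding) interface; the feature library, packet fields, attack strings and thresholds are all constructed sample values.

```python
from collections import deque
from dataclasses import dataclass

# Constructed feature library (claim 1): feature information per policy.
FEATURE_DB = {
    # claim 5: source IP -> (permitted destination IPs, lawful fallback IP)
    "permission_audit": {"10.0.0.5": ({"10.0.1.10", "10.0.1.11"}, "10.0.1.10")},
    # claim 6: protocol -> (key field to inspect, attack string descriptors)
    "attack_detection": {"http": ("uri", ["../", "<script"])},
    # claim 7: packet format tag -> (preset time window in s, packet threshold)
    "flow_intrusion": {"fmt-A": (1.0, 3)},
}

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    fields: dict   # key field name -> payload text
    fmt: str       # header/intermediate/trailer format tag (claim 7)
    ts: float      # arrival time in seconds

class FlowCounter:
    """Sliding-window count of format-matched packets (claim 7)."""
    def __init__(self):
        self.seen = {}   # fmt -> deque of arrival timestamps

    def exceeds(self, pkt):
        rule = FEATURE_DB["flow_intrusion"].get(pkt.fmt)
        if rule is None:          # format does not match: no flow rule applies
            return False
        window, threshold = rule
        q = self.seen.setdefault(pkt.fmt, deque())
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > window:   # discard timestamps outside window
            q.popleft()
        return len(q) > threshold

def inspect(pkt, flows):
    """Detection step between the interfaces: 'forward', 'rewrite' or 'drop'."""
    action = "forward"
    # claim 5: audit the destination IP against the source's permissions
    entry = FEATURE_DB["permission_audit"].get(pkt.src_ip)
    if entry and pkt.dst_ip not in entry[0]:
        pkt.dst_ip = entry[1]     # rewrite to the lawful IP, then keep checking
        action = "rewrite"
    # claim 6: look for an attack string in the protocol's key field
    rule = FEATURE_DB["attack_detection"].get(pkt.proto)
    if rule and any(s in pkt.fields.get(rule[0], "") for s in rule[1]):
        return "drop", None
    # claim 7: too many format-matched packets within the preset time
    if flows.exceeds(pkt):
        return "drop", None
    return action, pkt
```

A source IP with no entry in the permission table is left untouched here; the claims do not specify that case.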
CN201510379913.3A 2015-07-01 2015-07-01 Virtual platform safety protecting method based on virtual switch, device and system Active CN104994094B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510379913.3A CN104994094B (en) 2015-07-01 2015-07-01 Virtual platform safety protecting method based on virtual switch, device and system

Publications (2)

Publication Number Publication Date
CN104994094A true CN104994094A (en) 2015-10-21
CN104994094B CN104994094B (en) 2016-11-30

Family

ID=54305846

Country Status (1)

Country Link
CN (1) CN104994094B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105590058A (en) * 2015-12-18 2016-05-18 北京奇虎科技有限公司 Virtual machine escape detection method and apparatus
CN106411863A (en) * 2016-09-14 2017-02-15 南京安贤信息科技有限公司 Virtualization platform for processing network traffic of virtual switches in real time
CN106685900A (en) * 2015-11-10 2017-05-17 中国电信股份有限公司 Loophole prevention method and apparatus
CN107306264A (en) * 2016-04-25 2017-10-31 腾讯科技(深圳)有限公司 Network security monitoring method and apparatus
CN107800696A (en) * 2017-10-23 2018-03-13 国云科技股份有限公司 Source discrimination is forged in communication on a kind of cloud platform virtual switch
WO2019153127A1 (en) * 2018-02-06 2019-08-15 Nokia Shanghai Bell Co., Ltd. Method, apparatus, and computer readable medium for providing security service for data center
US11689501B2 (en) 2017-12-27 2023-06-27 Huawei Cloud Computing Technologies Co., Ltd. Data transfer method and virtual switch

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763310A (en) * 2013-12-31 2014-04-30 曙光云计算技术有限公司 Firewall service system and method based on virtual network
CN104023034A (en) * 2014-06-25 2014-09-03 武汉大学 Security defensive system and defensive method based on software-defined network
CN104023035A (en) * 2014-06-26 2014-09-03 浪潮电子信息产业股份有限公司 Method for protecting flow among virtual machines in same security domain

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right
    Effective date of registration: 20161117
    Address after: 100016 Beijing Chaoyang District Jiuxianqiao Road No. 10, building 15, floor 17, floor 3, 1701-26
    Patentee after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
    Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20161223
    Address after: 100016 Beijing Chaoyang District Jiuxianqiao Road No. 10, building 15, floor 17, floor 3, 1701-26
    Patentee after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
    Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
    Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
    Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
CB03 Change of inventor or designer information
    Inventor after: Wang Shengping
    Inventor after: Wu Yunkun
    Inventor before: Wang Shengping
CP03 Change of name, title or address
    Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
    Patentee after: Qianxin Technology Group Co.,Ltd.
    Address before: 100016 Beijing Chaoyang District Jiuxianqiao Road 10, 3 building 15, 17 floors 1701-26
    Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20201229
    Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing
    Patentee after: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
    Patentee after: Qianxin Technology Group Co.,Ltd.
    Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
    Patentee before: Qianxin Technology Group Co.,Ltd.
CP03 Change of name, title or address
    Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032
    Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.
    Patentee after: Qianxin Technology Group Co.,Ltd.
    Address before: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing
    Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
    Patentee before: Qianxin Technology Group Co.,Ltd.