CN105592088A - Virtual machine flow monitoring method and device, and terminal - Google Patents

Publication number
CN105592088A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510992379.3A
Inventor
汤迪斌
杨晓东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd

Abstract

The invention provides a virtual machine traffic monitoring method and device. An agent client connected to a control center is arranged inside the virtual machine. The method comprises: the agent client obtains the access traffic of the virtual machine and monitors it according to a preset policy; and the agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine, wherein the preset policy is the policy corresponding to the virtual machine that the control center issues according to the identifier of the virtual machine. The method monitors the access traffic of each virtual machine through the agent client in that virtual machine, enables monitoring of the interaction between virtual machines, or between virtual machines on different physical terminals, and improves the security of data inside virtual machines.

Description

A method, device, and terminal for monitoring virtual machine traffic
Technical field
The present invention relates to the field of Internet technology, and in particular to a method, device, and terminal for monitoring virtual machine traffic.
Background
An enterprise typically has multiple physical terminals but only one entry or exit to the outside world, and border defense is carried out by adding a firewall at this entry or exit. As computer network applications become more widespread and the kinds of services in different fields grow richer, virtual machines in distributed environments have emerged. (A virtual machine is a computer system that is simulated in software, runs on top of a physical machine, has complete hardware system functionality, and operates in a completely isolated environment.)
Because virtualized multi-group services have no traditional border, the interaction between virtual machines, or between virtual machines on different physical terminals, cannot be monitored, so there is a risk that data will be stolen across departments within the enterprise.
Summary of the invention
In view of the above defects in the prior art, a method, device, and terminal for monitoring virtual machine traffic are proposed to solve the above technical problem.
In a first aspect, the present invention provides a device for monitoring virtual machine traffic. The device is arranged in the virtual machine and is connected to a control center, and comprises:
an acquisition module, configured to obtain the access traffic of the virtual machine;
a monitoring module, configured to monitor the access traffic according to a preset policy;
a determination module, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.
Optionally, the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;
correspondingly, the monitoring module is configured to:
monitor according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
Optionally, the device further comprises a receiving module, configured to receive the preset policy issued by the control center.
Optionally, the detection module is configured to:
obtain the source address, destination address, and access information of the access traffic;
monitor the source address, destination address, and access information of the access traffic according to the preset policy.
Optionally, the determination module is configured to:
intercept the access traffic when the access traffic of the virtual machine does not satisfy the preset policy.
In a second aspect, the present invention further provides a device for monitoring virtual machine traffic. The device is connected to the agent client arranged in the virtual machine, and comprises:
an acquisition module, configured to obtain the access rights of multiple virtual machines;
a policy configuration module, configured to configure policies corresponding to the access rights of the multiple virtual machines, each policy including the identifier of the virtual machine;
a sending module, configured to send, according to the identifier of the virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;
wherein the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
Optionally, the device further comprises an update module, configured to update the policies that have been configured.
In a third aspect, the present invention further provides a method for monitoring virtual machine traffic. An agent client is arranged in the virtual machine and is connected to a control center, and the method comprises:
the agent client obtains the access traffic of the virtual machine and monitors the access traffic according to a preset policy;
the agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.
Optionally, the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;
correspondingly, monitoring the access traffic according to the preset policy comprises:
the agent client monitors according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
Optionally, before the access traffic of the virtual machine is obtained, the method further comprises:
receiving the preset policy issued by the control center.
Optionally, monitoring the access traffic according to the preset policy comprises:
obtaining the source address, destination address, and access information of the access traffic;
monitoring the source address, destination address, and access information of the access traffic according to the preset policy.
Optionally, determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine comprises:
if the access traffic of the virtual machine does not satisfy the preset policy, intercepting the access traffic.
In a fourth aspect, the present invention further provides a method for monitoring virtual machine traffic. An agent client is arranged in the virtual machine and is connected to a control center, and the method comprises:
the control center obtains the access rights of multiple virtual machines and configures policies corresponding to the access rights of the multiple virtual machines, each policy including the identifier of the virtual machine;
the control center sends, according to the identifier of the virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;
wherein the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
Optionally, after the control center obtains the access rights of multiple virtual machines, the method further comprises:
updating the policies that have been configured.
In a fifth aspect, the present invention further provides a terminal comprising a virtual machine and the above device, the device being arranged in the virtual machine.
As can be seen from the above technical solutions, the present invention provides a method, device, and terminal for monitoring virtual machine traffic. An agent client is arranged in each virtual machine and monitors the access traffic of the virtual machine in which it resides. This makes it possible to monitor the interaction between virtual machines, or between virtual machines on different physical terminals, and improves the security of data in the virtual machines.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method for monitoring virtual machine traffic provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a method for monitoring virtual machine traffic provided by another embodiment of the present invention;
Fig. 3 is a schematic flowchart of a method for monitoring virtual machine traffic provided by another embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a device for monitoring virtual machine traffic provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a device for monitoring virtual machine traffic provided by another embodiment of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
Fig. 1 shows a schematic flowchart of a method for monitoring virtual machine traffic provided by an embodiment of the present invention. As shown in Fig. 1, in this method an agent client is arranged in the virtual machine and is connected to a control center, and the method comprises:
101. The agent client obtains the access traffic of the virtual machine and monitors the access traffic according to a preset policy.
It can be understood that an agent client is arranged in each virtual machine and is connected to the control center. The control center pushes different policies to agent clients according to the virtual machine in which each agent client resides, so that the agent client monitors the access traffic of that virtual machine.
The preset policy may be sent to the agent client by the control center. Specifically, the agent client can monitor both the traffic with which its virtual machine is accessed and the traffic of accesses that the virtual machine initiates.
102. The agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine.
The preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.
It should be noted that in this embodiment an agent client is arranged in each virtual machine, and the multiple agent clients together form a firewall monitoring system. In other words, one firewall monitoring system is deployed in a distributed manner, with an agent client in every virtual machine, to monitor traffic between virtual machines. Compared with the prior art, in which a single firewall monitors the traffic of all virtual machines as a whole, this allows the interaction between virtual machines, or between virtual machines on different physical terminals, to be monitored, and improves the security of data in the virtual machines.
For example, for the administration department of a company, the prior-art approach uses one firewall to monitor the access traffic of all virtual machines between other departments and the administration department, but that firewall cannot monitor traffic between the individual virtual machines within the administration department. In this embodiment, an agent client is arranged in each virtual machine in a distributed manner. Compared with the monolithic monitoring of the existing approach, traffic between virtual machines inside a department can be monitored, which improves the user experience.
Each virtual machine has a virtual machine identifier. Because the agent client is arranged in each virtual machine, the control center needs to issue policies to agent clients according to the identifier of the virtual machine. When a virtual machine is migrated, for example when a physical machine needs maintenance and is replaced by another physical machine, it is only necessary to send the corresponding policy to the agent client in the virtual machine on the replacement physical machine. The virtual machine does not need to be changed, and the policy is kept synchronized with the virtual machine.
In the above method, the agent client in each virtual machine monitors the access traffic of the virtual machine in which it resides. This makes it possible to monitor the interaction between virtual machines, or between virtual machines on different physical terminals, and improves the security of data in the virtual machines.
The above method is described in detail below through a specific embodiment.
201. Receive the preset policy issued by the control center.
To meet the business needs of the different departments of an enterprise, different departments are often allocated different numbers of virtual machines. Each of these virtual machines has its own independent IP address and its own identifier. The identifier may be a group identifier within a department, in which case one identifier corresponds to multiple virtual machines; the preset policy can then be issued directly by group identifier, so that the same policy is issued to all virtual machines corresponding to that identifier, which is simpler and more efficient to execute. However, if leaders and subordinates within a department need to be distinguished finely, or the policy for each virtual machine needs to be strictly controlled, the identifier can be understood as the identifier of an individual virtual machine; that is, identifiers and virtual machines are in one-to-one correspondence. A preset policy is then issued for each identifier, and the preset policy for each identifier is different, so that traffic between individual virtual machines can be monitored. Although execution is not as fast as with group identifiers, traffic between individual virtual machines can be strictly controlled, which ensures the security of traffic between virtual machines. This embodiment does not limit the meaning of the issued preset policy or of the identifier; they can be planned according to the specific circumstances.
For example, the virtual machines on the physical machines of employees of the administration and human resources department can use the grouping approach, while the virtual machines on the physical machines of the finance department can use one-to-one correspondence between identifiers and virtual machines.
202. The agent client obtains the access traffic of the virtual machine.
The access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
203. Monitor the access traffic according to the preset policy.
The access traffic may comprise the traffic of received access requests and the traffic of access requests sent by the virtual machine; the agent client monitors according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
Specifically, the access traffic can be monitored in the following way, which comprises the following sub-steps:
2031. Obtain the source address, destination address, and access information of the access traffic.
Taking the administration and human resources department as an example, the agent client in the virtual machine on the administration manager's physical machine monitors every access flow it obtains, and obtains the source address, destination address, and access information of the access traffic. Obtaining the source address of an access request can be understood as obtaining the origin of the access request, for example the IP of a physical host in the technology department, or the identifier of a virtual machine on a physical machine. The destination address is the path of the file being accessed, and the access information is the specific file being accessed.
2032. Monitor the source address, destination address, and access information of the access traffic according to the preset policy.
The preset policy includes the virtual machine identifier and the policy corresponding to that identifier. The policy may include access-right information corresponding to the virtual machine identifier, for example: which identified virtual machines or which physical machine IPs may access this virtual machine; which identified virtual machines or physical machine IPs it may access; which files of which identified virtual machines or physical machine IPs it may access; and which files which identified virtual machines or physical machine IPs are allowed to access.
For example, on the virtual machines of the administration and human resources department, virtual machines with other departments' identifiers and physical machine IPs are not allowed to access any file, or are only allowed to access files related to their own information. Files related to one's own information include the accessing party's personnel information, such as provident fund, social security, and salary information. Files on the administration and human resources manager's virtual machine may not be accessed by the virtual machines or physical machine IPs identified as belonging to employees of the administration and human resources department. The same applies to the finance department or the engineering department, to prevent the company's financial information or core technology from being stolen.
204. According to the monitoring result, determine whether to intercept the access traffic of the virtual machine; if not, execute step 205; if so, do not intercept the access traffic of the virtual machine.
205. If the access traffic of the virtual machine does not satisfy the preset policy, intercept the access traffic.
In the above method, the agent client monitors the traffic of the virtual machine it belongs to according to the policy issued by the control center. The method does not depend on any particular platform, such as KVM or Xen; an agent client can be set up in any virtual machine, or virtual machine within a physical machine, that is able to host an agent client. The method makes monitoring virtual machines more convenient: the control center only needs to issue the corresponding preset policy according to the virtual machine identifier. In addition, because policies are issued to the agent client rather than to the virtual machine, during virtual machine migration the policy no longer needs to be synchronized with the virtual machine; instead, the preset policy is re-issued to the agent client corresponding to that virtual machine.
Fig. 3 shows a schematic flowchart of a method for monitoring virtual machine traffic provided by an embodiment of the present invention. As shown in Fig. 3, an agent client is arranged in the virtual machine and is connected to a control center, and the method comprises the following steps:
301. The control center obtains the access rights of multiple virtual machines and configures policies corresponding to the access rights of the multiple virtual machines, each policy including the identifier of the virtual machine;
The access rights can be understood as the rights, obtained for a virtual machine identifier, of the virtual machine corresponding to that identifier to receive access requests and to send access requests.
302. The control center sends, according to the identifier of the virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;
The access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
In the above method, the control center sends the policy corresponding to a virtual machine's identifier to the agent client in that virtual machine according to the identifier, so that the agent client monitors the access traffic of the virtual machine it belongs to according to the preset policy. This ensures the security of access traffic between virtual machines and plays a role in monitoring data inside the enterprise.
In addition, because the access traffic policies of different virtual machines may change, after the control center obtains the access rights of multiple virtual machines the method further comprises: updating the policies that have been configured. This ensures that the preset policy of the agent client in each virtual machine is the latest policy, and improves monitoring efficiency.
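The following Python model is an added example, not part of the patent text. It sketches the embodiments above: policies keyed by group identifier or by per-virtual-machine identifier (step 201), the check of source address, destination address, and access information (steps 2031 and 2032), interception of non-conforming traffic (step 205), re-issue after migration, and policy update. The class names, the "{peer}" placeholder, glob matching, path normalization, the fail-closed default, and every identifier and path are assumptions made for illustration.

```python
"""Constructed model: a control center issues a policy per VM or group
identifier, and the agent client inside each VM enforces it."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import glob
import posixpath

INBOUND, OUTBOUND = "inbound", "outbound"


@dataclass(frozen=True)
class Rule:
    direction: str   # INBOUND: peer is the source; OUTBOUND: peer is the destination
    peer: str        # VM identifier or physical-host IP; "*" matches any peer
    resource: str    # glob over the accessed file path; "{peer}" expands to the peer


@dataclass(frozen=True)
class Flow:
    source: str       # identifier or IP of the requester
    destination: str  # identifier or IP of the machine being accessed
    resource: str     # file the request touches (the "access information")


class Agent:
    """Agent client inside one VM; it only judges that VM's own traffic."""

    def __init__(self, vm_id, group=None):
        self.vm_id, self.group, self.rules = vm_id, group, None

    def receive(self, rules):
        self.rules = tuple(rules)

    def decide(self, flow):
        """Return "allow" or "intercept" for one inbound or outbound flow."""
        if flow.destination == self.vm_id:
            direction, peer = INBOUND, flow.source
        elif flow.source == self.vm_id:
            direction, peer = OUTBOUND, flow.destination
        else:
            return "intercept"                  # not this VM's traffic
        if self.rules is None:
            return "intercept"                  # no policy issued yet: fail closed
        # Normalize first so "a/../b" cannot slip past a glob written for "a/*".
        path = posixpath.normpath(flow.resource)
        for rule in self.rules:
            if rule.direction != direction or rule.peer not in ("*", peer):
                continue
            # Escape the peer so glob characters in an identifier stay literal.
            pattern = rule.resource.replace("{peer}", glob.escape(peer))
            if fnmatchcase(path, pattern):
                return "allow"
        return "intercept"                      # traffic that does not meet the policy


class ControlCenter:
    """Keeps policies keyed by identifier, never by physical host."""

    def __init__(self):
        self.policies = {}   # VM identifier or group identifier -> rules
        self.agents = {}     # VM identifier -> agent currently running that VM

    def policy_for(self, agent):
        # A per-VM policy (one identifier per VM) overrides the group policy.
        if agent.vm_id in self.policies:
            return self.policies[agent.vm_id]
        return self.policies.get(agent.group)

    def register(self, agent):
        """Called at first start and again after the VM moves to another host."""
        self.agents[agent.vm_id] = agent
        rules = self.policy_for(agent)
        if rules is not None:
            agent.receive(rules)

    def configure(self, identifier, rules):
        """Create or update a policy and re-issue it to every agent it covers."""
        self.policies[identifier] = tuple(rules)
        for agent in self.agents.values():
            if identifier in (agent.vm_id, agent.group):
                agent.receive(self.policy_for(agent))


if __name__ == "__main__":
    cc = ControlCenter()
    # Constructed sample: HR VMs share a group policy, finance uses a per-VM policy.
    cc.configure("hr", [Rule(INBOUND, "*", "/personnel/{peer}/*")])
    cc.configure("fin-vm-1", [Rule(INBOUND, "fin-vm-2", "/ledger/*")])
    hr = Agent("hr-vm-1", group="hr")
    cc.register(hr)
    for f in (Flow("eng-vm-7", "hr-vm-1", "/personnel/eng-vm-7/payslip.pdf"),
              Flow("eng-vm-7", "hr-vm-1", "/personnel/eng-vm-7/../eng-vm-9/payslip.pdf")):
        print(f.resource, "->", hr.decide(f))
```

Because the policy table is keyed by identifier, registering a fresh agent for the same identifier from a different host yields the same decisions without any host-level resynchronization.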
Fig. 4 shows a schematic structural diagram of a device for monitoring virtual machine traffic provided by an embodiment of the present invention. As shown in Fig. 4, the device is arranged in the virtual machine and is connected to a control center, and comprises:
an acquisition module 41, configured to obtain the access traffic of the virtual machine;
a monitoring module 42, configured to monitor the access traffic according to a preset policy;
a determination module 43, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.
In a preferred implementation of this embodiment, the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;
correspondingly, the monitoring module is configured to:
monitor according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
In a preferred implementation of this embodiment, the device further comprises a receiving module, configured to receive the preset policy issued by the control center.
In a preferred implementation of this embodiment, the detection module is configured to:
obtain the source address, destination address, and access information of the access traffic;
monitor the source address, destination address, and access information of the access traffic according to the preset policy.
In a preferred implementation of this embodiment, the determination module is configured to:
intercept the access traffic when the access traffic of the virtual machine does not satisfy the preset policy.
This embodiment also provides a terminal comprising a virtual machine and the above device, the device being arranged in the virtual machine.
Fig. 5 shows a schematic structural diagram of a device for monitoring virtual machine traffic provided by an embodiment of the present invention. The device is connected to the agent client arranged in the virtual machine, and comprises:
an acquisition module 51, configured to obtain the access rights of multiple virtual machines;
a policy configuration module 52, configured to configure policies corresponding to the access rights of the multiple virtual machines, each policy including the identifier of the virtual machine;
a sending module 53, configured to send, according to the identifier of the virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;
wherein the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
In a preferred implementation of this embodiment, the device further comprises an update module, configured to update the policies that have been configured.
It should be noted that the above devices correspond one-to-one to the above methods; the specific implementation details of the methods apply equally to the devices, and this embodiment does not describe the implementation details of the devices again.
The embodiments of the present invention disclose:
A1. A device for monitoring virtual machine traffic, characterized in that the device is arranged in the virtual machine and is connected to a control center, the device comprising:
an acquisition module, configured to obtain the access traffic of the virtual machine;
a monitoring module, configured to monitor the access traffic according to a preset policy;
a determination module, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.
A2. The device according to A1, characterized in that the access traffic of the virtual machine comprises the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;
correspondingly, the monitoring module is configured to:
monitor according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
A3. The device according to A1, characterized in that the device further comprises a receiving module, configured to receive the preset policy issued by the control center.
A4. The device according to A1, characterized in that the detection module is configured to:
obtain the source address, destination address, and access information of the access traffic;
monitor the source address, destination address, and access information of the access traffic according to the preset policy.
A5. The device according to A1 or 4, characterized in that the determination module is configured to:
intercept the access traffic when the access traffic of the virtual machine does not satisfy the preset policy.
B6. A monitoring device for virtual machine traffic, characterized in that the device is connected to an agent client arranged in the virtual machine, the device comprising:
Acquisition module, for obtaining the access rights of multiple virtual machines;
Strategy configuration module, for configuring strategies corresponding to the access rights of the multiple virtual machines, the strategy including the identifier of the virtual machine;
Sending module, for sending, according to the identifier of the virtual machine, the strategy corresponding to that identifier to the agent client in the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the strategy;
Wherein the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
B7. The device according to B6, characterized in that the device further comprises: an update module, for updating the configured strategy.
C8. A monitoring method for virtual machine traffic, characterized in that an agent client is arranged in the virtual machine, the agent client being connected to a control centre, the method comprising:
The agent client obtains the access traffic of the virtual machine and monitors the access traffic according to a preset strategy;
The agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
Wherein the preset strategy is the strategy corresponding to the identifier of the virtual machine, issued by the control centre according to the identifier of the virtual machine.
C9. The method according to C8, characterized in that the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;
Accordingly, monitoring the access traffic according to the preset strategy comprises:
The agent client monitors according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
C10. The method according to C8, characterized in that, before obtaining the access traffic of the virtual machine, the method further comprises:
Receiving the preset strategy issued by the control centre.
C11. The method according to C8, characterized in that monitoring the access traffic according to the preset strategy comprises:
Obtaining the source address, destination address and access information of the access traffic;
Monitoring the source address, destination address and access information of the access traffic according to the preset strategy.
C12. The method according to C8 or 11, characterized in that determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine comprises:
If the access traffic of the virtual machine does not meet the preset strategy, intercepting the access traffic.
D13. A monitoring method for virtual machine traffic, characterized in that an agent client is arranged in the virtual machine, the agent client being connected to a control centre, the method comprising:
The control centre obtains the access rights of multiple virtual machines and configures strategies corresponding to the access rights of the multiple virtual machines, the strategy including the identifier of the virtual machine;
The control centre sends, according to the identifier of the virtual machine, the strategy corresponding to that identifier to the agent client in the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the strategy;
Wherein the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
D14. The method according to D13, characterized in that, after the control centre obtains the access rights of multiple virtual machines, the method further comprises:
Updating the configured strategy.
E15. A terminal, characterized by comprising a virtual machine and the device according to any one of A1-5, the device being arranged in the virtual machine.
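The division of work in the embodiments above (a control centre that configures one strategy per virtual machine identifier and sends it only to the agent in that virtual machine, and an agent that checks received and sent traffic by source address, destination address and access information) can be sketched as follows. This is an added example, not code from the patent: the class and field names, the reading of "access information" as protocol and destination port, the version counter and the fail-closed behaviour before any strategy arrives are assumptions, and the addresses are constructed sample values.

```python
# Added illustration (not from the patent): per-VM strategies issued by a
# control centre and enforced by an agent inside each virtual machine.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound": VM receives the request; "outbound": VM sends it
    peer: str       # CIDR the remote address must fall in
    protocol: str   # assumed "access information": protocol ...
    port: int       # ... and destination port


@dataclass(frozen=True)
class Strategy:
    vm_id: str      # the strategy carries the identifier of its virtual machine
    version: int    # assumption: bumped on every update
    rules: tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int


class Agent:
    """Runs inside one VM and decides whether to intercept its traffic."""

    def __init__(self, vm_id, vm_address):
        self.vm_id, self.vm_address, self.strategy = vm_id, vm_address, None

    def receive(self, strategy):
        if strategy.vm_id != self.vm_id:
            raise ValueError("strategy issued for a different virtual machine")
        self.strategy = strategy

    def decide(self, flow):
        if flow.dst == self.vm_address:
            direction, peer = "inbound", flow.src
        elif flow.src == self.vm_address:
            direction, peer = "outbound", flow.dst
        else:
            return "intercept"  # neither end is this VM
        if self.strategy is None:
            return "intercept"  # assumption: fail closed until a strategy arrives
        for rule in self.strategy.rules:
            if (rule.direction == direction and rule.protocol == flow.protocol
                    and rule.port == flow.port
                    and ip_address(peer) in ip_network(rule.peer)):
                return "allow"
        return "intercept"  # traffic that does not meet the strategy


class ControlCenter:
    def __init__(self):
        self.agents, self.strategies = {}, {}

    def register(self, agent):
        self.agents[agent.vm_id] = agent

    def configure(self, vm_id, rules):
        """Configure or update a strategy and send it to the matching agent only."""
        old = self.strategies.get(vm_id)
        strategy = Strategy(vm_id, old.version + 1 if old else 1, tuple(rules))
        self.strategies[vm_id] = strategy
        self.agents[vm_id].receive(strategy)
        return strategy


def build_demo():
    """Constructed sample: a web VM and a database VM."""
    cc = ControlCenter()
    web, db = Agent("vm-web", "10.0.0.10"), Agent("vm-db", "10.0.0.20")
    cc.register(web)
    cc.register(db)
    cc.configure("vm-web", [Rule("inbound", "0.0.0.0/0", "tcp", 443),
                            Rule("outbound", "10.0.0.20/32", "tcp", 3306)])
    cc.configure("vm-db", [Rule("inbound", "10.0.0.10/32", "tcp", 3306)])
    return cc, web, db


if __name__ == "__main__":
    _, web_agent, _ = build_demo()
    print(web_agent.decide(Flow("10.0.0.10", "198.51.100.7", "tcp", 22)))
```

Because each agent holds only the strategy issued for its own identifier, the same flow between two virtual machines is checked twice: once as sent traffic on the sender and once as received traffic on the receiver.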
Numerous specific details are set forth in the description of the present invention. It will be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment can be combined into one module or unit or component, and can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this description (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this description (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, or in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all functions of some or all components of the device of a browser terminal according to embodiments of the invention. The invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for carrying out part or all of the method described herein. Such a program implementing the invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses should not be construed as limiting the claim. The word "comprise" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention, and they should all be covered by the scope of the claims and description of the invention.

Claims (10)

1. A monitoring device for virtual machine traffic, characterized in that the device is arranged in the virtual machine and is connected to a control centre, the device comprising:
Acquisition module, for obtaining the access traffic of the virtual machine;
Monitoring module, for monitoring the access traffic according to a preset strategy;
Determination module, for determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
Wherein the preset strategy is the strategy corresponding to the identifier of the virtual machine, issued by the control centre according to the identifier of the virtual machine.
2. The device according to claim 1, characterized in that the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;
Accordingly, the monitoring module is for:
Monitoring according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
3. The device according to claim 1, characterized in that the device further comprises: a receiving module, for receiving the preset strategy issued by the control centre.
4. The device according to claim 1, characterized in that the detection module is for:
Obtaining the source address, destination address and access information of the access traffic;
Monitoring the source address, destination address and access information of the access traffic according to the preset strategy.
5. The device according to claim 1 or 4, characterized in that the determination module is for:
Intercepting the access traffic when the access traffic of the virtual machine does not meet the preset strategy.
6. A monitoring device for virtual machine traffic, characterized in that the device is connected to an agent client arranged in the virtual machine, the device comprising:
Acquisition module, for obtaining the access rights of multiple virtual machines;
Strategy configuration module, for configuring strategies corresponding to the access rights of the multiple virtual machines, the strategy including the identifier of the virtual machine;
Sending module, for sending, according to the identifier of the virtual machine, the strategy corresponding to that identifier to the agent client in the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the strategy;
Wherein the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
7. The device according to claim 6, characterized in that the device further comprises: an update module, for updating the configured strategy.
8. A monitoring method for virtual machine traffic, characterized in that an agent client is arranged in the virtual machine, the agent client being connected to a control centre, the method comprising:
The agent client obtains the access traffic of the virtual machine and monitors the access traffic according to a preset strategy;
The agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine;
Wherein the preset strategy is the strategy corresponding to the identifier of the virtual machine, issued by the control centre according to the identifier of the virtual machine.
9. A monitoring method for virtual machine traffic, characterized in that an agent client is arranged in the virtual machine, the agent client being connected to a control centre, the method comprising:
The control centre obtains the access rights of multiple virtual machines and configures strategies corresponding to the access rights of the multiple virtual machines, the strategy including the identifier of the virtual machine;
The control centre sends, according to the identifier of the virtual machine, the strategy corresponding to that identifier to the agent client in the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the strategy;
Wherein the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.
10. A terminal, characterized by comprising a virtual machine and the device according to any one of claims 1-5, the device being arranged in the virtual machine.
CN201510992379.3A 2015-12-24 2015-12-24 Virtual machine flow monitoring method and device, and terminal Pending CN105592088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510992379.3A CN105592088A (en) 2015-12-24 2015-12-24 Virtual machine flow monitoring method and device, and terminal

Publications (1)

Publication Number Publication Date
CN105592088A true CN105592088A (en) 2016-05-18

Family

ID=55931302

Country Status (1)

Country Link
CN (1) CN105592088A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160518
