CN105871865A - OpenFlow-based IaaS cloud security state transition analysis system - Google Patents

Info

Publication number
CN105871865A
Authority
CN (China)
Prior art keywords
module, data, security, acquisition module, analysis system
Legal status
Pending (status as listed by Google Patents; not a legal conclusion)
Application number
CN201610263310.1A
Other languages
Chinese (zh)
Inventors
戴鸿君, 于治楼, 郝虹
Current assignee / Original assignee
Inspur Group Co Ltd
Priority date / Filing date
2016-04-26
Publication date
2016-08-17
Timeline
Application filed by Inspur Group Co Ltd; priority to CN201610263310.1A; published as CN105871865A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an OpenFlow-based IaaS cloud security state transition analysis system and belongs to the field of cloud computing security. The system comprises an event monitoring module, a data acquisition module, a database, a security assessment module and a master control module. Even in a dynamic environment such as a cloud computing IaaS platform, the mitigation and recovery strategy can be executed automatically when a security problem is encountered.

Description

OpenFlow-based IaaS cloud security state transition analysis system
Technical field
The present invention relates to cloud computing security technology, and in particular to an OpenFlow-based IaaS cloud security state transition analysis system.
Background art
(1) Cloud security background
Academic research shows that the security problems of cloud computing span many different fields. The handling of authentication, authorization and accounting is strongly affected: security threats frequently originate from internal users, so a clear global policy is usually required under which only authenticated users may access designated resources. User behaviour relating to platform resources should be supervised so that behaviour that violates the policy can be analysed and dealt with. Another important task is security policy management, which must guarantee the availability, integrity and confidentiality of the whole cloud data store; here an advanced encryption scheme ensures that only designated, authenticated users can access, modify and delete information in the cloud data store.
Virtualization is the core of the IaaS model, and it is rapidly changing the requirements of network security. However, the virtualization layer also brings new security challenges, because a compromised virtual guest can easily be used to attack and damage other virtual machines. One possible remedial measure is therefore to inspect the behaviour of virtual machines and, at the same time, to check virtual machine images in order to verify their integrity.
(2) OpenFlow and the SDN model
Implementing the network processing and configuration of a virtual testbed on the basis of software-defined networking (SDN) is a new way of thinking about networks. OpenFlow is one implementation of this approach: it defines the interface between the control layer and the data layer, establishes a secure channel between the network switches and an external controller, and lets the controller decide the logical forwarding instructions according to the flow of information. SDN is currently very attractive to cloud computing service systems, because it offers a flexible method of dynamically creating virtual networks and guarantees Layer 2 isolation between tenants.
Summary of the invention
Against the security threats present in current cloud environments, the present invention proposes an OpenFlow-based IaaS cloud security state transition analysis system. It gives the network great flexibility and guarantees the enforcement of dynamic security policies without changing the internal structure of the network components, so that even in a dynamic environment such as a cloud computing IaaS platform the mitigation and recovery strategy can be executed automatically when a security problem is encountered.
First, a multi-level hierarchical structure of the factors affecting the system's security attributes is established. Then, according to specified criteria, the factors on each level are compared pairwise to obtain a scale of their relative importance with respect to a factor on the level above, and a judgment matrix is set up. The eigenvalues and eigenvectors of the judgment matrix are computed to obtain the relative weight of each factor on a level with respect to each factor on the level above (the single-level ranking weights). Weighting and summing these relative weights from the top down yields the comprehensive importance of each factor with respect to the overall security attribute of the system (the total hierarchical ranking weights), and finally the ranking results are analysed.
The present invention comprises the following modules:
(1) an event monitoring module, responsible for notifying the data acquisition module that the system is under attack, so that real-time acquisition is performed;
(2) a data acquisition module, responsible for the online acquisition of the various assessment data; the data collection agents must have high execution efficiency and consume as few system and network resources as possible. It includes sub-modules for the attribute data that feed the judgment matrix, a defense and damage data acquisition module, a network performance acquisition module and a network-side host system data acquisition module;
(3) a database, which stores the collected network information and host information and provides data to the security state evaluation module;
(4) a security assessment module, which mainly calculates the actual security level from the collected data using the assessment algorithm; it consists of raw data processing, the assessment algorithm and result display;
(5) a master control module, responsible for the flow control of the whole system and serving as the interactive interface between the system and the user.
The beneficial effects of the invention are:
(1) applications of one's own can be created on the control layer, completely isolated from the network devices, so new protocols or applications can be written without affecting the internal structure of the devices;
(2) SDN makes a global view of the network itself available, so it is easy to react to events and to change the topology.
OpenFlow gives the network great flexibility and guarantees the enforcement of dynamic security policies without changing the internal structure of the network components. This is also why OpenFlow is considered an effective means of dealing with vulnerabilities: even in a dynamic environment such as a cloud computing IaaS platform, the mitigation and recovery strategy can be executed automatically when a security problem is encountered.
Description of the drawings
Fig. 1 is a schematic diagram of the overall framework of the present invention.
Detailed description of the invention
The content of the invention is described in more detail below.
The framework is analysed mainly from three different layers. The cloud layer shows two data centers whose sites are connected by a private enterprise backbone network; each data center has its own IaaS cluster and a master node responsible for all of its infrastructure. At the virtualization layer, the view is independent of the particular platform deployed in a data center; in terms of organization, each physical machine, i.e. each "compute" node, creates a virtual switch to which all guest network interfaces are attached. At the virtual switch layer, Open vSwitch is used, which provides a set of functions including an implementation of the OpenFlow protocol, so that the flow tables of the switch are programmed by the OpenFlow controller.
Security state evaluation estimates the security attribute values (namely authenticity, confidentiality, integrity, non-repudiation, controllability and availability) of a network system that is under attack or has failed, and derives a quantitative result, thereby assessing the security state of the system. When a security failure occurs, evaluating the security state of the information system makes it possible to formulate the security policy more reasonably and scientifically and to respond in time, thus effectively improving the security and survivability of the network system. The analytic hierarchy process (AHP) is used to assess the security state of the system. The top level is the goal layer, followed by the criteria layer and the sub-criteria layer; the sub-criteria are aligned with the criteria and decomposed further.
According to the specifics of the system and the target requirements, a multi-level hierarchical structure of the factors affecting the system's security attributes is first established. Then, according to a given criterion, the factors on each level are compared pairwise to obtain a scale of their relative importance with respect to a factor on the level above, and a judgment matrix is set up. The eigenvalues and eigenvectors of the judgment matrix are computed to obtain the relative weight of each factor on a level with respect to each factor on the level above (the single-level ranking weights). Weighting and summing these relative weights from the top down yields the comprehensive importance of each factor with respect to the overall security attribute of the system (the total hierarchical ranking weights), and finally the ranking results are analysed.
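The AHP procedure described in the Summary and in the paragraph above (judgment matrix, principal eigenvector, single-level and total hierarchical ranking weights) is shown below as an added example; it is not code from the patent or from Inspur. The hierarchy, the pairwise judgments, the indicator names and the sample observations are constructed assumptions, and the example goes one step beyond the text by applying Saaty's consistency ratio check, which rejects judgment matrices too inconsistent to yield meaningful weights.

```python
"""Added example (not the patent's code): AHP-style security state scoring.

Builds a goal -> criteria -> sub-criteria hierarchy, derives weights from
reciprocal judgment matrices via the principal eigenvector (power iteration),
checks Saaty's consistency ratio, and folds the weights into one score.
Hierarchy, judgments and indicator names below are constructed assumptions.
"""
from typing import Dict, List, Tuple

Matrix = List[List[float]]

# Saaty's random consistency index by matrix order n; CR = CI / RI.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def judgment_matrix(n: int, upper: Dict[Tuple[int, int], float]) -> Matrix:
    """Reciprocal n x n matrix from judgments a_ij (i < j) on the 1..9 scale."""
    a = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        if not (0 <= i < j < n) or v <= 0:
            raise ValueError(f"invalid judgment a[{i}][{j}] = {v}")
        a[i][j] = float(v)
        a[j][i] = 1.0 / v
    return a


def principal_eigen(a: Matrix, iters: int = 1000, tol: float = 1e-12) -> Tuple[float, List[float]]:
    """Power iteration: returns (lambda_max, priority vector normalised to sum 1)."""
    n = len(a)
    w = [1.0 / n] * n
    for _ in range(iters):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        nxt = [x / total for x in aw]
        converged = max(abs(nxt[i] - w[i]) for i in range(n)) < tol
        w = nxt
        if converged:
            break
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n   # Rayleigh-style estimate of lambda_max
    return lam, w


def consistency_ratio(a: Matrix, lam: float) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for n <= 2."""
    n = len(a)
    if n <= 2:
        return 0.0
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def level_weights(a: Matrix, max_cr: float = 0.1) -> Tuple[List[float], float]:
    """Single-level ranking weights; rejects judgments whose CR exceeds max_cr."""
    lam, w = principal_eigen(a)
    cr = consistency_ratio(a, lam)
    if cr > max_cr:
        raise ValueError(f"inconsistent judgments: CR={cr:.3f} > {max_cr}")
    return w, cr


# Constructed hierarchy (assumption): three of the six attributes named in the
# description, each decomposed into two indicators normalised to 0..1.
CRITERIA = ["confidentiality", "integrity", "availability"]
CRITERIA_JUDGMENTS = {(0, 1): 1.0, (0, 2): 3.0, (1, 2): 3.0}
SUB_CRITERIA = {
    "confidentiality": (["encrypted_flow_ratio", "acl_hit_rate"], {(0, 1): 2.0}),
    "integrity":       (["image_hash_ok", "patch_level"],          {(0, 1): 2.0}),
    "availability":    (["service_uptime", "packet_loss_ok"],      {(0, 1): 1.0}),
}


def global_weights() -> Dict[str, float]:
    """Total hierarchical ranking: criterion weight x local sub-criterion weight."""
    crit_w, _ = level_weights(judgment_matrix(len(CRITERIA), CRITERIA_JUDGMENTS))
    out: Dict[str, float] = {}
    for crit, cw in zip(CRITERIA, crit_w):
        names, judg = SUB_CRITERIA[crit]
        local_w, _ = level_weights(judgment_matrix(len(names), judg))
        for name, lw in zip(names, local_w):
            out[name] = cw * lw
    return out


def security_score(observed: Dict[str, float]) -> float:
    """Quantised security state in [0, 1] from observed indicator values (clamped to 0..1)."""
    gw = global_weights()
    missing = sorted(set(gw) - set(observed))
    if missing:
        raise KeyError(f"missing indicators: {missing}")
    return sum(gw[k] * min(1.0, max(0.0, observed[k])) for k in gw)


if __name__ == "__main__":
    # Constructed sample observation for one guest network.
    sample = {"encrypted_flow_ratio": 1.0, "acl_hit_rate": 0.5, "image_hash_ok": 1.0,
              "patch_level": 0.0, "service_uptime": 1.0, "packet_loss_ok": 0.0}
    print({k: round(v, 3) for k, v in global_weights().items()})
    print(round(security_score(sample), 3))
```

The weights are recomputed from the judgment matrices on every call so that a change in expert judgments propagates without a separate cache; in a deployed assessment module the judgments would be loaded from configuration and the consistency check run once at load time, since a matrix with CR above 0.1 signals contradictory expert input rather than a property of the monitored system.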
The functions of the modules are as follows:
(1) The event monitoring module is responsible for notifying the data acquisition module that the system is under attack, so that real-time acquisition is performed.
(2) The data acquisition module is responsible for the online acquisition of the various assessment data. The data collection agents must have high execution efficiency and consume as few system and network resources as possible. The module includes sub-modules for the attribute data that feed the judgment matrix, a defense and damage data acquisition module, a network performance acquisition module and a network-side host system data acquisition module.
(3) The database stores the collected network information and host information and provides data to the security state evaluation module.
(4) The security assessment module mainly calculates the actual security level from the collected data using the assessment algorithm. It consists of raw data processing, the assessment algorithm and result display.
(5) The master control module is responsible for the flow control of the whole system and serves as the interactive interface between the system and the user.
The strategy is triggered through interaction between the IaaS manager and the OpenFlow controller. After an attack on a virtual testbed is detected, the strategy to be implemented mainly migrates the compromised VM to the same infrastructure in a different data center. After the migration completes, the correlator can instruct the controller to change the information flow of the virtual switch on the physical node that previously hosted the guest, so as to ensure location transparency.
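The mitigation path just described (attack detected, compromised VM migrated to another data center, flow tables of the old host's virtual switch rewritten so the guest keeps its address) is shown below as an added example that is not code from the patent or from Inspur. It models the guest's security state transitions and emits the Open vSwitch rules the controller would push, in the architecture of the Detailed description where each compute node runs an Open vSwitch bridge. The bridge name br-int, the tunnel port number, the assumption that the VXLAN port is created with remote_ip=flow (so tun_dst can be set per flow), and all addresses are constructed assumptions.

```python
"""Added example (not the patent's code): mitigation/recovery strategy as a
state machine plus the Open vSwitch flow rules it pushes to the old host.

Assumptions (constructed): bridge br-int on every compute node; a VXLAN port
created with options:remote_ip=flow so set_field:...->tun_dst selects the
destination host per flow; port numbers and IP addresses are illustrative.
Rules are returned as ovs-ofctl command strings for review before use.
"""
from dataclasses import dataclass, field
from typing import List, Tuple
import ipaddress

# Security states of one guest and the events that move it between them.
TRANSITIONS = {
    ("normal",       "attack_detected"):   "under_attack",
    ("under_attack", "migration_started"): "migrating",
    ("migrating",    "migration_done"):    "recovered",
    ("recovered",    "flows_updated"):     "normal",
}


@dataclass
class Guest:
    name: str
    ip: str
    bridge: str                      # virtual switch on the host that held the VM before migration
    state: str = "normal"
    history: List[str] = field(default_factory=list)

    def transition(self, event: str) -> str:
        """Apply one event; refuse events that are not valid in the current state."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.name}: event {event!r} not allowed in state {self.state!r}")
        self.history.append(self.state)
        self.state = TRANSITIONS[key]
        return self.state


def quarantine_flows(bridge: str, attacker_ip: str, guest_ip: str) -> List[str]:
    """While under attack: drop the attacker's traffic towards the guest at the vswitch."""
    ipaddress.ip_address(attacker_ip)   # raises ValueError on malformed input
    ipaddress.ip_address(guest_ip)
    return [
        f"ovs-ofctl add-flow {bridge} "
        f'"table=0,priority=300,ip,nw_src={attacker_ip},nw_dst={guest_ip},actions=drop"'
    ]


def redirect_flows(bridge: str, guest_ip: str, new_host_ip: str, tunnel_port: int) -> List[str]:
    """After migration: traffic still arriving for the guest's address at the old host's
    vswitch is tunnelled to the new host, so the guest keeps its IP (location transparency)."""
    ipaddress.ip_address(guest_ip)
    ipaddress.ip_address(new_host_ip)
    return [
        f"ovs-ofctl add-flow {bridge} "
        f'"table=0,priority=200,ip,nw_dst={guest_ip},'
        f'actions=set_field:{new_host_ip}->tun_dst,output:{tunnel_port}"',
        # ARP requests for the guest's address must also reach the new host.
        f"ovs-ofctl add-flow {bridge} "
        f'"table=0,priority=200,arp,arp_tpa={guest_ip},'
        f'actions=set_field:{new_host_ip}->tun_dst,output:{tunnel_port}"',
    ]


def run_strategy(guest: Guest, attacker_ip: str, new_host_ip: str,
                 tunnel_port: int = 10) -> Tuple[str, List[str]]:
    """Drive the guest through detect -> quarantine -> migrate -> redirect and return
    (final state, ordered list of commands the controller would issue)."""
    cmds: List[str] = []
    guest.transition("attack_detected")
    cmds += quarantine_flows(guest.bridge, attacker_ip, guest.ip)
    guest.transition("migration_started")
    # Live migration of the VM to the other data center happens here (IaaS manager's job).
    guest.transition("migration_done")
    cmds += redirect_flows(guest.bridge, guest.ip, new_host_ip, tunnel_port)
    guest.transition("flows_updated")
    return guest.state, cmds


if __name__ == "__main__":
    # Constructed sample: guest at 10.0.1.7, attacker 203.0.113.9, new host 192.0.2.20.
    vm = Guest(name="vm-7", ip="10.0.1.7", bridge="br-int")
    final_state, commands = run_strategy(vm, "203.0.113.9", "192.0.2.20")
    print(final_state, vm.history)
    for c in commands:
        print(c)
```

Two caveats a practitioner would add: the quarantine rule only lives on the old host's bridge, so the same drop rule must be installed on the destination host's bridge before the migrated guest starts receiving traffic there; and the redirect rule should be removed again once the tenant's routing (or the controller's global view) has been updated to point at the new location, otherwise the old host stays on the forwarding path indefinitely.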

Claims (3)

1. An OpenFlow-based IaaS cloud security state transition analysis system, characterised in that it comprises the following modules:
(1) an event monitoring module, responsible for notifying the data acquisition module that the system is under attack, so that real-time acquisition is performed;
(2) a data acquisition module, responsible for the online acquisition of the various assessment data;
(3) a database, which stores the collected network information and host information and provides data to the security state evaluation module;
(4) a security assessment module, which mainly calculates the actual security level from the collected data using the assessment algorithm;
(5) a master control module, responsible for the flow control of the whole system and serving as the interactive interface between the system and the user.
2. The analysis system according to claim 1, characterised in that the data collection agents have high execution efficiency and consume as few system and network resources as possible, and that the data acquisition module includes sub-modules for the attribute data that feed the judgment matrix, a defense and damage data acquisition module, a network performance acquisition module and a network-side host system data acquisition module.
3. The analysis system according to claim 1, characterised in that the security assessment module consists of raw data processing, an assessment algorithm and result display.
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201610263310.1A    2016-04-26      2016-04-26    OpenFlow-based IaaS cloud security state transition analysis system (CN105871865A, pending)

Publications (1)

Publication Number   Publication Date
CN105871865A         2016-08-17

Family

ID=56628277
Family applications (1): CN201610263310.1A, pending, CN105871865A (en)
Country status (1): CN, CN105871865A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number    Priority date   Publication date   Assignee   Title
CN101820413A (en) *   2010-01-08      2010-09-01         中国科学院软件研究所 (Institute of Software, Chinese Academy of Sciences)   Method for selecting optimized protection strategy for network security
CN102340485A (en) *   2010-07-19      2012-02-01         中国科学院计算技术研究所 (Institute of Computing Technology, Chinese Academy of Sciences)   Network security situation awareness system and method based on information correlation
US20130254895A1 (en) *   2012-03-22   2013-09-26         Los Alamos National Security, LLC   Non-harmful insertion of data mimicking computer network attacks
CN104618373A (en) *   2015-01-30      2015-05-13         哈尔滨工业大学 (Harbin Institute of Technology)   Service security quantitative evaluation method and system suitable for cloud computing platform

Legal Events

Code   Title
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
WD01   Invention patent application deemed withdrawn after publication

Application publication date: 20160817