CN107506640A - Virtual machine guard system - Google Patents


Info

Publication number: CN107506640A
Authority: CN (China)
Prior art keywords: virtual machine, cloud, protection, security, monitoring
Priority date: 2017-06-28
Filing date: 2017-06-28
Publication date: 2017-12-22
Legal status: Pending
Application number: CN201710504090.1A
Other languages: Chinese (zh)
Inventor: 林明贵
Current Assignee: Yitai Science & Technology Co Ltd Qingdao
Original Assignee: Yitai Science & Technology Co Ltd Qingdao
Application filed by Yitai Science & Technology Co Ltd Qingdao
Priority to CN201710504090.1A
Publication of CN107506640A

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/52 Monitoring during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
                • G06F21/53 Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Separating internal from external traffic, e.g. firewalls
            • H04L63/04 Providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/14 Detecting or protecting against malicious traffic
              • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1097 Protocols for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
              • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

A virtual machine guard system, relating to an improvement of virtual machine systems and in particular to an improvement of virtual machine protection systems. It is an all-round server security platform for VMware public/private cloud environments and the Amazon cloud platform; its functions include malware protection, web reputation monitoring, firewall, intrusion prevention, integrity monitoring and log inspection and audit. It consists of a transparent monitoring virtual appliance, a security client (deployed on the physical machine), a management center and a cloud security service network; the transparent monitoring virtual appliance is based on VMware vShield Endpoint, and the agentless design substantially reduces system overhead. The invention is full-featured: it includes antivirus protection, transparent protection (agentless access) and secure cloud service (web reputation) functions; transparent protection with advanced technology; and hot-patching technology.

Description

Virtual machine guard system
Technical field
The present invention relates to an improvement of virtual machine systems, and in particular to an improvement of virtual machine protection systems.
Background technology
Virtual machine technology is one kind of virtualization technology. So-called virtualization transforms something from one form into another. The most common virtualization technology is memory virtualization in an operating system: the memory a user needs at run time may far exceed the physical memory of the machine, and with memory virtualization part of the hard disk is treated as memory, transparently to the user. As another example, virtual private network (VPN) technology can be used to virtualize a secure, stable "tunnel" inside a public network, so that the user experiences it as if using a private network.
However, the security threats to virtual machines in the cloud are now growing in number: security architecture defects, virtual boundary threats, resource abuse, side-channel threats, malicious users and so on. In particular, new malicious attacks and penetration behaviour that exploit security architecture defects and virtual boundaries are increasingly common.
The content of the invention
In view of the defects and deficiencies of the prior art, the present invention aims to provide a virtual machine guard system that is full-featured and achieves antivirus protection, transparent protection, agentless access and secure cloud service functions, with transparent protection offering the advantages of saving system overhead and advanced technology.
To achieve the above object, the present invention adopts the following technical scheme: an all-round server security platform for VMware public/private cloud environments and the Amazon cloud platform, whose functions include malware protection, web reputation monitoring, firewall, intrusion prevention, integrity monitoring and log inspection and audit. It allows a cloud provider to build, efficiently and at a suitable security cost, a cloud platform that meets the compliance requirements of PCI DSS 2.0, HIPAA, NIST and SAS 70. It consists of a transparent monitoring virtual appliance, a security client (deployed on the physical machine), a management center and a cloud security service network; the transparent monitoring virtual appliance is based on VMware vShield Endpoint and can detect private (covert) VM communication channels and VM hopping, and can protect newly created virtual machine instances. Compared with Symantec/McAfee products, which require a client to be configured inside each virtual machine, the agentless design substantially reduces system overhead.
The aforementioned Symantec protects cloud security with a series of sub-products, of which the main protection products are the "critical system protection solution" and the "data center security bundle". The critical system protection software protects VMware vSphere hosts by providing HIDS and HIPS, and provides monitoring and centralized management of files and the network. The data center security bundle (Server Plus) consists of a transparent monitoring module on the host and an endpoint security module inside the virtual machine, and can provide virtual machines with functions such as transparent monitoring and offline vulnerability patching.
The present invention is full-featured. It includes antivirus protection, transparent protection (agentless access) and secure cloud service (web reputation) functions. Transparent protection: saves system overhead, advanced technology. Hot-patching technology: patches the kernel of a running virtual machine, protecting against newly known vulnerabilities (1-day protection) without shutting down. Dormant patching technology: patches dormant virtual machines, solving the protection-gap problem.
Embodiment
The technical scheme adopted in the present embodiment is: an all-round server security platform for VMware public/private cloud environments and the Amazon cloud platform, whose functions include malware protection, web reputation monitoring, firewall, intrusion prevention, integrity monitoring and log inspection and audit. It allows a cloud provider to build, efficiently and at a suitable security cost, a cloud platform that meets the compliance requirements of PCI DSS 2.0, HIPAA, NIST and SAS 70. It consists of a transparent monitoring virtual appliance, a security client (deployed on the physical machine), a management center and a cloud security service network; the transparent monitoring virtual appliance is based on VMware vShield Endpoint and can detect private (covert) VM communication channels and VM hopping, and can protect newly created virtual machine instances. Compared with Symantec/McAfee products, which require a client to be configured inside each virtual machine, the agentless design substantially reduces system overhead.
The aforementioned Symantec protects cloud security with a series of sub-products, of which the main protection products are the "critical system protection solution" and the "data center security bundle". The critical system protection software protects VMware vSphere hosts by providing HIDS and HIPS, and provides monitoring and centralized management of files and the network. The data center security bundle (Server Plus) consists of a transparent monitoring module on the host and an endpoint security module inside the virtual machine, and can provide virtual machines with functions such as transparent monitoring and offline vulnerability patching.
VMware in the present embodiment: configuration management by vCenter Configuration Manager; network security by vEdge Security (VXLAN); endpoint security provided through vShield Endpoint to partner vendors. National demand: achieve informatization, ensure the free and efficient circulation of information, raise social productivity through information technology and promote social harmony; cloud computing is currently the fastest-growing direction of the information industry, so advanced technology must be used to occupy the commanding heights of cloud computing and the international market and create new opportunities for economic development; ensure the CIA (confidentiality, integrity, availability) of sovereign information; green computing, intelligent computing. Application demand: the IT industry's applications of cloud computing; using PaaS and containers to develop new applications rapidly and provide services (case: 36kr, to be verified); using IaaS to deploy one's own applications rapidly and set computing resource usage elastically on demand, moving from the traditional machine room to uniform server maintenance provided by the data center (case: Alibaba Cloud application cases, cloud gaming servers); using SaaS to share and analyse resources and data in mashups and to compose new cloud services (case: ifttt, data exchange between Weibo and Taobao).
The demands these IT-industry applications place on cloud services: automation of configuration, flexible scaling and migratability: raise deployment efficiency; change the deployable configuration as little as possible (adjusting the system is quite troublesome); stable cloud service: no downtime and no data loss; performance monitoring and auditing for the cloud: a cloud server can rent third-party performance monitoring and analysis services (case: CloudPhysics); security compliance: compliance == trust == security (case: AWS).
Non-IT industries: medical industry: cloud storage (medical imaging), cloud OA (electronic health records, prescriptions), knowledge base (analysis); government cloud: cloud OA (government processes), data sharing (public security cloud); fast-moving consumer goods industry: desktop virtualization (easy maintenance, uniform service).
Demands on cloud services: smooth migration from the existing configuration to the cloud (network configuration, system compatibility, migration); maintenance becomes simple rather than complex (centralization); business fluency (virtual network speed, virtual engine efficiency); data confidentiality (C); data analysis (big data).
Development needs of the industry: technology: high-density virtual machines, lightweight systems (improve efficiency, save cost); energy saving and environmental protection (power saving).
Change the deployable configuration as little as possible. Industry: standardization: compliance, standardized operation and management bring trust; segmentation: develop services targeted at cloud services, such as monitoring, management and security; expansion: extend virtualization, soften objects, e.g. NFV (telecom office virtualization), SDN (software-defined networking).
Low-energy data center design problem: energy saving and environmental protection;
Lightweight virtual machine design: improve efficiency, restrict functions to ensure security;
Virtualization hardware design: improve efficiency, establish a compatible PC architecture, adapt to one-to-many and many-to-one virtualization architectures (using the PC architecture to realize the functional structure of traditional mainframes and midrange machines);
Security standard formulation and compliance: define security codes and specifications, and realize the security specifications with the relevant technologies;
Realize the potential attacks on the virtual machine architecture, and the protection against such attacks: because virtualization attacks have not yet produced actual cases with serious consequences, nobody pays attention to them; realizing such attacks is what makes better protection possible.
Encrypted data sharing and ciphertext computation: SaaS shared data.
The present embodiment is full-featured. It includes antivirus protection, transparent protection (agentless access) and secure cloud service (web reputation) functions. Transparent protection: saves system overhead, advanced technology. Hot-patching technology: patches the kernel of a running virtual machine, protecting against newly known vulnerabilities (1-day protection) without shutting down. Dormant patching technology: patches dormant virtual machines, solving the protection-gap problem.
The above is merely illustrative of the technical solution of the present invention and not restrictive; other modifications or equivalent substitutions made to the technical solution of the present invention by those of ordinary skill in the art, without departing from the spirit and scope of that technical solution, shall all fall within the scope of the present invention as claimed.
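The protection gap that the hot-patching and dormant-patching features above address (a virtual machine that was suspended or powered off when a kernel patch shipped, or an instance freshly cloned from a stale template, comes back unpatched and unknown to the monitoring appliance) can be made concrete with a small inventory check. The following Python is an added example, not code from the patent or from any VMware, Symantec or McAfee product; the VM records, the patch-level ordinal and the action names are constructed assumptions.

```python
"""Protection-gap check over a VM inventory (constructed example, not the patent's code).

Distinguishes the three cases the description separates: a running VM that can be
hot-patched, a dormant (suspended or powered-off) VM that must be patched offline
before it may power on, and a newly created instance that must first be registered
with the transparent monitoring appliance.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Hypothetical patch baseline: the newest kernel patch level the platform knows about.
PATCH_BASELINE = 7


@dataclass
class Vm:
    name: str
    power_state: str         # "running", "suspended" or "off"
    kernel_patch_level: int  # highest patch level applied to the guest kernel
    protected: bool          # registered with the security virtual appliance?


def required_actions(vm: Vm, baseline: int = PATCH_BASELINE) -> List[str]:
    """Return the actions needed to bring one VM up to the protected baseline."""
    actions = []
    if not vm.protected:
        # A new instance is not covered until the monitoring appliance knows about it.
        actions.append("register-with-monitoring-appliance")
    if vm.kernel_patch_level < baseline:
        if vm.power_state == "running":
            actions.append("hot-patch-kernel")   # 1-day protection, no shutdown
        else:
            actions.append("offline-patch")      # dormant VM: patch the image
    return actions


def may_power_on(vm: Vm, baseline: int = PATCH_BASELINE) -> Tuple[bool, str]:
    """Gate a power-on request: a dormant VM below baseline must be patched offline first."""
    if vm.power_state == "running":
        return False, "already running"
    if vm.kernel_patch_level < baseline:
        return False, f"{vm.name} is at patch level {vm.kernel_patch_level} < {baseline}; offline-patch first"
    if not vm.protected:
        return False, f"{vm.name} is not registered with the monitoring appliance"
    return True, "ok"


def apply_offline_patch(vm: Vm, baseline: int = PATCH_BASELINE) -> Vm:
    """Simulate patching a dormant VM's disk image; refused for a running VM."""
    if vm.power_state == "running":
        raise ValueError("offline patch requires a dormant VM; hot-patch it instead")
    return replace(vm, kernel_patch_level=baseline)


def new_instance(template: Vm, name: str) -> Vm:
    """A VM cloned from a template inherits its patch level and starts unregistered."""
    return replace(template, name=name, power_state="off", protected=False)


def protection_gap(inventory: List[Vm], baseline: int = PATCH_BASELINE) -> List[str]:
    """Names of the VMs currently outside the protected baseline."""
    return [vm.name for vm in inventory if required_actions(vm, baseline)]


# Constructed sample inventory.
TEMPLATE = Vm("web-template", "off", 5, protected=True)
INVENTORY = [
    Vm("web-01", "running", 7, protected=True),   # compliant
    Vm("web-02", "running", 6, protected=True),   # hot-patch candidate
    Vm("db-01", "suspended", 4, protected=True),  # dormant: offline patch before power-on
    new_instance(TEMPLATE, "web-03"),             # new instance cloned from a stale template
]

if __name__ == "__main__":
    for vm in INVENTORY:
        print(vm.name, required_actions(vm) or ["compliant"])
    print("protection gap:", protection_gap(INVENTORY))
```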

Claims (2)

1. A virtual machine guard system, characterized in that: it is an all-round server security platform for VMware public/private cloud environments and the Amazon cloud platform; it consists of a transparent monitoring virtual appliance, a security client (deployed on the physical machine), a management center and a cloud security service network; the transparent monitoring virtual appliance is based on VMware vShield Endpoint and can detect private (covert) VM communication channels and VM hopping, and can protect newly created virtual machine instances; compared with Symantec/McAfee products, which require a client to be configured inside each virtual machine, the agentless design substantially reduces system overhead.
2. The virtual machine guard system according to claim 1, characterized in that: the said Symantec protects cloud security with a series of sub-products; the critical system protection software protects VMware vSphere hosts by providing HIDS and HIPS, and provides monitoring and centralized management of files and the network; the data center security bundle (Server Plus) consists of a transparent monitoring module on the host and an endpoint security module inside the virtual machine, and can provide virtual machines with functions such as transparent monitoring and offline vulnerability patching.
CN201710504090.1A, priority date 2017-06-28, filing date 2017-06-28, "Virtual machine guard system", pending, published as CN107506640A (en)

Priority Applications (1)

Application Number: CN201710504090.1A (CN107506640A, en); Priority Date: 2017-06-28; Filing Date: 2017-06-28; Title: Virtual machine guard system

Applications Claiming Priority (1)

Application Number: CN201710504090.1A (CN107506640A, en); Priority Date: 2017-06-28; Filing Date: 2017-06-28; Title: Virtual machine guard system

Publications (1)

Publication Number: CN107506640A; Publication Date: 2017-12-22

Family

ID=60679342

Family Applications (1)

Application Number: CN201710504090.1A (CN107506640A, en); Status: Pending; Priority Date: 2017-06-28; Filing Date: 2017-06-28; Title: Virtual machine guard system

Country Status (1)

Country: CN; Link: CN107506640A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102523215A (en) * 2011-12-15 2012-06-27 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform
CN103067380A (en) * 2012-12-26 2013-04-24 北京启明星辰信息技术股份有限公司 Deployment configuration method and system of virtual safety device
CN103973676A (en) * 2014-04-21 2014-08-06 蓝盾信息安全技术股份有限公司 Cloud computing safety protection system and method based on SDN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171222