CN107645472A - A kind of virtual machine traffic detecting system based on OpenFlow - Google Patents

Info

Publication number: CN107645472A
Application number: CN201610578003.2A
Authority: CN (China)
Prior art keywords: openflow, virtual machine, flow, module, virtual
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 由国峰
Current assignee: Individual
Original assignee: Individual

Abstract

Virtual machines under a cloud platform exchange traffic inside the physical machine without passing through security components such as firewalls, so this kind of traffic cannot be captured and inspected at the network boundary. To address this problem, a virtual machine traffic detection system based on OpenFlow is proposed: OpenFlow virtual switches and a controller replace the conventional switch, the traffic forwarding process is controlled with OpenFlow technology, and the traffic is steered to external security components for processing. Test results show that the system can direct the traffic to be supervised to an intrusion detection system for processing while leaving normal virtual machine networking intact, and that it can provide traffic redirection control at two granularities, switch-level and virtual machine-level, at the same time. Steering virtual machine traffic in this way solves the traffic detection problem of the classical scenario under a cloud computing environment, and extended traffic-processing operations can be implemented easily on the basis of OpenFlow.

Description

A kind of virtual machine traffic detecting system based on OpenFlow
Technical field
The present invention relates to a detection system, and in particular to a virtual machine traffic detection system based on OpenFlow.
Background technology
In traditional networks, security protection is mainly the responsibility of security components at the network boundary, such as firewalls and intrusion detection systems (Intrusion Detection System, IDS); these safeguards guarantee network security by inspecting and filtering traffic. However, the underlying architecture of cloud computing is realized with virtualization technology, and the communication between virtual machines (Virtual Machine, VM) is completed in the shared memory of the physical machine, so the traffic never passes through the security components at the network boundary. If an attack originates inside the cloud, the traditional protection measures are therefore entirely ineffective.
In view of the above problems, the literature has adopted the approach of monitoring the running state of virtual machines to ensure the security of virtual machine systems. The common practice is to monitor from the perspective of files and processes, for example monitoring anomalies in system log files, protecting sensitive data files, intercepting file access operations, forbidding illegal and high-risk system calls, and intercepting operating system events and performing semantic reconstruction on them. Other work enforces strict access control mechanisms inside the virtual machine as a safeguard, for example by implementing or improving the BLP (Bell-LaPadula) model; based on this idea many typical applications and models have been achieved, such as Cisco Network Admission Control (NAC), the Trusted Computing Group's Trusted Network Connect (TNC) and Microsoft's Network Access Protection (NAP). These host-based approaches improve the security of virtual machine systems to some extent, but they also have shortcomings in other respects: 1) every host bears its own protection task, which increases the host's load and operating cost; 2) because all policies are host-based and there is no mechanism for exchanging and sharing information, a protection unit cannot obtain the protection information and attack situation of other hosts, so the protection information is limited.
The content of the invention
The purpose of the present invention is to design an OpenFlow-based virtual machine traffic detection system for the problem that this kind of traffic cannot be captured and inspected at the network boundary.
The technical solution adopted by the present invention to solve the technical problem is:
The OpenFlow-based virtual machine traffic detection system is designed with a distributed architecture and mainly comprises a virtual switch module, a control module, an intrusion detection module and a system configuration management module.
The virtual switch module realizes the function of an OpenFlow virtual switch.
The control module is responsible for formulating forwarding policies for the virtual switch module, and dynamically formulates traffic redirection rules according to configuration and request information.
The system deploys the intrusion detection module under a LAMP environment on the basis of components such as Snort, MySQL and an intrusion detection database analysis console, to handle traffic processing.
Each module component of the system is deployed in a distributed manner on each node of the network and is numerous, so a program for centralized configuration over the network is also developed to simplify deployment and management work, namely the system configuration management module.
Traffic from a virtual machine flows through the virtual switch module.
The virtual switch module determines how a packet is forwarded according to the flow table formulated by the control module; at this point the packet may be redirected to the intrusion detection module according to a traffic redirection rule.
After capturing the redirected traffic, the intrusion detection module inspects it and forwards it to the destination host.
The system configuration management module provides a graphical interface for operating and configuring each module component, so that the system administrator can manage each module across the network at any time.
The beneficial effects of the invention are as follows:
The OpenFlow-based virtual machine traffic detection system can direct the traffic to be supervised to an intrusion detection system for processing while leaving normal virtual machine networking intact, and can provide traffic redirection control at two granularities, switch-level and virtual machine-level, at the same time. By steering virtual machine traffic it solves the traffic detection problem of the classical scenario under a cloud computing environment, and extended traffic-processing operations can be implemented easily on the basis of OpenFlow.
Brief description of the drawings
The present invention is further described with reference to the accompanying drawings and embodiments.
Fig. 1 is the system architecture diagram.
Fig. 2 is the packet processing procedure of the virtual switch module.
Fig. 3 is the flow of the control module formulating redirection rules.
Fig. 4 is the structure diagram and data processing procedure of the intrusion detection module.
Fig. 5 is the MVC framework of the SCMP module.
Embodiment
As shown in Fig. 1, the OpenFlow-based virtual machine traffic detection system is designed with a distributed architecture and mainly comprises a virtual switch module, a control module, an intrusion detection module and a system configuration management module. The design idea is to deploy the virtual machines under the cloud platform in an OpenFlow virtual network, replacing the traditional switch with virtual switches and an OpenFlow controller, so that the traffic forwarding process is controlled by OpenFlow means. Once virtual machine traffic leaves the virtual machine it is forwarded by the virtual switch in cooperation with the OpenFlow controller, and redirection rules formulated at the controller end redirect the traffic to external security components for processing. At the security components the traffic is inspected and filtered with traditional safeguards, which solves the traffic security problem in the cloud computing scenario.
With the continuous expansion of the Internet, new network applications emerge endlessly and the requirements on network transmission keep rising. However, the existing network architecture has inherent deficiencies in many respects: the routers and switches at the core of the network cannot provide the extensibility that network development requires, and because the processing logic of these devices is burned into hardware on the basis of the current network framework and cannot be changed, network transmission is difficult to adapt. To solve the problems encountered by the current TCP/IP architecture, many countries and institutions have carried out research and experimental work on new Internet designs, such as the GENI and PlanetLab projects in the United States, the European Union's future Internet research and experimentation project FIRE, and Japan's CoreLab. At present, software routing schemes that provide a programmable interface have received wide attention, among which the new network architecture of software-defined networking (SDN) has caused a great response in academia and industry. At the same time, OpenFlow was the first to realize the SDN design philosophy; it promoted the advance of SDN technology and has become the most widely used implementation of SDN. The concept of OpenFlow was first proposed by McKeown of Stanford University and others, and it later became a sub-project of the GENI plan. The core idea of OpenFlow is to decompose the forwarding behaviour of legacy network devices: an action that was originally completed in one step is now completed by the cooperation of an OpenFlow virtual switch and a controller, so that the data plane and the control plane of the network device's forwarding process are separated and the network processing layers are flattened. In this separated architecture, researchers can flexibly and efficiently formulate personalized forwarding policies or test new network protocols through the high-level control plane, and thus realize and deploy new network architectures on the basis of the existing network infrastructure. An OpenFlow virtual network generally includes two most important kinds of component: the OpenFlow virtual switch and the controller. The virtual switch determines how packets are forwarded by the flow table (Flow Table) it maintains. A flow table is defined to contain a series of flow entries (Flow Entry), each consisting of matching fields (such as the packet's ingress port, IP address, protocol type, link-layer address and port number), counters and actions (such as forward, drop, or modify a packet header field). When forwarding, the virtual switch extracts the packet's information and matches it against the fields of the flow entries; once a match succeeds, the corresponding action is carried out. The virtual switch is only responsible for forwarding data as the flow table indicates and does not care how the flow table is formulated; in fact the flow table is formulated by the controller and issued to the virtual switch, and the controller can at any time maintain the flow table in the virtual switch over the network in the form defined by OpenFlow. This is how OpenFlow separates the data plane from the control plane.
As shown in Fig. 2, the virtual switch module and the control module realize packet forwarding and traffic redirection, the intrusion detection module is responsible for detecting the traffic, and the system configuration management module provides configuration and management functions for the distributed components. In a typical virtual machine traffic redirection scenario the workflow is: traffic from the virtual machine flows through the virtual switch module; the virtual switch module determines how the packet is forwarded according to the flow table formulated by the control module, and at this point the packet may be redirected to the intrusion detection module according to a traffic redirection rule; the intrusion detection module inspects the redirected traffic after capturing it and forwards it to the destination host; the system configuration management module provides a graphical interface for operating and configuring each module component, so that the system administrator can manage each module across the network at any time.
The virtual switch module realizes, by means of OpenFlow, the functions of a virtual switch that is controllable and easy to extend; the specific control policy is formulated by the external controller, which separates the data plane from the control plane in the forwarding process. In such a separated network architecture the coupling between the system's modules is reduced and each module performs its own function, so each can concentrate on its own task and goal. Note that the virtual switch module only realizes the functions of a virtual switch and provides the ability to forward packets; it knows nothing about processes such as redirection, because in an OpenFlow virtual network this component is the executor, which mechanically applies the processing rules made by the control module. It is precisely this characteristic that gives the virtual switch module good extensibility to the outside, since formulating a new extended function only requires establishing the relevant rules at the controller end. The virtual switch module thus provides the function of an extensible switch, and the OpenFlow controller establishes the relevant rules to complete the virtual machine traffic forwarding and redirection tasks. In the system, the virtual switch module interacts with the control module based on the OpenFlow protocol and forwards the traffic arriving at the virtual switch according to the packet processing rules (flow table) issued by the control module. The process by which the virtual switch module and the control module cooperate to handle traffic redirection is: when a packet arrives, the virtual switch module extracts the packet information and matches it against the flow table it maintains; if the match succeeds the corresponding action is performed, otherwise a request to establish a flow entry is sent to the controller. Most of the flow entries in the virtual switch are established by the controller on this occasion. The OpenFlow protocol part of the virtual switch module is mainly realized on the basis of Open vSwitch, which is mainly implemented in the C language and therefore ports well across UNIX/Linux platforms. Compared with a traditional switch, Open vSwitch simplifies maintenance, configuration and management through programmable extension, and provides higher flexibility and controllability.
As shown in Fig. 3, the control module, as the controller in the OpenFlow protocol, assists the virtual switch with general data forwarding tasks and realizes the function of dynamically configuring traffic redirection rules. The control module is mainly realized on the basis of NOX, an open source project maintained by Nicira; NOX provides a programming platform for controlling one or more OpenFlow switches, and researchers can implement their own OpenFlow network control programs on the programming interface NOX provides. The control module of the system realizes a controller instance (hereinafter the instance) that manages multiple switches. The instance realizes the processing of events such as packet arrival, switch connection, switch disconnection and port status change, and from the information obtained through these events realizes switch information learning (maintaining switch dpid, port information and so on) and MAC (Media Access Control) address learning (maintaining the mapping between MAC addresses and port numbers), thereby realizing the function of a basic switch. When implementing the instance, the present invention provides redirection rule formulation and management at two granularities, switch-level and virtual machine-level. The principle is that two configuration tables maintained inside the instance, mac_ids_table and dp_ids_table, serve as the basis for formulating redirection rules. The steps by which the instance formulates a redirection flow entry are shown in the flow chart of Fig. 3: first, dp_ids_table (which holds the redirection information of the virtual switches) is searched by dpid (switch number) for switch information corresponding to the packet, which decides whether a redirection flow entry is issued at switch-level; if there is no corresponding redirection rule in dp_ids_table, then mac_ids_table (which holds the redirection information of the virtual machines) is searched by the packet's src_mac, which decides whether a redirection rule is formulated at virtual machine-level. The redirection function is mainly realized through the OpenFlow protocol by rewriting the packet's destination MAC to the redirection MAC. When implemented, the present invention provides an interface for remote dynamic modification of the configuration tables at run time; the configuration tables can therefore be specified before operation according to a configuration file and also modified dynamically during operation through the interface provided by the instance. When a developer configures redirection rules through this interface, it is only necessary to send a message in the specified format to a specific network address and port.
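The two-granularity lookup of the control module and the flow-table matching of the virtual switch module described in the two paragraphs above, as an added Python simulation that is not the patent's own NOX or Open vSwitch code. The table names dp_ids_table and mac_ids_table come from the text; Packet, FlowEntry, Controller, VirtualSwitch, the JSON-like shape of the configure message and every MAC address and port number are constructed for illustration. It also handles one case the text does not spell out: traffic the IDS host itself forwards on after inspection is exempted from redirection, since a switch-level rule would otherwise send it straight back to the IDS.

```python
from dataclasses import dataclass

FLOOD = "FLOOD"                 # stands in for the OpenFlow OFPP_FLOOD output port
IDS_MAC = "00:00:00:00:00:ee"   # constructed MAC address of the IDS sensor host

@dataclass(frozen=True)
class Packet:
    dpid: int      # datapath id of the virtual switch that received the packet
    in_port: int
    src_mac: str
    dst_mac: str

@dataclass
class FlowEntry:
    match: dict    # header fields to match
    actions: list  # e.g. [("set_dl_dst", mac), ("output", port)]
    packets: int = 0

class Controller:
    def __init__(self):
        self.dp_ids_table = {}   # dpid -> IDS MAC (switch-level redirect)
        self.mac_ids_table = {}  # VM source MAC -> IDS MAC (VM-level redirect)
        self.mac_to_port = {}    # (dpid, mac) -> port, learned from packet-ins

    def configure(self, msg):
        """Runtime rule management; msg mimics the system's JSON control message."""
        table = {"dp_ids_table": self.dp_ids_table,
                 "mac_ids_table": self.mac_ids_table}[msg["table"]]
        if msg["op"] == "add":
            table[msg["key"]] = msg["ids_mac"]
        elif msg["op"] == "delete":
            table.pop(msg["key"], None)
        else:
            raise ValueError("unknown op %r" % msg["op"])

    def packet_in(self, pkt):
        """Decide the rule for a table-miss packet; returns (FlowEntry, level)."""
        self.mac_to_port[(pkt.dpid, pkt.src_mac)] = pkt.in_port  # MAC learning
        # Step 1: switch-level lookup by dpid; step 2: VM-level lookup by source MAC.
        ids_mac, level = self.dp_ids_table.get(pkt.dpid), "switch"
        if ids_mac is None:
            ids_mac, level = self.mac_ids_table.get(pkt.src_mac), "vm"
        # Traffic the IDS host forwards on after inspection must not be sent back
        # to it, otherwise a switch-level rule would loop it forever.
        if ids_mac is None or pkt.src_mac == ids_mac:
            ids_mac, level = None, "none"
        target = ids_mac or pkt.dst_mac
        actions = [("output", self.mac_to_port.get((pkt.dpid, target), FLOOD))]
        if ids_mac is not None:
            actions.insert(0, ("set_dl_dst", ids_mac))  # the redirect: rewrite dst MAC
        match = {"in_port": pkt.in_port, "dl_src": pkt.src_mac, "dl_dst": pkt.dst_mac}
        return FlowEntry(match, actions), level

class VirtualSwitch:
    """Applies its flow table mechanically; redirects are never decided here."""

    def __init__(self, dpid, controller):
        self.dpid, self.controller, self.flow_table = dpid, controller, []

    def process(self, pkt):
        """Returns (actions, how), where how is 'hit' or the controller's rule level."""
        fields = {"in_port": pkt.in_port, "dl_src": pkt.src_mac, "dl_dst": pkt.dst_mac}
        for entry in self.flow_table:
            if all(fields[k] == v for k, v in entry.match.items()):
                entry.packets += 1
                return entry.actions, "hit"
        entry, level = self.controller.packet_in(pkt)  # table miss: ask the controller
        entry.packets += 1
        self.flow_table.append(entry)                  # controller installs the entry
        return entry.actions, level

def demo():
    """Constructed scenario: all of switch 2 is redirected; on switch 1 only VM 0b is."""
    ctl = Controller()
    ctl.configure({"table": "dp_ids_table", "op": "add", "key": 2, "ids_mac": IDS_MAC})
    ctl.configure({"table": "mac_ids_table", "op": "add",
                   "key": "00:00:00:00:00:0b", "ids_mac": IDS_MAC})
    sw1, sw2 = VirtualSwitch(1, ctl), VirtualSwitch(2, ctl)
    for sw in (sw1, sw2):  # the IDS host's port is learned from its first packet
        sw.process(Packet(sw.dpid, 9, IDS_MAC, "ff:ff:ff:ff:ff:ff"))
    return {
        "switch_level": sw2.process(Packet(2, 1, "00:00:00:00:00:0c", "00:00:00:00:00:0d")),
        "vm_level": sw1.process(Packet(1, 1, "00:00:00:00:00:0b", "00:00:00:00:00:0a")),
        "untouched": sw1.process(Packet(1, 2, "00:00:00:00:00:0a", "00:00:00:00:00:0b")),
        "cached": sw1.process(Packet(1, 2, "00:00:00:00:00:0a", "00:00:00:00:00:0b")),
        "ids_own": sw2.process(Packet(2, 9, IDS_MAC, "00:00:00:00:00:0c")),
    }
```

A real deployment would also need the IDS host to restore the original destination when it forwards inspected packets on, which the destination-MAC rewrite alone does not preserve.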
As shown in Fig. 4, the intrusion detection module mainly detects and analyses the redirected traffic in the system, in order to discover signs of attacks inside the cloud computing environment and whether there is behaviour violating the security policy. The intrusion detection module mainly comprises a detection component, an output database and a data analysis platform. The detection component realizes the core functions of an IDS; the output database is used to store attack traffic and alert information; the data analysis platform analyses the data in the output database. The detection component is mainly realized on the basis of Snort, which mainly comprises a packet sniffer, preprocessors, a detection engine and output modules. The present invention uses MySQL as the output database; the data analysis platform is mainly realized on the basis of ACID, which accesses the MySQL database through the ADODB component. Packet capture hands the captured data to the packet decoder, which passes it to the preprocessors after decoding; a preprocessor can also discriminate attack data by checking for abnormal packet header behaviour (for example detecting abnormal flag information in TCP packets). After preprocessing, the detection engine performs detection based on Snort rules, and once abnormal data are found they are recorded or alerted through the output plug-ins. The output database records the information of the abnormal packets, and the data analysis platform analyses the attack data statistically using the information in the output database and generates visual charts.
As shown in Fig. 5, because the module components are deployed in a distributed manner on the nodes of the network and are numerous, configuring each component during operation is difficult; the present invention therefore realizes a management platform for centralized configuration of each module by sending control instructions over the network, namely the system configuration management module (SCMP). SCMP exchanges data with each module once every fixed interval; the data messages are represented in JSON format, and SCMP maintains an information table for each module from the data exchanged with it, on which basis it provides a graphical interface for configuration management operations. SCMP is realized on the basis of the MVC (Model, View, Controller) framework and, as shown in Fig. 5, mainly comprises SCMP Server, SCMP Window and Service. SCMP Server calls the corresponding Service to carry out the actual business processing according to the requests coming from the network and from the graphical interface, and replies network data and updates the graphical interface according to the processing result; SCMP Window presents the information of each module of the system and the graphical operation interface to the system administrator; Service includes the business processing objects supplied for SCMP Server to call and the related data objects. The main functions of the system configuration management module include starting, stopping, querying and editing each module, setting the controller for the virtual switch module, setting the IDS, and opening the ACID analysis platform.

Claims (9)

1. An OpenFlow-based virtual machine traffic detection system, designed with a distributed architecture and mainly comprising a virtual switch module, a control module, an intrusion detection module and a system configuration management module.
2. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that the virtual switch module realizes the function of an OpenFlow virtual switch.
3. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that the control module is responsible for formulating forwarding policies for the virtual switch module and dynamically formulates traffic redirection rules according to configuration and request information.
4. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that the system deploys the intrusion detection module under a LAMP environment on the basis of components such as Snort, MySQL and an intrusion detection database analysis console, to handle traffic processing.
5. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that each module component of the system is deployed in a distributed manner on each node of the network and is numerous, so a program for centralized configuration over the network is also developed to simplify deployment and management work, namely the system configuration management module.
6. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that traffic from a virtual machine flows through the virtual switch module.
7. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that the virtual switch module determines how a packet is forwarded according to the flow table formulated by the control module, and at this point the packet may be redirected to the intrusion detection module according to a traffic redirection rule.
8. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that the intrusion detection module inspects the redirected traffic after capturing it and forwards it to the destination host.
9. The OpenFlow-based virtual machine traffic detection system according to claim 1, characterized in that the system configuration management module provides a graphical interface for operating and configuring each module component, so that the system administrator can manage each module across the network at any time.

Publications

Application number: CN201610578003.2A
Priority date: 2016-07-21
Filing date: 2016-07-21
Publication number: CN107645472A (published 2018-01-30)
Family ID: 61108484
Country status: CN, pending

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833304A (en) * 2018-06-26 2018-11-16 郑州云海信息技术有限公司 The management method and device of message in cloud data system
CN109088827A (en) * 2018-07-11 2018-12-25 新华三云计算技术有限公司 virtual machine traffic processing method, device and host
CN109088827B (en) * 2018-07-11 2019-12-13 新华三云计算技术有限公司 Virtual machine flow processing method and device and host
US11228492B2 (en) 2019-01-08 2022-01-18 Red Hat Israel, Ltd. Debugging a network switch by replaying configuration
CN110213181A (en) * 2019-04-28 2019-09-06 华为技术有限公司 Data drainage device and data drainage method in virtual network
CN113132349A (en) * 2021-03-12 2021-07-16 中国科学院信息工程研究所 Agent-free cloud platform virtual flow intrusion detection method and device
CN113347036A (en) * 2021-06-04 2021-09-03 上海天旦网络科技发展有限公司 Method and system for realizing cloud environment bypass monitoring by utilizing public cloud storage

Legal Events

Code Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180130