CN116450283A - Virtual machine security management method, system, device, equipment and medium - Google Patents

Info

Publication number: CN116450283A
Authority: CN (China)
Prior art keywords: data, message, data message, processing, virtual machine
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310086647.XA
Other languages: Chinese (zh)
Inventors: 刘长波, 王影新, 方宇, 刘紫千, 金土龙
Current Assignee: Tianyi Safety Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Tianyi Safety Technology Co Ltd
Application filed by Tianyi Safety Technology Co Ltd
Priority to CN202310086647.XA
Publication of CN116450283A

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/45533 Hypervisors; Virtual machine monitors)
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The embodiment of the application provides a virtual machine security management method, a system, a device, equipment and a medium, which are used for solving the problem that the security of a virtual system is not high enough in the prior art. In the method, a first data message entering a virtual machine is acquired, and the first data message is safely processed; if the security processing result comprises continuous processing, generating a second data message according to the first data message and a data destination address carried in the first data message; performing security processing on the second data message; and if the security processing result comprises sending processing, forwarding a second data message flowing out of the virtual machine according to the data destination address. Because the method carries out the whole-course safety protection on all the data streams entering and exiting the virtual machine, the potential safety hazard caused by bypassing the safety monitoring of the data is avoided, the safety protection is carried out on the data streams of the virtual platform, and the safety of the virtual system is improved.

Description

Virtual machine security management method, system, device, equipment and medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, a system, an apparatus, a device, and a medium for managing virtual machine security.
Background
The server system faces network virus and malware attacks. In a virtualized environment, the virtualization platform is paired with network security software so that, for virtualized servers and virtual desktops, possible malicious attacks from the intranet can be effectively prevented, thereby addressing network security problems in the virtual system such as preventing the release of network viruses, access control of network traffic, logical isolation of regions, and identifying and intercepting various flooding attacks.
In the related art, the monitored virtual-system traffic is determined through the operating system, security/antivirus software and a monitoring kernel protocol stack, and that monitored traffic is redirected to the security software for protection. In this approach, however, traffic that is not monitored can bypass the redirection and never reaches the security software, so blind spots in prevention and control cannot be avoided, potential security hazards remain, and the security of the virtual system is not high enough.
Disclosure of Invention
The embodiment of the application provides a virtual machine security management method, a system, a device, equipment and a medium, which are used for solving the problem that the security of a virtual system is not high enough in the prior art.
In a first aspect, an embodiment of the present application provides a method for security management of a virtual machine, where the method includes:
Acquiring a first data message entering a virtual machine, and performing security processing on the first data message;
if the safety processing result of the first data message comprises continuous processing, generating a second data message according to the first data message and a data destination address carried in the first data message;
performing security processing on the second data message;
and if the security processing result of the second data message comprises sending processing, forwarding the second data message flowing out of the virtual machine according to the data destination address.
In a second aspect, embodiments of the present application further provide a virtual machine security management system, where the virtual machine security management system includes a first virtual machine and a second virtual machine;
the first virtual machine is used for acquiring a first data message entering the first virtual machine and carrying out security processing on the first data message; if the safety processing result of the first data message comprises continuous processing, generating a second data message according to the first data message and a data destination address carried in the first data message; performing security processing on the second data message; if the security processing result of the second data message comprises sending processing, forwarding the second data message flowing out of the first virtual machine according to the data destination address;
And the second virtual machine is used for receiving the second data message.
In a third aspect, an embodiment of the present application further provides a virtual machine security management apparatus, where the apparatus includes:
the first processing module is used for acquiring a first data message entering the virtual machine and carrying out safety processing on the first data message;
the generation module is used for generating a second data message according to the first data message and the data destination address carried in the first data message if the safety processing result of the first data message comprises continuous processing;
the second processing module is also used for carrying out safety processing on the second data message;
and the sending module is used for forwarding the second data message flowing out of the virtual machine according to the data destination address if the security processing result of the second data message comprises sending processing.
In a fourth aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes at least a processor and a memory, where the processor is configured to implement the steps of the virtual machine security management method according to any one of the preceding claims when executing a computer program stored in the memory.
In a fifth aspect, embodiments of the present application further provide a computer readable storage medium storing a computer program, where the computer program when executed by a processor implements the steps of the virtual machine security management method according to any one of the above.
In the embodiment of the application, the first data message entering the virtual machine is acquired, and the first data message is safely processed; if the security processing result comprises continuous processing, generating a second data message according to the first data message and a data destination address carried in the first data message; performing security processing on the second data message; and if the security processing result comprises sending processing, forwarding a second data message flowing out of the virtual machine according to the data destination address. According to the method, the first data message entering the virtual machine and the second data message exiting the virtual machine are safely processed, namely, all data streams entering and exiting the virtual machine are safely protected in the whole process, potential safety hazards caused by bypassing safety monitoring of the data are avoided, so that the data streams of the virtual platform are safely protected, and the safety of a virtual system is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a virtual machine security management process according to some embodiments of the present application;
FIG. 2 is a block diagram of a software system for virtual machine security management according to some embodiments of the present application;
FIG. 3 is a schematic diagram of a security management flow of a virtual machine according to some embodiments of the present application;
FIG. 4 is a schematic diagram of a process for generating a second data message according to some embodiments of the present application;
FIG. 5 is a schematic structural diagram of a virtual machine security management system according to some embodiments of the present application;
FIG. 6 is a schematic structural diagram of a virtual machine security management apparatus according to some embodiments of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For purposes of clarity and implementation of the present application, the following description will make clear and complete descriptions of exemplary implementations of the present application with reference to the accompanying drawings in which exemplary implementations of the present application are illustrated, it being apparent that the exemplary implementations described are only some, but not all, of the examples of the present application.
It should be noted that the brief description of the terms in the present application is only for convenience in understanding the embodiments described below, and is not intended to limit the embodiments of the present application. Unless otherwise indicated, these terms should be construed in their ordinary and customary meaning.
The terms "first," "second," "third" and the like in the description, in the claims and in the above-described figures are used for distinguishing between similar objects or entities and not necessarily for limiting a particular order or sequence, unless otherwise indicated. It is to be understood that the terms so used are interchangeable under appropriate circumstances.
The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a product or apparatus that comprises a list of elements is not necessarily limited to all elements explicitly listed, but may include other elements not expressly listed or inherent to such product or apparatus.
The term "module" refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware or/and software code that is capable of performing the function associated with that element.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.
The foregoing description, for purposes of explanation, has been presented in conjunction with specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the embodiments to the precise forms disclosed above. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles and the practical application, to thereby enable others skilled in the art to best utilize the embodiments and various embodiments with various modifications as are suited to the particular use contemplated.
The embodiment of the application provides a virtual machine security management method, a system, a device, equipment and a medium, wherein the method acquires a first data message entering a virtual machine and carries out security processing on the first data message; if the security processing result comprises continuous processing, generating a second data message according to the first data message and a data destination address carried in the first data message; performing security processing on the second data message; and if the security processing result comprises sending processing, forwarding a second data message flowing out of the virtual machine according to the data destination address. According to the method, the first data message entering the virtual machine and the second data message exiting the virtual machine are safely processed, namely, all data streams entering and exiting the virtual machine are safely protected in the whole process, potential safety hazards caused by bypassing safety monitoring of the data are avoided, so that the data streams of the virtual platform are safely protected, and the safety of a virtual system is improved.
Example 1:
fig. 1 is a schematic diagram of a virtual machine security management process according to some embodiments of the present application, where the process includes:
S101: acquiring a first data message entering the virtual machine, and performing security processing on the first data message.
The virtual machine security management method provided by the embodiment of the application is applied to an electronic device that hosts the virtual machine and optionally has a physical network card. The electronic device may run a virtualization system that provides the software environment for the virtual machines, the virtual switch (Openvswitch) kernel, program execution and data processing used when managing virtual machine security.
The electronic device may obtain a first data packet from a data source, which may include a virtual machine or a physical network card, that enters the virtual machine.
The electronic device can perform security processing on the first data message entering the virtual machine, and determine a security processing result of the first data message, wherein the security processing result comprises continuous processing and message discarding. If there are a plurality of first data messages, the electronic device can perform security processing on all the first data messages. If the first data message is a safe data stream, determining a safe processing result as continuous processing; if the first data message is an unsafe data stream, determining the safe processing result as a discarded message, and ending the processing of the first data message.
The security processing includes, for example, network security data processing and/or anti-virus processing. The network security data processing may include access control, security domains, traffic audit, etc.; the anti-virus processing may include virus checking, etc. In particular, the security processing may process the first data message and/or the second data message based on a network security data processing engine and/or an anti-virus engine. Here, access control refers to preventing unauthorized access to any resource. A security domain is a logical region consisting of a set of systems that have the same security requirements and trust each other. Traffic audit dynamically monitors communication content, network behavior and network traffic in real time by collecting, analyzing and identifying network data, discovers and captures various kinds of sensitive information and illegal behavior, and raises alarm responses. Virus checking means running virus-checking software that detects whether memory, the boot sector (including the master boot record), the file system, the network and the like are infected with a known virus, and that can accurately report the name of any virus found.
Because all data streams entering the virtual machine are safely processed, no traffic which is not monitored exists, and the safety of the virtual system is improved.
S102: if the safety processing result of the first data message comprises continuous processing, generating a second data message according to the first data message and the data destination address carried in the first data message.
If the safety processing result of the first data message is that the processing is continued, determining a data destination address carried in the first data message according to the first data message, specifically, determining the data destination address carried in the first data message by analyzing a message header of the first data message.
According to the first data message and the data destination address carried in the first data message, the corresponding message action can be adopted to process the first data message, and a second data message is generated.
S103: and carrying out security processing on the second data message.
And carrying out security processing on the second data message, and determining a security processing result of the second data message, wherein the security processing result comprises sending processing and discarding the message. If the second data message is a safe data stream, determining that the safe processing result is transmission processing; if the second data message is an unsafe data stream, determining that the safe processing result is a discarded message, and ending the processing of the second data message.
S104: and if the security processing result of the second data message comprises sending processing, forwarding the second data message flowing out of the virtual machine according to the data destination address.
And if the security processing result of the second data message is that the second data message is sent, forwarding the second data message flowing out of the virtual machine according to the data destination address, and forwarding the second data message to a data destination corresponding to the data destination address. The data destination corresponding to the data destination address may include a virtual machine or a physical network card.
According to the method, the first data message entering the virtual machine and the second data message exiting the virtual machine are safely processed, namely, all data streams entering and exiting the virtual machine are safely protected in the whole process, potential safety hazards caused by bypassing safety monitoring of the data are avoided, so that the data streams of the virtual platform are safely protected, and the safety of a virtual system is improved.
Example 2:
based on the above embodiment, in the embodiment of the present application, generating, according to the first data packet and the data destination address, a second data packet includes:
according to the first data message, analyzing a message header of the first data message, and determining a data destination address in the message header;
Searching a message action corresponding to a message header in a pre-stored kernel flow table;
and processing the first data message according to the data destination address by adopting a message action to generate a second data message.
The header of the first data message may carry the data destination address, so that the data destination address may be determined in the header by parsing the header of the first data message. Specifically, the header of the first data packet includes: a source medium access control (Media Access Control, MAC) address, a destination MAC address, a source internet protocol (Internet Protocol, IP) address, a destination IP address, a protocol field, a source port, a destination port; wherein the port may comprise a transmission control protocol (Transmission Control Protocol, TCP) port number or a user datagram protocol (User Datagram Protocol, UDP) port number. The data destination address includes one or more of the following: destination MAC address, destination IP address, or destination port.
The electronic device (or the virtual machine on the electronic device) stores a kernel flow table in advance, and the kernel flow table stores the correspondence between message actions and message headers, so that the electronic device can match the message header against the information in the kernel flow table, determine a matching result and then carry out the corresponding processing according to the matching result. The kernel flow table may include an Openvswitch kernel flow table; the message action may include adding, deleting or modifying a message header, e.g. adding a message header may include adding a data destination address; matching the header against the information in the kernel flow table may mean determining whether the information included in the header is contained in the kernel flow table. If the information included in the message header is contained in the kernel flow table, the matching result is determined to be a match; if the information included in the message header is not contained in the kernel flow table, the matching result is determined to be no match.
The kernel flow table comprises the following components: the message input interface, the source MAC address, the destination MAC address, the source IP address, the destination IP address, the protocol field, the source port, the destination port and other matching fields and message actions.
The message action comprises adding a message header, and the message action can be used for adding a data destination address to the first data message so as to obtain a second data message, so that when the matching result is matching, the message action is adopted, and the data destination address is added to the first data message according to the data destination address so as to generate the second data message.
Example 3:
on the basis of the above embodiments, in an embodiment of the present application, the method further includes:
if the data destination address corresponding to the message header is not found in the kernel flow table, updating the kernel flow table according to the message header and a preset message action;
searching a message action corresponding to the message header in the updated kernel flow table;
and processing the first data message according to the data destination address by adopting a message action to generate a second data message.
When the matching result is no match, that is, when the data destination address corresponding to the message header is not found in the kernel flow table, the kernel flow table is updated according to the message header and data destination address of the first data message and a preset message action, and the electronic device (or the virtual machine on the electronic device) stores the updated kernel flow table. Specifically, the destination MAC address of the first data message is determined by parsing the header of the first data message, and the data destination address is looked up according to that destination MAC address, where the data destination address may include one or more of a destination MAC address, a destination IP address and a destination port. The message header, the data destination address and the preset message action of the first data message are then stored in the kernel flow table, so that the kernel flow table is updated to obtain an updated kernel flow table. The preset message action may include adding a message header, that is, adding a data destination address.
Because the corresponding relation between the message header and the message action of the first data message is stored in the updated kernel flow table, the message action corresponding to the message header can be searched in the updated kernel flow table; the message action determined in the updated core flow table at this time may be a preset message action, for example, but not limited to, adding the preset message action.
The preset message action can comprise adding a message header, and the message action can be used for adding a data destination address to the first data message so as to obtain a second data message, so that the message action is adopted, and the data destination address is added to the first data message according to the data destination address to generate the second data message.
Example 4:
Based on the above embodiments, the present application provides an architecture diagram of a software system for virtual machine security management based on a virtualization platform. As shown in fig. 2, the software system for virtual machine security management includes a source data extraction module, a security processing module, a security domain isolation module, an intermediate state control module, a redirection module and a user state module.
The virtualization system is used for providing a software environment for a virtual machine, an Openvswitch kernel, program running and data processing.
The source data extraction module is used for obtaining the first data message from the data source and forwarding the first data message to the security processing module. Wherein the data source includes a virtual machine or a physical network card. The source data extraction module streams the first data message to the security processing module.
The security processing module is connected to the source data extraction module and the intermediate state control module. It provides a network security data processing engine and an anti-virus engine and, based on these engines, performs security processing on the data messages steered to it and determines the security processing result. The data messages steered to it may be a first data message steered by the source data extraction module and/or a second data message steered by the intermediate state control module.
Specifically, the security processing module includes a network security data processing engine and an antivirus engine. The security processing module performs security processing on the first data message to obtain a first result; and the security processing module performs security processing on the second data message to obtain a second result. Security processing includes access control, security domain, traffic inspection, virus checking, and the like.
The security domain isolation module, for example, includes a kernel flow table. The method comprises the steps of receiving a first data message and a first result forwarded by a security processing module, discarding the first data message and ending the processing if the first result is a discarded message; if the first result is that the processing is continued, the security domain isolation module queries the kernel flow table according to the first data message to obtain a matching result and a second data message. The security domain isolation module is further configured to forward the second data packet to the intermediate state control module.
The intermediate state control module is used for draining the second data message to the security processing module.
The redirection module is configured to receive the second data packet forwarded by the security processing module and the second result, and send the second data packet, where the second result is the sending process, to the data destination; discarding the second data message with the second result being the discard message, and ending the processing. Wherein the data destination comprises a virtual machine or a physical network card.
The user mode module is used for performing user mode processing on the first data message when the matching result is unmatched. Specifically, the data destination address is found according to the destination MAC address of the first data packet, and the core flow table is updated based on the data destination address and the header of the first data packet.
Based on the software system for virtual machine security management shown in fig. 2, the virtual machine security management in the embodiment of the present application may specifically include the following processing flows, see fig. 3:
S301: the source data extraction module obtains a first data message from a data source and forwards it to the security processing module.
The data source may include a virtual machine or a physical network card.
Forwarding the first data message to the security processing module may include calling an application programming interface (API) provided by the Linux netfilter framework and steering the first data message to the security processing module.
S302: the security processing module performs security processing on the first data message and determines a first result.
The security processing module receives the first data message steered by the source data extraction module, performs security processing on it based on the network security data processing engine and the anti-virus engine, and determines a first result. Security processing may include access control, security domain checks, traffic auditing, virus checking and the like.
The first result is either "continue processing" or "discard message": if the first data message belongs to a safe data stream, the first result is "continue processing"; if it belongs to an unsafe data stream, the first result is "discard message".
S303: if the first result is "discard message", the first data message is discarded and processing ends; if the first result is "continue processing", the first data message is forwarded to the security domain isolation module, which queries the kernel flow table with the first data message and generates a second data message from the first data message and the data destination address.
The generation of the second data message is shown in fig. 4 and includes the following steps:
S401: if the first result is "continue processing", the header of the first data message is parsed and matched against the pre-stored kernel flow table to find the corresponding message action; this determines the matching result.
The header comprises: source MAC address, destination MAC address, source IP address, destination IP address, protocol field, source port (TCP or UDP port number) and destination port.
The kernel flow table comprises match fields (message input interface, source MAC address, destination MAC address, source IP address, destination IP address, protocol field, source port (TCP or UDP port number), destination port and so on) and a message action. The message action here is "add header", i.e. add a data destination address, which may comprise an IP address and/or a port address. The message action is used to add a data destination address to the first data message so as to generate the second data message.
S402: determine whether the matching result is "matched"; if so, execute S403; if not, execute S404.
The matching result is either "matched" or "unmatched": when the header of the first data message is contained in the kernel flow table, the matching result is "matched"; when it is not, the matching result is "unmatched".
S403: add a data destination address to the first data message to generate a second data message.
When the matching result is "matched", the message action corresponding to the first data message is determined from the kernel flow table, and a header is added to the first data message according to that action, i.e. a data destination address is added, so as to generate the second data message. In general a message action may add, delete or modify a header; adding a header may, for example, include adding a data destination address.
S404: forward the first data message to the user mode module.
The first data message is forwarded from the security domain isolation module to the user mode module.
S405: the user mode module looks up the data destination address from the destination MAC address of the first data message, and updates the kernel flow table with the data destination address and the header of the first data message.
Functionally, the user mode module looks up the data destination address and updates the kernel flow table with it. The user mode module sends a kernel flow table update instruction to the security domain isolation module, which updates the kernel flow table according to that instruction and obtains the updated kernel flow table.
Updating the kernel flow table may include adding the header and the preset message action to the kernel flow table.
S406: add a data destination address to the first data message to generate a second data message.
The updated kernel flow table now contains the header of the first data message and the preset message action. The message action corresponding to the header is looked up in the updated kernel flow table; since it may include adding a header, it can be applied to add the data destination address to the first data message and generate the second data message.
S304: the security domain isolation module forwards the second data message to the intermediate state control module, which forwards it to the security processing module.
Forwarding the second data message from the intermediate state control module to the security processing module may include calling an API provided by the Linux netfilter framework and steering the second data message to the security processing module.
S305: the security processing module performs security processing on the second data message and determines a second result.
The security processing module receives the second data message steered by the intermediate state control module, performs security processing on it based on the network security data processing engine and the anti-virus engine, and determines a second result. Security processing may include access control, security domain checks, traffic auditing, virus checking and the like.
The second result is either "sending processing" or "discard message": if the second data message belongs to a safe data stream, the second result is "sending processing"; if it belongs to an unsafe data stream, the second result is "discard message".
S306: if the second result is "discard message", the second data message is discarded and processing ends; if the second result is "sending processing", the second data message is forwarded to the redirection module, which sends it to the data destination corresponding to the data destination address.
The data destination corresponding to the data destination address may be a virtual machine or a physical network card.
With this method, network security controls such as fine-grained access control based on state inspection and security domain isolation of the virtual system are applied to virtual machine traffic, and protective measures such as intrusion detection, traffic auditing, access control and the identification and interception of various flooding attacks are implemented on the virtual system host and virtual machine side in a cloud virtualization scenario, providing higher security for the virtual system.
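The following simulation of the S301-S306 pipeline, including the fig. 4 fast-path match and user-mode miss path, is an added illustration written for this page and not code from the patent. The kernel flow table, the MAC-to-destination lookup, the access-control rules standing in for the two security engines, and every address and payload are constructed assumptions.

```python
"""Added simulation of S301-S306 and the fig. 4 kernel flow table path.
Not the patent's code: the flow table, user-mode MAC lookup, "security
engines" and all addresses/rules are constructed stand-ins."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

CONTINUE, DROP, SEND = "continue", "drop", "send"   # first / second results
Dest = Tuple[str, int]                               # (IP address, port address)


@dataclass(frozen=True)
class Header:
    """Match fields of the kernel flow table (S401 / header of the message)."""
    in_port: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Message:
    header: Header
    payload: bytes
    dest_addr: Optional[Dest] = None   # filled in by the "add header" action


# Constructed user-mode view (stand-in for the S405 lookup): dst MAC -> destination.
USER_MODE_MAC_TABLE: Dict[str, Dest] = {
    "02:00:00:00:00:02": ("10.0.0.2", 6081),    # a second VM's virtual port
    "02:00:00:00:00:99": ("192.168.1.1", 0),    # the physical network card
}


class KernelFlowTable:
    """Exact-match table: header -> message action (destination to add)."""

    def __init__(self) -> None:
        self.entries: Dict[Header, Dest] = {}
        self.misses = 0                        # how often user mode was needed

    def lookup(self, hdr: Header) -> Optional[Dest]:
        return self.entries.get(hdr)           # S401/S402: matched or unmatched

    def update(self, hdr: Header, dest: Dest) -> None:
        self.entries[hdr] = dest               # S405: install header + action


def user_mode_resolve(hdr: Header) -> Optional[Dest]:
    """S405: user mode finds the destination from the destination MAC."""
    return USER_MODE_MAC_TABLE.get(hdr.dst_mac)


# Constructed policy standing in for the security and anti-virus engines.
BLOCKED_SRC_IPS = {"10.0.0.66"}
BLOCKED_DST_PORTS = {23}                 # no delivery to telnet on any VM
MALWARE_MARKER = b"EICAR-TEST"           # stand-in for a signature hit


def security_first(msg: Message) -> str:
    """S302: inspect the inbound first message -> CONTINUE or DROP."""
    if msg.header.src_ip in BLOCKED_SRC_IPS or MALWARE_MARKER in msg.payload:
        return DROP
    return CONTINUE


def security_second(msg: Message) -> str:
    """S305: re-inspect the second message, now carrying its destination."""
    return DROP if msg.header.dst_port in BLOCKED_DST_PORTS else SEND


def generate_second(table: KernelFlowTable, msg: Message) -> Optional[Message]:
    """Fig. 4 (S401-S406): fast-path match, or user-mode miss that installs a flow."""
    dest = table.lookup(msg.header)
    if dest is None:                           # S404: unmatched -> user mode
        table.misses += 1
        dest = user_mode_resolve(msg.header)   # S405
        if dest is None:                       # assumption: unknown MAC -> no flow
            return None
        table.update(msg.header, dest)         # S405: kernel flow table updated
    return replace(msg, dest_addr=dest)        # S403/S406: add destination address


def process(table: KernelFlowTable, first: Message) -> Tuple[str, Optional[Message]]:
    """S301-S306 end to end: returns (final verdict, second message or None)."""
    if security_first(first) == DROP:          # S303: discard, processing ends
        return DROP, None
    second = generate_second(table, first)     # S303 + fig. 4
    if second is None or security_second(second) == DROP:   # S306
        return DROP, None
    return SEND, second                        # S306: redirection module sends it


if __name__ == "__main__":   # constructed run: miss -> install flow -> SEND
    t = KernelFlowTable()
    h = Header("vnet0", "02:00:00:00:00:01", "02:00:00:00:00:02",
               "10.0.0.1", "10.0.0.2", "tcp", 40000, 443)
    print(process(t, Message(h, b"GET / HTTP/1.1")), t.misses)
```

Note that a flow is installed by the miss path before the second inspection runs, so a message dropped at S306 still leaves its entry in the table; the second-stage check, not the flow table, is what prevents delivery.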
Example 5:
Based on the same concept, fig. 5 is a schematic structural diagram of a virtual machine security management system according to an embodiment of the present application. The virtual machine security management system includes a first virtual machine 501 and a second virtual machine 502.
The first virtual machine 501 is configured to obtain a first data message entering the first virtual machine and perform security processing on it; if the security processing result of the first data message includes "continue processing", to generate a second data message from the first data message and the data destination address carried in it; to perform security processing on the second data message; and, if the security processing result of the second data message includes "sending processing", to forward the second data message leaving the first virtual machine according to the data destination address.
The second virtual machine 502 is configured to receive the second data message.
The first virtual machine 501 is specifically configured to parse the header of the first data message and determine the data destination address in the header; look up the message action corresponding to the header in the pre-stored kernel flow table; and process the first data message with that message action according to the data destination address to generate the second data message.
The first virtual machine 501 is further configured, if no data destination address corresponding to the header is found in the kernel flow table, to update the kernel flow table with the header and a preset message action; look up the message action corresponding to the header in the updated kernel flow table; and process the first data message with that message action according to the data destination address to generate the second data message.
Security processing includes network security data processing and/or anti-virus processing.
Example 6:
Based on the same technical concept and on the above embodiments, the present application provides a virtual machine security management apparatus. Fig. 6 is a schematic structural diagram of the virtual machine security management apparatus provided in some embodiments of the present application; as shown in fig. 6, the apparatus includes:
a first processing module 601, configured to obtain a first data message entering the virtual machine and perform security processing on it;
a generating module 602, configured to generate a second data message from the first data message and the data destination address carried in it if the security processing result of the first data message includes "continue processing";
a second processing module 603, configured to perform security processing on the second data message;
a sending module 604, configured to forward the second data message leaving the virtual machine according to the data destination address if the security processing result of the second data message includes "sending processing".
In a possible implementation, the generating module 602 is specifically configured to parse the header of the first data message and determine the data destination address in the header; look up the message action corresponding to the header in the pre-stored kernel flow table; and process the first data message with that message action according to the data destination address to generate the second data message.
In a possible implementation, the generating module 602 is further configured, if no data destination address corresponding to the header is found in the kernel flow table, to update the kernel flow table with the header and a preset message action; look up the message action corresponding to the header in the updated kernel flow table; and process the first data message with that message action according to the data destination address to generate the second data message.
In a possible implementation, security processing includes network security data processing and/or anti-virus processing.
Example 9:
Based on the same technical concept, the present application further provides an electronic device. Fig. 7 is a schematic structural diagram of the electronic device provided in the embodiment of the present application; as shown in fig. 7, it includes a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 communicate with each other over the communication bus 704.
The memory 703 stores a computer program which, when executed by the processor 701, causes the processor 701 to perform the following steps:
obtaining a first data message entering a virtual machine and performing security processing on it;
if the security processing result of the first data message includes "continue processing", generating a second data message from the first data message and the data destination address carried in it;
performing security processing on the second data message;
and, if the security processing result of the second data message includes "sending processing", forwarding the second data message leaving the virtual machine according to the data destination address.
In a possible implementation, the processor 701 is specifically configured to parse the header of the first data message and determine the data destination address in the header; look up the message action corresponding to the header in the pre-stored kernel flow table; and process the first data message with that message action according to the data destination address to generate the second data message.
In a possible implementation, the processor 701 is further configured, if no data destination address corresponding to the header is found in the kernel flow table, to update the kernel flow table with the header and a preset message action; look up the message action corresponding to the header in the updated kernel flow table; and process the first data message with that message action according to the data destination address to generate the second data message.
In a possible implementation, security processing includes network security data processing and/or anti-virus processing.
The communication bus of the above electronic device may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one bold line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface 702 is used for communication between the above electronic device and other devices.
The memory may include RAM (Random Access Memory) or NVM (Non-Volatile Memory), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, an NP (Network Processor) and the like; it may also be a DSP (Digital Signal Processor), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components or the like.
Example 10:
Based on the same technical idea, the embodiments of the present application provide a computer-readable storage medium storing a computer program executable by an electronic device which, when run on the electronic device, causes the electronic device to perform the following steps:
obtaining a first data message entering a virtual machine and performing security processing on it;
if the security processing result of the first data message includes "continue processing", generating a second data message from the first data message and the data destination address carried in it;
performing security processing on the second data message;
and, if the security processing result of the second data message includes "sending processing", forwarding the second data message leaving the virtual machine according to the data destination address.
In a possible implementation, generating the second data message from the first data message and the data destination address includes:
parsing the header of the first data message and determining the data destination address in the header;
looking up the message action corresponding to the header in a pre-stored kernel flow table;
and processing the first data message with that message action according to the data destination address to generate the second data message.
In a possible embodiment, the method further comprises:
if no data destination address corresponding to the header is found in the kernel flow table, updating the kernel flow table with the header and a preset message action;
looking up the message action corresponding to the header in the updated kernel flow table;
and processing the first data message with that message action according to the data destination address to generate the second data message.
In a possible implementation, security processing includes network security data processing and/or anti-virus processing.
The computer-readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memories such as floppy disks, hard disks, magnetic tapes and magneto-optical disks (MO), optical memories such as CD, DVD, BD and HVD, and semiconductor memories such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH) and solid state disks (SSD).
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method for virtual machine security management, the method comprising:
acquiring a first data message entering the virtual machine, and performing security processing on the first data message;
if the security processing result of the first data message comprises continuing processing, generating a second data message according to the first data message and a data destination address carried in the first data message;
performing security processing on the second data message;
and if the security processing result of the second data message comprises sending processing, forwarding the second data message flowing out of the virtual machine according to the data destination address.
2. The method of claim 1, wherein generating a second data message from the first data message and the data destination address comprises:
parsing a message header of the first data message according to the first data message, and determining a data destination address in the message header;
searching a message action corresponding to the message header in a pre-stored kernel flow table;
and processing the first data message according to the data destination address by adopting the message action to generate the second data message.
3. The method according to claim 2, wherein the method further comprises:
if the data destination address corresponding to the message header is not found in the kernel flow table, updating the kernel flow table according to the message header and a preset message action;
searching a message action corresponding to the message header in the updated kernel flow table;
and processing the first data message according to the data destination address by adopting the message action to generate the second data message.
4. A method according to any of claims 1-3, characterized in that the security processing comprises network security data processing and/or anti-virus processing.
5. A virtual machine security management system, characterized in that it comprises a first virtual machine and a second virtual machine;
the first virtual machine is used for acquiring the first data message entering the first virtual machine and carrying out security processing on the first data message; if the security processing result of the first data message comprises continuing processing, generating a second data message according to the first data message and a data destination address carried in the first data message; performing security processing on the second data message; if the security processing result of the second data message comprises sending processing, forwarding the second data message flowing out of the first virtual machine according to the data destination address;
The second virtual machine is configured to receive the second data packet.
6. The system of claim 5, wherein the first virtual machine is specifically configured to parse a header of the first data packet according to the first data packet, and determine a data destination address in the header; searching a message action corresponding to the message header in a pre-stored kernel flow table; and processing the first data message according to the data destination address by adopting the message action to generate the second data message.
7. The system of claim 6, wherein the first virtual machine is further configured to update the core flow table according to the header and a preset message action if the data destination address corresponding to the header is not found in the core flow table; searching a message action corresponding to the message header in the updated kernel flow table; and processing the first data message according to the data destination address by adopting the message action to generate the second data message.
8. A virtual machine security management apparatus, the apparatus comprising:
The first processing module is used for acquiring a first data message entering the virtual machine and carrying out security processing on the first data message;
the generation module is used for generating a second data message according to the first data message and the data destination address carried in the first data message if the security processing result of the first data message comprises continuing processing;
the second processing module is used for carrying out safety processing on the second data message;
and the sending module is used for forwarding the second data message flowing out of the virtual machine according to the data destination address if the security processing result of the second data message comprises sending processing.
9. An electronic device comprising at least a processor and a memory, wherein the processor is configured to implement the steps of a virtual machine security management method according to any of claims 1-4 when executing a computer program stored in the memory.
10. A computer storage medium, characterized in that it stores a computer program executable by an electronic device, which when run on said electronic device causes said electronic device to perform the steps of a virtual machine security management method according to any of claims 1-4.
CN202310086647.XA 2023-01-19 2023-01-19 Virtual machine security management method, system, device, equipment and medium Pending CN116450283A (en)

Publications (1)

Publication Number Publication Date
CN116450283A true CN116450283A (en) 2023-07-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination