CN101465770B - Method for deploying an intrusion detection system - Google Patents


Info

Publication number: CN101465770B
Application number: CN2009100762324A
Authority: CN (China)
Other versions: CN101465770A (pre-grant publication)
Other languages: Chinese (zh)
Prior art keywords: virtual machine, intrusion detection, virtual, abnormal, switch
Inventors: 李建欣, 怀进鹏, 李博, 李沁, 陈阳, 胡春明
Original and current assignee: Beihang University (as listed by Google Patents; the listing is not legally verified)
Legal status: Expired - Fee Related (as listed by Google Patents; an assumption, not a legal conclusion)
Events: application filed by Beihang University; priority claimed to CN2009100762324A; publication of CN101465770A; application granted; publication of CN101465770B; status now Expired - Fee Related

Classification (Google Patents landscape): Data Exchanges In Wide-Area Networks
Abstract

The invention relates to a method for deploying an intrusion detection system (IDS). An anomaly monitoring module monitors the virtual machines and identifies an abnormal one; when an abnormality is identified, it instructs a deployment actuator to start and run an intrusion detection virtual machine locally; the deployment actuator obtains the identifier of the abnormal virtual machine from the anomaly monitoring module and, according to that identifier, sets up the connection between the virtual switch and the intrusion detection virtual machine; the virtual switch then delivers the packets sent to or from the abnormal virtual machine to the intrusion detection virtual machine through a dedicated detection virtual network card, where they are analysed for intrusions. Built on virtual machine technology, the method makes IDS deployment flexible: it identifies abnormal virtual machines by monitoring their anomaly values and starts the intrusion detection virtual machine in a targeted way to inspect the packets that the abnormal virtual machine exchanges. The IDS can thus be deployed more flexibly in a network system, which reduces the detection load and improves detection accuracy and efficiency.

Description

Method for deploying an intrusion detection system
Technical field
The present invention relates to techniques for deploying intrusion detection systems, and in particular to a method for deploying an intrusion detection system based on virtual machines.
Background
Intrusion Detection Systems (hereinafter IDS) have been successfully applied in the network environments of governments, enterprises and large companies and, as an important component of network security, play a very important role. An IDS mainly comprises functional modules such as sensors, an intrusion analysis module, an intrusion response module and a management console. In operation, the sensors capture raw packets from the network and pass them to the intrusion analysis module, which searches them for traces of intrusion and other sensitive information and hands the results to the intrusion response module and the management console so that the intrusion can be responded to. At present, how to deploy an IDS so that it detects intrusions and attacks accurately and efficiently is the key to its success.
Most IDS products on the market today combine hardware and software. The key to deploying an IDS in a network is the placement of its sensors: a hardware sensor must be placed at a critical network egress or on a segment that needs close monitoring, and how it is deployed depends on the organization and structure of the network. In a shared-medium network, where the computers share a link, a sensor can directly hear every packet on the segment. In the switched networks that are now widely used, several problems arise. If the switching equipment supports port mirroring, the packets flowing to each port can be copied to a monitoring port to which the sensor is directly connected, but this can significantly degrade the performance of the switch; if the switch does not support mirroring, extra equipment must be added and the network topology changed, for example by using a hub to obtain a shared-medium listening mode, or by using a network TAP device to analyse and process the packets of the switched network. In addition, some specific IDS products, for example "Cisco IDS", build their sensors into "Cisco" routers and firewall products.
Another factor that decides whether an IDS deployment succeeds is the position of the IDS in the network. By deployment position, the following modes can be distinguished:
(1) Perimeter protection: in most networks, perimeter protection means that the IDS is deployed on the link between the local area network (LAN) and the Internet, so that every connection to the Internet is monitored.
(2) Connections to business partners, i.e. extranets: the IDS is deployed between the local LAN and the business partner's LAN, and the sensor monitors the data flowing on the link between the two. If either LAN has a security vulnerability, the other becomes vulnerable as well.
(3) Deployment on key segments of the internal network: the greater part of the losses caused by network attacks comes from attacks launched inside the organization. Deploying an IDS on key segments, for example the network portals of the research and development department or the finance department, effectively monitors the data flow between different departmental networks.
In addition, an IDS is usually used together with a firewall. According to the position of the IDS relative to the firewall, there are three deployment modes:
(1) Deployment outside the firewall: the sensor can monitor all attacks coming from the Internet and can protect the devices in the demilitarized zone (DMZ) while also protecting the firewall itself. The drawbacks are that the IDS directly faces the entire inbound traffic, which greatly increases its load, and that it is exposed to direct attack.
(2) Deployment inside the firewall: the IDS can concentrate on the attacks that penetrate the firewall and on attacks originating inside the LAN, and the administrator can see clearly which attacks really threaten the network.
(3) Deployment both inside and outside the firewall: all internal and external attacks can be detected, but at a substantially higher cost.
From the above it can be seen that current IDS deployment has several problems:
First, the vast majority of current IDS are hardware-based products, which are costly and neither convenient nor flexible to deploy.
Second, the way an IDS is deployed depends on the concrete network topology. In a shared-medium network the IDS can directly monitor all traffic, but the sharing itself raises the security risk: any computer connected to the network need only set its network card to promiscuous mode to observe other computers' packets, and can equally intercept the IDS's alert messages. In a switched network there are problems such as the need for extra hardware support, reduced performance and changes to the topology.
Third, with the continuous growth of Internet services the network scale of companies and enterprises keeps expanding; a single deployment mode such as inside the firewall, outside the firewall or perimeter protection can no longer meet the needs of intrusion detection, while multi-position, all-round deployment inevitably brings high cost. Because the network is large, the IDS often faces huge traffic, which on the one hand greatly increases its workload and on the other hand makes it difficult to distinguish normal traffic from malicious attacks.
Finally, once deployed the position of an IDS is fixed; it is difficult to adjust the monitoring scope dynamically and impossible to detect suspicious traffic and intrusion behaviour in a targeted way, so the false-positive and false-negative rates are too high, which greatly reduces the accuracy and efficiency of the IDS.
Summary of the invention
The purpose of the invention is to provide a method for deploying an intrusion detection system that improves the flexibility of IDS deployment and the accuracy and efficiency of intrusion detection.
To achieve this, the invention provides a method for deploying an intrusion detection system, comprising:
Step 10: an anomaly monitoring module monitors the anomaly values of each virtual machine to identify an abnormal virtual machine;
Step 20: when the anomaly monitoring module identifies an abnormal virtual machine, it instructs a deployment actuator to start and run an intrusion detection virtual machine locally;
Step 30: the deployment actuator obtains the identifier of the abnormal virtual machine from the anomaly monitoring module and, according to that identifier, sets up the connection between the virtual switch and the intrusion detection virtual machine;
Step 40: the virtual switch delivers the packets destined to or originating from the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card on that machine, for intrusion detection analysis.
From the above technical scheme it can be seen that the invention uses virtual machine technology to make IDS deployment flexible: it identifies the abnormal virtual machine by monitoring the anomaly values of the virtual machines, and then starts the intrusion detection virtual machine in a targeted way to inspect the packets that the abnormal machine transmits. The scheme makes IDS deployment in a network system more flexible; because the monitoring scope can be adjusted, the intrusion detection load is reduced and detection is well targeted, so accuracy and efficiency are improved.
Description of the drawings
Fig. 1 is a schematic structural diagram of the virtual machine system on which the method of the present invention is based;
Fig. 2 is a flow chart of the first embodiment of the method;
Fig. 3 is a schematic structural diagram of the virtual machine system on which the first embodiment is based;
Fig. 4 is a flow chart of starting and running the intrusion detection virtual machine in the first embodiment;
Fig. 5 is a schematic diagram of the packet transmission path in the first embodiment;
Fig. 6 is a flow chart of the second embodiment of the method;
Fig. 7 is a schematic diagram of the packet transmission path in the second embodiment;
Fig. 8 is a flow chart of the third embodiment of the method;
Fig. 9 is a flow chart of the fourth embodiment of the method;
Fig. 10 is a flow chart of the fifth embodiment of the method.
Embodiments
The method of the present invention is implemented on the basis of virtual machine technology and can be realized by installing virtual machine software such as "vmware" or "xen" on the computer on which the IDS is to be deployed. Virtual machine technology uses software to simulate a computer system with a complete set of hardware functions. The software in question is the virtual machine monitor (hereinafter VMM), which encapsulates, isolates, monitors and manages multiple virtual machine instances, so that several types of operating system can run independently on the same physical computer without conflicting with one another. Virtual machine technology also provides a new way to distribute and deploy software: by packaging software in a virtual machine image and using virtual machine deployment and migration, software can be flexibly distributed and deployed across a network. Fig. 1 shows the structure of the virtual machine system on which the method is based. The system resides in a physical computer and comprises a VMM 300 installed on the hardware layer 400 and the virtual machines 100 connected to the virtual switch 303 of the VMM 300. The virtual switch 303 is a network interconnection device implemented in software with the same functions as a hardware switch. Each virtual machine 100 is configured with an ordinary virtual network card 101, which connects through the virtual switch 303 to the physical network to exchange packets. Besides the virtual switch 303 and the other original modules, an anomaly monitoring module 301 and a deployment actuator 302 are added to the VMM 300. The anomaly monitoring module 301 is connected to each virtual machine 100 to monitor its state, and to the deployment actuator 302 so that it can instruct the actuator to carry out the relevant deployment operations. The method of the present invention deploys the intrusion detection system on the basis of virtual machine technology and thereby realizes intrusion detection for this computer system.
The invention is described in further detail below through specific embodiments with reference to the accompanying drawings.
First embodiment of the method for deploying an intrusion detection system
Fig. 2 is a flow chart of the first embodiment. The method of this embodiment can be implemented on the virtual machine system described above and comprises the following basic steps:
Step 10: the anomaly monitoring module monitors the anomaly values of each virtual machine to identify an abnormal virtual machine;
Step 20: when the anomaly monitoring module identifies an abnormal virtual machine, it instructs the deployment actuator to start and run the intrusion detection virtual machine locally. As shown in Fig. 3, the intrusion detection virtual machine 200 is itself a virtual machine with an IDS installed on it. By configuring parameters in its startup file, the system of the intrusion detection virtual machine 200 is set to load the IDS at boot, so that when the intrusion detection virtual machine 200 starts, the IDS starts as well. The intrusion detection virtual machine 200 has two virtual network cards. One is an ordinary virtual network card 101, used, as on any ordinary virtual machine, to exchange the machine's own packets with the virtual switch 303 for normal network communication; the IDS's control information and the alerts it generates when it detects an attack are all transmitted through this ordinary virtual network card 101. The other is the dedicated detection virtual network card 202, used exclusively to carry the packets to be inspected: any network packet delivered to the detection virtual network card 202 is inspected and analysed by the IDS on the intrusion detection virtual machine 200;
Step 30: the deployment actuator obtains the identifier of the recognized abnormal virtual machine from the anomaly monitoring module and, according to that identifier, sets up the connection between the virtual switch and the intrusion detection virtual machine;
Step 40: the virtual switch delivers the packets destined to or originating from the abnormal virtual machine to the intrusion detection virtual machine through the detection virtual network card on that machine for intrusion detection analysis, so that the packets exchanged by the abnormal virtual machine are inspected.
In this embodiment, the steps are implemented as follows:
Step 10. The VMM, as a core component of the virtual machine software, can monitor in real time parameters such as the CPU usage, memory usage and network bandwidth occupancy of the virtual machines running on it. Because network attacks and intrusions are often accompanied by phenomena such as excessive CPU load and exhaustion of network bandwidth, in step 10 of this embodiment the anomaly monitoring module in the VMM can judge from the real-time running data provided by the VMM whether an abnormal virtual machine exists and whether an intrusion detection virtual machine needs to be deployed. The anomaly monitoring module can identify an abnormal virtual machine in several ways; for example, any one of, or any combination of, the CPU usage, memory usage and network bandwidth occupancy of a virtual machine can be monitored as its anomaly value, and the virtual machine is judged abnormal when the monitored anomaly value reaches a set threshold. Concretely, a preferred implementation of step 10 performs the following steps:
Step a10: the VMM collects the running data of the current virtual machines in real time, mainly parameters such as CPU usage, memory usage and network bandwidth occupancy;
Step a11: the anomaly monitoring module monitors the collected CPU usage, memory usage and network bandwidth occupancy of each virtual machine respectively;
Step a12: when the anomaly monitoring module observes that any of the CPU usage, memory usage or network bandwidth occupancy reaches its set threshold, it identifies the corresponding virtual machine as an abnormal virtual machine.
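Steps a10 to a12 as an added, runnable illustration in Python; this is not code from the patent, and the VM names, the three thresholds and the polling readings are constructed here. It flags a machine on the first reading that reaches a threshold, as step a12 describes, and additionally shows a debounce over consecutive readings, which the patent does not mention but which a practitioner would want before starting a detection VM on a single spike:

```python
"""Anomaly monitoring module, steps a10-a12 (added example, not the patent's code).
The VM names, thresholds and polling readings are constructed; a real VMM would supply
them (Xen's xentop, for instance, reports CPU, memory and network counters per domain)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Sample:
    """One reading of a virtual machine's running data (step a10), all in percent."""
    vm_id: str
    cpu: float   # CPU usage
    mem: float   # memory usage
    net: float   # network bandwidth occupancy


@dataclass
class AnomalyMonitor:
    """Identifies a VM as abnormal when any monitored value reaches its threshold."""
    thresholds: Dict[str, float]
    # Readings in a row that must breach before the VM is flagged.  The patent
    # flags on a single reading (consecutive=1); a larger value is an added
    # debounce so that one spike does not start the detection VM.
    consecutive: int = 1
    _streak: Dict[str, int] = field(default_factory=dict)

    def breached(self, s: Sample) -> List[str]:
        """Step a11: the monitored metrics of this reading that reached their threshold."""
        values = {"cpu": s.cpu, "mem": s.mem, "net": s.net}
        return [m for m, t in self.thresholds.items() if values[m] >= t]

    def observe(self, s: Sample) -> Optional[List[str]]:
        """Step a12: the breached metrics if the VM is now abnormal, else None."""
        hits = self.breached(s)
        if not hits:
            self._streak[s.vm_id] = 0
            return None
        self._streak[s.vm_id] = self._streak.get(s.vm_id, 0) + 1
        return hits if self._streak[s.vm_id] >= self.consecutive else None


def scan(monitor: AnomalyMonitor, samples: List[Sample]) -> Dict[str, List[str]]:
    """Feed time-ordered readings; return {vm_id: metrics} for every VM identified
    as abnormal (the identifier is what step 30 hands to the deployment actuator)."""
    abnormal: Dict[str, List[str]] = {}
    for s in samples:
        hits = monitor.observe(s)
        if hits:
            abnormal.setdefault(s.vm_id, hits)
    return abnormal


# Constructed readings for three VMs over three polling intervals: "web2" has a
# sustained bandwidth surge, "db1" a single CPU spike, "web1" stays quiet.
SAMPLES = [
    Sample("web1", 12.0, 40.0, 5.0), Sample("web2", 35.0, 50.0, 97.0), Sample("db1", 96.0, 60.0, 8.0),
    Sample("web1", 15.0, 41.0, 6.0), Sample("web2", 38.0, 51.0, 99.0), Sample("db1", 30.0, 60.0, 7.0),
    Sample("web1", 11.0, 41.0, 4.0), Sample("web2", 40.0, 52.0, 98.0), Sample("db1", 28.0, 61.0, 9.0),
]
THRESHOLDS = {"cpu": 90.0, "mem": 90.0, "net": 95.0}   # assumed values


if __name__ == "__main__":
    print(scan(AnomalyMonitor(THRESHOLDS), SAMPLES))                  # {'web2': ['net'], 'db1': ['cpu']}
    print(scan(AnomalyMonitor(THRESHOLDS, consecutive=2), SAMPLES))   # {'web2': ['net']}
```

One caveat the text leaves implicit: the trigger is resource consumption, so an intrusion that stays quiet (a low-rate scan, a backdoor idling until it is used) never raises the anomaly value and never gets a detection VM; the thresholds decide what the IDS ever sees. The rule above is "any metric at or above its threshold", as in step a12; a combination rule (for example CPU and bandwidth together) is a one-line change in breached().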
Step 20. After an abnormal virtual machine is identified, the anomaly monitoring module instructs the deployment actuator to start the intrusion detection virtual machine. A preferred implementation of step 20 is as follows (Fig. 4 is the flow chart of starting and running the intrusion detection virtual machine in the first embodiment):
Step 21: when the anomaly monitoring module identifies an abnormal virtual machine, it instructs the deployment actuator to query whether an intrusion detection virtual machine exists in the local system; if so, step 22 is performed, otherwise step 23;
Step 22: the deployment actuator judges whether the local intrusion detection virtual machine is running; if so, step 30 is performed; if not, the intrusion detection virtual machine is started and then step 30 is performed;
Step 23: the deployment actuator obtains the intrusion detection virtual machine image file;
Step 24: the deployment actuator starts and runs the intrusion detection virtual machine locally from the image file.
In this preferred implementation of step 20 the deployment actuator determines the concrete state of the intrusion detection virtual machine: whether it exists and, if so, whether it is running. A dedicated storage space can be set aside in the system for the intrusion detection virtual machine image; a virtual machine image is the disk file that encapsulates the whole operating system, including the other system files and the intrusion detection system files. The deployment actuator can determine whether an intrusion detection virtual machine exists by checking whether the image file is present in this dedicated storage space. If it exists, a built-in command of the VMM can be used to determine whether the intrusion detection virtual machine is running.
The image file may be stored locally in advance, but is preferably stored on a network file server from which any virtual machine system that needs it can download it. In that case step 23, in which the deployment actuator obtains the image file, is specifically: the deployment actuator downloads the image file from the network file server into the local dedicated storage space and saves it in a local directory. A concrete network configuration is shown in Fig. 3: the deployment actuator 302 connects to the physical network through the I/O port of the hardware layer and thus to the network file server 500, from which it downloads the image file.
The image file is stored on the network file server in advance. It is prepared by packaging the intrusion detection system in a virtual machine image, which mainly involves two operations: creating a static virtual machine image that contains the intrusion detection system, and generating the configuration file for that image. The image and its configuration file together form the intrusion detection virtual machine image file.
A preferred concrete way of generating the virtual machine image comprises the following steps:
Step a01: create an image file in the standard format required by the virtual machine software;
Step a02: install an operating system on another computer, and install the IDS in it in a minimal configuration;
Step a03: copy all files of that operating system, together with the IDS, into the standard-format image file;
Step a04: modify the startup files of the operating system so that the intrusion detection virtual machine loads the IDS automatically at boot;
Step a05: in the operating system, add a network card to serve as the dedicated detection virtual network card by modifying the network card configuration; it is used only by the IDS, to monitor the packets transmitted by the abnormal virtual machine.
A preferred concrete way of generating the configuration file comprises the following steps:
Step b01: configure the basic information of the intrusion detection virtual machine, i.e. the information indispensable for starting a virtual machine, such as the virtual machine name and the disk information;
Step b02: configure the network information of the intrusion detection virtual machine, which sets the connection information of the ordinary virtual network card and of the detection virtual network card; the network configuration is closely tied to how the intrusion detection virtual machine is deployed. The ordinary virtual network card connects to the virtual switch for the communication of the intrusion detection virtual machine itself, while the detection virtual network card receives the network traffic that needs to be monitored.
Accordingly, step 24, in which the deployment actuator starts the intrusion detection virtual machine locally from the image file, can specifically be:
Step 241: the deployment actuator first starts the intrusion detection virtual machine according to the basic information in the configuration file contained in the image file;
Step 242: according to the network information in the configuration file, the deployment actuator brings up the ordinary virtual network card and the detection virtual network card of the intrusion detection virtual machine and connects each of them to the virtual switch, which can specifically be done in bridge mode. Because the detection virtual network card is dedicated to the IDS, any network traffic delivered to it from then on is inspected by the IDS.
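The Fig. 4 flow (steps 21 to 24) together with the start-up of steps 241 and 242, as an added example in Python; it is not the patent's code. It assumes Xen as the VMM, so that the "built-in command" of step 22 is `xl list` and step 24 is `xl create` on the configuration file of steps b01/b02; it assumes a caller-supplied function that copies the image and configuration from the file server, and it uses constructed stand-ins for both the file server and `xl` so that it runs offline. The SHA-256 check of the downloaded disk image is an addition the patent does not describe: an image pulled from a file server at detection time becomes part of the trusted computing base the moment it boots, so its integrity should be verified against a value obtained out of band.

```python
"""Deployment actuator for steps 21-24 and 241-242 (added example, not the patent's code).
Assumed, not from the patent: the VMM is Xen, running VMs are read from `xl list`, the
image file (disk image + config, steps b01/b02) is copied from a file server by a
caller-supplied function, and the downloaded disk image is checked against a SHA-256."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, List

IDS_VM_NAME = "ids-vm"                      # assumed `name =` in the Xen config file
IMAGE_FILES = ("ids-vm.img", "ids-vm.cfg")  # disk image and its configuration file


def parse_xl_list(output: str) -> List[str]:
    """Domain names in `xl list` output; the first line is the column header."""
    return [line.split()[0] for line in output.splitlines()[1:] if line.strip()]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()   # stream this for real images


class DeploymentActuator:
    def __init__(self, store: Path, fetch: Callable[[str, Path], None],
                 expected_sha256: str, run: Callable[[List[str]], str]):
        self.store = store          # dedicated storage space for the image file
        self.fetch = fetch          # fetch(name, dest): copy one file from the file server
        self.expected_sha256 = expected_sha256
        self.run = run              # run(argv) -> stdout of a VMM command such as `xl`

    def image_present(self) -> bool:
        """Step 21: an IDS VM exists locally if image and config are in the store."""
        return all((self.store / f).exists() for f in IMAGE_FILES)

    def is_running(self) -> bool:
        """Step 22: ask the VMM (`xl list`) whether the IDS VM is running."""
        return IDS_VM_NAME in parse_xl_list(self.run(["xl", "list"]))

    def obtain_image(self) -> None:
        """Step 23: download into the store, then verify the disk image."""
        self.store.mkdir(parents=True, exist_ok=True)
        for f in IMAGE_FILES:
            self.fetch(f, self.store / f)
        got = sha256_of(self.store / IMAGE_FILES[0])
        if got != self.expected_sha256:
            shutil.rmtree(self.store)   # never boot an image that failed verification
            raise RuntimeError(f"IDS image checksum mismatch: {got}")

    def start(self) -> None:
        """Steps 24/241/242: `xl create` boots the VM from its config file, whose
        vif entries attach the ordinary and the detection NIC to their bridges."""
        self.run(["xl", "create", str(self.store / IMAGE_FILES[1])])

    def ensure_running(self) -> str:
        """The Fig. 4 decision flow; returns the branch that was taken."""
        if not self.image_present():
            self.obtain_image()
            self.start()
            return "downloaded-and-started"
        if self.is_running():
            return "already-running"
        self.start()
        return "started-existing"


# Constructed stand-ins so the example runs offline: a directory plays the file
# server and a closure plays `xl`.  The `xl list` output format is Xen's.
XL_LIST_HEADER = "Name        ID   Mem VCPUs State Time(s)\nDomain-0     0  1024     2 r-----  120.4\n"


def demo(tamper: bool = False) -> List[str]:
    """Runs the actuator three times; with tamper=True the download is corrupted."""
    tmp = Path(tempfile.mkdtemp())
    server = tmp / "server"
    server.mkdir()
    (server / "ids-vm.img").write_bytes(b"constructed IDS disk image")
    (server / "ids-vm.cfg").write_text('name = "ids-vm"\nvif = ["bridge=xenbr0", "bridge=xenbr-ids"]\n')
    running: List[str] = []

    def fetch(name: str, dest: Path) -> None:
        if tamper and name.endswith(".img"):
            dest.write_bytes(b"something else")   # simulates a corrupted or substituted download
        else:
            shutil.copy(server / name, dest)

    def run(argv: List[str]) -> str:
        if argv[:2] == ["xl", "create"]:
            running.append(IDS_VM_NAME)
            return ""
        return XL_LIST_HEADER + "".join(f"{n}  7  256  1 -b----  0.0\n" for n in running)

    act = DeploymentActuator(tmp / "store", fetch, sha256_of(server / "ids-vm.img"), run)
    try:
        taken = [act.ensure_running()]       # no image yet: download, verify, boot
        running.clear()                      # pretend the IDS VM was shut down
        taken.append(act.ensure_running())   # image present but not running: boot
        taken.append(act.ensure_running())   # present and running: nothing to do
    except RuntimeError:
        taken = ["checksum-rejected"]
    finally:
        shutil.rmtree(tmp)
    return taken
```

The `vif` line in the constructed configuration is where step 242 lives on Xen: the first entry is the ordinary network card on the ordinary bridge, the second the detection network card on the dedicated bridge, and both are attached in bridge mode when the domain is created.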
Step 30. When the deployment actuator starts the intrusion detection virtual machine after an abnormal virtual machine has been identified, it can also obtain the identifier of the abnormal virtual machine from the anomaly monitoring module and send it to the virtual switch, telling the switch which virtual machine's network traffic must be monitored, so that the switch can change the forwarding of the packets associated with that machine in the subsequent steps. In this embodiment the connection between the virtual switch and the intrusion detection virtual machine can be set up with a mirror port, in which case step 30 specifically comprises:
Step a31: the deployment actuator obtains the identifier of the abnormal virtual machine from the anomaly monitoring module and sends it to the local ordinary virtual switch;
Step a32: according to that identifier, the ordinary virtual switch opens a mirror port and connects it to the detection virtual network card on the intrusion detection virtual machine; the mirror port is used exclusively to copy the packets destined to or originating from the abnormal virtual machine and deliver them to the detection virtual network card.
Step 40. This step relies mainly on the cooperation between the virtual switch and the detection virtual network card to deliver the packets destined to or originating from the abnormal virtual machine to the intrusion detection virtual machine for inspection and analysis. Specifically, a mirror port of the virtual switch can be used. This works like the traffic-mirroring port of a hardware switch: a mirror port is opened on the switch and associated with a designated monitored port; whenever the monitored port sends or receives a packet, every packet passing through it is copied to the mirror port and delivered to the device connected to the mirror port. The transmission path of the packets destined to or originating from the abnormal virtual machine within the virtual machine system is shown by the arrows in Fig. 5, and step 40 specifically comprises:
Step a41: the ordinary virtual switch, acting as the virtual switch, copies the packets destined to or originating from the abnormal virtual machine to the mirror port and sends them to the detection virtual network card, and thus to the intrusion detection virtual machine, for intrusion detection analysis.
Afterwards, if the detection result is normal, the virtual switch sends the packet to the abnormal virtual machine or to the network along the normal path. As can be seen from Fig. 5, the virtual machines in the virtual machine system are connected through one virtual switch, which is connected to the external network. When the virtual switch receives a network packet it forwards it to the destination virtual machine; the other virtual machines do not receive it.
This embodiment realizes the flexible deployment of the intrusion detection system on the basis of virtual machine technology: by monitoring the anomaly values of the virtual machines it identifies the abnormal virtual machine and then starts the intrusion detection virtual machine in a targeted way to inspect the packets that machine transmits. This makes IDS deployment in a network system more flexible; because the monitoring scope can be adjusted, the intrusion detection load is reduced and detection is well targeted, which improves accuracy and efficiency.
Method for disposing inbreak detection system second embodiment
Figure 6 shows that the flow chart of method for disposing inbreak detection system second embodiment of the present invention.The difference of present embodiment and above-mentioned first embodiment is: adopt another kind of mode to transmit the message of abnormal virtual machine, this mode can be described as two virtual switch modes, promptly in VMM, increase the particular virtual switch of an intruding detection system newly, specific implementation form in " Linux " is a bridge, original virtual switch is common virtual switch, the Microsoft Loopback Adapter of abnormal virtual machine is added this particular virtual switch can realize monitoring.Then step 30 is specially and carries out following step:
Step b31, deployment actuator are obtained the abnormal virtual machine sign from the abnormal monitoring module, and the abnormal virtual machine sign is sent to local common virtual switch and particular virtual switch;
Step b32, common virtual switch set up with intrusion detection virtual machine on being connected of common Microsoft Loopback Adapter, and being connected of cancellation and abnormal virtual machine, the particular virtual switch is set up and being connected of detection particular virtual network interface card, and being connected of foundation and abnormal virtual machine.
Subsequently, in step 40, the step in which the virtual switch sends packets addressed to the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card on the intrusion detection virtual machine, for intrusion detection analysis, is specifically as shown in Fig. 6 and comprises:
Step b41: the virtual switch is the common virtual switch; when the common virtual switch receives from the network a packet addressed to the abnormal virtual machine, it sends the packet to the intrusion detection virtual machine;
Step b42: the intrusion detection virtual machine sends the packets found to be normal by detection to the dedicated virtual switch through the dedicated detection virtual network card;
Step b43: the dedicated virtual switch sends the received packet to the abnormal virtual machine.
In step 40, the step in which the virtual switch sends packets coming from the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card on the intrusion detection virtual machine, for intrusion detection analysis, specifically comprises:
Step c41: the virtual switch is the dedicated virtual switch; when the dedicated virtual switch receives a packet from the abnormal virtual machine, it sends the packet to the intrusion detection virtual machine through the dedicated detection virtual network card;
Step c42: the intrusion detection virtual machine sends the packets found to be normal by detection to the common virtual switch;
Step c43: the common virtual switch sends the received packet to the network.
The transmission path of packets addressed to the abnormal virtual machine is shown by the direction of the arrows in Fig. 7; the transmission path of packets coming from the abnormal virtual machine is the reverse of the arrows in Fig. 7. There is no required order between processing the packets addressed to and the packets coming from the abnormal virtual machine; the two can be handled concurrently.
In this embodiment, every packet addressed to or coming from the abnormal virtual machine flows through the intrusion detection virtual machine, so all of them can be detected and analyzed. In this dual virtual switch mode the intrusion detection virtual machine takes on the role of a router, so its route forwarding function must be enabled when the intrusion detection virtual machine is run; in a Linux system this corresponds to setting the "ip-forward" parameter.
This embodiment sends the packets transmitted by the abnormal virtual machine to the intrusion detection virtual machine for detection by adding a dedicated virtual switch, which is simple to implement. The scheme of this embodiment makes IDS deployment more flexible and avoids the constraint of changing the network topology; it targets the abnormal system to be monitored, helps reduce the traffic to be detected, lowers the system burden, and improves the accuracy and efficiency of detection.
Third embodiment of the intrusion detection system deployment method
Fig. 8 is a flowchart of the third embodiment of the intrusion detection system deployment method of the present invention. This embodiment can be based on the foregoing embodiments; the difference is that step 10 specifically comprises the following steps:
Step b11: the abnormality monitoring module mounts the virtual disk file of each virtual machine, computes the hash values of the critical system files in the virtual disk file, and saves them in the cache of the abnormality monitoring module;
Step b12: after a set time period has elapsed, the abnormality monitoring module recomputes the hash values of the critical system files and compares the recomputed hash values with the cached hash values;
Step b13: when the abnormality monitoring module finds that the comparison result is inconsistent, it identifies the corresponding virtual machine as an abnormal virtual machine.
In practice, while intruding into a computer system an attacker usually leaves a backdoor in order to re-enter or remotely control the host later; the most common way is to modify critical system files, for example the registry under Windows, or "/etc/passwd" and "/etc/shadow" under Linux. Against such intrusion behavior, the abnormality monitoring module checks these critical system files regularly, and if a file is found to have changed, the virtual machine is identified as abnormal.
The method above is one way of judging whether a virtual machine is abnormal in this embodiment; the ways of judging whether a virtual machine is abnormal are not limited to the two procedures of steps a10~a12 and b11~b13 above, and other parameter values of the virtual machine that merit attention can also be detected. The above ways can be adopted independently or combined as conditions for identifying the abnormal virtual machine.
The scheme of this embodiment can dynamically and flexibly identify the virtual machines that require intrusion detection analysis and deploy the intrusion detection system to detect them in a targeted way, which avoids the problems of excessive detected traffic and excessive load on the intrusion detection system and can effectively improve alarm accuracy.
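The critical-file check of steps b11~b13, as an added example that is not the patent's own code: a model of the abnormality monitoring module that hashes a fixed list of critical files inside an already mounted disk image directory, caches the digests, and flags the virtual machine as abnormal when a later recomputation differs. The mount directory, the file list and the modification in the demo are constructed; a real module would mount the virtual disk file first.

```python
"""Constructed example of the hash-based critical-file check (steps b11-b13)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# Linux examples named in the text; relative to the mounted disk image root.
CRITICAL_FILES = ["etc/passwd", "etc/shadow"]


def sha256_file(path: str) -> Optional[str]:
    """SHA-256 digest of a file, or None if it does not exist in the image."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AbnormalityMonitor:
    """Hypothetical abnormality monitoring module (file-integrity part only)."""

    def __init__(self) -> None:
        # Step b11 cache: vm_id -> {relative path: digest or None}
        self.cache: Dict[str, Dict[str, Optional[str]]] = {}
        self.abnormal: set = set()

    def _snapshot(self, mount_dir: str) -> Dict[str, Optional[str]]:
        return {rel: sha256_file(os.path.join(mount_dir, rel))
                for rel in CRITICAL_FILES}

    def baseline(self, vm_id: str, mount_dir: str) -> None:
        """Step b11: hash the critical files of the mounted disk and cache them."""
        self.cache[vm_id] = self._snapshot(mount_dir)

    def check(self, vm_id: str, mount_dir: str) -> List[str]:
        """Steps b12/b13: recompute after the set period and compare with
        the cache.  Returns the critical files whose digest changed (a file
        that appeared or disappeared also counts as changed)."""
        current = self._snapshot(mount_dir)
        changed = [rel for rel in CRITICAL_FILES
                   if current[rel] != self.cache[vm_id][rel]]
        if changed:
            self.abnormal.add(vm_id)      # identified as an abnormal VM
        return changed


def demo() -> dict:
    """Constructed scenario: a fake mounted disk whose etc/passwd is
    modified between two periodic checks of the same VM."""
    with tempfile.TemporaryDirectory() as mount:
        os.makedirs(os.path.join(mount, "etc"))
        for rel in CRITICAL_FILES:
            with open(os.path.join(mount, rel), "w") as f:
                f.write("root:x:0:0:root:/root:/bin/sh\n")
        mon = AbnormalityMonitor()
        mon.baseline("vm-1", mount)
        unchanged = mon.check("vm-1", mount)       # nothing changed yet
        with open(os.path.join(mount, "etc/passwd"), "a") as f:
            f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")  # constructed change
        changed = mon.check("vm-1", mount)
        return {"first": unchanged, "second": changed,
                "abnormal": sorted(mon.abnormal)}


if __name__ == "__main__":
    print(demo())
```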
Fourth embodiment of the intrusion detection system deployment method
Fig. 9 is a flowchart of the fourth embodiment of the intrusion detection system deployment method of the present invention. For an abnormal virtual machine monitored by the IDS, if no intrusion event is found within a designated time interval, monitoring of the abnormal virtual machine can be cancelled, i.e. the IDS is un-deployed. This embodiment can be based on the scheme of the first embodiment; for the mode that opens a mirror port, the following steps are further included after step a41:
Step a51: after the intrusion detection virtual machine is running, the abnormality monitoring module starts a timer and resets the timer to zero whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step a52: the abnormality monitoring module judges whether the timer has reached the set time value; if so, step a53 is executed; if not, timing continues and step a52 is executed again;
Step a53: the abnormality monitoring module instructs the deployment actuator to send monitoring cancellation messages to the virtual switch and to the intrusion detection virtual machine respectively, so as to close the mirror port of the virtual switch, i.e. to stop copying the corresponding traffic when it arrives at the virtual switch. At the same time the intrusion detection virtual machine is stopped.
This embodiment cancels intrusion detection in a blocking manner: if no alarm message is received from the intrusion detection virtual machine within the specified time interval, for example 1 minute, the deployment actuator is notified to cancel monitoring.
The scheme of this embodiment can not only flexibly deploy the IDS on the basis of virtual machine technology, but can also flexibly un-deploy it and cancel IDS detection, which reduces the unnecessary detection burden and improves system efficiency.
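The alarm-reset timer of steps a51~a53 (the same logic is reused in steps b51~b53 of the fifth embodiment), as an added example that is not the patent's own code. The clock is injected so the timer can be driven deterministically, the 60-second limit is the "1 minute" interval given above, and the cancel callback stands in for the deployment actuator; all names are constructed.

```python
"""Constructed example of the un-deployment timer (steps a51-a53)."""
from typing import Callable, List


class UndeployTimer:
    """Tracks how long the IDS VM has been quiet about one abnormal VM."""

    def __init__(self, vm_id: str, limit_seconds: float,
                 now: Callable[[], float],
                 cancel: Callable[[str], None]) -> None:
        self.vm_id = vm_id
        self.limit = limit_seconds
        self.now = now                       # injected clock (hypothetical)
        self.cancel = cancel                 # stands in for the deployment actuator
        self.started_at: float = now()       # step a51: start when the IDS VM runs
        self.active = True
        self.alarms: List[str] = []

    def on_alarm(self, message: str) -> None:
        """Alarm message from the IDS VM: record it and reset the timer (step a51)."""
        if not self.active:
            return
        self.alarms.append(message)
        self.started_at = self.now()

    def elapsed(self) -> float:
        return self.now() - self.started_at

    def tick(self) -> bool:
        """Step a52: True (and monitoring cancelled, step a53) once the quiet
        period reaches the limit; otherwise keep timing and return False."""
        if not self.active:
            return False
        if self.elapsed() >= self.limit:
            self.active = False
            self.cancel(self.vm_id)          # actuator closes the mirror port, stops the IDS VM
            return True
        return False


class FakeClock:
    """Deterministic clock for the demo."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    cancelled: List[str] = []
    timer = UndeployTimer("vm-2", 60.0, clock, cancelled.append)
    clock.advance(45)
    first = timer.tick()                       # 45 s quiet: keep monitoring
    timer.on_alarm("alert: suspicious traffic")  # constructed alarm resets the timer
    clock.advance(45)
    second = timer.tick()                      # only 45 s since the alarm: keep monitoring
    clock.advance(15)
    third = timer.tick()                       # 60 s quiet: cancel monitoring
    clock.advance(100)
    fourth = timer.tick()                      # already cancelled: no second cancel
    return {"ticks": [first, second, third, fourth],
            "cancelled": cancelled, "alarms": len(timer.alarms)}


if __name__ == "__main__":
    print(demo())
```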
Fifth embodiment of the intrusion detection system deployment method
Fig. 10 is a flowchart of the fifth embodiment of the intrusion detection system deployment method of the present invention. This embodiment can be based on the scheme of the second embodiment; for the dual virtual switch mode, the following steps are further included after step b43:
Step b51: after the intrusion detection virtual machine is running, the abnormality monitoring module starts a timer and resets the timer to zero whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step b52: the abnormality monitoring module judges whether the timer has reached the set time; if so, step b53 is executed; if not, timing continues and step b52 is executed again;
Step b53: the abnormality monitoring module instructs the deployment actuator to send monitoring cancellation messages to the common virtual switch and the dedicated virtual switch respectively;
Step b54: the common virtual switch removes its connection with the common virtual network card of the intrusion detection virtual machine and establishes a connection with the abnormal virtual machine; the dedicated virtual switch removes its connection with the dedicated detection virtual network card and removes its connection with the abnormal virtual machine; and the intrusion detection virtual machine is stopped.
In this embodiment, when the deployment actuator is instructed to cancel monitoring, it can send monitoring cancellation messages to the common virtual switch and the dedicated virtual switch respectively, notifying them to remove the two virtual network cards of the intrusion detection virtual machine; then the virtual network card of the abnormal virtual machine is moved from the dedicated virtual switch back to the common virtual switch, restoring the original network structure shown in Fig. 1, after which the intrusion detection virtual machine can be shut down.
The scheme of this embodiment can not only flexibly deploy the IDS on the basis of virtual machine technology, but can also flexibly un-deploy it and cancel IDS detection, which reduces the unnecessary detection burden and improves system efficiency.
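The dual virtual switch mode of the second embodiment (steps b31/b32 and the b41~b43 and c41~c43 paths) together with its tear-down in step b54, as an added example that is not the patent's own code. It models the two virtual switches as port sets, routes each packet through the IDS VM only while the abnormal VM sits on the dedicated switch, and also shows what happens when the IDS VM's forwarding flag (the "ip-forward" parameter mentioned above) is left off. VM names, the inspect callback and the packet format are constructed.

```python
"""Constructed model of the dual virtual switch mode (deploy, forward, undeploy)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # VM name, or "net" for the external network
    dst: str
    payload: str


@dataclass
class IdsVm:
    """IDS VM with its two virtual NICs; ip_forward models the Linux
    forwarding parameter that the router role requires."""
    inspect: Callable[[Packet], bool]      # True = packet judged normal
    ip_forward: bool = True
    alerts: List[Packet] = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet may continue to the next switch."""
        if not self.inspect(pkt):
            self.alerts.append(pkt)        # steps b42/c42: only normal packets pass
            return False
        return self.ip_forward             # without forwarding the packet stalls


class DualSwitchHost:
    """One VMM host: common vswitch, dedicated vswitch, IDS VM, guest VMs."""

    def __init__(self, vms: List[str], ids: IdsVm) -> None:
        self.ids = ids
        self.common_ports: set = set(vms)   # VMs attached to the common vswitch
        self.special_ports: set = set()     # VMs attached to the dedicated vswitch
        self.ids_on_common = False          # IDS common NIC attached?
        self.ids_on_special = False         # IDS detection NIC attached?
        self.abnormal: Optional[str] = None
        self.delivered: Dict[str, List[Packet]] = {v: [] for v in vms}
        self.delivered["net"] = []

    def deploy(self, abnormal_vm: str) -> None:
        """Steps b31/b32: rewire the abnormal VM behind the IDS VM."""
        self.abnormal = abnormal_vm
        self.ids_on_common = True
        self.common_ports.discard(abnormal_vm)
        self.ids_on_special = True
        self.special_ports.add(abnormal_vm)

    def undeploy(self) -> None:
        """Step b54: remove the IDS NICs and move the VM back (Fig. 1 layout)."""
        if self.abnormal is None:
            return
        self.ids_on_common = False
        self.ids_on_special = False
        self.special_ports.discard(self.abnormal)
        self.common_ports.add(self.abnormal)
        self.abnormal = None

    def _deliver(self, pkt: Packet) -> List[str]:
        self.delivered[pkt.dst].append(pkt)
        return [pkt.dst]

    def send(self, pkt: Packet) -> List[str]:
        """Simulate one packet and return the hops it traversed."""
        path: List[str] = []
        if pkt.src == "net" or pkt.src in self.common_ports:
            path.append("common-vswitch")                   # b41 / c43
            if pkt.dst == "net" or pkt.dst in self.common_ports:
                return path + self._deliver(pkt)
            if pkt.dst in self.special_ports and self.ids_on_common:
                path.append("ids-vm")
                if not self.ids.forward(pkt):
                    return path + ["dropped"]
                path.append("special-vswitch")              # b43
                return path + self._deliver(pkt)
            return path + ["dropped"]
        if pkt.src in self.special_ports and self.ids_on_special:
            path += ["special-vswitch", "ids-vm"]           # c41
            if not self.ids.forward(pkt):
                return path + ["dropped"]
            path.append("common-vswitch")                   # c42 / c43
            return path + self._deliver(pkt)
        return ["dropped"]


def demo() -> dict:
    ids = IdsVm(inspect=lambda p: "malicious" not in p.payload)
    host = DualSwitchHost(["vm1", "vm2"], ids)
    before = host.send(Packet("net", "vm2", "hello"))
    host.deploy("vm2")                                       # vm2 flagged abnormal
    inbound = host.send(Packet("net", "vm2", "hello"))
    outbound = host.send(Packet("vm2", "net", "reply"))
    bad = host.send(Packet("net", "vm2", "malicious payload"))  # constructed
    ids.ip_forward = False                                   # forwarding left off
    stalled = host.send(Packet("net", "vm2", "hello"))
    ids.ip_forward = True
    host.undeploy()
    after = host.send(Packet("net", "vm2", "hello"))
    return {"before": before, "inbound": inbound, "outbound": outbound,
            "bad": bad, "stalled": stalled, "after": after,
            "alerts": len(ids.alerts), "vm2_received": len(host.delivered["vm2"])}


if __name__ == "__main__":
    print(demo())
```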
The present invention proposes an intrusion detection system deployment method that uses virtual machine technology. Compared with traditional deployment methods, it has the following features and advantages:
(1) A software deployment mode is adopted: the intrusion detection system is packaged in a virtual machine image, and the dynamic and flexible deployment of virtual machines is used to deploy the intrusion detection system on demand.
(2) A virtual switch is used to connect the IDS and the monitored system, unifying the way the IDS is deployed in the network and solving problems of the former deployment ways such as the need for additional hardware support and changes to the topology.
(3) An automatic deployment mechanism is introduced: the load of the virtual machines and the network conditions in the system are monitored in real time, and when suspicious behavior is found the IDS is deployed dynamically; the whole process needs no manual intervention, the monitoring scope can be adjusted adaptively, and malicious traffic and intrusion behavior are detected in a targeted way, improving detection efficiency and accuracy.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disk.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An intrusion detection system deployment method, characterized in that it comprises:
Step 10: an abnormality monitoring module monitors the abnormality value of each virtual machine to identify an abnormal virtual machine;
Step 20: when the abnormality monitoring module identifies an abnormal virtual machine, it instructs a deployment actuator to start and run an intrusion detection virtual machine locally;
Step 30: the deployment actuator obtains the abnormal virtual machine identifier from the abnormality monitoring module and, according to the abnormal virtual machine identifier, sets up the connection between a virtual switch and the intrusion detection virtual machine;
Step 40: the virtual switch sends packets addressed to or coming from the abnormal virtual machine to the intrusion detection virtual machine through a dedicated detection virtual network card on the intrusion detection virtual machine, for intrusion detection analysis.
2. The intrusion detection system deployment method according to claim 1, characterized in that step 10 specifically comprises:
Step a11: the abnormality monitoring module monitors the CPU usage, memory usage and network bandwidth usage of each virtual machine respectively;
Step a12: when the abnormality monitoring module observes that any of the CPU usage, memory usage and network bandwidth usage reaches a set threshold, it identifies the corresponding virtual machine as an abnormal virtual machine.
3. The intrusion detection system deployment method according to claim 1, characterized in that step 10 specifically comprises:
Step b11: the abnormality monitoring module mounts the virtual disk file of each virtual machine, computes the hash values of the critical system files in the virtual disk file, and saves them in a cache;
Step b12: after a set time period has elapsed, the abnormality monitoring module recomputes the hash values of the critical system files and compares the recomputed hash values with the cached hash values;
Step b13: when the abnormality monitoring module finds that the comparison result is inconsistent, it identifies the corresponding virtual machine as an abnormal virtual machine.
4. The intrusion detection system deployment method according to claim 1, characterized in that step 20 specifically comprises:
Step 21: when the abnormality monitoring module identifies an abnormal virtual machine, it instructs the deployment actuator to query whether an intrusion detection virtual machine exists in the local system; if so, step 22 is executed; if not, step 23 is executed;
Step 22: the deployment actuator judges whether the local intrusion detection virtual machine is running; if so, step 30 is executed; if not, the intrusion detection virtual machine is started and run, and step 30 is executed;
Step 23: the deployment actuator obtains an intrusion detection virtual machine image file locally or from a network file server;
Step 24: the deployment actuator starts and runs the intrusion detection virtual machine locally according to the intrusion detection virtual machine image file.
5. The intrusion detection system deployment method according to claim 4, characterized in that step 24 specifically comprises:
Step 241: the deployment actuator starts the intrusion detection virtual machine according to the basic information in the configuration file contained in the intrusion detection virtual machine image file;
Step 242: the deployment actuator starts the common virtual network card and the dedicated detection virtual network card on the intrusion detection virtual machine respectively, and connects each into the virtual switch according to the network configuration information in the configuration file.
6. The intrusion detection system deployment method according to claim 1, characterized in that:
the virtual switch comprises a common virtual switch, and step 30 specifically comprises:
Step a31: the deployment actuator obtains the abnormal virtual machine identifier from the abnormality monitoring module and sends the abnormal virtual machine identifier to the local common virtual switch;
Step a32: the common virtual switch opens a mirror port according to the abnormal virtual machine identifier and establishes a connection between the mirror port and the dedicated detection virtual network card on the intrusion detection virtual machine, the mirror port being used to copy packets addressed to or coming from the abnormal virtual machine and transfer them to the dedicated detection virtual network card;
and step 40 specifically comprises:
Step a41: the common virtual switch copies the packets addressed to or coming from the abnormal virtual machine to the mirror port and sends them to the dedicated detection virtual network card, thereby sending them to the intrusion detection virtual machine for intrusion detection analysis.
7. The intrusion detection system deployment method according to claim 6, characterized in that it further comprises, after step a41:
Step a51: after the intrusion detection virtual machine is running, the abnormality monitoring module starts a timer and resets the timer to zero whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step a52: the abnormality monitoring module judges whether the timer has reached the set time value; if so, step a53 is executed;
Step a53: the abnormality monitoring module instructs the deployment actuator to send monitoring cancellation messages to the common virtual switch and to the intrusion detection virtual machine respectively, so as to close the mirror port of the common virtual switch and stop the intrusion detection virtual machine.
8. The intrusion detection system deployment method according to claim 1, characterized in that the virtual switch comprises a common virtual switch and a dedicated virtual switch, and step 30 specifically comprises:
Step b31: the deployment actuator obtains the abnormal virtual machine identifier from the abnormality monitoring module and sends the abnormal virtual machine identifier to the local common virtual switch and dedicated virtual switch;
Step b32: the common virtual switch establishes a connection with the common virtual network card of the intrusion detection virtual machine and removes its connection with the abnormal virtual machine; the dedicated virtual switch establishes a connection with the dedicated detection virtual network card and establishes a connection with the abnormal virtual machine.
9. The intrusion detection system deployment method according to claim 8, characterized in that:
in step 40, the step in which the virtual switch sends packets addressed to the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card on the intrusion detection virtual machine, for intrusion detection analysis, specifically comprises:
Step b41: the virtual switch is the common virtual switch; when the common virtual switch receives from the network a packet addressed to the abnormal virtual machine, it sends the packet to the intrusion detection virtual machine;
Step b42: the intrusion detection virtual machine sends the packets found to be normal by detection to the dedicated virtual switch through the dedicated detection virtual network card;
Step b43: the dedicated virtual switch sends the received packet to the abnormal virtual machine;
and in step 40, the step in which the virtual switch sends packets coming from the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card on the intrusion detection virtual machine, for intrusion detection analysis, specifically comprises:
Step c41: the virtual switch is the dedicated virtual switch; when the dedicated virtual switch receives a packet from the abnormal virtual machine, it sends the packet to the intrusion detection virtual machine through the dedicated detection virtual network card;
Step c42: the intrusion detection virtual machine sends the packets found to be normal by detection to the common virtual switch;
Step c43: the common virtual switch sends the received packet to the network.
10. The intrusion detection system deployment method according to claim 9, characterized in that it further comprises, after step b43:
Step b51: after the intrusion detection virtual machine is running, the abnormality monitoring module starts a timer and resets the timer to zero whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step b52: the abnormality monitoring module judges whether the timer has reached the set time; if so, step b53 is executed;
Step b53: the abnormality monitoring module instructs the deployment actuator to send monitoring cancellation messages to the common virtual switch and the dedicated virtual switch respectively;
Step b54: the common virtual switch removes its connection with the common virtual network card of the intrusion detection virtual machine and establishes a connection with the abnormal virtual machine; the dedicated virtual switch removes its connection with the dedicated detection virtual network card and removes its connection with the abnormal virtual machine; and the intrusion detection virtual machine is stopped.
Application CN2009100762324A, priority date 2009-01-06, filing date 2009-01-06: Method for disposing inbreak detection system; granted as CN101465770B (en); status: Expired - Fee Related.


Publications (2)

Publication Number Publication Date
CN101465770A CN101465770A (en) 2009-06-24
CN101465770B true CN101465770B (en) 2011-04-06



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110406

Termination date: 20140106