CN101465770B - Method for disposing inbreak detection system - Google Patents
- Publication number: CN101465770B
- Authority: CN (China)
- Prior art keywords: virtual machine, intrusion detection, virtual, abnormal, switch
- Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to an intrusion detection system deployment method, comprising: an anomaly monitoring module monitors the virtual machines and identifies an abnormal virtual machine; when an abnormality is identified, it instructs a deployment actuator to start and run an intrusion detection virtual machine locally; the deployment actuator obtains the abnormal virtual machine's identifier from the anomaly monitoring module and, according to that identifier, establishes a connection between the virtual switch and the intrusion detection virtual machine; and the virtual switch sends the messages destined for or originating from the abnormal virtual machine to the intrusion detection virtual machine through a dedicated detection virtual network card, where they undergo intrusion detection analysis. Based on virtual machine technology, the method realizes flexible deployment of the intrusion detection system: it identifies the abnormal virtual machine by monitoring the abnormality values of the virtual machines, so that the intrusion detection virtual machine is started in a targeted way to perform intrusion detection on the messages the abnormal virtual machine transmits. The intrusion detection system can thus be deployed more flexibly in the network system, which reduces the intrusion detection load and improves detection accuracy and efficiency.
Description
Technical field
The present invention relates to intrusion detection system deployment techniques, and in particular to a virtual-machine-based method for deploying an intrusion detection system.
Background technology
Intrusion detection systems (hereinafter IDS) have been applied successfully in the network environments of governments, enterprises and major companies, and as an important component of network security they play a very important role. An IDS mainly comprises functional modules such as sensors, an intrusion analysis module, an intrusion response module and a management console. In operation, the sensors capture the raw data packets (messages) on the network and pass them to the intrusion analysis module, which looks for traces of intrusion and other sensitive information and provides them to the intrusion response module and the management console to complete the response to the intrusion. At present, how an IDS is deployed is the key to whether it succeeds in detecting intrusions and attacks accurately and efficiently.
At present, most IDS products on the market are a combination of hardware and software. The key to deploying an IDS in a network is the deployment of its sensors: hardware sensors must be placed at critical network egress points and on the segments that need close monitoring, and the way they are deployed depends on the organization and structure of the network. In a shared-medium network, where the computers share a network link, a sensor can directly listen to all packets in the segment. In the widely used switched networks, however, a number of problems arise. If the switching equipment supports port mirroring, the packets flowing to each port can be copied to a monitoring port to which the sensor is directly connected, but this greatly affects the performance of the switching equipment; if the switching equipment does not support mirroring, extra devices must be added to the network and the topology changed, for example by adopting a shared-medium listening mode through a hub, or by analysing and processing the packets of the switched network through a splitter (TAP) device. In addition, some specific IDS products, for example "Cisco IDS", usually have their sensors built into "Cisco" routers and firewall products.
Another factor that influences whether an IDS deployment succeeds is the position of the IDS in the network. According to the deployment position, the following modes can be distinguished:
(1) Boundary protection: in most networks, boundary protection means that the IDS is deployed on the link between the local area network (LAN) and the Internet, so that every connection to the Internet is monitored.
(2) Connections to business partners, i.e. extranets: the IDS is deployed between the local LAN and the business partner's LAN, and the sensor monitors the data flowing on the link between the two LANs. This is necessary because if either LAN has security vulnerabilities, the other LAN also becomes vulnerable.
(3) IDS deployed on key segments of the internal network: the overwhelming majority of losses from network attacks come from attacks carried out inside the organization. Deploying an IDS at the network entry of key departments, for example the research and development department or the finance department, effectively monitors the data flows between the networks of different departments.
In addition, an IDS is usually used together with a firewall. According to the relationship between the deployment positions of the IDS and the firewall, the IDS can be deployed in the following three ways:
(1) Deployed outside the firewall: this arrangement lets the sensor monitor all attacks from the Internet, effectively protects the devices installed in the demilitarized zone (DMZ) from attack and at the same time protects the firewall itself. The disadvantage is that the IDS directly faces all traffic entering the network, which greatly increases its own load, and it is also exposed to the danger of direct attack;
(2) Deployed inside the firewall: this lets the IDS concentrate on the attacks that penetrate the firewall and the attacks originating inside the LAN, and the administrator can see clearly which attacks really constitute a threat to their own network;
(3) Deployed both inside and outside the firewall: all attacks from inside and outside can be detected, but the cost increases significantly.
From the above introduction it can be seen that current IDS deployment has a number of problems:
First, the overwhelming majority of current IDS products are hardware-based; they are costly and not convenient or flexible enough to deploy.
Second, the way an IDS is deployed in a network environment depends on the concrete network topology. In a shared-medium network the IDS can monitor all network traffic directly, but this shared mode also increases the security risk: any computer connected to the network only needs to set its network card to promiscuous mode to be able to see the network messages of other computers, and it can likewise intercept the alert messages of the IDS. In a switched network there are problems such as the need for extra hardware support, reduced performance and changes to the topology.
Third, with the continuous growth of Internet services the network scale of companies and enterprises keeps expanding; a single deployment mode, such as inside or outside the firewall or boundary protection, can no longer satisfy the needs of intrusion detection, while multi-position, all-round deployment undoubtedly brings high cost. Because the network is large, the IDS often faces huge traffic volumes, which on the one hand greatly increases its operating load and on the other hand makes it difficult for the IDS to distinguish normal traffic from malicious attacks.
Finally, once deployed the position of the IDS is fixed; it is difficult to adjust the monitored scope dynamically and impossible to detect suspicious network traffic and intrusion behaviour in a targeted way, so the false positive and false negative rates are too high, which greatly reduces the correctness and efficiency of the intrusion detection system.
Summary of the invention
The purpose of the invention is to provide an intrusion detection system deployment method that improves the flexibility of deploying an intrusion detection system and improves intrusion detection accuracy and efficiency.
To achieve the above purpose, the invention provides an intrusion detection system deployment method comprising:
Step 10: an anomaly monitoring module monitors the abnormality value of each virtual machine in order to identify an abnormal virtual machine;
From the above technical scheme it can be seen that the invention, based on virtual machine technology, realizes flexible deployment of the intrusion detection system: it identifies the abnormal virtual machine by monitoring the abnormality values of the virtual machines and thereby starts an intrusion detection virtual machine in a targeted way to perform intrusion detection on the messages the abnormal virtual machine transmits. The technical scheme makes deployment of the intrusion detection system in the network system more flexible; because the monitoring scope can be adjusted, the intrusion detection load is reduced and the detection is well targeted, so intrusion detection accuracy and efficiency can be improved.
Description of drawings
Fig. 1 is a schematic structural diagram of the virtual machine system on which the intrusion detection system deployment method of the invention is based;
Fig. 2 is a flow chart of the first embodiment of the intrusion detection system deployment method of the invention;
Fig. 3 is a schematic structural diagram of the virtual machine system on which the first embodiment is based;
Fig. 4 is a flow chart of starting and running the intrusion detection virtual machine in the first embodiment;
Fig. 5 is a schematic diagram of the message transmission path in the first embodiment;
Fig. 6 is a flow chart of the second embodiment of the intrusion detection system deployment method of the invention;
Fig. 7 is a schematic diagram of the message transmission path in the second embodiment;
Fig. 8 is a flow chart of the third embodiment of the intrusion detection system deployment method of the invention;
Fig. 9 is a flow chart of the fourth embodiment of the intrusion detection system deployment method of the invention;
Fig. 10 is a flow chart of the fifth embodiment of the intrusion detection system deployment method of the invention.
Embodiment
The intrusion detection system deployment method of the invention is realized on the basis of virtual machine technology: virtual machine software, for example "vmware" or "xen", is installed on the computer on which the IDS is to be deployed. Virtual machine technology simulates, in software, a computer system with the functions of a complete hardware system. The software in question is the virtual machine monitor (hereinafter VMM), which encapsulates, isolates, monitors and manages multiple virtual machine instances, so that several different types of operating system can run independently and without conflict on the same physical computer. Virtual machine technology also offers a new way of distributing and deploying software: the software is packaged in a virtual machine image, and virtual machine deployment and migration techniques then allow it to be distributed and deployed flexibly in a network environment. Fig. 1 is a schematic structural diagram of the virtual machine system on which the method of the invention is based. The virtual machine system resides in a physical computer and comprises a VMM 300 installed on the computer hardware layer 400 and the virtual machines 100 connected to the virtual switch 303 of the VMM 300. The virtual switch 303 is a network interconnection device implemented in software with the same functions as a hardware switch. Each virtual machine 100 is configured with a common virtual network card 101, which connects through the virtual switch 303 to the physical network in order to exchange messages. In addition to the original modules such as the virtual switch 303, an anomaly monitoring module 301 and a deployment actuator 302 are added to the VMM 300. The anomaly monitoring module 301 is connected to each virtual machine 100 in order to monitor its state, and to the deployment actuator 302 so that it can instruct the deployment actuator 302 to carry out the relevant deployment operations. The method of the invention deploys the intrusion detection system on the basis of virtual machine technology and thereby realizes intrusion detection for this computer system.
The invention is described in further detail below through specific embodiments with reference to the accompanying drawings.
First embodiment of the intrusion detection system deployment method
Fig. 2 is a flow chart of the first embodiment of the intrusion detection system deployment method of the invention. The method of this embodiment can be realized on the virtual machine system described above and comprises the following basic steps:
Step 10: an anomaly monitoring module monitors the abnormality value of each virtual machine in order to identify an abnormal virtual machine;
In this embodiment, each step is implemented as follows:
For step 10: the VMM, as an important component of the virtual machine software, can monitor in real time parameters such as the CPU usage, memory usage and network bandwidth occupancy of the virtual machines running on it. Because network attacks and intrusion events are often accompanied by phenomena such as excessive CPU load and exhaustion of the network bandwidth, in step 10 of this embodiment the anomaly monitoring module in the VMM can judge from the real-time operating data provided by the VMM whether an abnormal virtual machine exists and whether an intrusion detection virtual machine needs to be deployed. The anomaly monitoring module can identify an abnormal virtual machine in many ways; for example, any one or any combination of the virtual machine's CPU usage, memory usage and network bandwidth occupancy can be monitored as the abnormality value, and the virtual machine is judged to be abnormal when the monitored abnormality value reaches a set threshold. Concretely, a preferred implementation of step 10 performs the following steps:
Step a10: the VMM collects the operating data of the current virtual machines in real time, mainly comprising parameters such as CPU usage, memory usage and network bandwidth occupancy;
Step a11: the anomaly monitoring module monitors the collected CPU usage, memory usage and network bandwidth occupancy of each virtual machine;
Step a12: when the anomaly monitoring module observes that any of the CPU usage, memory usage or network bandwidth occupancy reaches the set threshold, it identifies the corresponding virtual machine as an abnormal virtual machine.
For step 20: after an abnormal virtual machine is identified, the anomaly monitoring module instructs the deployment actuator to start the intrusion detection virtual machine. A preferred implementation of step 20 is as follows; Fig. 4 is the flow chart of starting and running the intrusion detection virtual machine in the first embodiment:
In the preferred implementation of step 20 above, the deployment actuator judges the concrete state of the intrusion detection virtual machine, that is, whether it exists and, if it exists, whether it is running. A dedicated storage space can be set aside in the system to hold the intrusion detection virtual machine image; a virtual machine image is a disk file that encapsulates the whole operating system, including the system files and the intrusion detection system files. The deployment actuator can determine whether an intrusion detection virtual machine exists by checking whether the intrusion detection virtual machine image file is present in this dedicated storage space. If it exists, a built-in VMM command can be used to detect whether the intrusion detection virtual machine is running.
The intrusion detection virtual machine image file may be stored locally in advance, but is preferably stored on a network file server for download by any virtual machine system that needs it. In that case step 23, in which the deployment actuator obtains the intrusion detection virtual machine image file, is specifically: the deployment actuator downloads the intrusion detection virtual machine image file from the network file server into the local dedicated storage space and saves it in a local directory. The concrete network configuration can be as shown in Fig. 3: the deployment actuator 302 connects to the physical network through the I/O port of the hardware layer and thence to the network file server 500, from which it downloads the intrusion detection virtual machine image file.
The intrusion detection virtual machine image file is stored on the network file server in advance. It is prepared by encapsulating the intrusion detection system in a virtual machine image, which mainly involves two operations: first, creating a static virtual machine image that contains the intrusion detection system; second, generating the configuration file of this virtual machine image. The virtual machine image and the configuration file together form the intrusion detection virtual machine image file.
A preferred concrete way of generating the virtual machine image comprises the following steps:
Step a01: create a file in the standard image format required by the virtual machine software;
Step a02: on another computer, install an operating system and install the IDS in it in a minimal configuration;
Step a03: copy all files of this operating system, together with the IDS, into the standard-format image file;
Step a04: modify the startup files of this operating system so that the intrusion detection virtual machine loads the IDS automatically at startup;
Step a05: in this operating system, a network card can be added as the dedicated detection virtual network card by modifying the network card configuration; it is used exclusively by the IDS to monitor the network messages transmitted by the abnormal virtual machine.
A preferred concrete way of generating the configuration file comprises the following steps:
Step b01: configure the basic information of the intrusion detection virtual machine, i.e. the information indispensable for starting the virtual machine, such as its name and disk information;
Step b02: configure the network configuration information of the intrusion detection virtual machine, in which the connection information of the common virtual network card and of the dedicated detection virtual network card is set; the network configuration information is closely related to how the intrusion detection virtual machine is deployed. The common virtual network card connects to the virtual switch and serves the intrusion detection virtual machine's own communication, while the dedicated detection virtual network card is used to receive the network traffic that needs to be monitored.
Accordingly, step 24, in which the deployment actuator starts and runs the intrusion detection virtual machine locally from the intrusion detection virtual machine image file, can specifically be:
Step 241: the deployment actuator first starts the intrusion detection virtual machine according to the basic information in the configuration file contained in the intrusion detection virtual machine image file;
Step 242: according to the network configuration information in the configuration file, the deployment actuator starts the intrusion detection virtual machine's common virtual network card and dedicated detection virtual network card and connects each of them to a virtual switch, specifically in bridge mode. Because the dedicated detection virtual network card is used exclusively by the IDS, any network traffic subsequently sent to it is examined by the IDS.
For step 30: having identified the abnormal virtual machine, the deployment actuator, while starting the intrusion detection virtual machine, also obtains the abnormal virtual machine's identifier from the anomaly monitoring module and sends it to the virtual switch, informing the virtual switch which virtual machine's network traffic needs to be monitored so that in the subsequent steps the virtual switch can change how the messages associated with the abnormal virtual machine are transmitted. In this embodiment the connection between the virtual switch and the intrusion detection virtual machine is established in mirror port mode, so step 30 specifically performs the following steps:
Step a31: the deployment actuator obtains the abnormal virtual machine's identifier from the anomaly monitoring module and sends it to the local common virtual switch;
Step a32: the common virtual switch opens a mirror port according to the abnormal virtual machine's identifier and establishes a connection between this mirror port and the dedicated detection virtual network card of the intrusion detection virtual machine; the mirror port is used exclusively to copy the messages sent to or from the abnormal virtual machine and transmit them to the dedicated detection virtual network card.
For step 40: through the cooperation of the virtual switch and the dedicated detection virtual network card, this step sends the messages destined for or originating from the abnormal virtual machine to the intrusion detection virtual machine for detection and analysis. Specifically, the virtual switch mirror port mode can be used, whose function is similar to the traffic mirroring port of a hardware switch: a mirror port is opened on the switch and associated with a specified monitored port; whenever the monitored port sends or receives a message, every message passing through the monitored port is copied to the mirror port and transmitted to the device connected to the mirror port. The transmission path within the virtual machine system of the messages sent to or from the abnormal virtual machine is shown by the arrows in Fig. 5, and step 40 specifically performs the following step:
Step a41: the common virtual switch, acting as the virtual switch, copies the messages sent to or from the abnormal virtual machine to the mirror port and sends them to the dedicated detection virtual network card, and thus to the intrusion detection virtual machine, for intrusion detection analysis.
Thereafter, if the detection result is normal, the virtual switch sends the message to the abnormal virtual machine or to the network along its normal route. As can be seen from Fig. 5, the virtual machines in the virtual machine system are connected through one virtual switch, and the virtual switch is connected to the external network. When the virtual switch receives a network message, it forwards the message to the destination virtual machine, and the other virtual machines do not receive it.
Based on virtual machine technology, this embodiment realizes flexible deployment of the intrusion detection system: it identifies the abnormal virtual machine by monitoring the virtual machines' abnormality values and then starts an intrusion detection virtual machine in a targeted way to perform intrusion detection on the messages the abnormal virtual machine transmits. This technical scheme makes deployment of the intrusion detection system in the network system more flexible; because the monitoring scope can be adjusted, the intrusion detection load is reduced and the detection is well targeted, so intrusion detection accuracy and efficiency can be improved.
Second embodiment of the intrusion detection system deployment method
Fig. 6 is a flow chart of the second embodiment of the intrusion detection system deployment method of the invention. The difference between this embodiment and the first embodiment is that another way is used to transmit the abnormal virtual machine's messages, which can be called the two-virtual-switch mode: a dedicated virtual switch for the intrusion detection system is added to the VMM (in "Linux" it is concretely realized as a bridge), the original virtual switch serves as the common virtual switch, and monitoring is realized by adding the abnormal virtual machine's virtual network card to the dedicated virtual switch. Step 30 then specifically performs the following steps:
Step b31: the deployment actuator obtains the abnormal virtual machine's identifier from the anomaly monitoring module and sends it to the local common virtual switch and the dedicated virtual switch;
Step b32: the common virtual switch establishes a connection with the common virtual network card of the intrusion detection virtual machine and cancels its connection with the abnormal virtual machine; the dedicated virtual switch establishes a connection with the dedicated detection virtual network card and a connection with the abnormal virtual machine.
Thereafter, in step 40, the virtual switch sends the messages destined for the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card on the intrusion detection virtual machine for intrusion detection analysis; as shown in Fig. 6, this specifically comprises:
Step b41: the virtual switch here is the common virtual switch; when the common virtual switch receives from the network a message destined for the abnormal virtual machine, it sends the message to the intrusion detection virtual machine;
Step b42: the intrusion detection virtual machine sends the messages found to be normal to the dedicated virtual switch through the dedicated detection virtual network card;
Step b43: the dedicated virtual switch sends the received messages to the abnormal virtual machine.
In step 40 the virtual switch also sends the messages originating from the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual network card for intrusion detection analysis, specifically:
Step c41: the virtual switch here is the dedicated virtual switch; when the dedicated virtual switch receives a message from the abnormal virtual machine, it sends the message to the intrusion detection virtual machine through the dedicated detection virtual network card;
Step c42: the intrusion detection virtual machine sends the messages found to be normal to the common virtual switch;
Step c43: the common virtual switch sends the received messages to the network.
The transmission path of the messages destined for the abnormal virtual machine is shown by the arrows in Fig. 7, and the transmission path of the messages originating from the abnormal virtual machine is the reverse of those arrows. There is no fixed order between processing the messages destined for and originating from the abnormal virtual machine; the two can be carried out concurrently.
In this embodiment, all messages sent to or from the abnormal virtual machine flow through the intrusion detection virtual machine and can therefore be detected and analysed. In this two-virtual-switch mode the intrusion detection virtual machine plays the role of a router, so its routing and forwarding function must be enabled when the intrusion detection virtual machine is run; in a "Linux" system this corresponds to setting the "ip-forward" parameter.
This embodiment sends the messages transmitted by the abnormal virtual machine to the intrusion detection virtual machine for detection by adding a dedicated virtual switch, and is easy to realize. The technical scheme makes IDS deployment more flexible, avoids the restrictions imposed by changing the network topology, and targets the abnormal system to be monitored, which helps reduce the message flow to be examined, lightens the system burden and improves detection accuracy and efficiency.
Method for disposing inbreak detection system the 3rd embodiment
Fig. 8 is the flow chart of method for disposing inbreak detection system the 3rd embodiment of the present invention, and present embodiment can the foregoing description be the basis, and difference is that step 10 is specially the following step of execution:
The virtual disk files of step b11, each virtual machine of abnormal monitoring module carry calculates the cryptographic Hash of the critical system file in the virtual disk files, and is saved in the buffer memory of abnormal monitoring module;
Step b12, abnormal monitoring module are reaching setting-up time week after date, recomputate the cryptographic Hash of critical system file, and the cryptographic Hash that recomputates and the cryptographic Hash of buffer memory are compared;
Step b13, judge comparative result when inconsistent when the abnormal monitoring module, then discerning the corresponding virtual machine is abnormal virtual machine.
In actual applications, the hacker is in the process of invasion computer system, in order to reenter later on or this main frame of Long-distance Control, often to stay back door, modal way is to revise critical system file, for example registration table under " windows ", "/etc/passwd " under " Linux ", "/etc/shadow " etc.At such intrusion behavior, the abnormal monitoring module can be made regular check on these critical system files, changes if find file, then is identified as unusual.
A kind of mode of said method in the present embodiment for judging that virtual machine is whether unusual, judge that the unusual mode of virtual machine is not limited to two kinds of above-mentioned steps a10~a12 and b11~b13, other should be in the parameter value of paying close attention to can also to detect virtual machine, aforesaid way can independently adopt, also can be in conjunction with the condition as the identification abnormal virtual machine.
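The anomaly monitoring module of steps a10 to a12 (usage thresholds) and b11 to b13 (hashes of critical system files), combined as the text allows, written as an added example that is not code from the patent. The mounted virtual disk is modelled as a path-to-content mapping, and the thresholds, file list and disk contents are constructed for the example.

```python
"""Anomaly monitoring module: identifies an abnormal VM either from its
run-time usage parameters (steps a10-a12) or from a change in the hash of
critical system files on its virtual disk (steps b11-b13)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UsageSample:
    """One real-time sample the VMM collects for a VM (step a10), in percent."""
    cpu: float
    mem: float
    net: float


class AnomalyMonitor:
    def __init__(self, thresholds: Dict[str, float], critical_files: List[str]) -> None:
        self.thresholds = thresholds            # constructed, e.g. {"cpu": 90, "mem": 90, "net": 80}
        self.critical_files = critical_files    # paths checked inside each virtual disk
        self.hash_cache: Dict[str, Dict[str, str]] = {}   # vm_id -> {path: sha256 hex}

    # ---- steps a11/a12: usage thresholds
    def check_usage(self, sample: UsageSample) -> Optional[str]:
        """Return the first parameter that reached its threshold, else None."""
        for name in ("cpu", "mem", "net"):
            if getattr(sample, name) >= self.thresholds[name]:
                return name
        return None

    # ---- steps b11-b13: integrity of critical system files
    @staticmethod
    def _hash_files(disk: Dict[str, bytes], paths: List[str]) -> Dict[str, str]:
        # The mounted virtual disk is modelled as a path -> file content mapping
        # (an assumption of this example); only files that exist are hashed.
        return {p: hashlib.sha256(disk[p]).hexdigest() for p in paths if p in disk}

    def baseline(self, vm_id: str, disk: Dict[str, bytes]) -> None:
        """Step b11: hash the critical files and keep the values in the cache."""
        self.hash_cache[vm_id] = self._hash_files(disk, self.critical_files)

    def check_integrity(self, vm_id: str, disk: Dict[str, bytes]) -> List[str]:
        """Steps b12/b13: recompute after the set period and list every critical
        file whose hash differs from the cached one or that has disappeared."""
        cached = self.hash_cache.get(vm_id, {})
        current = self._hash_files(disk, self.critical_files)
        return sorted(p for p in cached if current.get(p) != cached[p])

    def identify(self, vm_id: str, sample: UsageSample,
                 disk: Dict[str, bytes]) -> Optional[str]:
        """Apply both conditions and return why the VM is abnormal, or None."""
        param = self.check_usage(sample)
        if param is not None:
            return f"{param} usage reached threshold"
        changed = self.check_integrity(vm_id, disk)
        if changed:
            return "critical files changed: " + ", ".join(changed)
        return None


# Constructed sample contents of a VM's virtual disk (not real system files).
SAMPLE_DISK: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/shadow": b"root:*:19000:0:99999:7:::\n",
    "/etc/hostname": b"vm1\n",
}

if __name__ == "__main__":
    monitor = AnomalyMonitor({"cpu": 90.0, "mem": 90.0, "net": 80.0},
                             ["/etc/passwd", "/etc/shadow"])
    monitor.baseline("vm1", SAMPLE_DISK)
    quiet = UsageSample(cpu=20, mem=30, net=10)
    print(monitor.identify("vm1", quiet, SAMPLE_DISK))          # None
    tampered = dict(SAMPLE_DISK)
    tampered["/etc/passwd"] += b"extra:x:1001:1001::/home/extra:/bin/sh\n"
    print(monitor.identify("vm1", quiet, tampered))             # /etc/passwd changed
```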
The technical scheme of present embodiment can dynamic flexible identifying and need carry out the virtual machine that intrusion detection analyzes and dispose intruding detection system targetedly it is detected, it is excessive to have avoided intruding detection system to detect flow, the problem that load is excessive can effectively improve the accuracy rate of warning.
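As an added example that is not part of the patent (nor the applicant's code), the file-integrity check of steps b11 to b13 in Python: the mounted virtual disk is stood in for by a directory, the Windows hive path is an assumed placeholder, and hash_file, IntegrityMonitor and run_demo are names chosen here.

```python
# Added example, not the patent's own code: file-integrity check of steps b11 to b13.
# The "virtual disk file" is represented by a directory that stands in for the
# mounted disk (a constructed stand-in); hashing and comparison follow the steps.
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Critical system files checked per guest, relative to the mounted disk root.
# The Linux entries come from the description; the Windows entry is a
# constructed placeholder for "the registry" (hive file path assumed).
CRITICAL_FILES = {
    "linux": ["etc/passwd", "etc/shadow"],
    "windows": ["Windows/System32/config/SYSTEM"],
}


def hash_file(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it is absent (absence also counts as a change)."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityMonitor:
    """Abnormal-monitoring module: caches hashes (b11), rechecks (b12), flags (b13)."""

    def __init__(self) -> None:
        self._cache: Dict[str, Dict[str, Optional[str]]] = {}

    def baseline(self, vm_id: str, disk_root: str, os_type: str) -> None:
        # Step b11: hash the critical files of the mounted disk and cache them.
        self._cache[vm_id] = {
            rel: hash_file(os.path.join(disk_root, rel))
            for rel in CRITICAL_FILES[os_type]
        }

    def check(self, vm_id: str, disk_root: str) -> Tuple[bool, List[str]]:
        # Step b12: recompute after the period and compare with the cached values.
        cached = self._cache[vm_id]
        changed = [
            rel for rel, old in cached.items()
            if hash_file(os.path.join(disk_root, rel)) != old
        ]
        # Step b13: any mismatch marks the guest as an abnormal virtual machine.
        return (len(changed) > 0, changed)


def run_demo() -> Dict[str, object]:
    """Constructed scenario: two guests, one of whose shadow file is altered."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as root:
        disks = {}
        for vm in ("vm1", "vm2"):
            d = os.path.join(root, vm)
            os.makedirs(os.path.join(d, "etc"))
            with open(os.path.join(d, "etc", "passwd"), "w") as f:
                f.write("root:x:0:0:root:/root:/bin/sh\n")
            with open(os.path.join(d, "etc", "shadow"), "w") as f:
                f.write("root:*:18000:0:99999:7:::\n")
            disks[vm] = d
        mon = IntegrityMonitor()
        for vm, d in disks.items():
            mon.baseline(vm, d, "linux")
        # Constructed change on vm2 only: one extra line written to its shadow file.
        with open(os.path.join(disks["vm2"], "etc", "shadow"), "a") as f:
            f.write("svc:*:18000:0:99999:7:::\n")
        # A later check period (steps b12 and b13) for both guests.
        results["vm1"] = mon.check("vm1", disks["vm1"])
        results["vm2"] = mon.check("vm2", disks["vm2"])
    return results
```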
Fourth embodiment of the intrusion detection system deployment method
Fig. 9 is a flow chart of the fourth embodiment of the intrusion detection system deployment method of the present invention. For an abnormal virtual machine monitored by the IDS, if no intrusion event is found within a specified time interval, monitoring of the abnormal virtual machine can be cancelled, that is, the IDS is un-deployed. This embodiment can take the technical solution of the first embodiment above as its basis; for the mode in which a mirror port is opened, the following steps are also included after step a41:
Step a51, after the intrusion detection virtual machine is running, the abnormal monitoring module starts a timer, and clears the timer whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step a52, the abnormal monitoring module judges whether the timer has reached the set time value; if so, step a53 is executed; if not, timing continues and step a52 is executed again;
Step a53, the abnormal monitoring module instructs the deployment actuator to send a monitoring cancellation message to the virtual switch and to the intrusion detection virtual machine respectively, so as to close the mirror port of the virtual switch, that is, to stop duplicating the corresponding traffic when it arrives at the virtual switch. At the same time, the intrusion detection virtual machine is stopped.
This embodiment cancels intrusion detection in a blocking manner: if no alarm message is received from the intrusion detection virtual machine within the specified time interval, for example 1 minute, the deployment actuator is notified to cancel monitoring.
The technical solution of this embodiment not only deploys the IDS flexibly on the basis of virtual machine technology, but can also flexibly un-deploy it, cancelling IDS detection; this reduces the unnecessary detection burden and improves the working efficiency of the system.
Fifth embodiment of the intrusion detection system deployment method
Figure 10 is a flow chart of the fifth embodiment of the intrusion detection system deployment method of the present invention. This embodiment can take the technical solution of the second embodiment above as its basis; for the mode with two virtual switches, the following steps are also included after step b43:
Step b51, after the intrusion detection virtual machine is running, the abnormal monitoring module starts a timer, and clears the timer whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step b52, the abnormal monitoring module judges whether the timer has reached the set time; if so, step b53 is executed; if not, timing continues and step b52 is executed again;
Step b53, the abnormal monitoring module instructs the deployment actuator to send a monitoring cancellation message to the ordinary virtual switch and to the dedicated virtual switch respectively;
Step b54, the ordinary virtual switch cancels its connection with the ordinary virtual NIC on the intrusion detection virtual machine and establishes a connection with the abnormal virtual machine; the dedicated virtual switch cancels its connection with the dedicated detection virtual NIC and cancels its connection with the abnormal virtual machine; and the intrusion detection virtual machine is stopped.
In this embodiment, when the deployment actuator is instructed to cancel monitoring, it can send monitoring cancellation messages to the ordinary virtual switch and to the dedicated virtual switch respectively, notifying them to remove the two virtual NICs of the intrusion detection virtual machine; the virtual NIC of the abnormal virtual machine is then moved from the dedicated virtual switch back to the ordinary virtual switch, restoring the original network structure shown in Figure 1, after which the intrusion detection virtual machine can be shut down.
The technical solution of this embodiment not only deploys the IDS flexibly on the basis of virtual machine technology, but can also flexibly un-deploy it, cancelling IDS detection; this reduces the unnecessary detection burden and improves the working efficiency of the system.
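The un-deployment timer shared by the fourth embodiment (steps a51 to a53) and the fifth embodiment (steps b51 to b54), as an added example that is not part of the patent: the time source is passed in explicitly so the behaviour is reproducible, the recipient names and the UndeployWatchdog class are chosen here, and the deployment actuator is represented by a callback.

```python
# Added example, not the patent's own code: the un-deployment timer of steps
# a51 to a53 (mirror-port mode) and b51 to b54 (two-switch mode). The clock is
# injected so the behaviour can be reproduced deterministically; the cancellation
# message is handed to a caller-supplied callback standing in for the actuator.
from typing import Callable, Dict, List, Tuple

CancelFn = Callable[[str, List[str]], None]  # (abnormal vm id, recipients)

# Recipients of the monitoring-cancellation message in the two modes (names assumed).
MIRROR_PORT_MODE = ["ordinary_virtual_switch", "ids_vm"]                  # step a53
TWO_SWITCH_MODE = ["ordinary_virtual_switch", "dedicated_virtual_switch"]  # step b53


class UndeployWatchdog:
    """Abnormal-monitoring module's timer: cleared on alarm, cancel on timeout."""

    def __init__(self, timeout_s: float, recipients: List[str], cancel: CancelFn) -> None:
        self.timeout_s = timeout_s
        self.recipients = recipients
        self.cancel = cancel
        self._timer_start: Dict[str, float] = {}   # vm id -> time the timer last started

    def ids_started(self, vm_id: str, now: float) -> None:
        # Step a51/b51: the timer starts once the IDS VM is running for this guest.
        self._timer_start[vm_id] = now

    def alarm_received(self, vm_id: str, now: float) -> None:
        # Step a51/b51: an alarm from the IDS VM clears the timer (it restarts at now).
        if vm_id in self._timer_start:
            self._timer_start[vm_id] = now

    def tick(self, now: float) -> List[str]:
        # Step a52/b52: has the timer reached the set value? If not, keep timing.
        expired = [vm for vm, t0 in self._timer_start.items() if now - t0 >= self.timeout_s]
        for vm in expired:
            # Step a53/b53: instruct the deployment actuator to cancel monitoring.
            self.cancel(vm, self.recipients)
            del self._timer_start[vm]
        return expired

    def monitored(self) -> List[str]:
        """Guests whose IDS monitoring is still active."""
        return sorted(self._timer_start)


def run_demo() -> Dict[str, object]:
    """Constructed timeline using the 1-minute interval given in the description."""
    sent: List[Tuple[str, List[str]]] = []
    wd = UndeployWatchdog(60.0, MIRROR_PORT_MODE, lambda vm, to: sent.append((vm, to)))
    wd.ids_started("vm2", now=0.0)
    wd.alarm_received("vm2", now=30.0)   # an alarm clears the timer
    first = wd.tick(now=60.0)            # only 30 s since the alarm: keep timing
    second = wd.tick(now=90.0)           # 60 s without an alarm: cancel monitoring
    return {"first": first, "second": second, "sent": sent, "still": wd.monitored()}
```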
The present invention proposes an intrusion detection system deployment method that uses virtual machine technology. Compared with traditional deployment methods, this method has the following features and advantages:
(1) A software deployment mode is adopted: the intrusion detection system is packaged in a virtual machine image, and the dynamic and flexible deployment characteristics of virtual machines are used to realise on-demand deployment of the intrusion detection system.
(2) A virtual switch is used to connect the IDS and the monitored system, unifying the way the IDS is deployed in the network and solving the problems of the former deployment ways, such as the need for additional hardware support and changes to the topology.
(3) An automatic deployment mechanism is introduced: the load of the virtual machines and the network conditions in the system are monitored in real time, and when suspicious behaviour is found the IDS is deployed dynamically. The whole process needs no manual intervention, the monitoring scope can be adjusted adaptively, and malicious traffic and intrusion behaviour are detected in a targeted way, thereby improving detection efficiency and accuracy.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, carries out the steps of the above method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in each of the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An intrusion detection system deployment method, characterized in that it comprises:
Step 10, an abnormal monitoring module monitors the abnormality value of each virtual machine to identify an abnormal virtual machine;
Step 20, when the abnormal monitoring module identifies an abnormal virtual machine, it instructs a deployment actuator to start and run an intrusion detection virtual machine locally;
Step 30, the deployment actuator obtains the abnormal virtual machine identifier from the abnormal monitoring module and, according to the abnormal virtual machine identifier, sets up the connection between a virtual switch and the intrusion detection virtual machine;
Step 40, the virtual switch sends the packets addressed to or coming from the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual NIC on the intrusion detection virtual machine, for intrusion detection analysis.
2. The intrusion detection system deployment method according to claim 1, characterized in that step 10 specifically comprises:
Step a11, the abnormal monitoring module monitors the CPU usage, memory usage and network bandwidth usage of each virtual machine respectively;
Step a12, when the abnormal monitoring module detects that any one of the CPU usage, memory usage and network bandwidth usage reaches a set threshold, it identifies the corresponding virtual machine as an abnormal virtual machine.
3. The intrusion detection system deployment method according to claim 1, characterized in that step 10 specifically comprises:
Step b11, the abnormal monitoring module mounts the virtual disk file of each virtual machine, computes the hash values of the critical system files in the virtual disk file, and saves them in a cache;
Step b12, after a set time period, the abnormal monitoring module recomputes the hash values of the critical system files and compares the recomputed hash values with the cached hash values;
Step b13, when the abnormal monitoring module judges that the comparison result is inconsistent, it identifies the corresponding virtual machine as an abnormal virtual machine.
4. The intrusion detection system deployment method according to claim 1, characterized in that step 20 specifically comprises:
Step 21, when the abnormal monitoring module identifies an abnormal virtual machine, it instructs the deployment actuator to query whether an intrusion detection virtual machine exists in the local system; if so, step 22 is executed; if not, step 23 is executed;
Step 22, the deployment actuator judges whether the local intrusion detection virtual machine is running; if so, step 30 is executed; if not, the intrusion detection virtual machine is started and run, and step 30 is executed;
Step 23, the deployment actuator obtains an intrusion detection virtual machine image file locally or from a network file server;
Step 24, the deployment actuator starts and runs the intrusion detection virtual machine locally according to the intrusion detection virtual machine image file.
5. The intrusion detection system deployment method according to claim 4, characterized in that step 24 specifically comprises:
Step 241, the deployment actuator starts the intrusion detection virtual machine according to the basic information in the configuration file contained in the intrusion detection virtual machine image file;
Step 242, the deployment actuator starts the ordinary virtual NIC and the dedicated detection virtual NIC on the intrusion detection virtual machine respectively, and connects each of them to the virtual switch according to the network configuration information in the configuration file.
6. The intrusion detection system deployment method according to claim 1, characterized in that:
the virtual switch comprises an ordinary virtual switch, and step 30 specifically comprises:
Step a31, the deployment actuator obtains the abnormal virtual machine identifier from the abnormal monitoring module and sends the abnormal virtual machine identifier to the local ordinary virtual switch;
Step a32, the ordinary virtual switch opens a mirror port according to the abnormal virtual machine identifier and establishes a connection between the mirror port and the dedicated detection virtual NIC on the intrusion detection virtual machine; the mirror port is used to duplicate the packets addressed to or coming from the abnormal virtual machine and transfer them to the dedicated detection virtual NIC;
and step 40 specifically comprises:
Step a41, the ordinary virtual switch copies the packets addressed to or coming from the abnormal virtual machine to the mirror port and sends them to the dedicated detection virtual NIC, thereby sending them to the intrusion detection virtual machine for intrusion detection analysis.
7. The intrusion detection system deployment method according to claim 6, characterized in that, after step a41, it further comprises:
Step a51, after the intrusion detection virtual machine is running, the abnormal monitoring module starts a timer, and clears the timer whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step a52, the abnormal monitoring module judges whether the timer has reached the set time value; if so, step a53 is executed;
Step a53, the abnormal monitoring module instructs the deployment actuator to send a monitoring cancellation message to the ordinary virtual switch and to the intrusion detection virtual machine respectively, so as to close the mirror port of the ordinary virtual switch and stop the intrusion detection virtual machine.
8. The intrusion detection system deployment method according to claim 1, characterized in that the virtual switch comprises an ordinary virtual switch and a dedicated virtual switch, and step 30 specifically comprises:
Step b31, the deployment actuator obtains the abnormal virtual machine identifier from the abnormal monitoring module and sends the abnormal virtual machine identifier to the local ordinary virtual switch and dedicated virtual switch;
Step b32, the ordinary virtual switch establishes a connection with the ordinary virtual NIC on the intrusion detection virtual machine and cancels its connection with the abnormal virtual machine; the dedicated virtual switch establishes a connection with the dedicated detection virtual NIC and establishes a connection with the abnormal virtual machine.
9. The intrusion detection system deployment method according to claim 8, characterized in that,
in step 40, the virtual switch sending the packets addressed to the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual NIC on the intrusion detection virtual machine for intrusion detection analysis specifically comprises:
Step b41, the virtual switch is the ordinary virtual switch; when the ordinary virtual switch receives from the network a packet addressed to the abnormal virtual machine, it sends the packet to the intrusion detection virtual machine;
Step b42, the intrusion detection virtual machine sends the packets found to be normal to the dedicated virtual switch through the dedicated detection virtual NIC;
Step b43, the dedicated virtual switch sends the received packets to the abnormal virtual machine;
and in step 40, the virtual switch sending the packets coming from the abnormal virtual machine to the intrusion detection virtual machine through the dedicated detection virtual NIC on the intrusion detection virtual machine for intrusion detection analysis specifically comprises:
Step c41, the virtual switch is the dedicated virtual switch; when the dedicated virtual switch receives a packet from the abnormal virtual machine, it sends the packet to the intrusion detection virtual machine through the dedicated detection virtual NIC;
Step c42, the intrusion detection virtual machine sends the packets found to be normal to the ordinary virtual switch;
Step c43, the ordinary virtual switch sends the received packets to the network.
10. The intrusion detection system deployment method according to claim 9, characterized in that, after step b43, it further comprises:
Step b51, after the intrusion detection virtual machine is running, the abnormal monitoring module starts a timer, and clears the timer whenever it receives an alarm message sent by the intrusion detection virtual machine;
Step b52, the abnormal monitoring module judges whether the timer has reached the set time; if so, step b53 is executed;
Step b53, the abnormal monitoring module instructs the deployment actuator to send a monitoring cancellation message to the ordinary virtual switch and to the dedicated virtual switch respectively;
Step b54, the ordinary virtual switch cancels its connection with the ordinary virtual NIC on the intrusion detection virtual machine and establishes a connection with the abnormal virtual machine; the dedicated virtual switch cancels its connection with the dedicated detection virtual NIC and cancels its connection with the abnormal virtual machine; and the intrusion detection virtual machine is stopped.
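A model of the two-virtual-switch inline mode of claims 8 and 9 (step b32, the inbound path b41 to b43, the outbound path c41 to c43) together with the un-deployment of step b54, as an added example that is not part of the patent: the Host class, the path labels and the inspection rule (a constructed marker instead of a real detection engine) are all chosen here.

```python
# Added example, not the patent's own code: a model of the two-virtual-switch
# mode of claims 8 and 9 (steps b32, b41 to b43, c41 to c43) and the un-deployment
# of step b54. The IDS verdict is a constructed stand-in, not a detection engine.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str          # "network" or a vm id
    dst: str          # a vm id or "network"
    payload: bytes


@dataclass
class Host:
    """Ordinary switch, dedicated switch, IDS VM and guests on one physical host."""
    vms: List[str]
    is_normal: Callable[[Packet], bool]          # IDS verdict: True = forward
    abnormal: Optional[str] = None                # guest currently behind the IDS
    alarms: List[Packet] = field(default_factory=list)

    def deploy(self, vm_id: str) -> None:
        # Step b32: the ordinary switch drops the guest and gains the IDS ordinary
        # NIC; the dedicated switch gains the IDS detection NIC and the guest.
        assert vm_id in self.vms
        self.abnormal = vm_id

    def undeploy(self) -> None:
        # Step b54: the connections are reversed and the guest is back on the
        # ordinary switch, restoring the original structure.
        self.abnormal = None

    def _inspect(self, pkt: Packet, path: List[str]) -> bool:
        path.append("ids_vm")
        if self.is_normal(pkt):
            return True
        self.alarms.append(pkt)      # alarm message raised; packet not forwarded
        path.append("dropped")
        return False

    def inbound(self, pkt: Packet) -> Tuple[bool, List[str]]:
        """Packet from the network to a guest; returns (delivered, path taken)."""
        path = ["ordinary_switch"]
        if pkt.dst != self.abnormal:
            path.append(pkt.dst)                             # direct delivery
            return True, path
        path.append("ordinary_nic")                          # step b41
        if not self._inspect(pkt, path):
            return False, path
        path += ["detection_nic", "dedicated_switch", pkt.dst]   # steps b42, b43
        return True, path

    def outbound(self, pkt: Packet) -> Tuple[bool, List[str]]:
        """Packet from a guest to the network; returns (delivered, path taken)."""
        if pkt.src != self.abnormal:
            return True, ["ordinary_switch", "network"]
        path = ["dedicated_switch", "detection_nic"]         # step c41
        if not self._inspect(pkt, path):
            return False, path
        path += ["ordinary_nic", "ordinary_switch", "network"]   # steps c42, c43
        return True, path


def run_demo() -> dict:
    """Constructed traffic: vm2 is the abnormal guest; b'MARK' stands in for a detection hit."""
    host = Host(vms=["vm1", "vm2"], is_normal=lambda p: b"MARK" not in p.payload)
    host.deploy("vm2")
    out = {
        "to_vm1": host.inbound(Packet("network", "vm1", b"hello")),
        "to_vm2_ok": host.inbound(Packet("network", "vm2", b"hello")),
        "to_vm2_bad": host.inbound(Packet("network", "vm2", b"MARK")),
        "from_vm2": host.outbound(Packet("vm2", "network", b"reply")),
    }
    host.undeploy()
    out["to_vm2_after"] = host.inbound(Packet("network", "vm2", b"hello"))
    out["alarms"] = len(host.alarms)
    return out
```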
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN2009100762324A (CN101465770B) | 2009-01-06 | 2009-01-06 | Method for disposing inbreak detection system
Publications (2)
Publication Number | Publication Date
---|---
CN101465770A | 2009-06-24
CN101465770B | 2011-04-06
Family ID: 40806145
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
C17 | Cessation of patent right |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110406; Termination date: 20140106