CN103178988B - Performance-optimized monitoring method and system for virtual resources - Google Patents

Performance-optimized monitoring method and system for virtual resources

Info

Publication number
CN103178988B
Authority
CN
China
Prior art keywords
module
monitoring
virtual machine
event
security
Prior art date
Legal status
Active
Application number
CN201310048933.3A
Other languages
Chinese (zh)
Other versions
CN103178988A (en)
Inventor
陈幼雷
张雅哲
张大鹏
Current Assignee
CEC CYBERSPACE GREAT WALL Co Ltd
Original Assignee
CEC CYBERSPACE GREAT WALL Co Ltd
Application filed by CEC CYBERSPACE GREAT WALL Co Ltd
Priority to CN201310048933.3A
Publication of CN103178988A
Application granted
Publication of CN103178988B
Legal status: Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a performance-optimized method and system for monitoring virtual resources. In the method, the virtual machine monitor (VMM) layer first monitors the running performance of the physical server and its guest virtual machines together with the system-call events of the guest virtual machines. According to the monitored running performance of the physical server and the guest virtual machines, and according to priority and the security policy, the monitored system-call events are then processed in a security virtual machine; after processing, control instructions are issued to control how the system-call events operate on the virtual resources. The performance-optimized monitoring method and system effectively monitor the overall running and security state of the system while maintaining a good user experience.

Description

Performance-optimized monitoring method and system for virtual resources
Technical field
The invention relates to the fields of virtualization technology and information security technology, and in particular to a performance-optimized method and system for monitoring virtual resources.
Background technology
Virtualization is widely used in the IT industry. With the large-scale adoption of cloud computing, virtualization, and server virtualization in particular, has developed rapidly, changed the face of IT and fundamentally changed how people compute. By virtualizing physical resources, the resources of one server can be allocated to several virtual machines, so that different applications, and even different operating systems, run on the same physical server. Combined with cloud computing, this provides flexible configuration, rapid deployment and savings in computing resources.
While it brings great advantages, virtualization also brings serious security risks that differ from the traditional security model. Once physical resources are virtualized, a single physical server may run several virtual machines. The actual computing resources (CPU, memory, disk, network and so on) are virtualized into virtual resources that are shared by the different virtual machines. In actual use the virtual machines share the same physical server resources while each believes it has exclusive use of the system; the whole resource-sharing process is scheduled by the virtualization module (for example a virtual machine monitor such as Xen). Once an attacker exploits a vulnerability to compromise the virtualization module, every virtual machine running on it is affected, and with them all the applications and user data in those virtual machines; security protection for virtual machines is therefore of the utmost importance. The new security threats introduced by virtualization are mainly the following. (1) Isolation of virtual resources: in a multi-tenant environment, business systems belonging to different tenants may run on the same cloud platform, so a tenant's resources are exposed to unauthorized access by other tenants, and a security incident such as a malicious act or a mistake by one tenant may spread to the business systems of other tenants on the same platform. (2) Security of the virtual machine manager (VMM) layer: because the VMM layer runs at a higher privilege level than the virtual machines, an attack on it threatens every virtual machine on the same physical server. (3) Virtual machine escape: if a malicious program running in a virtual machine bypasses the virtual machine's own security mechanisms and obtains privileges of the VMM layer or the physical server, it threatens every virtual machine on that server. (4) Virtual network security: in a cloud computing environment the extensive use of virtual network resources blurs the traditional network boundary. Traditional security appliances such as firewalls, IDS and IPS can only be deployed at the physical boundary and cannot apply fine-grained access control to traffic between virtual machines on the same physical host. If the attack originates from a virtual machine inside the cloud platform, it bypasses all network-boundary protections and attacks other virtual machines from the inside, threatening the whole virtual network and, in serious cases, the safe operation of the entire cloud platform.
The isolation mechanism built into existing virtualization technology only isolates the basic runtime environments of applications; it cannot prevent a program from accessing beyond its bounds or accessing without authorization. The underlying sharing of physical resources also makes data easier to access without authorization: for example, when programs in different virtual machines share the same cache, once the program of one virtual machine is exploited by malicious code, the data of another virtual machine is easily accessed or leaked.
The current approach is to deploy a security application at the VMM layer to monitor the security behaviour of the guest virtual machines above it by intercepting their system calls, and at the same time to deploy a security virtual machine inside the system that analyses the intercepted system calls, responds in real time according to the security policy and decides whether each call is allowed or blocked. This solves most virtual machine security problems, but its main drawback is that the security virtual machine and the guest virtual machines request system resources at the same time, and the two consume virtual resources in proportion to each other. When a guest virtual machine is under heavy load and issues a large number of system calls, the security virtual machine must perform an equally large number of real-time security processing tasks, so the security virtual machine and the guest virtual machines contend for system resources, the overall resource shortage is multiplied, the overall performance of the physical server drops sharply and the user experience suffers. To free resources, some security functions of the security virtual machine can only be reduced or forcibly switched off, at a cost in security.
Summary of the invention
To address the problem that existing techniques for monitoring guest virtual machine security cause the security virtual machine and the guest virtual machines to contend for resources, degrading system performance, harming the user experience and causing a loss of security, the invention provides a performance-optimized method for monitoring virtual resources that effectively monitors the overall running and security state of the system while maintaining a good user experience. The invention also relates to a corresponding performance-optimized system for monitoring virtual resources.
The technical scheme is as follows:
A performance-optimized method for monitoring virtual resources, characterized in that: the running performance of the physical server and the guest virtual machines, and the system-call events of the guest virtual machines, are first monitored at the virtual machine monitor layer; according to the monitored running performance of the physical server and the guest virtual machines, and according to priority and the security policy, the monitored system-call events are processed in a security virtual machine; and after processing, control instructions are issued to control how the system-call events operate on the virtual resources.
At the virtual machine monitor layer, the system-call events of the guest virtual machines are monitored to obtain event data, and the running performance of the physical server and the guest virtual machines is monitored to obtain performance monitoring data; the performance monitoring data provides one of the security policies by which the system-call events are processed.
After the event data is obtained by monitoring, it is first subjected to semantic conversion, which converts the event data from low-level semantics to high-level semantics; only after semantic conversion is the event data processed.
Processing the monitored system-call events comprises scheduling, real-time processing, and logging and alerting. Scheduling makes a priority judgement on the event data and schedules it: low-priority event data is logged and alerted on, while high-priority event data is processed in real time.
The high-priority event data is analysed by a security monitoring module and processed in real time according to the security policy, and after real-time processing a control instruction is issued to control how the system-call event operates on the virtual resources;
and/or, logging and alerting first records the low-priority event data in a log, then has the security monitoring module review it afterwards and raise alerts according to the security policy.
A performance-optimized system for monitoring virtual resources, characterized in that it comprises an interconnected security event monitoring and response module and a data processing module. The security event monitoring and response module is located at the virtual machine monitor layer; it monitors the running performance of the physical server and the guest virtual machines and the system-call events of the guest virtual machines, and sends the monitoring information to the data processing module. The data processing module is located in the security virtual machine; according to the monitored running performance of the physical server and the guest virtual machines, and according to priority and the security policy, it processes the system-call events and, after processing, sends control instructions to the security event monitoring and response module to control how the system-call events operate on the virtual resources.
The security event monitoring and response module comprises a security event monitoring module, a security event response module and a performance monitoring module. The security event monitoring module monitors the system-call events of the guest virtual machines to obtain event data and sends the event data to the data processing module; the performance monitoring module monitors the running performance of the physical server and the guest virtual machines to obtain performance monitoring data and supplies it to the data processing module as one of the security policies used for processing; the security event response module receives the control instructions sent by the data processing module and responds to them.
The data processing module comprises a semantic processing module, a core processing module and a security policy module connected in sequence; the core processing module is connected to the security policy module, the performance monitoring module and the security event response module respectively. The semantic processing module is connected to the security event monitoring module and performs semantic conversion on the event data, converting it from low-level semantics to high-level semantics before passing it to the core processing module. The core processing module processes the event data according to the security policy held in the security policy module and the performance monitoring data obtained by the performance monitoring module, and after processing sends control instructions to the security event response module.
The core processing module comprises a scheduling module, a real-time processing module and a logging and alerting module. The real-time processing module and the logging and alerting module are each connected to the scheduling module; the scheduling module is connected to the performance monitoring module and the semantic processing module; the real-time processing module and the logging and alerting module are both connected to the security policy module; and the real-time processing module is connected to the security event response module. The scheduling module makes priority judgements on the event data and schedules it; the real-time processing module processes high-priority event data in real time and, after real-time processing, sends control instructions to the security event response module; the logging and alerting module logs and raises alerts on low-priority event data.
The real-time processing module and the logging and alerting module are both connected to the security policy module through one or more security monitoring modules; the real-time processing module has the high-priority event data analysed by the security monitoring modules and processed in real time according to the security policy;
and/or, the logging and alerting module first logs the low-priority event data, then has the security monitoring modules review it afterwards and raise alerts according to the security policy;
and/or, the security monitoring module is an intrusion detection module and/or an intrusion prevention module and/or a file access control module.
The technical effects of the invention are as follows:
The invention relates to a performance-optimized method for monitoring virtual resources. The running performance of the physical server and the guest virtual machines, and the system-call events of the guest virtual machines, are first monitored at the virtual machine monitor layer, which effectively guards the running and security state of the physical server and the guest virtual machines. At the same time, according to the monitored running performance of the physical server and the guest virtual machines, and according to priority and the security policy, the monitored system-call events are processed by the security virtual machine, and after processing control instructions are issued to control how the system-call events operate on the virtual resources. Monitoring the running performance of the physical server and the guest virtual machines yields their running state, that is, whether the system is busy or idle; the system-call events of the guest virtual machines (the security events) are then scheduled according to priority and the security policy, and control instructions are issued to control the operation of the virtual resources (the hardware resources). For example, security events can be handled differently when the system is busy and when it is idle: when the system is busy only the higher-priority security events are processed in real time, while lower-priority security events are first recorded and reviewed later, once the system is idle. This effectively avoids contention for system resources between the security virtual machine and the guest virtual machines, and at the same time avoids discarding large numbers of security events because resources are short, which would degrade system security. The method allows the overall virtual resources to be allocated and adjusted reasonably, avoids the drop in overall physical server performance and achieves a good user experience; and because the security functions of the security virtual machine need not be reduced or switched off, it avoids the loss of security and improves the security performance of the security virtual machine.
In the performance-optimized monitoring method, the processing of the monitored system-call events by the security virtual machine according to priority and the security policy specifically comprises scheduling, real-time processing, and logging and alerting. Scheduling makes a priority judgement on the event data and schedules it, taking into account the security policy and the monitored running performance of the physical server and the guest virtual machines; that running performance can itself be one of the security policies. After scheduling, low-priority event data is logged and alerted on, high-priority event data is processed in real time, and after real-time processing control instructions are issued to control how the system-call events operate on the virtual resources. Security events are thus scheduled and processed more precisely according to the running state of the physical server and the guest virtual machines, the resource shortage caused by the security virtual machine and the guest virtual machines requesting the system's virtual resources at the same time is strictly avoided, the security performance of the security virtual machine is enhanced and the user experience is further improved.
In the performance-optimized monitoring system, a security event monitoring and response module is placed at the virtual machine monitor layer to monitor the running performance of the physical server, the running performance of the guest virtual machines and the system-call events, which effectively guards the running and security state of the physical server and the guest virtual machines. A data processing module is placed in the security virtual machine; according to the running performance of the physical server and the guest virtual machines monitored by the security event monitoring and response module, it processes the system-call events of the guest virtual machines (also called security events) according to priority and the security policy, and after processing sends control instructions to the security event monitoring and response module to control how the system-call events operate on the virtual resources. This effectively avoids contention for system resources between the security virtual machine and the guest virtual machines without missing any security events: high-level security events are monitored and processed in real time with priority, and low-level security events are processed afterwards.
Brief description of the drawings
Fig. 1 is a structural schematic of the performance-optimized system for monitoring virtual resources according to the invention.
Fig. 2 is a schematic of a preferred structure of the security event monitoring and response module of Fig. 1.
Fig. 3 is a schematic of a preferred structure of the data processing module of Fig. 1.
Fig. 4 is a schematic of a preferred structure of the performance-optimized system for monitoring virtual resources according to the invention.
Fig. 5 is a workflow diagram of the performance-optimized monitoring system shown in Fig. 4.
Fig. 6 is a flow chart of the performance-optimized method for monitoring virtual resources according to the invention.
Fig. 7 is a preferred flow chart of the performance-optimized method for monitoring virtual resources according to the invention.
Detailed description of the invention
The invention is described below with reference to the accompanying drawings.
The invention relates to a performance-optimized system for monitoring virtual resources. Its structure, shown in Fig. 1, logically comprises two parts: an interconnected security event monitoring and response module and a data processing module. The security event monitoring and response module is located at the virtual machine monitor layer; it monitors the running performance of the physical server and the guest virtual machines and the system-call events of the guest virtual machines, and sends the monitoring information, which comprises both the performance monitoring information and the system-call event monitoring information, to the data processing module. Each guest virtual machine may run the same or a different operating system, and several applications in each guest virtual machine may call the hardware resources (CPU, memory, disk, network and so on) of that guest virtual machine. The security event monitoring and response module deployed at the virtual machine monitor layer provides performance monitoring of the system (the physical server and its guest virtual machines) together with interception, monitoring and response handling of the various system calls of the guest virtual machines. It collects the running performance of the physical server and the guest virtual machines, that is, the overall running performance of the system, and sends the performance monitoring data to the data processing module as one of the policies for its scheduling (performance monitoring data flow 3 in the figure). It monitors the system-call events with which the guest virtual machines access the virtual resources, sends the monitoring information to the data processing module, and responds to the system-call events under the control of the data processing module (event data flow 1 in the figure). The data processing module is located in the security virtual machine; it processes the system-call events according to priority and the security policy, and after processing sends control instructions to the security event monitoring and response module to control how the system-call events operate on the virtual resources. In other words, the data processing module deployed in the security virtual machine provides security event processing and security control: after receiving the event data flow from the security event monitoring and response module it processes the events and, according to the security policy and the result, sends control instructions back to the security event monitoring and response module (control flow 2 in the figure).
For the system of Fig. 1, the preferred structure of the security event monitoring and response module deployed at the virtual machine monitor layer is shown in Fig. 2. It comprises a security event monitoring module, a security event response module and a performance monitoring module. The performance monitoring module monitors the overall running performance of the physical server and the guest virtual machines to obtain performance monitoring data, which it sends to the data processing module (performance monitoring data flow 3 in the figure) to serve as one of the security policies for scheduling the events. The security event monitoring module monitors the system-call events of the guest virtual machines to obtain event data and sends it to the data processing module in the security virtual machine (event data flow 1 in the figure); according to the control flow 2 sent by the data processing module it then either hands the event to the security event response module for processing or lets it pass directly. The security event response module receives the control instructions sent by the data processing module and responds to them: specifically, according to the control instruction in control flow 2 it processes, refuses or lets pass the received system-call event's access to the virtual resources. Processing a received system-call event according to a control instruction may be a fuzzy (obfuscating) treatment of the event: for example, when the system-call event is a file access and the control instruction sent by the data processing module is "process", the security event response module may obfuscate the file content that is read.
For the system of Fig. 1, the preferred structure of the data processing module deployed in the security virtual machine is shown in Fig. 3. The data processing module processes the security events and uses a priority scheduling method, which reduces the performance loss caused by the resource consumption of the security functions themselves. It comprises a semantic processing module, a core processing module, a security policy module and one or more security monitoring modules; the core processing module and the semantic processing module are both connected to the security event monitoring and response module. The core processing module comprises a scheduling module, a real-time processing module and a logging and alerting module; the real-time processing module and the logging and alerting module are each connected to the scheduling module; the scheduling module is connected to the semantic processing module; the scheduling module and the real-time processing module are both connected to the security event monitoring and response module; and the real-time processing module and the logging and alerting module are both connected to the security policy module through one or more security monitoring modules.
In Fig. 3, the semantic processing module performs semantic conversion on the event data monitored by the security event monitoring and response module, converting it from low-level semantics to high-level semantics, that is, identifying the party the security event belongs to, the attributes of the virtual resources involved and the access environment context; after semantic conversion the event data is fed to the scheduling module of the core processing module. The core processing module processes the event data according to the security policy configured in advance in the security policy module and the performance monitoring data obtained by the security event monitoring and response module, and after processing sends control instructions to the security event monitoring and response module. Within the core processing module, the scheduling module makes priority judgements and schedules the event data according to the security policy and the performance monitoring data; the performance monitoring data obtained by monitoring the running performance of the physical server and of the guest virtual machines together serves as the basis for the core processing module's policy handling. Low-priority security events are handed to the logging and alerting module, which may first log the low-priority event data and then, once the physical server system is idle, have each security monitoring module review it afterwards (log data flow 5 in the figure) and raise message alerts according to the security policy. High-priority security events are handed to the real-time processing module, which pushes them in real time to the security monitoring modules for analysis; the analysis results are returned to the real-time processing module (real-time processing data flow 4 in the figure), which sends control instructions to the security event monitoring and response module according to the analysis results. Besides judging priority according to the security policy and the semantic conversion result, the scheduling module can also assess the current running performance obtained by the security event monitoring and response module at the virtual machine monitor layer and dynamically adjust the scheduling security policy in the security policy module: if the physical server system is busy, most security events are only logged and alerted on by the logging and alerting module, and only the minority of events with a high security level are processed in real time by the real-time processing module; if the physical server system is relatively idle, more security events can be processed in real time by the real-time processing module.
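The semantic conversion step named in the claims and in the Fig. 3 description above is the point where the raw interception record becomes something a policy can be applied to. The following is an added example, not code from the patent: it maps the low-level record a VMM-layer monitor would capture (guest VM id, PID, syscall number, raw arguments) to a high-level event carrying the party the event belongs to, the action, the resource with its sensitivity attribute, and the access context. The syscall numbers are the Linux x86-64 ones; the VM-to-tenant map, the sensitive-path and sensitive-port lists and the file-descriptor table are assumed, constructed sample data.

```python
"""Semantic conversion of intercepted guest system-call events.

Added example, not code from the patent. Syscall numbers are Linux x86-64;
VM_TENANT, SENSITIVE_PATHS, SENSITIVE_PORTS and the fd table are assumed
sample data constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Tuple

# Linux x86-64 syscall number -> (action, index of the argument naming the resource)
SYSCALL_TABLE = {
    0: ("read", 0),      # read(fd, buf, count)
    1: ("write", 0),     # write(fd, buf, count)
    2: ("open", 0),      # open(pathname, flags, mode)
    42: ("connect", 1),  # connect(sockfd, addr, addrlen)
    59: ("execve", 0),   # execve(pathname, argv, envp)
    257: ("openat", 1),  # openat(dirfd, pathname, flags, mode)
}

# Assumed mapping of the guest VMs on this physical server to tenants (constructed)
VM_TENANT = {"vm-01": "tenant-a", "vm-02": "tenant-b"}

# Assumed resource classification taken from the security policy (constructed)
SENSITIVE_PATHS = ("/etc/shadow", "/etc/ssh/", "/root/")
SENSITIVE_PORTS = {22, 3306}


@dataclass
class RawEvent:
    """Low-level record as captured at the VMM layer."""
    vm_id: str
    pid: int
    syscall_nr: int
    args: Tuple[Any, ...]
    # fd -> path resolved by the monitor for this process (assumed available)
    fd_table: Dict[int, str] = field(default_factory=dict)


@dataclass
class SecurityEvent:
    """High-level event consumed by the scheduling module."""
    subject: Dict[str, Any]   # who: tenant, guest VM, process
    action: str               # what: read, write, open, connect, execve ...
    resource: Dict[str, Any]  # on what: kind, name, sensitivity class
    context: Dict[str, Any]   # access environment: server load at the time


def classify_path(path: str) -> str:
    return "sensitive" if path.startswith(SENSITIVE_PATHS) else "normal"


def to_high_level(raw: RawEvent, server_busy: bool) -> SecurityEvent:
    """Map a raw syscall record to subject / action / resource / context."""
    action, res_idx = SYSCALL_TABLE.get(raw.syscall_nr, ("unknown", None))
    resource: Dict[str, Any] = {"kind": "none", "name": "", "class": "normal"}
    if res_idx is not None:
        arg = raw.args[res_idx]
        if action in ("read", "write"):
            # fd-based calls: the resource is whatever the descriptor refers to
            path = raw.fd_table.get(arg, f"fd:{arg}")
            resource = {"kind": "file", "name": path, "class": classify_path(path)}
        elif action in ("open", "openat", "execve"):
            resource = {"kind": "file", "name": arg, "class": classify_path(arg)}
        elif action == "connect":
            host, port = arg
            cls = "sensitive" if port in SENSITIVE_PORTS else "normal"
            resource = {"kind": "socket", "name": f"{host}:{port}", "class": cls}
    subject = {
        "tenant": VM_TENANT.get(raw.vm_id, "unknown"),
        "vm_id": raw.vm_id,
        "pid": raw.pid,
    }
    context = {"server_busy": server_busy}
    return SecurityEvent(subject, action, resource, context)
```

Unknown syscall numbers and unknown VMs degrade to `unknown` rather than being dropped, so the scheduler still sees them and can apply a default priority; a converter that silently discards what it cannot name is a blind spot an attacker in a guest would look for.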
Security monitoring modules: these may consist of several modules, such as an intrusion detection module (IDS module), an intrusion prevention module (IPS module) and a file access control module, each focusing on a different security monitoring function. Depending on the monitoring function, the guest virtual machine events received over real-time processing data flow 4 may be some or all of the events. The different modules can analyse security events in parallel and submit their results to the security policy module. Security policy module: configures the security policy, which serves as the input to the various security monitoring modules and also as the input to the priority judgement of the scheduling module in the core processing module.
Fig. 4 is a schematic of a preferred structure of the performance-optimized virtual resource monitoring system of the present invention; this system uses the preferred security event monitoring and response module shown in Fig. 2 and the preferred data processing module shown in Fig. 3. The specific components of the security event monitoring and response module and of the data processing module are connected as follows: the semantic processing module is connected to the security event monitoring module and performs semantic conversion on the event data obtained by the security event monitoring module (event data stream (1) in the figure). The performance monitoring module is connected to the schedule processing module, so that the performance monitoring data it obtains is delivered to the schedule processing module as the reference basis for its dispatch processing (performance monitoring data stream (3) in the figure). The real-time data processing module is connected to the security event monitoring module and to the security event response module respectively (control flow (2) in the figure): according to the control instruction received, the security event monitoring module can either directly release the system call event or hand it to the security event response module for processing, and the security event response module can block the system call event or release it after processing, according to the control instruction received. Arranging for both the security event monitoring module and the security event response module to receive the control instructions sent by the real-time data processing module can improve the system's running efficiency. Of course, the function of receiving control instructions in the security event monitoring module and the security event response module can also be merged and placed in either one of the two modules.
The workflow of the performance-optimized virtual resource monitoring system of the present invention described in Fig. 4 is shown in Fig. 5:
1) A guest virtual machine issues a system call event request, such as an I/O request; this system call event may also be called a security event;
2) The security event monitoring module intercepts this system call and hands the event data to the semantic processing module;
3) The semantic processing module performs semantic conversion on the security event and hands the converted event data to the schedule processing module;
4) The schedule processing module obtains the current system performance monitoring data from the performance monitoring module and, combining it with the security policy, performs dispatch processing:
A) if the security event is of low priority, it is handed to the log and alert processing module for logging, and later, when the physical server system is idle, the security monitoring modules read the log and perform a post-hoc review;
B) if the security event is of high priority, it is handed to the real-time data processing module;
5) The real-time data processing module pushes the event to each security monitoring module that needs it for real-time processing;
6) The security monitoring modules perform security analysis on the security event according to the security policy in the security policy module and return the analysis results to the real-time data processing module; the security monitoring modules may comprise multiple modules working in parallel, such as IDS, IPS, file access control and so on;
7) The real-time data processing module makes a decision according to the current security policy and the analysis results of the security monitoring modules, and issues a control instruction to the security event monitoring module and the security event response module;
8) The security event monitoring module acts according to the control instruction:
A) if the control instruction is "release", it directly releases the system call event;
B) if the control instruction is "process", it hands the system call event to the security event response module for processing;
9) The security event response module acts according to the control instruction:
A) if the control instruction is "block", it blocks the call and returns an error message;
B) if the control instruction is "process", it processes the system call event according to the processing instruction and then releases it.
Compared with existing virtualization security monitoring technology, the performance-optimized virtual resource monitoring system of the present invention has the following advantages: no agent needs to be installed in the guest virtual machines, since the components of the system are installed in the virtual machine monitor layer and the security virtual machine; different security monitoring modules are compatible, and third-party security extension functions are supported; according to the usage of the system's virtual resources (that is, the hardware resources), security processing operations are dispatched dynamically, choosing by priority whether a security event is processed in real time or logged, which avoids the sharp drop in system performance that occurs when the security virtual machine and the guest virtual machines contend for the system's virtual resources, while the security review is carried out once the physical server system is idle, so that high-level security events are monitored and handled in real time and low-level security events are reviewed afterwards; this avoids the decline in system security caused by discarding large numbers of security events when the system is busy, makes more efficient use of the system's virtual resources, balances performance and security well, adjusts the monitoring policy dynamically, and improves the user experience while guaranteeing security.
The invention also relates to a performance-optimized virtual resource monitoring method, whose flow chart is shown in Fig. 6. First, in the virtual machine monitor layer, the running performance of the physical server and the guest virtual machines and the system call events of the guest virtual machines are monitored; monitoring the running performance of the physical server and the guest virtual machines amounts to monitoring the overall system performance. Then, according to the monitored overall system performance and according to priority and the security policy, the monitored system call events are processed in the security virtual machine, and after data processing a control instruction is sent to control the system call event's operation on the virtual resources.
The performance-optimized virtual resource monitoring method of the present invention corresponds to the performance-optimized virtual resource monitoring system described above. In the virtual machine monitor layer, the system call events of the guest virtual machines are monitored to obtain event data, and the running performance of the physical server and the guest virtual machines is monitored to obtain performance monitoring data; this performance monitoring data can provide one of the security policies by which the system call events are processed. Preferably, after the event data is obtained by monitoring, semantic conversion is first performed on it, converting it from low-level semantics to high-level semantics, and the event data is processed only after semantic conversion.
Monitoring the running performance of the physical server and the guest virtual machines and the system call events of the guest virtual machines in the virtual machine monitor layer makes it possible to effectively watch over the running and security state of the physical server and the guest virtual machines. The monitored security events are then processed according to priority and the security policy; this data processing can include dispatch processing, real-time data processing, and log and alert processing. Dispatch processing performs priority judgement and dispatching on the event data according to the security policy and the performance monitoring data: low-priority event data undergoes log and alert processing, for example it is first logged, then reviewed afterwards by the security monitoring modules, with alerts issued according to the security policy; high-priority event data undergoes real-time data processing, for example it is analysed by the security monitoring modules and processed in real time according to the security policy, and after real-time processing a control instruction is sent to control the system call event's operation on the virtual resources. Taking into account the performance monitoring data obtained from monitoring the running performance of the physical server and the guest virtual machines, the running state of the physical server is obtained (for example whether it is busy or idle), as are the running and security state of the guest virtual machines, and the security events of the system are scheduled accordingly: if the physical server system is busy, only high-priority security events are monitored in real time and pushed to the security monitoring modules for processing, while low-priority security events are written to the log and, once the physical server system is idle, read from the log by each security monitoring module for security review. The monitoring method of the present invention can effectively avoid contention for system resources between the security virtual machine and the guest virtual machines, and can also avoid the decline in system security caused by discarding large numbers of security events under resource pressure, achieving real-time monitoring and processing of high-level security events and post-hoc review of low-level security events.
Fig. 7 is a preferred flow chart of the performance-optimized virtual resource monitoring method of the present invention.
1) A guest virtual machine issues a system call event request, such as an I/O request; this system call event may also be called a security event;
2) Security event monitoring intercepts this system call, and semantic conversion is performed on the security event data;
3) The event data after semantic conversion enters dispatch processing;
4) Dispatch processing obtains the current system performance monitoring data from the monitoring of the running performance of the physical server and the guest virtual machines and, combining it with the security policy, performs scheduling:
A) if the security event is of low priority, it undergoes log and alert processing, i.e. it is first logged, and later, when the physical server system is idle, the security monitoring modules read the log and perform a post-hoc review;
B) if the security event is of high priority, it undergoes real-time data processing;
5) Real-time data processing pushes the event to each security monitoring module that needs it for real-time processing;
6) The security monitoring modules perform security analysis on the security event according to the security policy; the security monitoring modules may comprise multiple modules working in parallel, such as IDS, IPS, file access control and so on;
7) A control instruction is decided on and issued according to the current security policy and the analysis results of the security monitoring modules;
8) The control instruction controls the system call event's operation on the virtual resources:
A) if the control instruction is "release", the system call event is directly released;
B) if the control instruction is "block", the call is blocked and an error message is returned;
C) if the control instruction is "process", the system call event is processed according to the processing instruction and then released.
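As an added illustration (not the patent's own code) of the scheduling described for Fig. 3 and the workflows of Fig. 5 and Fig. 7, the Python model below intercepts constructed system call events, converts them to high-level semantics, judges priority against a security level table and a host-load threshold that tightens when the host is busy, pushes high-priority events to two constructed monitoring modules (an IDS rule and a file access control rule), logs the rest, and reviews the log once the host is idle. The load thresholds, policy table, detection rules and event fields are all assumptions made for this example.

```python
# Added toy model of the dispatch logic in Fig. 3/5/7; not the patent's code.
# Load thresholds, policy table and the two detection rules are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Control(Enum):
    PASS = "pass"            # release the system call
    INTERCEPT = "intercept"  # block it and return an error to the guest
    PROCESS = "process"      # hand to the response module, then release

# Most restrictive verdict wins when monitoring modules disagree.
ORDER = {Control.PASS: 0, Control.PROCESS: 1, Control.INTERCEPT: 2}

@dataclass
class RawEvent:          # low-level semantics, as intercepted in the hypervisor layer
    vm_id: str
    syscall: str
    args: Dict[str, str]

@dataclass
class SecurityEvent:     # high-level semantics after semantic conversion
    vm_id: str
    resource_kind: str   # "file", "network", "device", ...
    target: str          # path, address or device name
    context: str         # access context: "system-path" or "user-path"
    raw: RawEvent

def semantic_convert(ev: RawEvent) -> SecurityEvent:
    """Map a raw system call to a resource attribute and access context."""
    kinds = {"open": "file", "write": "file", "connect": "network", "ioctl": "device"}
    target = ev.args.get("path") or ev.args.get("addr") or ev.args.get("dev", "?")
    context = "system-path" if target.startswith(("/etc", "/boot")) else "user-path"
    return SecurityEvent(ev.vm_id, kinds.get(ev.syscall, "other"), target, context, ev)

# Security policy module: level per (resource kind, context); 3 is most critical.
POLICY_LEVELS = {("file", "system-path"): 3, ("device", "user-path"): 3,
                 ("network", "user-path"): 2, ("file", "user-path"): 1}
BLOCKED_HOSTS = {"203.0.113.9"}   # constructed IDS rule input (documentation address)

class Scheduler:
    """Schedule processing module: priority judgement that adapts to host load."""
    def __init__(self, host_load: float):
        self.host_load = host_load   # 0.0 idle .. 1.0 saturated (constructed metric)

    def realtime_threshold(self) -> int:
        # Busy host: only the most critical level is handled in real time;
        # idle host: the threshold drops so more events get real-time analysis.
        if self.host_load >= 0.8:
            return 3
        return 2 if self.host_load >= 0.5 else 1

    def is_high_priority(self, ev: SecurityEvent) -> bool:
        return POLICY_LEVELS.get((ev.resource_kind, ev.context), 1) >= self.realtime_threshold()

def ids_module(ev: SecurityEvent) -> Control:
    """Constructed IDS rule: connections to a listed host are intercepted."""
    if ev.resource_kind == "network" and ev.target.split(":")[0] in BLOCKED_HOSTS:
        return Control.INTERCEPT
    return Control.PASS

def file_access_control(ev: SecurityEvent) -> Control:
    """Constructed rule: writes under system paths go to the response module."""
    if ev.resource_kind == "file" and ev.context == "system-path" and ev.raw.syscall == "write":
        return Control.PROCESS
    return Control.PASS

class MonitoringSystem:
    def __init__(self, host_load: float, modules: List[Callable[[SecurityEvent], Control]]):
        self.scheduler = Scheduler(host_load)
        self.modules = modules
        self.log: List[SecurityEvent] = []   # log and alert processing module's store
        self.alerts: List[str] = []

    def analyze(self, ev: SecurityEvent) -> Control:
        """Real-time data processing: push to every module, combine the verdicts."""
        return max((m(ev) for m in self.modules), key=ORDER.get)

    def handle(self, raw: RawEvent) -> Control:
        """Steps 2-9 of the workflow: intercept, convert, schedule, instruct."""
        ev = semantic_convert(raw)
        if self.scheduler.is_high_priority(ev):
            return self.analyze(ev)
        self.log.append(ev)   # low priority: record now, review when idle
        return Control.PASS   # and release the call without delay

    def post_review(self) -> List[Tuple[str, Control]]:
        """Deferred review: the modules read the log once the host is idle."""
        if self.scheduler.host_load >= 0.5:
            return []
        findings = [(ev.target, self.analyze(ev)) for ev in self.log]
        self.log.clear()
        hits = [f for f in findings if f[1] is not Control.PASS]
        self.alerts.extend(f"{t}: {c.value}" for t, c in hits)
        return hits
```

The same connect event is released and merely logged while the host is busy but intercepted once the host idles and the log is reviewed, which is the trade-off the text describes.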
It should be pointed out that the above detailed description is intended to help those skilled in the art understand the invention more fully, and does not limit the invention in any way. Therefore, although this specification has described the invention in detail with reference to the drawings and embodiments, those skilled in the art will appreciate that the invention can still be modified or substituted with equivalents; in short, all technical solutions and improvements thereof that do not depart from the spirit and scope of the invention shall be covered by the scope of protection of the patent of the invention.

Claims (9)

1. A performance-optimized virtual resource monitoring method, characterized in that: first, in the virtual machine monitor layer, the running performance of the physical server and the guest virtual machines and the system call events of the guest virtual machines are monitored, the system call events being security events; and according to the monitored running performance of the physical server and the guest virtual machines, and according to the priority of the guest virtual machines' security events and the security policy, the monitored security events of the guest virtual machines are processed in the security virtual machine, the data processing including dispatch processing, real-time data processing, and log and alert processing, where dispatch processing performs priority judgement and scheduling on the security event data, low-priority security event data undergoes log and alert processing, and high-priority security event data undergoes real-time data processing; after data processing, a control instruction is sent to control the system call event's operation on the virtual resources.
2. The performance-optimized virtual resource monitoring method according to claim 1, characterized in that, in the virtual machine monitor layer, the system call events of the guest virtual machines are monitored to obtain event data, and the running performance of the physical server and the guest virtual machines is monitored to obtain performance monitoring data, the performance monitoring data providing one of the security policies by which the system call events are processed.
3. The performance-optimized virtual resource monitoring method according to claim 2, characterized in that, after event data is obtained by monitoring, semantic conversion is first performed on the event data, converting it from low-level semantics to high-level semantics, and the event data is processed only after semantic conversion.
4. The performance-optimized virtual resource monitoring method according to claim 1, characterized in that the high-priority event data is analysed by security monitoring modules and processed in real time according to the security policy, and after real-time data processing a control instruction is sent to control the system call event's operation on the virtual resources;
and/or, the log and alert processing first logs the low-priority event data, then has it reviewed afterwards by the security monitoring modules, and issues alerts according to the security policy.
5. A performance-optimized virtual resource monitoring system, characterized in that it comprises an interconnected security event monitoring and response module and data processing module; the security event monitoring and response module is arranged in the virtual machine monitor layer and is used to monitor the running performance of the physical server and the guest virtual machines and the system call events of the guest virtual machines, the system call events being security events, and to send monitoring information to the data processing module; the data processing module is arranged in the security virtual machine and is used to process the security events of the guest virtual machines according to the monitored running performance of the physical server and the guest virtual machines and according to the priority of the guest virtual machines' security events and the security policy, the data processing including priority judgement and scheduling of the security event data, log and alert processing of low-priority security event data, and real-time data processing of high-priority security event data; after data processing, the data processing module sends a control instruction to the security event monitoring and response module to control the system call event's operation on the virtual resources.
6. The performance-optimized virtual resource monitoring system according to claim 5, characterized in that the security event monitoring and response module comprises a security event monitoring module, a security event response module and a performance monitoring module; the security event monitoring module monitors the system call events of the guest virtual machines to obtain event data and sends the event data to the data processing module; the performance monitoring module monitors the running performance of the physical server and the guest virtual machines to obtain performance monitoring data and supplies the performance monitoring data to the data processing module as one of the security policies for data processing; and the security event response module receives and responds to the control instructions sent by the data processing module.
7. The performance-optimized virtual resource monitoring system according to claim 6, characterized in that the data processing module comprises a semantic processing module, a core processing module and a security policy module connected in sequence, the core processing module being connected to the security policy module, the performance monitoring module and the security event response module respectively; the semantic processing module is connected to the security event monitoring module and is used to perform semantic conversion on the event data, converting it from low-level semantics to high-level semantics and inputting it to the core processing module after semantic conversion; the core processing module processes the event data according to the security policy in the security policy module and the performance monitoring data obtained by the performance monitoring module, and after data processing sends a control instruction to the security event response module.
8. The performance-optimized virtual resource monitoring system according to claim 7, characterized in that the core processing module comprises a schedule processing module, a real-time data processing module and a log and alert processing module; the real-time data processing module and the log and alert processing module are each connected to the schedule processing module, the schedule processing module is connected to the performance monitoring module and the semantic processing module respectively, the real-time data processing module and the log and alert processing module are both connected to the security policy module, and the real-time data processing module is connected to the security event response module; the schedule processing module performs priority judgement and dispatch processing on the event data, the real-time data processing module performs real-time data processing on the high-priority event data and after real-time data processing sends a control instruction to the security event response module, and the log and alert processing module performs log and alert processing on the low-priority event data.
9. The performance-optimized virtual resource monitoring system according to claim 8, characterized in that the real-time data processing module and the log and alert processing module are both connected to the security policy module through one or more security monitoring modules; the real-time data processing module has the high-priority event data analysed by the security monitoring modules and processed in real time according to the security policy;
and/or, the log and alert processing module first logs the low-priority event data, then has it reviewed afterwards by the security monitoring modules, and issues alerts according to the security policy;
and/or, the security monitoring modules are an intrusion detection module and/or an intrusion prevention module and/or a file access control module.
CN201310048933.3A 2013-02-06 2013-02-06 The monitoring method and system of the virtual resources that a kind of performance optimizes Active CN103178988B (en)

Publications (2)

Publication Number Publication Date
CN103178988A CN103178988A (en) 2013-06-26
CN103178988B true CN103178988B (en) 2016-08-03



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant