CN103258160A - Method for monitoring cloud security under virtualization environment - Google Patents


Info

Publication number: CN103258160A
Authority: CN (China)
Prior art keywords: virtual machine, cloud, flow, cloud security, security
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN2013102089956A
Other languages: Chinese (zh)
Inventors: 宋桂香, 高丽琴
Current assignee: Inspur Group Co Ltd (assignee lists may be inaccurate; Google has not performed a legal analysis)
Original assignee: Inspur Group Co Ltd
Priority date: 2013-05-30 (the priority date is an assumption and not a legal conclusion)
Filing date: 2013-05-30
Publication date: 2013-08-21

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for monitoring cloud security under a virtualization environment, and belongs to the technical field of computer information security. Virtual machine security software is deployed directly inside the cloud server end, and through the open API interfaces of the virtual machines, traffic exchanged among all virtual machines is first directed into the virtual machine security software for inspection before it enters the virtual machines. Compared with the prior art, the method further prevents rapidly developing, dynamic network threats and improves the overall security of cloud computing under a virtualization environment.

Description

Cloud security monitoring method under a virtualized environment

Technical field
The present invention relates to the field of computer information security technology, and specifically to a cloud security monitoring method under a virtualized environment.
Background technology
The traditional enterprise traffic model is relatively simple: the standard flows and burst flows of the various applications follow a regular pattern. Even for a relatively large data center, protection can still be targeted according to the importance of the web application servers, and no very high demands are placed on the processing capacity of the security equipment.
In the traditional security threat detection model, client security software or a hardware security gateway acts as the main body of threat detection, and all traffic completes the entire threat detection process at the client or the gateway. The advantage of this model is that all detection is handled locally, so latency is low; but because the clients are independent of one another, the isolation between systems prevents threat detection results from being shared. This also means that a novel threat detected in enterprise A may still compromise the overall security protection of enterprise B.
Virtualization is the most important technical underpinning of present-day cloud computing, and the whole virtualized environment needs the support of resources such as storage, computing and network security. In this respect server-based virtualization technology took an early lead and has begun to be deployed widely. On top of this virtualized environment, the security threats to systems and the requirements for protection have also changed.
Traditional risks remain, and the objects to be protected expand. On the one hand, some security risks are not avoided by virtualization. Although a single physical server can be divided into multiple virtual machines, each virtual machine carries and provides its services essentially as the original standalone server did, so the problems faced by a server under the conventional model can be encountered by a virtual machine too, such as access security of the business system, secure isolation between different business systems, attacks on vulnerabilities of the server or virtual machine operating system and applications, and antivirus protection of the business system. On the other hand, the appearance of server virtualization enlarges the range of objects that need protection: specialized virtualization software, represented by the Hypervisor and vCenter, must now be considered as a protection object of the IPS intrusion prevention system, because given its particular position and importance in the whole system, exploitation of any of its security vulnerabilities may cause configuration confusion or service interruption across all servers of the whole virtualized environment.
Resource monitoring in a cloud computing environment is an important component of cloud platform resource management, providing the basis for resource allocation, task scheduling and load balancing. Since resources in the cloud computing environment are transparently virtualized and elastic, and users must be charged for the resources they use, the original resource monitoring methods can no longer fully satisfy the requirements of the cloud computing environment.
Summary of the invention
The technical task of the present invention is to provide a cloud security monitoring method under a virtualized environment that further prevents rapidly growing, dynamic network threats and improves the overall security performance under a cloud computing virtualized environment.
The technical task of the present invention is realized in the following manner: virtual machine security software is deployed directly inside the server end of the cloud, and by using the open API interfaces of the virtual machines, the traffic exchanged between all virtual machines is first directed into the virtual machine security software for inspection before it enters a virtual machine.
The virtual machine security software is the virtual machine security software developed by VMware.
The traffic referred to is the horizontal traffic between virtual machines.
Horizontal traffic security between virtual machines: traffic between different virtual machines on the same server is exchanged directly inside the server end. The virtual machine security software is deployed inside the server end, and by using the open API interfaces of the virtual machines, the traffic exchanged between all virtual machines is first directed into the virtual machine security software for inspection before it enters a virtual machine.
At this point the virtual machines can be divided into different security domains according to need, and policies for isolation and mutual access between the security domains can be deployed.
The cloud security monitoring method under a virtualized environment of the present invention obtains resource state information through the virtual machine monitor by means of C/C++ and Java calls.
Vertical traffic between virtual machines comprises the normal traffic of access requests from clients to the server end, and layer-3 forwarded traffic between different virtual machines. The exchange of vertical traffic must be inspected by the hardware security protection layer outside the cloud. The device types of this hardware protection layer are based on products such as firewalls and intrusion prevention systems; the firewall or intrusion prevention equipment is required to be capable of blocking security attacks INLINE in its deployment mode, and it may be deployed hanging off the aggregation layer or inserted in series between the core layer and the aggregation layer.
VMware is the leading vendor of virtualization solutions from the desktop to the data center. It holds a world-leading position in virtualization and cloud computing infrastructure, and provides customer-proven solutions that improve IT efficiency by reducing complexity and delivering services more flexibly and quickly. The VMware virtual machine is the virtualization platform developed by VMware.
The cloud security monitoring method under a virtualized environment of the present invention has the following advantages: it further prevents rapidly growing, dynamic network threats and improves the overall security performance under the cloud computing virtualized environment, and therefore has good application value.
Description of drawings
The present invention is further described below with reference to the accompanying drawing.
Figure 1 is a structural block diagram of an example of the cloud security monitoring method under a virtualized environment.
In the figure, VM traffic is redirected to the security virtual machine; this is an example of virtual machine traffic being directed into the virtual machine security software for inspection.
Embodiment
The cloud security monitoring method under a virtualized environment of the present invention is explained below with reference to the drawing and a specific embodiment.
Embodiment:
In the cloud security monitoring method under a virtualized environment of the present invention, virtual machine security software is deployed directly inside the server end of the cloud, and by using the open API interfaces of the virtual machines, the traffic exchanged between all virtual machines is first directed into the virtual machine security software for inspection before it enters a virtual machine (abbreviated VM).
The virtual machine security software is the virtual machine security software developed by VMware.
The traffic referred to is the horizontal traffic between virtual machines.
Horizontal traffic security between virtual machines: traffic between different virtual machines on the same server is exchanged directly inside the server end. The virtual machine security software is deployed inside the server end, and by using the open API interfaces of the virtual machines, the traffic exchanged between all virtual machines is first directed into the virtual machine security software for inspection before it enters a virtual machine.
At this point the virtual machines can be divided into different security domains according to need, and policies for isolation and mutual access between the security domains can be deployed.
The cloud security monitoring method under a virtualized environment of the present invention obtains resource state information through the virtual machine monitor by means of C/C++ and Java calls.
Vertical traffic between virtual machines comprises the normal traffic of access requests from clients to the server end, and layer-3 forwarded traffic between different virtual machines. The exchange of vertical traffic must be inspected by the hardware security protection layer outside the cloud. The device types of this hardware protection layer are based on products such as firewalls and intrusion prevention systems; the firewall or intrusion prevention equipment is required to be capable of blocking security attacks INLINE in its deployment mode, and it may be deployed hanging off the aggregation layer or inserted in series between the core layer and the aggregation layer.
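The steering rule of this embodiment, as an added Python model that is not part of the patent or of VMware's software: traffic between two VMs on the same server is horizontal and goes through the security VM's domain policy, everything else is vertical and is handed to the external firewall/IPS layer. The VM names, hosts, security domains and access policy are constructed for illustration.

```python
"""Model of the traffic steering described in this patent (added example, not the
patent's or VMware's code). An in-host hook standing in for the virtual machines'
open API hands every inter-VM flow on the same server to a security VM, which
applies security-domain isolation and mutual-access policy before delivery.
Vertical traffic (client to server, or layer-3 forwarded between servers) is
instead handed to the external hardware protection layer (firewall / IPS).
VM names, hosts, domains and the policy table below are constructed."""
from dataclasses import dataclass
from enum import Enum


class Path(Enum):
    SECURITY_VM = "security-vm"     # horizontal traffic, inspected inside the host
    HARDWARE_LAYER = "fw-ips"       # vertical traffic, inspected outside the cloud


@dataclass(frozen=True)
class Flow:
    src: str   # VM name, or "client" for traffic entering from outside the cloud
    dst: str   # VM name


# Constructed inventory: physical server and security domain of each VM.
VM_HOST = {"web1": "esx-01", "web2": "esx-01", "db1": "esx-01", "app1": "esx-02"}
VM_DOMAIN = {"web1": "dmz", "web2": "dmz", "db1": "data", "app1": "app"}
# Mutual-access policy between domains as (source domain, destination domain).
# Traffic inside one domain is allowed; any pair not listed is isolated.
ACCESS_POLICY = {("dmz", "app"), ("app", "data")}


def classify(flow: Flow) -> Path:
    """Horizontal when both endpoints are VMs on the same server, else vertical."""
    same_host = (flow.src in VM_HOST and flow.dst in VM_HOST
                 and VM_HOST[flow.src] == VM_HOST[flow.dst])
    return Path.SECURITY_VM if same_host else Path.HARDWARE_LAYER


def security_vm_check(flow: Flow) -> bool:
    """Domain isolation check run by the security VM before the flow is delivered."""
    src_dom, dst_dom = VM_DOMAIN[flow.src], VM_DOMAIN[flow.dst]
    return src_dom == dst_dom or (src_dom, dst_dom) in ACCESS_POLICY


def steer(flow: Flow) -> tuple:
    """Return (inspection path, verdict) for one flow, as the host would steer it."""
    path = classify(flow)
    if path is Path.SECURITY_VM:
        return path, "allow" if security_vm_check(flow) else "drop"
    # Vertical traffic: the host does not decide; the inline firewall/IPS does.
    return path, "hand-off"


if __name__ == "__main__":
    for f in (Flow("web1", "web2"), Flow("web1", "db1"),
              Flow("web1", "app1"), Flow("client", "web1")):
        path, verdict = steer(f)
        print(f"{f.src:>6} -> {f.dst:<5} via {path.value:<12} {verdict}")
```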
Apart from the technical features described in this specification, the cloud security monitoring method under a virtualized environment of the present invention uses techniques known to those skilled in the art.

Claims (4)

1. A cloud security monitoring method under a virtualized environment, characterized in that virtual machine security software is deployed directly inside the server end of the cloud, and by using the open API interfaces of the virtual machines, the traffic exchanged between all virtual machines is first directed into the virtual machine security software for inspection before it enters a virtual machine.
2. The cloud security monitoring method under a virtualized environment according to claim 1, characterized in that the virtual machine security software is the virtual machine security software developed by VMware.
3. The cloud security monitoring method under a virtualized environment according to claim 1, characterized in that the traffic referred to is the horizontal traffic between virtual machines.
4. The cloud security monitoring method under a virtualized environment according to claim 1 or 3, characterized by horizontal traffic security between virtual machines: traffic between different virtual machines on the same server is exchanged directly inside the server end; the virtual machine security software is deployed inside the server end, and by using the open API interfaces of the virtual machines, the traffic exchanged between all virtual machines is first directed into the virtual machine security software for inspection before it enters a virtual machine.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013102089956A CN103258160A (en) 2013-05-30 2013-05-30 Method for monitoring cloud security under virtualization environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2013102089956A CN103258160A (en) 2013-05-30 2013-05-30 Method for monitoring cloud security under virtualization environment

Publications (1)

Publication Number Publication Date
CN103258160A true CN103258160A (en) 2013-08-21

Family

ID=48962070

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2013102089956A Pending CN103258160A (en) 2013-05-30 2013-05-30 Method for monitoring cloud security under virtualization environment

Country Status (1)

Country Link
CN (1) CN103258160A (en)


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王哲 等: "《云计算安全方案与部署研究》", 《电信科学》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103500304A (en) * 2013-10-13 2014-01-08 西安电子科技大学 Virtual machine personalized security monitoring system and method based on Xen
CN103500304B (en) * 2013-10-13 2016-06-29 西安电子科技大学 Virtual machine personalized secure based on Xen monitors system and monitoring method
CN104660554A (en) * 2013-11-19 2015-05-27 北京天地超云科技有限公司 Method for implementing communication data security of virtual machines
CN104301321A (en) * 2014-10-22 2015-01-21 北京启明星辰信息技术股份有限公司 Method and system for achieving distributed network safety protection
CN104301321B (en) * 2014-10-22 2018-04-27 北京启明星辰信息技术股份有限公司 A kind of method and system for realizing distributed network security protection
CN105592016A (en) * 2014-10-29 2016-05-18 国家电网公司 Virtual machine protection device of power information system in cloud environment
CN105592016B (en) * 2014-10-29 2019-04-30 国家电网公司 The protective device of virtual machine under a kind of cloud environment of power information system
CN107430647A (en) * 2015-03-25 2017-12-01 国际商业机器公司 Security in software definition architecture
CN107430647B (en) * 2015-03-25 2021-01-01 国际商业机器公司 Method and system for providing security within a software defined infrastructure
CN105224387A (en) * 2015-09-07 2016-01-06 浪潮集团有限公司 A kind of security deployment method of virtual machine under cloud computing
TWI732180B (en) * 2019-02-21 2021-07-01 中華電信股份有限公司 Malicious file isolation system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130821