CN103457945A - Intrusion detection method and system


Info

Publication number: CN103457945A
Authority: CN (China)
Prior art keywords: detection, thread, intrusion detection, virtual machine, intrusion
Legal status: Pending
Application number: CN2013103816159A
Other languages: Chinese (zh)
Inventors: 云晓春, 郝志宇, 丁振全, 张永铮, 李伦, 费海强
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by: Institute of Information Engineering of CAS
Priority to: CN2013103816159A
Publication of: CN103457945A

Abstract

The invention relates to an intrusion detection method and system. The method detects security threats to virtual machine nodes in a virtual computing environment and comprises: step one, remotely deploying detection files for a detection target and remotely creating an intrusion detection thread for the detection target, the intrusion detection thread comprising at least one security detection strategy; step two, executing the intrusion detection thread created in step one, detecting security threats in the detection target by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and responding according to the detection result, where the packet protocols are the protocols peeled off the packets of the detection target; step three, regularly querying for update information on the security detection strategies and updating the security detection strategies of the intrusion detection thread executed in step two according to that update information. The method and system improve the performance of security threat detection in a virtual computing environment.

Description

Intrusion detection method and system
Technical field
The present invention relates to the field of information technology, and in particular to an intrusion detection method and system.
Background technology
With the growing popularity of virtualization technology, attacks on virtual computing resources are increasing, so security monitoring of virtualized environments has attracted many researchers. However, virtual machines start quickly, recover quickly, and can be shut down and migrated; one physical host may run virtual machines of several different operating system types; and a virtualized computing environment often has to be deployed across different physical hosts at the same time. For these reasons, traditional network intrusion detection techniques are poorly suited to detecting abnormal network traffic in virtualized environments.
Current intrusion detection methods for virtualized environments mainly comprise methods based on finite-state automata, on specific operating system types and specific services, on multi-host joint detection, and on a newly created intrusion detection domain.
(1) Methods based on finite-state automata. A finite-state automaton is built according to the dynamic changes of virtual machine state; the automaton adapts automatically to changes of virtual machine state and thereby detects and responds to abnormal behaviour.
(2) Methods based on specific operating system types and specific services. Considering that the number of virtual machines is large and that each kind of service running in them affects network intrusion detection performance, these methods load only the intrusion detection rules for the specific operating system and the services actually running, reducing the number of loaded rules and improving the detection performance of the intrusion detection system. The operating system type of the virtual machine and the state of its running services are obtained through the virtual machine System Map, the specific intrusion rules are loaded, and abnormal network behaviour is detected quickly.
(3) Methods based on multi-host joint detection. A guest domain (hereinafter Domain U) with the same privileges as the Xen privileged domain (hereinafter Domain 0) is created to host the management and control module of the intrusion detection system; abnormal behaviour is detected through hypercall integrity checking and by obtaining the root of the hypercalls, and the corresponding response measures are taken. When the management and control module of the intrusion detection system in one physical host is abnormal or fails, it can pass the abnormal behaviour to the intrusion detection system in another physical host over an alternative virtual network channel, achieving "off-site" detection of abnormal behaviour.
(4) Methods based on a newly created intrusion detection domain. An independent intrusion detection domain is set up to provide the intrusion detection service for the other virtual machines. A sensor in the VMM (Virtual Machine Monitor) intercepts the system calls of the virtual machines and passes them through the VMM interface to the intrusion detection system in the intrusion detection domain; according to the different security strategies, the intrusion detection domain, assisted by the VMM, can take the corresponding response to an intrusion.
These intrusion detection methods have the following defects: 1) they do not consider the effect that changes in the virtual network topology and the virtual physical environment have on the deployment of intrusion detection and on detection itself; 2) they cannot fully and effectively detect the dynamic changes of virtual machine nodes, nor effectively obtain the basic information of virtual machine nodes, so as to carry out targeted intrusion detection; 3) they cannot dynamically detect abnormal network behaviour in the virtual computing environment.
Summary of the invention
The technical problem solved by the invention is to provide an intrusion detection method and system that improve the performance of security threat detection in a virtual computing environment.
To solve the above technical problem, the invention proposes an intrusion detection method for detecting security threats to virtual machine nodes in a virtual computing environment, comprising:
Step 1: remotely deploy detection files for a detection target and remotely create an intrusion detection thread for the detection target, the intrusion detection thread comprising at least one security detection strategy;
Step 2: execute the intrusion detection thread created in step 1, detect security threats in the detection target by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and respond according to the detection result, where the packet protocols are the protocols peeled off the packets of the detection target;
Step 3: regularly query for update information on the security detection strategies, and update the security detection strategies in the intrusion detection thread executed in step 2 according to that update information.
Further, the above intrusion detection method may have the following feature: step 1 comprises sub-step 11, remotely creating a virtual machine node dynamic-change monitoring thread for the detection target;
the intrusion detection method further comprises
Step 4: execute the virtual machine node dynamic-change monitoring thread, obtain the virtual machine node dynamic-change information and report it;
and step 3 comprises sub-step 31: control the update operations of the intrusion detection thread according to the dynamic-change information reported in step 4.
Further, the above intrusion detection method may have the following feature: sub-step 31 comprises:
when the dynamic-change information is virtual machine node start-up information, creating an intrusion detection thread for the started virtual machine node and controlling this thread to load the default security detection strategies;
when the dynamic-change information is virtual machine node migration information, creating an intrusion detection thread for the migrated virtual machine node and controlling this thread to load the original security detection strategies of that virtual machine;
when the dynamic-change information is virtual machine node death, crash or shutdown information, releasing the intrusion detection resources of that virtual machine and closing its intrusion detection thread;
when the dynamic-change information is security detection strategy update information, controlling the corresponding intrusion detection thread to complete the strategy update, after which the intrusion detection thread detects using the updated security detection strategies.
Further, the above intrusion detection method may have the following feature: step 2 comprises:
Step 21: capture packets from the back-end network card corresponding to the virtual machine node;
Step 22: peel the packet protocols off the captured packet one layer at a time, and match each peeled protocol in turn against the corresponding protocol of the security detection strategies in the intrusion detection thread;
Step 23: when the captured packet matches all the protocols corresponding to a security detection strategy in the intrusion detection thread, judge the packet to be an abnormal packet, otherwise judge it to be a normal packet;
Step 24: process the captured packet according to the default response policy and the judgement of step 23.
Further, the above intrusion detection method may have the following feature: step 1 comprises:
reading the support server resource list of the virtual computing environment and extracting the server information, which comprises the server IP address, the server user name and the corresponding server password;
remotely creating a monitoring directory under the corresponding directory of the server according to the server information;
remotely distributing the detection files to the monitoring directory;
remotely controlling the execution of the detection files in the monitoring directory and creating the intrusion detection thread.
To solve the above technical problem, the invention also proposes an intrusion detection system for detecting security threats to virtual machine nodes in a virtual computing environment, comprising:
a deployment module for remotely deploying detection files for a detection target and remotely creating an intrusion detection thread for the detection target, the intrusion detection thread comprising at least one security detection strategy;
a detection module for executing the intrusion detection thread created by the deployment module, detecting security threats by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and responding according to the detection result, where the packet protocols are the protocols peeled off the packets of the detection target;
an update module for regularly querying for update information on the security detection strategies and updating the security detection strategies in the intrusion detection thread executed by the detection module according to that update information.
Further, the above intrusion detection system may have the following feature: the deployment module comprises a monitoring deployment unit for remotely creating a virtual machine node dynamic-change monitoring thread for the detection target;
the intrusion detection system further comprises a monitoring module for executing the virtual machine node dynamic-change monitoring thread created by the monitoring deployment unit, obtaining the virtual machine node dynamic-change information and reporting it to the deployment module;
and the update module further comprises a control unit for controlling the update operations of the intrusion detection thread according to the dynamic-change information reported by the monitoring module.
Further, the above intrusion detection system may have the following feature: the control unit comprises:
a start-up control sub-unit for, when the dynamic-change information is virtual machine node start-up information, creating an intrusion detection thread for the started virtual machine node and controlling it to load the default security detection strategies;
a migration control sub-unit for, when the dynamic-change information is virtual machine node migration information, creating an intrusion detection thread for the migrated virtual machine node and controlling it to load the original security detection strategies of that virtual machine;
a shutdown control sub-unit for, when the dynamic-change information is virtual machine node death, crash or shutdown information, releasing the intrusion detection resources of that virtual machine and closing its intrusion detection thread;
an update control sub-unit for, when the dynamic-change information is security detection strategy update information, controlling the corresponding intrusion detection thread to complete the strategy update, after which the intrusion detection thread detects using the updated security detection strategies.
Further, the above intrusion detection system may have the following feature: the detection module comprises:
a capture unit for capturing packets from the back-end network card corresponding to the virtual machine node;
a matching unit for peeling the packet protocols off the captured packet one layer at a time and matching each peeled protocol in turn against the corresponding protocol of the security detection strategies in the intrusion detection thread;
a judging unit for judging the captured packet to be an abnormal packet when it matches all the protocols corresponding to a security detection strategy in the intrusion detection thread, and otherwise judging it to be a normal packet;
a response unit for processing the captured packet according to the default response policy and the judgement of the judging unit.
Further, the above intrusion detection system may have the following feature: the deployment module comprises:
a reading unit for reading the support server resource list of the virtual computing environment and extracting the server information, which comprises the server IP address, the server user name and the corresponding server password;
a directory creation unit for remotely creating a monitoring directory under the corresponding directory of the server according to the server information extracted by the reading unit;
a distribution unit for remotely distributing the detection files to the monitoring directory;
a creation unit for remotely controlling the execution of the detection files in the monitoring directory and creating the intrusion detection thread.
The intrusion detection method and system of the invention have a wide range of application, good controllability and strong adaptability, and therefore improve the performance of security threat detection in a virtual computing environment. They can also achieve finer-grained intrusion detection.
Description of the drawings
Fig. 1 is a flowchart of the intrusion detection method in an embodiment of the invention;
Fig. 2 is the deployment flowchart in an embodiment of the invention;
Fig. 3 is the detection flowchart in an embodiment of the invention;
Fig. 4 is a schematic diagram of the dynamic programming detector tree in an embodiment of the invention;
Fig. 5 is the update flowchart in an embodiment of the invention;
Fig. 6 is a structural block diagram of the intrusion detection system in an embodiment of the invention.
Embodiment
The principles and features of the invention are described below with reference to the drawings; the examples only explain the invention and are not intended to limit its scope.
The intrusion detection method of the invention detects security threats to virtual machine nodes in a virtual computing environment.
Fig. 1 is a flowchart of the intrusion detection method in an embodiment of the invention. As shown in Fig. 1, the intrusion detection method in this embodiment may comprise the following steps:
Step S101: remotely deploy detection files for the detection target and remotely create an intrusion detection thread for the detection target, the intrusion detection thread comprising at least one security detection strategy;
(1) The intrusion detection thread and the virtual machine node dynamic-change detection thread are created automatically by executing the intrusion detection program.
(2) The detection files are the intrusion detection program files, deployed on the support servers.
(3) The detection files are deployed remotely by means of the support server resource list file.
Specifically, the deployment operation of this step is carried out by the management cluster server of the virtual platform. The intrusion detection method of the invention sets aside the differences between virtual platforms and exploits what they have in common; it is a general virtualization-based intrusion detection method applicable to all existing virtual platforms, and greatly widens the scope of application compared with the prior art.
Through unified deployment by the management cluster server, the intrusion detection method of the invention can also achieve centralized management and control of the detection process. For example, the deployment of the intrusion detection system (the system that carries out the method of the invention) can be controlled centrally according to the actual conditions of the virtualized environment; the creation, update, migration and termination of intrusion detection threads can be controlled centrally according to the virtual machine nodes and the security threat detection requirements; and the security detection strategies can be managed centrally so as to control the security threat detection process centrally.
Step S102: execute the intrusion detection thread created in S101, detect security threats in the detection target by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and respond according to the detection result, where the packet protocols are the protocols peeled off the packets of the detection target;
Step S103: regularly query for update information on the security detection strategies, and update the security detection strategies in the intrusion detection thread executed in S102 according to that update information.
Through this step, the switching between intrusion detection thread creation, migration, termination and similar processes can be completed automatically and dynamically according to the dynamic changes of the virtual machine nodes; at the same time the security detection strategies of the intrusion detection thread can be updated dynamically for newly discovered security threats, so that those threats are detected effectively.
In an embodiment of the invention, step S101 may further comprise the following sub-steps:
reading the support server resource list of the virtual computing environment and extracting the server information, which comprises the server IP address, the server user name and the corresponding server password;
remotely creating a monitoring directory under the corresponding directory of the server according to the server information;
remotely distributing the detection files to the monitoring directory;
remotely controlling the execution of the detection files in the monitoring directory and creating the intrusion detection thread.
In a concrete application example, step S101 can be implemented with the deployment flow shown in Fig. 2.
Fig. 2 is the deployment flowchart in an embodiment of the invention. As shown in Fig. 2, the deployment flow in this embodiment may comprise the following steps:
Step S201: read the support server resource list of the virtual computing environment;
The purpose of reading the support server resource list is to extract the server information, which comprises the server IP address, the server user name, the corresponding server password, and so on.
Step S202: judge whether the support server resource list still contains servers that have not been read; if so, go to step S203, otherwise end the flow;
Step S203: remotely control the server to create the monitoring directory;
According to the resource list file of the virtualized environment, the virtual platform administrator uses the management cluster server to copy the intrusion detection system executable file (the detection file, also called the intrusion detection program) remotely to the support server of the virtual machine nodes, executes it remotely, controls the intrusion detection system to start running, creates the intrusion detection main thread and the virtual machine node dynamic-change monitoring thread, and starts the intrusion detection task, completing the detection deployment.
The detection files are the intrusion detection program files and are deployed on the support server under remote control. Specifically, the remote deployment of the detection files is implemented through the resource list file of the support servers. The intrusion detection main thread and the virtual machine node dynamic-change detection thread are created automatically by executing the intrusion detection program.
Step S204: transmit the detection file remotely to the support server;
Step S205: remotely control the detection file to run on the support server;
Step S206: create the intrusion detection main thread;
In this step, the virtual machine node dynamic-change monitoring thread can also be created at the same time.
Step S207: the intrusion detection main thread creates the intrusion detection thread according to the security detection strategies, the intrusion detection thread loads the security detection strategies, and the flow returns to step S201.
That is, the relationship between the intrusion detection main thread and the intrusion detection thread is that the intrusion detection thread is created by the intrusion detection main thread.
In an embodiment of the invention, step S102 may comprise the following sub-steps:
capturing packets from the back-end network card corresponding to the virtual machine node;
peeling the packet protocols off the captured packet one layer at a time, and matching each peeled protocol in turn against the corresponding protocol of the security detection strategies in the intrusion detection thread;
when the captured packet matches all the protocols corresponding to a certain security detection strategy in the intrusion detection thread, judging the packet to be an abnormal packet, otherwise judging it to be a normal packet;
processing the captured packet according to the default response policy and the judgement.
In a concrete application example, step S102 can be implemented with the detection flow shown in Fig. 3. Fig. 3 is the detection flowchart in an embodiment of the invention. As shown in Fig. 3, the detection flow in this embodiment may comprise the following steps:
Step S301: capture packets from the back-end network card corresponding to the virtual network card of the virtual machine node;
The virtual network card is the virtual network device that the VMM allocates to the virtual machine node, as opposed to a real network device.
This step shows that, by applying the intrusion detection method of the invention, security threats can be detected not only at the granularity of a node but also, going deeper, at the finer granularity of an individual network card. As to the range of security threat detection, the invention can not only detect with the security detection strategies but can also, combined with the dynamic update function, obtain the changes in amplitude of the network traffic of a virtual machine node or even of a single network card, so that the virtual platform administrator can apply other network traffic analysis methods to find the security threats hidden in it.
Step S302: judge whether there are still unprocessed packets; if so, go to step S303, otherwise go to step S303;
Step S303: extract the packet protocol header from the packet and match it against the corresponding protocol of the security detection strategies in the intrusion detection thread;
Step S304: judge whether there are still protocols that have not been matched; if so, go to step S305, otherwise go to step S306;
Step S305: judge the packet to be without threat;
Step S306: judge the packet to be an abnormal packet and carry out the response action.
An abnormal packet is a packet that carries a security threat.
The response action can be carried out according to the default response policy. For example, if the packet is judged to be an abnormal packet, the main information of that packet is uploaded to the management cluster database for further research, analysis and confirmation at a later stage.
To carry out security detection, a dynamic programming detector tree as shown in Fig. 4 can be created.
The dynamic programming detector tree shown in Fig. 4 is constructed as follows:
(1) Obtain and analyse the security detection strategy, extracting the corresponding packet-header information; where packet-header information is missing, supplement it with the corresponding general rule head. For example, the security detection strategy TCP.Sport=80 && TCP.Dport=6123 Action=Log is supplemented with a general Ethernet rule head and a general IP rule head to form the complete security detection strategy Ethernet.Smac=0 && Ethernet.Dmac=0 IP.SIP=0 && IP.DIP=0 TCP.Sport=80 && TCP.Dport=6123 Action=Log;
(2) Insert the complete security detection strategy into the dynamic programming detector tree, analysing the tree level by level to obtain the appropriate insertion position;
(3) If the rule head corresponding to the strategy being inserted does not currently exist in the tree, create a new child node under the current packet protocol header to hold the current rule head, then create the packet protocol heads and rule heads in turn according to the remaining strategy data, and go to process (7);
(4) If the corresponding rule head already exists in the tree, go to process (5) or process (6) according to the corresponding packet protocol header of that subtree;
(5) If the corresponding packet protocol head does not exist, create it and, according to the remaining detection strategy, create its descendant nodes, completing the insertion of the rule heads of the whole security detection strategy, then go to process (7);
(6) If the corresponding packet protocol head exists, repeat processes (3) and (4) according to the information of that packet protocol head until the rule heads of the whole security threat detection strategy have been inserted, then go to process (7);
(7) Once all the rule heads of the detection strategy have been inserted, create a child node under the last rule head as the rule body structure, completing the insertion of the whole security detection strategy.
During security detection strategy matching, the packet headers are peeled off one layer at a time and matched, from the lowest protocol to the upper-layer protocol, against the rule heads of the corresponding protocol header in the dynamic programming detector tree. If a rule body node (a leaf node) is matched completely, a security threat has been detected and the corresponding response action is carried out; if during matching no corresponding protocol header or rule head can be matched in the tree, or the rule body is only partially matched, the packet carries no security threat.
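As an added worked example (not code from the patent), the following Python builds the layered detector tree described in processes (1) to (7) and matches peeled packet headers against it from the lowest layer up; the strategy syntax follows the page's example, while the layer and field table, the sample strategies and the sample packets are constructed, and letting a strategy that names no layer above IP end at the IP layer is an assumption.

```python
"""Dynamic programming detector tree: layered strategy insertion and bottom-up matching (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Layers in the order a packet's headers are peeled (lowest first). Field names
# follow the page's rule example; "0" is the general (wildcard) rule head.
LAYERS = [("Ethernet", ("Smac", "Dmac")), ("IP", ("SIP", "DIP")), ("TCP", ("Sport", "Dport"))]
RuleHead = Tuple[str, ...]

@dataclass
class RuleHeadNode:
    """Rule-head node: leads to the next protocol layer and/or ends in a rule body."""
    child_protocol: Optional["ProtocolNode"] = None
    rule_body: Optional[str] = None  # Action of a complete strategy (leaf node)

@dataclass
class ProtocolNode:
    """Packet protocol header node whose children are the rule heads of that layer."""
    name: str
    rule_heads: Dict[RuleHead, RuleHeadNode] = field(default_factory=dict)

def parse_strategy(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse 'TCP.Sport=80 && TCP.Dport=6123 Action=Log' into per-layer fields and action."""
    fields: Dict[str, Dict[str, str]] = {}
    action = ""
    for token in text.replace("&&", " ").split():
        key, value = token.split("=", 1)
        if key == "Action":
            action = value
        else:
            layer, name = key.split(".", 1)
            fields.setdefault(layer, {})[name] = value
    return fields, action

def complete_strategy(fields: Dict[str, Dict[str, str]]) -> List[RuleHead]:
    """Process (1): supply the general rule head for every layer the strategy omits
    below the highest layer it names (so an IP-only strategy ends at the IP layer)."""
    named = [i for i, (layer, _) in enumerate(LAYERS) if layer in fields]
    if not named or any(layer not in dict(LAYERS) for layer in fields):
        raise ValueError("strategy names no known protocol layer")
    return [tuple(fields.get(layer, {}).get(n, "0") for n in names)
            for layer, names in LAYERS[: max(named) + 1]]

def insert(root: ProtocolNode, strategy: str) -> None:
    """Processes (2)-(7): descend layer by layer, creating missing nodes, then attach the rule body."""
    fields, action = parse_strategy(strategy)
    heads = complete_strategy(fields)
    node = root
    for depth, head in enumerate(heads):
        head_node = node.rule_heads.setdefault(head, RuleHeadNode())
        if depth == len(heads) - 1:
            head_node.rule_body = action
            return
        if head_node.child_protocol is None:
            head_node.child_protocol = ProtocolNode(LAYERS[depth + 1][0])
        node = head_node.child_protocol

def build_tree(strategies: List[str]) -> ProtocolNode:
    root = ProtocolNode(LAYERS[0][0])
    for s in strategies:
        insert(root, s)
    return root

def match(root: ProtocolNode, packet: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Peel headers from the lowest layer up. Returns the action of the first complete
    strategy (leaf) reached, or None when no rule body is reached (normal packet)."""
    def head_matches(head: RuleHead, depth: int) -> bool:
        layer, names = LAYERS[depth]
        hdr = packet.get(layer)
        if hdr is None:  # packet has no header at this layer: this branch cannot match
            return False
        return all(v == "0" or v == hdr.get(n) for v, n in zip(head, names))

    def walk(node: ProtocolNode, depth: int) -> Optional[str]:
        for head, head_node in node.rule_heads.items():
            if not head_matches(head, depth):
                continue
            if head_node.child_protocol is not None:  # deeper, more specific path first
                hit = walk(head_node.child_protocol, depth + 1)
                if hit is not None:
                    return hit
            if head_node.rule_body is not None:
                return head_node.rule_body
        return None

    return walk(root, 0)

# Constructed sample input (not from the page): two strategies and three packets.
STRATEGIES = ["TCP.Sport=80 && TCP.Dport=6123 Action=Log", "IP.SIP=10.0.0.5 Action=Alert"]
ETH = {"Smac": "00:11", "Dmac": "00:22"}
PACKETS = {
    "tcp_hit": {"Ethernet": ETH, "IP": {"SIP": "192.0.2.1", "DIP": "10.0.0.1"},
                "TCP": {"Sport": "80", "Dport": "6123"}},
    "udp_from_10.0.0.5": {"Ethernet": ETH, "IP": {"SIP": "10.0.0.5", "DIP": "10.0.0.1"},
                          "UDP": {"Sport": "53", "Dport": "53"}},
    "clean": {"Ethernet": ETH, "IP": {"SIP": "192.0.2.1", "DIP": "10.0.0.1"},
              "TCP": {"Sport": "80", "Dport": "22"}},
}

if __name__ == "__main__":
    tree = build_tree(STRATEGIES)
    for name, pkt in PACKETS.items():
        print(name, "->", match(tree, pkt) or "normal packet")
```

The UDP packet from 10.0.0.5 still hits the IP-only strategy even though it has no TCP header, which is why the matcher tries the deeper TCP branch first and only then falls back to a rule body attached at the IP layer.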
In an embodiment of the invention, step S101 may comprise the sub-step of remotely creating a virtual machine node dynamic-change monitoring thread for the detection target. The intrusion detection method may then also comprise the step of executing the virtual machine node dynamic-change monitoring thread, obtaining the virtual machine node dynamic-change information and reporting it, and step S103 then comprises the sub-step of controlling the update operations of the intrusion detection thread according to the reported dynamic-change information. This sub-step may further comprise the following sub-steps:
when the dynamic-change information is virtual machine node start-up information, creating an intrusion detection thread for the started virtual machine node and controlling this thread to load the default security detection strategies;
when the dynamic-change information is virtual machine node migration information, creating an intrusion detection thread for the migrated virtual machine node and controlling this thread to load the original security detection strategies of that virtual machine;
when the dynamic-change information is virtual machine node death, crash or shutdown information, releasing the intrusion detection resources of that virtual machine and closing its intrusion detection thread;
when the dynamic-change information is security detection strategy update information, controlling the corresponding intrusion detection thread to complete the strategy update, after which the intrusion detection thread detects using the updated security detection strategies.
For state changes such as blocking and suspension of a virtual machine node, the intrusion detection main thread takes no action: a blocked or suspended virtual machine node produces no network packets, so its intrusion detection thread also blocks or suspends, and the main thread need not process it.
In an embodiment of the invention, the intrusion detection method may also comprise the step of executing the virtual machine node dynamic-change monitoring thread to obtain and report the basic information of the virtual machine node. This basic information may comprise the node state, the allocated memory size, the memory usage, the number of CPUs, the number of network cards, the MAC addresses of the network cards, the total traffic of each network card, and so on.
In concrete application example, step S103 can adopt the more new technological process shown in Fig. 5 to realize.
Fig. 5 is the renewal flow chart in the embodiment of the present invention.As shown in Figure 5, in the present embodiment, more new technological process can comprise the steps:
Step S501, arrange timer regularly to detect the safety detection policy update;
When timer is set, need to as timing etc., be arranged timer parameter.
Step S502: judge whether the timer has expired; if so, perform step S503;
Step S503: the intrusion detection main thread checks for security detection strategy updates;
Step S504: judge whether there is an update; if so, perform step S505, otherwise perform step S511;
Step S505: judge whether an intrusion detection thread already exists for the updated strategy; if so, perform step S506, otherwise perform step S508;
Step S506: the existing intrusion detection thread reloads the updated security detection strategy, then perform step S507;
Step S507: judge whether loading has completed; if so, perform step S510;
Step S508: the intrusion detection main thread creates an intrusion detection thread, then perform step S509;
Step S509: the newly created intrusion detection thread loads the updated security detection strategy, then perform step S510;
Step S510: perform security detection with the updated intrusion detection thread;
Step S511: judge whether a virtual machine node has changed; if so, perform step S512, otherwise perform step S502;
Step S512: judge whether the virtual machine node has started; if so, perform step S514, otherwise perform step S513;
Step S513: for a closed virtual machine node, release the intrusion detection thread corresponding to that node, then perform step S514;
Step S514: update the virtual machine node information.
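The dynamic-change handling of step S103 and the timer-driven update flow of Fig. 5 both come down to one dispatch loop in the main thread. The following is an added example, not the patent's own code: it models the per-VM threads in memory and applies the start, migrate, close, update and block/suspend rules above; every class, event and strategy name is an assumption made for this illustration.

```python
"""Added example, not the patent's code: an intrusion detection main thread that
applies the dynamic-change rules and the Fig. 5 update flow to an in-memory
model of per-VM detection threads. Every class, event and strategy name here is
an assumption made for this illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

DEFAULT_STRATEGY = ["default-baseline"]   # constructed placeholder strategy set


class Event(Enum):
    STARTED = "started"
    MIGRATED = "migrated"
    DEAD = "dead"                  # also used for crashed and shut-down nodes
    POLICY_UPDATE = "policy_update"
    BLOCKED = "blocked"            # blocked / suspended: main thread does nothing
    SUSPENDED = "suspended"


@dataclass
class DetectionThread:
    """Stands in for one per-VM intrusion detection thread."""
    vm_id: str
    strategies: List[str] = field(default_factory=list)

    def load(self, strategies: List[str]) -> bool:
        """Steps S506/S509: (re)load a strategy set atomically; S507 checks the result."""
        if not strategies:
            return False           # keep the previously loaded set on a bad update
        self.strategies = list(strategies)
        return True


class MainThread:
    def __init__(self) -> None:
        self.threads: Dict[str, DetectionThread] = {}
        self.saved: Dict[str, List[str]] = {}    # strategy set a VM used before it went away
        self.node_info: Dict[str, str] = {}      # step S514: last known node state
        self.log: List[str] = []

    def apply_policy_update(self, vm_id: str, strategies: List[str]) -> Optional[DetectionThread]:
        """Steps S505-S510: reload into an existing thread or create one, then detect."""
        thread = self.threads.get(vm_id)
        if thread is None:                        # S505 -> S508: no thread yet
            thread = DetectionThread(vm_id)
            self.threads[vm_id] = thread
        if not thread.load(strategies):           # S506/S509 -> S507: load failed
            self.log.append(f"{vm_id}: strategy load failed, old set kept")
            return None
        self.log.append(f"{vm_id}: detecting with {thread.strategies}")  # S510
        return thread

    def on_event(self, vm_id: str, event: Event,
                 payload: Optional[List[str]] = None) -> Optional[DetectionThread]:
        """Dispatch one reported dynamic-change message (sub-steps of S103)."""
        if event is Event.STARTED:                # new VM: default strategy
            self.node_info[vm_id] = "running"
            return self.apply_policy_update(vm_id, DEFAULT_STRATEGY)
        if event is Event.MIGRATED:               # moved VM: its original strategy
            old = self.threads.pop(vm_id, None)   # thread that served the source host
            original = old.strategies if old else self.saved.get(vm_id, DEFAULT_STRATEGY)
            self.node_info[vm_id] = "running"
            return self.apply_policy_update(vm_id, original)
        if event is Event.DEAD:                   # dead / crashed / closed: release
            thread = self.threads.pop(vm_id, None)   # S513
            if thread is not None:
                self.saved[vm_id] = thread.strategies
            self.node_info[vm_id] = "closed"      # S514
            return None
        if event is Event.POLICY_UPDATE:          # hot-reload on the running thread
            return self.apply_policy_update(vm_id, payload or [])
        # BLOCKED / SUSPENDED: no packets flow, so the per-VM thread blocks by itself
        self.log.append(f"{vm_id}: {event.value} ignored by main thread")
        return self.threads.get(vm_id)


if __name__ == "__main__":
    main = MainThread()
    main.on_event("vm-1", Event.STARTED)
    main.on_event("vm-1", Event.POLICY_UPDATE, ["sig-A", "sig-B"])
    main.on_event("vm-1", Event.MIGRATED)
    main.on_event("vm-1", Event.DEAD)
    print("\n".join(main.log))
```

An empty or malformed strategy set is rejected at step S507 and the thread keeps detecting with its previous set, so a bad update never leaves a VM unmonitored.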
The intrusion detection method of the invention has the following advantages:
(1) The intrusion detection method of the invention is a general, virtualization-based network intrusion detection framework and is therefore broadly applicable. The invention sets aside the differences between virtualization platforms and builds on what they have in common; as a general virtualization-based network intrusion detection framework it applies to all existing virtualization platforms.
(2) The intrusion detection method of the invention provides centralized management and control. The invention manages the virtual computing environment centrally and gives the virtualization platform administrator a single, unified management function: the deployment of the intrusion detection system can be controlled centrally according to the actual conditions of the virtualization environment; the creation, update, migration and termination of intrusion detection threads can be controlled centrally according to the virtual machine nodes and the security threats to be detected; and the security threat strategies can be managed centrally, so that the security threat detection process is controlled centrally.
(3) The intrusion detection method of the invention supports dynamic updates. The invention not only switches automatically between intrusion detection thread creation, migration and termination according to the dynamic changes of the virtual machine nodes, but also dynamically updates the security threat strategies of the intrusion detection threads for newly discovered security threats, so that newly discovered threats are detected effectively.
(4) The intrusion detection method of the invention provides fine-grained detection. The invention detects security threats not only at the granularity of a node but also down to an individual network interface card, giving finer-grained security threat detection.
The intrusion detection method of the invention is therefore broadly applicable, well controllable and highly adaptable, and it can perform finer-grained intrusion detection.
The invention also proposes an intrusion detection system for carrying out the above intrusion detection method; the description of the intrusion detection method above applies equally to the intrusion detection system of the invention.
Fig. 6 is the structural block diagram of the intrusion detection system in an embodiment of the invention. As shown in Fig. 6, in this embodiment the intrusion detection system detects security threats to virtual machine nodes in a virtual computing environment and may comprise a deployment module 610, a detection module 620 and an update module 630, connected in that order. The deployment module 610 remotely deploys detection files for the detection target and remotely creates an intrusion detection thread for the detection target, where the intrusion detection thread comprises at least one security detection strategy. The detection module 620 executes the intrusion detection thread created by the deployment module 610, detects security threats by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and responds according to the detection result, where the packet protocols are the protocols peeled from the packets of the detection target. The update module 630 queries update information regularly and updates the security detection strategies in the intrusion detection thread executed by the detection module 620 according to that update information.
In an embodiment of the invention, the deployment module 610 may comprise a monitoring deployment unit, which remotely creates a virtual machine node dynamic-change monitoring thread for the detection target. The intrusion detection system then also comprises a monitoring module, which executes the virtual machine node dynamic-change monitoring thread created by the monitoring deployment unit, obtains the virtual machine node dynamic-change information and reports it to the deployment module. The update module then also comprises a control unit, which controls the update operations of the intrusion detection threads according to the dynamic-change information reported by the monitoring module.
Further, the control unit may comprise a start-up control subunit, a migration control subunit, a shutdown control subunit and an update control subunit. The start-up control subunit, when the dynamic-change information is a virtual machine node start-up message, creates an intrusion detection thread for the started virtual machine node and directs that thread to load the default security detection strategy. The migration control subunit, when the dynamic-change information is a virtual machine node migration message, creates an intrusion detection thread for the migrated virtual machine node and directs that thread to load the security detection strategy that the virtual machine previously used. The shutdown control subunit, when the dynamic-change information is a virtual machine node death, crash or shutdown message, releases the intrusion detection resources of that virtual machine and closes its intrusion detection thread. The update control subunit, when the dynamic-change information is a security detection strategy update message, directs the corresponding intrusion detection thread to complete the strategy update, after which the intrusion detection thread detects with the updated security detection strategy.
In an embodiment of the invention, the detection module 620 may comprise a capture unit, a matching unit, a judging unit and a response unit. The capture unit captures packets from the back-end network interface card corresponding to the virtual machine node. The matching unit peels the packet protocols from each captured packet layer by layer and matches the peeled protocols in turn against the protocols corresponding to the security detection strategies in the intrusion detection thread. The judging unit judges a captured packet to be abnormal when it matches all the protocols corresponding to some security detection strategy in the intrusion detection thread, and normal otherwise. The response unit processes the captured packet according to the default response policy and the judgement of the judging unit.
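The capture, peel, match, judge and respond chain of the detection module, as an added example that is not the patent's own code: it peels an Ethernet/IPv4 frame layer by layer, flags a packet as abnormal only when every protocol named by some strategy is present, and picks a response from a default policy. The layer parsers, the strategy format, the port-to-application table and the response policy are assumptions made for this illustration; the frames are constructed in the block.

```python
"""Added example, not the patent's code: the capture -> peel -> match -> judge ->
respond pipeline of the detection module, run over constructed frames. Layer
parsers, strategy format and response policy are assumptions for illustration."""
import struct
from typing import Dict, List, NamedTuple

# Constructed sample strategies: a packet is abnormal when it carries ALL the
# protocols named by at least one strategy (claim 4, step 23).
STRATEGIES: Dict[str, List[str]] = {
    "telnet-to-guest": ["ethernet", "ipv4", "tcp", "telnet"],
    "dns-over-tcp":    ["ethernet", "ipv4", "tcp", "dns"],
    "icmp-to-guest":   ["ethernet", "ipv4", "icmp"],
}
# Constructed default response policy (step 24).
RESPONSE_POLICY = {"abnormal": "alert-and-drop", "normal": "forward"}
# Assumed port-to-application mapping used as the topmost "protocol" layer.
APP_BY_PORT = {22: "ssh", 23: "telnet", 53: "dns", 80: "http", 443: "https"}


def peel_protocols(pkt: bytes) -> List[str]:
    """Strip the frame layer by layer and return the protocol names found.
    Stops early, keeping what was recognised, on short or unmodelled frames."""
    layers: List[str] = []
    if len(pkt) < 14:
        return layers
    layers.append("ethernet")
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != 0x0800:
        return layers                        # ARP, IPv6, ... not modelled here
    ip = pkt[14:]
    if len(ip) < 20:
        return layers
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return layers
    layers.append("ipv4")
    proto = ip[9]
    l4 = ip[ihl:]
    if proto == 1:
        layers.append("icmp")
    elif proto in (6, 17) and len(l4) >= 4:
        layers.append("tcp" if proto == 6 else "udp")
        sport, dport = struct.unpack("!HH", l4[:4])
        app = APP_BY_PORT.get(dport) or APP_BY_PORT.get(sport)
        if app:
            layers.append(app)
    return layers


class Verdict(NamedTuple):
    protocols: List[str]     # what was peeled (step 22)
    matched: List[str]       # strategies whose protocols were all present
    abnormal: bool           # judgement (step 23)
    response: str            # chosen response (step 24)


def inspect(pkt: bytes, strategies=STRATEGIES, policy=RESPONSE_POLICY) -> Verdict:
    """Steps 22-24: match peeled protocols against every strategy, judge, respond."""
    found = peel_protocols(pkt)
    present = set(found)
    matched = [name for name, protos in strategies.items() if set(protos) <= present]
    abnormal = bool(matched)
    return Verdict(found, matched, abnormal, policy["abnormal" if abnormal else "normal"])


def build_frame(proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed Ethernet/IPv4 test frame (no checksums; enough for peeling)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"           # dst, src, type=IPv4
    if proto == 1:
        payload = b"\x08\x00\x00\x00"                          # ICMP echo header
    else:
        payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


if __name__ == "__main__":
    for label, frame in [("telnet", build_frame(6, 40000, 23)),
                         ("https", build_frame(6, 40000, 443)),
                         ("truncated", build_frame(6, 40000, 23)[:20])]:
        print(label, inspect(frame))
```

A truncated or non-IPv4 frame yields only the layers that could be parsed, so it is judged normal rather than crashing the matching unit; a real deployment would treat such frames under their own strategy.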
In an embodiment of the invention, the deployment module may comprise a reading unit, a directory creation unit, a distribution unit and a creation unit. The reading unit reads the resource list of the supporting servers of the virtual computing environment and extracts the server information, which comprises each server's IP address, user name and the corresponding password. The directory creation unit remotely creates a monitored directory under the corresponding directory of each server according to the server information extracted by the reading unit. The distribution unit remotely distributes the detection files to the monitored directory. The creation unit remotely controls the execution of the detection files in the monitored directory and creates the intrusion detection thread.
The intrusion detection system of the invention is broadly applicable, well controllable and highly adaptable, and it can perform finer-grained intrusion detection.
The foregoing is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. An intrusion detection method for detecting security threats to virtual machine nodes in a virtual computing environment, characterized in that it comprises:
Step 1: remotely deploying detection files for a detection target and remotely creating an intrusion detection thread for the detection target, wherein the intrusion detection thread comprises at least one security detection strategy;
Step 2: executing the intrusion detection thread created in step 1, detecting security threats in the detection target by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and responding according to the detection result, wherein the packet protocols are the protocols peeled from the packets of the detection target;
Step 3: regularly querying security detection strategy update information and updating the security detection strategies in the intrusion detection thread executed in step 2 according to that update information.
2. The intrusion detection method according to claim 1, characterized in that step 1 comprises sub-step 11: remotely creating a virtual machine node dynamic-change monitoring thread for the detection target;
the intrusion detection method further comprises
Step 4: executing the virtual machine node dynamic-change monitoring thread, obtaining virtual machine node dynamic-change information and reporting it;
and step 3 comprises sub-step 31: controlling the update operations of the intrusion detection thread according to the dynamic-change information reported in step 4.
3. The intrusion detection method according to claim 2, characterized in that sub-step 31 comprises:
when the dynamic-change information is a virtual machine node start-up message, creating an intrusion detection thread for the started virtual machine node and directing that thread to load the default security detection strategy;
when the dynamic-change information is a virtual machine node migration message, creating an intrusion detection thread for the migrated virtual machine node and directing that thread to load the security detection strategy that the virtual machine previously used;
when the dynamic-change information is a virtual machine node death, crash or shutdown message, releasing the intrusion detection resources of that virtual machine and closing its intrusion detection thread;
when the dynamic-change information is a security detection strategy update message, directing the corresponding intrusion detection thread to complete the strategy update, after which the intrusion detection thread detects with the updated security detection strategy.
4. The intrusion detection method according to claim 1, characterized in that step 2 comprises:
Step 21: capturing packets from the back-end network interface card corresponding to the virtual machine node;
Step 22: peeling the packet protocols from each captured packet layer by layer and matching the peeled protocols in turn against the protocols corresponding to the security detection strategies in the intrusion detection thread;
Step 23: judging a captured packet to be abnormal when it matches all the protocols corresponding to some security detection strategy in the intrusion detection thread, and normal otherwise;
Step 24: processing the captured packet according to the default response policy and the judgement of step 23.
5. The intrusion detection method according to claim 1, characterized in that step 1 comprises:
reading the resource list of the supporting servers of the virtual computing environment and extracting the server information, which comprises each server's IP address, user name and corresponding password;
remotely creating a monitored directory under the corresponding directory of the server according to the server information;
remotely distributing the detection files to the monitored directory;
remotely controlling the execution of the detection files in the monitored directory and creating the intrusion detection thread.
6. An intrusion detection system for detecting security threats to virtual machine nodes in a virtual computing environment, characterized in that it comprises:
a deployment module, for remotely deploying detection files for a detection target and remotely creating an intrusion detection thread for the detection target, wherein the intrusion detection thread comprises at least one security detection strategy;
a detection module, for executing the intrusion detection thread created by the deployment module, detecting security threats by matching the packet protocols against all the protocols of each security detection strategy in the intrusion detection thread, and responding according to the detection result, wherein the packet protocols are the protocols peeled from the packets of the detection target;
an update module, for regularly querying security detection strategy update information and updating the security detection strategies in the intrusion detection thread executed by the detection module according to that update information.
7. The intrusion detection system according to claim 6, characterized in that the deployment module comprises a monitoring deployment unit for remotely creating a virtual machine node dynamic-change monitoring thread for the detection target;
the intrusion detection system further comprises a monitoring module for executing the virtual machine node dynamic-change monitoring thread created by the monitoring deployment unit, obtaining the virtual machine node dynamic-change information and reporting it to the deployment module;
and the update module further comprises a control unit for controlling the update operations of the intrusion detection thread according to the dynamic-change information reported by the monitoring module.
8. The intrusion detection system according to claim 7, characterized in that the control unit comprises:
a start-up control subunit, for creating, when the dynamic-change information is a virtual machine node start-up message, an intrusion detection thread for the started virtual machine node and directing that thread to load the default security detection strategy;
a migration control subunit, for creating, when the dynamic-change information is a virtual machine node migration message, an intrusion detection thread for the migrated virtual machine node and directing that thread to load the security detection strategy that the virtual machine previously used;
a shutdown control subunit, for releasing, when the dynamic-change information is a virtual machine node death, crash or shutdown message, the intrusion detection resources of that virtual machine and closing its intrusion detection thread;
an update control subunit, for directing, when the dynamic-change information is a security detection strategy update message, the corresponding intrusion detection thread to complete the strategy update, after which the intrusion detection thread detects with the updated security detection strategy.
9. The intrusion detection system according to claim 6, characterized in that the detection module comprises:
a capture unit, for capturing packets from the back-end network interface card corresponding to the virtual machine node;
a matching unit, for peeling the packet protocols from each captured packet layer by layer and matching the peeled protocols in turn against the protocols corresponding to the security detection strategies in the intrusion detection thread;
a judging unit, for judging a captured packet to be abnormal when it matches all the protocols corresponding to some security detection strategy in the intrusion detection thread, and normal otherwise;
a response unit, for processing the captured packet according to the default response policy and the judgement of the judging unit.
10. The intrusion detection system according to claim 6, characterized in that the deployment module comprises:
a reading unit, for reading the resource list of the supporting servers of the virtual computing environment and extracting the server information, which comprises each server's IP address, user name and corresponding password;
a directory creation unit, for remotely creating a monitored directory under the corresponding directory of the server according to the server information extracted by the reading unit;
a distribution unit, for remotely distributing the detection files to the monitored directory;
a creation unit, for remotely controlling the execution of the detection files in the monitored directory and creating the intrusion detection thread.
CN2013103816159A 2013-08-28 2013-08-28 Intrusion detection method and system Pending CN103457945A (en)


Publications (1)

Publication Number Publication Date
CN103457945A true CN103457945A (en) 2013-12-18



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20131218