CN103731426A - Intrusion alarming system based on virtual network - Google Patents

Intrusion alarming system based on virtual network

Info

Publication number
CN103731426A
Authority
CN
China
Prior art keywords
ids
engine node
alarm system
main frame
detection rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310752007.4A
Other languages
Chinese (zh)
Inventor
张翔
王军林
唐明
徐博
成书晟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Original Assignee
SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Priority to CN201310752007.4A
Publication of CN103731426A

Abstract

The invention provides an intrusion alarming system based on a virtual network. The system comprises IDS engine nodes deployed respectively on the cloud hosts of a cloud computing center. Each IDS engine node comprises a detection module and an alarming module. The detection module monitors the data packets flowing into the cloud host on which the IDS engine node is located and matches them against the intrusion detection rules stored in an intrusion detection rule base. The alarming module generates alarm information when a data packet is found to match one of the intrusion detection rules in the rule base. The intrusion alarming system based on the virtual network thereby achieves distributed management of the IDS engine nodes.

Description

Intrusion alarm system based on a virtual network
Technical field
The present invention relates to the field of computer technology and, more specifically, to an intrusion alarm system based on a virtual network.
Background technology
An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alarm when it finds suspicious data streams. In a legacy network, the IDS is generally attached to a link that all traffic of interest must traverse, so that it can observe every packet of that traffic and detect suspicious flows by means of intrusion detection rules.
In a virtual network environment, the physical network resources are shared by all virtual network users, but from each user's point of view the network is dedicated and isolated from the networks of other users. Each user or business network may have different security requirements depending on the characteristics of its own network, and therefore different requirements for the deployment, configuration and policies of an intrusion detection system. Because a virtual network scales elastically, a user's network boundary is indeterminate from the point of view of the physical network, so an intrusion detection system cannot be deployed in the traditional way and the security needs of virtual network users cannot be met.
No effective solution to this problem in the related art has yet been proposed.
Summary of the invention
To address this problem in the related art, the present invention proposes an intrusion alarm system based on a virtual network that realizes distributed management of the intrusion detection system (IDS) engine nodes.
To achieve this, the invention provides an intrusion alarm system based on a virtual network, comprising IDS engine nodes deployed respectively on each cloud host of a cloud computing center. Each IDS engine node comprises: a detection module for monitoring the packets flowing into the cloud host on which the IDS engine node resides and matching them against the intrusion detection rules stored in an intrusion detection rule base; and an alarm module for generating alarm information when a packet is detected to match a rule in the intrusion detection rule base.
According to the invention, the intrusion alarm system further comprises an IDS distributed manager, which abstracts multiple logically independent IDS engine nodes for the virtual networks and manages and schedules the IDS engine nodes.
According to the invention, the intrusion alarm system further comprises an IDS device manager, which comprises a control module for interacting with the user to select the target cloud hosts or the target virtual network to be monitored, and a settings module for configuring the intrusion detection rules.
According to the invention, the IDS distributed manager also identifies, from the identifier of a user network, all virtual machine interfaces in that user network and the cloud hosts corresponding to those interfaces, and sends the intrusion detection rules issued by the IDS device manager to the IDS engine nodes on the identified cloud hosts.
According to the invention, the alarm module also feeds the alarm information back to the IDS distributed manager.
According to the invention, the IDS engine node further comprises a communication module for configuring the intrusion detection rule base and the runtime parameters through a REST service interface.
According to the invention, each cloud host runs multiple virtual machines connected through a bridge; multiple mirror ports, corresponding respectively to each virtual machine's network interface, are created on the bridge; and the monitoring interface of the IDS engine node on that host is set to the mirror port, so that it monitors the packets passing through the mirror ports on the bridge.
Compared with the prior art, the beneficial effects of the invention are as follows:
In the intrusion alarm system of the invention, an IDS engine node is deployed on each cloud host of the cloud computing center. The detection module and alarm module of each IDS engine node perform intrusion detection, so that each cloud host can independently generate alarm information when its own packets match an intrusion detection rule. In this way, distributed management of the IDS engine nodes is realized, and intrusion alarming that spans many cloud hosts is supported.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of an intrusion alarm system according to one embodiment of the invention;
Fig. 2 is a schematic structural diagram of an intrusion alarm system according to another embodiment of the invention.
Detailed description
The invention is further described below with reference to the accompanying drawings.
As shown in Figs. 1 and 2, the intrusion alarm system of the invention comprises IDS engine nodes 10, deployed respectively on each cloud host of the cloud computing center. Each IDS engine node includes a detection module 20 and an alarm module 30. The detection module 20 monitors the packets flowing into the cloud host on which the IDS engine node resides and matches them against the intrusion detection rules stored in the intrusion detection rule base; the alarm module 30 generates alarm information when a packet is detected to match a rule in the rule base.
More specifically, the intrusion alarm system also comprises an IDS distributed manager and an IDS device manager. The IDS distributed manager abstracts multiple logically independent IDS engine nodes for the virtual networks and manages and schedules the IDS engine nodes. The IDS device manager comprises a control module and a settings module: the control module interacts with the user to select the target cloud hosts or the target virtual network to be monitored, and the settings module configures the intrusion detection rules.
In addition, the IDS distributed manager identifies, from the identifier of a user network, all virtual machine interfaces in that user network and the cloud hosts corresponding to those interfaces, and sends the intrusion detection rules issued by the IDS device manager to the IDS engine nodes on the identified cloud hosts.
Preferably, the alarm module 30 also feeds the alarm information back to the IDS distributed manager.
In an optional embodiment of the invention, the IDS engine node further comprises a communication module, through which the intrusion detection rule base and the runtime parameters can be configured via a REST (Representational State Transfer) service interface.
According to a preferred embodiment of the invention, each cloud host runs multiple virtual machines connected through a bridge; multiple mirror ports, corresponding respectively to each virtual machine's network interface, are created on the bridge; and the monitoring interface of the IDS engine node on that host is set to the mirror port, so that it monitors the packets passing through the mirror ports on the bridge.
Described in more detail, the intrusion alarm system of the invention mainly comprises three parts: the IDS engine nodes, the IDS distributed manager and the intrusion detection service management end.
The IDS engine nodes are deployed in a distributed manner on each cloud host of the cloud computing center and are managed and scheduled by the IDS distributed manager. The IDS distributed manager abstracts, within the virtual network, a number of logically independent IDS devices that are managed through the IDS device manager; it sends the detection targets or intrusion detection rules issued by the IDS device manager to the corresponding IDS engine nodes according to the user's network elements, so that the configuration and commands of different users do not interfere with one another and the users' services are logically isolated. The intrusion detection service management end is the control end offered to the virtual network user, where the user can, according to their own network elements, set the target network interfaces for intrusion detection and the intrusion detection rule base.
In more detail, an IDS engine node is deployed on each cloud host. All virtual machines on a cloud host are attached to a Linux bridge, and a packet destined for a virtual machine enters through the cloud host's network card and is forwarded by the bridge to the virtual interface to which that virtual machine is connected. First, mirror ports are created on the bridge for all virtual machine network interfaces, so that packets destined for the virtual machines are copied to the mirror ports. The monitoring interface of the IDS engine node is then set to the mirror port. The IDS engine node can thus listen to the packets of all virtual machines on the cloud host and, from the characteristics of those packets, discover intrusion events. Specifically, the node comprises three modules: the IDS engine, the alarm module 30 and the communication module.
The IDS engine relies on an intrusion detection rule base. It intercepts each incoming packet, applies a series of preprocessing steps such as fragmentation and reassembly, and then matches the packet against the rule base. If a packet is found to match a rule, alarm information is generated and the relevant packet information is recorded in a file. The configuration data and the intrusion rule base of the IDS engine contain the identification information of the network user, so that the data of different users is kept isolated. The alarm module 30 monitors this alarm information file and feeds the alarm information back to the IDS distributed manager in real time. In addition, the communication module provides a REST service interface through which the rule base and the runtime parameters of the IDS engine can be configured from outside.
In one embodiment of the invention, the IDS distributed manager performs distributed management of all IDS engine nodes and, at the virtual network layer, abstracts a logically independent virtual IDS device for each virtual network; this virtual device sits at the boundary of the user's virtual network and monitors intrusions into that network. In other words, the IDS service management end sends the user-isolated detection targets and rule base information to the IDS distributed manager; the distributed manager finds, from the identifier of the user network, all virtual machine interfaces in that user network and the cloud hosts corresponding to those interfaces, and then issues the rule information to the corresponding IDS engines. The distributed manager also monitors the alarm information fed back by all IDS nodes and writes it to an alarm event database classified by user identity.
The intrusion detection service management end of the invention provides each user with an independent virtual IDS view, through which the user can enable or configure the IDS service according to their own needs, including selecting the target virtual machines to be monitored and configuring the intrusion detection rule base; the management end also sends the user's rules to the IDS distributed manager. The management end likewise provides a view of intrusion alarm events: according to the user's information, it extracts that user's network alarm events from the intrusion event database in real time and displays them to the user of the intrusion detection service.
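The tenant isolation the three parts above provide (rules pushed only to the hosts that carry a user network's VM interfaces, each mirrored packet matched only against the rule base of the tenant owning the destination interface, alarms filed by user identity) can be modelled as follows. This is an added example, not the patent's or the assignee's code; the class names, the rule format and the sample packets are constructed for illustration.

```python
# Tenant-isolated rule distribution and alarm classification, modelled on the
# IDS distributed manager and per-host engine nodes described in this patent.
# Added example, not the patent's or assignee's code; the class names, rule
# format and sample packets are constructed for illustration.
from collections import defaultdict, namedtuple

# Every rule carries the user-network identifier it belongs to; a packet is
# identified by the VM virtual interface the frame was mirrored from.
Rule = namedtuple("Rule", "tenant rule_id proto dst_port pattern")
Packet = namedtuple("Packet", "dst_iface proto dst_port payload")


class EngineNode:
    # Per-host IDS engine: a mirrored packet is matched only against the rules
    # of the tenant that owns the destination VM interface.
    def __init__(self, host, iface_owner):
        self.host = host
        self.iface_owner = iface_owner            # vif -> tenant, pushed by the manager
        self.rules = defaultdict(list)            # tenant -> [Rule]

    def inspect(self, pkt):
        tenant = self.iface_owner.get(pkt.dst_iface)
        if tenant is None:
            return None                           # not a monitored VM interface
        for r in self.rules[tenant]:             # other tenants' rules never apply
            if (r.proto, r.dst_port) == (pkt.proto, pkt.dst_port) and r.pattern in pkt.payload:
                return {"tenant": tenant, "host": self.host,
                        "rule": r.rule_id, "iface": pkt.dst_iface}
        return None


class DistributedManager:
    # Resolves a tenant network to its VM interfaces and hosts, pushes the
    # tenant's rules to the engine nodes on those hosts, files alarms by tenant.
    def __init__(self, topology):
        # topology: host -> {vif: tenant}, the VM-interface information the
        # manager derives from each user network's identifier
        self.nodes = {h: EngineNode(h, vifs) for h, vifs in topology.items()}
        self.alarm_db = defaultdict(list)         # user id -> alarm events

    def push_rules(self, tenant, rules):
        own = [r for r in rules if r.tenant == tenant]     # refuse cross-tenant rules
        hosts = sorted(h for h, n in self.nodes.items() if tenant in n.iface_owner.values())
        for h in hosts:
            self.nodes[h].rules[tenant].extend(own)
        return hosts

    def process(self, host, pkt):
        alarm = self.nodes[host].inspect(pkt)     # alarm module feeds back to the manager
        if alarm:
            self.alarm_db[alarm["tenant"]].append(alarm)
        return alarm

    def view(self, tenant):
        return [a["rule"] for a in self.alarm_db[tenant]]   # per-user alarm view


def run_demo():
    # Two tenants share host-a; a payload alarms only for the tenant whose own
    # rule base matches it, so tenant B never sees tenant A's rule A-1 fire.
    topo = {"host-a": {"vnet0": "tenantA", "vnet1": "tenantB"},
            "host-b": {"vnet2": "tenantA"}}
    mgr = DistributedManager(topo)
    mgr.push_rules("tenantA", [Rule("tenantA", "A-1", "tcp", 80, b"../../etc/passwd")])
    mgr.push_rules("tenantB", [Rule("tenantB", "B-1", "tcp", 22, b"SSH-1.99")])
    traffic = [("host-a", Packet("vnet0", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1")),  # A-1
               ("host-a", Packet("vnet1", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1")),  # silent
               ("host-b", Packet("vnet2", "tcp", 80, b"GET /index.html HTTP/1.1")),         # benign
               ("host-a", Packet("vnet1", "tcp", 22, b"SSH-1.99-OpenSSH_5.3"))]             # B-1
    for host, pkt in traffic:
        mgr.process(host, pkt)
    return {t: mgr.view(t) for t in ("tenantA", "tenantB")}
```

The second packet shows the isolation property: it carries the same payload that fires rule A-1 on tenant A's VM, but because vnet1 belongs to tenant B, only tenant B's rule base is consulted and no alarm is raised.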
In summary, in the intrusion alarm system of the invention, an IDS engine node 10 is deployed on each cloud host of the cloud computing center. The detection module 20 and the alarm module 30 of each IDS engine node perform intrusion detection, so that each cloud host can independently generate alarm information when its own packets match an intrusion detection rule. In this way, distributed management of the IDS engine nodes 10 is realized, and intrusion alarming that spans many cloud hosts is supported.
Further, in practical application of the invention, deploying IDS engine nodes on the cloud hosts and managing all IDS engine nodes in a distributed manner realizes an intrusion alarm system that supports multiple tenants, so that a logically independent intrusion alarm service can be provided to each virtual network user.
In addition, the invention also supports user management and configuration of the intrusion alarm system, further realizing multi-tenant support for the intrusion detection service and the isolation of user data.
The foregoing is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (7)

1. An intrusion alarm system based on a virtual network, comprising:
intrusion detection system (IDS) engine nodes, deployed respectively on each cloud host of a cloud computing center, wherein each said IDS engine node comprises:
a detection module for monitoring the packets flowing into the cloud host on which the IDS engine node resides and matching the packets against the intrusion detection rules stored in an intrusion detection rule base; and
an alarm module for generating alarm information when a packet is detected to match a rule in said intrusion detection rule base.
2. The intrusion alarm system according to claim 1, characterized in that said intrusion alarm system further comprises:
an IDS distributed manager for abstracting multiple logically independent said IDS engine nodes for the virtual networks and for managing and scheduling said IDS engine nodes.
3. The intrusion alarm system according to claim 1, characterized in that said intrusion alarm system further comprises an IDS device manager, said IDS device manager comprising:
a control module for interacting with a user to select the target cloud hosts or the target virtual network to be monitored; and
a settings module for configuring the intrusion detection rules.
4. The intrusion alarm system according to claim 3, characterized in that said IDS distributed manager is further configured to identify, from the identifier of a user network, all virtual machine interfaces in the user network and the cloud hosts corresponding to the virtual machine interfaces; and
to send the intrusion detection rules issued by said IDS device manager to the IDS engine nodes on the identified cloud hosts.
5. The intrusion alarm system according to claim 1, characterized in that said alarm module is further configured to feed the alarm information back to said IDS distributed manager.
6. The intrusion alarm system according to claim 1, characterized in that said IDS engine node further comprises a communication module for configuring said intrusion detection rule base and the runtime parameters through a REST service interface.
7. The intrusion alarm system according to claim 1, characterized in that multiple virtual machines connected through a bridge are deployed on each cloud host;
multiple mirror ports, corresponding respectively to each virtual machine's network interface, are created on the bridge; and
the monitoring interface of said IDS engine node on that host is set to the mirror port, so as to monitor the packets passing through the mirror ports on said bridge.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310752007.4A CN103731426A (en) 2013-12-31 2013-12-31 Intrusion alarming system based on virtual network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310752007.4A CN103731426A (en) 2013-12-31 2013-12-31 Intrusion alarming system based on virtual network

Publications (1)

Publication Number Publication Date
CN103731426A true CN103731426A (en) 2014-04-16

Family

ID=50455353

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310752007.4A Pending CN103731426A (en) 2013-12-31 2013-12-31 Intrusion alarming system based on virtual network

Country Status (1)

Country Link
CN (1) CN103731426A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978904A (en) * 2016-06-30 2016-09-28 联想(北京)有限公司 Intrusion detect system and electronic device
CN106131054A (en) * 2016-08-17 2016-11-16 国家计算机网络与信息安全管理中心 Network intrusions collaborative detection method based on secure cloud
CN107124386A (en) * 2016-02-24 2017-09-01 深圳市深信服电子科技有限公司 The determination method and device of black industry content
CN109639726A (en) * 2018-12-31 2019-04-16 微梦创科网络科技(中国)有限公司 Intrusion detection method, device, system, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431416A (en) * 2008-12-10 2009-05-13 南京邮电大学 Synergistic learning invasion detection method used for data gridding
CN102196006A (en) * 2010-03-17 2011-09-21 中国移动通信集团公司 Open system for providing resources for application program
US20110255538A1 (en) * 2010-04-16 2011-10-20 Udayakumar Srinivasan Method of identifying destination in a virtual environment
CN102724176A (en) * 2012-02-23 2012-10-10 北京市计算中心 Intrusion detection system facing cloud calculating environment
CN103065086A (en) * 2012-12-24 2013-04-24 北京启明星辰信息技术股份有限公司 Distributed intrusion detection system and method applied to dynamic virtualization environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
宋吉华: "Research on a Distributed Intrusion Detection System Based on Mobile Agents", China Master's Theses Full-text Database *
张亚茹: "Configuration Management of a Port Mirroring System for High-end Distributed Switches", China Master's Theses Full-text Database *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107124386A (en) * 2016-02-24 2017-09-01 深圳市深信服电子科技有限公司 The determination method and device of black industry content
CN105978904A (en) * 2016-06-30 2016-09-28 联想(北京)有限公司 Intrusion detect system and electronic device
CN105978904B (en) * 2016-06-30 2019-07-05 联想(北京)有限公司 A kind of intrusion detection method and electronic equipment
CN106131054A (en) * 2016-08-17 2016-11-16 国家计算机网络与信息安全管理中心 Network intrusions collaborative detection method based on secure cloud
CN106131054B (en) * 2016-08-17 2019-07-09 国家计算机网络与信息安全管理中心 Network intrusions collaborative detection method based on secure cloud
CN109639726A (en) * 2018-12-31 2019-04-16 微梦创科网络科技(中国)有限公司 Intrusion detection method, device, system, equipment and storage medium

Similar Documents

Publication Publication Date Title
US11522775B2 (en) Application monitoring prioritization
US11115466B2 (en) Distributed network services
US10795992B2 (en) Self-adaptive application programming interface level security monitoring
US10230612B2 (en) Systems and methods for implementing a traffic visibility network
WO2021017279A1 (en) Cluster security management method and apparatus based on kubernetes and network domain, and storage medium
CN105765906B (en) Method, system and computer-readable medium for network function virtualization information concentrator
CN109716729A (en) The dynamically auto zoom network security micro services framework based on load
CN103685608B (en) A kind of method and device for automatically configuring secure virtual machine IP address
CN103414535B (en) Data sending method, data receiving method and relevant devices
KR102001898B1 (en) Method of processing alarm information, related devices and systems
CN104125214B (en) A kind of security architecture system and safety governor for realizing software definition safety
CN103731426A (en) Intrusion alarming system based on virtual network
CN105162823B (en) A kind of virtual machine management method and device
CN105827629A (en) Software definition safety guiding device under cloud computing environment and implementation method thereof
CN114490280A (en) Log processing method, device, equipment and medium
CN107682166B (en) Implementation method for remote data acquisition of safety operation and maintenance service platform based on big data
JP2011188422A (en) Monitoring system for specifying affected service and method of the same
US20070118655A1 (en) Network-based autodiscovery system for mac forwarding dispatcher
KR20140127116A (en) System for customized enterprise management and data outflow management based on clouding computing
CN113132678A (en) Data transmission method and device, electronic equipment and storage medium
CN109474571A (en) A kind of method and system of collaboration linkage discovery Rootkit
CN107666519A (en) A kind of cloud processing data information system
Jandaeng Embedded packet logger for network monitoring system
CN107391907A (en) A kind of long-distance intelligent video diagnostic method based on distributed deployment
Mlotshwa et al. Opportunistic security architecture for osmotic computing paradigm in dynamic IoT-Edge's resource diffusion

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100193 Beijing, Haidian District, northeast Wang West Road, building 8, building 36, floor 5

Applicant after: Shuguang Cloud Computing Group Co Ltd

Address before: 100193 Beijing, Haidian District, northeast Wang West Road, building 8, building 36, floor 5

Applicant before: Shuguang Cloud Computing Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20140416