CN104735069A - High-availability computer cluster based on safety and credibility - Google Patents

High-availability computer cluster based on safety and credibility Download PDF

Info

Publication number
CN104735069A
CN104735069A CN201510135931.7A CN201510135931A CN104735069A CN 104735069 A CN104735069 A CN 104735069A CN 201510135931 A CN201510135931 A CN 201510135931A CN 104735069 A CN104735069 A CN 104735069A
Authority
CN
China
Prior art keywords
node
host
trusted
resource
cluster
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510135931.7A
Other languages
Chinese (zh)
Inventor
王宗训
赵瑞东
牛玉峰
李传忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Group Co Ltd
Original Assignee
Inspur Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Group Co Ltd filed Critical Inspur Group Co Ltd
Priority to CN201510135931.7A priority Critical patent/CN104735069A/en
Publication of CN104735069A publication Critical patent/CN104735069A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/80Responding to QoS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a high-availability computer cluster based on safety and credibility, which relates to the field of information safety and is characterized in that at least two machines are arranged in the cluster: the cluster system detects the safe and credible state of the service node at regular time/in real time, and when the system host is not credible, the scheduling module can automatically migrate the resources to other credible nodes of the cluster, so that the service is ensured to always run in a safe environment.

Description

A kind of based on safe and reliable high availability computer cluster
Technical field
The present invention relates to information security field, particularly relate to a kind of based on safe and reliable high availability computer cluster.
Background technology
The develop rapidly of computer nowadays technology, all trades and professions use ten hundreds of computers to carry out computing, enjoy application software, the informationization that data processing provides to us is convenient, but, thing followed information security issue, as the potential safety hazards such as illegal use, virus, malicious attack threaten the information security that government, enterprises and institutions particularly have the linked groups of concerning security matters demand all the time.For the application that some are important, need to guarantee the safe and reliable of system running environment.When system is unreliable, need application migration in time.
Ensure that the method for single server security is a lot, such as USB detects forbidding technology, ensures that USB device cannot work after inserting.Various antivirus software emerges in an endless stream, and the virus of scanning computer system, the aspects such as checking and killing Trojan play important function.Trust computing is calculating and widely use in communication system the credible calculating platform under supporting based on hardware security module, to improve the fail safe of entire system.System safety based on trust computing detects the fail safe that ensure that system from hardware foundation.Port is extraneous access and the entrance attacking computer, carries out Scanning Detction in real time to the port of system, can prevent unknown rogue program invasion.
But, after discovering server system is dangerous, insincere, will interrupting service, re-start system safety and recover, after removing potential hazard, just can restart business.But for the application that some are important, need business continuous service or shorter time out, individual server just can not satisfy the demands in this case.
Therefore, a kind of computer cluster with secure and trusted function becomes the tight demand of some application.It is ensureing that system safety is reliable while, and provide redundancy feature, after a main frame goes wrong, an other main frame can take over service, and guarantee business is normally run.
Summary of the invention
The object of the invention is to ensure system safety reliability service, improving the continuity of service operation.Two machines (main frame is had at least in cluster, a standby host), the timing of this group system detect service node secure and trusted state in real time, when system host is insincere, scheduler module can automatically by resource migration in other trusted node of cluster, guarantee business operates in safe environment always.
The carrying out practically step of system is as follows:
Read the relevant configuration in configuration file after step one, system start, each node starts clustered software.
Step 2, system elect a host node, the trusted status on each service node of heartbeat module timed collection, form trusted node list, and resource are started on believable node.
The secure and trusted state of Host Detection system, judges that whether system is safe and reliable.
Detection main contents are as follows, but are not limited to four below (can be increased by amendment configuration file or reduce the particular content of detection and detection):
1, Host Detection antivirus software running status, run version, virus base version
2, the credible tolerance root (PCR) of Host Detection system
3, the opening of Host Detection port
4, main frame detects the plugging condition of USB in real time
Step 3, when host node detects that the node at certain resource place is insincere, scheduling of resource module by resource migration to trusted node list, a certain main frame can be run.
Advantage of the present invention and beneficial effect are:
The present invention is based on credible tolerance root, USB storage device detect in real time, the process of port timing scan, antivirus software state the measure such as timing scan improve system safety rank, the potential threat that can exist in Timeliness coverage system.
After the secure and trusted function of system wrecks; the host node of system can find believable node in whole cluster wide; shielded resource migration can move on main frame trusty by resource management module; service resources can be run in safe and reliable environment, improve the fail safe of system.
Accompanying drawing explanation
Fig. 1 is the Organization Chart of whole group system.
Fig. 2 is the procedure chart that service node and host node carry out information interaction.
Embodiment
In order to make object of the present invention, technical method and advantage are analysed more clearly, are easily understood, and below in conjunction with drawings and Examples, carry out further information explanation to the present invention.Should be appreciated that specific embodiment described herein only in order to explain the present invention, be not intended to limit the present invention.
Read the relevant configuration in configuration file after step one, system start, and the node of first in system is decided to be host node.
Configuration file content comprises the respective configuration file on active and standby machine, its content comprises the whether safe and reliable detection of system, the deploy content of port is (as Fig. 1, configurable), the information such as antivirus software information and eartbeat interval, by the essential information arranged in these configuration files, for the content of later safety, trust authentication provides foundation.The host node of system be responsible for by heartbeat module collect each node reliable information, the trusted host list of maintenance system and resource mapping relation.
The whether believable relevant information of step 2, each node timed collection book node, and information is sent to host node.The main contents checked are as follows, but are not limited only to four below
1, Host Detection antivirus software running status, run version, virus base version.System is connected by setting up socket with antivirus software, send PING order, judge whether antivirus software runs according to return value, acquisition operation version acquisition antivirus software version, virus base version can be performed by obtaining it, contrast with the antivirus software in CONFIG.SYS, judge that whether antivirus software is reliable.
2, the credible tolerance root (PCR) of Host Detection system.The credible tolerance root of system is present in the memory of TPM module, by TCS software stack, obtain the credible tolerance root of system, to its first Hash process, and overlap-add procedure is carried out to the value after each Hash, the result after process provides foundation for comparing with original credible tolerance root on standby host.
3, the opening of Host Detection port.Port is the door of other computer interactives on computer and network.Unauthorized person can control the open and close of certain port by rogue program, can this machine of Long-distance Control.Port open strategy has configured in configuration file, sets up socket and connects, carry out socket communication test after system starts to each port, and then judges whether to open, and contrasts the strategy in the result obtained and configuration file, judges whether consistent.
4, main frame detects the plugging condition of USB in real time.When system starts, can start a separate threads separately, whether real-time detection has USB disk unit to insert is extracted situation, if USB storage device insertion system detected, then send message, reporting system, provides foundation for carrying out resource migration, and the quantity of the USB device of record insertion, when equipment is extracted, whether the quantity of the USB storage device of detection system reduces to 0, if USB storage device quantity becomes 0, moving back for resource provides foundation.
Step 4, host node node are decrypted sign test to the information collected, and analyze result, the insincere main frame in Timeliness coverage system, and upgrade trusted host list.
Which resource in step 5, host node analytical system is present on incredible main frame, according to scheduling strategy, calls scheduling of resource module, by resource migration on trusted main frame.

Claims (3)

1. one kind based on safe and reliable high availability computer cluster, it is characterized in that, two machines are at least set in the cluster: a main frame, a standby host, the timing of this group system detect service node secure and trusted state in real time, when system host is insincere, scheduler module can automatically by resource migration in other trusted node of cluster, guarantee business operates in safe environment always.
2. computer cluster according to claim 1, is characterized in that,
The carrying out practically step of system is as follows:
Read the relevant configuration in configuration file after step one, system start, each node starts clustered software;
Step 2, system elect a host node, the trusted status on each service node of heartbeat module timed collection, form trusted node list, and resource are started on believable node;
The secure and trusted state of Host Detection system, judges that whether system is safe and reliable;
Step 3, when host node detects that the node at certain resource place is insincere, scheduling of resource module by resource migration to trusted node list, a certain main frame can be run.
3. computer cluster according to claim 2, is characterized in that, detects main contents as follows, but is not limited to four below:
1), Host Detection antivirus software running status, run version, virus base version;
2), the credible tolerance root (PCR) of Host Detection system;
3), the opening of Host Detection port;
4), main frame detects the plugging condition of USB in real time.
CN201510135931.7A 2015-03-26 2015-03-26 High-availability computer cluster based on safety and credibility Pending CN104735069A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510135931.7A CN104735069A (en) 2015-03-26 2015-03-26 High-availability computer cluster based on safety and credibility

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510135931.7A CN104735069A (en) 2015-03-26 2015-03-26 High-availability computer cluster based on safety and credibility

Publications (1)

Publication Number Publication Date
CN104735069A true CN104735069A (en) 2015-06-24

Family

ID=53458504

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510135931.7A Pending CN104735069A (en) 2015-03-26 2015-03-26 High-availability computer cluster based on safety and credibility

Country Status (1)

Country Link
CN (1) CN104735069A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105553629A (en) * 2016-03-15 2016-05-04 山东超越数控电子有限公司 Safe and credible calculation master and slave system
CN105760271A (en) * 2016-01-28 2016-07-13 浪潮电子信息产业股份有限公司 Method for monitoring credible state of computing node in cluster mode
CN105791013A (en) * 2016-03-08 2016-07-20 浪潮电子信息产业股份有限公司 Trusted computing pool management and control system based on AMQP
CN106169054A (en) * 2016-07-13 2016-11-30 浪潮电子信息产业股份有限公司 Access control method based on trusted state
CN106909440A (en) * 2017-02-27 2017-06-30 郑州云海信息技术有限公司 A kind of dispatching method of virtual machine and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101331492A (en) * 2005-12-13 2008-12-24 美商内数位科技公司 Method and system for protecting user data in a node
CN102202046A (en) * 2011-03-15 2011-09-28 北京邮电大学 Network-operating-system-oriented trusted virtual operating platform
US20130287208A1 (en) * 2012-04-30 2013-10-31 General Electric Company Systems and methods for controlling file execution for industrial control systems
CN103607297A (en) * 2013-11-07 2014-02-26 上海爱数软件有限公司 Fault processing method of computer cluster system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101331492A (en) * 2005-12-13 2008-12-24 美商内数位科技公司 Method and system for protecting user data in a node
CN102202046A (en) * 2011-03-15 2011-09-28 北京邮电大学 Network-operating-system-oriented trusted virtual operating platform
US20130287208A1 (en) * 2012-04-30 2013-10-31 General Electric Company Systems and methods for controlling file execution for industrial control systems
CN103607297A (en) * 2013-11-07 2014-02-26 上海爱数软件有限公司 Fault processing method of computer cluster system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760271A (en) * 2016-01-28 2016-07-13 浪潮电子信息产业股份有限公司 Method for monitoring credible state of computing node in cluster mode
CN105791013A (en) * 2016-03-08 2016-07-20 浪潮电子信息产业股份有限公司 Trusted computing pool management and control system based on AMQP
CN105553629A (en) * 2016-03-15 2016-05-04 山东超越数控电子有限公司 Safe and credible calculation master and slave system
CN106169054A (en) * 2016-07-13 2016-11-30 浪潮电子信息产业股份有限公司 Access control method based on trusted state
CN106909440A (en) * 2017-02-27 2017-06-30 郑州云海信息技术有限公司 A kind of dispatching method of virtual machine and system

Similar Documents

Publication Publication Date Title
US9767013B1 (en) Detecting code alteration based on memory allocation
US9619649B1 (en) Systems and methods for detecting potentially malicious applications
EP3335146B1 (en) Systems and methods for detecting unknown vulnerabilities in computing processes
US9202057B2 (en) Systems and methods for identifying private keys that have been compromised
US9158915B1 (en) Systems and methods for analyzing zero-day attacks
Rathnayaka et al. An efficient approach for advanced malware analysis using memory forensic technique
CN109586282B (en) Power grid unknown threat detection system and method
US9178904B1 (en) Systems and methods for detecting malicious browser-based scripts
US9270467B1 (en) Systems and methods for trust propagation of signed files across devices
US10484419B1 (en) Classifying software modules based on fingerprinting code fragments
CN104735069A (en) High-availability computer cluster based on safety and credibility
CN107580703B (en) Migration service method and module for software module
US9338012B1 (en) Systems and methods for identifying code signing certificate misuse
CN110365674B (en) Method, server and system for predicting network attack surface
US9385869B1 (en) Systems and methods for trusting digitally signed files in the absence of verifiable signature conditions
US9934378B1 (en) Systems and methods for filtering log files
US9652615B1 (en) Systems and methods for analyzing suspected malware
US9910994B1 (en) System for assuring security of sensitive data on a host
US11095666B1 (en) Systems and methods for detecting covert channels structured in internet protocol transactions
US9122869B1 (en) Systems and methods for detecting client types
EP3340097B1 (en) Analysis device, analysis method, and analysis program
CN116860489A (en) System and method for threat risk scoring of security threats
US9483643B1 (en) Systems and methods for creating behavioral signatures used to detect malware
US9569617B1 (en) Systems and methods for preventing false positive malware identification
CN105550574B (en) Side channel analysis evidence-obtaining system and method based on memory activity

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150624

WD01 Invention patent application deemed withdrawn after publication