CN104917653A - Virtual flow monitoring method based on cloud platform and device thereof - Google Patents

Publication number: CN104917653A
Application number: CN201510364392.4A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: virtual, data traffic, firewall, virtual machine, cloud platform
Other languages: Chinese (zh)
Inventors: 李亮, 姚熙
Current assignee: Beijing Qianxin Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201510364392.4A
Publication of CN104917653A
Landscape: Data Exchanges In Wide-Area Networks
Abstract

The invention discloses a cloud-platform-based virtual traffic monitoring method and device, relates to the field of network security, and aims to solve the problem that the security of virtual machine traffic cannot be effectively monitored. The method comprises: deploying a virtual firewall inside a host machine; monitoring, by a virtual switching device, the data traffic generated by a source virtual machine and steering the monitored traffic into the virtual firewall according to a steering policy issued by the cloud platform; cleaning the traffic in the virtual firewall to obtain secure traffic; and forwarding the secure traffic to the corresponding target virtual machine. The method and device are mainly applied to virtual traffic monitoring in a web application environment.

Description

Cloud-platform-based virtual traffic monitoring method and device
Technical field
The present invention relates to the field of network security, and in particular to a cloud-platform-based virtual traffic monitoring method and device.
Background
A firewall is a device that establishes a protective barrier between an internal network and an external network: all traffic between the intranet and the extranet must pass a security inspection by the firewall before it is admitted, so that the intranet is protected against intrusion by unauthorised users.
Organisations such as enterprises and universities generally adopt a firewall as the first line of defence of an effective security system. In practice, however, a firewall cannot solve the security problems of Web applications, and websites have the same need for inspection at the Web application level, which gave rise to another form of firewall: the Web Application Firewall (WAF). WAFs represent an emerging class of information security technology intended to solve the Web application security problems that traditional devices such as firewalls cannot. Unlike a traditional firewall, a WAF operates at the application layer and therefore has an inherent technical advantage for protecting Web applications. A WAF inspects and validates the content of all kinds of requests from Web application clients to ensure that they are safe and legitimate, blocks illegal requests in real time, and thereby effectively protects all kinds of websites.
An existing WAF is generally a physical hardware device. As shown in Fig. 1, the WAF is usually deployed on the gateway of a website server cluster, and the traffic exchanged between the website servers and the external network is filtered and cleaned by the WAF.
In existing website protection schemes the inventors found that a WAF which is a physical hardware device can only be deployed on a gateway that is likewise physical hardware, and can only monitor traffic between physical devices (for example, the traffic between an intranet server and an external server). In a virtualised environment, because the WAF sits independently outside the host machine, it cannot monitor the traffic exchanged between virtual machines (VMs) inside the host. In practice, virtual machines on the same host may be allocated to different websites, and how to ensure the security of virtual machine traffic in that case has become one of the pressing problems in the field of network security.
Summary of the invention
The invention provides a cloud-platform-based virtual traffic monitoring method and device, which can solve the problem that the security of virtual machine traffic cannot be effectively monitored.
To solve the above technical problem, in one aspect the invention provides a cloud-platform-based virtual traffic monitoring method, comprising:
deploying a virtual firewall in a host machine;
monitoring, by a virtual switching device, the data traffic generated by a source virtual machine, and steering the monitored data traffic into the virtual firewall according to a steering policy issued by the cloud platform;
cleaning the data traffic in the virtual firewall to obtain secure data traffic;
forwarding the secure data traffic to the corresponding target virtual machine.
In another aspect, the invention also provides a cloud-platform-based virtual traffic monitoring device, comprising:
a deployment unit, configured to deploy a virtual firewall in a host machine;
a monitoring unit, configured to monitor, by a virtual switching device, the data traffic generated by a source virtual machine, and to steer the monitored data traffic into the virtual firewall deployed by the deployment unit according to a steering policy issued by the cloud platform;
a processing unit, configured to clean, in the virtual firewall deployed by the deployment unit, the data traffic steered by the monitoring unit, so as to obtain secure data traffic;
a forwarding unit, configured to forward the secure data traffic obtained by the processing unit to the corresponding target virtual machine.
With the cloud-platform-based virtual traffic monitoring method and device provided by the invention, a virtual firewall used for traffic cleaning can be deployed in the host machine, the data traffic exchanged between virtual machines is monitored by the virtual switching device, and the monitored traffic is steered into the virtual firewall for cleaning, thereby ensuring the security of the data traffic. Compared with the prior art, the invention can ensure network security in a virtualised environment through a virtual firewall deployed inside the host machine.
The above description is only an overview of the technical solution of the invention. In order that the technical means of the invention may be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the detailed description of the preferred embodiments below. The drawings are provided only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a schematic diagram of a prior-art system in which a physical WAF is deployed at a gateway;
Fig. 2 shows a flow chart of a cloud-platform-based virtual traffic monitoring method provided by the invention;
Fig. 3 shows a flow chart of another cloud-platform-based virtual traffic monitoring method provided by the invention;
Fig. 4 shows a schematic diagram of one way of deploying a virtual firewall provided by the invention;
Fig. 5 shows a schematic diagram of another way of deploying a virtual firewall provided by the invention;
Fig. 6 shows a schematic diagram of a scheme provided by the invention for monitoring data traffic across virtual switching devices;
Fig. 7 shows a schematic diagram of a scheme provided by the invention for monitoring data traffic across host machines;
Fig. 8 shows a block diagram of a cloud-platform-based virtual traffic monitoring device provided by the invention;
Fig. 9 shows a block diagram of another cloud-platform-based virtual traffic monitoring device provided by the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
To ensure the security of data traffic between virtual machines in a virtualised environment, an embodiment of the invention provides a cloud-platform-based virtual traffic monitoring method. As shown in Fig. 2, the method comprises:
201. Deploying a virtual firewall in a host machine.
The host machine described in this embodiment may in practice also be called a physical machine or a virtualisation server. It is the physical entity that carries the virtual machines: by partitioning computer resources such as memory and the central processing unit (CPU), one host machine can be divided into multiple virtual machines, and each virtual machine shares the host's software and hardware resources such as memory, disk, CPU and the various interfaces.
Besides being divided into multiple virtual machines, in this embodiment the host machine must also have a virtual firewall deployed inside it. Unlike the physical firewall of the prior art, the virtual firewall is in fact a computer program executing as a process and has no physical form. Like a virtual machine, the virtual firewall also runs on the computer resources of the host machine.
In this embodiment, one or more virtual firewalls may be deployed in the host machine. When multiple virtual firewalls are deployed, the data traffic monitored by the virtual switching device may be cleaned repeatedly by the multiple virtual firewalls in turn; alternatively, each of the multiple virtual firewalls may be responsible for cleaning one or more particular virtual machines. This embodiment does not limit the number or the arrangement of the virtual firewalls.
In addition, a virtual switching device for exchanging traffic may also be deployed in the host machine. The virtual switching device forwards the data traffic sent and received between virtual machines, and all virtual machines must exchange data through it. Like the virtual firewall, the virtual switching device has no definite physical form and also runs on the computer resources of the host machine.
In this embodiment, the virtual firewall may be deployed on the virtual switching device, deployed independently of the virtual switching device, or deployed on a particular virtual machine; this embodiment does not limit the location of the virtual firewall.
202. Monitoring, by the virtual switching device, the data traffic generated by a source virtual machine.
When virtual machines send and receive data, all data exchanged between them must be forwarded via the virtual switching device. In this embodiment, the virtual switching device, as the medium through which data traffic is exchanged, monitors the exchanged data traffic while the virtual machines exchange data.
In practice, the virtual switching device described in this embodiment may be, but is not limited to, a virtual router or a virtual switch.
For ease of understanding, this embodiment calls the virtual machine that sends data traffic the source virtual machine and the virtual machine that receives the data traffic the target virtual machine, from the point of view of the data flow. In practice every virtual machine can both send and receive data, so any virtual machine may be both a source virtual machine and a target virtual machine.
In the embodiments of the invention, after the virtual switching device detects data traffic it intercepts that traffic, and the traffic is not forwarded to the target virtual machine until the virtual firewall has finished cleaning it.
203. Steering the monitored data traffic into the virtual firewall according to a steering policy issued by the cloud platform.
After detecting data traffic, the virtual switching device steers it into the virtual firewall for cleaning. In this embodiment, factors such as when traffic is steered and how much of it is steered are decided by a steering policy that the host machine obtains in advance. In practice, the virtual switching device may steer all or part of the data traffic continuously or periodically; this embodiment does not restrict this.
In this embodiment, the steering policy obtained in advance by the virtual switching device is formulated and issued by the cloud platform, which may compute and generate it from large-scale data analysis of different website nodes. On the cloud platform side, a uniform steering policy may be formulated for all websites, or different steering policies may be formulated for different virtual environments based on factors such as website type, host machine model, number of virtual machines, virtual machine performance and routing topology. Of course, in practice the steering policy on the cloud platform side may also be set manually by a security administrator, or formulated directly in the virtual switching device on the host side; this embodiment does not restrict this.
After obtaining the steering policy configured by the cloud platform, the host machine may also update its local steering policy from the cloud platform regularly or irregularly.
204. Cleaning the data traffic in the virtual firewall to obtain secure data traffic.
The virtual firewall has security functions such as, but not limited to, anomaly detection, vulnerability remediation and device auditing. After receiving the data traffic steered by the virtual switching device, the virtual firewall cleans it according to the actual needs of the website, obtaining secure data traffic.
In one implementation, data traffic that poses a potential security risk may be discarded outright by the virtual firewall, or discarded together with an alert to the virtual switching device, which then handles the potentially harmful data accordingly.
It should be noted that in this embodiment the notion of secure data traffic has two meanings: first, the normal data traffic that remains after potentially harmful data has been removed; and second, data traffic that has been repaired by the virtual firewall. The subsequent embodiments of the invention do not distinguish between or restrict these.
205. Forwarding the secure data traffic to the corresponding target virtual machine.
After the secure data traffic is obtained, it is forwarded to the corresponding target virtual machine, thereby completing the forwarding of data traffic from the source virtual machine to the target virtual machine.
In practice, the virtual firewall may forward the secure data traffic directly to the target virtual machine, or, after cleaning, it may return the traffic to the virtual switching device, which then forwards it to the target virtual machine.
In everyday use, hardware devices such as computers and servers may be infected by viruses or have vulnerabilities, and virtual machines in a virtualised environment are subject to the same problems. The prior art can block the spread of viruses between physical devices by deploying a hardware firewall at the gateway, but is powerless against viruses spreading between virtual machines. With the method provided by this embodiment, a virtual firewall can be deployed in the host machine, the data traffic between virtual machines is monitored by the virtual switching device and steered into the virtual firewall for cleaning, thereby preventing viruses from spreading between virtual machines and ensuring network security in the virtualised environment.
Further, as a refinement of the implementation shown in Fig. 2, another embodiment of the invention also provides a cloud-platform-based virtual traffic monitoring method. In this method the virtual switching device monitors the data traffic of the virtual machines continuously and steers all of it into the virtual firewall for cleaning. Specifically, as shown in Fig. 3, the method comprises:
301. Dynamically deploying a virtual firewall according to the network segment in which the virtual machines are located.
In this embodiment the virtual firewall is deployed on the virtual switching device. Some of the virtual machines in the host machine need traffic cleaning, while trusted virtual machines do not. When deploying the virtual firewall, it can be deployed dynamically for the virtual machines that need traffic cleaning, based on the network segment in which they are located. The specific implementation is shown in steps 3011 and 3012 below:
3011. Obtaining the network segment of the virtual machines that are the monitored objects.
For example, in the schematic diagram shown in Fig. 4, five virtual machines are configured in the host machine, and the Internet Protocol (IP) addresses of virtual machine 1 to virtual machine 5 are 192.168.2.1, 2, 3, 4 and 5 respectively. According to the security administrator's configuration, traffic cleaning is required for virtual machines 1, 2 and 3, so virtual machines 1, 2 and 3 are the monitored objects of virtual switching device X, and the IP segment of the monitored objects thus obtained is 192.168.2.1-3.
3012. Dynamically deploying the virtual firewall on the virtual switching device corresponding to that network segment.
In the example shown in Fig. 4, all five virtual machines forward data through the single virtual switching device X, so the virtual switching device corresponding to segment 192.168.2.1-3 is virtual switching device X, and the virtual firewall can be dynamically deployed on virtual switching device X.
In practice a host machine may contain multiple virtual switching devices, each responsible for exchanging the data traffic of a different number of virtual machines. For this case, an example of steps 3011 and 3012 is shown in Fig. 5. In Fig. 5, virtual machines 1, 2 and 3 exchange traffic through virtual switching device X, and virtual machines 4, 5, 6 and 7 exchange traffic through virtual switching device Y. The IP addresses of virtual machines 1 to 7 are 192.168.2.1, 2, 3, 4, 5, 6 and 7 in turn, so the IP segment corresponding to virtual switching device X is 192.168.2.1-3 and the IP segment corresponding to virtual switching device Y is 192.168.2.4-7. When deploying the firewall, if virtual machines 2 and 3 need to be monitored, the virtual firewall can be deployed on virtual switching device X, whose segment is 192.168.2.1-3; if virtual machines 4, 5, 6 and 7 need to be monitored, the virtual firewall can be deployed on virtual switching device Y, whose segment is 192.168.2.4-7. If both segments contain virtual machines that need monitoring, a virtual firewall can be deployed on each of virtual switching device X and virtual switching device Y. Fig. 5 shows the implementation in which a virtual firewall is deployed on each of the two virtual switching devices.
302. Monitoring, by the virtual switching device, the data traffic generated by a source virtual machine.
Taking Fig. 4 as an example, virtual switching device X monitors the traffic of virtual machines 1, 2 and 3, which are the monitored objects. When virtual machine 1 sends data traffic a to virtual machine 3, virtual machine 1 first sends data traffic a to virtual switching device X, and virtual switching device X detects and obtains data traffic a.
303. Steering the monitored data traffic into the virtual firewall according to the steering policy issued by the cloud platform.
For the scheme shown in Fig. 4, after detecting data traffic a, virtual switching device X steers data traffic a into the virtual firewall.
In an improvement of this embodiment, virtual switching device X may steer data traffic selectively. Specifically, virtual switching device X splits the data traffic according to the steering policy, which splits the traffic on at least one of the following dimensions: packet type, packet size, source virtual machine group, target virtual machine group and time period. After splitting, virtual switching device X selectively steers some of the split streams into the virtual firewall; of course, it may also steer all of the split streams into the virtual firewall.
Taking packet type as an example, virtual switching device X may split data traffic a into two streams, public-protocol packets and proprietary-protocol packets, and then steer the proprietary-protocol stream into the virtual firewall. In practice, different virtual firewalls handle different protocol types, and splitting by packet type filters out the packet types that a given virtual firewall cannot process, avoiding unnecessary resource overhead. Of course, if a virtual firewall for public protocols is also deployed in the host machine, virtual switching device X may steer the public-protocol stream into that virtual firewall, so that the different firewalls each perform their own function.
Taking time period as another example, virtual switching device X may split data traffic a into three streams according to the period in which the traffic was generated, "00:00-08:00", "08:00-16:00" and "16:00-24:00", and steer at least one of these streams into the virtual firewall.
In practice, virtual switching device X may split traffic on any one of the dimensions of the steering policy above, or on a combination of at least two of them; this embodiment does not restrict this.
Further, in another implementation of this embodiment, splitting the traffic has a second meaning: classifying different data flows, rather than splitting one data flow apart. For example, when virtual machine 1 and virtual machine 2 each send data traffic to virtual machine 3, virtual switching device X can distinguish the public-protocol traffic sent by virtual machine 1 from the proprietary-protocol traffic sent by virtual machine 2, and send the public-protocol traffic from virtual machine 1 to the virtual firewall.
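The selective steering of step 303, with all five splitting dimensions the text lists, as an added example that is not code from the patent. The protocol labels, VM groups, firewall names, policy lines and sample packets are constructed; a cloud platform would issue the group table and the policy, the switch would not hard-code them. The example also settles a point the text leaves open: a packet that no policy line describes is still steered to a default firewall, so a gap in the policy never becomes a bypass.

```python
"""Selective traffic steering (step 303 and its splitting dimensions).

Added example, not code from the patent.  Protocol labels, VM groups,
firewall names and the sample packets are all constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed VM groups, as a cloud platform might issue them with the policy.
VM_GROUPS = {
    "web":     {"192.168.2.1", "192.168.2.2"},
    "db":      {"192.168.2.3"},
    "trusted": {"192.168.2.4"},
}


@dataclass(frozen=True)
class Packet:
    src: str      # source VM address
    dst: str      # target VM address
    proto: str    # "public" (HTTP, DNS, ...) or "proprietary"
    size: int     # bytes
    hour: int     # hour of day 0-23, read from the switch's own clock, never from the packet


@dataclass(frozen=True)
class SteerRule:
    """One line of the steering policy.  A dimension left as None is a wildcard.
    `firewall` is the cleaning target, or None for 'forward without cleaning'
    (a deliberate bypass, only for traffic the policy trusts)."""
    firewall: Optional[str]
    proto: Optional[frozenset] = None
    size: Optional[tuple] = None        # (min_bytes, max_bytes), inclusive
    src_group: Optional[str] = None
    dst_group: Optional[str] = None
    period: Optional[tuple] = None      # (start_hour, end_hour), end exclusive, up to 24


def matches(rule, pkt, groups):
    """True when the packet satisfies every dimension the rule constrains."""
    return (
        (rule.proto is None or pkt.proto in rule.proto)
        and (rule.size is None or rule.size[0] <= pkt.size <= rule.size[1])
        and (rule.src_group is None or pkt.src in groups.get(rule.src_group, ()))
        and (rule.dst_group is None or pkt.dst in groups.get(rule.dst_group, ()))
        and (rule.period is None or rule.period[0] <= pkt.hour < rule.period[1])
    )


def steer(policy, pkt, groups, default="fw-default"):
    """First matching rule wins.  A packet no rule describes still goes to the
    default firewall: the policy fails closed, because 'not mentioned' must
    never mean 'not inspected'."""
    for rule in policy:
        if matches(rule, pkt, groups):
            return rule.firewall
    return default


def shunt(policy, packets, groups, default="fw-default"):
    """Split a batch of packets into streams keyed by firewall name
    (None = forwarded uncleaned).  This is the 'splitting' of step 303."""
    streams = {}
    for pkt in packets:
        streams.setdefault(steer(policy, pkt, groups, default), []).append(pkt)
    return streams


# Constructed policy mirroring the text's examples: proprietary and public
# protocols go to different firewalls; traffic from the trusted group to the
# web group in the 00:00-08:00 window is forwarded uncleaned; public packets
# above 1500 bytes match no line and therefore fall through to the default.
POLICY = [
    SteerRule(firewall=None, src_group="trusted", dst_group="web", period=(0, 8)),
    SteerRule(firewall="fw-proprietary", proto=frozenset({"proprietary"})),
    SteerRule(firewall="fw-public", proto=frozenset({"public"}), size=(0, 1500)),
]

# Constructed sample traffic.
SAMPLE = [
    Packet("192.168.2.1", "192.168.2.3", "proprietary", 600, 10),
    Packet("192.168.2.2", "192.168.2.3", "public", 300, 10),
    Packet("192.168.2.4", "192.168.2.1", "public", 200, 3),
    Packet("192.168.2.4", "192.168.2.1", "public", 200, 12),
    Packet("192.168.2.2", "192.168.2.3", "public", 9000, 10),
]

if __name__ == "__main__":
    for fw, pkts in shunt(POLICY, SAMPLE, VM_GROUPS).items():
        print(fw, len(pkts))
```

The period dimension is evaluated against the switch's clock, not a timestamp inside the traffic, since a source VM controls everything inside its own packets; the same reasoning is why the source and target groups are keyed on the address the switch sees on its port rather than on any field the VM writes.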
304. Cleaning the data traffic in the virtual firewall.
The virtual firewall contains a security rule base which records the various security rules used for data security inspection. In this embodiment, cleaning the data traffic on the basis of the security rule base comprises applying at least one of the following to the data traffic:
1. abnormal request detection;
2. enforced input validation;
3. security vulnerability remediation;
4. anomaly rule/model inspection;
5. state management;
6. hidden form field protection;
7. anti-intrusion evasion handling;
8. response monitoring;
9. information leakage protection.
The virtual firewall cleans the data traffic on the basis of one or more of the above rules. Data traffic with no potential security risk is not processed at all and is taken directly as secure data traffic; data traffic with a potential security risk is repaired by the virtual firewall to obtain secure data traffic; data traffic that cannot be repaired (for example abnormal access whose purpose is to launch a flooding attack) is discarded outright by the virtual firewall.
In this embodiment, the security rule base used by the virtual firewall may be written into the firewall when the firewall product leaves the factory, or may be configured and issued by the cloud platform after the virtual firewall is deployed. After the security rule base has been configured for the first time, the virtual firewall may have the rule base updated by the cloud platform regularly or irregularly.
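The three outcomes of step 304 (pass untouched, repair, discard) applied through a small rule base, as an added example that is not the patent's rule base or code. It implements four of the nine listed checks: abnormal request detection, enforced input validation and hidden form field protection on the request side, and response monitoring with information leakage protection on the response side. The rule base, the per-firewall signing key and the sample messages are constructed; a deployed firewall would receive the rule base from the cloud platform rather than hard-code it. Hidden form field protection is done the usual WAF way, which the text does not spell out: the firewall signs the hidden fields it lets out in a response and verifies the signature when the form is posted back.

```python
"""Rule-base cleaning of HTTP requests and responses (step 304).

Added example, not the patent's rule base.  The rule base, signing key and
sample messages are constructed for the demonstration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

RULE_BASE = {
    "allowed_methods": {"GET", "POST", "HEAD"},
    "abnormal_path": re.compile(r"(\.\./|%2e%2e|%00|\x00)", re.IGNORECASE),
    "input_patterns": {"id": re.compile(r"^\d{1,10}$"),
                       "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")},
    "hidden_fields": {"price"},                   # server-set fields a client must not alter
    "leak_headers": {"Server", "X-Powered-By"},
    "leak_body": re.compile(r"Traceback \(most recent call last\)|ORA-\d{5}|"
                            r"at [\w.$]+\(\w+\.java:\d+\)"),
}
SIGNING_KEY = b"constructed-demo-key"   # assumption: a per-firewall secret; not in the patent


@dataclass
class Message:
    """Minimal HTTP request or response as the firewall sees it."""
    method: str = "GET"
    path: str = "/"
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Verdict:
    action: str          # "pass", "repair" or "drop"
    reasons: list
    message: Message     # the (possibly repaired) message to forward when not dropped


def sign_hidden(fields, key=SIGNING_KEY):
    """HMAC over the hidden fields the firewall let out in an earlier response,
    so a value altered by the client is detected when the form is posted back."""
    canon = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def clean_request(req, rules=RULE_BASE, key=SIGNING_KEY):
    """Request-side rules.  A request that trips any of them cannot be repaired
    without guessing the client's intent, so it is discarded outright."""
    reasons = []
    if req.method not in rules["allowed_methods"]:
        reasons.append(f"abnormal request: method {req.method}")
    if rules["abnormal_path"].search(req.path):
        reasons.append("abnormal request: traversal or NUL in path")
    for name, pattern in rules["input_patterns"].items():
        if name in req.params and not pattern.fullmatch(str(req.params[name])):
            reasons.append(f"input validation failed: {name}")
    hidden = {k: req.params[k] for k in rules["hidden_fields"] if k in req.params}
    if hidden:
        expected = sign_hidden(hidden, key).encode()
        supplied = str(req.params.get("_sig", "")).encode()
        if not hmac.compare_digest(expected, supplied):
            reasons.append("hidden form field tampered or unsigned")
    return Verdict("drop" if reasons else "pass", reasons, req)


def clean_response(resp, rules=RULE_BASE):
    """Response-side rules: leaks are repaired rather than dropped, since the
    client is owed an answer, just not the stack trace or the server version."""
    reasons = []
    headers = {k: v for k, v in resp.headers.items() if k not in rules["leak_headers"]}
    if len(headers) != len(resp.headers):
        reasons.append("information leakage: version headers stripped")
    body = resp.body
    if rules["leak_body"].search(body):
        body = "Internal error"
        reasons.append("information leakage: error details replaced")
    repaired = Message(resp.method, resp.path, dict(resp.params), headers, body)
    return Verdict("repair" if reasons else "pass", reasons, repaired)
```

A request with `id=42` on `/item` passes untouched; `/../../etc/passwd` with `id=42 OR 1=1` is dropped with two reasons; a posted `price` whose `_sig` does not match the value the firewall signed is dropped; a response carrying a `Server` header and a Python traceback is forwarded with the header removed and the body replaced, which is the "repaired" case of the text.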
305. Forwarding the secure data traffic to the corresponding target virtual machine according to the destination IP address in the packet field.
The virtual firewall returns the secure data traffic to virtual switching device X, and virtual switching device X sends the secure data traffic to the target virtual machine.
In this embodiment, the data traffic sent by the source virtual machine carries a destination IP address in a specific field of each packet, which is generally the IP address of the target virtual machine. The data cleaning performed by the virtual firewall does not change the content of this field, so virtual switching device X can route the cleaned secure data traffic to the target virtual machine on the basis of the destination IP address in this field.
Further, as an improvement of the embodiments shown in Fig. 2 or Fig. 3, in another embodiment of the invention the cleaned data traffic may also be given a field mark. The virtual switching device must receive both the uncleaned data traffic sent by the source virtual machine and the cleaned secure data traffic returned by the virtual firewall. So that the virtual switching device can tell the different data flows apart and cleaned traffic is not steered into the virtual firewall a second time, this embodiment marks a field in the cleaned data traffic; correspondingly, data traffic without the field mark is uncleaned data traffic. Alternatively, different field marks may be applied to cleaned and to uncleaned data traffic respectively.
In this embodiment, the field mark may be applied by the virtual firewall or by the virtual switching device. In the latter case, the virtual switching device can distinguish traffic by its origin: for example, data traffic originating from a virtual machine is marked as uncleaned and data traffic originating from the virtual firewall is marked as cleaned.
Based on the mark, the virtual switching device follows different procedures: data traffic that has no field mark or is marked as uncleaned is steered into the virtual firewall for cleaning; data traffic that has a field mark or is marked as cleaned is treated as secure data traffic and forwarded to the corresponding target virtual machine.
This embodiment only describes the marking of data traffic qualitatively and does not limit the marking entity, the time of marking or the specific form of the mark. In practice the virtual switching device may, for example, distinguish the two cases by 0/1 or true/false; this embodiment does not enumerate the alternatives exhaustively.
The above embodiments illustrate the method provided by the invention. In practice the virtual firewall described above may be a website-level virtual WAF. Besides the functions of the security rule base described above, a virtual WAF also has basic functions such as virtual machine auditing, virtual machine access control, architecture design and Web application hardening. Two specific application scenarios of the invention are given below, taking a virtual WAF as the example.
Scenario one: monitoring data traffic across virtual switching devices
As shown in Fig. 6, in one host machine, virtual machines 1, 2 and 3 are attached to virtual switching device X and virtual machines 4, 5, 6 and 7 are attached to virtual switching device Y. Virtual WAF a is deployed on virtual switching device X and virtual WAF b on virtual switching device Y. When virtual machine 1 sends data traffic k to virtual machine 4, data traffic k is sent by virtual machine 1, reaches virtual WAF a via virtual switching device X and is cleaned, is then passed from virtual switching device X to virtual switching device Y, is cleaned again by virtual WAF b via virtual switching device Y, and finally reaches virtual machine 4 via virtual switching device Y.
To avoid the waste of resources caused by cleaning twice, data traffic k may be given a field mark: if virtual WAF a has not cleaned it, data traffic k is marked "1", so that virtual switching device Y steers data traffic k into virtual WAF b for cleaning according to this mark; if virtual WAF a has cleaned it, data traffic k is marked "0", so that virtual switching device Y sends data traffic k directly to virtual machine 4 according to this mark.
Scenario two: monitoring data traffic across host machines
As shown in Fig. 7, in host machine M virtual machines 1, 2 and 3 are attached to virtual switching device X, and in host machine N virtual machines 4, 5, 6 and 7 are attached to virtual switching device Y. Virtual WAF a is deployed on virtual switching device X and virtual WAF b on virtual switching device Y. When virtual machine 1 sends data traffic k to virtual machine 4, data traffic k is monitored and cleaned in the same way as in scenario one above, which is not repeated here.
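The full path of traffic k through two switches and two WAFs with the "1"/"0" field mark, covering both the marking embodiment of step 305 and scenarios one and two, as an added example that is not the patent's code. The switch and VM layout is constructed to match Fig. 6 (scenario two differs only in the uplink between X and Y being a link between hosts). The mark is applied by the switch from the ingress port, as the text allows, and the example makes explicit the check that this implies: a mark arriving on a VM port is never believed, because the VM could have written it itself, so such a frame is re-marked uncleaned and steered to the WAF regardless.

```python
"""Cross-switch forwarding with a 'cleaned' field mark (scenarios one and two,
and the marking embodiment of step 305).  Added example, not the patent's code.
Layout constructed to match Fig. 6; the mark is the patent's "1"/"0"."""
from dataclasses import dataclass, replace

UNCLEANED, CLEANED = "1", "0"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str
    mark: str = UNCLEANED


class VirtualWAF:
    """Stand-in for virtual WAF a / b: discards payloads matching a constructed
    signature list and counts how often it was invoked."""
    def __init__(self, name, signatures):
        self.name, self.signatures, self.cleaned, self.dropped = name, signatures, 0, 0

    def clean(self, frame):
        self.cleaned += 1
        if any(sig in frame.payload for sig in self.signatures):
            self.dropped += 1
            return None                        # unrepairable: discarded outright
        return replace(frame, mark=CLEANED)    # dst untouched (step 305), mark set


class VirtualSwitch:
    def __init__(self, name, vms, waf):
        self.name, self.vms, self.waf = name, set(vms), waf
        self.peers = {}        # switches reachable over the uplink (same host or another host)
        self.delivered = []    # frames handed to a local VM
        self.dropped = []

    def connect(self, other):
        self.peers[other.name] = other
        other.peers[self.name] = self

    def ingress(self, frame, port):
        """`port` is where the frame came in: 'vm', 'waf' or 'uplink'.
        A mark is only believed when the switch knows who set it: anything
        arriving on a VM port is re-marked uncleaned whatever it claims."""
        if port == "vm":
            frame = replace(frame, mark=UNCLEANED)
        if frame.mark != CLEANED:
            cleaned = self.waf.clean(frame)
            if cleaned is None:
                self.dropped.append(frame)
                return None
            return self.ingress(cleaned, "waf")
        # Cleaned: forward by destination address only (step 305).
        if frame.dst in self.vms:
            self.delivered.append(frame)
            return frame
        for peer in self.peers.values():
            if frame.dst in peer.vms:
                return peer.ingress(frame, "uplink")   # Y trusts X's mark: no second cleaning
        self.dropped.append(frame)                     # unknown destination
        return None


def build_fig6():
    """Switch X with VMs 1-3 and WAF a, switch Y with VMs 4-7 and WAF b."""
    x = VirtualSwitch("X", [f"192.168.2.{i}" for i in (1, 2, 3)], VirtualWAF("a", ["<script>"]))
    y = VirtualSwitch("Y", [f"192.168.2.{i}" for i in (4, 5, 6, 7)], VirtualWAF("b", ["<script>"]))
    x.connect(y)
    return x, y


def run_scenario():
    """Send traffic k from VM1 to VM4; return the delivered frame and how
    often each WAF ran.  Expected: delivered with mark "0", a once, b never."""
    x, y = build_fig6()
    k = Frame("192.168.2.1", "192.168.2.4", "GET /index.html")
    out = x.ingress(k, "vm")
    return out, x.waf.cleaned, y.waf.cleaned


if __name__ == "__main__":
    print(run_scenario())
```

The uplink is the only port on which a "0" mark is accepted, so it must carry traffic between switches only; if a VM could inject frames onto it, the mark would become a bypass of both WAFs. The cross-host case of scenario two has the same requirement on the inter-host link.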
Further, as an implementation of the above method, another embodiment of the present invention provides a cloud-platform-based virtual traffic monitoring device. The device can be located in a host, which is also called a physical machine or virtualization server. As shown in Figure 8, the device comprises:
a deployment unit 81, for deploying a virtual firewall in the host;
a monitoring unit 82, for monitoring, through a virtual switching device, the data traffic generated by a source virtual machine, and drawing the monitored data traffic into the virtual firewall deployed by the deployment unit 81 according to a traction policy issued by the cloud platform;
a processing unit 83, for cleaning, by the virtual firewall deployed by the deployment unit 81, the data traffic drawn by the monitoring unit 82, to obtain secure data traffic;
a transmitting unit 84, for forwarding the secure data traffic obtained by the processing unit 83 to the corresponding target virtual machine.
Further, the deployment unit 81 is used to deploy the virtual firewall on the virtual switching device.
Further, the deployment unit 81 is used to:
obtain the network segment of the virtual machines that are the monitored objects;
dynamically deploy the virtual firewall on the virtual switching device corresponding to that network segment.
Further, as shown in Figure 9, the monitoring unit 82 comprises:
a shunting module 821, for shunting the data traffic according to the traction policy;
a traction module 822, for selectively drawing the shunted data traffic obtained by the shunting module 821 into the virtual firewall.
Further, the traction policy used by the monitoring unit 82 shunts the data traffic on at least one of the following dimensions:
packet type, packet size, source virtual machine group, target virtual machine group, and time period.
Further, the processing unit 83 is used to perform at least one of the following processes on the data traffic:
abnormal request detection, enhanced input validation, patching of security vulnerabilities, anomaly rule/model detection, state management, hidden form field protection, anti-intrusion-evasion processing, response supervision, and information leakage protection.
Further, the transmitting unit 84 is used to forward the secure data traffic to the corresponding target virtual machine according to the destination IP (Internet Protocol) address field of the packets.
Further, as shown in Figure 9, the device further comprises:
an updating unit 85, for updating, through the cloud platform, the security rule base of the virtual firewall deployed by the deployment unit 81.
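As an added example, not code from the patent or from its applicant: a toy rule-driven version of the processing unit's cleaning (abnormal request detection, input validation, response supervision and information leakage protection) together with the updating unit's acceptance of a new security rule base pushed by the cloud platform. The JSON rule document format, the signatures, the HttpRequest shape and the version check are all assumptions; the patent only names the processing categories.

```python
"""Toy cleaning step for a virtual WAF plus a rule-base update check.
Illustrative only: rule format, signatures and request shape are assumptions."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote

# Constructed rule base, standing in for what the cloud platform would push.
_BASE = {
    "version": 1,
    "signatures": {
        "sqli": r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1)",
        "xss": r"(?i)<\s*script\b|javascript:",
        "traversal": r"\.\./",
    },
    "max_param_len": 256,
    "leak_patterns": [r"Traceback \(most recent call last\)", r"ORA-\d{5}"],
}
CLOUD_RULES_V1 = json.dumps(_BASE)
# A later push from the platform that adds one signature (command injection).
CLOUD_RULES_V2 = json.dumps({**_BASE, "version": 2,
                             "signatures": {**_BASE["signatures"],
                                            "cmdi": r"[;|`]\s*(cat|id|whoami)\b"}})


@dataclass
class HttpRequest:
    method: str
    path: str
    query: str = ""
    body: str = ""      # form-encoded body, the only kind this toy parses


@dataclass
class RuleBase:
    version: int
    signatures: dict    # name -> compiled regex, applied to every parameter
    max_param_len: int
    leak_patterns: list # compiled regexes applied to response bodies


def load_rules(rule_json: str) -> RuleBase:
    """Parse a rule document and compile its regexes once."""
    doc = json.loads(rule_json)
    return RuleBase(
        version=int(doc["version"]),
        signatures={n: re.compile(p) for n, p in doc["signatures"].items()},
        max_param_len=int(doc["max_param_len"]),
        leak_patterns=[re.compile(p) for p in doc["leak_patterns"]],
    )


def apply_update(current: RuleBase, rule_json: str) -> RuleBase:
    """Updating unit: accept a pushed rule base only if its version is newer,
    so a replayed or stale document cannot roll the virtual WAF back."""
    candidate = load_rules(rule_json)
    return candidate if candidate.version > current.version else current


def clean_request(req: HttpRequest, rules: RuleBase) -> tuple:
    """Abnormal request detection and input validation over the path and all
    query/body parameters. Returns (is_safe, findings)."""
    findings = []
    fields = [("path", unquote(req.path))]
    fields += parse_qsl(req.query, keep_blank_values=True)
    fields += parse_qsl(req.body, keep_blank_values=True)
    for key, value in fields:
        if len(value) > rules.max_param_len:
            findings.append(f"oversize:{key}")
        for name, pattern in rules.signatures.items():
            if pattern.search(value):
                findings.append(f"{name}:{key}")
    return (not findings, findings)


def supervise_response(body: str, rules: RuleBase) -> list:
    """Response supervision / information leakage protection: the leak
    patterns found in a response body (the caller would then mask it)."""
    return [p.pattern for p in rules.leak_patterns if p.search(body)]
```

The version check in apply_update is the one point worth carrying into a real deployment: a rule push channel that accepts any document lets whoever can reach it downgrade the WAF, so pushes should be versioned and, in practice, signed by the platform.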
Further, as shown in Figure 9, the device further comprises:
a marking unit 86, for applying a field mark to the secure data traffic after the processing unit 83 obtains it;
the monitoring unit 82, for drawing into the virtual firewall, according to the traction policy issued by the cloud platform, the data traffic to which the marking unit 86 has not applied a field mark;
the transmitting unit 84, for forwarding to the corresponding target virtual machine the secure data traffic to which the marking unit 86 has applied a field mark.
Further, the virtual firewall deployed by the deployment unit 81 is a virtual WAF.
With the cloud-platform-based virtual traffic monitoring device provided by the present invention, a virtual firewall for traffic cleaning can be deployed in the host; the data traffic exchanged between virtual machines is monitored by the virtual switching device and drawn into the virtual firewall for cleaning, thereby ensuring the security of the data traffic. Compared with the prior art, the present invention can ensure network security in a virtualized environment by means of a virtual firewall deployed in the host.
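The traction path of scenarios one and two above (the field mark that stops the destination host from cleaning traffic a second time) and the deployment, monitoring and transmitting units just described, as an added example that is not part of the patent: a Python simulation with host M (virtual switching device X), host N (virtual switching device Y) and a third, unmonitored switching device Z. The addresses, VM groups, the policy schema and the encoding of the mark as a boolean packet field are assumptions; the patent's mark values are the strings "1" (not cleaned) and "0" (cleaned), and it names the five policy dimensions without fixing a format.

```python
"""Simulation of policy-based traffic traction between vSwitches and vWAFs.
Illustrative only: topology, groups, policy schema and mark encoding are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    pkt_type: str          # dimension 1: packet type, e.g. "http"
    size: int              # dimension 2: packet size in bytes
    hour: int              # dimension 5: hour of day (the "time period")
    payload: str = ""
    cleaned: bool = False  # the field mark; True once a vWAF has cleaned it


@dataclass
class TractionPolicy:
    """Policy issued by the cloud platform. Every dimension is optional; a
    packet is drawn to the vWAF only if all constrained dimensions match."""
    pkt_types: Optional[set] = None
    max_size: Optional[int] = None
    src_groups: Optional[set] = None   # dimension 3: source VM group
    dst_groups: Optional[set] = None   # dimension 4: target VM group
    hours: Optional[range] = None

    def should_draw(self, pkt: Packet, group_of: dict) -> bool:
        return all([
            self.pkt_types is None or pkt.pkt_type in self.pkt_types,
            self.max_size is None or pkt.size <= self.max_size,
            self.src_groups is None or group_of.get(pkt.src_ip) in self.src_groups,
            self.dst_groups is None or group_of.get(pkt.dst_ip) in self.dst_groups,
            self.hours is None or pkt.hour in self.hours,
        ])


class VirtualWAF:
    def __init__(self, name: str):
        self.name = name
        self.cleaned = 0   # packets this instance has inspected

    def clean(self, pkt: Packet) -> Optional[Packet]:
        """Inspect the packet; return it carrying the mark, or None to drop it.
        One constructed signature stands in for the real rule base."""
        self.cleaned += 1
        if "<script" in pkt.payload.lower():
            return None
        pkt.cleaned = True
        return pkt


class VirtualSwitch:
    def __init__(self, name: str, segment: str):
        self.name = name
        self.segment = ipaddress.ip_network(segment)
        self.waf: Optional[VirtualWAF] = None


def deploy_wafs(switches: list, monitored_ips: list) -> list:
    """Deployment unit: place a vWAF on each vSwitch whose segment contains a
    monitored VM and leave the others alone. Returns the equipped names."""
    for sw in switches:
        if any(ipaddress.ip_address(ip) in sw.segment for ip in monitored_ips):
            sw.waf = VirtualWAF("waf_" + sw.name)
    return [sw.name for sw in switches if sw.waf is not None]


def switch_for(ip: str, switches: list) -> VirtualSwitch:
    addr = ipaddress.ip_address(ip)
    return next(sw for sw in switches if addr in sw.segment)


def forward(pkt: Packet, switches: list, policy: TractionPolicy, group_of: dict) -> list:
    """Carry one packet from its source vSwitch to the target VM. A vSwitch
    draws the packet to its vWAF only if the policy matches and the packet
    does not already carry the mark; delivery is by destination IP."""
    trace = []
    src_sw, dst_sw = switch_for(pkt.src_ip, switches), switch_for(pkt.dst_ip, switches)
    for sw in (src_sw, dst_sw):
        if sw.waf and not pkt.cleaned and policy.should_draw(pkt, group_of):
            trace.append(f"{sw.name}:draw->{sw.waf.name}")
            pkt = sw.waf.clean(pkt)
            if pkt is None:
                trace.append(f"{sw.name}:dropped")
                return trace
    trace.append(f"{dst_sw.name}:deliver->{pkt.dst_ip}")
    return trace


def build_topology():
    """Constructed topology: X (host M, VMs 1-3), Y (host N, VMs 4-7), and an
    unmonitored Z; only X and Y receive a vWAF."""
    switches = [VirtualSwitch("X", "10.0.1.0/24"),
                VirtualSwitch("Y", "10.0.2.0/24"),
                VirtualSwitch("Z", "10.0.3.0/24")]
    group_of = {"10.0.1.1": "web", "10.0.1.2": "web", "10.0.1.3": "db",
                "10.0.2.4": "web", "10.0.2.5": "web", "10.0.2.6": "db",
                "10.0.2.7": "db", "10.0.3.8": "mgmt"}
    deploy_wafs(switches, monitored_ips=["10.0.1.1", "10.0.2.4"])
    policy = TractionPolicy(pkt_types={"http"}, max_size=1500,
                            dst_groups={"web"}, hours=range(8, 20))
    return switches, policy, group_of
```

In this simulation the mark is a field of the packet object itself. In a real deployment it has to be set and read by the switching layer, never taken from a header the guest controls: a virtual machine that could write the "cleaned" value into its own packets would bypass both vWAFs.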
Embodiments of the invention disclose:
A1. A cloud-platform-based virtual traffic monitoring method, characterized in that the method comprises:
deploying a virtual firewall in a host;
monitoring, through a virtual switching device, the data traffic generated by a source virtual machine, and drawing the monitored data traffic into the virtual firewall according to a traction policy issued by the cloud platform;
cleaning the data traffic by the virtual firewall to obtain secure data traffic;
forwarding the secure data traffic to the corresponding target virtual machine.
A2. The method according to claim A1, characterized in that deploying a virtual firewall in a host comprises:
deploying the virtual firewall on the virtual switching device.
A3. The method according to claim A2, characterized in that deploying the virtual firewall on the virtual switching device comprises:
obtaining the network segment of the virtual machines that are the monitored objects;
dynamically deploying the virtual firewall on the virtual switching device corresponding to that network segment.
A4. The method according to claim A1, characterized in that drawing the monitored data traffic into the virtual firewall according to the traction policy issued by the cloud platform comprises:
shunting the data traffic according to the traction policy;
selectively drawing the shunted data traffic into the virtual firewall.
A5. The method according to claim A4, characterized in that the traction policy shunts the data traffic on at least one of the following dimensions:
packet type, packet size, source virtual machine group, target virtual machine group, and time period.
A6. The method according to claim A1, characterized in that cleaning the data traffic by the virtual firewall comprises performing at least one of the following processes on the data traffic:
abnormal request detection, enhanced input validation, patching of security vulnerabilities, anomaly rule/model detection, state management, hidden form field protection, anti-intrusion-evasion processing, response supervision, and information leakage protection.
A7. The method according to claim A6, characterized in that forwarding the secure data traffic to the corresponding target virtual machine comprises:
forwarding the secure data traffic to the corresponding target virtual machine according to the destination IP (Internet Protocol) address field of the packets.
A8. The method according to claim A6, characterized in that the method further comprises:
updating the security rule base of the virtual firewall through the cloud platform.
A9. The method according to any one of claims A1 to A8, characterized in that, after obtaining the secure data traffic, the method further comprises:
applying a field mark to the secure data traffic;
and drawing the monitored data traffic into the virtual firewall according to the traction policy issued by the cloud platform comprises:
drawing the data traffic that carries no field mark into the virtual firewall according to the traction policy issued by the cloud platform;
and forwarding the secure data traffic to the corresponding target virtual machine comprises:
forwarding the secure data traffic that carries the field mark to the corresponding target virtual machine.
A10. The method according to any one of claims A1 to A8, characterized in that the virtual firewall is a virtual web application firewall (WAF).
B11. A cloud-platform-based virtual traffic monitoring device, characterized in that the device comprises:
a deployment unit, for deploying a virtual firewall in a host;
a monitoring unit, for monitoring, through a virtual switching device, the data traffic generated by a source virtual machine, and drawing the monitored data traffic into the virtual firewall deployed by the deployment unit according to a traction policy issued by the cloud platform;
a processing unit, for cleaning, by the virtual firewall deployed by the deployment unit, the data traffic drawn by the monitoring unit, to obtain secure data traffic;
a transmitting unit, for forwarding the secure data traffic obtained by the processing unit to the corresponding target virtual machine.
B12. The device according to claim B11, characterized in that the deployment unit is used to deploy the virtual firewall on the virtual switching device.
B13. The device according to claim B12, characterized in that the deployment unit is used to:
obtain the network segment of the virtual machines that are the monitored objects;
dynamically deploy the virtual firewall on the virtual switching device corresponding to that network segment.
B14. The device according to claim B11, characterized in that the monitoring unit comprises:
a shunting module, for shunting the data traffic according to the traction policy;
a traction module, for selectively drawing the shunted data traffic obtained by the shunting module into the virtual firewall.
B15. The device according to claim B14, characterized in that the traction policy used by the monitoring unit shunts the data traffic on at least one of the following dimensions:
packet type, packet size, source virtual machine group, target virtual machine group, and time period.
B16. The device according to claim B11, characterized in that the processing unit is used to perform at least one of the following processes on the data traffic:
abnormal request detection, enhanced input validation, patching of security vulnerabilities, anomaly rule/model detection, state management, hidden form field protection, anti-intrusion-evasion processing, response supervision, and information leakage protection.
B17. The device according to claim B16, characterized in that the transmitting unit is used to forward the secure data traffic to the corresponding target virtual machine according to the destination IP (Internet Protocol) address field of the packets.
B18. The device according to claim B16, characterized in that the device further comprises:
an updating unit, for updating, through the cloud platform, the security rule base of the virtual firewall deployed by the deployment unit.
B19. The device according to any one of claims B11 to B18, characterized in that the device further comprises:
a marking unit, for applying a field mark to the secure data traffic after the processing unit obtains it;
the monitoring unit, for drawing into the virtual firewall, according to the traction policy issued by the cloud platform, the data traffic to which the marking unit has not applied a field mark;
the transmitting unit, for forwarding to the corresponding target virtual machine the secure data traffic to which the marking unit has applied a field mark.
B20. The device according to any one of claims B11 to B18, characterized in that the virtual firewall deployed by the deployment unit is a virtual web application firewall (WAF).
In the above embodiments, the description of each embodiment has its own emphasis; for any part not described in detail in one embodiment, refer to the related description of the other embodiments.
It will be understood that the related features of the above method and device may be referred to one another. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate that one embodiment is better or worse than another.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are described in the specification provided herein. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the present invention (such as the device for determining the internal link level of a website). The present invention may also be implemented as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering. These words may be interpreted as names.

Claims (10)

1. A cloud-platform-based virtual traffic monitoring method, characterized in that the method comprises:
deploying a virtual firewall in a host;
monitoring, through a virtual switching device, the data traffic generated by a source virtual machine, and drawing the monitored data traffic into the virtual firewall according to a traction policy issued by the cloud platform;
cleaning the data traffic by the virtual firewall to obtain secure data traffic;
forwarding the secure data traffic to the corresponding target virtual machine.
2. The method according to claim 1, characterized in that deploying a virtual firewall in a host comprises:
deploying the virtual firewall on the virtual switching device.
3. The method according to claim 2, characterized in that deploying the virtual firewall on the virtual switching device comprises:
obtaining the network segment of the virtual machines that are the monitored objects;
dynamically deploying the virtual firewall on the virtual switching device corresponding to that network segment.
4. The method according to claim 1, characterized in that drawing the monitored data traffic into the virtual firewall according to the traction policy issued by the cloud platform comprises:
shunting the data traffic according to the traction policy;
selectively drawing the shunted data traffic into the virtual firewall.
5. The method according to claim 4, characterized in that the traction policy shunts the data traffic on at least one of the following dimensions:
packet type, packet size, source virtual machine group, target virtual machine group, and time period.
6. The method according to claim 1, characterized in that cleaning the data traffic by the virtual firewall comprises performing at least one of the following processes on the data traffic:
abnormal request detection, enhanced input validation, patching of security vulnerabilities, anomaly rule/model detection, state management, hidden form field protection, anti-intrusion-evasion processing, response supervision, and information leakage protection.
7. The method according to claim 6, characterized in that forwarding the secure data traffic to the corresponding target virtual machine comprises:
forwarding the secure data traffic to the corresponding target virtual machine according to the destination IP (Internet Protocol) address field of the packets.
8. The method according to claim 6, characterized in that the method further comprises:
updating the security rule base of the virtual firewall through the cloud platform.
9. The method according to any one of claims 1 to 8, characterized in that, after obtaining the secure data traffic, the method further comprises:
applying a field mark to the secure data traffic;
and drawing the monitored data traffic into the virtual firewall according to the traction policy issued by the cloud platform comprises:
drawing the data traffic that carries no field mark into the virtual firewall according to the traction policy issued by the cloud platform;
and forwarding the secure data traffic to the corresponding target virtual machine comprises:
forwarding the secure data traffic that carries the field mark to the corresponding target virtual machine.
10. A cloud-platform-based virtual traffic monitoring device, characterized in that the device comprises:
a deployment unit, for deploying a virtual firewall in a host;
a monitoring unit, for monitoring, through a virtual switching device, the data traffic generated by a source virtual machine, and drawing the monitored data traffic into the virtual firewall deployed by the deployment unit according to a traction policy issued by the cloud platform;
a processing unit, for cleaning, by the virtual firewall deployed by the deployment unit, the data traffic drawn by the monitoring unit, to obtain secure data traffic;
a transmitting unit, for forwarding the secure data traffic obtained by the processing unit to the corresponding target virtual machine.
Application CN201510364392.4A (priority date 2015-06-26, filing date 2015-06-26): Virtual flow monitoring method based on cloud platform and device thereof. Status: Pending. Publication: CN104917653A (en).


Publications (1)

Publication Number Publication Date
CN104917653A true CN104917653A (en) 2015-09-16


Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105320884A (en) * 2015-11-02 2016-02-10 南京安贤信息科技有限公司 Security protection method and system for virtual machine
CN105577702A (en) * 2016-03-15 2016-05-11 耿童童 Virtual machine level security protection system and method
CN105897766A (en) * 2016-06-16 2016-08-24 中电长城网际系统应用有限公司 Virtual network flow security control method and device
CN106059939A (en) * 2016-05-19 2016-10-26 杭州华三通信技术有限公司 Message forwarding method and device
CN106411863A (en) * 2016-09-14 2017-02-15 南京安贤信息科技有限公司 Virtualization platform for processing network traffic of virtual switches in real time
CN106453333A (en) * 2016-10-19 2017-02-22 深圳市深信服电子科技有限公司 Method and device for creating firewall rule of virtualization platform
CN106534346A (en) * 2016-12-07 2017-03-22 北京奇虎科技有限公司 Virtual WAF-based flow control method, apparatus and system
CN106790091A (en) * 2016-12-23 2017-05-31 深圳市深信服电子科技有限公司 A kind of cloud security guard system and flow cleaning method
CN106789981A (en) * 2016-12-07 2017-05-31 北京奇虎科技有限公司 Flow control methods, apparatus and system based on WAF
CN106850382A (en) * 2016-12-05 2017-06-13 北京神州绿盟信息安全科技股份有限公司 A kind of flow lead method and device
CN107046546A (en) * 2017-05-18 2017-08-15 郑州云海信息技术有限公司 A kind of network safety control method and device
CN107205007A (en) * 2016-03-18 2017-09-26 上海有云信息技术有限公司 Web fire walls transparent mode data spreads transmission method under a kind of cloud environment
CN107205006A (en) * 2016-03-18 2017-09-26 上海有云信息技术有限公司 A kind of unified Web safety protecting methods towards website intensive construction
CN107360058A (en) * 2017-07-12 2017-11-17 郑州云海信息技术有限公司 A kind of method and device for realizing traffic monitoring
CN107707478A (en) * 2017-09-30 2018-02-16 迈普通信技术股份有限公司 Data forwarding method and equipment
CN107872443A (en) * 2016-09-28 2018-04-03 深圳市深信服电子科技有限公司 Virtual network security protection system, flow lead method and device
CN108156153A (en) * 2017-12-22 2018-06-12 国家电网公司 A kind of differential section means of defence based on distributed security domain
CN108156079A (en) * 2017-12-29 2018-06-12 深信服网络科技(深圳)有限公司 A kind of data packet forwarding system and method based on cloud service platform
CN108200038A (en) * 2017-12-28 2018-06-22 山东浪潮云服务信息科技有限公司 A kind of secure virtual machine means of defence, device, readable medium and storage control
CN109088827A (en) * 2018-07-11 2018-12-25 新华三云计算技术有限公司 virtual machine traffic processing method, device and host
CN110825491A (en) * 2019-10-31 2020-02-21 福建天晴在线互动科技有限公司 Virtual environment detection method based on firewall registry characteristics
CN110896403A (en) * 2019-12-31 2020-03-20 沈阳骏杰卓越软件科技有限公司 Application firewall architecture
CN111224922A (en) * 2018-11-26 2020-06-02 顺丰科技有限公司 Distributed security group module access control method and system
CN111953661A (en) * 2020-07-23 2020-11-17 深圳供电局有限公司 SDN-based east-west flow security protection method and system
CN112118248A (en) * 2020-09-11 2020-12-22 苏州浪潮智能科技有限公司 Method and device for detecting abnormal flow of cloud platform virtual machine, virtual machine and system
CN112437072A (en) * 2020-11-17 2021-03-02 广州西麦科技股份有限公司 Virtual machine flow traction system, method, equipment and medium in cloud platform
CN112532621A (en) * 2020-11-26 2021-03-19 杭州迪普科技股份有限公司 Flow cleaning method and device, electronic equipment and storage medium
CN112910705A (en) * 2021-02-02 2021-06-04 杭州安恒信息技术股份有限公司 Method, device and storage medium for arranging network flow
CN113824799A (en) * 2021-11-22 2021-12-21 南京中孚信息技术有限公司 High-performance network security intelligent shunt control technology and device
CN114363035A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Flow traction method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023912A (en) * 2012-12-26 2013-04-03 蓝盾信息安全技术股份有限公司 Method for preventing network attacks based on virtual machines
CN103354530A (en) * 2013-07-18 2013-10-16 北京启明星辰信息技术股份有限公司 Virtualization network boundary data flow gathering method and apparatus
CN103701822A (en) * 2013-12-31 2014-04-02 曙光云计算技术有限公司 Access control method
CN104301321A (en) * 2014-10-22 2015-01-21 北京启明星辰信息技术股份有限公司 Method and system for achieving distributed network safety protection
CN104660554A (en) * 2013-11-19 2015-05-27 北京天地超云科技有限公司 Method for implementing communication data security of virtual machines




Legal Events

Code  Title / Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C41   Transfer of patent application or patent right or utility model
TA01  Transfer of patent application right
      Effective date of registration: 20161122
      Address after: No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100088, building 15, floor 17, 1701-26, 3
      Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.
      Address before: Room 112, Block D, No. 28 Xinjiekouwai Street (Desheng Park), Xicheng District, Beijing 100088
      Applicant before: Beijing Qihu Technology Co., Ltd.
RJ01  Rejection of invention patent application after publication
      Application publication date: 20150916