CN104994094B - Virtual platform safety protecting method based on virtual switch, device and system - Google Patents


Info

Publication number: CN104994094B
Authority: CN (China)
Prior art keywords: packet, network security, security policy, information, interface
Legal status: Active
Application number: CN201510379913.3A
Other languages: Chinese (zh)
Other versions: CN104994094A (en)
Inventor: 汪圣平
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd, Beijing Qianxin Technology Co Ltd
Priority to: CN201510379913.3A
Publication of: CN104994094A
Application granted
Publication of: CN104994094B

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/02 ... for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F9/00 Arrangements for program control, e.g. control units › G06F9/06 ... using stored programs, i.e. using an internal store of processing equipment to receive or retain programs › G06F9/44 Arrangements for executing specific programs › G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines › G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/02 ... for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies › H04L63/0263 Rule management
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/02 ... for separating internal from external traffic, e.g. firewalls › H04L63/0227 Filtering policies › H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 ... for detecting or protecting against malicious traffic › H04L63/1408 ... by monitoring network traffic › H04L63/1416 Event detection, e.g. attack signature detection

Abstract

An embodiment of the present invention provides a virtual switch based security protection method, device and system for a virtualization platform. A first interface in the virtual switch intercepts, on a communication link inside the virtual switch, a packet sent from a first device to a second device; the characteristic information in a data feature library that corresponds to the network security policy is used to detect whether the packet is safe; if it is, the packet is sent to the second device through a second interface in the virtual switch. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the latency of the communication interaction.

Description

Virtual platform safety protecting method based on virtual switch, device and system
Technical field
The present invention relates to the field of communication technology, and in particular to a virtual switch based security protection method, device and system for a virtualization platform.
Background technology
Devices on a virtualization platform communicate with each other through at least one virtual switch. These communication interactions include: communication from a physical machine to a virtual machine, communication from a virtual machine to a physical machine, and communication between virtual machines.
To ensure the communication security of the virtualization platform, the communication traffic of these interactions must be subjected to security detection. The prior art mainly does this by reconfiguring the ports of the devices taking part in the communication, so that all communication traffic passing through the virtual switches is redirected to an external security system for detection.
As can be seen, the prior art requires all communication traffic to be diverted to an external security system for detection. As communication traffic grows, importing and exporting large volumes of data lowers communication efficiency, and the external security system readily becomes a processing bottleneck, which degrades processing efficiency.
Summary of the invention
An embodiment of the present invention provides a virtual switch based security protection method, device and system for a virtualization platform. The technical scheme is as follows:
According to a first aspect of the embodiment of the present invention, a virtual switch based security protection method for a virtualization platform is provided. The method includes:
receiving a packet sent by a first interface in a virtual switch, the first interface being used to intercept, on a communication link in the virtual switch, a packet sent from a first device to a second device;
using a data feature library to detect whether the packet meets a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
if it is determined that the packet meets the network security policy, sending the packet that has passed security detection to the second device through a second interface in the virtual switch.
According to a second aspect of the embodiment of the present invention, a virtual switch based security protection device for a virtualization platform is provided. The device includes:
a receiving module, for receiving the packet sent by the first interface in the virtual switch, the first interface being used to intercept, on the communication link in the virtual switch, a packet sent from a first device to a second device;
a detection module, for using a data feature library to detect whether the packet meets a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
a sending module, for sending the packet that has passed security detection to the second device through the second interface in the virtual switch if it is determined that the packet meets the network security policy.
According to a third aspect of the embodiment of the present invention, a virtual switch based security protection system for a virtualization platform is provided. The system includes: a first device and a second device located on the virtualization platform, and a virtual switch. The first device and the second device are each either a physical machine on the virtualization platform or a virtual machine deployed in a physical machine, and the virtual switch includes the virtual switch based security protection device for a virtualization platform described above.
In the virtual switch based security protection method, device and system provided by the embodiment of the present invention, the first interface in the virtual switch intercepts, on the communication link in the virtual switch, a packet sent from the first device to the second device; the characteristic information in the data feature library corresponding to the network security policy is used to detect whether the packet is safe; if it is, the packet is sent to the second device through the second interface in the virtual switch. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the latency of the communication interaction.
It should be understood that the above general description and the following detailed description are merely exemplary and explanatory and do not limit the present invention.
Brief description of the drawings
To explain the embodiments of the present invention or the technical scheme of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention;
Fig. 3 is a flow chart of another virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention;
Fig. 4 is a flow chart of another virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention;
Fig. 5 is a flow chart of another virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of a virtual switch based security protection device for a virtualization platform provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of another virtual switch based security protection device for a virtualization platform provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of another virtual switch based security protection device for a virtualization platform provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of another virtual switch based security protection device for a virtualization platform provided by an embodiment of the present invention;
Fig. 10 is a structural diagram of another virtual switch based security protection device for a virtualization platform provided by an embodiment of the present invention;
Fig. 11 is a structural diagram of a virtual switch based security protection system for a virtualization platform provided by an embodiment of the present invention.
The above drawings show specific embodiments of the present invention, which are described in more detail below. These drawings and the written description are not intended to limit the scope of the inventive concept in any way, but to illustrate the concept of the invention to those skilled in the art by reference to specific embodiments.
Detailed description of the invention
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme in the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of a virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention. As shown in Fig. 1, the method specifically includes:
Step 101: receive the packet sent by the first interface in the virtual switch, the first interface being used to intercept, on the communication link in the virtual switch, a packet sent from a first device to a second device;
The virtualization platform includes at least one physical machine. Using virtualization technology, one physical machine can be virtualized into multiple virtual machines, and at least one virtual switch is virtualized on the platform. Each virtual machine can run a different operating system and different applications; different virtual machines, and virtual machines and physical machines, communicate with each other through the virtual switch.
Because there are several kinds of communicating party on the virtualization platform (a virtual machine sends packets to a virtual machine through the virtual switch, a physical machine sends packets to a virtual machine through the virtual switch, or a virtual machine sends packets to a physical machine through the virtual switch), the method of this embodiment is described, for clarity, by taking a first device and a second device on the virtualization platform that communicate through the virtual switch as the example. The first device is a physical machine or a virtual machine, and the second device is a physical machine or a virtual machine.
A first interface is set up in the virtual switch in advance; it intercepts, on the communication link in the virtual switch, packets sent from the first device to the second device. The position of the first interface on the communication link can be chosen according to the needs of the actual application, for example the entry of the communication link or an intermediate position; any position before the packet leaves the virtual switch through the communication link can be set as the first interface.
There are many ways to generate the first interface, which can be chosen according to the needs of the application; this embodiment does not limit them. For example, the interface can be generated in the virtual switch by a hook program, or a pre-built interface can be obtained from the control centre of the virtualization platform and installed.
When the first device sends a packet to the second device over the communication link established in advance through the virtual switch, the first interface intercepts the packet on the communication link and sends it to the data feature library for security detection.
Step 102: use a data feature library to detect whether the packet meets a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
A data feature library is provided in the virtual switch in advance; it includes the characteristic information corresponding to the network security policy. The network security policy includes at least one of: network permission audit, network attack detection, and traffic intrusion detection. It can be configured according to the network application environment and the service types of the virtual machines and physical machines; this embodiment does not limit it. Because the network security policies differ, the specific content and form of the corresponding characteristic information differ as well.
When the data feature library receives, through the first interface, a packet sent from the first device to the second device, it uses the characteristic information corresponding to the network security policy to detect whether the packet meets the preset network security policy. Because the characteristic information differs between network security policies, the specific detection process and criteria differ too; they are described in the subsequent embodiments.
Step 103: if it is determined that the packet meets the network security policy, send the packet that has passed security detection to the second device through the second interface in the virtual switch.
If the data feature library determines, from the characteristic information corresponding to the network security policy, that the packet meets the preset network security policy, the packet poses no network attack threat to the devices on the virtualization platform and may pass through the virtual switch. The packet that has passed security detection is therefore sent to the second interface, which sends it on to the second device.
The second interface forwards packets that have passed the security detection of the data feature library. Its position on the communication link can be chosen according to the needs of the actual application, for example the exit of the communication link, or any position between the first interface and the exit.
There are many ways to generate the second interface, which can be chosen according to the needs of the application; this embodiment does not limit them. For example, the interface can be generated in the virtual switch by a hook program, or a pre-built interface can be obtained from the control centre of the virtualization platform and installed.
In the virtual switch based security protection method for a virtualization platform provided by this embodiment, the first interface in the virtual switch intercepts, on the communication link in the virtual switch, a packet sent from the first device to the second device; the characteristic information in the data feature library corresponding to the network security policy is used to detect whether the packet is safe; if it is, the packet is sent to the second device through the second interface in the virtual switch. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the latency of the communication interaction.
Fig. 2 is a flow chart of another virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention. This embodiment describes in detail the process of generating the first interface and/or the second interface in the virtual switch by a hook program, and the security protection processing performed when detection finds that a packet is not safe. As shown in Fig. 2, the method specifically includes:
Step 201: use a hook program to set, on the communication link, a first registration point for intercepting the packet, and wrap the first registration point to establish the first interface; and/or use a hook program to set, on the communication link, a second registration point for forwarding the packet, and wrap the second registration point to establish the second interface;
A hook program sets, on the communication link of the virtual switch, a first registration point for intercepting packets, and wraps the first registration point to establish the first interface. The first registration point is an anchor set directly on the communication link for intercepting packets on the link; wrapping it serves to realize the first interface, which provides the interception function. In other words, the first registration point is marked for interception, so that when a packet reaches it, the packet is intercepted.
And/or,
A hook program sets, on the communication link, a second registration point for forwarding packets, and wraps the second registration point to establish the second interface. The second registration point is an anchor set directly on the communication link for forwarding packets that have passed security detection; wrapping it serves to realize the second interface, which provides the forwarding function. In other words, the second registration point is marked for forwarding, so that when a packet reaches it, the packet is forwarded.
Step 202: receive the packet sent by the first interface in the virtual switch, the first interface being used to intercept, on the communication link in the virtual switch, a packet sent from a first device to a second device;
When the first device sends a packet to the second device over the communication link established in advance through the virtual switch, the first interface intercepts the packet on the communication link and sends it to the data feature library for security detection.
Step 203: use a data feature library to detect whether the packet meets a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
When the data feature library receives, through the first interface, a packet sent from the first device to the second device, it uses the characteristic information corresponding to the network security policy to detect whether the packet meets the preset network security policy. Because the characteristic information differs between network security policies, the specific detection process and criteria differ too; they are described in the subsequent embodiments.
Step 204: if it is determined that the packet meets the network security policy, send the packet that has passed security detection to the second device through the second interface in the virtual switch; if it is determined that the packet does not meet the network security policy, perform security protection processing on the packet according to the network threat type in the network security policy.
If the data feature library determines, from the characteristic information corresponding to the network security policy, that the packet meets the preset network security policy, the packet poses no network attack threat to the devices on the virtualization platform and may pass through the virtual switch. The packet that has passed security detection is therefore sent to the second interface, which sends it on to the second device.
If the data feature library determines, from the characteristic information corresponding to the network security policy, that the packet does not meet the network security policy, it performs security protection processing on the packet according to the network threat type in the network security policy, so that a packet carrying a network threat does not leave the virtual switch and reach the second device.
In the virtual switch based security protection method for a virtualization platform provided by this embodiment, the first interface set up in the virtual switch by a hook program intercepts, on the communication link in the virtual switch, a packet sent from the first device to the second device; the characteristic information in the data feature library corresponding to the network security policy is used to detect whether the packet is safe; if it is, the packet is sent to the second device through the second interface set up in the virtual switch by a hook program; if not, security protection processing is performed on the packet. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, reduces the latency of the communication interaction, and further improves the security of the virtualization platform.
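The flow of Fig. 1 and Fig. 2 (intercept at a first registration point, consult the data feature library, forward at a second registration point, or apply security protection processing by threat type) can be modelled in a few dozen lines. The Python below is an added illustration, not code from the patent or its assignees: every name in it (Packet, VirtualSwitch, FeatureLibrary, ProtectionDevice, the two registration point names) is an assumption made for this example, and the sample policies and traffic are constructed. The policy checks are stand-ins for the characteristic information of the network permission audit and network attack detection policies, and the threat-type handler table is where the security protection processing of step 204 plugs in.

```python
# Added example (not the patent's code): a toy model of the Fig. 1 / Fig. 2 flow.
# Every name here (Packet, VirtualSwitch, FeatureLibrary, ProtectionDevice) is an
# assumption made for illustration; the sample policies and traffic are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    payload: str


PolicyCheck = Callable[[Packet], bool]            # True when the packet meets the policy
Handler = Callable[[Packet], Optional[Packet]]    # security protection processing: new packet, or None = drop
HookFn = Callable[[Packet], Optional[Packet]]


class FeatureLibrary:
    """Data feature library: one set of characteristic information per network security policy."""

    def __init__(self, checks: Dict[str, PolicyCheck]) -> None:
        self.checks = checks

    def detect(self, pkt: Packet) -> Optional[str]:
        """None if the packet meets every policy, else the name of the first policy it
        violates (that name plays the role of the network threat type)."""
        for policy, check in self.checks.items():
            if not check(pkt):
                return policy
        return None


class VirtualSwitch:
    """A communication link with two registration points that a hook program can wrap."""

    def __init__(self) -> None:
        self.registration_points: Dict[str, Optional[HookFn]] = {"intercept": None, "forward": None}
        self.delivered: List[Packet] = []   # what actually reached the second device

    def register_hook(self, point: str, fn: HookFn) -> None:
        if point not in self.registration_points:
            raise KeyError(f"no registration point named {point!r}")
        self.registration_points[point] = fn

    def transmit(self, pkt: Packet) -> Optional[Packet]:
        """The first device puts a packet on the link; the registration points run in link order."""
        for point in ("intercept", "forward"):
            fn = self.registration_points[point]
            if fn is not None:
                pkt = fn(pkt)
                if pkt is None:          # dropped inside the switch: it never leaves
                    return None
        self.delivered.append(pkt)
        return pkt


class ProtectionDevice:
    """Receive, detection and sending modules, installed as the first and second interface."""

    def __init__(self, switch: VirtualSwitch, library: FeatureLibrary, handlers: Dict[str, Handler]) -> None:
        self.library, self.handlers = library, handlers
        self.log: List[Tuple[str, str, str]] = []   # (verdict, src, dst) as an audit trail
        switch.register_hook("intercept", self.first_interface)
        switch.register_hook("forward", self.second_interface)

    def first_interface(self, pkt: Packet) -> Optional[Packet]:
        threat = self.library.detect(pkt)
        if threat is None:
            self.log.append(("pass", pkt.src_ip, pkt.dst_ip))
            return pkt
        self.log.append((threat, pkt.src_ip, pkt.dst_ip))
        handler = self.handlers.get(threat)
        return handler(pkt) if handler is not None else None   # no handler configured: drop (assumption)

    def second_interface(self, pkt: Packet) -> Optional[Packet]:
        return pkt   # only packets that passed detection reach the forwarding point


# Constructed sample policies (stand-ins for the real characteristic information).
def no_remote_login(pkt: Packet) -> bool:       # "network permission audit" stand-in
    return pkt.proto != "telnet"


def no_path_traversal(pkt: Packet) -> bool:     # "network attack detection" stand-in
    return "../" not in pkt.payload


SAMPLE_TRAFFIC = [   # constructed
    Packet("10.0.0.2", "10.0.0.3", "http", "GET /index.html"),
    Packet("10.0.0.2", "10.0.0.3", "http", "GET /static/../../etc/passwd"),
    Packet("10.0.0.4", "10.0.0.3", "telnet", "login"),
]


def run_demo() -> Tuple[List[bool], List[Tuple[str, str, str]]]:
    switch = VirtualSwitch()
    library = FeatureLibrary({"network_attack_detection": no_path_traversal,
                              "network_permission_audit": no_remote_login})
    device = ProtectionDevice(switch, library, handlers={"network_permission_audit": lambda p: None})
    forwarded = [switch.transmit(p) is not None for p in SAMPLE_TRAFFIC]
    return forwarded, device.log


if __name__ == "__main__":
    print(run_demo())
```

Only the first sample packet reaches `delivered`; the other two are stopped at the intercept point, and the log records which policy stopped them, which is the record a detection team would want from an in-switch filter.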
For the embodiment of Fig. 2, because the network security policies differ, their characteristic information and the specific detection process and criteria differ as well. To describe more clearly the process of security detection of a packet using the data feature library, and the security protection processing performed on a packet according to the network threat type in the network security policy when the packet is found not to meet the policy, these are described specifically in the embodiments of Fig. 3 to Fig. 5.
Fig. 3 is a flow chart of another virtual switch based security protection method for a virtualization platform provided by an embodiment of the present invention. This embodiment covers the security detection process when the network security policy is network permission audit, and the security protection processing of a packet whose network threat type is a network permission audit violation. As shown in Fig. 3, the method specifically includes:
Step 301: obtain the network access permission information corresponding to the source IP of the packet;
Specifically, when the network security policy is network permission audit, the characteristic information corresponding to the policy includes: IP address information, and the network access permission information corresponding to the IP address information.
When the data feature library receives a packet sent by the first interface, it parses the packet to obtain its source IP address and destination IP address. It then looks up the IP address information in the stored characteristic information, together with the network access permission information corresponding to that IP address information, and so obtains the network access permission information corresponding to the source IP of the packet.
Step 302: audit the legality of the destination IP based on the network access permission information;
The legality of the destination IP is audited based on the obtained network access permission information, i.e. that information is used to judge whether the source IP has permission to access the network resources corresponding to the destination IP. If the source IP has permission, the destination IP is legal, the packet passes security detection, and it is sent to the second device through the second interface. If the source IP has no permission, the destination IP is illegal, the packet fails security detection, and security protection processing is required.
Step 303: if it is determined that the destination IP is illegal, modify the destination IP, according to the network access permission information, to an IP that the source is permitted to access, and send the modified packet to the second interface.
If it is determined that the source IP has no permission to access the network resources corresponding to the destination IP, the destination IP is illegal and the packet fails security detection. The destination IP is therefore modified, according to the obtained network access permission information, to a legally permitted IP, and the modified packet is sent to the second interface, which sends it to the second device.
In the virtual switch based security protection method for a virtualization platform provided by this embodiment, the characteristic information in the data feature library corresponding to network permission audit is used to detect whether a packet is safe; if it is, the packet is sent to the second device through the second interface in the virtual switch; if not, the packet is modified into one with legal access permission and then forwarded. This improves the security of the virtualization platform.
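Steps 301 to 303, as an added illustration rather than code from the patent or its assignees: the Python below keeps, per source IP, the destinations it may reach together with the lawful IP to substitute, and implements lookup, audit and rewrite as three functions. `ACCESS_RIGHTS`, `lookup_access_rights`, `destination_is_legal` and `permission_audit` are names assumed for this example and the addresses are constructed. It goes slightly beyond the text in one respect: permitted destinations are stored as networks in CIDR form, so one entry covers a whole subnet, and an unknown source IP is treated as a failed audit and dropped, which the patent does not specify and is this example's assumption.

```python
# Added example (not the patent's code): the Fig. 3 network permission audit.
# ACCESS_RIGHTS and the three functions are assumptions made for illustration; the
# addresses are constructed. Permitted destinations are networks (CIDR), generalizing
# the per-address lookup described in the text.
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    payload: str = ""


# Constructed characteristic information: source IP -> (networks it may reach,
# lawful IP to substitute when the destination is illegal).
ACCESS_RIGHTS: Dict[str, Tuple[List[str], str]] = {
    "10.0.1.10": (["10.0.2.0/24"], "10.0.2.20"),
    "10.0.1.11": (["10.0.2.21/32", "10.0.3.0/24"], "10.0.2.21"),
}


def lookup_access_rights(src_ip: str) -> Optional[Tuple[List[ipaddress.IPv4Network], str]]:
    """Step 301: obtain the network access permission information for the packet's source IP."""
    entry = ACCESS_RIGHTS.get(src_ip)
    if entry is None:
        return None
    nets, lawful_ip = entry
    return [ipaddress.ip_network(n) for n in nets], lawful_ip


def destination_is_legal(dst_ip: str, permitted: List[ipaddress.IPv4Network]) -> bool:
    """Step 302: the destination is legal when it lies inside a permitted network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in permitted)


def permission_audit(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Steps 301-303. Returns (verdict, packet handed to the second interface, or None)."""
    rights = lookup_access_rights(pkt.src_ip)
    if rights is None:
        # No characteristic information for this source: fail closed. The patent does not
        # say what happens here; dropping is this example's assumption.
        return "unknown_source", None
    permitted, lawful_ip = rights
    if destination_is_legal(pkt.dst_ip, permitted):
        return "legal", pkt
    # Step 303: rewrite the destination to the lawful IP and hand the modified packet on.
    return "rewritten", replace(pkt, dst_ip=lawful_ip)


if __name__ == "__main__":
    for p in (Packet("10.0.1.10", "10.0.2.21"), Packet("10.0.1.11", "10.0.2.20"), Packet("10.0.9.9", "10.0.2.20")):
        print(p.src_ip, "->", p.dst_ip, permission_audit(p))
```

Note that the rewrite in step 303 silently changes where the first device's traffic lands, so a deployment should log the original and substituted destination; here the verdict string carries that distinction back to the caller.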
Fig. 4 is a flowchart of another virtual-switch-based security protection method for a virtual platform provided by an embodiment of the present invention. This embodiment describes the security detection process when the network security policy is network attack detection, and the security protection processing applied to a packet whose network threat type is network attack detection. As shown in Fig. 4, the method specifically includes:
Step 401: determine the communication protocol used by the packet;
Specifically, when the network security policy is network attack detection, the characteristic information corresponding to the network security policy includes: the key field corresponding to the communication protocol of the packet, and description information of attack strings.
When the data feature library receives the packet sent by the first interface, it parses the packet to determine the communication protocol the packet uses; the protocol is obtained from the header information of the packet. The communication protocol specifically includes: the Hypertext Transfer Protocol (HTTP), the standard protocol for Internet remote login services (Telnet), and the Simple Mail Transfer Protocol (SMTP).
Step 402: obtain the data in the key field corresponding to the communication protocol, and judge whether the data in the key field includes the description information of an attack string;
The pre-stored characteristic information is queried for the key field corresponding to the packet's communication protocol and for the description information of attack strings. The data is obtained from the key field corresponding to the protocol, and it is judged whether that data includes the description information of any attack string that the characteristic information associates with the protocol. If the data in the key field does not include attack string description information, the packet passes the security detection and is sent to the second device through the second interface. If it does, the packet fails the security detection and must be subjected to security protection processing.
Step 403: if the data in the key field is determined to include description information of an attack string, discard the packet; or, filter the packet to obtain a packet that complies with the network security policy, and send it to the second interface.
If the data in the key field includes description information of an attack string, the packet fails the security detection and is therefore discarded; or, the packet is filtered to obtain a packet that complies with the network security policy, which is sent to the second interface, and the second interface sends it on to the second device.
In the virtual-switch-based security protection method for a virtual platform provided by this embodiment, the characteristic information corresponding to network attack detection in the data feature library is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface of the virtual switch; if not, the packet is discarded or filtered. This improves the security of the virtual platform.
Fig. 5 is a flowchart of another virtual-switch-based security protection method for a virtual platform provided by an embodiment of the present invention. This embodiment describes the security detection process when the network security policy is traffic intrusion, and the security protection processing applied to a packet whose network threat type is traffic intrusion. As shown in Fig. 5, the method specifically includes:
Step 501: match the header information, the intermediate-file format and the trailer-file format of the packet against the format information in the characteristic information;
Specifically, when the network security policy is traffic intrusion, the characteristic information corresponding to the network security policy includes: format information of packets, and the traffic threshold corresponding to that format information within a preset time, where the format information includes at least one of header information, intermediate-file format and trailer-file format.
When the data feature library receives the packet sent by the first interface, it parses the packet and matches the packet's header information, intermediate-file format and trailer-file format against the format information in the characteristic information. Take the data format of a DDoS attack as an example: if, within the preset time, the traffic of packets having the DDoS attack data format exceeds the preset traffic threshold, this indicates that their purpose is to consume the processing resources of the target device in bulk so that its system crashes.
Step 502: judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
The pre-stored characteristic information is queried, and it is judged whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold. If the traffic within the preset time is less than or equal to the preset traffic threshold, the packet passes the security detection and is sent to the second device through the second interface. If the traffic within the preset time is greater than or equal to the preset traffic threshold, the packet fails the security detection and must be subjected to security protection processing.
Step 503: if the traffic of successfully matched packets within the preset time is determined to exceed the traffic threshold, discard the packet.
If the traffic of successfully matched packets within the preset time exceeds the traffic threshold, the packet fails the security detection and is therefore discarded.
In the virtual-switch-based security protection method for a virtual platform provided by this embodiment, the characteristic information corresponding to traffic intrusion in the data feature library is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface of the virtual switch; if not, the packet is discarded. This improves the security of the virtual platform.
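As an added illustration that is not code from the patent, the following Python sketch implements the three detection branches described for Figs. 3, 4 and 5 (permission audit with destination rewriting, attack string matching in the protocol key field with drop or filter, and the per-format traffic threshold within a preset window) as one feature library consulted between the first and second interfaces; all class names, field layouts, sample IPs and sample signatures are constructed assumptions.

```python
"""Added example, not part of the patent: a toy data feature library that applies
the three network security policies the embodiments describe (network permission
audit, network attack detection, traffic intrusion) to packets intercepted at the
first interface and decides what the second interface may forward.
All names, field layouts and sample values are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field, replace as dc_replace
from typing import Deque, Dict, Optional, Set, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str            # protocol read from the header, e.g. "HTTP", "TELNET", "SMTP"
    fields: Dict[str, str]   # parsed protocol fields; the key field is looked up here
    fmt: str                 # data-format label from header/body/trailer matching
    ts: float                # arrival time in seconds


@dataclass
class FeatureLibrary:
    """Pre-stored characteristic information, one table per network security policy."""
    # permission audit: source IP -> (destination IPs it may reach, lawful fallback IP)
    access_rights: Dict[str, Tuple[Set[str], str]]
    # attack detection: protocol -> (key field name, attack string descriptions)
    attack_sigs: Dict[str, Tuple[str, Tuple[str, ...]]]
    # traffic intrusion: data format -> (preset window in seconds, packet threshold)
    flow_rules: Dict[str, Tuple[float, int]]
    # arrival times of matched packets per data format, trimmed to the window
    windows: Dict[str, Deque[float]] = field(default_factory=dict)

    def audit_permission(self, pkt: Packet) -> Tuple[bool, Optional[Packet]]:
        """Network permission audit: returns (passed, packet). An illegitimate
        destination is rewritten to the lawful IP recorded for the source."""
        entry = self.access_rights.get(pkt.src_ip)
        if entry is None:
            return False, None          # unknown source: nothing lawful to rewrite to
        allowed, lawful_ip = entry
        if pkt.dst_ip in allowed:
            return True, pkt
        return False, dc_replace(pkt, dst_ip=lawful_ip)

    def detect_attack(self, pkt: Packet, filter_mode: bool) -> Tuple[bool, Optional[Packet]]:
        """Network attack detection: looks for attack string descriptions in the
        key field of the packet's protocol. A failing packet is dropped (None) or,
        in filter mode, returned with the offending strings removed."""
        sig = self.attack_sigs.get(pkt.protocol)
        if sig is None:
            return True, pkt            # no signatures for this protocol
        key_field, descriptions = sig
        data = pkt.fields.get(key_field, "")
        hits = [d for d in descriptions if d in data]
        if not hits:
            return True, pkt
        if not filter_mode:
            return False, None
        for d in hits:
            data = data.replace(d, "")
        return False, dc_replace(pkt, fields={**pkt.fields, key_field: data})

    def check_flow(self, pkt: Packet) -> bool:
        """Traffic intrusion: counts packets whose format matched a rule inside the
        preset window; exceeding the threshold fails the packet (a dropped packet
        still counts toward the window)."""
        rule = self.flow_rules.get(pkt.fmt)
        if rule is None:
            return True                 # format not in the library: no match
        window, threshold = rule
        q = self.windows.setdefault(pkt.fmt, deque())
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > window:
            q.popleft()
        return len(q) <= threshold


def protect(lib: FeatureLibrary, pkt: Packet,
            filter_attacks: bool = False) -> Tuple[str, Optional[Packet]]:
    """Runs the three policies in the order of Figs. 3 to 5 and returns
    (verdict, packet to hand to the second interface, or None when dropped)."""
    verdict = "pass"
    ok, pkt = lib.audit_permission(pkt)
    if pkt is None:
        return "drop", None
    if not ok:
        verdict = "rewritten"
    ok, pkt = lib.detect_attack(pkt, filter_attacks)
    if pkt is None:
        return "drop", None
    if not ok:
        verdict = "filtered"
    if not lib.check_flow(pkt):
        return "drop", None
    return verdict, pkt


def demo_library() -> FeatureLibrary:
    """Constructed sample characteristic information (not from the patent)."""
    return FeatureLibrary(
        access_rights={"10.0.0.5": ({"10.0.0.10", "10.0.0.11"}, "10.0.0.10")},
        attack_sigs={"HTTP": ("uri", ("../", "<script")),
                     "SMTP": ("mail_from", ("\r\n",))},
        flow_rules={"ddos-shape": (1.0, 3)},   # at most 3 matching packets per second
    )


if __name__ == "__main__":
    lib = demo_library()
    print(protect(lib, Packet("10.0.0.5", "10.0.0.99", "HTTP", {"uri": "/"}, "plain", 0.0)))
    print(protect(lib, Packet("10.0.0.5", "10.0.0.10", "HTTP", {"uri": "/../x"}, "plain", 0.1)))
```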
Fig. 6 is a schematic structural diagram of a virtual-switch-based security protection device for a virtual platform provided by an embodiment of the present invention. As shown in Fig. 6, the device includes: a receiving module 11, a detection module 12 and a sending module 13, where:
the receiving module 11 is configured to receive the packet sent by the first interface in the virtual switch, the first interface being used to intercept, on the communication link in the virtual switch, packets sent by the first device to the second device;
the detection module 12 is configured to use a data feature library to detect whether the packet complies with a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
the sending module 13 is configured to, if the packet is determined to comply with the network security policy, send the packet that has passed the security detection to the second device through the second interface in the virtual switch.
For the functions and processing flow of each module of the device provided by this embodiment, refer to the method embodiment shown in Fig. 1 above; the implementation principle is similar and is not repeated here.
In the virtual-switch-based security protection device for a virtual platform provided by this embodiment, the first interface in the virtual switch intercepts, on the communication link in the virtual switch, the packets sent by the first device to the second device; the characteristic information corresponding to the network security policy in the data feature library is used to detect whether a packet is safe; and if so, the packet is sent to the second device through the second interface in the virtual switch. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the delay of the communication interaction.
Fig. 7 is a schematic structural diagram of another virtual-switch-based security protection device for a virtual platform provided by an embodiment of the present invention. As shown in Fig. 7, on the basis of the embodiment shown in Fig. 6, the device further includes: a setting module 14 and a processing module 15, where:
the setting module 14 is configured to use a hook program to set, on the communication link, a first registration point for intercepting the packet, and to encapsulate the first registration point to establish the first interface; and/or to use a hook program to set, on the communication link, a second registration point for forwarding the packet, and to encapsulate the second registration point to establish the second interface;
the processing module 15 is configured to, if the packet is determined not to comply with the network security policy, perform security protection processing on the packet according to the network threat type in the network security policy.
For the functions and processing flow of each module of the device provided by this embodiment, refer to the method embodiment shown in Fig. 2 above; the implementation principle is similar and is not repeated here.
In the virtual-switch-based security protection device for a virtual platform provided by this embodiment, the first interface, set up in the virtual switch by means of a hook program, intercepts on the communication link in the virtual switch the packets sent by the first device to the second device; the characteristic information corresponding to the network security policy in the data feature library is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface, likewise set up in the virtual switch by means of a hook program; if not, security protection processing is performed on the packet. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, reduces the delay of the communication interaction, and further improves the security of the virtual platform.
Fig. 8 is a schematic structural diagram of another virtual-switch-based security protection device for a virtual platform provided by an embodiment of the present invention. In this embodiment the network security policy is network permission audit, and the characteristic information corresponding to the network security policy includes: IP address information, and the network access permission information corresponding to the IP address information. As shown in Fig. 8, on the basis of the embodiment shown in Fig. 7, the detection module 12 includes: an acquiring unit 121 and an auditing unit 122, where:
the acquiring unit 121 is configured to obtain the network access permission information corresponding to the source IP of the packet;
the auditing unit 122 is configured to audit the legitimacy of the destination IP according to the network access permission information;
and the processing module 15 is specifically configured to:
if the destination IP is determined to be illegitimate, rewrite the destination IP to a legitimately permitted IP according to the network access permission information, and send the modified packet to the second interface.
For the functions and processing flow of each module of the device provided by this embodiment, refer to the method embodiment shown in Fig. 3 above; the implementation principle is similar and is not repeated here.
In the virtual-switch-based security protection device for a virtual platform provided by this embodiment, the characteristic information corresponding to the network permission audit in the data feature library is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface of the virtual switch; if not, the packet is rewritten to carry a legitimately permitted IP before being forwarded. This improves the security of the virtual platform.
Fig. 9 is a schematic structural diagram of another virtual-switch-based security protection device for a virtual platform provided by an embodiment of the present invention. In this embodiment the network security policy is network attack detection, and the characteristic information corresponding to the network security policy includes: the key field corresponding to the communication protocol of the packet, and description information of attack strings. As shown in Fig. 9, on the basis of the embodiment shown in Fig. 7, the detection module 12 includes: a determining unit 123 and a first judging unit 124, where:
the determining unit 123 is configured to determine the communication protocol used by the packet;
the first judging unit 124 is configured to obtain the data in the key field corresponding to the communication protocol, and to judge whether the data in the key field includes the description information of the attack string;
and the processing module 15 is specifically configured to:
if the data in the key field is determined to include description information of an attack string, discard the packet; or, filter the packet to obtain a packet that complies with the network security policy, and send it to the second interface.
For the functions and processing flow of each module of the device provided by this embodiment, refer to the method embodiment shown in Fig. 3 above; the implementation principle is similar and is not repeated here.
In the virtual-switch-based security protection device for a virtual platform provided by this embodiment, the characteristic information corresponding to network attack detection in the data feature library is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface of the virtual switch; if not, the packet is discarded or filtered. This improves the security of the virtual platform.
Fig. 10 is a schematic structural diagram of another virtual-switch-based security protection device for a virtual platform provided by an embodiment of the present invention. In this embodiment the network security policy is traffic intrusion, and the characteristic information corresponding to the network security policy includes: format information of packets, and the traffic threshold corresponding to the format information within a preset time, where the format information includes at least one of header information, intermediate-file format and trailer-file format. As shown in Fig. 10, on the basis of the embodiment shown in Fig. 7, the detection module 12 includes: a matching unit 125 and a second judging unit 126, where:
the matching unit 125 is configured to match the header information, the intermediate-file format and the trailer-file format of the packet against the format information in the characteristic information;
the second judging unit 126 is configured to judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
and the processing module 15 is specifically configured to:
if the traffic of successfully matched packets within the preset time is determined to exceed the traffic threshold, discard the packet.
For the functions and processing flow of each module of the device provided by this embodiment, refer to the method embodiment shown in Fig. 3 above; the implementation principle is similar and is not repeated here.
In the virtual-switch-based security protection device for a virtual platform provided by this embodiment, the characteristic information corresponding to traffic intrusion in the data feature library is used to detect whether a packet is safe; if so, the packet is sent to the second device through the second interface of the virtual switch; if not, the packet is discarded. This improves the security of the virtual platform.
Fig. 11 is a schematic structural diagram of a virtual-switch-based security protection system for a virtual platform provided by an embodiment of the present invention. As shown in Fig. 11, the system includes: a first device 1 located on the virtual platform, a second device 2, and a virtual switch 3 deployed on a physical machine, where the first device 1 and the second device 2 each include: a physical machine 4 on the virtual platform, or a virtual machine 5 deployed on a physical machine; and the virtual switch 3 includes the virtual-switch-based security protection device 6 for a virtual platform. The embodiment shown in Fig. 11 takes as its example the case where the first device 1 is a first virtual machine and the second device 2 is a second virtual machine, and the two communicate through the virtual switch 3.
For the functions and processing flow of each module of the system provided by this embodiment, refer to the method embodiments shown above; the implementation principle is similar and is not repeated here.
In the virtual-switch-based security protection system for a virtual platform provided by this embodiment, the first interface in the virtual switch intercepts, on the communication link in the virtual switch, the packets sent by the first device to the second device; the characteristic information corresponding to the network security policy in the data feature library is used to detect whether a packet is safe; and if so, the packet is sent to the second device through the second interface in the virtual switch. This avoids diverting the communication traffic of the virtual switch to an external system for security detection, improves the processing efficiency of security detection, and reduces the delay of the communication interaction.
Persons of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be completed by hardware directed by program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; and the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A virtual-switch-based security protection method for a virtual platform, characterized in that the method includes:
receiving a packet sent by a first interface in a virtual switch, the first interface being used to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
using a data feature library to detect whether the packet complies with a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
if the packet is determined to comply with the network security policy, sending the packet that has passed the security detection to the second device through a second interface in the virtual switch;
before receiving the packet sent by the first interface in the virtual switch, the method further includes:
using a hook program to set, on the communication link, a first registration point for intercepting the packet, and encapsulating the first registration point to establish the first interface;
and/or,
using a hook program to set, on the communication link, a second registration point for forwarding the packet, and encapsulating the second registration point to establish the second interface;
if the packet is determined not to comply with the network security policy, performing security protection processing on the packet according to the network threat type in the network security policy.
2. The method according to claim 1, characterized in that the network security policy includes:
at least one of network permission audit, network attack detection and traffic intrusion.
3. The method according to claim 2, characterized in that the network security policy is network permission audit, and the characteristic information corresponding to the network security policy includes: IP address information, and network access permission information corresponding to the IP address information;
the using a data feature library to detect whether the packet complies with a preset network security policy includes:
obtaining the network access permission information corresponding to the source IP of the packet, and auditing the legitimacy of the destination IP according to the network access permission information;
the performing security protection processing on the packet according to the network threat type in the network security policy includes:
if the destination IP is determined to be illegitimate, rewriting the destination IP to a legitimately permitted IP according to the network access permission information, and sending the modified packet to the second interface.
4. The method according to claim 2, characterized in that the network security policy is network attack detection, and the characteristic information corresponding to the network security policy includes: a key field corresponding to the communication protocol of the packet, and description information of attack strings;
the using a data feature library to detect whether the packet complies with a preset network security policy includes:
determining the communication protocol used by the packet;
obtaining the data in the key field corresponding to the communication protocol, and judging whether the data in the key field includes the description information of an attack string;
the performing security protection processing on the packet according to the network threat type in the network security policy includes:
if the data in the key field is determined to include the description information of an attack string, discarding the packet; or, filtering the packet to obtain a packet that complies with the network security policy, and sending it to the second interface.
5. The method according to claim 2, characterized in that the network security policy is traffic intrusion, and the characteristic information corresponding to the network security policy includes: format information of packets, and a traffic threshold corresponding to the format information within a preset time, where the format information includes at least one of header information, intermediate-file format and trailer-file format;
the using a data feature library to detect whether the packet complies with a preset network security policy includes:
matching the header information, the intermediate-file format and the trailer-file format of the packet against the format information in the characteristic information;
judging whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
the performing security protection processing on the packet according to the network threat type in the network security policy includes:
if the traffic of successfully matched packets within the preset time is determined to exceed the traffic threshold, discarding the packet.
6. A virtual-switch-based security protection device for a virtual platform, characterized in that the device includes:
a receiving module, configured to receive a packet sent by a first interface in a virtual switch, the first interface being used to intercept, on a communication link in the virtual switch, packets sent by a first device to a second device;
a detection module, configured to use a data feature library to detect whether the packet complies with a preset network security policy, the data feature library including characteristic information corresponding to the network security policy;
a sending module, configured to, if the packet is determined to comply with the network security policy, send the packet that has passed the security detection to the second device through a second interface in the virtual switch;
a setting module, configured to use a hook program to set, on the communication link, a first registration point for intercepting the packet, and to encapsulate the first registration point to establish the first interface;
and/or,
to use a hook program to set, on the communication link, a second registration point for forwarding the packet, and to encapsulate the second registration point to establish the second interface;
a processing module, configured to, if the packet is determined not to comply with the network security policy, perform security protection processing on the packet according to the network threat type in the network security policy.
7. The device according to claim 6, characterized in that the network security policy includes:
at least one of network permission audit, network attack detection and traffic intrusion.
8. The device according to claim 7, characterized in that the network security policy is network permission audit, and the characteristic information corresponding to the network security policy includes: IP address information, and network access permission information corresponding to the IP address information;
the detection module includes:
an acquiring unit, configured to obtain the network access permission information corresponding to the source IP of the packet;
an auditing unit, configured to audit the legitimacy of the destination IP according to the network access permission information;
the processing module is specifically configured to:
if the destination IP is determined to be illegitimate, rewrite the destination IP to a legitimately permitted IP according to the network access permission information, and send the modified packet to the second interface.
9. The device according to claim 7, characterized in that the network security policy is network attack detection, and the characteristic information corresponding to the network security policy includes: a key field corresponding to the communication protocol of the packet, and description information of attack strings;
the detection module includes:
a determining unit, configured to determine the communication protocol used by the packet;
a first judging unit, configured to obtain the data in the key field corresponding to the communication protocol, and to judge whether the data in the key field includes the description information of the attack string;
the processing module is specifically configured to:
if the data in the key field is determined to include the description information of an attack string, discard the packet; or, filter the packet to obtain a packet that complies with the network security policy, and send it to the second interface.
10. The device according to claim 7, characterized in that the network security policy is traffic intrusion, and the characteristic information corresponding to the network security policy includes: format information of packets, and a traffic threshold corresponding to the format information within a preset time, where the format information includes at least one of header information, intermediate-file format and trailer-file format;
the detection module includes:
a matching unit, configured to match the header information, the intermediate-file format and the trailer-file format of the packet against the format information in the characteristic information;
a second judging unit, configured to judge whether the traffic of successfully matched packets within the preset time exceeds the preset traffic threshold;
the processing module is specifically configured to:
if the traffic of successfully matched packets within the preset time is determined to exceed the traffic threshold, discard the packet.
11. A virtual-switch-based security protection system for a virtual platform, characterized in that the system includes: a first device located on the virtual platform, a second device, and a virtual switch, where the first device and the second device each include: a physical machine on the virtual platform, or a virtual machine deployed on a physical machine; and the virtual switch includes the virtual-switch-based security protection device for a virtual platform according to any one of claims 6 to 10.
CN201510379913.3A 2015-07-01 2015-07-01 Virtual platform safety protecting method based on virtual switch, device and system Active CN104994094B (en)

Publications (2)

Publication Number Publication Date
CN104994094A CN104994094A (en) 2015-10-21
CN104994094B true CN104994094B (en) 2016-11-30

Elgargouri et al. Analysis of cyber-attacks on IEC 61850 networks
CN111314381A (en) Safety isolation gateway
CN105407106A (en) Access control method and device
CN111865996A (en) Data detection method and device and electronic equipment
CN1326365C (en) Worm blocking system and method using hardware-based pattern matching
CN113904826B (en) Data transmission method, device, equipment and storage medium
CN105429975B (en) A kind of data safety system of defense, method and cloud terminal security system based on cloud terminal
Schear et al. Glavlit: Preventing exfiltration at wire speed
KR20130035600A (en) Method and apparatus for preventing data loss
CN105656937B (en) A kind of anti-method and system that leak of http data based on depth content parsing
CN105471839B (en) A kind of method for judging router data and whether being tampered
CN110492994B (en) Trusted network access method and system
CN113923021A (en) Sandbox-based encrypted flow processing method, system, device and medium
Schmidt et al. Building a demilitarized zone with data encryption for grid environments

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161117

Address after: 100016 Beijing Chaoyang District Jiuxianqiao Road No. 10, building 15, floor 17, floor 3, 1701-26

Patentee after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20161223

Address after: 100016 Beijing Chaoyang District Jiuxianqiao Road No. 10, building 15, floor 17, floor 3, 1701-26

Patentee after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right
CB03 Change of inventor or designer information

Inventor after: Wang Shengping

Inventor after: Wu Yunkun

Inventor before: Wang Shengping

CP03 Change of name, title or address

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: Qianxin Technology Group Co.,Ltd.

Address before: 100016 Beijing Chaoyang District Jiuxianqiao Road 10, 3 building 15, 17 floors 1701-26

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20201229

Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing

Patentee after: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

Patentee after: Qianxin Technology Group Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee before: Qianxin Technology Group Co.,Ltd.

CP03 Change of name, title or address

Address after: 2nd Floor, Building 1, Yard 26, Xizhimenwai South Road, Xicheng District, Beijing, 100032

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Patentee after: Qianxin Technology Group Co.,Ltd.

Address before: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

Patentee before: Qianxin Technology Group Co.,Ltd.