CN105141608A - System and method for providing SaaS (Security as a Service) in cloud operating system

Info

Publication number: CN105141608A
Authority: CN (China)
Prior art keywords: security, secure resources, operating system, virtual machine, cloud operating
Legal status: Granted
Application number: CN201510527879.XA
Other languages: Chinese (zh)
Other versions: CN105141608B (en)
Inventor: 郭锋
Current Assignee: Inspur Beijing Electronic Information Industry Co Ltd
Original Assignee: Inspur Beijing Electronic Information Industry Co Ltd
Priority date: 2015-08-25
Filing date: 2015-08-25
Publication date: 2015-12-09

Application filed by Inspur Beijing Electronic Information Industry Co Ltd
Priority to CN201510527879.XA
Publication of CN105141608A
Application granted
Publication of CN105141608B
Legal status: Active

Links

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Business, Economics & Management
  • General Business, Economics & Management
  • Stored Programmes
  • Storage Device Security

Abstract

The invention discloses a system and a method for providing SaaS (Security as a Service) in a cloud operating system. The system comprises a security resource pool, used to centralize security resources into a pool and provide security services for virtual machines; an update node, used to link to a security update library and update the resources in the security resource pool; and a security terminal agent, used to deploy a security agent program in the virtual machine and protect the virtual machine by interacting with the security resource pool. With the system and method, the operation and maintenance efficiency of a cloud data center is improved and the operation and maintenance cost is reduced; comprehensive and timely security protection is provided for the virtual machines in the cloud operating system, and the network storm on computing nodes caused by security signature updates under the conventional security protection mode is avoided.

Description

System and method for providing Security as a Service in a cloud operating system
Technical field
The present invention relates to the technical field of cloud operating systems, and in particular to a system and method for providing Security as a Service in a cloud operating system.
Background technology
Cloud computing has gradually been accepted by industry. Infrastructure as a Service, Platform as a Service and Software as a Service have all reached the commercial stage; among them, Infrastructure as a Service (IaaS) products are relatively mature and are deployed in cloud data centers. Consumers can obtain services from a complete computer infrastructure over the Internet. Other types of service on the Internet include Platform as a Service (PaaS) and Software as a Service (SaaS). PaaS provides a complete or partial application development environment that users can access, while SaaS provides complete application programs that can be used directly.
However, cloud security, the most important issue in the field of cloud computing, and Security as a Service in particular, is still at the stage of theoretical research. The lagging development of cloud security has greatly affected cloud users' confidence in cloud computing and has also delayed the development of the cloud industry.
Summary of the invention
In order to solve the above technical problems, the invention provides a system and method for providing Security as a Service in a cloud operating system, which can provide comprehensive and timely security protection for the virtual machines in the cloud operating system and avoid the network storm on computing nodes caused by security signature updates under the conventional security protection mode.
To achieve the object of the invention, the invention provides a system for providing Security as a Service in a cloud operating system, comprising: a security resource pool, an update node and a security terminal agent, wherein the security resource pool is used to pool security resources through the security programs on the computing nodes and to provide security services for virtual machines; the update node is used to link to a security update library and to update the security resources in the security resource pool; and the security terminal agent is used to deploy a security agent inside the virtual machines on the computing nodes, the security agent obtaining security resources from the security resource pool and providing security services for the virtual machine.
Further, the security services are provided in the form of security rules, and the security rules comprise one or more of the following: anti-virus, firewall, DPI, integrity detection, anti-malware, vulnerability scanning and log audit.
Further, the security resource pool is divided into security resource sub-pools by operating system.
Further, the security terminal agent obtains security resources by calling the interface of the security resource pool.
The invention also provides a method for providing Security as a Service in a cloud operating system, characterized in that it comprises: installing security programs on the computing nodes in the cloud operating system, the security programs of multiple computing nodes pooling their security resources to form a security resource pool; linking an update node to a security update library and connecting the security resource pool with the update node so as to update the security resources in the security resource pool; and deploying, by a security terminal agent, a security agent inside the virtual machines on the computing nodes, the security agent obtaining security resources from the security resource pool and providing security services for the virtual machine.
Further, the security services are provided in the form of security rules, and the security rules comprise one or more of the following: anti-virus, firewall, DPI, integrity detection, anti-malware, vulnerability scanning and log audit.
Further, the security terminal agent obtains security resources by calling the interface of the security resource pool.
Compared with the prior art, the virtual machines on the computing nodes in the cloud operating system of the invention need neither install security software nor actively update a security signature library; whenever a virtual machine is created or started, the security protection enforced is always the latest, which avoids the network storm that simultaneous security resource updates by multiple virtual machines bring to the computing node under the traditional mode.
Other features and advantages of the invention will be set forth in the following description and will in part become apparent from the specification, or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and obtained by the structures particularly pointed out in the specification, claims and accompanying drawings.
Brief description of the drawings
The accompanying drawings are used to provide a further understanding of the technical solution of the invention and form part of the specification; together with the embodiments of the application they serve to explain the technical solution of the invention and do not constitute a limitation of it.
Fig. 1 is an architecture diagram of the system for providing Security as a Service in a cloud operating system in an embodiment of the invention.
Fig. 2 is a flow diagram of the method for providing Security as a Service in a cloud operating system in an embodiment of the invention.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in the application and the features in the embodiments may be combined with one another arbitrarily.
The steps shown in the flow chart of the drawings may be performed in a computer system such as a set of computer-executable instructions. Moreover, although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from the one given here.
Fig. 1 is a schematic diagram of the system for providing Security as a Service in a cloud operating system in an embodiment of the invention. As shown in Fig. 1, the system comprises a security resource pool, an update node and a security terminal agent, wherein:
The security resource pool is used to pool security resources through the security programs on the computing nodes and to provide security services for virtual machines.
Specifically, the security resource pool may be divided into security resource sub-pools by operating system. The security resource pool is built by constructing corresponding security programs on the computing nodes, so that the security functions represented by all security services are provided by the security programs. Security services are provided in the form of security rules, and the security rules comprise one or more of the following: anti-virus, firewall, DPI, integrity detection, anti-malware, vulnerability scanning, log audit, etc.
The update node is used to link to the security update library and to update the security resources in the security resource pool.
Specifically, the update node links to the security update library and downloads the latest security patches, virus databases, etc. over the Internet. The security resource pool interacts with the update node over the network to obtain the latest security patches, virus databases and other security information, and updates its security signature library.
The security terminal agent is used to deploy the security agent inside the virtual machines on the computing nodes; the security agent obtains security resources from the security resource pool and provides security services for the virtual machine.
Specifically, the role of the security agent is to call the interface of the security resource pool and carry out security protection; the security agent is installed in the virtual machine as an independent installation package. The security terminal agent and the security resource pool interact by calling each other's interfaces, and the exchanged information includes the virtual machine's network traffic, files, integrity data, etc., which are submitted for security verification so as to protect the virtual machine.
Fig. 2 is a flow diagram of the method for providing Security as a Service in a cloud operating system in an embodiment of the invention. As shown in Fig. 2, the method comprises:
Step 201: security programs are installed on the computing nodes in the cloud operating system, and the security programs of multiple computing nodes pool their security resources to form a security resource pool.
In this step, a security agent is installed on each computing node to provide security services for the virtual machines running on that computing node; the multiple computing nodes with the security agent installed together form the security resource pool.
Step 202: the update node links to the security update library, and the security resource pool is connected with the update node to update the security resources in the security resource pool.
In this step, the security resources in the security resource pool are updated automatically by the update node.
Step 203: the security terminal agent deploys the security agent inside the virtual machines on the computing nodes, and the security agent obtains security resources from the security resource pool and provides security services for the virtual machine.
In this step, the virtual machine running on the computing node interacts, through its own security agent, with the security program of the computing node and uses the security functions provided by the computing node to protect itself, for example anti-virus, patch detection, firewall, DPI, anti-malware, integrity detection, log audit, etc.
For a cloud operating system:
A cloud user applies for a virtual machine with security services, for example win7; the back end generates a virtual machine with the win7 operating system in which the security agent has been pre-installed. Once the virtual machine is started, security protection can be applied to it according to the security rules; because the security resource pool on the back end is updated automatically by the update node, there is no need to update the virus database or security patches regularly. If the virtual machine crashes or is shut down for a period of time and is then started again, it immediately receives the latest security protection, without having to worry, as under the traditional mode, that the virtual machine's anti-virus software has expired or its virus database is out of date.
In the invention, the virtual machine need neither install security software nor actively update the security signature library; whenever a virtual machine is created or started, the security protection enforced is always the latest, which avoids the network storm that simultaneous security signature library updates by multiple virtual machines bring to the computing node under the traditional mode.
Although the embodiments disclosed by the invention are as above, the content described is adopted only for ease of understanding the invention and is not intended to limit it. Any person skilled in the art to which the invention belongs may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention shall still be determined by the appended claims.
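The three components and the three method steps above, modelled end to end as an added Python example (this is not code from the patent or from Inspur; the class and method names, the update-library format, the "win7"/"centos7" sub-pools and every file, patch id, port and hash are constructed assumptions). The point it makes concrete is the one the patent rests on: the per-OS security resource pool on the compute node is refreshed once by the update node, and each in-VM agent only calls the pool's interface for anti-virus, patch detection, firewall and integrity checks, so the number of downloads does not grow with the number of virtual machines.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the security update library the update node links to.
# One entry per guest OS; the version lets the update node skip current sub-pools.
UPDATE_LIBRARY = {
    "win7": {"version": 3,
             "malware_sha256": {hashlib.sha256(b"constructed-malware-sample-A").hexdigest()},
             "required_patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
             "firewall_deny_ports": {23, 445}},
    "centos7": {"version": 5,
                "malware_sha256": {hashlib.sha256(b"constructed-malware-sample-B").hexdigest()},
                "required_patches": {"RHSA-EXAMPLE-0001"},
                "firewall_deny_ports": {23}},
}


@dataclass
class SecuritySubPool:
    """Security resources for one guest OS, held on the compute-node side."""
    os_name: str
    version: int = 0
    malware_sha256: set = field(default_factory=set)
    required_patches: set = field(default_factory=set)
    firewall_deny_ports: set = field(default_factory=set)


class SecurityResourcePool:
    """Sub-pools by OS; the four check methods are the interface the in-VM agent calls."""

    def __init__(self):
        self.subpools = {}

    def subpool(self, os_name):
        return self.subpools.setdefault(os_name, SecuritySubPool(os_name))

    def scan_file(self, os_name, content):  # anti-virus / anti-malware rule
        return hashlib.sha256(content).hexdigest() in self.subpool(os_name).malware_sha256

    def missing_patches(self, os_name, installed):  # patch-detection rule
        return sorted(self.subpool(os_name).required_patches - set(installed))

    def filter_connection(self, os_name, dst_port):  # firewall rule: True = allowed
        return dst_port not in self.subpool(os_name).firewall_deny_ports

    def verify_integrity(self, baseline_sha256, content):  # integrity-detection rule
        return hashlib.sha256(content).hexdigest() == baseline_sha256


class UpdateNode:
    """Links to the update library and refreshes the pool: one fetch per sub-pool, not per VM."""

    def __init__(self, library):
        self.library = library
        self.downloads = 0  # traffic that actually reaches the compute node

    def sync(self, pool):
        updated = []
        for os_name, latest in self.library.items():
            sp = pool.subpool(os_name)
            if sp.version >= latest["version"]:
                continue  # already current: nothing to download
            self.downloads += 1
            sp.version = latest["version"]
            sp.malware_sha256 = set(latest["malware_sha256"])
            sp.required_patches = set(latest["required_patches"])
            sp.firewall_deny_ports = set(latest["firewall_deny_ports"])
            updated.append(os_name)
        return updated


class VMAgent:
    """Thin in-VM agent: holds no signatures, submits files, patch state and traffic to the pool."""

    def __init__(self, vm_id, os_name, pool):
        self.vm_id, self.os_name, self.pool = vm_id, os_name, pool

    def protect(self, files, installed_patches, dst_ports, baseline):
        p, os_name = self.pool, self.os_name
        return {
            "infected": [n for n, d in files.items() if p.scan_file(os_name, d)],
            "missing_patches": p.missing_patches(os_name, installed_patches),
            "blocked_ports": [x for x in dst_ports if not p.filter_connection(os_name, x)],
            "integrity_failures": [n for n, d in files.items()
                                   if n in baseline and not p.verify_integrity(baseline[n], d)],
        }


def demo(vm_count=3):
    """Steps 201-203 end to end on constructed sample data."""
    pool = SecurityResourcePool()                 # step 201: pool on the compute node
    node = UpdateNode(UPDATE_LIBRARY)
    node.sync(pool)                               # step 202: one refresh serves every VM
    node.sync(pool)                               # nothing new: no second download
    baseline = {"hosts": hashlib.sha256(b"127.0.0.1 localhost\n").hexdigest()}
    files = {"report.docx": b"harmless document",           # constructed guest files
             "dropper.exe": b"constructed-malware-sample-A",
             "hosts": b"127.0.0.1 localhost\n203.0.113.9 update.example\n"}  # tampered
    reports = {}
    for i in range(vm_count):                     # step 203: agents call the pool interface
        agent = VMAgent(f"vm-{i}", "win7", pool)
        reports[agent.vm_id] = agent.protect(files, ["KB-EXAMPLE-001"], [80, 445], baseline)
    return {"downloads": node.downloads, "reports": reports}
```

Running `demo(3)` (or any larger `vm_count`) reports two downloads, one per sub-pool, while every agent still flags the malicious file, the missing patch, the denied port and the tampered `hosts` file; that ratio of downloads to guests is what the patent means by avoiding the update network storm.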

Claims (7)

1. A system for providing Security as a Service in a cloud operating system, characterized in that it comprises: a security resource pool, an update node and a security terminal agent, wherein:
the security resource pool is used to pool security resources through the security programs on the computing nodes and to provide security services for virtual machines;
the update node is used to link to a security update library and to update the security resources in the security resource pool;
the security terminal agent is used to deploy a security agent inside the virtual machines on the computing nodes, the security agent obtaining security resources from the security resource pool and providing security services for the virtual machine.
2. The system for providing Security as a Service in a cloud operating system according to claim 1, characterized in that the security services are provided in the form of security rules, and the security rules comprise one or more of the following: anti-virus, firewall, DPI, integrity detection, anti-malware, vulnerability scanning and log audit.
3. The system for providing Security as a Service in a cloud operating system according to claim 1, characterized in that the security resource pool is divided into security resource sub-pools by operating system.
4. The system for providing Security as a Service in a cloud operating system according to claim 1, characterized in that the security terminal agent obtains security resources by calling the interface of the security resource pool.
5. A method for providing Security as a Service in a cloud operating system, characterized in that it comprises:
installing security programs on the computing nodes in the cloud operating system, the security programs of multiple computing nodes pooling their security resources to form a security resource pool;
linking an update node to a security update library, and connecting the security resource pool with the update node to update the security resources in the security resource pool;
deploying, by a security terminal agent, a security agent inside the virtual machines on the computing nodes, the security agent obtaining security resources from the security resource pool and providing security services for the virtual machine.
6. The method for providing Security as a Service in a cloud operating system according to claim 5, characterized in that the security services are provided in the form of security rules, and the security rules comprise one or more of the following: anti-virus, firewall, DPI, integrity detection, anti-malware, vulnerability scanning and log audit.
7. The method for providing Security as a Service in a cloud operating system according to claim 5, characterized in that the security terminal agent obtains security resources by calling the interface of the security resource pool.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510527879.XA CN105141608B (en) 2015-08-25 2015-08-25 System and method for providing Security as a Service in a cloud operating system


Publications (2)

Publication Number Publication Date
CN105141608A true CN105141608A (en) 2015-12-09
CN105141608B CN105141608B (en) 2018-09-11

Family

ID=54726816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510527879.XA Active CN105141608B (en) 2015-08-25 2015-08-25 System and method for providing Security as a Service in a cloud operating system

Country Status (1)

Country Link
CN (1) CN105141608B (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582071A (en) * 2008-05-16 2009-11-18 鸿富锦精密工业(深圳)有限公司 System and method for updating data
CN104023011A (en) * 2014-05-30 2014-09-03 国云科技股份有限公司 Network firewall realization method suitable for virtual machine
CN104536802A (en) * 2014-12-19 2015-04-22 中兴通讯股份有限公司 Method for achieving calling of applications and virtual machine


Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681314A (en) * 2016-01-29 2016-06-15 博雅网信(北京)科技有限公司 Cloud environment security scanner and method
CN105933290A (en) * 2016-04-08 2016-09-07 杭州华三通信技术有限公司 Anti-attack method and device of virtual machines
CN106790270A (en) * 2017-02-16 2017-05-31 郑州云海信息技术有限公司 A kind of safety system of cloud operating system
CN108200207A (en) * 2018-02-11 2018-06-22 中国联合网络通信集团有限公司 The method and system of cloud computing system security service, secure cloud management platform
CN108234223A (en) * 2018-04-19 2018-06-29 郑州云海信息技术有限公司 A kind of security service design method of data center's total management system
CN108234223B (en) * 2018-04-19 2021-09-07 郑州云海信息技术有限公司 Safety service design method of data center integrated management system
CN109814882A (en) * 2018-12-13 2019-05-28 国网信通亿力科技有限责任公司 A kind of virtual machine quick deployment method of customizable

Also Published As

Publication number Publication date
CN105141608B (en) 2018-09-11


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant