CN105282176B - Data security system and method under a kind of cloud computing environment - Google Patents


Info

Publication number: CN105282176B
Authority: CN (China)
Prior art keywords: data packet, data, spy, sent, information
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201510785508.1A
Other languages: Chinese (zh)
Other versions: CN105282176A
Inventor: 余启轩
Current assignee: Hebei Steel Grain Union Technology Co., Ltd (the listed assignees may be inaccurate)
Original assignee: Shanghai Feixun Data Communication Technology Co Ltd

Timeline:
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201510785508.1A
Publication of CN105282176A
Application granted
Publication of CN105282176B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; gathering intelligence information for situation awareness or reconnaissance


Abstract

The invention discloses a data security system and method under a cloud computing environment. The system includes: a generation module, for generating a spy data packet when it is determined that data packets need to be sent to a cloud terminal server, the spy data packet being used to monitor the security of the data packets; a sending module, for sending the spy data packet and the data packets to the cloud terminal server; a receiving module, for receiving the information collected and returned by the spy data packet when it detects unauthorized access; and a safety management module, for performing data security analysis and management according to that information. The present invention can effectively ensure the security of the data stored in the cloud terminal.

Description

Data security system and method under a kind of cloud computing environment
Technical field
The present invention relates to the field of computer networks, and in particular to a data security system and method under a cloud computing environment.
Background technique
Cloud computing is one of the hot topics in the current information technology field and a focus of attention for industry, academia and government alike. It embodies the idea that "the network is the computer": a large number of computing, storage and software resources are linked together to form a huge shared virtual IT resource pool. According to its deployment and scope of operation, cloud computing can be divided into private cloud, public cloud and hybrid cloud; according to the type of IT service provided, it takes the following forms: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), data cloud (cloud storage, Storage as a Service), and so on.
Using the data cloud service in cloud computing, users can conveniently store their own data in the cloud terminal and access it at any time. However, storage in a data cloud service is shared; that is, no separate storage area is opened up for each user. Compared with traditional software, the biggest difference of cloud computing in terms of data is that all data is maintained by a third party, and, owing to the characteristics of the cloud computing architecture, this data may be stored in dispersed locations, all of it in plaintext. Although a firewall can provide some degree of protection against malicious external attacks, under this architecture some critical data may still be leaked.
Therefore, the data stored in the cloud terminal faces serious security and privacy concerns.
Summary of the invention
The technical problem mainly solved by the present invention is to provide a data security system and method under a cloud computing environment that can effectively ensure the security of the data stored in the cloud terminal.
To solve the above technical problem, one technical scheme adopted by the present invention is to provide a data security system under a cloud computing environment, the system including: a generation module, for generating a spy data packet when it is determined that data packets need to be sent to a cloud terminal server, the spy data packet being used to monitor the security of the data packets; a sending module, for sending the spy data packet and the data packets to the cloud terminal server; a receiving module, for receiving the information collected and returned by the spy data packet when it detects unauthorized access; and a safety management module, for performing data security analysis and management according to that information.
To solve the above technical problem, another technical scheme adopted by the present invention is to provide a data security method under a cloud computing environment, the method including: generating a spy data packet when it is determined that data packets need to be sent to a cloud terminal server, the spy data packet being used to monitor the security of the data packets; sending the spy data packet and the data packets to the cloud terminal server; receiving the information collected and returned by the spy data packet when it detects unauthorized access; and performing data security analysis and management according to that information.
Unlike the prior art, the data security system under a cloud computing environment of the present invention generates a spy data packet when it determines that data packets need to be sent to the cloud terminal server, sends the spy data packet and the data packets to the cloud terminal server, receives the information collected and returned by the spy data packet when it detects unauthorized access, and performs data security analysis and management according to that information, thereby effectively ensuring the security of the data stored in the cloud terminal.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the first embodiment of the data security system under a cloud computing environment of the present invention;
Fig. 2 is a structural schematic diagram of the second embodiment of the data security system under a cloud computing environment of the present invention;
Fig. 3 is a flow diagram of the first embodiment of the data security method under a cloud computing environment of the present invention.
Specific embodiment
The technical solution of the present invention is described in further detail below with reference to the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of the first embodiment of the data security system under a cloud computing environment provided by the present invention. The system can be deployed on the client that the user uses to access the cloud service.
The data security system 100 under the cloud computing environment includes: a generation module 110, a sending module 120, a receiving module 130 and a safety management module 140.
The generation module 110 is used to generate a spy data packet when it is determined that data packets need to be sent to the cloud terminal server, the spy data packet being used to monitor the security of the data packets.
Specifically, the generation module 110 can generate the spy data packet from the data packets that need to be sent, or it can construct a brand-new spy data packet. The type of the generated spy data packet can be any one or a combination of the following: a data packet carrying a label marker, a data packet carrying a lure data field, and a data packet carrying real-time monitoring and investigation data.
The sending module 120 is used to send the spy data packet and the data packets to the cloud terminal server. Specifically, the sending module 120 mixes the spy data packet with the normal data packets for transmission.
The receiving module 130 is used to receive the information collected and returned by the spy data packet when it detects unauthorized access.
The safety management module 140 is used to perform data security analysis and management according to that information. Specifically, this module can analyze and classify the received information, parsing out the time of the unauthorized access, the IP address of the unauthorized visitor, the type of unauthorized access and the like, and can further issue a warning notice to the user in real time or save the information so that the user can query it at any time.
Unlike the prior art, the data security system under a cloud computing environment of the present invention generates a spy data packet when it determines that data packets need to be sent to the cloud terminal server, the spy data packet being used to monitor the security of the data packets; sends the spy data packet and the data packets to the cloud terminal server; receives the information collected and returned by the spy data packet when it detects unauthorized access; and performs data security analysis and management according to that information, so that the security of the data stored in the cloud terminal is effectively ensured.
Referring to Fig. 2, Fig. 2 is a structural schematic diagram of the second embodiment of the data security system under a cloud computing environment provided by the present invention. The system can be deployed on the client that the user uses to access the cloud service.
The data security system 200 under the cloud computing environment includes: a generation module 210, a sending module 220, a receiving module 230 and a safety management module 240.
The generation module 210 is used to generate a spy data packet when it is determined that data packets need to be sent to the cloud terminal server, the spy data packet being used to monitor the security of the data packets.
In a first example of this embodiment, the generation module 210 includes a selection unit 211 and a camouflage unit 212. The selection unit 211 is used to select a part of the data packets from the data packets to be sent; the camouflage unit 212 is used to disguise the selected part of the data packets as spy data packets. Further, the camouflage unit 212 includes one or more of the following sub-units: a label marker packet camouflage sub-unit 2121, a lure data packet camouflage sub-unit 2122 and a real-time monitoring and investigation data packet camouflage sub-unit 2123. The label marker packet camouflage sub-unit 2121 is used to select a part of the data packets from the data packets to be sent and add a label marker data segment; the label marker can be triggered when the spy data packet is accessed without authorization and records the access information. The lure data packet camouflage sub-unit 2122 is used to select a part of the data packets from the data packets to be sent and add a lure data field; the lure data segment can entice an unauthorized visitor to access the spy data packet first and records the access information. The real-time monitoring and investigation data packet camouflage sub-unit 2123 is used to select a part of the data packets from the data packets to be sent and add real-time monitoring and investigation data; this data can be used to monitor in real time and record the information about the spy data packet being accessed without authorization.
In a second example of this embodiment, the generation module 210 includes a construction unit 213 for constructing a new spy data packet. Further, the construction unit 213 includes one or more of the following sub-units: a label marker packet construction sub-unit 2131, a lure data packet construction sub-unit 2132 and a real-time monitoring and investigation data packet construction sub-unit 2133. The label marker packet construction sub-unit 2131 is used to construct a data packet that contains no real data and add a label marker data segment; the label marker can be triggered when the spy data packet is accessed without authorization and records the access information. The lure data packet construction sub-unit 2132 is used to construct a data packet that contains no real data and add a lure data field; the lure data segment can entice an unauthorized visitor to access the spy data packet first and records the access information. The real-time monitoring and investigation data packet construction sub-unit 2133 is used to construct a data packet that contains no real data and add real-time monitoring and investigation data; this data can be used to monitor in real time and record the information about the spy data packet being accessed without authorization.
The sending module 220 is used to send the spy data packets and the data packets to the cloud terminal server. Specifically, when the generation module 210 selects a part of the data packets to be sent and disguises them as spy data packets, the sending module 220 sends the disguised spy data packets together with the undisguised part of the data packets to be sent to the cloud terminal server; when the generation module 210 constructs new spy data packets, the sending module 220 mixes the newly constructed spy data packets into the data packets to be sent and sends them to the cloud terminal server.
The receiving module 230 is used to receive the information collected and returned by the spy data packet when it detects unauthorized access.
The safety management module 240 is used to perform data security analysis and management according to that information. Specifically, this module can analyze and classify the received information, parsing out the time of the unauthorized access, the IP address of the unauthorized visitor, the type of unauthorized access and the like, and can further issue a warning notice to the user in real time or save the information so that the user can query it at any time.
Optionally, the system further includes a display module 250 for showing the information to the user. Specifically, when the safety management module 240 has identified an access by an unauthorized user, the display module 250 can show the detailed IP address, access type and other information of that unauthorized user to the user in real time, so that the user can report the information to the cloud service provider or take other action. It can also show the unauthorized access records of a recent period in response to a query request from the user.
Unlike the prior art, the data security system under a cloud computing environment of the present invention generates a spy data packet when it determines that data packets need to be sent to the cloud terminal server, the spy data packet being used to monitor the security of the data packets; sends the spy data packet and the data packets to the cloud terminal server; receives the information collected and returned by the spy data packet when it detects unauthorized access; and performs data security analysis and management according to that information, so that the security of the data stored in the cloud terminal is effectively ensured.
Referring to Fig. 3, Fig. 3 is a flow diagram of the first embodiment of the data security method under a cloud computing environment provided by the present invention. The method is executed by the client that the user uses to access the cloud service.
The method includes the following steps:
S301: when it is determined that data packets need to be sent to the cloud terminal server, generate a spy data packet, the spy data packet being used to monitor the security of the data packets.
Specifically, the spy data packet can be generated by either or both of the following two methods: selecting a part of the data packets to be sent and disguising them as spy data packets, or constructing a new spy data packet.
Specifically, the type of the spy data packet can be any one or a combination of the following three kinds: a data packet carrying a label marker, a data packet carrying a lure data field, and a data packet carrying real-time monitoring and investigation data.
The method of selecting a part of the data packets and disguising them as spy data packets may be: selecting a part of the data packets from the data packets to be sent and adding a label marker data segment, the label marker being triggered when the spy data packet is accessed without authorization and recording the access information; or selecting a part of the data packets from the data packets to be sent and adding a lure data field, the lure data segment being able to entice an unauthorized visitor to access the spy data packet first and record the access information; or selecting a part of the data packets from the data packets to be sent and adding real-time monitoring and investigation data, which can be used to monitor in real time and record the information about the spy data packet being accessed without authorization.
The method of constructing a new spy data packet may be: constructing a data packet that contains no real data and adding a label marker data segment, the label marker being triggered when the spy data packet is accessed without authorization and recording the access information; or constructing a data packet that contains no real data and adding a lure data field, the lure data segment being able to entice an unauthorized visitor to access the spy data packet first and record the access information; or constructing a data packet that contains no real data and adding real-time monitoring and investigation data, which can be used to monitor in real time and record the information about the spy data packet being accessed without authorization.
S302: send the spy data packet and the data packets to the cloud terminal server.
Specifically, when the spy data packet in step S301 was generated by selecting a part of the data packets and disguising them as spy data packets, this step sends the disguised spy data packets together with the undisguised part of the data packets to be sent to the cloud terminal server.
Specifically, when the spy data packet in step S301 was generated by constructing a new spy data packet, this step mixes the newly constructed spy data packet into the data packets to be sent and sends them to the cloud terminal server.
S303: receive the information collected and returned by the spy data packet when it detects unauthorized access.
The returned information may include the time of the unauthorized access, the IP address of the unauthorized visitor, the type of unauthorized access and the like.
S304: perform data security analysis and management according to that information.
Specifically, in this step the received information can be analyzed and classified, parsing out the time of the unauthorized access, the IP address of the unauthorized visitor, the type of unauthorized access and the like; further, a warning notice can be issued to the user in real time, or the information can be saved so that the user can query it at any time.
Optionally, the method may further include showing the information to the user. For example, when step S304 has identified an access by an unauthorized user, the detailed IP address, access type and other information of that unauthorized user are shown to the user in real time, so that the user can report the information to the cloud service provider or take other action; or, after the information has been saved in S304, the unauthorized access records of a recent period are shown in response to a query request from the user.
Unlike the prior art, the data security method under a cloud computing environment of the present invention generates a spy data packet when it determines that data packets need to be sent to the cloud terminal server, the spy data packet being used to monitor the security of the data packets; sends the spy data packet and the data packets to the cloud terminal server; receives the information collected and returned by the spy data packet when it detects unauthorized access; and performs data security analysis and management according to that information, so that the security of the data stored in the cloud terminal is effectively ensured.
The above are only embodiments of the present invention and are not intended to limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.
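As an added example, not code from the patent or its assignee, the following Python models the client-side flow of steps S301 to S304 together with the two generation paths of the Fig. 2 embodiment (camouflaging a part of the real packets with a label marker, and constructing decoys that carry a lure field and no real data), mixes both into the outgoing stream, and then authenticates, parses and classifies the access reports that come back. The HMAC-based label marker, the JSON report format, the sample records and the report lines are all assumptions; how the cloud side detects an access and returns a report is not described in the patent and is not modelled.

```python
import hashlib
import hmac
import json
import random
from collections import Counter

# Assumption (not in the patent): the client holds a secret so that a returned
# report can be tied to a label marker this client actually issued.
CLIENT_SECRET = b"constructed-demo-key"

# Constructed sample of the "data packets to be sent" (real user records).
REAL_PACKETS = [{"id": "r%d" % i, "payload": "record %d" % i} for i in range(1, 7)]


def make_label(packet_id):
    """Label marker data segment: a short HMAC over the packet id."""
    return hmac.new(CLIENT_SECRET, packet_id.encode(), hashlib.sha256).hexdigest()[:16]


def generate_spy_packets(to_send, fraction, n_decoys, seed):
    """S301 + S302. Method 1 disguises a part of the real packets by adding a
    label marker; method 2 constructs decoys with no real data and a lure field.
    Returns the mixed outgoing stream and a registry of the spy packet ids."""
    rng = random.Random(seed)
    chosen = set(rng.sample(range(len(to_send)), max(1, int(len(to_send) * fraction))))
    stream, registry = [], {}
    for i, pkt in enumerate(to_send):
        pkt = dict(pkt)
        if i in chosen:                          # camouflage: real data + label marker
            pkt["label"] = make_label(pkt["id"])
            registry[pkt["id"]] = "label"
        stream.append(pkt)
    for _ in range(n_decoys):                    # construct: no real data + lure field
        pid = "decoy-%08x" % rng.getrandbits(32)
        stream.append({"id": pid, "payload": None,
                       "lure": "passwords_backup.txt", "label": make_label(pid)})
        registry[pid] = "lure"
    rng.shuffle(stream)                          # spy and normal packets sent mixed
    return stream, registry


def parse_reports(lines, registry):
    """S303: keep only reports whose (id, label) pair matches a marker we issued;
    malformed lines and forged labels are rejected rather than trusted."""
    accepted, rejected = [], []
    for line in lines:
        try:
            r = json.loads(line)
            ok = r["id"] in registry and hmac.compare_digest(r["label"], make_label(r["id"]))
        except (ValueError, KeyError, TypeError):
            ok = False
        (accepted if ok else rejected).append(line)
    return accepted, rejected


def analyse(accepted, registry):
    """S304: parse out time, visitor IP and access type, classify, build warnings."""
    events = [json.loads(line) for line in accepted]
    return {
        "by_ip": dict(Counter(e["src_ip"] for e in events)),
        "by_type": dict(Counter(e["access"] for e in events)),
        "by_kind": dict(Counter(registry[e["id"]] for e in events)),
        "warnings": ["%s: unauthorized %s of %s packet %s from %s"
                     % (e["time"], e["access"], registry[e["id"]], e["id"], e["src_ip"])
                     for e in events],
    }


def demo():
    """Run the whole flow on constructed data; returns the pieces for inspection."""
    stream, registry = generate_spy_packets(REAL_PACKETS, 0.5, 2, seed=7)
    decoy_id = next(i for i, k in registry.items() if k == "lure")
    tagged_id = next(i for i, k in registry.items() if k == "label")
    # Constructed access reports as the spy packets would return them (S303).
    reports = [
        json.dumps({"id": decoy_id, "label": make_label(decoy_id),
                    "time": "2015-11-16T08:12:05Z", "src_ip": "203.0.113.7", "access": "read"}),
        json.dumps({"id": tagged_id, "label": make_label(tagged_id),
                    "time": "2015-11-16T08:13:40Z", "src_ip": "203.0.113.7", "access": "copy"}),
        json.dumps({"id": tagged_id, "label": "0" * 16,   # forged label: must be rejected
                    "time": "2015-11-16T08:14:00Z", "src_ip": "198.51.100.9", "access": "read"}),
        "garbage line that is not JSON",
    ]
    accepted, rejected = parse_reports(reports, registry)
    return stream, registry, accepted, rejected, analyse(accepted, registry)


if __name__ == "__main__":
    for warning in demo()[4]["warnings"]:
        print(warning)
```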

Claims (4)

1. A data security system under a cloud computing environment, characterized in that it comprises:
a generation module, for generating a spy data packet when it is determined that data packets need to be sent to a cloud terminal server, the spy data packet being used to monitor the security of the data packets;
a sending module, for sending the spy data packet and the data packets to the cloud terminal server;
a receiving module, for receiving the information collected and returned by the spy data packet when it detects unauthorized access;
a safety management module, for performing data security analysis and management according to that information;
the generation module comprising a selection unit and a camouflage unit, the selection unit being used to select a part of the data packets from the data packets to be sent, and the camouflage unit being used to disguise the selected part of the data packets as spy data packets; the camouflage unit comprising: a label marker packet camouflage sub-unit, for selecting a part of the data packets from the data packets to be sent and adding a label marker data segment, the label marker data segment being triggered when the spy data packet is accessed without authorization and recording the access information; or a lure data packet camouflage sub-unit, for selecting a part of the data packets from the data packets to be sent and adding a lure data field, the lure data field being able to entice an unauthorized visitor to access the spy data packet first and record the access information; or a real-time monitoring and investigation data packet camouflage sub-unit, for selecting a part of the data packets from the data packets to be sent and adding real-time monitoring and investigation data, the real-time monitoring and investigation data being used to monitor in real time and record the information about the spy data packet being accessed without authorization;
the sending module sending the spy data packet and the data packets to the cloud terminal server specifically by: sending the disguised spy data packets together with the undisguised part of the data packets to be sent to the cloud terminal server.
2. The data security system under a cloud computing environment according to claim 1, characterized in that the system further comprises a display module for showing the information to the user.
3. A data security method under a cloud computing environment, characterized in that it comprises:
generating a spy data packet when it is determined that data packets need to be sent to a cloud terminal server, the spy data packet being used to monitor the security of the data packets;
sending the spy data packet and the data packets to the cloud terminal server;
receiving the information collected and returned by the spy data packet when it detects unauthorized access;
performing data security analysis and management according to that information;
the generating of the spy data packet specifically being: selecting a part of the data packets from the data packets to be sent and disguising them as spy data packets, which may be: selecting a part of the data packets from the data packets to be sent and adding a label marker data segment, the label marker data segment being triggered when the spy data packet is accessed without authorization and recording the access information; or selecting a part of the data packets from the data packets to be sent and adding a lure data field, the lure data field being able to entice an unauthorized visitor to access the spy data packet first and record the access information; or selecting a part of the data packets from the data packets to be sent and adding real-time monitoring and investigation data, the real-time monitoring and investigation data being used to monitor in real time and record the information about the spy data packet being accessed without authorization;
the sending of the spy data packet and the data packets to the cloud terminal server specifically being: sending the disguised spy data packets together with the undisguised part of the data packets to be sent to the cloud terminal server.
4. The data security method under a cloud computing environment according to claim 3, characterized in that the method further comprises: showing the information to the user.
Application CN201510785508.1A, priority date 2015-11-16, filing date 2015-11-16: Data security system and method under a kind of cloud computing environment, granted as CN105282176B (Active).


Publications (2)

Publication number    Publication date
CN105282176A          2016-01-27
CN105282176B (grant)  2019-07-19

Family

ID=55150502


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101087196A (en) * 2006-12-27 2007-12-12 北京大学 Multi-layer honey network data transmission method and system
CN103749001B (en) * 2010-06-09 2012-02-08 北京理工大学 The self-protection GU Generic Unit of Inner Network Security Monitor System
CN103368979A (en) * 2013-08-08 2013-10-23 电子科技大学 Network security verifying device based on improved K-means algorithm

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8959573B2 (en) * 2012-05-01 2015-02-17 Harris Corporation Noise, encryption, and decoys for communications in a dynamic computer network



Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant
TR01  Transfer of patent right

Effective date of registration: 20201010

Address after: 063000 Rongmao building, south of the west section of Huimin street, Qian'an City, Tangshan City, Hebei Province

Patentee after: Hebei Steel Grain Union Technology Co., Ltd

Address before: 201616 Shanghai city Songjiang District Sixian Road No. 3666

Patentee before: Phicomm (Shanghai) Co.,Ltd.