CN105871939A - Virtual machine safety isolation system under network environment - Google Patents
- Publication number: CN105871939A
- Authority: CN (China)
- Legal status: Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40—Network security protocols
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract
The invention provides a virtual machine security isolation system for a network environment. The system comprises a key management subsystem and an isolation subsystem, and is characterized in that (1) before the real computer accesses the Internet it connects to a virtual machine and a firewall, so that the network communication flowing through the real computer is scanned; (2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system; (3) a fake unprotected computer is installed on the virtual machine, and the virtual machine security isolation scheme is set up on that fake unprotected computer, so that an intruder has difficulty identifying the true information.
Description
Technical field
The present invention relates to the field of computer security, and in particular to guaranteeing computer security in a network environment.
Background
Science and technology are now developing rapidly. Bank accounts, computers, mobile phones and game accounts are closely bound up with our lives, and at the same time some illegal hackers have begun to operate in a grey zone and engage in unlawful activities. In the mobile Internet era the value of users' personal information is unprecedentedly high, and the commercial value that "big data" can bring will drive a dramatic change: theft of confidential information and user data from personal computers, DDoS attacks on the network, virus spreading, phishing web pages, and pornographic, violent and reactionary content of every kind. Many techniques are in use at present: first, hardware isolation, which is not safe; second, installing antivirus software; third, separating work across two computers, one used for going online and the other kept offline; fourth, restricting the time and place of Internet use; and fifth, using a minority operating system such as LINUX or Apple's. Some of these are effective, but the more a machine is connected to the Internet, the more opportunity it gives hackers. From a technical standpoint, as long as a computer is connected to the Internet it is not safe. Providing a secure network environment is therefore an essential condition.
Summary of the invention
Therefore the aim of the present invention is to remedy the above deficiencies by providing a safe, reasonable and reliable network environment, so that users can use the network with peace of mind.
The solution of the invention is to use the computer that can go online to set up a virtual computer environment, which can defeat hacker intrusion behaviour, can carry out data analysis and use, can safely complete any instructed task, and ensures that this computer is not attacked by any virus or hacker.
The invention has the benefit that it is simple to operate, low in cost and suitable for large-scale promotion, and that it can ensure the safe use of this computer.
The concrete solution of the present invention is to provide a virtual machine security isolation system for a network environment, including:
(1) before the real computer is connected to the Internet, it connects to a virtual machine and a firewall, which scan the network communication flowing through it;
(2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system;
(3) a fake unprotected computer is installed on the virtual machine, and the virtual machine security isolation scheme is set up on that fake unprotected computer, so that an intruder has difficulty identifying the real information.
Preferably, the firewall is a network firewall that scans the network communication flowing through it, closes unused ports, forbids outgoing communication on particular ports to block Trojan horses, or forbids access from particular websites, thereby preventing all communication from unidentified intruders.
The concrete scheme of the present invention also provides a virtual machine security isolation system comprising two subsystems, namely a key management subsystem and an isolation subsystem.
Preferably, the key management subsystem includes a key negotiation module and a key management module. The key negotiation module is responsible for requesting keys from the key management server, and the key management module is located in the key management server and is responsible for managing and distributing keys.
Preferably, the isolation subsystem mainly contains a block device isolation module, a memory isolation module and a desktop protocol isolation module. The block device isolation module performs selective transparent encryption of block device requests, the memory isolation module extends the ACM framework to implement desktop security checks, and the desktop protocol isolation module makes the desktop protocol safer by encrypting input and output.
Preferably, the block devices include hard disks, CD-ROMs and floppy disks.
From the following detailed description of specific embodiments of the invention in conjunction with the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the present invention.
Brief description of the drawings
Specific embodiments of the present invention are described in detail below by way of example and not by way of limitation. Identical reference numerals in the drawings denote the same or similar parts. Those skilled in the art should understand that these drawings are not necessarily drawn to scale. The objects and features of the present invention will be apparent from the following description taken together with the accompanying drawings, in which:
Figure 1 is a flow chart of the virtual machine security isolation method in a network environment according to an embodiment of the present invention.
Figure 2 is a module view of the virtual machine system in a network environment according to an embodiment of the present invention.
Detailed description of the invention
With reference now to the drawings, the details of the present invention will be described.
With reference to Figure 1, a virtual machine security isolation system in a network environment includes:
(1) before the real computer is connected to the Internet, it connects to a virtual machine and a firewall. The firewall is a network firewall that scans the network communication flowing through it and can thereby filter out some attacks so that they are not executed on the target computer; the firewall can also close unused ports and forbid outgoing communication on particular ports to block Trojan horses. In addition, the firewall can forbid access from particular websites, thereby preventing all communication from unidentified intruders;
(2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system;
(3) a fake unprotected computer is installed on the virtual machine, and the virtual machine security isolation scheme is set up on that fake unprotected computer, so that an intruder has difficulty identifying the real information.
The isolation method using a virtual machine in a network environment observes three principles: guarantee execution efficiency as far as possible, that is, minimize the impact of isolation operations on the execution efficiency of the system; use the characteristics of the existing system as far as possible; and take into account the deployment complexity of applications in a real network environment, choosing the simplest approach possible. The virtual machine isolation system uses a key management server that is responsible for the key corresponding to each virtual machine uuid. When a virtual machine starts, the key negotiation management service establishes a secure session using the Diffie-Hellman algorithm; after the session is established it requests the key corresponding to that virtual machine from the key management server, and after the request the key is passed to the block device and desktop protocol communication encryption modules. Both the block device encryption module and the desktop protocol encryption module use a transparent encryption mode, so the virtual machine above them cannot perceive the existence of the encryption module. The memory isolation module resides in the hypervisor and extends the ACM module to implement tracking of virtual machine memory and automatic generation of ACM rules, realizing security control of the desktop in a pre-fishing mode.
With reference to Figure 2, the whole system can be divided into two subsystems: the key management subsystem and the isolation subsystem. The key management subsystem includes a key negotiation module and a key management module; the key negotiation module is responsible for requesting keys from the key management server, and the key management module is located in the key management server and is responsible for distributing keys. The isolation subsystem mainly contains a block device isolation module, a memory isolation module and a desktop protocol isolation module. The block device isolation module performs selective transparent encryption of block device requests, the memory isolation module extends the ACM framework to implement desktop security checks, and the desktop protocol isolation module makes the desktop protocol safer by encrypting input and output.
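The key negotiation flow of Figure 1 and the key management and block device isolation modules of Figure 2, simulated in one process as an added illustration that is not code from the patent: a VM agent establishes a Diffie-Hellman session with the key management server, proves possession of the session key with an HMAC, receives the key bound to its uuid wrapped under that session, and then encrypts only the protected block device transparently. The device names "hda" and "cdrom", the HMAC proof, and the SHA-256 counter keystream standing in for a real disk cipher are all assumptions of this example.

```python
import hashlib, hmac, os, secrets

# RFC 3526 MODP group 14 (2048-bit) prime, generator 2, for the DH session.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
PROTECTED = {"hda"}  # assumed device names: encrypt the hard disk, pass the CD-ROM through

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_session_key(priv, peer_pub):
    # Reject degenerate public values (0, 1, P-1) before deriving the shared secret.
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid DH public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()

def keystream_xor(key, label, data):
    # Illustrative SHA-256 counter-mode keystream; a real module would use a disk cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyManagementServer:  # key management module: one key per VM uuid
    def __init__(self):
        self.vm_keys, self.sessions = {}, {}
    def register_vm(self, uuid):
        self.vm_keys[uuid] = os.urandom(32)
    def handshake(self, uuid, client_pub):
        priv, pub = dh_keypair()
        self.sessions[uuid] = dh_session_key(priv, client_pub)
        return pub
    def request_key(self, uuid, proof):
        # Release the uuid's key only to the peer holding this session's key, wrapped under it.
        expected = hmac.new(self.sessions[uuid], uuid.encode(), "sha256").digest()
        if not hmac.compare_digest(proof, expected):
            raise PermissionError("bad session proof")
        return keystream_xor(self.sessions[uuid], b"wrap", self.vm_keys[uuid])

class VmIsolationAgent:  # key negotiation module + block device isolation module of one VM
    def __init__(self, uuid, server):
        self.uuid, self.disk = uuid, {}  # disk: (device, sector) -> bytes on the medium
        priv, pub = dh_keypair()
        session = dh_session_key(priv, server.handshake(uuid, pub))
        proof = hmac.new(session, uuid.encode(), "sha256").digest()
        self.key = keystream_xor(session, b"wrap", server.request_key(uuid, proof))
    def write(self, device, sector, data):
        # Selective transparent encryption: the guest writes plaintext, the medium holds ciphertext.
        label = f"{device}:{sector}".encode()
        self.disk[(device, sector)] = keystream_xor(self.key, label, data) if device in PROTECTED else data
    def read(self, device, sector):
        label = f"{device}:{sector}".encode()
        stored = self.disk[(device, sector)]
        return keystream_xor(self.key, label, stored) if device in PROTECTED else stored
```

The guest-visible read of a protected sector returns what was written, while the bytes held for that sector differ; a request without a valid session proof, or a degenerate DH public value, is rejected before any key is released.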
Although the present invention has been described with reference to specific illustrative embodiments, it is not limited by these embodiments but only by the appended claims. Those skilled in the art will appreciate that the embodiments of the invention can be changed and modified without departing from the scope and spirit of the present invention.
Claims (6)
1. A virtual machine security isolation system in a network environment, characterized in that it includes:
(1) before the real computer is connected to the Internet, it connects to a virtual machine and a firewall, which scan the network communication flowing through it;
(2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system;
(3) a fake unprotected computer is installed on the virtual machine, and the virtual machine security isolation scheme is set up on that fake unprotected computer, so that an intruder has difficulty identifying the real information.
2. The virtual machine security isolation system in a network environment according to claim 1, characterized in that the firewall is a network firewall that scans the network communication flowing through it, closes unused ports, forbids outgoing communication on particular ports to block Trojan horses, or forbids access from particular websites, thereby preventing all communication from unidentified intruders.
3. A virtual machine security isolation system according to any one of claims 1-2, characterized in that it includes two subsystems, namely a key management subsystem and an isolation subsystem.
4. The virtual machine security isolation system according to claim 3, characterized in that the key management subsystem includes a key negotiation module and a key management module; the key negotiation module is responsible for requesting keys from the key management server, and the key management module is located in the key management server and is responsible for distributing keys.
5. The virtual machine security isolation system according to claim 3, characterized in that the isolation subsystem mainly contains a block device isolation module, a memory isolation module and a desktop protocol isolation module; the block device isolation module performs selective transparent encryption of block device requests, the memory isolation module extends the ACM framework to implement desktop security checks, and the desktop protocol isolation module makes the desktop protocol safer by encrypting input and output.
6. The virtual machine security isolation system according to claim 5, characterized in that the block devices include hard disks, CD-ROMs and floppy disks.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610479366.0A CN105871939A (en) | 2016-06-26 | 2016-06-26 | Virtual machine safety isolation system under network environment |
PCT/CN2016/095103 WO2018000537A1 (en) | 2016-06-26 | 2016-08-14 | Virtual machine safety isolation system under network environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105871939A true CN105871939A (en) | 2016-08-17 |
Family
ID=56655579
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610479366.0A Pending CN105871939A (en) | 2016-06-26 | 2016-06-26 | Virtual machine safety isolation system under network environment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105871939A (en) |
WO (1) | WO2018000537A1 (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9767274B2 (en) * | 2011-11-22 | 2017-09-19 | Bromium, Inc. | Approaches for efficient physical to virtual disk conversion |
CN102567217B (en) * | 2012-01-04 | 2014-12-24 | 北京航空航天大学 | MIPS platform-oriented memory virtualization method |
CN104125192A (en) * | 2013-04-23 | 2014-10-29 | 鸿富锦精密工业(深圳)有限公司 | Virtual-machine safety protection system and method |
CN103577771B (en) * | 2013-11-08 | 2016-09-07 | 中科信息安全共性技术国家工程研究中心有限公司 | A kind of virtual desktop anti-data-leakage guard method based on disk encryption |
Events
- 2016-06-26: CN CN201610479366.0A (CN105871939A), active, Pending
- 2016-08-14: WO PCT/CN2016/095103 (WO2018000537A1), active, Application Filing
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645873A (en) * | 2008-08-07 | 2010-02-10 | 联想(北京)有限公司 | Method for realizing network isolation in environments of computer and virtual machine |
CN101673215A (en) * | 2008-09-09 | 2010-03-17 | 联想(北京)有限公司 | Computer and user management method in virtual environment |
CN101409714A (en) * | 2008-11-18 | 2009-04-15 | 华南理工大学 | Firewall system based on virtual machine |
CN101668022A (en) * | 2009-09-14 | 2010-03-10 | 陈博东 | Virtual network isolation system established on virtual machine and implementation method thereof |
CN201499183U (en) * | 2009-09-14 | 2010-06-02 | 陈博东 | Virtual network separation system |
CN102523215A (en) * | 2011-12-15 | 2012-06-27 | 北京海云捷迅科技有限公司 | Virtual machine (VM) online antivirus system based on KVM virtualization platform |
CN103414558A (en) * | 2013-07-17 | 2013-11-27 | 电子科技大学 | XEN cloud platform-based virtual machine block device isolation method |
CN204334621U (en) * | 2014-11-25 | 2015-05-13 | 甘肃省科学技术情报研究所 | A kind of network security management device |
Non-Patent Citations (1)
Title |
---|
邵长庚: ""Xen云环境虚拟机安全隔离技术研究与实现"", 《中国优秀硕士学位论文全文数据库》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110352587A (en) * | 2017-03-07 | 2019-10-18 | Abb瑞士股份有限公司 | Automated communications network system reinforcement |
CN110352587B (en) * | 2017-03-07 | 2022-09-16 | Abb瑞士股份有限公司 | Automatic communication network system consolidation |
Also Published As
Publication number | Publication date |
---|---|
WO2018000537A1 (en) | 2018-01-04 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20160817