CN105871939A - Virtual machine safety isolation system under network environment - Google Patents

Virtual machine safety isolation system under network environment

Info

Publication number
CN105871939A
Authority
CN
China
Prior art keywords
virtual machine
module
key
computer
isolation
Legal status
Pending
Application number
CN201610479366.0A
Other languages
Chinese (zh)
Inventor
杨越
Current Assignee
Individual
Original Assignee
Individual
Priority date: 2016-06-26
Filing date: 2016-06-26
Publication date: 2016-08-17
Application filed by: Individual
Priority to: CN201610479366.0A (CN105871939A)
Priority to: PCT/CN2016/095103 (WO2018000537A1)
Publication of: CN105871939A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a virtual machine security isolation system for a networked environment. The system comprises a key management subsystem and an isolation subsystem, and is characterized in that (1) before the real computer connects to the Internet it passes through a virtual machine and a firewall, so that the network traffic flowing through it is scanned; (2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system; (3) an unprotected ("bare") decoy computer is installed on the virtual machine, and the virtual machine security isolation scheme is configured on that decoy so that an intruder has difficulty identifying the real information.

Description

Virtual machine security isolation system under network environment
Technical field
The present invention relates to the field of computer security, and in particular to safeguarding computers in a networked environment.
Background technology
Science and technology are now developing rapidly. Bank accounts, computers, mobile phones and game account numbers are closely bound up with our lives, and at the same time some illegal "geeks" have begun to operate in the gray zone and engage in unlawful activities. In the mobile Internet era the value of users' personal information stands out as never before, and the commercial value that "big data" can bring will drive a dramatic change; confidential information and user data are stolen from personal computers, and the network carries DDoS attacks, virus spreading, phishing pages, and pornographic, violent and reactionary content of every kind. Many techniques are in use at present: one is hardware isolation, which is unsafe; a second is installing antivirus software; a third is separating work across two computers, one used for going online and the other kept disconnected; a fourth is restricting the time and place of Internet use; a fifth is using a minority system such as Linux or Apple. Some of these are effective, but most of them still connect to the Internet, which gives hackers their opportunity. From a technical standpoint, as soon as a machine is connected to the Internet it is no longer safe. Providing a secure network environment is therefore an essential condition.
Summary of the invention
The present invention therefore aims to remedy the above deficiencies by providing a safe, reasonable and reliable network environment, so that users can use the network with confidence.
The solution of the invention is to use a computer that can go online to build a virtual computer environment that can counter hacker intrusion, can carry out data analysis and use, and can safely complete any instructed task, while ensuring that this computer is not attacked by any virus or hacker.
The benefit of the invention is that it is simple to operate and low in cost, suitable for large-scale promotion, and able to ensure the safe use of the computer.
The concrete solution of the present invention is to provide a virtual machine security isolation system under a network environment, including:
(1) before the real computer connects to the Internet, it passes through a virtual machine and a firewall, so that the network traffic flowing through it is scanned;
(2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system;
(3) an unprotected ("bare") decoy computer is installed on the virtual machine, and the virtual machine security isolation scheme is configured on the decoy so that an intruder has difficulty identifying the real information.
Preferably, the firewall is a network firewall that scans the network traffic passing through it, closes unused ports, forbids outgoing communication on particular ports so as to block Trojan horses, or forbids access from particular websites, thereby preventing all communication from unknown intruders.
The concrete scheme of the present invention also provides a virtual machine security isolation system comprising two subsystems: a key management subsystem and an isolation subsystem.
Preferably, the key management subsystem includes a key negotiation module and a key management module. The key negotiation module is responsible for requesting keys from the key management server; the key management module is located on the key management server and is responsible for managing and distributing keys.
Preferably, the isolation subsystem mainly consists of a block device isolation module, a memory isolation module and a desktop protocol isolation module. The block device isolation module performs selective transparent encryption of block device requests; the memory isolation module controls desktop security checking by extending the ACM (access control module) framework; and the desktop protocol isolation module makes the desktop protocol more secure by encrypting its input and output.
Preferably, the block devices include hard disks, CD-ROMs and floppy disks.
From the following detailed description of specific embodiments, taken together with the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the present invention.
Description of the drawings
Some specific embodiments of the present invention are described in detail below by way of example and not by way of limitation. Identical reference signs in the drawings denote identical or similar components or parts. Those skilled in the art should understand that these drawings are not necessarily drawn to scale. The objects and features of the present invention will be apparent in view of the following description taken together with the accompanying drawings, in which:
Figure 1 is a flow chart of the virtual machine security isolation method under a network environment according to an embodiment of the present invention.
Figure 2 is a system module view of the virtual machine under a network environment according to an embodiment of the present invention.
Detailed description of the invention
With reference now to the drawings, a detailed description is given according to the present invention.
With reference to Figure 1, a virtual machine security isolation system under a network environment includes:
(1) before the real computer connects to the Internet, it passes through a virtual machine and a firewall. The firewall is a network firewall that scans the network traffic flowing through it and can thereby filter out some attacks so that they are not executed on the target computer. The firewall can also close unused ports and forbid outgoing communication on particular ports, blocking Trojan horses. In addition, the firewall can forbid access from particular websites, thereby preventing all communication from unknown intruders;
(2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system;
(3) an unprotected ("bare") decoy computer is installed on the virtual machine, and the virtual machine security isolation scheme is configured on the decoy so that an intruder has difficulty identifying the real information.
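Item (1) above amounts to three policies: a default-deny inbound policy (which is what "closing unused ports" means in practice), a deny list of outbound destination ports, and a blocklist of remote hosts. The Python below is an added example, not code from the patent or its author, that evaluates those policies over constructed sample flows. It also keeps a table of permitted outbound connections so that their replies survive the inbound default-deny; without that, the protected computer could not receive the answers to its own requests. The addresses, the single opened port (22) and the denied egress port (6667) are constructed for the example and carry no claim about which ports Trojan horses actually use.

```python
"""Added example (not from the patent): a stateful packet-filter policy that models
the patent's firewall rules: unused inbound ports closed, selected outbound ports
denied, selected remote hosts blocked. All sample flows below are constructed."""
from dataclasses import dataclass
from typing import Literal


@dataclass(frozen=True)
class Flow:
    direction: Literal["in", "out"]  # "in": arriving from the Internet; "out": leaving the host
    proto: str                        # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


class VmFirewall:
    def __init__(self, open_inbound_ports, denied_outbound_ports, blocked_hosts):
        # (proto, port) pairs deliberately left reachable; every other inbound port is "closed".
        self.open_inbound = set(open_inbound_ports)
        # Destination ports the host may not connect to (the patent's Trojan-blocking rule).
        self.denied_outbound = set(denied_outbound_ports)
        # Remote addresses refused in both directions (the "forbid particular websites" rule).
        self.blocked_hosts = set(blocked_hosts)
        # Connection table of permitted outbound flows, so their replies pass the inbound default-deny.
        self._established = set()

    def decide(self, f: Flow) -> str:
        if f.remote_ip in self.blocked_hosts:
            return "drop:blocked-host"
        key = (f.proto, f.remote_ip, f.remote_port, f.local_port)
        if f.direction == "out":
            if f.remote_port in self.denied_outbound:
                return "drop:denied-egress-port"
            self._established.add(key)
            return "accept"
        if key in self._established:          # reply to a connection this host opened
            return "accept:established"
        if (f.proto, f.local_port) in self.open_inbound:
            return "accept:open-port"
        return "drop:closed-port"             # everything else inbound: the port is "closed"


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("out", "tcp", "198.51.100.20", 443, 50000),   # host opens HTTPS to a permitted site
    Flow("in",  "tcp", "198.51.100.20", 443, 50000),   # the reply to that connection
    Flow("in",  "tcp", "198.51.100.77", 40000, 3389),  # unsolicited probe of a port that is not open
    Flow("out", "tcp", "198.51.100.40", 6667, 50001),  # egress on a port the operator denies
    Flow("in",  "tcp", "203.0.113.10", 443, 50002),    # anything at all from a blocked host
    Flow("in",  "tcp", "198.51.100.90", 40001, 22),    # inbound to the one port left open
]


def run_demo() -> list:
    """Evaluate the sample flows in order (order matters: the reply follows its request)."""
    fw = VmFirewall(open_inbound_ports={("tcp", 22)},
                    denied_outbound_ports={6667},
                    blocked_hosts={"203.0.113.10"})
    return [fw.decide(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{flow.direction:3} {flow.proto} {flow.remote_ip}:{flow.remote_port} <-> :{flow.local_port}  {verdict}")
```

The same policy maps onto a host firewall as a default-drop input chain with an "established" exception and an explicit accept for the opened port, plus drop rules on the output chain for the denied ports and blocked addresses; the connection table here plays the role that the kernel's connection tracking plays there.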
The isolation method using virtual machines under a network environment follows three principles: ensure execution efficiency as far as possible, that is, minimize the impact of the isolation operations on the system's execution efficiency; make use of the characteristics of the existing system as far as possible; and take into account the deployment complexity of real network environment applications, choosing the simplest approach possible. The virtual isolation system uses a key management server that is responsible for the key corresponding to each virtual machine UUID. When a virtual machine starts, the key negotiation management service establishes a secure session by means of the Diffie-Hellman algorithm; after the session is established it requests from the key management server the key corresponding to that virtual machine, and once obtained the key is passed to the block device and desktop protocol communication encryption modules. Both of these encryption modules use a transparent encryption mode, so the virtual machine above them cannot perceive the existence of the encryption module. The memory isolation module resides in the hypervisor, where it extends the ACM module to track virtual machine memory and to generate ACM rules automatically, realizing security control of the desktop by a pre-fetching mode.
With reference to Figure 2, the whole system can be divided into two subsystems: a key management subsystem and an isolation subsystem. The key management subsystem includes a key negotiation module and a key management module; the key negotiation module is responsible for requesting keys from the key management server, and the key management module is located on the key management server and is responsible for distributing keys. The isolation subsystem mainly consists of a block device isolation module, a memory isolation module and a desktop protocol isolation module. The block device isolation module performs selective transparent encryption of block device requests; the memory isolation module controls desktop security checking by extending the ACM framework; and the desktop protocol isolation module makes the desktop protocol more secure by encrypting its input and output.
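The key-management flow described above (a per-UUID key held by the key management server, a Diffie-Hellman session set up by the key negotiation module when the VM starts, and the key then handed to the block device and desktop protocol encryption modules) is shown below as an added Python example using only the standard library; it is not code from the patent or its author. The patent does not say how the VM knows it is talking to the real key management server, so the example adds a per-VM enrollment secret (an assumption) with which the server authenticates its Diffie-Hellman share, and both sides reject out-of-range or small-subgroup shares. The group is the 2048-bit MODP group of RFC 3526; the message layout and the UUID-bound key derivation are also this example's choices.

```python
"""Added example (not from the patent): the start-up key exchange between the key negotiation
module (beside the VM) and the key management server (one key per VM UUID), as Diffie-Hellman
over RFC 3526 group 14. The per-VM enrollment secret and message layout are this example's assumptions."""
import hashlib, hmac, secrets, uuid

# 2048-bit MODP prime of RFC 3526 (group 14), generator 2. P = 2Q + 1 with Q prime, so
# pow(share, Q, P) == 1 confirms a received share lies in the prime-order subgroup.
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G, Q = 2, (P - 1) // 2
if pow(2, P - 1, P) != 1 or pow(3, Q - 1, Q) != 1:  # Fermat checks: catch a mistyped constant
    raise ValueError("DH group constant failed primality check")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def validate_share(share: int) -> None:
    """Reject out-of-range and small-subgroup shares; both sides must do this before use."""
    if not 1 < share < P - 1 or pow(share, Q, P) != 1:
        raise ValueError("invalid Diffie-Hellman share")

def session_keys(shared: int, vm_uuid: str) -> tuple:
    """Derive a 32-byte wrap key and a 32-byte MAC key from the DH secret, bound to the VM's UUID."""
    okm = hkdf_sha256(shared.to_bytes(256, "big"), b"vm-key-session", vm_uuid.encode(), 64)
    return okm[:32], okm[32:]

def transcript(vm_uuid: str, client_share: int, server_share: int) -> bytes:
    return vm_uuid.encode() + client_share.to_bytes(256, "big") + server_share.to_bytes(256, "big")

class KeyManagementServer:
    """Key management module: one key per VM UUID; answers the VM's start-up request."""
    def __init__(self):
        self.vm_keys, self.enrollment_secrets = {}, {}

    def provision(self, vm_uuid: str) -> bytes:
        """Create the VM's key; return the enrollment secret the VM uses to authenticate this server."""
        self.vm_keys[vm_uuid] = secrets.token_bytes(32)
        self.enrollment_secrets[vm_uuid] = secrets.token_bytes(32)
        return self.enrollment_secrets[vm_uuid]

    def handle_request(self, vm_uuid: str, client_share: int) -> dict:
        validate_share(client_share)
        y = secrets.randbits(256) | (1 << 255)
        server_share = pow(G, y, P)
        wrap_key, mac_key = session_keys(pow(client_share, y, P), vm_uuid)
        # XOR with a fresh single-use key is a one-time pad for this one message; production code would use an AEAD.
        wrapped = bytes(a ^ b for a, b in zip(self.vm_keys[vm_uuid], wrap_key))
        return {"server_share": server_share, "wrapped_key": wrapped, "key_tag": mac(mac_key, wrapped),
                "share_tag": mac(self.enrollment_secrets[vm_uuid], transcript(vm_uuid, client_share, server_share))}

class KeyNegotiationModule:
    """Key negotiation module beside the VM: fetches the VM's key when the VM starts."""
    def __init__(self, vm_uuid: str, enrollment_secret: bytes):
        self.vm_uuid, self.enrollment_secret = vm_uuid, enrollment_secret

    def fetch_vm_key(self, server: KeyManagementServer, tamper=None) -> bytes:
        x = secrets.randbits(256) | (1 << 255)
        client_share = pow(G, x, P)
        reply = server.handle_request(self.vm_uuid, client_share)
        if tamper:  # lets the demo play an on-path attacker that edits the reply in transit
            reply = tamper(reply)
        validate_share(reply["server_share"])
        expected = mac(self.enrollment_secret, transcript(self.vm_uuid, client_share, reply["server_share"]))
        if not hmac.compare_digest(expected, reply["share_tag"]):
            raise ValueError("server share not authenticated: possible man-in-the-middle")
        wrap_key, mac_key = session_keys(pow(reply["server_share"], x, P), self.vm_uuid)
        if not hmac.compare_digest(mac(mac_key, reply["wrapped_key"]), reply["key_tag"]):
            raise ValueError("wrapped key failed integrity check")
        # This key would now be handed to the block device and desktop protocol encryption modules.
        return bytes(a ^ b for a, b in zip(reply["wrapped_key"], wrap_key))

def run_exchange(tamper=None) -> tuple:
    """Provision one VM and run its start-up exchange. Returns (key held by the server,
    key the VM obtained, or the error message if the VM rejected the reply)."""
    vm_uuid = str(uuid.uuid4())
    server = KeyManagementServer()
    client = KeyNegotiationModule(vm_uuid, server.provision(vm_uuid))
    try:
        return server.vm_keys[vm_uuid], client.fetch_vm_key(server, tamper)
    except ValueError as exc:
        return server.vm_keys[vm_uuid], str(exc)

if __name__ == "__main__":
    held, got = run_exchange()
    print("VM obtained its key:", held == got)
    print("attacker swaps the server share:", run_exchange(lambda r: {**r, "server_share": pow(G, 3, P)})[1])
```

Without the enrollment secret (or some equivalent, such as a server signing key provisioned with the VM image) the Diffie-Hellman session described in the patent is anonymous, and an attacker positioned between the VM host and the key management server could complete a session with each side and read the VM key as it passes; the `tamper` hook shows that the authenticated share is rejected at the first check rather than silently yielding a key shared with the attacker.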
Although the present invention has been described with reference to specific illustrative embodiments, it is not limited by these embodiments but only by the appended claims. Those skilled in the art will appreciate that the embodiments of the invention can be changed and modified without departing from the scope and spirit of the present invention.

Claims (6)

1. A virtual machine security isolation system under a network environment, characterized in that it includes:
(1) before the real computer connects to the Internet, it passes through a virtual machine and a firewall, so that the network traffic flowing through it is scanned;
(2) the firewall is connected to the virtual machine, and the virtual machine is connected to the real computer through a data copying system;
(3) an unprotected ("bare") decoy computer is installed on the virtual machine, and the virtual machine security isolation scheme is configured on the decoy so that an intruder has difficulty identifying the real information.
2. The virtual machine security isolation system under a network environment according to claim 1, characterized in that the firewall is a network firewall that scans the network traffic passing through it, closes unused ports, forbids outgoing communication on particular ports so as to block Trojan horses, or forbids access from particular websites, thereby preventing all communication from unknown intruders.
3. A virtual machine security isolation system for the system according to any one of claims 1 to 2, characterized in that it includes two subsystems, namely a key management subsystem and an isolation subsystem.
4. The virtual machine security isolation system according to claim 3, characterized in that the key management subsystem includes a key negotiation module and a key management module; the key negotiation module is responsible for requesting keys from the key management server, and the key management module is located on the key management server and is responsible for distributing keys.
5. The virtual machine security isolation system according to claim 3, characterized in that the isolation subsystem mainly consists of a block device isolation module, a memory isolation module and a desktop protocol isolation module; the block device isolation module performs selective transparent encryption of block device requests, the memory isolation module controls desktop security checking by extending the ACM framework, and the desktop protocol isolation module makes the desktop protocol more secure by encrypting its input and output.
6. The virtual machine security isolation system according to claim 5, characterized in that the block devices include hard disks, CD-ROMs and floppy disks.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610479366.0A CN105871939A (en) 2016-06-26 2016-06-26 Virtual machine safety isolation system under network environment
PCT/CN2016/095103 WO2018000537A1 (en) 2016-06-26 2016-08-14 Virtual machine safety isolation system under network environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610479366.0A CN105871939A (en) 2016-06-26 2016-06-26 Virtual machine safety isolation system under network environment

Publications (1)

Publication Number Publication Date
CN105871939A true CN105871939A (en) 2016-08-17

Family

ID=56655579

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610479366.0A Pending CN105871939A (en) 2016-06-26 2016-06-26 Virtual machine safety isolation system under network environment

Country Status (2)

Country Link
CN (1) CN105871939A (en)
WO (1) WO2018000537A1 (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101409714A (en) * 2008-11-18 2009-04-15 华南理工大学 Firewall system based on virtual machine
CN101645873A (en) * 2008-08-07 2010-02-10 联想(北京)有限公司 Method for realizing network isolation in environments of computer and virtual machine
CN101668022A (en) * 2009-09-14 2010-03-10 陈博东 Virtual network isolation system established on virtual machine and implementation method thereof
CN101673215A (en) * 2008-09-09 2010-03-17 联想(北京)有限公司 Computer and user management method in virtual environment
CN201499183U (en) * 2009-09-14 2010-06-02 陈博东 Virtual network separation system
CN102523215A (en) * 2011-12-15 2012-06-27 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform
CN103414558A (en) * 2013-07-17 2013-11-27 电子科技大学 XEN cloud platform-based virtual machine block device isolation method
CN204334621U (en) * 2014-11-25 2015-05-13 甘肃省科学技术情报研究所 A kind of network security management device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9767274B2 (en) * 2011-11-22 2017-09-19 Bromium, Inc. Approaches for efficient physical to virtual disk conversion
CN102567217B (en) * 2012-01-04 2014-12-24 北京航空航天大学 MIPS platform-oriented memory virtualization method
CN104125192A (en) * 2013-04-23 2014-10-29 鸿富锦精密工业(深圳)有限公司 Virtual-machine safety protection system and method
CN103577771B (en) * 2013-11-08 2016-09-07 中科信息安全共性技术国家工程研究中心有限公司 A kind of virtual desktop anti-data-leakage guard method based on disk encryption

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邵长庚: "Research and Implementation of Virtual Machine Security Isolation Technology in a Xen Cloud Environment" (Xen云环境虚拟机安全隔离技术研究与实现), China Masters' Theses Full-text Database (中国优秀硕士学位论文全文数据库) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110352587A (en) * 2017-03-07 2019-10-18 Abb瑞士股份有限公司 Automated communications network system reinforcement
CN110352587B (en) * 2017-03-07 2022-09-16 Abb瑞士股份有限公司 Automatic communication network system consolidation

Also Published As

Publication number Publication date
WO2018000537A1 (en) 2018-01-04

Similar Documents

Publication Publication Date Title
US9680849B2 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
CN104065651B (en) A kind of information flow credible security method towards cloud computing
US20160099960A1 (en) System and method for scanning hosts using an autonomous, self-destructing payload
US10095865B2 (en) Detecting unauthorized remote administration using dependency rules
RU2584506C1 (en) System and method of protecting operations with electronic money
Laureano et al. Protecting host-based intrusion detectors through virtual machines
US20110296164A1 (en) System and method for providing secure network services
Maghrabi The threats of data security over the Cloud as perceived by experts and university students
Ibrahim A Review on the Mechanism Mitigating and Eliminating Internet Crimes using Modern Technologies: Mitigating Internet crimes using modern technologies
Goel et al. Measures for Improving IoT Security
Khandelwal et al. An insight into the security issues and their solutions for android phones
Uyyala Multilevel Authentication System Using Hierarchical Intrusion Detection Architecture For Online Banking
Jawad et al. Intelligent Cybersecurity Threat Management in Modern Information Technologies Systems
CN105871939A (en) Virtual machine safety isolation system under network environment
Qurashi Securing Hypervisors in Cloud Computing Environments against Malware Injection
Gligor Security limitations of virtualization and how to overcome them
Jiang Computer security vulnerabilities and preventive measures
Muhseen et al. A review in security issues and challenges on mobile cloud computing (MCC)
Yadlapati et al. Security Management Approaches Over the Cloud
Rahaman et al. Keylogger Threat to the Android Mobile Banking Applications
Singh et al. Managing Cyber Security
Singh et al. A hybrid model for cyberspace security
Pandey Security attacks in cloud computing
Ramakic et al. Data protection in microcomputer systems and networks
Song et al. Android Data-Clone Attack via Operating System Customization

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2016-08-17