CN106685900A - Loophole prevention method and apparatus - Google Patents
Loophole prevention method and apparatus
- Publication number: CN106685900A (application CN201510760077.3A)
- Authority: CN (China)
- Prior art keywords: virtual machine, feature database, target, vulnerability, address
- Legal status: Granted (the status is an assumption made by Google Patents and is not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a vulnerability protection method and apparatus in the technical field of virtualization. The method comprises: obtaining the destination IP address of network traffic; obtaining, according to the destination IP address, the vulnerability protection feature (signature) database corresponding to the target virtual machine, that database being directed at the application information on the target virtual machine; and inspecting the network traffic according to the target virtual machine's signature database. Because the traffic is inspected with a signature database specific to the target virtual machine, which contains fewer signatures and only signatures directed at the applications present on that virtual machine, detection efficiency is increased while security is maintained.
Description
Technical field
The present invention relates to the technical field of virtualization, and in particular to a vulnerability protection method and apparatus.
Background technology
A vulnerability is a defect in the implementation of hardware, software or a protocol, or in a system's security policy, through which an attacker can access or damage the system without authorization. Vulnerabilities may originate from mistakes made when designing or coding application software or an operating system, or from design flaws and unreasonable logic introduced while a business application evolves over successive iterations. By scope of action, vulnerabilities divide into remote and local ones. A remote vulnerability is one an attacker can exploit directly over the network; a local vulnerability can only be exploited once the attacker already holds access rights on the machine itself.
Remote vulnerabilities are usually attacked over the network by sending specific attack instructions or illegal commands that trigger the vulnerability. To protect systems and application software from vulnerability attacks, the usual approaches are patching and protection software.
After a vulnerability is discovered, the small program released to fix it is called a patch. Once patched, a system or application is generally no longer affected by attacks on that vulnerability.
Protection software refers to preventing remote vulnerability attacks with IPS (Intrusion Prevention System) / IDS (Intrusion Detection System) software, IPS/IDS hardware appliances, or other security products. Such software or devices carry their own vulnerability protection signature database containing a variety of attack signatures; by comparing the content of network traffic against the signatures in the database, they can identify whether a vulnerability attack is present and block it. Traditional vulnerability protection software is usually deployed on the server's native operating system, while hardware vulnerability protection devices are generally attached at the data center's egress to inspect the north-south traffic entering and leaving the data center.
Along with data center virtualization and the rapid development of cloud computing, the wide adoption of virtualization technology has brought new security problems, such as the security of east-west traffic exchanged between virtual machines and the control and monitoring of virtual machine traffic. Traditional security appliances have difficulty inspecting east-west traffic between virtual machines, while installing vulnerability protection software on every virtual machine consumes a great deal of resources and raises costs. Security vendors have therefore begun to cooperate with virtualization vendors and release security products for virtualized environments.
In the existing virtual machine vulnerability protection technology shown in Fig. 1, the protection product is deployed as a virtual machine (hereinafter the security virtual machine) on the physical server that hosts the virtual machines. By calling the virtualization software's API (Application Programming Interface), the network traffic of all virtual machines on the server is steered to the security virtual machine for vulnerability protection inspection; after inspection, normal traffic is forwarded to the target virtual machine and attack traffic is intercepted. This technique can prevent other virtual machines or hosts from attacking a virtual machine over the network through software vulnerabilities, but during inspection all network traffic must be checked by traversing the complete vulnerability protection signature database, so in a high-density virtual machine environment resource consumption is large and efficiency is low.
Summary of the invention
An object of the present invention is to provide a scheme that improves the efficiency of virtual machine vulnerability protection.
According to one aspect of the present invention, a vulnerability protection method is proposed, comprising: obtaining the destination IP address of network traffic; obtaining, according to the destination IP address, the vulnerability protection signature database corresponding to the target virtual machine, which is a signature database directed at the application information on the target virtual machine; and inspecting the network traffic according to the target virtual machine's signature database.
Optionally, obtaining the target virtual machine's signature database according to the destination IP address comprises: obtaining the target virtual machine identifier (UUID) from the destination IP address, and obtaining the target virtual machine's vulnerability protection signature database from that UUID.
Optionally, the method further comprises: collecting the identification information and application information of the virtual machines, where the identification information includes the virtual machine's IP address information and the application information includes the virtual machine's operating system information and/or application software information; and determining each virtual machine's vulnerability protection signature database according to its application information.
Optionally, the method further comprises: pruning the vulnerability protection signature database set according to the virtual machine's signature database determined from the application information, generating a signature database subset corresponding to the virtual machine; and generating the correspondence between the signature database subset and the virtual machine's IP address. Obtaining the target virtual machine's signature database according to the destination IP address then consists of obtaining the target virtual machine's signature database subset according to the destination IP address.
Optionally, the identification information also includes the virtual machine's UUID information, and the method further comprises: pruning the complete signature database set according to the virtual machine's signature database determined from the application information, generating the virtual machine's signature database subset; generating the correspondence between the signature database subset and the virtual machine UUID; and generating the correspondence between the virtual machine UUID and the virtual machine's IP address. Obtaining the target virtual machine's signature database according to the destination IP address then consists of obtaining the target virtual machine's UUID from the destination IP address and determining the target virtual machine's signature database subset from that UUID.
Optionally, if the target virtual machine's vulnerability protection signature database cannot be obtained from the destination IP address, the network traffic is inspected with the complete vulnerability protection signature database.
Optionally, the method further comprises: if inspection finds the network traffic to be attack traffic, intercepting it; otherwise, forwarding it to the target virtual machine.
With such a method, network traffic can be inspected with a vulnerability protection signature database tailored to the target virtual machine. That database holds fewer signatures, and they are directed at the application information on the target virtual machine, so detection efficiency improves while security is maintained.
According to another aspect of the present invention, a vulnerability protection apparatus is proposed, comprising: an address acquisition module for obtaining the destination IP address of network traffic; a feature database acquisition module for obtaining, according to the destination IP address, the vulnerability protection signature database corresponding to the target virtual machine, which is a signature database directed at the application information on the target virtual machine; and a traffic detection module for inspecting the network traffic according to the target virtual machine's signature database.
Optionally, the feature database acquisition module is further used to obtain the target virtual machine identifier (UUID) from the destination IP address, and to obtain the target virtual machine's vulnerability protection signature database from that UUID.
Optionally, the apparatus further comprises: an information collection module for collecting the identification information and application information of the virtual machines, where the identification information includes the virtual machine's IP address information and the application information includes the virtual machine's operating system information and/or application software information; and a feature database determination module for determining the virtual machine's vulnerability protection signature database according to the application information.
Optionally, the apparatus further comprises: a feature database pruning module for pruning the vulnerability protection signature database set according to the virtual machine's signature database determined from the application information, generating the virtual machine's signature database subset; and a correspondence generation module for generating the correspondence between the signature database subset and the virtual machine's IP address. The feature database acquisition module is further used to obtain the target virtual machine's signature database subset according to the destination IP address.
Optionally, the identification information also includes the virtual machine's UUID information, and the apparatus further comprises: a feature database pruning module for pruning the complete signature database set according to the virtual machine's signature database determined from the application information, generating the virtual machine's signature database subset; and a correspondence generation module for generating the correspondence between the signature database subset and the virtual machine UUID, and the correspondence between the virtual machine UUID and the virtual machine's IP address. The feature database acquisition module is further used to obtain the target virtual machine's UUID from the destination IP address and to determine the target virtual machine's signature database subset from that UUID.
Optionally, if the target virtual machine's vulnerability protection signature database cannot be obtained from the destination IP address, the network traffic is inspected with the complete vulnerability protection signature database.
Optionally, the apparatus further comprises a traffic processing module for intercepting the network traffic when inspection finds it to be attack traffic, and forwarding it to the target virtual machine when it is not.
Such an apparatus can inspect network traffic with a vulnerability protection signature database tailored to the target virtual machine; the database holds fewer signatures, directed at the application information on the target virtual machine, so detection efficiency improves while security is maintained.
Description of the drawings
The accompanying drawings described here provide a further understanding of the present invention and form part of this application; the schematic embodiments of the present invention and their description serve to explain the invention and do not constitute an undue limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the existing virtual machine vulnerability protection technology.
Fig. 2 is a flow chart of one embodiment of the vulnerability protection method of the present invention.
Fig. 3 is a flow chart of another embodiment of the vulnerability protection method of the present invention.
Fig. 4 is a flow chart of a further embodiment of the vulnerability protection method of the present invention.
Fig. 5 is a schematic diagram of a further embodiment of the vulnerability protection method of the present invention.
Fig. 6 is a schematic diagram of yet another embodiment of the vulnerability protection method of the present invention.
Fig. 7 is a schematic diagram of one embodiment of the vulnerability protection apparatus of the present invention.
Fig. 8 is a schematic diagram of another embodiment of the vulnerability protection apparatus of the present invention.
Fig. 9 is a schematic diagram of a further embodiment of the vulnerability protection apparatus of the present invention.
Detailed description of the embodiments
The technical scheme of the present invention is described in further detail below with reference to the drawings and embodiments.
A flow chart of one embodiment of the vulnerability protection method of the present invention is shown in Fig. 2.
In step 201, the security virtual machine obtains the destination IP address of the network traffic, which can be obtained by parsing the traffic.
In step 202, the security virtual machine determines the target virtual machine from the destination IP address of the traffic and determines the vulnerability protection signature database corresponding to that target virtual machine, i.e. the signature database directed at the application information on the target virtual machine. Vulnerability attacks are usually tied to a specific operating system or application; if the operating system version differs or the application is not present, the attack does not take effect. Since the operating system and installed application software of the target virtual machine are limited, a signature database can be obtained for exactly that system and those applications.
In step 203, the network traffic is inspected according to the target virtual machine's vulnerability protection signature database.
With such a method, network traffic can be inspected with a vulnerability protection signature database tailored to the target virtual machine. That database holds fewer signatures, and they are directed at the application information on the target virtual machine, so detection efficiency improves while security is maintained.
In one embodiment, the security virtual machine determines the target virtual machine's identifier (UUID) from the destination IP address of the network traffic, and then determines the target virtual machine's signature database from the UUID. A virtual machine may have several IP addresses, and those addresses may change dynamically, whereas the virtual machine's UUID is unique and relatively stable. Determining the UUID from the IP address and then the signature database from the relatively stable UUID-to-database relationship reduces the burden of updating data.
A flow chart of another embodiment of the vulnerability protection method of the present invention is shown in Fig. 3.
In step 301, the security virtual machine collects the identification information and application information of the virtual machines. The identification information includes the virtual machine's IP address information; the application information includes its operating system information and/or application software information. For virtual machines with a high degree of openness, this information can be obtained through the API; for virtual machines with a low degree of openness, it can be obtained through the tools of the virtualization platform, such as VMware Tools on a VMware platform or Guest Additions on a VirtualBox platform.
In step 302, the security virtual machine determines the corresponding vulnerability protection signature database from the virtual machine's application information; this is the virtual machine's signature database. An association can be established between the virtual machine's IP address and its signature database; in one embodiment this is an association table of virtual machine IP addresses and signature database identifiers.
In step 303, when network traffic arrives, the security virtual machine obtains its destination IP address.
In step 304, the security virtual machine determines the target virtual machine's signature database from the destination IP address of the traffic, in one embodiment by querying the association table of virtual machine IP addresses and signature database identifiers.
In step 305, the network traffic is inspected with the corresponding vulnerability protection signature database.
With such a method, the identification and application information of the virtual machines is collected, each virtual machine's signature database is obtained from its application information, and a correspondence is established between the virtual machine's signature database and its IP address, so that the security virtual machine can conveniently obtain the right signature database from the destination IP address of the traffic, further improving the efficiency of vulnerability protection.
In one embodiment, after the security virtual machine determines the corresponding signature database from the virtual machine's application information, associations can be established between the virtual machine's IP address and its UUID, and between the UUID and the corresponding signature database. In one embodiment two association tables are set up, one of virtual machine IP addresses and UUIDs and one of virtual machine UUIDs and signature databases, in the following form:
| Virtual machine UUID | IP address |
| UUID of virtual machine 1 | IP address |
| UUID of virtual machine 2 | IP address 1 |
| UUID of virtual machine 2 | IP address 2 |
Table 1: association table of virtual machine UUIDs and IP addresses
| Virtual machine UUID | Signature database subset |
| UUID of virtual machine 1 | Signature database subset 1 |
| UUID of virtual machine 2 | Signature database subset 2 |
| UUID of virtual machine 3 | Signature database subset 3 |
Table 2: correspondence table of virtual machine UUIDs and signature database sets
When network traffic arrives, the target virtual machine's UUID is first obtained from the destination IP address and the corresponding signature database is then obtained, both by table lookup. Because a virtual machine may have several IP addresses that may change dynamically, while its UUID is unique and relatively stable, the UUID is determined from the IP address and the signature database from the stable UUID-to-database relationship; when a virtual machine's IP address changes, only the UUID-to-IP correspondence needs updating, which reduces the data update burden.
In one embodiment, the complete vulnerability protection signature database can be pruned according to the virtual machine's application information to determine the signature database subset corresponding to that application information. Because the pruned database contains fewer signatures, inspecting network traffic takes less time, improving detection efficiency.
A flow chart of a further embodiment of the vulnerability protection method of the present invention is shown in Fig. 4.
In step 401, the security virtual machine parses the network traffic and obtains its destination IP address.
In step 402, the security virtual machine looks up the virtual machine UUID corresponding to the destination IP address, which can be done by querying the UUID-to-IP association table.
In step 403, it is judged whether a corresponding UUID was found. If so, step 404 is executed; otherwise, step 407.
In step 404, the security virtual machine looks up the corresponding signature database subset from the UUID, which can be done by querying the stored UUID-to-subset association table.
In step 405, it is judged whether a corresponding signature database subset was found. If so, step 406 is executed; otherwise, step 407.
In step 406, the network traffic is inspected with the signature database subset that was found.
In step 407, the network traffic is inspected with the complete vulnerability protection signature database.
In step 408, it is judged whether the network traffic is attack traffic. If so, step 409 is executed; otherwise, step 410.
In step 409, the network traffic is intercepted.
In step 410, the network traffic is forwarded to the target virtual machine.
With such a method, when no signature database corresponding to the destination IP address can be found, the traffic is still inspected with the complete signature database, strengthening the protection of the virtual machines.
In one embodiment, shown in Fig. 5:
In 501, the virtual machine provides identification information and application information to the information collection module.
In 502, the security virtual machine obtains the identification information and application information of the virtual machine through the information collection module.
In 503, the processing module of the security virtual machine prunes the complete signature database, extracting the signatures relevant to the virtual machine and generating the corresponding pruned signature database subset.
In 504, network traffic reaches the security virtual machine via the virtual switch.
In 505, the security virtual machine looks up the target virtual machine of the traffic and inspects the traffic with the corresponding pruned signature database subset.
With such a method, at installation and deployment the security virtual machine calls the virtualization software's API interface so that all network traffic is afterwards steered to it for security inspection; traffic reaches its target virtual machine only after inspection and screening by the security virtual machine, ensuring the safety of the virtual machines. Generating and using targeted signature database sets with fewer signatures for traffic monitoring effectively improves inspection efficiency and reduces the delay before a virtual machine receives its network traffic.
In one embodiment, shown in Fig. 6 and taking a VMware virtualized environment as an example, the vulnerability protection product is deployed in a VMware resource pool and, by calling the VMware API, all virtual machine network traffic is set to be directed to the security virtual machine for inspection before being forwarded. Suppose the server hosts two virtual machines: an Apache application is installed on virtual machine 1 and an Oracle database application on virtual machine 2. The collection module first calls the virtualization software interface to obtain all information about the virtual machines and sends it to the processing module on the security virtual machine in the form [(UUID1, 1.1.1.1, Apache), (UUID2, 2.2.2.2, Oracle DB)]. On receiving it, the processing module builds the "virtual machine UUID to IP correspondence table" and the "virtual machine UUID to signature database subset correspondence table" with the contents shown in the figure. It then builds two signature database subsets, set a and set b, according to those tables: signatures related to attacks on Apache vulnerabilities are placed in set a and signatures related to attacks on Oracle database vulnerabilities in set b, completing the pruning. When network traffic flows toward virtual machine 1, it first reaches the processing module on the security virtual machine, which finds UUID1 from the destination IP address 1.1.1.1, then finds the corresponding signature set a, inspects the traffic with set a, and after inspection forwards the normal traffic to virtual machine 1.
In this way, virtual machine information is obtained through the virtualization software interface and fed back to the security virtual machine; the signature database is pruned according to the virtual machine UUID and the collected information to build each virtual machine's signature database subset; and a subset is selected for inspection according to the three-way correspondence of virtual machine UUID, traffic IP address and signature database subset. This effectively raises virtual machine vulnerability protection performance and reduces resource consumption. It is suitable for security protection inside cloud resource pools running different business applications, can quickly realize vulnerability protection for large numbers of virtual machines, and at the same time offers tenants in a public cloud a high-performance, low-resource vulnerability protection service suited to high-density virtual machine scenarios in virtualized environments.
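The Fig. 4 flow (steps 401 to 410) and the Fig. 6 deployment above, carried through as an added example that is not part of the patent: a security VM that maps destination IP to VM UUID to a pruned signature subset, falls back to the complete database when either lookup fails, and touches only the IP table when a VM is re-addressed. All UUIDs, addresses, signature patterns and packets are constructed; the patent specifies no data formats, so the IPv4 header parsing and substring-style signatures are assumptions.

```python
"""Per-VM vulnerability-signature selection with full-database fallback.
Added example (not from the patent). UUIDs, IP addresses, signature patterns
and packets are constructed; IPv4 parsing and substring signatures are assumed.
"""
from dataclasses import dataclass
import ipaddress
import struct


@dataclass(frozen=True)
class Signature:
    sid: str        # signature identifier (constructed)
    app: str        # application the vulnerability belongs to
    pattern: bytes  # byte pattern matched against the payload (constructed)


@dataclass
class Verdict:
    action: str    # "block" (step 409) or "forward" (step 410)
    dst_ip: str    # destination address that drove the lookup
    db_used: str   # VM UUID whose subset was used, or "full" for the fallback
    hits: list     # signature ids that matched
    compared: int  # how many signatures were compared (the efficiency gain)


# Constructed complete signature database held by the security VM.
FULL_DB = (
    Signature("SIG-APACHE-1", "Apache", b"APACHE-TEST-SIG-1"),
    Signature("SIG-APACHE-2", "Apache", b"APACHE-TEST-SIG-2"),
    Signature("SIG-ORACLE-1", "Oracle DB", b"ORACLE-TEST-SIG-1"),
    Signature("SIG-IIS-1", "IIS", b"IIS-TEST-SIG-1"),
)


def parse_ipv4(packet: bytes):
    """Step 401: destination address and payload from an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    dst = ipaddress.IPv4Address(packet[16:20])
    return dst, packet[ihl:]


def build_ipv4(dst: str, payload: bytes) -> bytes:
    """Constructed traffic: 20-byte header, no options, checksum left zero."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
        ipaddress.IPv4Address("10.0.0.9").packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


class SecurityVM:
    def __init__(self, full_db):
        self.full_db = tuple(full_db)
        self.ip_to_uuid = {}      # Table 1: VM IP address -> VM UUID
        self.uuid_to_subset = {}  # Table 2: VM UUID -> pruned signature subset

    def register_vm(self, uuid: str, ip: str, apps: set):
        """Steps 501-503: record (UUID, IP, apps) and prune the full DB for this VM."""
        self.ip_to_uuid[ipaddress.ip_address(ip)] = uuid
        self.uuid_to_subset[uuid] = tuple(s for s in self.full_db if s.app in apps)

    def update_ip(self, uuid: str, old_ip: str, new_ip: str):
        """An address change touches Table 1 only; the UUID -> subset table stays."""
        del self.ip_to_uuid[ipaddress.ip_address(old_ip)]
        self.ip_to_uuid[ipaddress.ip_address(new_ip)] = uuid

    def select_db(self, dst_ip):
        """Steps 402-405 with the step 407 fallback to the complete database."""
        uuid = self.ip_to_uuid.get(dst_ip)
        if uuid is None:
            return self.full_db, "full"  # step 403: no UUID for this IP
        subset = self.uuid_to_subset.get(uuid)
        if subset is None:
            return self.full_db, "full"  # step 405: UUID known, no subset yet
        return subset, uuid

    def inspect(self, packet: bytes) -> Verdict:
        """Steps 406-410: match against the chosen database, then block or forward."""
        dst_ip, payload = parse_ipv4(packet)
        db, db_used = self.select_db(dst_ip)
        hits = [s.sid for s in db if s.pattern in payload]
        return Verdict("block" if hits else "forward", str(dst_ip), db_used, hits, len(db))


def demo() -> list:
    """Fig. 6 deployment: Apache on 1.1.1.1 (UUID1), Oracle DB on 2.2.2.2 (UUID2)."""
    svm = SecurityVM(FULL_DB)
    svm.register_vm("UUID1", "1.1.1.1", {"Apache"})
    svm.register_vm("UUID2", "2.2.2.2", {"Oracle DB"})
    results = [
        svm.inspect(build_ipv4("1.1.1.1", b"GET / APACHE-TEST-SIG-1")),  # set a hit -> block
        svm.inspect(build_ipv4("2.2.2.2", b"SELECT 1")),                  # clean -> forward
        svm.inspect(build_ipv4("3.3.3.3", b"IIS-TEST-SIG-1")),            # unknown VM -> full DB
    ]
    # Caveat: a subset covers only the registered applications, so an Oracle
    # pattern aimed at the Apache VM is compared against set a alone.
    results.append(svm.inspect(build_ipv4("1.1.1.1", b"ORACLE-TEST-SIG-1")))
    svm.update_ip("UUID1", "1.1.1.1", "1.1.1.5")  # re-addressing: Table 1 only
    results.append(svm.inspect(build_ipv4("1.1.1.5", b"APACHE-TEST-SIG-2")))
    return results
```

The fourth verdict shows why the inventory feeding Table 2 must be accurate: a signature pruned away for a VM is never compared for that VM's traffic, so the full-database fallback only protects addresses with no table entry at all.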
A schematic diagram of one embodiment of the vulnerability protection apparatus of the present invention is shown in Fig. 7. 701 is the address acquisition module, for obtaining the destination IP address of the network traffic by parsing it. 702 is the feature database acquisition module, for determining the target virtual machine from the destination IP address of the traffic and determining the target virtual machine's vulnerability protection signature database. 703 is the traffic detection module, for inspecting the network traffic according to the target virtual machine's signature database.
Such an apparatus can inspect network traffic with a vulnerability protection signature database tailored to the target virtual machine; the database holds fewer signatures, directed at the application information on the target virtual machine, so detection efficiency improves while security is maintained.
In one embodiment, the feature database acquisition module 702 determines the target virtual machine's identifier (UUID) from the destination IP address of the network traffic and then determines the target virtual machine's signature database from the UUID. Because a virtual machine may have several IP addresses that may change dynamically, while its UUID is unique and relatively stable, the apparatus determines the UUID from the IP address and the signature database from the stable UUID-to-database relationship, reducing the burden of updating data.
Fig. 8 is a schematic diagram of another embodiment of the vulnerability protection device of the present invention. In it, 801, 802 and 803 are respectively the address acquisition module, the feature database acquisition module and the traffic detection module; their structure and function are similar to those in Fig. 7. 804 is an information collection module, configured to collect the identification information and application information of the virtual machines. The identification information of a virtual machine includes its IP address information; the application information of a virtual machine includes its operating system information and/or application software information. For a virtual machine with a high degree of openness, the information collection module can obtain the identification information and application information through an API; for a virtual machine with a low degree of openness, it can obtain them through the tool that belongs to the virtual machine, such as VMware Tools on the VMware virtualization platform or Guest Additions on the VirtualBox virtualization platform. 805 is a feature database determining module, configured to determine the corresponding vulnerability-protection signature database from the application information of the virtual machine, that is, the signature database corresponding to that virtual machine. The feature database determining module 805 can establish an association between the IP address of the virtual machine and the signature database corresponding to the virtual machine, for example an association table that maps the IP address of the virtual machine to the identifier of its signature database.
Such a device collects the identification information and application information of the virtual machines, obtains each virtual machine's signature database from its application information, and establishes the correspondence between that signature database and the virtual machine's IP address, so that the signature database can be looked up conveniently and safely from the destination IP address of the network traffic. This further improves the efficiency of vulnerability protection.
Fig. 9 is a schematic diagram of a further embodiment of the vulnerability protection device of the present invention. In it, 901, 902 and 903 are respectively the address acquisition module, the feature database acquisition module and the traffic detection module; their structure and function are similar to those in Fig. 7. 904 is an information collection module, configured to collect the identification information and application information of the virtual machines. 905 is a feature database determining module, configured to determine the corresponding vulnerability-protection signature database from the application information of a virtual machine, that is, the signature database corresponding to that virtual machine. 906 is a feature database reduction module, configured to reduce the complete vulnerability-protection signature database by extracting the signatures that apply to the virtual machine, generating a signature database subset corresponding to the virtual machine. 907 is a correspondence generation module, configured to establish an association between the IP address of the virtual machine and the reduced signature database corresponding to it, for example an association table that maps the IP address to the signature database subset. Because the reduced signature database contains fewer signatures, the device spends less time detecting network traffic, which improves the efficiency of traffic detection.
In one embodiment, the information collection module 904 may also obtain the UUID of each virtual machine. The collected information may take the form: [(UUID of virtual machine 1, IP address, system information, application software information), (UUID of virtual machine 2, IP address, system information, application software information), ...]. The correspondence generation module 907 may then generate a correspondence between the signature database subset and the virtual machine UUID, and a correspondence between the virtual machine UUID and the IP address of the virtual machine; for example, it may establish two separate association tables, one mapping the IP address of the virtual machine to its UUID and one mapping the UUID to the corresponding signature database subset. A virtual machine may have several IP addresses, and those addresses may change dynamically, whereas the UUID of a virtual machine is unique and relatively stable. The device therefore resolves the IP address to a UUID and then uses the relatively stable relation between UUID and signature database to determine the corresponding subset; when the IP address of a virtual machine changes, only the correspondence between UUID and IP address needs to be updated, which reduces the burden of data updates.
In one embodiment, when the feature database acquisition module cannot obtain a reduced signature database from the destination IP address, the traffic detection module detects the network traffic with the complete vulnerability-protection signature database. In other words, when no signature database is found for the destination IP address, the device falls back to the complete signature database rather than skipping detection, which strengthens the protection of the virtual machine.
In one embodiment, the vulnerability protection device may further include a traffic processing module, connected to the traffic detection module, which processes the network traffic according to the detection result: when the network traffic is determined to be attack traffic, it is intercepted; when the network traffic is safe, it is forwarded to the target virtual machine. The device thereby filters network traffic effectively and protects the virtual machine.
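The pipeline described for Figs. 7 to 9 above (collect the guest inventory, reduce the complete signature database to a per-VM subset, key the subset by UUID, resolve the destination IP address to a UUID with a fallback to the complete database, then intercept or forward) as an added Python example. This is not code from the patent or its applicant: `Registry`, `Signature`, `FULL_DB`, `VmInfo`, the two sample guests and the signature patterns are this example's own assumptions, and the patterns are illustrative, not real IDS rules.

```python
"""Toy model of the per-VM signature lookup described above (added example,
not code from the patent or its applicant). Registry, Signature, FULL_DB,
the sample guests and the signature patterns are this example's own
assumptions; the patterns are illustrative, not real IDS rules."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    applies_to: frozenset   # OS / application tags the signature targets
    pattern: re.Pattern     # bytes regex matched against the payload


def _sig(sig_id, tags, regex):
    return Signature(sig_id, frozenset(tags), re.compile(regex, re.IGNORECASE))


# Constructed "complete vulnerability-protection signature database".
FULL_DB = (
    _sig("APP-APACHE-01", {"apache"}, rb"/cgi-bin/[^ ]*\.\./"),
    _sig("APP-IIS-01", {"iis"}, rb"/scripts/[^ ]*\.\./"),
    _sig("APP-MYSQL-01", {"mysql"}, rb"union\s+select"),
    _sig("OS-LINUX-01", {"linux"}, rb"/etc/passwd"),
    _sig("OS-WINDOWS-01", {"windows"}, rb"\x90{16,}"),
)


@dataclass(frozen=True)
class VmInfo:   # one record as the information collection module reports it
    uuid: str
    ips: frozenset
    os: str
    apps: frozenset


@dataclass(frozen=True)
class Verdict:
    dst_ip: str
    db_used: str    # "subset" (per-VM database) or "full" (fallback)
    hits: tuple     # matched signature ids
    action: str     # "intercept" or "forward"


class Registry:
    """The two association tables of the Fig. 9 embodiment:
    IP -> UUID (volatile) and UUID -> signature subset (stable)."""

    def __init__(self, full_db):
        self.full_db = tuple(full_db)
        self.subset_by_uuid = {}
        self.uuid_by_ip = {}

    def register(self, vm):
        # Reduction: keep only signatures whose tags appear in the guest's
        # OS / application inventory; then map each of its IPs to its UUID.
        tags = {vm.os, *vm.apps}
        self.subset_by_uuid[vm.uuid] = tuple(
            s for s in self.full_db if s.applies_to & tags)
        for ip in vm.ips:
            self.uuid_by_ip[ip] = vm.uuid

    def update_ip(self, uuid, old_ip, new_ip):
        # An address change touches only the IP -> UUID table; the subset
        # keyed by the stable UUID is left alone.
        if self.uuid_by_ip.get(old_ip) != uuid:
            raise KeyError(f"{old_ip} is not mapped to {uuid}")
        del self.uuid_by_ip[old_ip]
        self.uuid_by_ip[new_ip] = uuid

    def database_for(self, dst_ip):
        """Lookup with fallback: an unknown address gets the complete database."""
        uuid = self.uuid_by_ip.get(dst_ip)
        subset = self.subset_by_uuid.get(uuid) if uuid else None
        return (self.full_db, "full") if subset is None else (subset, "subset")

    def inspect(self, dst_ip, payload):
        """Detection plus the traffic-processing decision for one packet."""
        db, db_used = self.database_for(dst_ip)
        hits = tuple(s.sig_id for s in db if s.pattern.search(payload))
        return Verdict(dst_ip, db_used, hits, "intercept" if hits else "forward")


# Constructed inventory of two guests.
VM_LINUX = VmInfo("1f0c7f9e-5d2a-4b8f-9a1c-2e3d4c5b6a70", frozenset({"10.0.0.11"}),
                  "linux", frozenset({"apache", "mysql"}))
VM_WINDOWS = VmInfo("9b8a7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c65",
                    frozenset({"10.0.0.12", "10.0.0.13"}), "windows", frozenset({"iis"}))


def build_registry():
    reg = Registry(FULL_DB)
    reg.register(VM_LINUX)
    reg.register(VM_WINDOWS)
    return reg
```

Calling `build_registry().inspect(dst, b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\n")` for the destinations 10.0.0.11, 10.0.0.12 and 10.0.0.99 gives three different outcomes: the first is intercepted by the Linux guest's three-signature subset, the third (an address with no mapping) is intercepted by the complete database, and the second is forwarded because the Windows/IIS subset carries no Apache or Linux signatures. That last case is the check a practitioner wants before deploying the reduction: a subset is only as safe as the inventory behind it, and a stale IP-to-UUID entry would apply the wrong guest's subset, so the collection path (API, VMware Tools, Guest Additions) and the `update_ip` step are part of the security boundary rather than a pure performance optimisation.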
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments may still be modified, or some of their technical features replaced by equivalents, without departing from the spirit of the technical solution of the present invention, and that all such modifications and replacements fall within the scope of the technical solution claimed by the present invention.
Claims (14)
1. A vulnerability protection method, characterized by comprising:
obtaining the destination IP address of network traffic;
obtaining, according to the destination IP address, the vulnerability-protection signature database corresponding to a target virtual machine, the vulnerability-protection signature database corresponding to the target virtual machine being a vulnerability-protection signature database directed at the application information on the target virtual machine; and
detecting the network traffic according to the vulnerability-protection signature database corresponding to the target virtual machine.
2. The method according to claim 1, characterized in that obtaining the vulnerability-protection signature database corresponding to the target virtual machine according to the destination IP address comprises:
obtaining the identifier UUID of the target virtual machine according to the destination IP address; and
obtaining the vulnerability-protection signature database corresponding to the target virtual machine according to the UUID of the target virtual machine.
3. The method according to claim 1, characterized by further comprising:
collecting identification information and application information of a virtual machine, wherein the identification information includes the IP address information of the virtual machine, and the application information includes the operating system information and/or application software information of the virtual machine; and
determining the vulnerability-protection signature database corresponding to the virtual machine according to the application information.
4. The method according to claim 3, characterized by further comprising:
reducing the vulnerability-protection signature database set according to the vulnerability-protection signature database corresponding to the virtual machine determined based on the application information, to generate a vulnerability-protection signature database subset corresponding to the virtual machine; and
generating a correspondence between the vulnerability-protection signature database subset and the IP address of the virtual machine;
wherein obtaining the vulnerability-protection signature database corresponding to the target virtual machine according to the destination IP address is: obtaining the vulnerability-protection signature database subset corresponding to the target virtual machine according to the destination IP address.
5. The method according to claim 3, characterized in that
the identification information further includes UUID information of the virtual machine; and
the vulnerability protection method further comprises:
reducing the complete vulnerability-protection signature database set according to the vulnerability-protection signature database corresponding to the virtual machine determined based on the application information, to generate the vulnerability-protection signature database subset corresponding to the virtual machine;
generating a correspondence between the vulnerability-protection signature database subset and the virtual machine UUID; and
generating a correspondence between the virtual machine UUID and the IP address of the virtual machine;
wherein obtaining the vulnerability-protection signature database corresponding to the target virtual machine according to the destination IP address is: obtaining the virtual machine UUID of the target virtual machine according to the destination IP address, and determining the vulnerability-protection signature database subset corresponding to the target virtual machine according to the virtual machine UUID.
6. The method according to claim 1, characterized in that, if the vulnerability-protection signature database corresponding to the target virtual machine cannot be obtained according to the destination IP address, the network traffic is detected using the complete vulnerability-protection signature database.
7. The method according to claim 1, characterized by further comprising:
if the detection finds the network traffic to be attack traffic, intercepting the network traffic; otherwise, forwarding the network traffic to the target virtual machine.
8. A vulnerability protection device, characterized by comprising:
an address acquisition module, configured to obtain the destination IP address of network traffic;
a feature database acquisition module, configured to obtain, according to the destination IP address, the vulnerability-protection signature database corresponding to a target virtual machine, the vulnerability-protection signature database corresponding to the target virtual machine being a vulnerability-protection signature database directed at the application information on the target virtual machine; and
a traffic detection module, configured to detect the network traffic according to the vulnerability-protection signature database corresponding to the target virtual machine.
9. The device according to claim 8, characterized in that the feature database acquisition module is further configured to:
obtain the identifier UUID of the target virtual machine according to the destination IP address; and
obtain the vulnerability-protection signature database corresponding to the target virtual machine according to the UUID of the target virtual machine.
10. The device according to claim 8, characterized by further comprising:
an information collection module, configured to collect identification information and application information of a virtual machine, wherein the identification information includes the IP address information of the virtual machine, and the application information includes the operating system information and/or application software information of the virtual machine; and
a feature database determining module, configured to determine the vulnerability-protection signature database corresponding to the virtual machine according to the application information.
11. The device according to claim 10, characterized by further comprising:
a feature database reduction module, configured to reduce the vulnerability-protection signature database set according to the vulnerability-protection signature database corresponding to the virtual machine determined based on the application information, to generate a vulnerability-protection signature database subset corresponding to the virtual machine; and
a correspondence generation module, configured to generate a correspondence between the vulnerability-protection signature database subset and the IP address of the virtual machine;
wherein the feature database acquisition module is further configured to obtain the vulnerability-protection signature database subset corresponding to the target virtual machine according to the destination IP address.
12. The device according to claim 10, characterized in that
the identification information further includes UUID information of the virtual machine; and
the device further comprises:
a feature database reduction module, configured to reduce the complete vulnerability-protection signature database set according to the vulnerability-protection signature database corresponding to the virtual machine determined based on the application information, to generate the vulnerability-protection signature database subset corresponding to the virtual machine; and
a correspondence generation module, configured to generate a correspondence between the vulnerability-protection signature database subset and the virtual machine UUID, and to generate a correspondence between the virtual machine UUID and the IP address of the virtual machine;
wherein the feature database acquisition module is further configured to obtain the virtual machine UUID of the target virtual machine according to the destination IP address, and to determine the vulnerability-protection signature database subset corresponding to the target virtual machine according to the virtual machine UUID.
13. The device according to claim 8, characterized in that, if the vulnerability-protection signature database corresponding to the target virtual machine cannot be obtained according to the destination IP address, the network traffic is detected using the complete vulnerability-protection signature database.
14. The device according to claim 8, characterized by further comprising:
a traffic processing module, configured to intercept the network traffic when the detection determines that the network traffic is attack traffic, and to forward the network traffic to the target virtual machine when the network traffic is not attack traffic.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510760077.3A CN106685900B (en) | 2015-11-10 | 2015-11-10 | Vulnerability protection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106685900A true CN106685900A (en) | 2017-05-17 |
CN106685900B CN106685900B (en) | 2020-04-28 |
Family
ID=58864394
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510760077.3A Active CN106685900B (en) | 2015-11-10 | 2015-11-10 | Vulnerability protection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106685900B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109922021A (en) * | 2017-12-12 | 2019-06-21 | 中国电信股份有限公司 | Security protection system and safety protecting method |
CN111225082A (en) * | 2020-01-14 | 2020-06-02 | 上海顺舟智能科技股份有限公司 | Identity management method and device of Internet of things intelligent equipment and Internet of things platform |
CN111835694A (en) * | 2019-04-23 | 2020-10-27 | 张长河 | Network security vulnerability defense system based on dynamic camouflage |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102346828A (en) * | 2011-09-20 | 2012-02-08 | 海南意源高科技有限公司 | Malicious program judging method based on cloud security |
CN103561035A (en) * | 2013-11-11 | 2014-02-05 | 中国联合网络通信集团有限公司 | Mobile subscriber safety protection method and system |
CN104142848A (en) * | 2013-05-08 | 2014-11-12 | 西安邮电大学 | Virtual machine identifier and use method thereof |
CN104217157A (en) * | 2014-07-31 | 2014-12-17 | 珠海市君天电子科技有限公司 | Anti-vulnerability-exploitation method and system |
CN104363236A (en) * | 2014-11-21 | 2015-02-18 | 西安邮电大学 | Automatic vulnerability validation method |
CN104573508A (en) * | 2013-10-22 | 2015-04-29 | 中国银联股份有限公司 | Method for detecting compliance of payment applications under virtualization environment |
CN104751056A (en) * | 2014-12-19 | 2015-07-01 | 中国航天科工集团第二研究院七〇六所 | Vulnerability verification system and method based on attack library |
US20150264077A1 (en) * | 2014-03-13 | 2015-09-17 | International Business Machines Corporation | Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure |
CN104994094A (en) * | 2015-07-01 | 2015-10-21 | 北京奇虎科技有限公司 | Virtualization platform safety protection method, device and system based on virtual switch |
Also Published As
Publication number | Publication date |
---|---|
CN106685900B (en) | 2020-04-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104023034B (en) | Security defensive system and defensive method based on software-defined network | |
US9166988B1 (en) | System and method for controlling virtual network including security function | |
CN107370756B (en) | Honey net protection method and system | |
US10474813B1 (en) | Code injection technique for remediation at an endpoint of a network | |
US10454950B1 (en) | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks | |
CN104601568B (en) | Virtualization security isolation method and device | |
US9507935B2 (en) | Exploit detection system with threat-aware microvisor | |
US20070266433A1 (en) | System and Method for Securing Information in a Virtual Computing Environment | |
CN104104679B (en) | A kind of data processing method based on private clound | |
CN110572412A (en) | Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof | |
Zhou et al. | Applying NFV/SDN in mitigating DDoS attacks | |
CN104270467A (en) | Virtual machine managing and controlling method for mixed cloud | |
CN109347847A (en) | A kind of smart city security assurance information system | |
CN104951354A (en) | Virtual machine dispatch algorithm security verification method based on dynamic migration | |
CN101873318A (en) | Application and data security method aiming at application system on application basis supporting platform | |
CN106341426A (en) | Method for defending APT attack and safety controller | |
CN104866407A (en) | Monitoring system and method in virtual machine environment | |
CN105516073A (en) | Network intrusion prevention method | |
CN106685900A (en) | Loophole prevention method and apparatus | |
Mehmood et al. | Distributed intrusion detection system using mobile agents in cloud computing environment | |
KR101768079B1 (en) | System and method for improvement invasion detection | |
CN104219211A (en) | Detection method and detection device for network security in cloud computing network | |
CN108345795A (en) | System and method for the Malware that detects and classify | |
CN110099041A (en) | A kind of Internet of Things means of defence and equipment, system | |
CN105704087A (en) | Device for realizing network security management based on virtualization and management method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||