CN106685900A - Vulnerability protection method and apparatus - Google Patents



Publication number
CN106685900A
Authority
CN
China
Prior art keywords
virtual machine
signature database
target
vulnerability
address
Legal status
Granted
Application number
CN201510760077.3A
Other languages
Chinese (zh)
Other versions
CN106685900B (en)
Inventor
刘艺
赖培源
陈楠
樊勇兵
何晓武
李巧玲
区洪辉
丁圣勇
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd


Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433  Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a vulnerability protection method and apparatus and relates to the technical field of virtualization. The method comprises: obtaining the destination IP address of network traffic; obtaining, according to the destination IP address, the vulnerability protection signature database corresponding to the target virtual machine, that database being specific to the application information on the target virtual machine; and inspecting the network traffic against that database. The traffic is thus inspected using the target virtual machine's own signature database, which contains fewer signatures and only those relevant to the applications on the target virtual machine, so that security is maintained while detection efficiency is improved.

Description

Vulnerability protection method and apparatus
Technical field
The present invention relates to the field of virtualization technology, and in particular to a vulnerability protection method and apparatus.
Background art
A vulnerability is a defect in the implementation of hardware, software or a protocol, or in a system security policy, that lets an attacker access or damage the system without authorization. Vulnerabilities may stem from mistakes made when an application or operating system was designed or coded, or from design defects and unreasonable logic introduced as a business system is iterated. By scope, vulnerabilities are divided into remote and local vulnerabilities. A remote vulnerability is one that an attacker can exploit directly over the network; a local vulnerability is one that can only be exploited once the attacker already holds access rights on the machine.
Remote vulnerabilities are usually attacked over the network by sending specific attack commands, or malformed commands that trigger the vulnerability. To protect a system or application from such attacks, the common approaches are patching and protection software.
After a vulnerability is found, the small program issued to fix it is called a patch. A system or application that has been patched is normally no longer affected by the corresponding attack.
Protection software means blocking remote vulnerability attacks with IPS (Intrusion Prevention System) / IDS (Intrusion Detection System) software, IPS/IDS hardware appliances or other security products. The software or appliance carries a vulnerability protection signature database containing the signatures of many kinds of attacks; by comparing the content of network traffic against those signatures it identifies whether a vulnerability attack is present and blocks it. Traditional vulnerability protection software is usually deployed on the native operating system of a server, while hardware protection appliances are usually attached at the data-center egress and inspect the north-south traffic entering and leaving the data center.
With data-center virtualization and the rapid growth of cloud computing, the large-scale use of virtualization technology has introduced new security problems, such as the safety of east-west traffic between virtual machines and the control and monitoring of virtual machine traffic. Traditional security appliances have difficulty inspecting east-west traffic between virtual machines, and installing protection software on every virtual machine consumes large amounts of resources and raises cost. Security vendors have therefore begun cooperating with virtualization vendors to release security products for virtualized environments.
The existing virtual machine vulnerability protection technique is shown in Fig. 1. The protection product is deployed in the form of a virtual machine (hereinafter the security virtual machine) on the physical server that hosts the other virtual machines. By calling the API (Application Programming Interface) of the virtualization software, the network traffic of all virtual machines on the server is steered to the security virtual machine for vulnerability protection inspection; after inspection, normal traffic is forwarded to the target virtual machine and attack traffic is intercepted. This technique prevents other virtual machines or hosts from attacking a virtual machine over the network through a software vulnerability, but during inspection every packet of network traffic must be checked by traversing the complete vulnerability signature database, which in a high-density virtual machine environment consumes considerable resources and is inefficient.
Summary of the invention
The object of the present invention is to provide a scheme for improving the efficiency of virtual machine vulnerability protection.
According to one aspect of the invention, a vulnerability protection method is proposed, comprising: obtaining the destination IP address of network traffic; obtaining, according to the destination IP address, the vulnerability protection signature database corresponding to the target virtual machine, where that database is the vulnerability protection signature database for the application information on the target virtual machine; and inspecting the network traffic against the vulnerability protection signature database corresponding to the target virtual machine.
Optionally, obtaining the vulnerability protection signature database corresponding to the target virtual machine according to the destination IP address comprises: obtaining the target virtual machine identifier (UUID) according to the destination IP address; and obtaining the database corresponding to the target virtual machine according to that UUID.
Optionally, the method further comprises: collecting identification information and application information of the virtual machines, where the identification information includes the virtual machine's IP address information and the application information includes the virtual machine's operating system information and/or application software information; and determining the vulnerability protection signature database corresponding to each virtual machine according to its application information.
Optionally, the method further comprises: reducing the vulnerability protection signature set according to the database determined for the virtual machine from its application information, so as to generate a vulnerability protection signature database subset corresponding to the virtual machine; and generating the correspondence between that subset and the virtual machine's IP address. Obtaining the database corresponding to the target virtual machine according to the destination IP address then consists of obtaining the corresponding subset according to the destination IP address.
Optionally, the identification information further includes the virtual machine's UUID, and the method further comprises: reducing the complete vulnerability protection signature set according to the database determined for the virtual machine from its application information, generating the subset corresponding to the virtual machine; generating the correspondence between the subset and the virtual machine UUID; and generating the correspondence between the virtual machine UUID and the virtual machine's IP address. Obtaining the database corresponding to the target virtual machine according to the destination IP address then consists of obtaining the target virtual machine's UUID according to the destination IP address and determining the corresponding subset according to that UUID.
Optionally, if the vulnerability protection signature database corresponding to the target virtual machine cannot be obtained from the destination IP address, the network traffic is inspected using the complete vulnerability protection signature database.
Optionally, the method further comprises: if inspection finds the network traffic to be attack traffic, intercepting it; otherwise forwarding it to the target virtual machine.
With such a method, network traffic can be inspected using a vulnerability protection signature database specific to the target virtual machine. That database contains fewer signatures, and they are the signatures relevant to the application information on the target virtual machine, so detection efficiency is improved while security is maintained.
According to another aspect of the invention, a vulnerability protection apparatus is proposed, comprising: an address acquisition module for obtaining the destination IP address of network traffic; a signature database acquisition module for obtaining, according to the destination IP address, the vulnerability protection signature database corresponding to the target virtual machine, that database being the one for the application information on the target virtual machine; and a traffic inspection module for inspecting the network traffic against the database corresponding to the target virtual machine.
Optionally, the signature database acquisition module is further used to obtain the target virtual machine identifier (UUID) according to the destination IP address and to obtain the database corresponding to the target virtual machine according to that UUID.
Optionally, the apparatus further comprises: an information collection module for collecting identification information and application information of the virtual machines, where the identification information includes the virtual machine's IP address information and the application information includes its operating system information and/or application software information; and a signature database determining module for determining the database corresponding to each virtual machine according to its application information.
Optionally, the apparatus further comprises: a signature database reduction module for reducing the vulnerability protection signature set according to the database determined for the virtual machine from its application information, generating the subset corresponding to the virtual machine; and a correspondence generation module for generating the correspondence between the subset and the virtual machine's IP address. The signature database acquisition module is further used to obtain the subset corresponding to the target virtual machine according to the destination IP address.
Optionally, the identification information further includes the virtual machine's UUID, and the apparatus further comprises: a signature database reduction module for reducing the complete vulnerability protection signature set according to the database determined for the virtual machine from its application information, generating the corresponding subset; and a correspondence generation module for generating the correspondence between the subset and the virtual machine UUID, and the correspondence between the virtual machine UUID and the virtual machine's IP address. The signature database acquisition module is further used to obtain the target virtual machine's UUID according to the destination IP address and to determine the corresponding subset according to that UUID.
Optionally, if the vulnerability protection signature database corresponding to the target virtual machine cannot be obtained from the destination IP address, the network traffic is inspected using the complete vulnerability protection signature database.
Optionally, the apparatus further comprises a traffic processing module for intercepting the network traffic when inspection determines it to be attack traffic, and forwarding it to the target virtual machine when it is not.
Such an apparatus can inspect network traffic using a vulnerability protection signature database specific to the target virtual machine. That database contains fewer signatures, and they are the signatures relevant to the application information on the target virtual machine, so detection efficiency is improved while security is maintained.
Description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the existing virtual machine vulnerability protection technique.
Fig. 2 is a flowchart of one embodiment of the vulnerability protection method of the invention.
Fig. 3 is a flowchart of another embodiment of the vulnerability protection method of the invention.
Fig. 4 is a flowchart of a further embodiment of the vulnerability protection method of the invention.
Fig. 5 is a schematic diagram of a further embodiment of the vulnerability protection method of the invention.
Fig. 6 is a schematic diagram of yet another embodiment of the vulnerability protection method of the invention.
Fig. 7 is a schematic diagram of one embodiment of the vulnerability protection apparatus of the invention.
Fig. 8 is a schematic diagram of another embodiment of the vulnerability protection apparatus of the invention.
Fig. 9 is a schematic diagram of a further embodiment of the vulnerability protection apparatus of the invention.
Detailed description
The technical scheme of the invention is further described in detail below with reference to the drawings and embodiments.
The flowchart of one embodiment of the vulnerability protection method of the invention is shown in Fig. 2.
In step 201, the security virtual machine obtains the destination IP address of the network traffic. The destination IP address can be obtained by parsing the traffic.
In step 202, the security virtual machine determines the target virtual machine from the destination IP address of the traffic and determines the vulnerability protection signature database corresponding to that target virtual machine, that is, the signature database for the application information on the target virtual machine. A vulnerability attack is generally tied to a specific operating system or application; if the operating system version differs or the application is not present, the attack has no effect. Because the operating system and the installed applications of a target virtual machine are limited, a vulnerability protection signature database for exactly that system and those applications can be obtained for the target virtual machine.
In step 203, the network traffic is inspected against the vulnerability protection signature database corresponding to the target virtual machine.
With such a method, network traffic can be inspected using a vulnerability protection signature database specific to the target virtual machine. That database contains fewer signatures, and they are the signatures relevant to the application information on the target virtual machine, so detection efficiency is improved while security is maintained.
In one embodiment, the security virtual machine determines the target virtual machine's identifier (UUID) from the destination IP address of the traffic, and then determines the corresponding vulnerability protection signature database from the UUID. A virtual machine may have several IP addresses, and its IP addresses may change dynamically, whereas its UUID is unique and relatively stable. By determining the UUID from the IP address and then the database from the relatively stable UUID-to-database relation, the burden of data updates is reduced.
The flowchart of another embodiment of the vulnerability protection method of the invention is shown in Fig. 3.
In step 301, the security virtual machine collects the identification information and application information of the virtual machines. The identification information includes the virtual machine's IP address information; the application information includes its operating system information and/or application software information. For virtual machines with a high degree of openness, the identification and application information can be obtained through an API; for virtual machines with a low degree of openness, it can be obtained through the tools that accompany the virtual machine, such as VMware Tools (VMtools) on the VMware virtualization platform or Guest Additions on the Virtual Box virtualization platform.
In step 302, the security virtual machine determines the corresponding vulnerability protection signature database from the virtual machine's application information; this is the database corresponding to that virtual machine. An association can be established between the virtual machine's IP address and its database. In one embodiment, an association table of virtual machine IP address to the identifier of the corresponding vulnerability protection signature database is built.
In step 303, when network traffic arrives, the security virtual machine obtains its destination IP address.
In step 304, the security virtual machine determines the vulnerability protection signature database corresponding to the target virtual machine from the destination IP address. In one embodiment this is done by looking up the association table of virtual machine IP address to database identifier.
In step 305, the network traffic is inspected using the corresponding vulnerability protection signature database.
With such a method, the identification and application information of the virtual machines is collected, the vulnerability protection signature database corresponding to each virtual machine is obtained from its application information, and a correspondence between that database and the virtual machine's IP address is established, so that the security virtual machine can conveniently obtain the corresponding database from the destination IP address of the network traffic, further improving the efficiency of vulnerability protection.
In one embodiment, after determining the corresponding vulnerability protection signature database from the virtual machine's application information, the security virtual machine can also establish associations between the virtual machine's IP address and its UUID, and between the UUID and the corresponding database. In one embodiment, an association table of virtual machine IP address to UUID and an association table of UUID to vulnerability protection signature database are built, in the following form:
Virtual machine UUID          IP address
UUID of virtual machine 1     IP address
UUID of virtual machine 2     IP address 1
UUID of virtual machine 2     IP address 2
Table 1. Association table of virtual machine UUID and IP address
Virtual machine UUID          Vulnerability protection signature database subset
UUID of virtual machine 1     signature database subset 1
UUID of virtual machine 2     signature database subset 2
UUID of virtual machine 3     signature database subset 3
Table 2. Correspondence table of virtual machine UUID and signature database subset
When network traffic arrives, the target virtual machine's UUID is first obtained from the destination IP address, and then the corresponding vulnerability protection signature database is obtained; both can be done by table lookup.
Since a virtual machine may have several IP addresses, and those addresses may change dynamically, while its UUID is unique and relatively stable, this method determines the UUID from the IP address and then the corresponding database from the relatively stable UUID-to-database relation. When a virtual machine's IP address changes, only the UUID-to-IP correspondence needs to be updated, which reduces the burden of data updates.
In one embodiment, the complete vulnerability protection signature database can be reduced according to the virtual machine's application information to determine the signature database subset corresponding to that application information. Because the reduced database contains fewer signatures, inspecting network traffic against it takes less time, which improves the efficiency of traffic inspection.
The flowchart of a further embodiment of the vulnerability protection method of the invention is shown in Fig. 4.
In step 401, the security virtual machine parses the network traffic and obtains its destination IP address.
In step 402, the security virtual machine looks up the virtual machine UUID corresponding to the destination IP address, by querying the association table of UUID to IP address.
In step 403, it is judged whether a corresponding UUID was found. If so, step 404 is executed; otherwise step 407 is executed.
In step 404, the security virtual machine looks up the corresponding vulnerability protection signature database subset from the UUID, by querying the stored association table of UUID to signature database subset.
In step 405, it is judged whether a corresponding subset was found. If so, step 406 is executed; otherwise step 407 is executed.
In step 406, the network traffic is inspected using the vulnerability protection signature database subset that was found.
In step 407, the network traffic is inspected using the complete vulnerability protection signature database.
In step 408, it is judged whether the network traffic is attack traffic. If so, step 409 is executed; otherwise step 410 is executed.
In step 409, the network traffic is intercepted.
In step 410, the network traffic is forwarded to the target virtual machine.
With such a method, when the vulnerability protection signature database corresponding to the destination IP address cannot be found, the network traffic is still inspected against the complete database, which strengthens the protection of the virtual machines.
One embodiment is shown in Fig. 5.
In 501, the virtual machine provides identification information and application information to the information collection module.
In 502, the security virtual machine obtains the identification information and application information of the virtual machine through the information collection module.
In 503, the security virtual machine reduces the complete signature database through the processing module, extracting the signatures relevant to the virtual machine and generating the corresponding reduced vulnerability protection signature database subset.
In 504, network traffic reaches the security virtual machine through the virtual switch.
In 505, the security virtual machine looks up the target virtual machine of the network traffic and inspects the traffic using the corresponding reduced vulnerability protection signature database subset.
With such a method, the security virtual machine can, when it is installed and deployed, call the API of the virtualization software so that all network traffic is thereafter steered to it for security inspection; traffic reaches the corresponding target virtual machine only after inspection and filtering by the security virtual machine, which ensures the safety of the virtual machines. Generating and using a targeted signature database subset with fewer signatures for traffic monitoring effectively improves the efficiency of security inspection and reduces the delay with which virtual machines receive network traffic.
In one embodiment, shown in Fig. 6 and taking a VMware virtualized environment as an example, the vulnerability protection product is deployed in the VMware resource pool and, by calling the VMware API, it is configured that all virtual machine network traffic is first steered to the security virtual machine for inspection and only then forwarded. Suppose a server hosts two virtual machines: an Apache application is installed on virtual machine 1 and an Oracle database application on virtual machine 2. The collection module first calls the virtualization software interface to obtain all information about the virtual machines, then sends that information to the processing module on the security virtual machine in the form [(UUID1, 1.1.1.1, Apache), (UUID2, 2.2.2.2, Oracle DB)]. On receiving it, the processing module builds the "virtual machine UUID to IP" table and the "virtual machine UUID to vulnerability protection signature database subset" table, with the content shown in the figure. It then builds two vulnerability protection signature database subsets, set a and set b, from the tables: signatures related to Apache vulnerability attacks are placed in set a and signatures related to Oracle database vulnerability attacks in set b, completing the reduction of the signature database. When network traffic flows toward virtual machine 1, it first reaches the processing module on the security virtual machine, which finds UUID1 from the destination IP address 1.1.1.1, then finds the corresponding signature set a, inspects the traffic against set a, and after inspection forwards the normal traffic to virtual machine 1.
In this way, virtual machine information is obtained through the virtualization software interface and fed back to the security virtual machine; the signature database is reduced according to the virtual machine UUID and the information obtained, building the vulnerability protection signature database subset for that virtual machine; and the subset used for inspection is selected according to the three-way correspondence between virtual machine UUID, traffic IP address and signature database subset. Such a method effectively improves virtual machine vulnerability protection performance and reduces resource consumption. It is suitable for security protection inside a cloud resource pool hosting different business applications, can quickly realize vulnerability protection for large numbers of virtual machines, and at the same time provides tenants in a public cloud with a high-performance, low-resource vulnerability protection service, suited to high-density virtual machine scenarios in virtualized environments.
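The inspection path of Fig. 4 (IP to UUID to subset, with fallback to the complete database) and the Fig. 6 scenario of an Apache virtual machine and an Oracle DB virtual machine, as an added Python example that is not code from the patent or from China Telecom. The SecurityVM class, the Signature and Verdict types, the signature patterns (constructed oversized-field placeholders standing in for real vulnerability signatures) and the sample traffic are all assumptions made for illustration. Going slightly beyond the page, it also counts how many signatures each path compares and shows an IP change that touches only the UUID-to-IP table.

```python
"""Per-VM vulnerability signature subsets with a full-database fallback.

Added example, not the patent's code. Models the two association tables
(UUID -> IP, UUID -> signature subset), the reduction of the full database
by application, and the Fig. 4 inspection path including the fallback to
the complete database when the destination IP is unknown.
"""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class Signature:
    sig_id: str
    software: str        # application the signature is written for
    pattern: re.Pattern  # matched against the raw payload


# Constructed stand-ins for a full vulnerability protection signature
# database. The patterns are illustrative oversized-field checks, not real
# exploit signatures.
FULL_SIGNATURE_DB = (
    Signature("SIG-APACHE-1", "Apache", re.compile(rb"^GET /[^ ]{2048,}")),
    Signature("SIG-APACHE-2", "Apache", re.compile(rb"^Content-Length: -\d+", re.M)),
    Signature("SIG-ORACLE-1", "Oracle DB", re.compile(rb"\(CONNECT_DATA=[^)]{1024,}")),
    Signature("SIG-ORACLE-2", "Oracle DB", re.compile(rb"\(SID=[^)]{512,}")),
    Signature("SIG-WIN-1", "Windows", re.compile(rb"\\PIPE\\[^\x00]{256,}")),
)


@dataclass(frozen=True)
class Verdict:
    action: str             # "intercept" or "forward"
    matched: Optional[str]  # signature id that fired, if any
    db_used: str            # "subset" or "full"
    checked: int            # number of signatures compared before deciding


class SecurityVM:
    """Processing module of the security virtual machine (hypothetical class)."""

    def __init__(self, full_db=FULL_SIGNATURE_DB):
        self.full_db = tuple(full_db)
        self.ip_to_uuid = {}      # Table 1, keyed by IP address -> VM UUID
        self.uuid_to_subset = {}  # Table 2, VM UUID -> reduced signature tuple

    def collect(self, uuid, ips, applications):
        """Steps 301/302 and 501-503: record one VM's identification and
        application information and reduce the full DB to its applications.
        Calling it again for the same UUID rebuilds the subset, which is how
        a changed application inventory must be handled."""
        for ip in ips:
            self.ip_to_uuid[ip] = uuid
        self.uuid_to_subset[uuid] = tuple(
            s for s in self.full_db if s.software in applications)

    def change_ip(self, uuid, old_ip, new_ip):
        """An IP change touches only Table 1; the UUID-keyed subset stays valid."""
        if self.ip_to_uuid.get(old_ip) != uuid:
            raise KeyError(f"{old_ip} is not mapped to {uuid}")
        del self.ip_to_uuid[old_ip]
        self.ip_to_uuid[new_ip] = uuid

    def select_db(self, dst_ip):
        """Steps 402-405: IP -> UUID -> subset; otherwise the complete database.
        Falling back, rather than forwarding unchecked, is the safe default."""
        uuid = self.ip_to_uuid.get(dst_ip)
        subset = self.uuid_to_subset.get(uuid) if uuid is not None else None
        if subset is None:
            return self.full_db, "full"
        return subset, "subset"

    def inspect(self, dst_ip, payload):
        """Steps 406-410: match the payload and decide intercept or forward."""
        db, db_used = self.select_db(dst_ip)
        checked = 0
        for sig in db:
            checked += 1
            if sig.pattern.search(payload):
                return Verdict("intercept", sig.sig_id, db_used, checked)
        return Verdict("forward", None, db_used, checked)


def demo():
    """The Fig. 6 scenario: VM1 runs Apache, VM2 runs Oracle DB (VM2 has two IPs)."""
    svm = SecurityVM()
    svm.collect("UUID1", ["1.1.1.1"], {"Apache"})
    svm.collect("UUID2", ["2.2.2.2", "2.2.2.10"], {"Oracle DB"})

    # Constructed sample traffic.
    attack = b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\nHost: 1.1.1.1\r\n\r\n"
    benign = b"GET /index.html HTTP/1.1\r\nHost: 1.1.1.1\r\n\r\n"
    tns = b"(DESCRIPTION=(CONNECT_DATA=(SID=ORCL))(ADDRESS=(HOST=2.2.2.2)(PORT=1521)))"
    return {
        "vm1_attack": svm.inspect("1.1.1.1", attack),
        "vm1_benign": svm.inspect("1.1.1.1", benign),
        "vm2_tns": svm.inspect("2.2.2.10", tns),
        "unknown": svm.inspect("9.9.9.9", benign),  # no table entry -> full DB
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:11} {v.action:9} {v.db_used:6} checked={v.checked} matched={v.matched}")
```

Two checks a practitioner would add around this: the subset is only as good as the last collection, so a virtual machine whose installed software changes after step 301 must be re-collected or it will be inspected against a subset that no longer covers it; and because selection is keyed on the destination IP, a stale IP-to-UUID entry (an address reassigned to a different virtual machine) selects the wrong subset, which is why the page's own IP-change handling in Table 1 matters as much as the reduction itself.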
The schematic diagram of one embodiment of the vulnerability protection apparatus of the invention is shown in Fig. 7. 701 is the address acquisition module, which obtains the destination IP address of network traffic by parsing the traffic. 702 is the signature database acquisition module, which determines the target virtual machine from the destination IP address of the traffic and determines the vulnerability protection signature database corresponding to it. 703 is the traffic inspection module, which inspects the network traffic against the vulnerability protection signature database corresponding to the target virtual machine.
Such an apparatus can inspect network traffic using a vulnerability protection signature database specific to the target virtual machine. That database contains fewer signatures, and they are the signatures relevant to the application information on the target virtual machine, so detection efficiency is improved while security is maintained.
In one embodiment, the signature database acquisition module 702 determines the target virtual machine's identifier (UUID) from the destination IP address of the traffic, and then determines the corresponding vulnerability protection signature database from the UUID. Since a virtual machine may have several IP addresses, and those addresses may change dynamically, while its UUID is unique and relatively stable, such an apparatus determines the UUID from the IP address and then the corresponding database from the relatively stable UUID-to-database relation, reducing the burden of data updates.
The schematic diagram of another embodiment of the vulnerability protection apparatus of the invention is shown in Fig. 8. 801, 802 and 803 are the address acquisition module, the signature database acquisition module and the traffic inspection module respectively, with structure and function similar to those in Fig. 7. 804 is the information collection module, which collects the identification information and application information of the virtual machines. The identification information includes the virtual machine's IP address information; the application information includes its operating system information and/or application software information. For virtual machines with a high degree of openness, the information collection module can obtain the identification and application information through an API; for virtual machines with a low degree of openness, it can obtain them through the tools that accompany the virtual machine, such as VMware Tools (VMtools) on the VMware virtualization platform or Guest Additions on the Virtual Box virtualization platform. 805 is the signature database determining module, which determines the corresponding vulnerability protection signature database from the virtual machine's application information, that is, the database corresponding to that virtual machine. The signature database determining module 805 can establish an association between the virtual machine's IP address and its database, for example an association table of virtual machine IP address to the identifier of the corresponding vulnerability protection signature database.
Such an apparatus can collect the identification and application information of the virtual machines, obtain the vulnerability protection signature database corresponding to each virtual machine from its application information, and establish the correspondence between that database and the virtual machine's IP address, so that the security virtual machine can conveniently obtain the corresponding database from the destination IP address of the network traffic, further improving the efficiency of vulnerability protection.
The schematic diagram of another embodiment of the leak protector of the present invention is as shown in Figure 9.Its In, 901,902,903 are respectively the inspection of address acquisition module, feature database acquisition module and flow Survey module, its 26S Proteasome Structure and Function to it is similar in Fig. 7.904 is information collection module, is used for Collect the identification information and application message of virtual machine.905 are characterized storehouse determining module, for root Determine corresponding leak protection feature database according to the application message of virtual machine, as the virtual machine correspondence Leak protection feature database.906 are characterized storehouse draws little module, for complete leak to be protected Feature database draws little, extracts the condition code for virtual machine, generates corresponding leak and protects feature database Subclass.907 be corresponding relation generation module, for set up the IP address of virtual machine with it is virtual Incidence relation between the little leak protection feature database of corresponding stroke of machine, such as sets up IP address and draws Little leak protects the associated data table of feature database subclass.Due to draw it is little after leak protection it is special Levy planting modes on sink characteristic code less, it is few in the time used when network traffics are detected that carries out using such device, So as to improve the efficiency of network traffics detection.
In one embodiment, information collection module 904 can also obtain the UUID of virtual machine, The information format of acquisition can be:【(virtual machine 1UUID, IP address, system information, Application software information), (virtual machine 2UUID, IP address, system information, application software Information) ...】.Corresponding relation generation module 907 can generate leak protection feature database Set and the corresponding relation of virtual machine UUID, and virtual machine UUID is generated with virtual machine The corresponding relation of IP address, e.g., sets up respectively the IP address of virtual machine and the UUID of virtual machine, The UUID of virtual machine protects the associated data table of feature database subclass with corresponding leak.Due to One virtual machine may have multiple IP address information, and IP address information is probably that dynamic becomes Change, and the UUID of virtual machine is unique and metastable, such device can lead to Cross IP address and determine UUID, further according to metastable UUID and leak feature database is protected Relation determines corresponding leak protection feature database, and when the IP address of virtual machine changes, Only need to update the corresponding relation of UUID and IP, reduce the burden of data renewal.
In one embodiment, when feature database acquisition module fails to be obtained by target ip address During corresponding stroke little leak protection feature database, flow detection module can adopt complete leak to protect Feature database detects network traffics.Such device can fail to find target ip address correspondence Leak protection feature database in the case of, feature database is protected to network traffics using complete leak Detected, so as to enhance the safeguard protection to virtual machine.
In one embodiment, leak protector can also include flow processing module, with stream Amount detection module is connected, for processing network traffics according to testing result.When it is determined that network traffics For attack traffic when, intercept network traffics;When network traffic security, network traffics are forwarded To target virtual machine.Such device can realize the Effective selection to network traffics, so as to reality Now to the protection of virtual machine.
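The lookup chain described in the Figure 9 embodiment and the two refinements above (the IP -> UUID -> subset tables whose IP side alone changes when a virtual machine's address changes, the fallback to the complete feature library when no subset is found, and the intercept/forward decision) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the patent or from China Telecom, and every signature, UUID, IP address and application name in it is constructed for illustration.

```python
"""Added example (not from the patent): IP -> UUID -> reduced feature library
lookup, fallback to the complete library, and the intercept/forward decision.
All signatures, UUIDs, IPs and application names are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sig_id: str     # constructed identifier
    software: str   # OS or application the signature is relevant to
    pattern: str    # regex matched against the traffic payload


# Constructed complete vulnerability protection feature library.
FULL_LIBRARY: List[Signature] = [
    Signature("SIG-001", "apache", r"\.\./\.\./"),
    Signature("SIG-002", "mysql", r"(?i)union\s+select"),
    Signature("SIG-003", "windows", r"\\\\[^\\]+\\IPC\$"),
    Signature("SIG-004", "openssh", r"SSH-1\.5"),
    Signature("SIG-005", "linux", r"/etc/shadow"),
]


def reduce_library(full: List[Signature], app_info: Iterable[str]) -> List[Signature]:
    """Feature library reduction: keep only the signatures whose software
    appears in the VM's collected OS / application software information."""
    present = {name.lower() for name in app_info}
    return [sig for sig in full if sig.software in present]


class ProtectionTables:
    """The two association tables of the UUID-based embodiment:
    IP address -> VM UUID, and VM UUID -> reduced feature library subset."""

    def __init__(self, full: List[Signature]) -> None:
        self.full = full
        self.ip_to_uuid: Dict[str, str] = {}
        self.uuid_to_subset: Dict[str, List[Signature]] = {}

    def register_vm(self, uuid: str, ips: Iterable[str], app_info: Iterable[str]) -> None:
        """Consume one collected record (UUID, IP addresses, system/app info)."""
        self.uuid_to_subset[uuid] = reduce_library(self.full, app_info)
        self.set_ips(uuid, ips)

    def set_ips(self, uuid: str, ips: Iterable[str]) -> None:
        """An address change touches only the IP -> UUID table; the
        UUID -> subset table is left untouched."""
        for ip in [ip for ip, u in self.ip_to_uuid.items() if u == uuid]:
            del self.ip_to_uuid[ip]
        for ip in ips:
            self.ip_to_uuid[ip] = uuid

    def lookup(self, target_ip: str) -> Tuple[List[Signature], bool]:
        """Return (library to use, fell_back). An unknown IP or UUID falls
        back to the complete library instead of skipping detection."""
        uuid = self.ip_to_uuid.get(target_ip)
        subset = self.uuid_to_subset.get(uuid) if uuid is not None else None
        if subset is None:
            return self.full, True
        return subset, False


def detect(payload: str, library: List[Signature]) -> Optional[str]:
    """Traffic detection: id of the first matching signature, or None."""
    for sig in library:
        if re.search(sig.pattern, payload):
            return sig.sig_id
    return None


def process_traffic(tables: ProtectionTables, dst_ip: str, payload: str) -> dict:
    """Traffic processing: intercept on a hit, otherwise forward to the VM."""
    library, fell_back = tables.lookup(dst_ip)
    hit = detect(payload, library)
    return {
        "action": "intercept" if hit else "forward",
        "signature": hit,
        "fell_back": fell_back,
        "signatures_checked": len(library),
    }


def build_demo_tables() -> ProtectionTables:
    """Constructed collection output in the [(UUID, IP address, system
    information, application software information), ...] shape."""
    tables = ProtectionTables(FULL_LIBRARY)
    collected = [
        ("vm-uuid-1111", ["10.0.0.11"], ["Linux", "Apache"]),
        ("vm-uuid-2222", ["10.0.0.22", "10.0.1.22"], ["Windows"]),
    ]
    for uuid, ips, app_info in collected:
        tables.register_vm(uuid, ips, app_info)
    return tables


if __name__ == "__main__":
    t = build_demo_tables()
    print(process_traffic(t, "10.0.0.11", "GET /../../private.txt HTTP/1.1"))
    print(process_traffic(t, "10.0.0.99", "id=1 union select 2"))
```

Two properties worth checking when building such tables for real: a virtual machine whose subset omits a signature will forward traffic that the complete library would have caught, so the collected application information must be complete and kept current, and the fallback path (unknown IP) should be monitored, since every packet that takes it costs a full-library scan.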
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified, or some of their technical features replaced by equivalents, without departing from the spirit of the technical solution of the present invention, and that all such modifications fall within the scope of the technical solution claimed by the present invention.

Claims (14)

1. A vulnerability protection method, characterized in that it comprises:
obtaining a target IP address of network traffic;
obtaining, according to the target IP address, a vulnerability protection feature library corresponding to a target virtual machine, where the vulnerability protection feature library corresponding to the target virtual machine is a vulnerability protection feature library for the application information on the target virtual machine;
detecting the network traffic according to the vulnerability protection feature library corresponding to the target virtual machine.
2. The method according to claim 1, characterized in that obtaining the vulnerability protection feature library corresponding to the target virtual machine according to the target IP address comprises:
obtaining a target virtual machine identifier UUID according to the target IP address;
obtaining the vulnerability protection feature library corresponding to the target virtual machine according to the target virtual machine UUID.
3. The method according to claim 1, characterized in that it further comprises:
collecting identification information and application information of a virtual machine, where the identification information includes the IP address information of the virtual machine and the application information includes the operating system information and/or application software information of the virtual machine;
determining the vulnerability protection feature library corresponding to the virtual machine according to the application information.
4. The method according to claim 3, characterized in that it further comprises:
reducing the vulnerability protection feature library set according to the vulnerability protection feature library corresponding to the virtual machine determined based on the application information, generating a vulnerability protection feature library subset corresponding to the virtual machine;
generating a correspondence between the vulnerability protection feature library subset and the IP address of the virtual machine;
wherein obtaining the vulnerability protection feature library corresponding to the target virtual machine according to the target IP address is: obtaining the vulnerability protection feature library subset corresponding to the target virtual machine according to the target IP address.
5. The method according to claim 3, characterized in that
the identification information further includes UUID information of the virtual machine;
the vulnerability protection method further comprises:
reducing the complete vulnerability protection feature library set according to the vulnerability protection feature library corresponding to the virtual machine determined based on the application information, generating a vulnerability protection feature library subset corresponding to the virtual machine;
generating a correspondence between the vulnerability protection feature library subset and the virtual machine UUID;
generating a correspondence between the virtual machine UUID and the IP address of the virtual machine;
wherein obtaining the vulnerability protection feature library corresponding to the target virtual machine according to the target IP address is: obtaining the virtual machine UUID of the target virtual machine according to the target IP address, and determining the vulnerability protection feature library subset corresponding to the target virtual machine according to the virtual machine UUID.
6. The method according to claim 1, characterized in that, if the vulnerability protection feature library corresponding to the target virtual machine cannot be obtained according to the target IP address, the network traffic is detected using the complete vulnerability protection feature library.
7. The method according to claim 1, characterized in that it further comprises:
if, after detection, the network traffic is attack traffic, intercepting the network traffic; otherwise, forwarding the network traffic to the target virtual machine.
8. A vulnerability protection device, characterized in that it comprises:
an address acquisition module, for obtaining a target IP address of network traffic;
a feature library acquisition module, for obtaining, according to the target IP address, a vulnerability protection feature library corresponding to a target virtual machine, where the vulnerability protection feature library corresponding to the target virtual machine is a vulnerability protection feature library for the application information on the target virtual machine;
a traffic detection module, for detecting the network traffic according to the vulnerability protection feature library corresponding to the target virtual machine.
9. The device according to claim 8, characterized in that the feature library acquisition module is further configured to:
obtain a target virtual machine identifier UUID according to the target IP address;
obtain the vulnerability protection feature library corresponding to the target virtual machine according to the target virtual machine UUID.
10. The device according to claim 8, characterized in that it further comprises:
an information collection module, for collecting identification information and application information of a virtual machine, where the identification information includes the IP address information of the virtual machine and the application information includes the operating system information and/or application software information of the virtual machine;
a feature library determination module, for determining the vulnerability protection feature library corresponding to the virtual machine according to the application information.
11. The device according to claim 10, characterized in that it further comprises:
a feature library reduction module, for reducing the vulnerability protection feature library set according to the vulnerability protection feature library corresponding to the virtual machine determined based on the application information, generating a vulnerability protection feature library subset corresponding to the virtual machine;
a correspondence generation module, for generating a correspondence between the vulnerability protection feature library subset and the IP address of the virtual machine;
wherein the feature library acquisition module is further configured to obtain the vulnerability protection feature library subset corresponding to the target virtual machine according to the target IP address.
12. The device according to claim 10, characterized in that
the identification information further includes UUID information of the virtual machine;
the device further comprises:
a feature library reduction module, for reducing the complete vulnerability protection feature library set according to the vulnerability protection feature library corresponding to the virtual machine determined based on the application information, generating a vulnerability protection feature library subset corresponding to the virtual machine;
a correspondence generation module, for generating a correspondence between the vulnerability protection feature library subset and the virtual machine UUID, and generating a correspondence between the virtual machine UUID and the IP address of the virtual machine;
wherein the feature library acquisition module is further configured to obtain the virtual machine UUID of the target virtual machine according to the target IP address, and to determine the vulnerability protection feature library subset corresponding to the target virtual machine according to the virtual machine UUID.
13. The device according to claim 8, characterized in that, if the vulnerability protection feature library corresponding to the target virtual machine cannot be obtained according to the target IP address, the network traffic is detected using the complete vulnerability protection feature library.
14. The device according to claim 8, characterized in that it further comprises:
a traffic processing module, for intercepting the network traffic when the network traffic is determined after detection to be attack traffic, and for forwarding the network traffic to the target virtual machine when the network traffic is not attack traffic.
CN201510760077.3A 2015-11-10 2015-11-10 Vulnerability protection method and device Active CN106685900B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510760077.3A CN106685900B (en) 2015-11-10 2015-11-10 Vulnerability protection method and device

Publications (2)

Publication Number Publication Date
CN106685900A true CN106685900A (en) 2017-05-17
CN106685900B CN106685900B (en) 2020-04-28

Family

ID=58864394

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510760077.3A Active CN106685900B (en) 2015-11-10 2015-11-10 Vulnerability protection method and device

Country Status (1)

Country Link
CN (1) CN106685900B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922021A (en) * 2017-12-12 2019-06-21 中国电信股份有限公司 Security protection system and safety protecting method
CN111225082A (en) * 2020-01-14 2020-06-02 上海顺舟智能科技股份有限公司 Identity management method and device of Internet of things intelligent equipment and Internet of things platform
CN111835694A (en) * 2019-04-23 2020-10-27 张长河 Network security vulnerability defense system based on dynamic camouflage

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102346828A (en) * 2011-09-20 2012-02-08 海南意源高科技有限公司 Malicious program judging method based on cloud security
CN103561035A (en) * 2013-11-11 2014-02-05 中国联合网络通信集团有限公司 Mobile subscriber safety protection method and system
CN104142848A (en) * 2013-05-08 2014-11-12 西安邮电大学 Virtual machine identifier and use method thereof
CN104217157A (en) * 2014-07-31 2014-12-17 珠海市君天电子科技有限公司 Anti-vulnerability-exploitation method and system
CN104363236A (en) * 2014-11-21 2015-02-18 西安邮电大学 Automatic vulnerability validation method
CN104573508A (en) * 2013-10-22 2015-04-29 中国银联股份有限公司 Method for detecting compliance of payment applications under virtualization environment
CN104751056A (en) * 2014-12-19 2015-07-01 中国航天科工集团第二研究院七〇六所 Vulnerability verification system and method based on attack library
US20150264077A1 (en) * 2014-03-13 2015-09-17 International Business Machines Corporation Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure
CN104994094A (en) * 2015-07-01 2015-10-21 北京奇虎科技有限公司 Virtualization platform safety protection method, device and system based on virtual switch

Also Published As

Publication number Publication date
CN106685900B (en) 2020-04-28

Similar Documents

Publication Publication Date Title
CN104023034B (en) Security defensive system and defensive method based on software-defined network
US9166988B1 (en) System and method for controlling virtual network including security function
CN107370756B (en) Honey net protection method and system
US10474813B1 (en) Code injection technique for remediation at an endpoint of a network
US10454950B1 (en) Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
CN104601568B (en) Virtualization security isolation method and device
US9507935B2 (en) Exploit detection system with threat-aware microvisor
US20070266433A1 (en) System and Method for Securing Information in a Virtual Computing Environment
CN104104679B (en) A kind of data processing method based on private clound
CN110572412A (en) Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof
Zhou et al. Applying NFV/SDN in mitigating DDoS attacks
CN104270467A (en) Virtual machine managing and controlling method for mixed cloud
CN109347847A (en) A kind of smart city security assurance information system
CN104951354A (en) Virtual machine dispatch algorithm security verification method based on dynamic migration
CN101873318A (en) Application and data security method aiming at application system on application basis supporting platform
CN106341426A (en) Method for defending APT attack and safety controller
CN104866407A (en) Monitoring system and method in virtual machine environment
CN105516073A (en) Network intrusion prevention method
CN106685900A (en) Loophole prevention method and apparatus
Mehmood et al. Distributed intrusion detection system using mobile agents in cloud computing environment
KR101768079B1 (en) System and method for improvement invasion detection
CN104219211A (en) Detection method and detection device for network security in cloud computing network
CN108345795A (en) System and method for the Malware that detects and classify
CN110099041A (en) A kind of Internet of Things means of defence and equipment, system
CN105704087A (en) Device for realizing network security management based on virtualization and management method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant