CN106790091B - Cloud safety protection system and flow cleaning method - Google Patents


Info

Publication number: CN106790091B
Authority: CN (China)
Prior art keywords: security, cloud, virtual machine, resource pool, target virtual
Legal status: Active
Application number: CN201611207710.7A
Other languages: Chinese (zh)
Other versions: CN106790091A
Inventor: 张结辉
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN201611207710.7A; publication of CN106790091A; application granted; publication of CN106790091B; legal status currently active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a cloud security protection system and a traffic cleaning method. The system comprises a cloud platform, which deploys virtual machines, and a cloud security service platform, which deploys endpoint security on those virtual machines; it further comprises a security resource pool used to view and/or manage the endpoint security. The cloud security protection system of the embodiment achieves centralized management and security visualization, can uniformly control all security components, displays the security state of the cloud platform, and is convenient for user operation and management.

Description

Cloud safety protection system and flow cleaning method
Technical Field
The invention relates to the technical field of traffic cleaning, and in particular to a cloud-computing-based traffic cleaning method and a cloud security protection system.
Background
The global cloud computing services market has grown rapidly in recent years. According to statistics, the global cloud computing service market in 2014 had a size of 1528 billion dollars with a growth rate of 17.9%, of which the typical Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) offerings had a market size of 425 billion dollars. Cloud services are growing at four times the rate of global IT spending and are expected to rise from 3.6% of global IT spending in 2013 to 6.6% in 2018. Cloud computing services are increasingly evolving into a new type of information infrastructure.
Cloud computing is a revolution across the whole IT field: large-scale, intensive computing resources greatly improve production efficiency, but they also bring new challenges in protecting enterprise assets, sensitive data and the like. Among the 12 cloud computing threats published at the end of February 2016, data leakage and weak identity or access management were identified as the dominant threats. The main factors behind these threats are that cloud services are opaque to tenants, who lack control over the services they use, while traditional security solutions are difficult to deploy in front of cloud services. Solving these security problems has therefore become one of the prerequisites for migrating an enterprise to the cloud.
At present, security solutions for cloud computing environments fall roughly into two types. In the first, the cloud platform vendor provides basic security capability to solve the security problems of the platform layer, while the security of the service layer is left to the tenants. In the second, a traditional security vendor converts its hardware security appliances into software and ports them to the cloud platform to secure the cloud computing environment. Unlike a traditional network, however, a cloud computing environment allows customer service resources to be expanded elastically, so the security capacity must expand elastically as well, which a software port of traditional security hardware cannot achieve. In a cloud computing environment the same physical host can run the service data of several customers at the same time; the traditional physical boundary disappears, the security boundary becomes blurred, and controlling and visualizing the east-west traffic between virtual machines becomes a problem. To ensure service continuity, customer services may also be migrated among several different cloud platform providers, so customers require a uniform and simpler security operation and maintenance platform, which current cloud security schemes cannot provide.
Disclosure of Invention
The invention provides a cloud security protection system and a traffic cleaning method which offer higher security and allow elastic expansion of customer service resources.
A first aspect of an embodiment of the present invention provides a cloud security protection system comprising a cloud platform and a cloud security service platform, where the cloud platform is configured to deploy virtual machines and the cloud security service platform is configured to deploy endpoint security on the virtual machines; the cloud security protection system further comprises a security resource pool configured to view and/or manage the endpoint security.
The security resource pool includes at least one of the following components:
a virtual next-generation application firewall (vNGAF), a virtual online behaviour management component (vAC) and a virtual SSL VPN.
The security resource pool is centrally deployed on several cloud computing nodes, or at least one component of the security resource pool is deployed on the cloud computing nodes, each cloud computing node comprising several virtual machines.
The security resource pool provides at least one of the following functions:
a security protection capability for the north-south traffic of the cloud platform, user management for the endpoint security, traffic visibility for the endpoint security, and security visibility for the endpoint security;
the security protection capability comprises at least one of:
website backdoor (webshell) protection, virus removal and tamper prevention.
The cloud security service platform provides at least one of the following functions:
management, traffic visualization and security services for the cloud platform.
The endpoint security provides at least one of the following functions:
network security protection for the virtual machine, host security protection for the virtual machine, and security protection for the east-west traffic of the cloud platform;
the security protection capability comprises at least one of:
website backdoor (webshell) protection, virus removal and tamper prevention.
The cloud security service platform comprises a user interaction system, an authentication system, a security component system, a real-time information system, a log system and an alarm system;
the user interaction system provides a control panel and/or a representational state transfer interface (REST API); the control panel realizes the interaction between a user and the cloud security protection system, and the cloud security service platform interacts with the cloud platform through the REST API;
the authentication system verifies the identity of the user;
the security component system interfaces with the cloud platform and manages the security of the cloud platform and of the endpoints;
the real-time information system feeds real-time information about the security resource pool and/or the endpoint security back to the user;
the log system collects the security logs of the security resource pool and/or the endpoint security, analyses them to produce an analysis result, and feeds the result back to the user;
the alarm system feeds alarm information back to the user.
The authentication system further provides at least one of the following functions:
token management, a service directory for accessing resources, access control corresponding to the user's identity, and registration of service endpoints.
The real-time information comprises at least one of:
traffic, running state, protection state, CPU utilization and memory utilization.
The analysis result is fed back to the user in the form of a visual chart and/or a security report.
A second aspect of the present invention provides a traffic cleaning method based on the cloud security protection system of the first aspect; the traffic cleaning method comprises:
pulling the traffic of at least one target virtual machine to the security resource pool according to a configured traffic diversion mode, the target virtual machine being a virtual machine under distributed denial of service (DDoS) attack;
determining, by the security resource pool, the security resource corresponding to the target virtual machine according to a configured traffic pulling rule;
cleaning the traffic of the target virtual machine with that security resource to generate cleaned traffic;
and re-injecting the cleaned traffic to the target virtual machine through the security resource pool.
Before the security resource pool determines the security resource corresponding to the target virtual machine according to the configured traffic pulling rule, the method further comprises:
controlling the cloud security service platform to obtain, through the cloud platform, the target tenant information to which the target virtual machine belongs;
controlling the cloud security service platform to create, using the target tenant information, the security resource on the security resource pool, the security resource corresponding to the target virtual machine;
controlling the cloud security service platform to generate the traffic pulling rule according to the target tenant information, the traffic pulling rule corresponding to the target virtual machine;
and controlling the cloud security service platform to send the traffic pulling rule to the security resource pool.
Before the traffic of the target virtual machine is pulled to the security resource pool according to the configured diversion mode, the method further comprises:
receiving diversion mode configuration information input by a user;
and configuring the diversion mode according to that configuration information.
After the security resource corresponding to the target virtual machine cleans the traffic of the target virtual machine to generate cleaned traffic, the method further comprises:
generating, by the security resource pool, a traffic cleaning security log indicating how the security resource corresponding to the target virtual machine cleaned the traffic of the target virtual machine;
and sending the traffic cleaning security log to the cloud security service platform (CSSP) through the security resource pool.
The cloud security protection system disclosed in the embodiment achieves centralized management and security visualization, can uniformly control all security components, displays the security state of the cloud platform, and is convenient for user operation and management. It has high security and allows elastic expansion of customer service resources.
Drawings
Fig. 1 is a schematic structural diagram of an embodiment of the cloud security protection system provided by the present invention;
Fig. 2 is a schematic diagram of one deployment of the security resource pool provided by the present invention;
Fig. 3 is a schematic diagram of another deployment of the security resource pool provided by the present invention;
Fig. 4 is a schematic structural diagram of the cloud security service platform provided by the present invention;
Fig. 5 is a flowchart of the steps of the traffic cleaning method according to an embodiment of the present invention.
Detailed Description
First, the specific structure of the cloud security protection system provided by the embodiment of the present invention is described with reference to Fig. 1.
As shown in Fig. 1, the cloud security protection system according to the embodiment of the present invention includes:
the cloud security service platform 102, configured to provide unified management, traffic visualization, security services and the like for the security components of the cloud platform in a cloud environment;
the cloud platform 103, used to deploy the virtual machines 106.
In particular, virtualization technology for the virtual machines 106 can be implemented on the cloud platform 103; virtualization decouples the application software and the operating system beneath it from the underlying physical device.
This embodiment does not limit the cloud platform 103; in this embodiment it is an OpenStack cloud computing management platform, a VMware cloud platform, or the cloud platform of the company "hua".
The cloud security service platform 102 shown in this embodiment is further configured to deploy endpoint security 105 (Endpoint Security, hereinafter EPS) on a tenant's virtual machine 106, where the EPS 105 provides network and host security protection capabilities for the virtual machine 106.
Specifically, in this embodiment the EPS 105 protects the east-west traffic of the cloud platform 103, with security functions such as webshell protection, virus killing and tamper resistance.
The security resource pool 104 protects the north-south traffic of the cloud platform 103 in this embodiment.
This embodiment does not limit the security components contained in the security resource pool 104; for example, the pool includes a next-generation firewall (vNGAF), a virtual internet behaviour management component (vAC) or a virtual SSL VPN (vSSL).
Specifically, the security resource pool 104 provides unified tenant management, traffic visualization, security services and the like for the EPS 105; a tenant can view and manage its own EPS 105 through the security resource pool 104, and thereby view the traffic components, security state and so on of its virtual machines.
The core router 101 forwards data.
The deployment of the security resource pool 104 is described below with reference to Figs. 2 and 3.
As shown in Fig. 2, the security resource pool 104 may be centrally deployed on several cloud computing nodes 201; specifically, the security components in the pool are deployed together on those nodes 201.
As shown in Fig. 3, the security resource pool 104 may instead be distributed across the cloud computing nodes 301 of the cloud platform; specifically, the security components in the pool are spread over the individual nodes 301.
The specific structure of the cloud security service platform (CSSP) is described by way of example below with reference to Fig. 4.
The CSSP shown in this embodiment includes:
a user interaction system 401, an authentication system 402, a security component system 403, a real-time information system 404, a log system 405 and an alarm system 406.
The user interaction system 401 provides a dashboard and/or a REST API for web access.
The dashboard lets a tenant log in and manage its security components; the functions a tenant can perform through it include, but are not limited to, viewing security logs and system configuration.
REST (REpresentational State Transfer) is the interface style; the REST API is provided to third-party systems for secondary development and integration.
The authentication system 402 is mainly responsible for functions including, but not limited to, user identity authentication, token management, providing a service directory for accessing resources, and role-based access control.
Specifically, the authentication system 402 checks whether the user name and login password are valid, issues tokens, registers service endpoints, and decides whether the user has the right to access a specific resource.
The security component system 403 is mainly responsible for interfacing with OpenStack, VMware, vNGAF and EPS, and for providing management functions for the cloud platform and the security components, such as creating a vNGAF instance or creating an EPS.
Specifically, the security component system 403 contains a cloud platform API through which it exchanges data with the cloud platform.
It contains a vNGAF API through which it exchanges data with the security resource.
It contains an EPS API through which it exchanges data with the virtual machines on which an EPS is deployed.
The real-time information system 404 collects real-time status information from security components such as the vNGAF and EPS and feeds it back to tenants, for example traffic, running state, protection state, CPU utilization and memory utilization.
The log system 405 collects security logs from security components such as the vNGAF and EPS, analyses them comprehensively, and outputs visual charts or security reports that are fed back to tenants.
The alarm system 406 sends security alarms, system exception alarms and the like to tenants, by channels including, but not limited to, mail, SMS and WeChat.
The cloud security protection system shown in the embodiment has the following beneficial effects:
it can perform traffic cleaning at multiple layers, such as web application firewall (WAF) traffic cleaning, intrusion prevention system (IPS) traffic cleaning and unified threat management (UTM) security gateway traffic cleaning, for both north-south and east-west traffic;
it supports expansion of security capability through multiple security components, including the next-generation firewall vNGAF, the security behaviour control vAC, the data security encryption vSSL, and endpoint security EPS with webshell protection, tamper resistance and antivirus;
it provides centralized management and security visualization: the CSSP uniformly controls all security components and displays the cloud platform's security state, which facilitates user operation and management;
it provides multi-tenant management, so that tenants manage their own security resources and the system remains controllable and easy to maintain.
An example process by which the cloud security protection system of the embodiment performs traffic cleaning is described below.
The traffic cleaning method of this embodiment is based on the cloud security protection system of the embodiment above, whose structure is not repeated here.
The traffic cleaning method is described with reference to Fig. 5.
Step 501: the core router receives the traffic diversion mode configuration information input by the user.
When traffic cleaning is needed, the user can enter the diversion mode configuration information through the core router; this information instructs the core router to direct the traffic that needs cleaning to the security resource pool.
The diversion mode configuration information in this embodiment may be policy-routing configuration or any other configuration capable of diverting traffic.
Step 502: the core router configures the diversion mode according to the diversion mode configuration information.
After receiving the diversion mode configuration information from the user, the core router configures the diversion mode so that it can pull virtual machine traffic accordingly.
Specifically, the core router may configure the diversion mode by updating its routing table entries according to the configuration information input by the user.
Step 503: the core router pulls the traffic of the target virtual machine to the security resource pool according to the configured diversion mode.
In this embodiment there is at least one target virtual machine, and the target virtual machines are the virtual machines under distributed denial of service (DDoS) attack, that is, the virtual machines whose traffic needs cleaning.
Specifically, the target virtual machine runs an endpoint security (EPS) client, and that EPS client is connected to the cloud security service platform (CSSP).
Step 504: the CSSP obtains, through the cloud platform, the target tenant information to which the target virtual machine belongs.
Specifically, the CSSP interacts with the cloud platform through its REST API, and so can obtain the target tenant information from the cloud platform.
The target tenant information is the information of the tenant whose traffic needs cleaning.
It should be clear that this embodiment does not limit the execution order between step 504 and steps 501 to 503.
Step 505: the CSSP creates a security resource on the security resource pool using the target tenant information.
The security resource created by the CSSP corresponds to the target virtual machine.
The security resource pool in this embodiment can clean the traffic of the virtual machine.
Step 506: the CSSP generates a traffic pulling rule according to the target tenant information.
The traffic pulling rule corresponds to the target virtual machine and identifies the security resource that corresponds to it.
Step 507: the CSSP sends the traffic pulling rule to the security resource pool.
Step 508: the security resource pool determines the security resource corresponding to the target virtual machine according to the configured traffic pulling rule.
This embodiment does not limit the form of the traffic pulling rule, as long as the security resource pool can use it to determine the security resource corresponding to the target virtual machine.
Step 509: the security resource corresponding to the target virtual machine cleans the traffic of the target virtual machine to generate cleaned traffic.
Specifically, the security resource filters attack packets out of the traffic of its virtual machine, so that distributed denial of service (DDoS) attacks and unknown malicious traffic at the network and application layers are accurately detected and blocked.
The security resource supports a rich set of attack defences, for example against common floods such as SYN Flood, UDP Flood, ICMP Flood, ACK Flood, RST Flood, DNS Query Flood and HTTP GET Flood.
Step 510: the security resource pool re-injects the cleaned traffic to the target virtual machine.
Specifically, for re-injection a tunnel is established between the security resource pool and the core router; after the pool has cleaned the traffic of the virtual machine, it sends the cleaned traffic to the core router through that tunnel, and the core router forwards it to the virtual machine.
It should be clear that this description of re-injection is an optional example and not a limitation; any manner in which the security resource pool can send the cleaned traffic to the target virtual machine may be used.
Step 511: the security resource pool generates a traffic cleaning security log.
The traffic cleaning security log records how the security resource corresponding to the target virtual machine cleaned the traffic of that virtual machine.
Step 512: the security resource pool sends the traffic cleaning security log to the CSSP.
The CSSP can display the traffic cleaning security log so that the user can see how the traffic of the target virtual machine was cleaned.
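Steps 501 to 512 as one runnable model, added here and not the patent's or Sangfor's own code: a Python simulation of diversion at the core router, provisioning by the CSSP, cleaning in the security resource pool and re-injection over the tunnel, run against a constructed SYN-flood scenario. All addresses, tenant ids, the per-source threshold and the class names are assumptions, and the counter-based flood filter stands in for the vNGAF's real defences.

```python
# Added example, not the patent's code: a runnable model of steps 501-512.
# Addresses, tenant names, the threshold and the class names are assumptions;
# the per-source packet counter stands in for the vNGAF's real DDoS defences.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str                  # address of the tenant virtual machine
    proto: str                # "SYN", "UDP", "HTTP", ...
    via_tunnel: bool = False  # True once the pool has re-injected it

class SecurityResource:  # one scrubbing instance per target VM (step 505)
    def __init__(self, vm, threshold):
        self.vm, self.threshold = vm, threshold  # per-source, per-proto budget
        self.counts, self.passed, self.dropped = Counter(), 0, 0

    def clean(self, pkt):
        """Step 509: drop a source once it exceeds its budget (flood filter)."""
        key = (pkt.src, pkt.proto)
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.dropped += 1
            return None
        self.passed += 1
        return pkt

class CoreRouter:  # steps 501-503 and the last hop of step 510
    def __init__(self):
        self.diverted = set()  # VMs whose traffic is policy-routed to the pool
        self.pool = None
        self.delivered = []    # packets that reached a VM

    def configure_diversion(self, vm):
        self.diverted.add(vm)  # step 502: routing-table update

    def ingress(self, pkt):
        if pkt.dst in self.diverted and self.pool is not None:
            self.pool.receive(pkt)  # step 503: pull the traffic to the pool
        else:
            self.delivered.append(pkt)

    def receive_from_tunnel(self, pkt):
        # Cleaned traffic arriving on the re-injection tunnel goes straight to
        # the VM; re-applying the diversion route would loop it into the pool.
        self.delivered.append(Packet(pkt.src, pkt.dst, pkt.proto, True))

class SecurityResourcePool:  # steps 508-511
    def __init__(self, router):
        self.router = router
        self.resources = {}   # resource id -> SecurityResource
        self.pull_rules = {}  # target VM -> resource id (installed in step 507)

    def receive(self, pkt):
        rid = self.pull_rules.get(pkt.dst)  # step 508
        if rid is None:  # rule not installed yet (504-507 may run after 503)
            self.router.receive_from_tunnel(pkt)
            return
        cleaned = self.resources[rid].clean(pkt)  # step 509
        if cleaned is not None:
            self.router.receive_from_tunnel(cleaned)  # step 510

    def cleaning_log(self, vm):
        """Step 511: the record the pool sends to the CSSP in step 512."""
        res = self.resources[self.pull_rules[vm]]
        return {"vm": vm, "passed": res.passed, "dropped": res.dropped}

def cssp_provision(pool, cloud_platform, vm, threshold=5):
    """Steps 504-507 as performed by the CSSP; the cloud platform's REST API is
    modelled as a dict mapping VM address to tenant id."""
    tenant = cloud_platform[vm]                            # step 504
    rid = f"{tenant}:{vm}"
    pool.resources[rid] = SecurityResource(vm, threshold)  # step 505
    pool.pull_rules[vm] = rid                              # steps 506-507
    return rid

def run_scenario():
    """Constructed scenario: one source SYN-floods VM 10.0.0.5 while a
    legitimate client and an undiverted second VM carry on."""
    router = CoreRouter()
    pool = SecurityResourcePool(router)
    router.pool = pool
    router.configure_diversion("10.0.0.5")  # steps 501-502
    cssp_provision(pool, {"10.0.0.5": "tenant-a", "10.0.0.6": "tenant-b"},
                   "10.0.0.5", threshold=5)
    for _ in range(20):  # the flood
        router.ingress(Packet("198.51.100.7", "10.0.0.5", "SYN"))
    for _ in range(3):   # legitimate traffic to the same VM
        router.ingress(Packet("203.0.113.9", "10.0.0.5", "HTTP"))
    for _ in range(2):   # traffic to a VM that is not diverted
        router.ingress(Packet("203.0.113.9", "10.0.0.6", "HTTP"))
    to_target = [p for p in router.delivered if p.dst == "10.0.0.5"]
    return {
        "log": pool.cleaning_log("10.0.0.5"),  # steps 511-512
        "delivered_to_target": len(to_target),
        "all_via_tunnel": all(p.via_tunnel for p in to_target),
        "delivered_direct": sum(p.dst == "10.0.0.6" for p in router.delivered),
    }
```

The model also makes explicit two points the steps leave implicit: re-injected traffic must bypass the diversion route or it would loop back into the pool, and traffic that reaches the pool before steps 504 to 507 have installed its pulling rule is handed back uncleaned.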
The traffic cleaning method disclosed in the embodiment has the following beneficial effect:
with the traffic cleaning method of the embodiment, the core router pulls the traffic of the target virtual machine to the security resource pool according to the configured diversion mode, the security resource corresponding to the target virtual machine cleans that traffic to generate cleaned traffic, and the security resource pool re-injects the cleaned traffic to the target virtual machine, so that the traffic of the virtual machine is cleaned flexibly.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. A cloud security protection system, characterized in that it comprises a cloud platform and a cloud security service platform, wherein the cloud platform is used for deploying virtual machines, the cloud security service platform is used for deploying terminal security on the virtual machines, and the cloud security protection system further comprises a security resource pool used for checking and/or managing the terminal security;
the cloud security service platform comprises a user interaction system and a security component system;
the user interaction system is used for providing a control panel and/or a representational state transfer interface (REST API), the control panel being used for interaction between a user and the cloud security protection system, and the cloud security service platform interacting with the cloud platform through the REST API;
the security component system is used for interfacing with the cloud platform, and for managing the security of the cloud platform and of the terminal.
2. The cloud security protection system of claim 1, wherein the security resource pool comprises at least one of the following components:
a virtual next-generation application firewall (vNGAF), a virtual online behavior management device (vAC), and a virtual SSL VPN.
3. The cloud security protection system of claim 2, wherein the security resource pool is centrally deployed on a plurality of cloud computing nodes, or at least one of the components comprised by the security resource pool is deployed on the cloud computing nodes, the cloud computing nodes comprising a plurality of the virtual machines.
4. The cloud security protection system of claim 3, wherein the security resource pool comprises at least one of the following functions:
providing north-south traffic security protection capability for the cloud platform, providing user management for the terminal security, providing traffic visibility for the terminal security, and providing security visibility for the terminal security;
the security protection capability comprises at least one of:
website backdoor (webshell) protection, virus removal, and tamper prevention.
5. The cloud security protection system of claim 1, wherein the cloud security service platform comprises at least one of the following functions:
providing management, traffic visualization, and security services for the cloud platform.
6. The cloud security protection system of claim 1, wherein the terminal security comprises at least one of the following functions:
providing network security protection capability for the virtual machine, providing host security protection capability for the virtual machine, and providing east-west traffic security protection capability for the cloud platform;
the security protection capability comprises at least one of:
website backdoor (webshell) protection, virus removal, and tamper prevention.
7. The cloud security protection system of any one of claims 1 to 6, wherein the cloud security service platform further comprises an authentication system, a real-time information system, a log system, and an alarm system;
the authentication system is used for verifying the identity of the user;
the real-time information system is used for feeding back real-time information of the security resource pool and/or the terminal security to the user;
the log system is used for acquiring a security log of the security resource pool and/or the terminal security, analyzing the security log to generate an analysis result, and feeding back the analysis result to the user;
the alarm system is used for feeding back alarm information to the user.
8. The cloud security protection system of claim 7, wherein the authentication system further comprises at least one of the following:
token management, providing a service directory for accessing resources, providing access control corresponding to the user identity, and registration of service endpoints.
9. The cloud security protection system of claim 7, wherein the real-time information comprises at least one of:
traffic, running state, protection state, CPU utilization, and memory utilization.
10. The cloud security protection system of claim 7, wherein the analysis result is fed back to the user in the form of visual charts and/or security reports.
11. A traffic cleaning method based on the cloud security protection system of any one of claims 1 to 10, the traffic cleaning method comprising:
pulling the traffic of a target virtual machine to the security resource pool according to a configured traffic steering mode, wherein there is at least one target virtual machine and the target virtual machine is a virtual machine under a distributed denial of service (DDoS) attack;
determining, by the security resource pool, the security resource corresponding to the target virtual machine according to a configured traffic pulling rule;
cleaning the traffic of the target virtual machine by the security resource corresponding to the target virtual machine to generate cleaned traffic;
and reinjecting the cleaned traffic to the target virtual machine through the security resource pool.
12. The method of claim 11, wherein before determining, by the security resource pool, the security resource corresponding to the target virtual machine according to the configured traffic pulling rule, the method further comprises:
controlling the cloud security service platform to obtain, through the cloud platform, the target tenant information to which the target virtual machine belongs;
controlling the cloud security service platform to create the security resource on the security resource pool using the target tenant information, wherein the security resource corresponds to the target virtual machine;
controlling the cloud security service platform to generate the traffic pulling rule according to the target tenant information, wherein the traffic pulling rule corresponds to the target virtual machine;
and controlling the cloud security service platform to send the traffic pulling rule to the security resource pool.
13. The method of claim 11, wherein before pulling the traffic of the target virtual machine to the security resource pool according to the configured traffic steering mode, the method further comprises:
receiving traffic steering mode configuration information input by a user;
and configuring the traffic steering mode according to the traffic steering mode configuration information.
14. The method of claim 11, wherein after the security resource corresponding to the target virtual machine cleans the traffic of the target virtual machine to generate the cleaned traffic, the method further comprises:
generating, by the security resource pool, a traffic cleaning security log indicating how the security resource corresponding to the target virtual machine cleaned the traffic of the target virtual machine;
and sending, by the security resource pool, the traffic cleaning security log to the cloud security service platform (CSSP).
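The traffic cleaning method of claims 11 to 14, as an added worked example in Python that is not part of the patent or of Sangfor's product. The tenant lookup, security resource creation, traffic pulling rule, steering mode, cleaning step, reinjection and cleaning log follow the claims; everything concrete is an assumption constructed for the example: the cleaning policy (drop every source that exceeds a per-batch packet threshold), the `targets-only` and `all` steering modes, the `scrubber-<tenant>` resource naming, and the sample packets.

```python
"""Simulation of the traffic cleaning pipeline: pull -> match rule -> clean -> reinject -> log."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_vm: str   # id of the virtual machine the packet is addressed to
    size: int


@dataclass(frozen=True)
class PullRule:
    """Traffic pulling rule (claim 12): maps one target VM of a tenant to a security resource."""
    tenant_id: str
    vm_id: str
    resource_id: str


class SecurityResource:
    """One scrubbing instance in the security resource pool (a vNGAF, for example).
    Cleaning policy is an assumption: drop all packets from any source that sends
    more than `per_source_limit` packets in the pulled batch."""

    def __init__(self, resource_id: str, per_source_limit: int) -> None:
        self.resource_id = resource_id
        self.per_source_limit = per_source_limit

    def clean(self, packets: list[Packet]) -> tuple[list[Packet], int]:
        counts = Counter(p.src_ip for p in packets)
        cleaned = [p for p in packets if counts[p.src_ip] <= self.per_source_limit]
        return cleaned, len(packets) - len(cleaned)


class SecurityResourcePool:
    """Holds pulling rules and security resources; cleans, reinjects and logs (claims 11, 14)."""

    def __init__(self) -> None:
        self.rules: dict[str, PullRule] = {}
        self.resources: dict[str, SecurityResource] = {}
        self.cleaning_logs: list[dict] = []   # traffic cleaning security logs sent to the CSSP

    def create_resource(self, resource_id: str, per_source_limit: int) -> None:
        self.resources[resource_id] = SecurityResource(resource_id, per_source_limit)

    def install_rule(self, rule: PullRule) -> None:
        self.rules[rule.vm_id] = rule

    def clean_and_reinject(self, vm_id: str, pulled: list[Packet]) -> list[Packet]:
        """Steps 2-4 of claim 11. Pulled traffic with no rule is refused rather than
        silently passed through, so a provisioning gap cannot become a bypass."""
        rule = self.rules.get(vm_id)
        if rule is None:
            raise LookupError(f"no traffic pulling rule for {vm_id}")
        cleaned, dropped = self.resources[rule.resource_id].clean(pulled)
        self.cleaning_logs.append({
            "vm_id": vm_id, "resource_id": rule.resource_id,
            "pulled": len(pulled), "dropped": dropped, "reinjected": len(cleaned),
        })
        return cleaned   # the cleaned traffic reinjected toward the target VM


class CloudSecurityServicePlatform:
    """CSSP side of claim 12: tenant lookup, resource creation, rule generation and delivery."""

    def __init__(self, pool: SecurityResourcePool, tenant_of_vm: dict[str, str]) -> None:
        self.pool = pool
        self.tenant_of_vm = tenant_of_vm   # stands in for the tenant query to the cloud platform
        self.per_source_limit = 5          # assumed cleaning threshold handed to new resources

    def onboard_target_vm(self, vm_id: str) -> PullRule:
        tenant = self.tenant_of_vm[vm_id]
        resource_id = f"scrubber-{tenant}"   # constructed naming: one resource per tenant
        if resource_id not in self.pool.resources:
            self.pool.create_resource(resource_id, self.per_source_limit)
        rule = PullRule(tenant, vm_id, resource_id)
        self.pool.install_rule(rule)
        return rule


def pull_traffic(packets: list[Packet], steering_mode: str, target_vms: set[str]) -> dict[str, list[Packet]]:
    """Step 1 of claim 11 under the configured steering mode of claim 13. Modes are assumptions:
    'targets-only' diverts only traffic addressed to VMs under attack, 'all' diverts everything."""
    if steering_mode == "all":
        selected = {p.dst_vm for p in packets}
    elif steering_mode == "targets-only":
        selected = set(target_vms)
    else:
        raise ValueError(f"unknown steering mode {steering_mode!r}")
    return {vm: [p for p in packets if p.dst_vm == vm] for vm in selected}


def run_demo() -> dict:
    # Constructed traffic: vm-a flooded by three sources (20 packets each) plus two normal
    # clients; vm-b receives one normal packet and is not a target.
    flood = [Packet(f"203.0.113.{i}", "vm-a", 60) for i in range(3) for _ in range(20)]
    normal = [Packet("198.51.100.7", "vm-a", 500), Packet("198.51.100.8", "vm-a", 500),
              Packet("198.51.100.9", "vm-b", 500)]
    packets = flood + normal
    pool = SecurityResourcePool()
    cssp = CloudSecurityServicePlatform(pool, {"vm-a": "tenant-1", "vm-b": "tenant-2"})
    cssp.onboard_target_vm("vm-a")                       # claim 12, before any cleaning
    pulled = pull_traffic(packets, "targets-only", {"vm-a"})
    reinjected = {vm: pool.clean_and_reinject(vm, pkts) for vm, pkts in pulled.items()}
    untouched = [p for p in packets if p.dst_vm not in pulled]
    return {"reinjected": reinjected, "logs": pool.cleaning_logs, "untouched": untouched}


if __name__ == "__main__":
    print(run_demo()["logs"])
```

In the demo the 60 flood packets are dropped and the two legitimate packets to vm-a are reinjected, while vm-b's traffic never enters the pool under the `targets-only` mode; the log entry the pool produces is the record the CSSP would use for the visual charts and security reports of claim 10.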
CN201611207710.7A 2016-12-23 2016-12-23 Cloud safety protection system and flow cleaning method Active CN106790091B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611207710.7A CN106790091B (en) 2016-12-23 2016-12-23 Cloud safety protection system and flow cleaning method

Publications (2)

Publication Number Publication Date
CN106790091A CN106790091A (en) 2017-05-31
CN106790091B true CN106790091B (en) 2020-10-27

Family

ID=58919175

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611207710.7A Active CN106790091B (en) 2016-12-23 2016-12-23 Cloud safety protection system and flow cleaning method

Country Status (1)

Country Link
CN (1) CN106790091B (en)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454082A (en) * 2017-08-07 2017-12-08 中国人民解放军信息工程大学 Secure cloud service construction method and device based on mimicry defence
CN109787939A (en) * 2017-11-14 2019-05-21 北京星河星云信息技术有限公司 A kind of cloud security system of defense and its user's method for building up
CN109922021B (en) * 2017-12-12 2022-03-08 中国电信股份有限公司 Safety protection system and safety protection method
CN108040067B (en) * 2017-12-26 2021-07-06 北京星河星云信息技术有限公司 Cloud platform intrusion detection method, device and system
CN108173694B (en) * 2017-12-29 2021-05-04 深信服科技股份有限公司 Security resource pool access method and system of data center
CN108449314B (en) * 2018-02-02 2020-12-29 杭州迪普科技股份有限公司 Flow traction method and device
CN108809963A (en) * 2018-05-24 2018-11-13 中国科学院计算机网络信息中心 Secure resource sharing method, apparatus and storage medium
CN110611637B (en) * 2018-06-14 2022-07-01 北京安天网络安全技术有限公司 Online network threat detection method and system based on VPN flow traction
CN109167795B (en) * 2018-09-27 2022-03-22 深信服科技股份有限公司 Security defense system and method
CN111224922A (en) * 2018-11-26 2020-06-02 顺丰科技有限公司 Distributed security group module access control method and system
CN109688242B (en) * 2018-12-27 2022-03-22 深信服科技股份有限公司 Cloud protection system and method
CN110365577B (en) * 2019-07-24 2021-10-15 绿盟科技集团股份有限公司 Drainage system of safety resource pool and safety inspection method
CN110855714B (en) * 2019-11-29 2021-09-14 广州鲁邦通物联网科技有限公司 Secure connection method and system for multi-tenant equipment
CN111431914A (en) * 2020-03-30 2020-07-17 贵州电网有限责任公司 Energy internet cloud platform safety protection method and system
CN111556047B (en) * 2020-04-24 2022-07-12 杭州安恒信息技术股份有限公司 Deployment method of security service in private cloud environment
CN111970242B (en) * 2020-07-15 2022-09-30 深信服科技股份有限公司 Cloud security protection method and device and storage medium
CN112291232B (en) * 2020-10-27 2021-06-04 中国联合网络通信有限公司深圳市分公司 Safety capability and safety service chain management platform based on tenants
CN112364342A (en) * 2020-11-04 2021-02-12 深圳供电局有限公司 Safety protection system based on cloud platform
CN114448674A (en) * 2021-12-27 2022-05-06 天翼云科技有限公司 Distributed flow cleaning method and system
CN114760152B (en) * 2022-06-14 2022-08-19 湖南警察学院 Cloud data center virtualization node network security early warning method
CN115664948B (en) * 2022-12-28 2023-03-17 北京六方云信息技术有限公司 Method, device, system and storage medium for automatic configuration and issuing of virtual resources

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243569A (en) * 2014-09-09 2014-12-24 安徽四创电子股份有限公司 City operation system
CN104378387A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Virtual platform information security protection method
CN104917653A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Virtual flow monitoring method based on cloud platform and device thereof
CN105245504A (en) * 2015-09-10 2016-01-13 北京汉柏科技有限公司 North-south flow safety protection system in cloud computing network
CN105376246A (en) * 2015-11-30 2016-03-02 中国电子科技网络信息安全有限公司 Adaptive generation management system and method of security strategy based on SDN

Also Published As

Publication number Publication date
CN106790091A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN106790091B (en) Cloud safety protection system and flow cleaning method
US11924072B2 (en) Technologies for annotating process and user information for network flows
US11658998B2 (en) Translating security actions into computing asset-specific action procedures
JP6731687B2 (en) Automatic mitigation of electronic message-based security threats
US9762599B2 (en) Multi-node affinity-based examination for computer network security remediation
EP3214568B1 (en) Method, apparatus and system for processing cloud application attack behaviours in cloud computing system
US9906557B2 (en) Dynamically generating a packet inspection policy for a policy enforcement point in a centralized management environment
JP2023025160A (en) Automatic packet-less network reachability analysis
US20220060507A1 (en) Privilege assurance of enterprise computer network environments using attack path detection and prediction
US20200389498A1 (en) User-Based Visibility and Control of a Segmentation Policy
US20170244738A1 (en) Distributed detection of malicious cloud actors
CN105245336B (en) A kind of file encryption management system
JP5307238B2 (en) Intrusion prevention method and system for communication networks
Rolbin Early detection of network threats using Software Defined Network (SDN) and virtualization
US20190188746A1 (en) Locating a network cable connector

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518052 No. 1001 Nanshan Chi Park building A1 layer

Applicant after: SANGFOR TECHNOLOGIES Inc.

Address before: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518055 No. 1001 Nanshan Chi Park building A1 layer

Applicant before: Sangfor Technologies Co.,Ltd.

GR01 Patent grant