CN106844004B - Security protection method and system based on virtualization environment - Google Patents

Publication number: CN106844004B
Authority: CN (China)
Prior art keywords: virtual machine, protection, security, data, migration
Legal status: Active
Application number: CN201611242625.4A
Other languages: Chinese (zh)
Other versions: CN106844004A
Inventor: 唐政
Current Assignee: Beijing Net An Technology Ltd By Share Ltd
Original Assignee: Beijing Net An Technology Ltd By Share Ltd
Application filed by Beijing Net An Technology Ltd By Share Ltd
Priority to CN201611242625.4A
Publication of CN106844004A
Application granted
Publication of CN106844004B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a security protection method and system based on a virtualization environment. The method comprises the following steps: when a virtual machine needs to be migrated from a source physical host to a destination physical host, and a source security virtual machine of the source physical host is executing a security protection event on the migration virtual machine that needs to be migrated, the migration virtual machine acquires protection progress information of the security protection event from the source security virtual machine, and acquires data to be protected corresponding to the security protection event from the source physical memory space; after the migration virtual machine is migrated to the destination physical host, it sends the protection progress information to the destination security virtual machine of the destination physical host and at the same time writes the data to be protected into a destination physical memory space of the destination physical host; and after receiving the protection progress information, the destination security virtual machine continues to perform security protection on the data to be protected written in the destination physical memory space according to the protection progress information. The method achieves uninterrupted security protection across virtual machine migration.

Description

Security protection method and system based on virtualization environment
Technical Field
The invention relates to the technical field of virtualization, in particular to a security protection method and system based on a virtualization environment.
Background
With the wide adoption of hardware virtualization technology, several operating systems can run simultaneously on one physical host, isolated from each other, which makes the management of hardware facilities more effective, flexible and economical. For example, a virtual machine on a physical host with a high resource occupancy rate can be migrated to a physical host with a low resource occupancy rate, so that resources are distributed reasonably; or all virtual machines on a physical host with a low resource occupancy rate can be migrated to other physical hosts and that physical host shut down, saving energy. However, the security threats faced by a conventional operating system deployment are also faced during virtualized deployment.
To address virtual machine security in a virtualization environment, a set of security protection software can be deployed in each virtual machine on each physical host, providing the same function as the security protection software installed in the operating system of an ordinary physical machine. However, deploying a set of security protection products in each of the many virtual machines on the same physical host consumes computing and storage resources. To reduce the computing and storage resources consumed by this repeated deployment of security protection software in a virtualization environment, a light proxy mode can be adopted: most of the query data of the security protection software is moved into a private or public cloud for processing, and only a minimal security engine service remains in the virtual machine. Because the data of the security protection software is moved to a cloud server, however, the virtual machine needs a certain amount of network bandwidth when it runs the security engine, and places certain requirements on the response speed of the network environment.
The resource occupation caused by deploying a set of security protection software on each virtual machine of a physical host, and the network requirements imposed by the light proxy mode, can both be addressed with an agentless security protection mode. In the agentless mode, the security protection software is deployed on one particular virtual machine of the physical host (the virtual machine carrying the security protection software is the security virtual machine); each virtual machine running on the physical host is configured with its own virtual memory, and these virtual memories correspond to the same physical memory space. Consequently, when the security virtual machine is protecting other virtual machines that have no security protection software and a protected virtual machine needs to be migrated from the current physical host to another physical host, the protected virtual machine arrives on the new physical host without any security protection function, and the security virtual machine on the original physical host can no longer protect it. Security protection therefore stops, and the protected virtual machine again faces the security threat problem.
Disclosure of Invention
Therefore, it is necessary to provide a security protection method and system based on a virtualization environment that solves the problem that, on a conventional physical host adopting the agentless security protection method, a protected virtual machine cannot be continuously protected when it is migrated from one physical host to another, so that the protected virtual machine remains secured while it is migrated.
In order to achieve the purpose of the invention, a security protection method based on a virtualization environment is provided, and the method comprises the following steps:
when a virtual machine needs to be migrated from a source physical host to a destination physical host, and a source security virtual machine of the source physical host executes a security protection event on the migration virtual machine needing to be migrated, the migration virtual machine acquires protection progress information of the security protection event from the source security virtual machine, and acquires data to be protected corresponding to the security protection event from a source physical memory space of the source physical host;
after the migration virtual machine is migrated to the destination physical host, the migration virtual machine sends the protection progress information to a destination security virtual machine of the destination physical host, and simultaneously writes the data to be protected into a destination physical memory space of the destination physical host;
and after receiving the protection progress information, the target security virtual machine continues to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information.
In one embodiment, when a virtual machine needs to be migrated from a source physical host where the virtual machine is located to a destination physical host, and a source security virtual machine of the source physical host is executing a security protection event on a migration virtual machine that needs to be migrated, the step of obtaining, by the migration virtual machine, protection progress information of the security protection event from the source security virtual machine, and obtaining, by the migration virtual machine, data to be protected corresponding to the security protection event from a source physical memory of the source physical host includes:
when a virtual machine needs to be migrated from a source physical host where the virtual machine is located to a destination physical host, and a source security virtual machine of the source physical host executes a security protection event on the migration virtual machine needing to be migrated, the migration virtual machine sends a migration suspension instruction to the source security virtual machine;
after receiving the migration suspension instruction, the source security virtual machine stops executing the security protection event on the migration virtual machine, and sends protection progress information of the security protection event to the migration virtual machine;
the migration virtual machine receives the protection progress information, stores the protection progress information in a local disk partition, and acquires data to be protected corresponding to the safety protection event from the source physical memory space;
and the data to be protected is data subjected to partial security protection by the source security virtual machine.
In one embodiment, after the migration virtual machine migrates to the destination physical host, the step of sending the protection progress information to a destination secure virtual machine of the destination physical host by the migration virtual machine, and writing the data to be protected into a destination physical memory space of the destination physical host includes:
after the migration virtual machine is migrated to the destination physical host, the migration virtual machine establishes a mapping relation between the migration virtual machine and the destination physical memory space;
and the migration virtual machine sends the protection progress information to the target safety virtual machine according to the mapping relation, and writes the data to be protected into the target physical memory space according to the mapping relation.
In one embodiment, after the step of establishing the mapping relationship between the migration virtual machine and the destination physical memory space, the method further includes:
the migration virtual machine generates a migration protection event on the target physical host according to the protection progress information and the data to be protected, and sends the migration protection event serving as a safety protection event to the target safety virtual machine;
the destination security virtual machine receives the security protection event sent by the migration virtual machine, extracts task identification information of the security protection event from the event, and queries a local record according to the task identification information;
if the destination security virtual machine finds local task identification information in the local record that is the same as the task identification information, it determines that the security protection event is not the migration protection event;
and if the destination security virtual machine finds no local task identification information in the local record that is the same as the task identification information, it determines that the security protection event is the migration protection event, and executes the steps in which the migration virtual machine sends the protection progress information to the destination security virtual machine according to the mapping relation and writes the data to be protected into the destination physical memory space according to the mapping relation.
In one embodiment, after receiving the protection progress information, the step of continuing to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information by the target security virtual machine includes:
the target safety virtual machine receives the protection progress information and extracts unprotected data information from the protection progress information;
the destination security virtual machine analyzes the data to be protected written in the destination physical memory space according to the unprotected data information, to obtain the unprotected data within the data to be protected;
and the target safety virtual machine carries out safety protection on the unprotected data and feeds back a safety protection result to the migrated virtual machine.
In one embodiment, after receiving the protection progress information, the step of continuing to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information further includes:
the target safety virtual machine receives the protection progress information and extracts protected data information from the protection progress information;
the target security virtual machine analyzes the data to be protected written in the target physical memory space according to the protected data information to obtain protected data in the data to be protected;
and the target safety virtual machine deletes the protected data from the target physical memory space.
The invention also provides a safety protection system based on the virtualization environment, which at least comprises a source physical host and a destination physical host, wherein the source physical host comprises a source safety virtual machine, the destination physical host comprises a destination safety virtual machine, and a migration virtual machine needing to be migrated in the source physical host can be migrated from the source physical host to the destination physical host; the migration virtual machine comprises an acquisition module and a sending and writing module; the destination secure virtual machine comprises a security protection module, wherein:
the obtaining module is configured to obtain protection progress information of a security protection event from a source security virtual machine of a source physical host when a virtual machine needs to be migrated from the source physical host to a destination physical host and the source security virtual machine is executing the security protection event on the migration virtual machine that needs to be migrated, and to obtain data to be protected corresponding to the security protection event from a source physical memory space of the source physical host;
the sending and writing module is configured to send the protection progress information to a destination secure virtual machine of the destination physical host after the migration virtual machine is migrated to the destination physical host, and write the data to be protected into a destination physical memory space of the destination physical host at the same time;
and the safety protection module is used for continuing to perform safety protection on the data to be protected written in the target physical memory space according to the protection progress information after the target safety virtual machine receives the protection progress information.
In one embodiment, the obtaining module includes:
the instruction sending unit is used for sending a migration pause instruction to the source security virtual machine when the virtual machine needs to be migrated from the source physical host to the destination physical host, and the source security virtual machine of the source physical host executes a security protection event on the migration virtual machine needing to be migrated;
a receiving and storing unit, configured to receive protection progress information of the security protection event fed back by the source security virtual machine after the source security virtual machine stops executing the security protection event according to the migration pause instruction, and store the protection progress information in a local disk partition;
and an obtaining unit, configured to obtain data to be protected corresponding to the security protection event from the source physical memory space, where the data to be protected is data that is partially secured by the source security virtual machine.
In one embodiment, the sending and writing module includes:
the establishing unit is used for establishing a mapping relation between the migration virtual machine and the target physical memory space after the migration virtual machine is migrated to the target physical host;
and the sending and writing unit is used for sending the protection progress information to the target safety virtual machine according to the mapping relation and writing the data to be protected into the target physical memory space according to the mapping relation.
In one embodiment, the sending and writing module further includes:
a generating unit, configured to generate a migration protection event on the destination physical host according to the protection progress information and the data to be protected after the migration virtual machine establishes a mapping relationship between the migration virtual machine and the destination physical memory space, and send the migration protection event as a security protection event to the destination security virtual machine;
the query result receiving unit is used for receiving the query result of the destination security virtual machine after the destination security virtual machine queries the local record according to the task identification information in the security protection event; the query result is that, if the destination security virtual machine finds local task identification information in the local record that is the same as the task identification information, the security protection event is determined not to be the migration protection event, and if it finds no such local task identification information in the local record, the security protection event is determined to be the migration protection event.
In one embodiment, the safety protection module comprises:
the extraction unit is used for receiving the protection progress information and extracting unprotected data information and protected data information from the protection progress information;
the analysis unit is used for analyzing the data to be protected written in the destination physical memory space according to the unprotected data information and the protected data information, to obtain the unprotected data and the protected data within the data to be protected;
the safety protection unit is used for carrying out safety protection on the unprotected data and feeding back a safety protection result to the migrated virtual machine;
and the deleting unit is used for deleting the protected data from the target physical memory space.
The beneficial effects of the invention include:
when a virtual machine that is running on a physical host and is being protected migrates, it acts as the migration virtual machine: it acquires, from the source security virtual machine of the physical host where it is located, the protection progress information of the security protection event that the source security virtual machine is executing, and at the same time acquires the data to be protected from the physical memory space of that host. When the migration virtual machine migrates to the destination physical host, it transmits the protection progress information to the security virtual machine of the destination physical host and at the same time writes the data to be protected into the physical memory space of the destination physical host, so that the security virtual machine on the destination physical host continues to protect the migration virtual machine according to the protection progress information. Security protection is thus uninterrupted during the migration of the virtual machine, and the security of the virtual machine during migration is guaranteed.
Drawings
FIG. 1 is a block diagram that illustrates a physical host that deploys a secure virtual machine, in one embodiment;
FIG. 2 is a flowchart illustrating a method for securing based on a virtualization environment, according to an embodiment;
FIG. 3 is a schematic diagram illustrating a process for virtual machine migration in a security protection system based on a virtualization environment, according to an embodiment;
FIG. 4 is a schematic structural diagram of a security protection system based on a virtualization environment, in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly understood, the following describes in detail a security protection method and system based on a virtualization environment according to the present invention with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In one embodiment, as shown in fig. 1 and fig. 2, a method for security protection in a virtualization-based environment is provided, the method comprising the following steps:
S100, when a virtual machine needs to be migrated from the source physical host where it is located to a destination physical host, and a source security virtual machine of the source physical host is executing a security protection event on the migration virtual machine that needs to be migrated, the migration virtual machine acquires protection progress information of the security protection event from the source security virtual machine, and acquires the data to be protected corresponding to the security protection event from a source physical memory space of the source physical host.
S200, after the migration virtual machine is migrated to the destination physical host, the migration virtual machine sends the protection progress information to the destination security virtual machine of the destination physical host, and at the same time writes the data to be protected into the destination physical memory space of the destination physical host.
S300, after the destination security virtual machine receives the protection progress information, it continues to perform security protection on the data to be protected written in the destination physical memory space according to the protection progress information.
The method involves at least two physical hosts, each of which is based on an "agentless security protection mechanism" (see FIG. 1). The agentless security protection mechanism means: several virtual machines are deployed on one physical host, each virtual machine has its own virtual memory, all of these virtual memories correspond to the same physical memory space, a preset number of the virtual machines are security virtual machines, and the remaining virtual machines are ordinary virtual machines without security protection software. That is, multiple virtual machines on the same physical host share the same physical memory space. Preferably, one of the plurality of virtual machines is optionally chosen as the security virtual machine. In the agentless security protection mechanism, because the virtual memory of every virtual machine corresponds to the same physical memory space, that is, all the virtual machines share one physical memory space, the virtual machines can communicate directly through that physical memory space; and one of the virtual machines is configured as a security virtual machine, that is, a preset number of virtual machines are selected and configured with security protection software, for example one, two or more virtual machines with a low resource occupancy rate or large physical resources are selected as security virtual machines, so that the security virtual machines protect the other, non-security virtual machines. The event manager is equivalent to software running on the VMM (Virtual Machine Monitor) layer; it implements the transmission of security events and data between virtual machines in the same physical host and is equivalent to a communication pipeline between the virtual machines.
The virtual memory is obtained by emulating a segment of memory space in the VMM layer using conventional emulation software (qemu), which is open-source emulation software. The VMM plans, deploys, manages and optimizes each virtual machine in order to schedule them; when scheduling, the VMM treats each virtual machine as a scheduling unit and schedules the virtual machines in a time-slice round-robin manner.
In the security protection method based on a virtualization environment of this embodiment, when a virtual machine running on one of the physical hosts needs to be migrated to another physical host and, as the migration virtual machine, is having a security protection event executed on it by the security virtual machine deployed on its current physical host, the migration virtual machine acquires the protection progress information from the source security virtual machine of that host, so that when the migration virtual machine migrates to another physical host the protection progress information migrates with it to the destination physical host. The migration virtual machine sends the protection progress information to the destination security virtual machine of the destination physical host and writes the data to be protected, acquired from the source physical memory space, into the destination physical memory space of the destination physical host, so that the destination security virtual machine can continue to protect the data to be protected according to the protection progress information. Uninterrupted security protection is thus achieved during virtual machine migration, and the security of the virtual machine during migration is ensured.
It should be noted that the protection progress information includes the task identification information of the security protection event, together with the file number information, start information, protected tag information and the like of the data to be protected that corresponds to the security protection event. The task identification information includes a task ID (identity). Using the protected tag information, the protected data and the unprotected data within the data to be protected acquired from the source physical memory space can easily be told apart. The task identification information uniquely identifies the security protection event. Migration of the security virtual machine itself is the same as migration of a traditional virtual machine with security protection software installed, and is not described again here.
In one embodiment, step S100 includes:
s110, when the virtual machine needs to be migrated from the source physical host to the destination physical host, and the source security virtual machine of the source physical host executes a security protection event on the migration virtual machine needing to be migrated, the migration virtual machine sends a migration suspension instruction to the source security virtual machine.
And S120, after the source security virtual machine receives the migration suspension instruction, stopping executing the security protection event on the migration virtual machine, and sending the protection progress information of the security protection event to the migration virtual machine.
S130, the migration virtual machine receives the protection progress information, stores the protection progress information in a local disk partition, and acquires data to be protected corresponding to the security protection event from a source physical memory space; and the data to be protected is data subjected to partial safety protection by the source safety virtual machine.
When the source physical host receives a migration task, the task specifies the migration object, namely the virtual machine on which the migration is to be executed, and the destination physical host to which that migration virtual machine is to be migrated. After the source physical host identifies the migration virtual machine from the migration task, it notifies the migration virtual machine to execute the migration task. If the source security virtual machine on the source physical host is executing a security protection event on the migration virtual machine, the migration virtual machine sends a migration suspension instruction to the source security virtual machine, so that the source security virtual machine is notified to stop executing the security protection event on the migration virtual machine; this avoids unnecessary security protection work and reduces memory occupation on the source physical host. At the same time, the source security virtual machine sends the protection progress information of the security protection event it was executing to the migration virtual machine, which stores it in the local disk partition after receiving it, so that when the migration virtual machine is migrated to the destination physical host, the protection progress information is migrated to the destination physical host together with it. Storing the protection progress information in the local disk partition means storing it in a partition of the disk on which the migration virtual machine resides, so that it migrates conveniently along with the migration virtual machine.
Preferably, when the migration virtual machine receives the protection progress information sent by the source security virtual machine, it also obtains the data to be protected corresponding to the security protection event from the source physical memory space, where the data to be protected is the data after the source security virtual machine has performed partial security protection on it. This effectively avoids the wasted resources that would result if data to be protected that has not yet received partial security protection (that is, the data to be protected as it was before the migration virtual machine wrote it into the source physical memory space) were written into the destination physical memory space and the destination security virtual machine then repeated the protection already performed by the source security virtual machine. Preferably, the data to be protected is acquired from the source physical memory space in a snapshot manner: a snapshot is created for the data to be protected in the source physical memory space, and when the data needs to be restored into the destination physical memory space, the snapshot is used to restore it there. Using the snapshot function to copy the data to be protected from the source physical memory space to the destination physical memory space is simple and easy to implement, and reduces the storage resources occupied during migration.
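The source-side hand-off of steps S110 to S130, modelled as an added example that is not code from the patent or its assignee. The shared physical memory space is a plain dictionary, the source security virtual machine scans one guest's files and can be suspended mid-task, and the migration virtual machine keeps the returned progress record on its "local disk" and snapshots the partially protected data. All class and field names, the file list and the file contents are constructed assumptions.

```python
"""Source-side hand-off of an in-progress security scan (steps S110 to S130).

Illustrative model only. The progress record carries the four items the
description lists: task ID, file count, start position and per-file
protected tags. Names and sample data are assumptions.
"""
from copy import deepcopy
from dataclasses import dataclass

# Constructed sample: four files of the migrating guest "vm-7" as they sit in
# the source host's shared physical memory space (hypothetical layout).
SOURCE_PHYSICAL_MEMORY = {
    "vm-7": {
        "files": ["/etc/passwd", "/bin/ls", "/tmp/a.bin", "/tmp/b.bin"],
        "contents": [b"root:x:0:0", b"\x7fELF", b"MZ\x90\x00", b"hello"],
    }
}


@dataclass
class ProtectionProgress:
    """Protection progress information, as listed in the description."""
    task_id: str            # uniquely identifies the security protection event
    file_count: int         # number of files in the data to be protected
    start: int              # index at which the scan started
    protected_tags: list    # one flag per file, True once that file is protected


class SourceSecurityVM:
    """Security VM that scans a guest's files and honours a suspension instruction."""

    def __init__(self, memory):
        self.memory = memory
        self.running = {}   # task_id -> (guest name, ProtectionProgress)

    def start_scan(self, task_id, vm_name):
        files = self.memory[vm_name]["files"]
        progress = ProtectionProgress(task_id, len(files), 0, [False] * len(files))
        self.running[task_id] = (vm_name, progress)
        return progress

    def scan_next(self, task_id):
        """Protect the next unprotected file and tag it as protected."""
        vm_name, progress = self.running[task_id]
        idx = progress.protected_tags.index(False)
        _ = self.memory[vm_name]["contents"][idx]   # stand-in for the real inspection
        progress.protected_tags[idx] = True

    def suspend(self, task_id):
        """S120: stop the event and hand the progress record back to the guest."""
        _, progress = self.running.pop(task_id)
        return progress


class MigratingVM:
    """The guest being migrated; it drives steps S110 and S130."""

    def __init__(self, name, memory):
        self.name = name
        self.memory = memory
        self.local_disk = {}    # stands in for the local disk partition
        self.snapshot = None    # snapshot of the data to be protected

    def prepare_migration(self, svm, task_id):
        progress = svm.suspend(task_id)                      # S110: suspension instruction
        self.local_disk["progress"] = progress               # S130: persist with the guest
        self.snapshot = deepcopy(self.memory[self.name])     # S130: snapshot of the data
        return progress


def demo():
    """Scan two of four files, then suspend for migration; returns the hand-off state."""
    mem = deepcopy(SOURCE_PHYSICAL_MEMORY)
    svm = SourceSecurityVM(mem)
    guest = MigratingVM("vm-7", mem)
    svm.start_scan("task-42", "vm-7")
    svm.scan_next("task-42")
    svm.scan_next("task-42")
    progress = guest.prepare_migration(svm, "task-42")
    return progress, guest, svm


if __name__ == "__main__":
    p, g, s = demo()
    print(p, "still running:", list(s.running), "snapshot files:", g.snapshot["files"])
```

The point the model makes concrete is that after `suspend` the source security VM holds no state for the task at all; everything needed to resume travels inside the guest (the `local_disk` record and the `snapshot`), which is what lets the destination side pick up exactly where the source stopped.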
In one embodiment, step S200 includes:
S210, after the migration virtual machine is migrated to the destination physical host, it establishes a mapping relationship between itself and the destination physical memory space.
S220, the migration virtual machine sends the protection progress information to the destination security virtual machine according to the mapping relationship, and writes the data to be protected into the destination physical memory space according to the mapping relationship.
After the migration virtual machine is migrated to the destination physical host, it is, relative to the other virtual machines on that host, an independent system: it is isolated from them and has no means of exchanging data with them. It is therefore necessary to establish a communication path between the migration virtual machine and the other virtual machines on the destination physical host. Specifically, a mapping relationship is established between the virtual memory of the migration virtual machine and the destination physical memory space of the destination physical host. Because the destination physical memory space already has corresponding mappings to the virtual memories of the other virtual machines on the destination physical host, once the mapping for the migration virtual machine is established, the migration virtual machine and the other virtual machines on the destination physical host share the same physical memory space. The destination physical memory space is a region partitioned from the physical memory of the destination physical host to serve as the shared memory space of all the virtual machines. The virtual memory of a virtual machine is a segment of storage space emulated in the VMM (Virtual Machine Monitor) layer by conventional emulation software (qemu, an open-source emulator) and is used to cache the data to be protected of each virtual machine. Virtual machines on the same physical host exchange data with one another through the physical memory space, so that, seen from outside, they are transparent to one another.
After step S210, the migration virtual machine may, according to the mapping relationship between itself and the destination physical memory space, send the protection progress information of the data to be protected that it carried during migration to the destination security virtual machine, and at the same time write the data to be protected that it carried into the destination physical memory space, so that the destination security virtual machine can continue security protection of that data according to the protection progress information, thereby implementing uninterrupted security protection during virtual machine migration.
Further, after step S210, the method includes:
S210a, the migration virtual machine generates a migration protection event on the destination physical host according to the protection progress information and the data to be protected, and sends the migration protection event, as a security protection event, to the destination security virtual machine.
S210b, the destination security virtual machine receives the security protection event sent by the migration virtual machine, extracts the task identification information of the security protection event from it, and queries the local record according to the task identification information.
S210c, if the destination security virtual machine finds local task identification information in the local record that is the same as the task identification information, it determines that the security protection event is not a migration protection event.
S210d, if the destination security virtual machine finds no local task identification information in the local record that is the same as the task identification information, it determines that the security protection event is the migration protection event and executes step S220.
After the mapping relationship between the migration virtual machine and the destination memory space of the destination physical host has been established, the event manager that communicates among the virtual machines within one physical host is responsible only for event transmission. A migration protection event therefore needs to be generated from the data to be protected and the protection progress information, and this migration protection event is transmitted from the migration virtual machine to the destination security virtual machine through the event manager, so that the protection progress information of the security protection event corresponding to the data to be protected reaches the destination security virtual machine. After the mapping relationship is established, the migration virtual machine may also generate security protection events other than the migration protection event, for example security protection events captured by the driver unit of the virtual machine (website access, file modification, and the like) or security protection events issued by the security virtual machine according to a scanning task. If a security protection event is generated locally (on the destination physical host), its identification information is recorded in the local record at the time it is generated; otherwise, its identification information is not present in the local record.
Therefore, when the migration virtual machine sends both the migration protection event (which is also regarded as a security protection event on the destination physical host) and locally generated security protection events to the destination security virtual machine, the destination security virtual machine first needs to determine whether a received security protection event is the migration protection event. If it is, the destination security virtual machine performs security protection on the data to be protected written into the destination physical memory space according to the protection progress information of the migration protection event, so that the security protection event continues to execute without interruption during virtual machine migration. Confirming whether a received security protection event is the migration protection event further ensures that the migration protection event proceeds smoothly, and thereby further ensures the security of the virtual machine. If the security protection event received by the destination security virtual machine is not the migration protection event, security protection is carried out as for an ordinary security protection event, which likewise ensures the security of the migration virtual machine.
In one embodiment, step S300 includes:
S310, the destination security virtual machine receives the protection progress information and extracts the unprotected data information from it.
S320, the destination security virtual machine analyzes the data to be protected written in the destination physical memory space according to the unprotected data information to obtain the unprotected data within the data to be protected.
S330, the destination security virtual machine performs security protection on the unprotected data and feeds the security protection result back to the migration virtual machine.
Further, step S300 further includes:
S310', the destination security virtual machine receives the protection progress information and extracts the protected data information from it.
S320', the destination security virtual machine analyzes the data to be protected written in the destination physical memory space according to the protected data information to obtain the protected data within the data to be protected.
S330', the destination security virtual machine deletes the protected data from the destination physical memory space.
These two embodiments are two specific implementations of step S300. Performing security protection on the unprotected data within the data to be protected is the necessary step; the two embodiments reduce the resources the destination security virtual machine would otherwise spend re-protecting already protected data, improve the protection efficiency for the data to be protected, and are efficient, accurate, and resource-saving. Obtaining the protected data within the data to be protected and deleting it from the destination physical memory space effectively reduces the physical memory occupied by protected data and improves protection efficiency.
In a specific embodiment, the destination secure virtual machine may obtain protected data in the data to be protected according to the protection progress information, delete the protected data from the destination physical memory space, and then perform security protection on the remaining unprotected data. This may simplify the security process of the destination secure virtual machine.
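The destination-side logic of steps S210a to S210d and S300, as an added example that is not code from the patent or its assignee. The destination security virtual machine keeps a local record of the task IDs of events it generated itself; an incoming event whose task ID is absent from that record is treated as the migration protection event, in which case only the files the source had not yet tagged as protected are inspected and the already protected copies are removed from the shared memory space first (the ordering of the "specific embodiment" just above). Class names, the placeholder content check and the sample memory contents are constructed assumptions.

```python
"""Destination-side handling of a migrated protection event (S210a to S210d, S300).

Illustrative model only. `local_record` plays the role of the local record
queried in step S210b; `inspect` stands in for whatever protection the
security VM really performs. Names and sample data are assumptions.
"""
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class ProtectionProgress:
    """Progress record carried over by the migration virtual machine."""
    task_id: str
    file_count: int
    start: int
    protected_tags: list    # True for files the source security VM already protected


@dataclass
class ProtectionEvent:
    """A security protection event as delivered by the event manager."""
    task_id: str
    vm_name: str
    progress: ProtectionProgress


# Constructed sample: destination shared memory after the migration virtual
# machine wrote its data to be protected into it (S220), in scan order.
DESTINATION_PHYSICAL_MEMORY = {
    "vm-7": {
        "/etc/passwd": b"root:x:0:0",
        "/bin/ls": b"\x7fELF",
        "/tmp/a.bin": b"MZ\x90\x00",
        "/tmp/b.bin": b"hello",
    }
}


def inspect(content):
    """Placeholder check: flags a constructed marker, nothing more."""
    return "suspicious" if b"MZ" in content else "clean"


class DestinationSecurityVM:
    def __init__(self, memory):
        self.memory = memory
        self.local_record = set()   # task IDs of events generated on this host

    def create_local_event(self, task_id, vm_name):
        """Locally generated events are recorded at creation (see S210b context)."""
        self.local_record.add(task_id)
        files = list(self.memory[vm_name])
        progress = ProtectionProgress(task_id, len(files), 0, [False] * len(files))
        return ProtectionEvent(task_id, vm_name, progress)

    def handle_event(self, event):
        guest_mem = self.memory[event.vm_name]
        files = list(guest_mem)
        tags = event.progress.protected_tags
        if event.task_id in self.local_record:                  # S210c: ordinary event
            kind, pending = "local", files
        else:                                                    # S210d: migration event
            kind = "migration"
            pending = [f for f, done in zip(files, tags) if not done]   # S310/S320
            for f, done in zip(files, tags):                     # S310'/S320'/S330'
                if done:
                    del guest_mem[f]
        results = {f: inspect(guest_mem[f]) for f in pending}    # S330
        return {"kind": kind, "results": results}                # fed back to the guest


def demo():
    """Replay a migrated event, then a locally generated one, on the same guest."""
    mem = deepcopy(DESTINATION_PHYSICAL_MEMORY)
    svm = DestinationSecurityVM(mem)
    migrated = ProtectionEvent(
        "task-42", "vm-7", ProtectionProgress("task-42", 4, 0, [True, True, False, False]))
    first = svm.handle_event(migrated)              # task-42 unknown locally: migration
    local = svm.create_local_event("task-99", "vm-7")
    second = svm.handle_event(local)                # task-99 recorded locally: ordinary
    return first, second, mem


if __name__ == "__main__":
    a, b, m = demo()
    print(a, b, sorted(m["vm-7"]), sep="\n")
```

Because the discriminator is purely "is this task ID in my local record", the destination security VM never needs to trust a flag inside the event itself to decide whether it is a migrated task, and the protected tags govern only how much work remains, not whether the event is accepted.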
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
In an embodiment, as shown in fig. 3 and 4, there is further provided a security protection system based on a virtualization environment, where the system includes at least a source physical host and a destination physical host, the source physical host includes a source security virtual machine, the destination physical host includes a destination security virtual machine, and a migration virtual machine that needs to be migrated in the source physical host can be migrated from the source physical host to the destination physical host; the migration virtual machine comprises an acquisition module 100 and a sending and writing module 200; the destination secure virtual machine includes a security guard module 300. Wherein:
the obtaining module 100 is configured to, when a virtual machine needs to be migrated from a source physical host where the virtual machine is located to a destination physical host, and a source security virtual machine of the source physical host executes a security protection event on a migration virtual machine that needs to be migrated, obtain protection progress information of the security protection event from the source security virtual machine, and obtain data to be protected corresponding to the security protection event from a source physical memory space of the source physical host. The sending and writing module 200 is configured to send the protection progress information to the destination secure virtual machine of the destination physical host after the migration virtual machine is migrated to the destination physical host, and write the data to be protected into a destination physical memory space of the destination physical host. And the safety protection module 300 is configured to, after receiving the protection progress information at the destination safety virtual machine, continue to perform safety protection on the data to be protected written in the destination physical memory space according to the protection progress information.
In the security protection system based on the virtualization environment in this embodiment, when a virtual machine that is being protected and is running on a certain physical host migrates, the virtual machine, as the migration virtual machine, obtains from the source security virtual machine of the host where it runs the protection progress information of the security protection event that source security virtual machine is executing, and obtains the data to be protected from the physical memory space of that host. When the migration virtual machine migrates to the destination physical host, it transmits the protection progress information to the security virtual machine of the destination physical host and writes the data to be protected into the physical memory space of the destination physical host, so that the security virtual machine on the destination physical host continues security protection of the migration virtual machine according to the protection progress information. Security protection is thereby uninterrupted during migration of the virtual machine, and the security of the virtual machine during migration is guaranteed.
In one embodiment, the acquisition module 100 includes: the instruction sending unit 110 is configured to send a migration suspension instruction to the source secure virtual machine when the virtual machine needs to be migrated from the source physical host where the virtual machine is located to the destination physical host, and the source secure virtual machine of the source physical host is executing a security protection event on the migration virtual machine that needs to be migrated. The receiving and saving unit 120 is configured to receive protection progress information of the security protection event fed back by the source security virtual machine after the source security virtual machine stops executing the security protection event according to the migration suspension instruction, and save the protection progress information in the local disk partition. An obtaining unit 130, configured to obtain data to be protected corresponding to the security protection event from the source physical memory space, where the data to be protected is data that is partially secured by the source security virtual machine.
In one embodiment, the sending and writing module 200 includes: the establishing unit 210, configured to establish a mapping relationship between the migration virtual machine and the destination physical memory space after the migration virtual machine is migrated to the destination physical host; and the sending and writing unit 220, configured to send the protection progress information to the destination security virtual machine according to the mapping relationship, and write the data to be protected into the destination physical memory space according to the mapping relationship.
In one embodiment, the sending and writing module 200 further includes: the generating unit 210a, configured to, after the migration virtual machine establishes the mapping relationship between itself and the destination physical memory space, generate a migration protection event on the destination physical host according to the protection progress information and the data to be protected, and send the migration protection event, as a security protection event, to the destination security virtual machine; and the query result receiving unit 210b, configured to receive the query result of the destination security virtual machine after it queries the local record according to the task identification information in the security protection event. The query result is as follows: if the destination security virtual machine finds local task identification information in the local record that is the same as the task identification information, the security protection event is determined not to be the migration protection event; if the destination security virtual machine finds no local task identification information in the local record that is the same as the task identification information, the security protection event is determined to be the migration protection event.
In one embodiment, the security protection module 300 includes: the extracting unit 310, configured to receive the protection progress information and extract the unprotected data information and the protected data information from it; the analyzing unit 320, configured to analyze the data to be protected written in the destination physical memory space according to the unprotected data information and the protected data information, so as to obtain the unprotected data and the protected data within the data to be protected; the security protection unit 330, configured to perform security protection on the unprotected data and feed the security protection result back to the migration virtual machine; and the deleting unit 340, configured to delete the protected data from the destination physical memory space.
Because the principle by which the system solves the problem is the same as that of the security protection method based on the virtualization environment, the implementation of the system can refer to the implementation of the method, and repeated details are not described again.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (13)

1. A security protection method based on a virtualization environment is characterized by comprising the following steps:
when a virtual machine needs to be migrated from a source physical host to a destination physical host, and a source security virtual machine of the source physical host executes a security protection event on the migration virtual machine needing to be migrated, the migration virtual machine acquires protection progress information of the security protection event from the source security virtual machine, and acquires data to be protected corresponding to the security protection event from a source physical memory space of the source physical host;
after the migration virtual machine is migrated to the target physical host, the migration virtual machine sends the protection progress information to a target safety virtual machine of the target physical host, and simultaneously writes the data to be protected into a target physical memory space of the target physical host;
after receiving the protection progress information, the target security virtual machine continues to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information;
the protection progress information comprises task identification information of a safety protection event, file quantity information, initial information and protected label information of data to be protected corresponding to the safety protection event;
when the migration virtual machine receives the protection progress information sent by the source security virtual machine, the migration virtual machine obtains the data to be protected corresponding to the security protection event from the physical memory space in a snapshot manner, and the data to be protected is data on which the source security virtual machine has performed partial security protection.
2. The method according to claim 1, wherein when a virtual machine needs to be migrated from a source physical host where the virtual machine is located to a destination physical host, and a source security virtual machine of the source physical host executes a security protection event on a migration virtual machine that needs to be migrated, the step of obtaining, by the migration virtual machine, protection progress information of the security protection event from the source security virtual machine, and obtaining, by the migration virtual machine, data to be protected corresponding to the security protection event from a source physical memory of the source physical host includes:
when a virtual machine needs to be migrated from a source physical host where the virtual machine is located to a destination physical host, and a source security virtual machine of the source physical host executes a security protection event on the migration virtual machine needing to be migrated, the migration virtual machine sends a migration suspension instruction to the source security virtual machine;
after receiving the migration suspension instruction, the source security virtual machine stops executing the security protection event on the migration virtual machine, and sends protection progress information of the security protection event to the migration virtual machine;
the migration virtual machine receives the protection progress information, stores the protection progress information in a local disk partition, and acquires data to be protected corresponding to the safety protection event from the source physical memory space;
and the data to be protected is data subjected to partial security protection by the source security virtual machine.
3. The method according to claim 1, wherein after the migration virtual machine migrates to the destination physical host, the step of sending the protection progress information to the destination secure virtual machine of the destination physical host by the migration virtual machine, and writing the data to be protected into a destination physical memory space of the destination physical host includes:
after the migration virtual machine is migrated to the destination physical host, the migration virtual machine establishes a mapping relation between the migration virtual machine and the destination physical memory space;
and the migration virtual machine sends the protection progress information to the target safety virtual machine according to the mapping relation, and writes the data to be protected into the target physical memory space according to the mapping relation.
4. The method according to claim 3, further comprising, after the step of establishing the mapping relationship between the migration virtual machine and the destination physical memory space, the step of:
the migration virtual machine generates a migration protection event on the target physical host according to the protection progress information and the data to be protected, and sends the migration protection event serving as a safety protection event to the target safety virtual machine;
the target safety virtual machine receives the safety protection event sent by the migration virtual machine, extracts task identification information of the safety protection event from the safety protection event, and queries a local record according to the task identification information;
if the target security virtual machine inquires that local task identification information which is the same as the task identification information exists in the local record, determining that the security protection event is not the migration protection event;
and if the target secure virtual machine inquires that local task identification information which is the same as the task identification information does not exist in the local record, determining that the secure protection event is the migration protection event, executing the steps that the migration virtual machine sends the protection progress information to the target secure virtual machine according to the mapping relation, and writing the data to be protected into the target physical memory space according to the mapping relation.
5. The security protection method based on the virtualization environment according to claim 1, wherein the step of continuing to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information after the target security virtual machine receives the protection progress information includes:
the target safety virtual machine receives the protection progress information and extracts unprotected data information from the protection progress information;
the target security virtual machine analyzes the data to be protected written in the target physical memory space according to the unprotected data information to obtain the unprotected data in the data to be protected;
and the target safety virtual machine carries out safety protection on the unprotected data and feeds back a safety protection result to the migrated virtual machine.
6. The virtualization environment-based security protection method according to claim 5, wherein after receiving the protection progress information, the step of continuing to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information further includes:
the target safety virtual machine receives the protection progress information and extracts protected data information from the protection progress information;
the target security virtual machine analyzes the data to be protected written in the target physical memory space according to the protected data information to obtain protected data in the data to be protected;
and the target safety virtual machine deletes the protected data from the target physical memory space.
7. A safety protection system based on a virtualization environment is characterized by at least comprising a source physical host and a destination physical host, wherein the source physical host comprises a source safety virtual machine, the destination physical host comprises a destination safety virtual machine, and a migration virtual machine needing to be migrated in the source physical host can be migrated from the source physical host to the destination physical host; the migration virtual machine comprises an acquisition module and a sending and writing module; the destination secure virtual machine comprises a security protection module, wherein:
the obtaining module is configured to obtain protection progress information of a security protection event from the source security virtual machine of the source physical host when a virtual machine needs to be migrated from the source physical host to a destination physical host, and the source security virtual machine of the source physical host is executing the security protection event on a migration virtual machine that needs to be migrated, and to obtain data to be protected corresponding to the security protection event from a source physical memory space of the source physical host;
the sending and writing module is configured to send the protection progress information to a destination secure virtual machine of the destination physical host after the migration virtual machine is migrated to the destination physical host, and write the data to be protected into a destination physical memory space of the destination physical host at the same time;
the security protection module is configured to continue to perform security protection on the data to be protected written in the target physical memory space according to the protection progress information after the target security virtual machine receives the protection progress information;
the protection progress information comprises task identification information of a safety protection event, file quantity information, initial information and protected label information of data to be protected corresponding to the safety protection event;
when the migration virtual machine receives the protection progress information sent by the source security virtual machine, the migration virtual machine obtains the data to be protected corresponding to the security protection event from the physical memory space in a snapshot manner, and the data to be protected is data on which the source security virtual machine has performed partial security protection.
8. The virtualization-environment-based security protection system of claim 7, wherein the obtaining module comprises:
an instruction sending unit, configured to send a migration pause instruction to the source security virtual machine when the virtual machine needs to be migrated from the source physical host to the destination physical host while the source security virtual machine of the source physical host is executing the security protection event on the migration virtual machine that needs to be migrated;
a receiving and storing unit, configured to receive the protection progress information of the security protection event fed back by the source security virtual machine after the source security virtual machine stops executing the security protection event according to the migration pause instruction, and to store the protection progress information in a local disk partition;
and an obtaining unit, configured to obtain the data to be protected corresponding to the security protection event from the source physical memory space, the data to be protected being data that has already been partially protected by the source security virtual machine.
9. The virtualization-environment-based security protection system of claim 7, wherein the sending and writing module comprises:
an establishing unit, configured to establish a mapping relationship between the migration virtual machine and the destination physical memory space after the migration virtual machine has been migrated to the destination physical host;
and a sending and writing unit, configured to send the protection progress information to the destination security virtual machine according to the mapping relationship and to write the data to be protected into the destination physical memory space according to the mapping relationship.
10. The virtualization-environment-based security protection system of claim 9, wherein the sending and writing module further comprises:
a generating unit, configured to generate a migration protection event on the destination physical host according to the protection progress information and the data to be protected after the migration virtual machine has established the mapping relationship between the migration virtual machine and the destination physical memory space, and to send the migration protection event to the destination security virtual machine as a security protection event;
and a query result receiving unit, configured to receive a query result from the destination security virtual machine after the destination security virtual machine has queried its local record according to the task identification information in the security protection event; wherein the query result is that, if the destination security virtual machine finds in the local record local task identification information identical to the task identification information, the security protection event is determined not to be the migration protection event, and if the destination security virtual machine does not find in the local record local task identification information identical to the task identification information, the security protection event is determined to be the migration protection event.
11. The virtualization-environment-based security protection system of claim 7, wherein the security protection module comprises:
an extraction unit, configured to receive the protection progress information and to extract unprotected data information and protected data information from the protection progress information;
an analysis unit, configured to analyze the data to be protected written into the destination physical memory space according to the unprotected data information and the protected data information, so as to obtain the unprotected data and the protected data in the data to be protected;
a security protection unit, configured to perform security protection on the unprotected data and to feed back a security protection result to the migration virtual machine;
and a deletion unit, configured to delete the protected data from the destination physical memory space.
12. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
13. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
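The following Python simulation is an added illustration of the hand-off described in claims 7 to 11; it is not code from the patent or its applicant. The class names, the task identifier `scan-42`, the `EICAR` marker used as a stand-in for a detection, and the four guest files are all constructed assumptions. It shows the source security VM pausing and feeding back progress (task id, file count, start index, protected labels), the migration VM snapshotting the data and raising a migration protection event on the destination, and the destination security VM deduplicating by task id, deleting the already-protected data and scanning only the remainder.

```python
# Added example (not from the patent): simulation of the protection hand-off
# in claims 7-11.  Class names, the task id, the "EICAR" marker and the sample
# guest files are all constructed assumptions.
import copy
from dataclasses import dataclass, field


@dataclass
class ProtectionProgress:
    """Protection progress information (claim 7): task id, file count,
    start information (index of the next unscanned file) and the labels
    of files the source security VM has already protected."""
    task_id: str
    file_count: int
    next_index: int = 0
    protected: set = field(default_factory=set)


def scan_file(content: bytes) -> str:
    """Stand-in security check; flags a constructed marker string."""
    return "infected" if b"EICAR" in content else "clean"


class SecurityVM:
    """Security VM of a physical host; the same class plays source and destination."""

    def __init__(self, name: str):
        self.name = name
        self.tasks = {}      # local record: task_id -> ProtectionProgress
        self.results = {}    # task_id -> {file name: verdict}

    def start_task(self, task_id: str, files: dict) -> None:
        self.tasks[task_id] = ProtectionProgress(task_id, len(files))
        self.results[task_id] = {}

    def scan_some(self, task_id: str, files: dict, n: int) -> None:
        """Protect the next n files in name order, labelling each as protected."""
        prog = self.tasks[task_id]
        for name in sorted(files)[prog.next_index:prog.next_index + n]:
            self.results[task_id][name] = scan_file(files[name])
            prog.protected.add(name)
            prog.next_index += 1

    def pause(self, task_id: str) -> ProtectionProgress:
        """Claim 8: stop on the migration pause instruction and feed back progress."""
        return copy.deepcopy(self.tasks.pop(task_id))

    def handle_event(self, event: dict) -> dict:
        """Claims 10 and 11: a task id already in the local record means this is
        an ordinary event, not a migration event; otherwise protect only the
        unprotected data and delete the already-protected data from memory."""
        prog, memory = event["progress"], event["memory"]
        if prog.task_id in self.tasks:
            return {"migration_event": False, "scanned": [], "verdicts": {}}
        self.tasks[prog.task_id] = prog
        unprotected = [f for f in sorted(memory) if f not in prog.protected]
        for name in prog.protected & set(memory):
            del memory[name]                     # deletion unit
        verdicts = {f: scan_file(memory[f]) for f in unprotected}
        self.results[prog.task_id] = verdicts    # result fed back to the migration VM
        return {"migration_event": True, "scanned": unprotected, "verdicts": verdicts}


class MigrationVM:
    """The VM being migrated: obtaining module plus sending-and-writing module."""

    def __init__(self, files: dict):
        self.files = files          # guest data in source physical memory
        self.progress = None        # would live on a local disk partition
        self.snapshot = None
        self.dest_memory = None
        self.event = None

    def prepare_migration(self, source_sec: SecurityVM, task_id: str) -> None:
        """Claim 8: pause the source security VM, keep its progress, snapshot the data."""
        self.progress = source_sec.pause(task_id)
        self.snapshot = copy.deepcopy(self.files)

    def complete_migration(self, dest_sec: SecurityVM) -> dict:
        """Claims 9 and 10: map destination memory, write the snapshot into it,
        raise a migration protection event and hand it to the destination security VM."""
        self.dest_memory = dict(self.snapshot)   # mapping to destination memory space
        self.event = {"progress": self.progress, "memory": self.dest_memory}
        return dest_sec.handle_event(self.event)


def run_demo():
    """Scan two of four constructed files at the source, migrate, finish at the destination."""
    files = {"a.txt": b"hello", "b.bin": b"XXEICARXX", "c.txt": b"world", "d.txt": b"data"}
    source, dest = SecurityVM("source-secvm"), SecurityVM("dest-secvm")
    mig = MigrationVM(files)
    source.start_task("scan-42", files)
    source.scan_some("scan-42", files, 2)        # protects a.txt and b.bin
    mig.prepare_migration(source, "scan-42")
    result = mig.complete_migration(dest)        # destination protects c.txt and d.txt
    return source, mig, dest, result


if __name__ == "__main__":
    src, mig, dst, res = run_demo()
    print(src.results, res, sorted(mig.dest_memory))
```

The point the simulation makes concrete is the dedup check in claim 10: because the destination records the task id when it accepts the migration event, replaying the same event (for instance a duplicate delivery of the protection progress information) is classified as an ordinary event and nothing is scanned twice, while files protected before the pause are never re-scanned at the destination either.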
CN201611242625.4A 2016-12-29 2016-12-29 Security protection method and system based on virtualization environment Active CN106844004B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611242625.4A CN106844004B (en) 2016-12-29 2016-12-29 Security protection method and system based on virtualization environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611242625.4A CN106844004B (en) 2016-12-29 2016-12-29 Security protection method and system based on virtualization environment

Publications (2)

Publication Number Publication Date
CN106844004A CN106844004A (en) 2017-06-13
CN106844004B true CN106844004B (en) 2020-02-14

Family

ID=59113616

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611242625.4A Active CN106844004B (en) 2016-12-29 2016-12-29 Security protection method and system based on virtualization environment

Country Status (1)

Country Link
CN (1) CN106844004B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111124599B (en) * 2019-11-08 2021-04-30 海光信息技术股份有限公司 Virtual machine memory data migration method and device, electronic equipment and storage medium
CN111600775B (en) * 2020-05-15 2022-02-22 苏州浪潮智能科技有限公司 Security testing method, device, equipment and medium for cluster encryption migration

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067356A (en) * 2012-12-12 2013-04-24 北京启明星辰信息技术股份有限公司 System and method for business virtual machine safety guaranteeing
CN103065086A (en) * 2012-12-24 2013-04-24 北京启明星辰信息技术股份有限公司 Distributed intrusion detection system and method applied to dynamic virtualization environment
CN103685250A (en) * 2013-12-04 2014-03-26 蓝盾信息安全技术股份有限公司 Virtual machine security policy migration system and method based on SDN
CN105227541A (en) * 2015-08-21 2016-01-06 华为技术有限公司 A kind of security strategy dynamic migration method and device
CN105530259A (en) * 2015-12-22 2016-04-27 华为技术有限公司 Message filtering method and equipment

Also Published As

Publication number Publication date
CN106844004A (en) 2017-06-13

Similar Documents

Publication Publication Date Title
CN105631026B (en) Safety data analysis system
CN108399101B (en) Method, device and system for scheduling resources
US8863138B2 (en) Application service performance in cloud computing
TWI544328B (en) Method and system for probe insertion via background virtual machine
US20150095597A1 (en) High performance intelligent virtual desktop infrastructure using volatile memory arrays
US9417973B2 (en) Apparatus and method for fault recovery
US10885052B2 (en) Database process with virtual nodes
CN106778275A (en) Based on safety protecting method and system and physical host under virtualized environment
US10977049B2 (en) Installing of operating system
EP3279795B1 (en) Method and apparatus for deleting cloud host in cloud computing environment, server and storage medium
CN106845215B (en) Safety protection method and device based on virtualization environment
JP2009230596A (en) User data protection method for server device, server device, and computer program
CN106844004B (en) Security protection method and system based on virtualization environment
CN112527470B (en) Model training method and device for predicting performance index and readable storage medium
RU2557476C2 (en) Robust and secure hardware-computer system in cloud computing environment
CN104956346B (en) Control error propagation caused by the failure in the calculate node of distributed computing system
US8024797B2 (en) Method, apparatus and system for performing access control and intrusion detection on encrypted data
CN106844005B (en) Data recovery method and system based on virtualization environment
CN112035062B (en) Migration method of local storage of cloud computing, computer equipment and storage medium
CN106844006A (en) Based on data prevention method and system under virtualized environment
CN114327757B (en) Network target range tool delivery method, device, equipment and readable storage medium
CN106850732B (en) A kind of same method of example deployment in probability of height towards PaaS cloud environment
CN105262796A (en) Cloud platform storage resource management system and disposition framework thereof
CN106131237B (en) Communication control method and device between container
CN104615934B (en) SQL injection attack safety protection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100190 Zhongguancun street, Haidian District, Beijing, No. 22, A1305, 13

Applicant after: Beijing net an Technology Limited by Share Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun street, No. 22, building 1301

Applicant before: Beijing Rising Information Technology Co., Ltd

GR01 Patent grant