CN106844144A - A kind of secure virtual machine monitoring method - Google Patents

A kind of secure virtual machine monitoring method

Info

Publication number
CN106844144A
Authority
CN
China
Prior art keywords
virtual machine
machine
monitoring
packet
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201611241724.0A
Other languages
Chinese (zh)
Inventor
曹蕊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Kai Yao Asset Management Co Ltd
Original Assignee
Guangzhou Kai Yao Asset Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Kai Yao Asset Management Co Ltd
Priority to CN201611241724.0A
Publication of CN106844144A
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Abstract

The present invention relates to the technical field of server virtualization and virtual machine monitoring, and in particular to a secure virtual machine monitoring method comprising the following steps: S1, configure the operating parameters of the virtual machine network, where the virtual machine network includes a virtual machine system and an external network, and the virtual machine system includes a virtual machine monitor and at least one virtual machine; S2, configure the security monitoring strategy of the virtual machine monitor; S3, capture the packets communicated between virtual machines or between a virtual machine and the external network; S4, parse the packets, perform security control on the corresponding virtual machine according to the security monitoring strategy, and display the monitoring process and results on a client web page. By establishing a security strategy associated with the virtual machine system for managing the virtual machines, the invention solves the problem of system hangs caused by virtual machines occupying excessive memory; by combining internal monitoring with external monitoring, it improves the efficiency of virtual machine monitoring and ensures the safe and efficient operation of the virtual machine system.

Description

A kind of secure virtual machine monitoring method
Technical field
The present invention relates to the technical field of server virtualization and virtual machine monitoring, and in particular to a secure virtual machine monitoring method.
Background technology
At present, terminal devices such as computers often become slower and slower during use, and the system then needs to be optimized to restore its running speed. Existing optimization methods generally rely on file clean-up or garbage cleaning, for example cleaning useless cache files in the system and finding and moving files that take up disk space, so as to free up space, keep the system clean and make overall operation smoother.
However, some existing services and applications do not exit their processes automatically after execution, and these processes go on occupying large amounts of system resources; the user often does not notice until the system or program becomes stuck or even crashes. Existing system optimization methods can only perform some basic file clean-up work; situations such as system hangs and background programs consuming various kinds of traffic cannot be handled effectively, and the available memory and other system resources cannot be released effectively.
The content of the invention
In view of the above problems, the present invention is proposed in order to provide a secure virtual machine monitoring method that overcomes the above problems or at least partially solves them, comprising the following steps:
S1, configure the operating parameters of a virtual machine network, where the virtual machine network includes a virtual machine system and an external network; the virtual machine system includes a virtual machine monitor and at least one virtual machine;
S2, configure the security monitoring strategy of the virtual machine monitor;
S3, capture the packets communicated between virtual machines or between a virtual machine and the external network;
S4, parse the packets, perform security control on the corresponding virtual machine according to the security monitoring strategy, and display the monitoring process and results on a client page.
Preferably, the security monitoring strategy in step S2 is specifically: establish an intrusion detection domain and set up a policy module; configure various security policies in the policy module; connect the policy module with a policy framework, where the policy framework is used to respond to requests from the operating system interface.
Preferably, step S2 also includes: monitoring the packets of the virtual switch ports using a group of network counters; and adopting a monitoring mode that combines internal monitoring based on a virtual machine kernel security driver with external monitoring based on control points in the virtual machine monitor.
Preferably, step S3 is specifically: buffer the packets through the virtual switch stack, and check and capture, in the virtual switch stack, the packets communicated between virtual machines or between a virtual machine and the external network.
Preferably, the packets are captured using a hook mechanism, specifically: create a global hook, add the global hook to a globally shared data variable, and create a hook executable program to capture the packets.
Preferably, the security control is specifically one or more of memory protection, kernel code protection and access control.
Preferably, the security monitoring strategy in step S2 is specifically: establish a finite automaton state machine from the data of normal processes in the virtual machine system, taking the system-call-related functions of the virtual machine system as states; then monitor the packets of the process under detection and compare the system-call-related functions it invokes in the virtual machine system with the states in the finite state machine; if they match, the current process is safe, otherwise the current process has been infected.
By establishing a security strategy associated with the virtual machine system for managing the virtual machines, the present invention effectively solves the problem of system hangs caused by virtual machines occupying excessive memory; various security policies are configured, a hook mechanism is established to capture the packets of the virtual machines, and a monitoring mode combining internal monitoring with external monitoring is adopted, which greatly improves the efficiency of virtual machine monitoring and ensures the safe and efficient operation of the virtual machine system.
The above is only an overview of the technical solution of the present invention. In order to understand the technical means of the invention more clearly, so that it can be implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the invention more apparent, specific embodiments of the invention are given below.
From the following detailed description of specific embodiments of the invention with reference to the accompanying drawings, those skilled in the art will understand the above and other objects, advantages and features of the invention more clearly.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system structure corresponding to the secure virtual machine monitoring method of the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be thoroughly understood and so that its scope can be fully conveyed to those skilled in the art.
Fig. 1 shows a schematic diagram of the system structure corresponding to the secure virtual machine monitoring method of the invention. The virtual machine network includes an external network, a hardware layer, an operating system layer and a virtual machine layer; the hardware layer, operating system layer and virtual machine layer together form the virtual machine system; the virtual machine system is connected with the external network; the operating system layer carries a virtual machine monitor, and multiple virtual machines run in the virtual machine layer.
Corresponding to this virtual machine network system, a secure virtual machine monitoring method is provided, comprising the following steps:
S1, configure the operating parameters of the virtual machine network, where the virtual machine network includes a virtual machine system and an external network; the virtual machine system includes a virtual machine monitor and at least one virtual machine;
S2, configure the security monitoring strategy of the virtual machine monitor;
S3, capture the packets communicated between virtual machines or between a virtual machine and the external network;
S4, parse the packets, perform security control on the corresponding virtual machine according to the security monitoring strategy, and display the monitoring process and results on a client page.
Because the virtual machine network system is configured with security strategies, it overcomes the single monitoring mode of conventional virtual machine systems and its security performance is higher. The security strategies can also be adjusted dynamically, giving greater flexibility, and can be trained and optimized using intelligent algorithms such as neural networks. It should be noted that the several security strategies described above provide different types of optimization; the present invention may use any one or several of them.
As one implementation, the security strategy in step S2 is specifically: establish an intrusion detection domain and set up a policy module; configure various security policies in the policy module; connect the policy module with a policy framework, where the policy framework is used to respond to requests from the operating system interface. The policy module contains a policy library, a policy decision point and policy enforcement points. The policy decision point responds to policy events and locates the corresponding policy rules, performs validity checks on state and resources, and converts the policy rules stored in the policy library into a form that devices can execute. The policy enforcement points are distributed on each network node; they perform the corresponding policy management operations according to the policies received from the policy decision point and report the results of policy execution back to the policy decision point. Policies are issued in one of two ways: the outsourcing mode and the provisioning mode.
As one implementation, step S3 is specifically: monitor the packets of the virtual switch ports using a group of network counters; and check and capture, in the virtual switch stack, the packets communicated between virtual machines or between a virtual machine and the external network.
As one implementation, the monitoring is specifically a monitoring mode that combines internal monitoring based on a virtual machine kernel security driver with external monitoring based on control points in the virtual machine manager. The combined internal and external monitoring method specifically includes: start the external monitoring program, and start an automation program from the external monitoring program; monitor the automation program with the external monitoring program; open the internal monitoring program and the execution thread from the automation program; and monitor the execution thread with the internal monitoring program.
As one implementation, the packets are captured using a hook mechanism, specifically: create a global hook, add the global hook to a globally shared data variable, and create a hook executable program to capture the packets. Through the hook mechanism the monitoring unit can capture packets in the kernel network stack of the monitor; for example, open-source virtualization software based on the Linux kernel already carries a hook mechanism, and both Xen and KVM provide a set of hooks based on Netfilter. The method can therefore be applied to various kinds of open-source virtualization software, and the packet capture process can run in a loop.
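The capture and control path of steps S3 and S4 (a globally shared hook table, a capture loop, per-port network counters, header parsing, and a per-VM access-control decision that yields a record for the monitoring page) can be modelled in user space. The following Python is an added example written for this page, not code from the patent or from Xen, KVM or Netfilter: the hook table replaces the kernel-level Netfilter hooks the text mentions, the port map, the policy and the frames are constructed test data, and the MAC addresses and VM names are placeholders.

```python
"""Packet capture through a hook table, header parsing and per-VM policy (added example)."""
import struct
from typing import Callable, Dict, List, Optional

# Constructed port map for the virtual switch: source MAC of each port -> VM name.
VM_PORTS: Dict[str, str] = {
    "52:54:00:00:00:01": "vm-web",
    "52:54:00:00:00:02": "vm-db",
}

# Constructed per-VM access-control policy: destination TCP ports each VM may open.
POLICY: Dict[str, set] = {"vm-web": {80, 443, 5432}, "vm-db": {5432}}

# The "network counter group": frames seen per virtual switch port (keyed by source MAC).
PORT_COUNTERS: Dict[str, int] = {}

# Globally shared hook table; every registered hook sees every captured frame.
HOOKS: List[Callable[[bytes], Optional[dict]]] = []


def register_hook(fn):
    """Add a hook to the global table (the 'global hook' step of the text)."""
    HOOKS.append(fn)
    return fn


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Assemble a minimal Ethernet II + IPv4 + TCP SYN frame as constructed test input."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> Optional[dict]:
    """Parse Ethernet/IPv4/TCP headers; return None for other traffic or truncated frames."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl or frame[14 + 9] != 6:   # protocol 6 = TCP
        return None
    off = 14 + ihl
    if len(frame) < off + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return {
        "src_mac": _mac(frame[6:12]), "dst_mac": _mac(frame[0:6]),
        "src_ip": ".".join(map(str, frame[26:30])),
        "dst_ip": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport,
    }


def security_control(pkt: dict):
    """Apply the per-VM access-control policy; returns (verdict, vm)."""
    vm = VM_PORTS.get(pkt["src_mac"])
    if vm is None:
        return "unknown-port", None                  # frame did not come from a managed port
    return ("allow" if pkt["dport"] in POLICY.get(vm, set()) else "block"), vm


@register_hook
def monitor_hook(frame: bytes) -> Optional[dict]:
    """Hook body: parse the frame, decide, and emit a record for the monitoring page."""
    pkt = parse_frame(frame)
    if pkt is None:
        return None
    verdict, vm = security_control(pkt)
    return {"vm": vm, "verdict": verdict, **pkt}


def capture_loop(frames) -> List[dict]:
    """Run every captured frame through the hook table, updating the port counters."""
    records: List[dict] = []
    for frame in frames:
        if len(frame) >= 12:
            key = _mac(frame[6:12])
            PORT_COUNTERS[key] = PORT_COUNTERS.get(key, 0) + 1
        for hook in HOOKS:
            rec = hook(frame)
            if rec is not None:
                records.append(rec)
    return records


if __name__ == "__main__":
    demo = [build_frame("52:54:00:00:00:01", "52:54:00:00:00:02", "10.0.0.1", "10.0.0.2", 40000, 5432),
            build_frame("52:54:00:00:00:02", "52:54:00:00:00:ff", "10.0.0.2", "8.8.8.8", 40001, 80)]
    for rec in capture_loop(demo):
        print(rec["vm"], rec["src_ip"], "->", rec["dst_ip"], rec["dport"], rec["verdict"])
```

Counters are keyed by the source port's MAC, so a frame that is not IPv4/TCP is still counted even though no record is produced for it; the parser checks the frame length at every header boundary and returns None on truncation rather than raising, which is the behaviour a capture hook needs when it runs inside a loop.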
As one implementation, the security control in step S4 is specifically one or more of memory protection, kernel code protection and access control. Shadow pages can be established during the above security control process so as to confuse attack code: when malicious code attacks the system, its malicious operations are directed to the shadow page, which effectively prevents normal operating code from being maliciously tampered with or copied.
As one implementation, the security strategy in step S2 is specifically: establish a finite automaton state machine from the data of normal processes in the system, taking the system-call-related functions as states; then monitor the packets of the process under detection and compare the system-call-related functions it invokes with the states in the finite state machine; if they match, the current process is safe, otherwise the current process has been infected. A finite automaton state machine has a finite number of states, each state can transition to zero or more states, and the input string determines which transition is performed. By establishing the finite automaton state machine from the data of normal processes in the system, effective monitoring of the packets is achieved.
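The finite-automaton strategy described in the summary, in the paragraph above and in claim 7 amounts to learning the allowed transitions between system-call-related functions from normal processes and then replaying a monitored process's call sequence against them. The following Python is an added example written for this page, not the patent's own code: the call names and the training traces are constructed, and the example goes one step beyond the text by parameterizing the amount of context a state carries (with the default order of 2 a state is a single call, as the patent describes; a higher order makes the automaton stricter).

```python
"""Finite-automaton check of a process's system-call sequence (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

START = "<start>"   # synthetic state before the first call
END = "<end>"       # synthetic state after the last call

# Constructed training data: system-call sequences recorded from normal
# (uninfected) processes. The call names are placeholders standing in for the
# "system-call-related functions" the patent uses as states.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["socket", "connect", "write", "read", "close"],
]

State = Tuple[str, ...]
Automaton = Dict[State, Set[str]]


def build_automaton(traces: Iterable[Iterable[str]], order: int = 2) -> Automaton:
    """Learn the automaton from normal traces.

    A state is the tuple of the last (order - 1) calls; the table records every
    call that followed that state in normal behaviour. Transitions never seen in
    the training data are absent, so the automaton rejects them.
    """
    if order < 2:
        raise ValueError("order must be at least 2")
    transitions: Automaton = {}
    for trace in traces:
        seq = [START] * (order - 1) + list(trace) + [END]
        for i in range(len(seq) - order + 1):
            state = tuple(seq[i:i + order - 1])
            transitions.setdefault(state, set()).add(seq[i + order - 1])
    return transitions


def check_process(auto: Automaton, observed: Iterable[str], order: int = 2):
    """Replay the observed call sequence through the automaton.

    Returns (True, None) when every transition, including the final one into
    <end>, exists in the normal model; otherwise (False, (state, call)) naming
    the first transition the model has never seen, i.e. where the monitored
    process diverges from normal behaviour.
    """
    seq = [START] * (order - 1) + list(observed) + [END]
    for i in range(len(seq) - order + 1):
        state = tuple(seq[i:i + order - 1])
        nxt = seq[i + order - 1]
        if nxt not in auto.get(state, set()):
            return False, (state, nxt)
    return True, None


if __name__ == "__main__":
    auto = build_automaton(NORMAL_TRACES)
    for trace in (["open", "read", "close"], ["open", "read", "execve", "close"]):
        safe, bad = check_process(auto, trace)
        print(trace, "->", "safe" if safe else f"infected (unexpected {bad[0]} -> {bad[1]})")
```

The sequence is padded with a start and an end marker so that an unusual first call or a sequence that stops where normal processes never stop is flagged as well; a sequence the order-2 automaton accepts because each adjacent pair is normal can still be rejected at order 3 when the triple was never observed.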
By establishing a security strategy associated with the virtual machine system for managing the virtual machines, the present invention effectively solves the problem of system hangs caused by virtual machines occupying excessive memory; various security policies are configured, a hook mechanism is established to capture the packets of the virtual machines, and a monitoring mode combining internal monitoring with external monitoring is adopted, which greatly improves the efficiency of virtual machine monitoring and ensures the safe and efficient operation of the virtual machine system.
Although embodiments of the invention have been described above, it should be understood that they are presented only by way of example and not of limitation. The breadth and scope of the embodiments should therefore not be limited by any of the exemplary embodiments mentioned above, but should be defined only in accordance with the following claims and their equivalents.

Claims (7)

1. A secure virtual machine monitoring method, characterized in that it comprises the following steps:
S1, configure the operating parameters of a virtual machine network, where the virtual machine network includes a virtual machine system and an external network; the virtual machine system includes a virtual machine monitor and at least one virtual machine;
S2, configure the security monitoring strategy of the virtual machine monitor;
S3, capture the packets communicated between virtual machines or between a virtual machine and the external network;
S4, parse the packets, perform security control on the corresponding virtual machine according to the security monitoring strategy, and display the monitoring process and results on a client page.
2. The method according to claim 1, characterized in that the security monitoring strategy in step S2 is specifically: establish an intrusion detection domain and set up a policy module; configure various security policies in the policy module; connect the policy module with a policy framework, where the policy framework is used to respond to requests from the operating system interface.
3. The method according to claim 1, characterized in that step S2 also includes: monitoring the packets of the virtual switch ports using a group of network counters; and adopting a monitoring mode that combines internal monitoring based on a virtual machine kernel security driver with external monitoring based on control points in the virtual machine monitor.
4. The method according to claim 1, characterized in that step S3 is specifically: buffer the packets through the virtual switch stack, and check and capture, in the virtual switch stack, the packets communicated between virtual machines or between a virtual machine and the external network.
5. The method according to claim 1 or 4, characterized in that the packets are captured using a hook mechanism, specifically: create a global hook, add the global hook to a globally shared data variable, and create a hook executable program to capture the packets.
6. The method according to claim 1, characterized in that the security control is specifically one or more of memory protection, kernel code protection and access control.
7. The method according to claim 1, characterized in that the security monitoring strategy in step S2 is specifically: establish a finite automaton state machine from the data of normal processes in the virtual machine system, taking the system-call-related functions of the virtual machine system as states; then monitor the packets of the process under detection and compare the system-call-related functions invoked in the virtual machine system with the states in the finite state machine; if they match, the current process is safe, otherwise the current process has been infected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611241724.0A CN106844144A (en) 2016-12-29 2016-12-29 A kind of secure virtual machine monitoring method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611241724.0A CN106844144A (en) 2016-12-29 2016-12-29 A kind of secure virtual machine monitoring method

Publications (1)

Publication Number Publication Date
CN106844144A true CN106844144A (en) 2017-06-13

Family

ID=59113280

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611241724.0A Withdrawn CN106844144A (en) 2016-12-29 2016-12-29 A kind of secure virtual machine monitoring method

Country Status (1)

Country Link
CN (1) CN106844144A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412831A (en) * 2018-08-29 2019-03-01 无锡华云数据技术服务有限公司 A kind of method and cloud platform based on FSM management virtual port

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103354530A (en) * 2013-07-18 2013-10-16 北京启明星辰信息技术股份有限公司 Virtualization network boundary data flow gathering method and apparatus
CN103457945A (en) * 2013-08-28 2013-12-18 中国科学院信息工程研究所 Intrusion detection method and system
CN103870749A (en) * 2014-03-20 2014-06-18 中国科学院信息工程研究所 System and method for implementing safety monitoring of virtual machine system
CN104113522A (en) * 2014-02-20 2014-10-22 西安未来国际信息股份有限公司 Design of virtual firewall assembly acting on cloud computing data center security domain
CN105337789A (en) * 2014-08-12 2016-02-17 北京启明星辰信息安全技术有限公司 Method and device for monitoring flow of virtual network
CN105635035A (en) * 2014-10-27 2016-06-01 青岛金讯网络工程有限公司 Method for monitoring flow of virtual machine


Similar Documents

Publication Publication Date Title
US11652852B2 (en) Intrusion detection and mitigation in data processing
CN110545260B (en) Cloud management platform construction method based on mimicry structure
US9838415B2 (en) Fight-through nodes for survivable computer network
US9769250B2 (en) Fight-through nodes with disposable virtual machines and rollback of persistent state
US9166988B1 (en) System and method for controlling virtual network including security function
US11522904B2 (en) Self-healing architecture for resilient computing services
CN103870749B (en) A kind of safety monitoring system and method for realizing dummy machine system
CN102999716B (en) virtual machine monitoring system and method
WO2016160599A1 (en) System and method for threat-driven security policy controls
CN112671807B (en) Threat processing method, threat processing device, electronic equipment and computer readable storage medium
WO2018027226A1 (en) Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform
US20160110544A1 (en) Disabling and initiating nodes based on security issue
CN107797859A (en) A kind of dispatching method of timed task and a kind of dispatch server
Ariffin et al. API vulnerabilities in cloud computing platform: attack and detection
CN105245336B (en) A kind of file encryption management system
CN106844144A (en) A kind of secure virtual machine monitoring method
US20050076236A1 (en) Method and system for responding to network intrusions
CN103139169A (en) Virus detection system and method based on network behavior
CN115086081B (en) Escape prevention method and system for honeypots
CN111258712B (en) Method and system for protecting safety of virtual machine under virtual platform network isolation
WO2022141340A1 (en) Method and apparatus for determining dependency between application services, and processor
US20220006819A1 (en) Detection of malicious C2 channels abusing social media sites
CN110958267B (en) Method and system for monitoring threat behaviors in virtual network
CN109218315A (en) A kind of method for managing security and security control apparatus
US20240086522A1 (en) Using thread patterns to identify anomalous behavior

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20170613