CN107911358B - Method and system for protecting network security - Google Patents


Info

Publication number: CN107911358B
Application number: CN201711100071.9A
Authority: CN (China)
Prior art keywords: network, abnormal, address, virtual machine, activity
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107911358A
Inventor: 侯德龙
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2017-11-09
Filing date: 2017-11-09
Publication dates: 2018-04-13 (CN107911358A), 2021-04-27 (CN107911358B, grant)

Classifications

All classes are under section H (Electricity), class H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/0236  Filtering policies: filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 43/16    Monitoring or testing data switching networks: threshold monitoring
    • H04L 61/10    Mapping addresses of different types
    • H04L 63/1425  Detecting malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
    • H04L 63/20    Managing network security; network security policies in general
    • H04L 12/4641  Interconnection of networks: virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 2101/622 Types of network addresses: layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L 49/70    Packet switching elements: virtual switches

Abstract

The invention provides a method and a system for protecting network security. The method comprises the following steps: S1: establishing an address association table for each virtual machine in the network; S2: monitoring abnormal traffic in the network and locating the address of the abnormal traffic; S3: isolating the virtual machines that produce the abnormal traffic. The system comprises: a virtual switch, which connects to the external network and allocates an ID address (a VLAN ID) to each virtual machine in the internal network; a plurality of virtual machines, which run various applications and provide computing resources; an isolation virtual switch, onto which abnormal virtual machines are mounted; and network anomaly detector 1, which monitors abnormal traffic in the network and analyzes and isolates its source. By monitoring the virtual machines connected in the network, isolation of abnormal virtual machines is achieved.

Description

Method and system for protecting network security
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for protecting network security.
Background
With the rapid development of cloud computing virtualization technology, server virtualization is applied more and more widely. Server virtualization partitions one physical server into multiple virtual machines, so that the server is no longer bound by its physical limits and the utilization of physical resources is improved. The virtual machines form a complete network through a virtual switch, which largely satisfies the demand for computing.
For any network, attacks are inevitable. Against external malicious attacks, existing defense mechanisms such as firewalls and installed anti-malware software can defend effectively. However, some malware evades host monitoring through stealth techniques, is deployed inside a host, and disrupts the operation of the network from the inside; existing defense mechanisms do not handle this kind of attack well.
Disclosure of Invention
To solve the above problems, a method and a system for protecting network security are provided, which isolate abnormal virtual machines by monitoring the virtual machines connected in the network.
An embodiment of the invention provides a method for protecting network security, which comprises the following steps:
S1: establishing an address association table for each virtual machine in the network;
S2: monitoring abnormal traffic in the network and locating the address of the abnormal traffic;
S3: isolating the virtual machines that produce the abnormal traffic.
Further, the method also comprises the following step:
S4: checking the isolated abnormal virtual machine to judge whether it is the source of the abnormal traffic; if so, continuing the isolation, and if not, releasing it.
Further, step S1 is implemented as follows: the MAC address of each virtual machine in the network is bound to the ID address allocated by the corresponding virtual switch, generating a list of MAC-to-VLAN correspondences; this list is the address association table.
Further, step S2 is implemented as follows:
S21: selecting one activity as the judgment standard and counting its relative frequency;
S22: detecting whether the frequency of the selected activity in the network is higher than that relative frequency; if so, proceeding to the next step, and if not, continuing detection;
S23: extracting the data packets of the activity selected in step S22 and parsing the MAC address in them.
Further, step S3 is implemented as follows: the ID address corresponding to the MAC address is looked up in the address association table and set to an error ID, and the virtual machine corresponding to that ID is mounted on a preset abnormal VLAN.
Further, step S4 is implemented as follows:
S41: setting a time threshold;
S42: measuring the frequency of the abnormal virtual machine's activity and counting the time during which it is higher than the relative frequency;
S43: judging whether the time counted in step S42 is larger than the time threshold set in step S41; if so, continuing the isolation, and if not, releasing it.
An embodiment of the invention also provides a system for protecting network security, which comprises:
a virtual switch, which connects to the external network and allocates an ID address to each virtual machine in the internal network;
a plurality of virtual machines, which run various applications and provide computing resources;
an isolation virtual switch, onto which abnormal virtual machines are mounted;
and network anomaly detector 1, which monitors abnormal traffic in the network and analyzes and isolates its source.
Furthermore, network anomaly detector 1 counts the relative frequency of occurrence of a certain special activity in the network and uses it as the judgment standard for abnormal traffic; once it finds that the frequency of that activity in the network is higher than this relative frequency, it judges the activity to be abnormal traffic.
Further, the system also comprises:
network anomaly detector 2, which checks whether the abnormal virtual machine is the source of the abnormal traffic; if so, the isolation continues, and if not, it is released.
Further, network anomaly detector 2 uses a preset time threshold to check whether the relative frequency of the abnormal virtual machine's special activity has fallen markedly within the threshold time; if so, the isolation of the abnormal virtual machine is released, and if not, it is continued.
The effects stated in this summary are those of the embodiments, not all effects of the invention; one of the above technical solutions has the following advantages or beneficial effects:
1. Because networks with different VLAN IDs in cloud computing are mutually independent and isolated, a network security strategy is realized that ensures the security of the virtual network and the confidentiality of data. Abnormal virtual machines are isolated dynamically and in real time based on the monitoring of the network anomaly detector, which ensures the integrity of data.
2. By using the relative frequency of the special activity as the standard, the isolated abnormal virtual machine is checked a second time, so that mistaken isolation can be effectively prevented in advance, the accuracy of isolation is ensured, and data integrity is ensured.
Drawings
FIG. 1 is a flowchart of the method of embodiment 1 of the present invention;
FIG. 2 is a system schematic diagram of embodiment 1 of the present invention;
FIG. 3 is a flowchart of the method of embodiment 2 of the present invention;
FIG. 4 is a system schematic diagram of embodiment 2 of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The method rests on the following basic principle: VLAN isolation divides the network according to user requirements, without being limited by physical devices, by logically partitioning the ports connected to a layer-2 switch. A broadcast within a VLAN is heard only by the members of that VLAN and is not forwarded to other VLANs, so unnecessary broadcast storms are well contained. At the same time, without a route, different VLANs cannot communicate with each other, which improves security between different departments in an enterprise network. By configuring routing between VLANs, the network administrator can comprehensively manage mutual access to information between the different management units of the enterprise.
Example 1
As shown in FIG. 1, embodiment 1 of the method provides a method for protecting network security, which comprises:
S1: establishing an address association table for each virtual machine in the network. This is implemented as follows: the MAC address of each virtual machine in the network is bound to the ID address allocated by the corresponding virtual switch, generating a list of MAC-to-VLAN correspondences; this list is the address association table.
S2: monitoring abnormal traffic in the network and locating the address of the abnormal traffic, implemented as follows:
S21: according to need or experience, one activity is selected as the judgment standard, and its relative frequency is counted and used as the standard.
S22: detecting whether the frequency of the selected activity in the network is higher than the relative frequency; if so, the activity at that frequency is abnormal traffic and the next step is entered; otherwise, it is normal traffic, and the activities generated by other virtual machines continue to be checked.
S23: the data packets of the activity selected in step S22 are extracted and the MAC address in them is parsed.
S3: isolating the virtual machines that produce the abnormal traffic. This is implemented as follows: the ID address corresponding to the MAC address is looked up in the address association table and set to an error ID, and the virtual machine corresponding to that ID is mounted on a preset abnormal VLAN.
As shown in FIG. 2, based on the method of embodiment 1, an embodiment of the invention further provides a system for protecting network security, which comprises: a virtual switch, which connects to the external network and allocates an ID address to each virtual machine in the internal network; a plurality of virtual machines, which run various applications and provide computing resources; an isolation virtual switch, onto which abnormal virtual machines are mounted; and a network anomaly detector, which monitors abnormal traffic in the network and analyzes and isolates its source.
The network anomaly detector takes the relative frequency of a certain special activity in the network as the judgment standard for abnormal traffic; when it finds that the frequency of that activity in the network is higher than the relative frequency, the activity is judged to be abnormal traffic.
Example 2
As shown in FIG. 3, embodiment 2 of the method provides a method for protecting network security, which comprises:
S1: establishing an address association table for each virtual machine in the network. This is implemented as follows: the MAC address of each virtual machine in the network is bound to the ID address allocated by the corresponding virtual switch, generating a list of MAC-to-VLAN correspondences; this list is the address association table.
S2: monitoring abnormal traffic in the network and locating the address of the abnormal traffic, implemented as follows:
S21: according to need or experience, one activity is selected as the judgment standard, and its relative frequency is counted and used as the standard.
S22: detecting whether the frequency of the selected activity in the network is higher than the relative frequency; if so, the activity at that frequency is abnormal traffic and the next step is entered; otherwise, it is normal traffic, and the activities generated by other virtual machines continue to be checked.
S23: the data packets of the activity selected in step S22 are extracted and the MAC address in them is parsed.
S3: isolating the virtual machines that produce the abnormal traffic. This is implemented as follows: the ID address corresponding to the MAC address is looked up in the address association table and set to an error ID, and the virtual machine corresponding to that ID is mounted on a preset abnormal VLAN.
S4: checking the isolated abnormal virtual machine to judge whether it is the source of the abnormal traffic; if so, the isolation continues; otherwise, the VLAN ID is modified back to its original value, the virtual machine is returned to its original network, and the isolation is removed.
Step S4 is implemented as follows:
S41: a time threshold is set, based on empirical or statistical results.
S42: the frequency of the abnormal virtual machine's activity is measured, and the time during which it is higher than the relative frequency is counted.
S43: it is judged whether the time counted in step S42 is larger than the time threshold set in step S41; if so, the isolation continues, and if not, it is released.
As shown in FIG. 4, based on the method of embodiment 2, an embodiment of the invention further provides a system for protecting network security, which comprises: virtual switches, which connect to the external network and allocate ID addresses to the virtual machines in the internal network; a plurality of virtual machines, which run various applications and provide computing resources; an isolation virtual switch, onto which abnormal virtual machines are mounted; and network anomaly detectors, which monitor abnormal traffic in the network and analyze and isolate its source.
There are two network anomaly detectors: network anomaly detector 1 monitors the virtual machines in the normal network, and network anomaly detector 2 monitors the abnormal virtual machines in the isolated network.
Network anomaly detector 1 counts the relative frequency of occurrence of a certain special activity in the network and uses it as the judgment standard for abnormal traffic; once it finds that the frequency of that activity in the network is higher than the relative frequency, it judges the activity to be abnormal traffic. The suspicious packets of that activity are then analyzed to parse out the MAC address, and the isolation operation is performed.
Network anomaly detector 2 introduces a configurable suspicious-time threshold. When the time during which a certain special activity occurs more often than its relative frequency exceeds the threshold, the virtual machine is isolated. The isolated network also has a monitor and a threshold that follow the same rule: if, in the isolated network, the relative frequency of the special activity falls markedly within the threshold time, the isolation is judged to have been a misjudgment, and the VLAN ID is modified back to its original value so that the virtual machine returns to its original network. If the relative frequency does not fall, the VLAN ID is left unchanged and the virtual machine stays isolated.
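As an added illustration (not code from the patent or its assignee), the following Python simulation runs steps S1 to S4 of embodiment 2 over constructed traffic: the MAC-to-VLAN association table, detector 1's relative-frequency check followed by the VLAN swap to the error ID, and detector 2's time-threshold decision to keep or lift the isolation. The class and field names, the error VLAN ID 4000, the per-window counting and the length of the observation period are assumptions, since the patent fixes none of them.

```python
from collections import defaultdict
from dataclasses import dataclass, field

QUARANTINE_VLAN = 4000  # constructed "error ID": the preset abnormal VLAN (assumption)


@dataclass
class Packet:
    """One observed activity, constructed for this example."""
    window: int      # index of the sampling window in which it was seen
    src_mac: str     # source MAC address parsed from the packet (S23)
    activity: str    # kind of activity, e.g. "arp_request"


@dataclass
class Guard:
    table: dict            # S1: address association table, MAC -> VLAN ID
    activity: str          # S21: the activity chosen as the judgment standard
    baseline: int          # S21: its relative frequency (count per window) under normal load
    time_threshold: int    # S41: windows above baseline that confirm a real source
    observe: int           # assumed: windows an isolated VM is watched before deciding
    original: dict = field(default_factory=dict)   # isolated MAC -> VLAN it came from
    since: dict = field(default_factory=dict)      # isolated MAC -> window isolation began
    above: dict = field(default_factory=lambda: defaultdict(int))  # S42: windows above

    def frequencies(self, packets):
        """Count the selected activity per source MAC within one window (input to S22)."""
        counts = defaultdict(int)
        for p in packets:
            if p.activity == self.activity:
                counts[p.src_mac] += 1
        return counts

    def isolate(self, mac, window):
        """S3: look up the VLAN ID for the MAC and replace it with the error ID."""
        self.original[mac] = self.table[mac]
        self.table[mac] = QUARANTINE_VLAN
        self.since[mac] = window
        self.above[mac] = 0

    def release(self, mac):
        """Undo S3: restore the original VLAN ID so the VM returns to its network."""
        self.table[mac] = self.original.pop(mac)
        self.since.pop(mac)
        self.above.pop(mac, None)

    def step(self, window, packets):
        """Process one window of traffic; return (action, mac) events in order."""
        events = []
        counts = self.frequencies(packets)
        # Detector 1 (S22/S23): VMs still in the normal network whose count exceeds baseline.
        for mac, n in counts.items():
            if mac not in self.original and n > self.baseline:
                self.isolate(mac, window)
                events.append(("isolate", mac))
        # Detector 2 (S4): watch isolated VMs and count windows still above baseline.
        for mac in list(self.original):
            if self.since[mac] == window:
                continue                      # isolated this window; watch from the next one
            if counts.get(mac, 0) > self.baseline:
                self.above[mac] += 1          # S42: accumulate time above the baseline
            if window - self.since[mac] >= self.observe:
                if self.above[mac] > self.time_threshold:   # S43: confirmed source
                    events.append(("keep", mac))
                    self.since[mac], self.above[mac] = window, 0
                else:                                       # S43: misjudgment
                    self.release(mac)
                    events.append(("release", mac))
        return events


def run_demo():
    """Constructed scenario: bb:bb floods continuously (real source), cc:cc bursts once."""
    guard = Guard(table={"aa:aa": 10, "bb:bb": 10, "cc:cc": 20},
                  activity="arp_request", baseline=5, time_threshold=2, observe=4)
    bursts = {"bb:bb": set(range(10)), "cc:cc": {1}}   # windows in which each VM floods
    log = []
    for w in range(10):
        pkts = [Packet(w, "aa:aa", "arp_request") for _ in range(3)]          # benign VM
        for mac, windows in bursts.items():
            pkts += [Packet(w, mac, "arp_request") for _ in range(12 if w in windows else 2)]
        log += guard.step(w, pkts)
    return guard, log
```

In the constructed run, cc:cc is isolated after its single burst and released once detector 2 sees its frequency fall within the observation period, while bb:bb stays on the error VLAN.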
While the invention has been described in detail in the specification and drawings and with reference to specific embodiments thereof, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted; all technical solutions and modifications thereof which do not depart from the spirit and scope of the present invention are intended to be covered by the scope of the present invention.

Claims (1)

1. A method for protecting network security, characterized in that the method comprises the following steps:
S1: establishing an address association table for each virtual machine in the network;
step S1 being implemented as follows: the MAC address of each virtual machine in the network is bound to the ID address allocated by the corresponding virtual switch, generating a list of MAC-to-VLAN correspondences, this list being the address association table;
S2: monitoring abnormal traffic in the network and locating the address of the abnormal traffic;
step S2 being implemented as follows:
S21: selecting one activity as the judgment standard and counting its relative frequency;
S22: detecting whether the frequency of the selected activity in the network is higher than the relative frequency; if so, proceeding to the next step, and if not, continuing detection;
S23: extracting the data packets of the activity selected in step S22 and parsing the MAC address in them;
S3: isolating the virtual machine that generates the abnormal traffic;
step S3 being implemented as follows: the ID address corresponding to the MAC address is looked up in the address association table and set to an error ID, and the virtual machine corresponding to that ID is mounted on a preset abnormal VLAN;
S4: checking the isolated abnormal virtual machine to judge whether it is the source of the abnormal traffic; if so, continuing the isolation, and if not, removing it;
step S4 being implemented as follows:
S41: setting a time threshold;
S42: measuring the frequency of the abnormal virtual machine's activity and counting the time during which it is higher than the relative frequency;
S43: judging whether the time counted in step S42 is larger than the time threshold set in step S41; if so, continuing the isolation, and if not, releasing it.

Priority and family

Application number: CN201711100071.9A (granted as CN107911358B)
Priority date: 2017-11-09
Filing date: 2017-11-09
Title: Method and system for protecting network security
Family ID: 61843822
Country status: CN, Active

Publications (2)

CN107911358A, published 2018-04-13
CN107911358B, published 2021-04-27

Citations

* Cited by examiner, † Cited by third party

Patent citations (1)
CN103186435A * priority 2011-12-28, published 2013-07-03, 英业达股份有限公司: System error treatment method and server system applying same

Family cites families (3)
CN104601568B * priority 2015-01-13, published 2019-05-21, 深信服科技股份有限公司: Virtualization security isolation method and device
US10255432B2 * priority 2015-11-23, published 2019-04-09, Armor Defense Inc.: Detecting malicious instructions on a virtual machine using profiling
CN107222462A * priority 2017-05-08, published 2017-09-29, 汕头大学: A kind of LAN internals attack being automatically positioned of source, partition method


Legal Events

Code: PB01, Publication
Code: SE01, Entry into force of request for substantive examination
Code: GR01, Patent grant