CN108989086B - Open vSwitch illegal port operation automatic discovery and tracing system in OpenStack platform - Google Patents



Publication number
CN108989086B
Authority
CN
China
Prior art keywords
information
port
virtual
open vswitch
uuid
Prior art date
Legal status
Active
Application number
CN201810636784.5A
Other languages
Chinese (zh)
Other versions
CN108989086A (en)
Inventor
吴承荣
张舟远
Current Assignee
Fudan University
Original Assignee
Fudan University
Priority date
Filing date
Publication date
Application filed by Fudan University
Priority to CN201810636784.5A
Publication of CN108989086A
Application granted
Publication of CN108989086B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Abstract

The invention belongs to the technical field of networks, and particularly relates to an Open vSwitch illegal port operation automatic discovery and tracing system in an OpenStack platform. The system comprises an Open vSwitch information acquisition device, an OpenStack information acquisition device, a violation discovery device and a violation tracing device. The Open vSwitch information acquisition device starts automatically at regular intervals and collects the port information of the current Open vSwitch on its physical server; the OpenStack information acquisition device regularly acquires virtual network and virtual machine information from the Neutron database in OpenStack; the violation discovery device discovers violation operations by comparing and analysing the acquired information; the violation tracing device collects and searches associated log information according to the generated alarm information and provides the administrator with an alarm tracing report related to the violation. The invention can promptly discover violations in which Neutron is bypassed and Open vSwitch virtual ports are operated directly, and provides tracing information for the investigation of such violations.

Description

Open vSwitch illegal port operation automatic discovery and tracing system in OpenStack platform
Technical Field
The invention belongs to the technical field of networks, and particularly relates to a security operation and maintenance system for a cloud platform, in particular a system for automatically discovering and tracing the behaviour of bypassing Neutron to illegally operate Open vSwitch virtual network ports in an OpenStack platform.
Background
In recent years, with the rapid development of cloud computing technology, virtual network technology has also developed greatly. A virtual network has the characteristics of high elasticity, high scalability, ease of management and openness, and can divide a physical network into a number of complete and isolated logical networks provided to different tenants, which greatly reduces network overhead, greatly simplifies network operation and management, improves the reliability of network services, and meets the requirements of the modern data centre. Currently, mainstream open source cloud platforms represented by OpenStack and virtual network technologies represented by Open vSwitch are in common use.
In a conventional network environment, a physical switch is generally managed and configured by a dedicated network administrator, and an ordinary user has neither the authority nor the means to change its configuration. In a virtual network environment, because the virtual switch is deployed on the physical server, an insider or an attacker who logs in to the server remotely can operate the virtual switch directly to change the configuration of the virtual network, so that the part of the virtual network associated with that server is modified or destroyed at will. In addition, to support the SDN access control mode, the virtual switch itself also provides a remote access mode, which adds another way to manipulate the virtual switch directly. In an environment combining OpenStack and Open vSwitch, configuration and management of the virtual network are implemented in a top-down manner through a service definition layer, a service scheduling layer and a resource layer, as shown in Fig. 1. Under normal conditions the Open vSwitch virtual switch of the resource layer can only be configured and managed through the Neutron component of the service scheduling layer.
In practice, however, Open vSwitch, as third-party software, provides users with rich management tools and a remote access mode, and during actual operation it is difficult or impossible to ensure that third-party software is called only by a specific component; this makes it possible for internal personnel to bypass the Neutron service in violation of the rules and perform illegal operations on the virtual network directly through the Open vSwitch management tools. In other words, as long as an offending insider or attacker can bypass the upper two layers of the cloud platform and log in directly to a particular compute node server, he can perform illegal operations on the Open vSwitch deployed on that server. These illegal operations can be summarised into three types, "add, delete, modify":
(1) ports are illegally added. Since the added ports and the virtual machines connected to the ports are not managed by OpenStack, such virtual machines cannot be discovered by an administrator of OpenStack, but can communicate with the virtual machines on OpenStack through proper configuration;
(2) the port is illegally deleted. The port which is illegally deleted and the virtual machine connected to the port are still controlled and managed by OpenStack, and only the remote connection and communication cannot be realized due to network interruption, so that an OpenStack administrator cannot find the exception of the virtual machine from a virtual machine list and a network topology;
(3) the port configuration is illegally changed. The difference from (2) is that a virtual machine whose port configuration has been changed may still communicate "normally" if the networks before and after the change share the same address pool. The quotation marks indicate that the virtual machine is normal only from the point of view of network connectivity; the change itself is illegal.
Because only operations that pass through the service scheduling layer are written to the OpenStack log, if an attacker bypasses the upper two layers and operates the Open vSwitch virtual switch directly from the resource layer, the cloud network administrator not only fails to notice the change to the network at once, but also cannot afterwards determine from the OpenStack log who attacked the network and in what way, which poses a significant challenge for cloud network administrators and security administrators. In addition, in the case of irregular operation, an administrator may bypass the Neutron service and directly control a virtual server on a particular server for temporary debugging or other reasons; this is normal network operation, but it also makes illegal operations by other users harder to discover and trace. The conventional mode of network operation and maintenance is to configure and monitor the whole network centrally through a management centre, so for the management requirements of the virtual network an applicable method is needed to automatically discover and trace the behaviour of bypassing the management centre to illegally operate the virtual switch directly. The invention provides a method that achieves this aim through state information acquisition, comparison analysis and associated log search.
Disclosure of Invention
The invention aims to provide a system which can automatically discover the illegal action of directly operating a virtual switch port by bypassing a Neutron service in an OpenStack platform and trace the relevant information of the illegal action.
The invention provides an Open vSwitch illegal port operation automatic discovery and tracing system in an OpenStack platform, which comprises an Open vSwitch information acquisition device, an OpenStack information acquisition device, a violation discovery device and a violation tracing device, as shown in detail in Fig. 2. Wherein:
the Open vSwitch information acquisition device runs on each physical server in the cloud platform and is used for regularly collecting port information of the current Open vSwitch on the physical server; the specific process is as follows:
(a) using ovsdb-client to connect to the OVSDB and obtain all ports of the Open vSwitch on the current physical machine and the information of the virtual machines connected to the ports, including: port name, port UUID, port VLAN tag, virtual machine UUID and virtual machine MAC address;
(b) using the ovs-ofctl management tool to obtain the VLAN tag-VNI correspondence information list from the flow rules, wherein each record in the list includes: VLAN tag and VxLAN identifier VNI;
(c) associating the information obtained in the above steps on the VLAN tag and generating an Open vSwitch port information list, wherein each record in the list comprises: port name, port UUID, VLAN tag, VxLAN identifier VNI, virtual machine UUID and virtual machine MAC address;
(d) submitting the Open vSwitch port information list and the VLAN tag-VNI correspondence information list to the violation discovery device.
The OpenStack information acquisition device runs on a management server and is used for regularly acquiring information of a virtual network and a virtual machine in a Neutron database in OpenStack, and the specific flow is as follows:
(a) using the API provided by the OpenStack Neutron module (the module is a component of the OpenStack software and one of the tools used by the invention) to acquire the ports table and all port information in the Neutron database, extracting the port name (name field), port UUID (port_id field), virtual network UUID (network_id field), virtual machine MAC address (mac_address field) and virtual machine UUID (device_id field);
(b) querying the allocations table by the UUID of each acquired port and extracting the virtual machine IP (ip_address field);
(c) for each acquired port, querying the network table and the ml2_network table by the virtual network UUID, and extracting the virtual network name (name field of the network table) and the VxLAN identifier VNI (segmentation_id field of the ml2_network table);
(d) generating, from the obtained information, a current Neutron virtual port information list, wherein each record comprises: port name, port UUID, virtual network name, virtual network UUID, virtual machine MAC address, virtual machine UUID, virtual machine IP address and VxLAN identifier VNI;
(e) submitting the Neutron virtual port information list to the violation discovery device.
The violation discovery device runs on the management server and discovers violation operations by comparing and analysing the Open vSwitch information sent by the Open vSwitch information acquisition device against the Neutron information sent by the OpenStack information acquisition device; the specific flow is as follows:
(a) gathering the Open vSwitch port information list and the VLAN tag-VNI correspondence information list obtained from each physical machine, and the Neutron virtual port information list obtained from the Neutron database; for the Open vSwitch information acquired from each physical machine, executing the following steps;
(b) traversing the Open vSwitch port information list and, for the port UUID of each record, searching for the corresponding port UUID in the Neutron virtual port information list;
(c) if no record with the corresponding port UUID is found in the Neutron virtual port information list, judging that an illegal virtual port addition exists and generating alarm information; returning to (b);
(d) if the corresponding port UUID is found in the Neutron virtual port information list, further comparing whether the other information of the port is the same, namely: VxLAN identifier VNI, port name, virtual machine UUID and virtual machine MAC address; if any of these differ, judging that an illegal virtual port modification exists and generating alarm information; returning to (b);
(e) after the Open vSwitch port information list has been traversed, traversing the Neutron virtual port information list and, for the UUID of each record, checking whether the corresponding UUID exists in the Open vSwitch port information list; if the corresponding port UUID is not found, judging that an illegal virtual port deletion exists and generating alarm information;
(f) gathering all alarm information, wherein each alarm record is the concatenation of the corresponding Open vSwitch port information list record, the Neutron virtual port information list record and the VLAN tag-VNI correspondence list record, and comprises the following fields:
(1) alarm sequence number: incremented for each record;
(2) alarm time: the current time;
(3) physical host identifier: determined from the Open vSwitch information source; an IP address may be used;
(4) violation operation type: add, delete or modify;
(5) current VxLAN identifier VNI: extracted from the Open vSwitch port information list record;
(6) current VLAN tag: extracted from the Open vSwitch port information list record;
(7) original VxLAN identifier VNI: extracted from the Neutron virtual port information list record;
(8) original VLAN tag: obtained by looking up the original VxLAN identifier VNI in the VLAN tag-VNI correspondence information list;
(9) virtual network name: extracted from the Neutron virtual port information list record;
(10) virtual port UUID: extracted from the Open vSwitch port information list record or the Neutron virtual port information list record, depending on the violation operation type;
(11) virtual network UUID: extracted from the Neutron virtual port information list record;
(12) virtual machine UUID: extracted from the Open vSwitch port information list record;
(13) virtual machine MAC address: extracted from the Open vSwitch port information list record;
(14) virtual machine IP address: extracted from the Neutron virtual port information list record;
the information fields that are missing due to a missing record may be left empty.
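The comparison in steps (b) to (f) of the violation discovery device, as an added Python example that is not part of the patent or of any OpenStack or Open vSwitch code. Field and list names follow the patent's description; the record classes, the per-host `discover` function and the sample data are this example's own constructions, and it assumes the caller supplies only the Neutron ports expected on the host being checked (the patent does not describe a host-binding field).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import count
from typing import Optional

@dataclass
class OvsPort:  # one record of the Open vSwitch port information list of one host
    port_name: str
    port_uuid: str
    vlan_tag: int
    vm_uuid: str
    vm_mac: str
    vni: Optional[int] = None  # VxLAN identifier, joined in from the VLAN tag-VNI list

@dataclass
class NeutronPort:  # one record of the Neutron virtual port information list
    port_name: str
    port_uuid: str
    network_name: str
    network_uuid: str
    vm_mac: str
    vm_uuid: str
    vm_ip: str
    vni: int

# Attributes compared in step (d) once a port UUID is found on both sides.
COMPARED = ("vni", "port_name", "vm_uuid", "vm_mac")

def attach_vni(ovs_ports, vlan_to_vni):
    """Step (c) of the OVS acquisition device: assign each port its VNI via its VLAN tag."""
    for p in ovs_ports:
        p.vni = vlan_to_vni.get(p.vlan_tag)
    return ovs_ports

def discover(host_id, ovs_ports, vlan_to_vni, neutron_ports, now=None):
    """Steps (b)-(f) of the violation discovery device for one physical host.

    Assumption (not stated in the patent): neutron_ports holds only the ports
    Neutron expects on this host; otherwise ports bound elsewhere look deleted.
    """
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    vni_to_vlan = {vni: tag for tag, vni in vlan_to_vni.items()}  # for field (8)
    by_uuid = {n.port_uuid: n for n in neutron_ports}
    seq = count(1)
    alarms = []

    def alarm(kind, ovs, neu):
        # Fields (1)-(14) of the alarm record; fields whose source record is
        # missing (added or deleted port) are left empty, as the patent allows.
        orig_vni = neu.vni if neu else None
        alarms.append({
            "seq": next(seq), "time": now, "host": host_id, "type": kind,
            "current_vni": ovs.vni if ovs else None,
            "current_vlan_tag": ovs.vlan_tag if ovs else None,
            "original_vni": orig_vni,
            "original_vlan_tag": vni_to_vlan.get(orig_vni),
            "network_name": neu.network_name if neu else None,
            "port_uuid": (ovs or neu).port_uuid,
            "network_uuid": neu.network_uuid if neu else None,
            "vm_uuid": ovs.vm_uuid if ovs else None,
            "vm_mac": ovs.vm_mac if ovs else None,
            "vm_ip": neu.vm_ip if neu else None,
        })

    attach_vni(ovs_ports, vlan_to_vni)
    # (b)-(d): every switch port must exist in Neutron with identical attributes.
    for p in ovs_ports:
        n = by_uuid.get(p.port_uuid)
        if n is None:
            alarm("add", p, None)
        elif any(getattr(p, f) != getattr(n, f) for f in COMPARED):
            alarm("modify", p, n)
    # (e): every Neutron port must still be present on the switch.
    ovs_uuids = {p.port_uuid for p in ovs_ports}
    for n in neutron_ports:
        if n.port_uuid not in ovs_uuids:
            alarm("delete", None, n)
    return alarms

# Constructed sample data for one host; identifiers are made up for this example.
SAMPLE_VLAN_TO_VNI = {1: 1001, 2: 1002}
SAMPLE_OVS = [
    OvsPort("tap-aaa", "p-aaa", 1, "vm-1", "fa:16:3e:00:00:01"),  # consistent with Neutron
    OvsPort("tap-bbb", "p-bbb", 2, "vm-2", "fa:16:3e:00:00:02"),  # re-tagged to VNI 1002
    OvsPort("tap-zzz", "p-zzz", 1, "vm-9", "fa:16:3e:00:00:99"),  # unknown to Neutron
]
SAMPLE_NEUTRON = [
    NeutronPort("tap-aaa", "p-aaa", "net-a", "n-a", "fa:16:3e:00:00:01", "vm-1", "10.0.1.10", 1001),
    NeutronPort("tap-bbb", "p-bbb", "net-a", "n-a", "fa:16:3e:00:00:02", "vm-2", "10.0.1.11", 1001),
    NeutronPort("tap-ccc", "p-ccc", "net-b", "n-b", "fa:16:3e:00:00:03", "vm-3", "10.0.2.10", 1002),
]

def run_sample():
    """Run the discovery over the constructed sample; yields one modify, one add, one delete."""
    return discover("192.0.2.10", SAMPLE_OVS, SAMPLE_VLAN_TO_VNI, SAMPLE_NEUTRON,
                    now="2024-01-01T00:00:00+00:00")
```

The modify alarm carries both the current VLAN tag/VNI from the switch and the original pair recovered from Neutron, which is exactly the clue the tracing device later uses to search the logs.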
The violation behavior tracing device runs on the management server; collecting and searching associated log information according to the generated alarm information, and providing an alarm tracing report related to the violation behavior for an administrator, wherein the specific flow is as follows:
(a) continuously collecting various logs generated by OpenStack, Open vSwitch, operating systems of various physical machines and virtual machines and a security system;
(b) according to each alarm record generated by the illegal behavior discovery mechanism, inquiring log records related to a physical host identifier, a VxLAN identifier VNI, a VLAN Tag, a virtual port UUID, a virtual network name, a virtual network UUID, a virtual machine IP address and a virtual machine MAC address related to the alarm information within a period of time before and after the alarm generation time by taking the alarm time contained in the alarm record as a basis;
(c) integrating the collected log records, generating a tracing report about the alarm, and submitting the report to the administrator.
More preferably, the violation tracing device of the present invention may further include the following functions: automatically judging on the basis of the collected associated log information, eliminating false alarms produced when an administrator personally bypasses Neutron to operate Open vSwitch directly, and automatically responding and disposing.
Compared with the currently and generally adopted log-based methods of discovering violations, the invention has the following advantages:
1. Violations in which Neutron is bypassed and Open vSwitch virtual ports are operated directly can be discovered in a timely manner. The invention collects the current state information directly from Open vSwitch and the Neutron database and discovers illegal operations by comparison, which cannot be achieved using the OpenStack log or the Open vSwitch log alone: bypassing Neutron to operate Open vSwitch directly produces no OpenStack log, and the Open vSwitch log system does not distinguish violations from normal operations. Moreover, even if the OpenStack or Open vSwitch logging function is switched off, illegal addition, deletion and modification of ports can still be discovered with this method, since the discovery step does not depend on the OpenStack or Open vSwitch logs;
2. The alarm information contains relatively complete virtual port, virtual network and virtual machine information. The invention queries and integrates several tables of the Open vSwitch and Neutron databases, so the generated alarm information combines complementary information from several sources, including the related information of the virtual network, the virtual port and the virtual machine, and can provide rich query clues for the subsequent tracing of violations;
3. Other associated log information can be acquired automatically, providing tracing information for the investigation of violations. Based on the multi-source complementary information contained in the alarm information, the invention can automatically query the logs collected from each layer by the management system, obtain the log information associated with the illegal operation, and provide the administrator with a complete tracing report of the illegal operation event for review and judgement. Moreover, on the basis of more related log information, intelligent analysis and decision-support tools can be further used to eliminate false alarms and achieve automatic response.
Drawings
Fig. 1 depicts a typical mode of operation of a virtual switch by Neutron in an OpenStack platform.
Fig. 2 illustrates a relationship among an Open vSwitch information acquisition device, an OpenStack information acquisition device, an illegal behavior discovery device, and an illegal behavior tracing device according to the present invention.
Fig. 3 depicts an embodiment of the present invention.
Detailed Description
As shown in fig. 3, the invention is composed of an Open vSwitch information acquisition device, an OpenStack information acquisition device, an illegal behavior discovery device, and an illegal behavior tracing device, and in specific implementation, the invention can be implemented in a software form. The Open vSwitch information acquisition device is installed on each physical machine of the cloud platform, and the OpenStack information acquisition device, the violation finding device and the violation tracing device are installed on one cloud platform management server.
The Open vSwitch information acquisition device is software running on all physical machines and can be invoked and executed automatically by the timing mechanism of the physical machine's operating system, for example the cron service on Linux. The software calls the ovsdb-client tool, connects to ovsdb-server, and acquires from the OVSDB database all ports of the Open vSwitch on the current physical machine and the information of the virtual machines connected to the ports, including: port name, port UUID, port VLAN tag, virtual machine UUID and virtual machine MAC address; it extracts the VLAN tag-VNI correspondence information list (each record comprising a VLAN tag and a VxLAN identifier VNI) from the flow rules using the ovs-ofctl tool; it assigns the VxLAN identifier VNI to each port record by association on the VLAN tag; and finally it submits the Open vSwitch port information list and the VLAN tag-VNI correspondence information list to the violation discovery device, the reported information including a physical machine identifier, which may be an IP address or host name. The software can be implemented in a scripting language, and the connection to the violation discovery device can be implemented with a remote file transfer tool.
The OpenStack information acquisition device is software running on the cloud platform management server and can be invoked and executed automatically by the timing mechanism of the operating system, for example the cron service on Linux, with an execution period consistent with that of the Open vSwitch information acquisition device. The software uses the API provided by the OpenStack Neutron module (a component of the OpenStack software and one of the tools used by the invention) to acquire the ports table information in the Neutron database. It queries the allocations table by the UUID of each acquired port and extracts the virtual machine IP (ip_address field); it queries the network table and the ml2_network table by the virtual network UUID and extracts the virtual network name (name field of the network table) and the VxLAN identifier VNI (segmentation_id field of the ml2_network table). From the obtained information it generates the current Neutron virtual port information list and submits it to the violation discovery device. The software can be implemented in a scripting language, and the connection to the violation discovery device can be implemented through local file sharing.
The violation discovery device is software running on the cloud platform management server and can operate as a background service. It continuously receives reported information from the Open vSwitch information acquisition devices and the OpenStack information acquisition device. After all information for a detection period has been received, it discovers illegal operations by comparing the information. First, by port UUID, it checks for ports contained in an Open vSwitch port information list but not in the Neutron virtual port information list, and judges these to be illegal port additions; second, it checks for ports contained in both an Open vSwitch port information list and the Neutron virtual port information list whose other port-related information (VxLAN identifier VNI, port name, virtual machine UUID and virtual machine MAC address) is inconsistent, and judges these to be illegal port modifications; finally, it checks for ports contained in the Neutron virtual port information list but not in the Open vSwitch port information list, and judges these to be illegal port deletions. For each discovered violation it integrates the associated information from each list, generates an alarm information list, and reports it to the violation tracing device. The software can be implemented in any high-level language and may use a lightweight database to store temporary information for convenient querying. The connection to the violation tracing device can be implemented in various ways, such as local file sharing, a shared database or message middleware.
The violation behavior tracing device is used as software running on a cloud platform management server and can be realized by adopting a background service + WEB interface mode. The logs from each system can be collected by rsyslog or syslog-ng software, the preprocessed log information can be stored and inquired by a database, and the log information can also be collected and inquired by the log storage and inquiry functions of other cloud platform management software. The software receives alarm information from the violation finding device, and inquires related log records in a period of time before and after the alarm generation time by taking fields of a physical host identifier, a VxLAN identifier VNI, a VLAN Tag, a virtual port UUID, a virtual network name, a virtual network UUID, a virtual machine IP address, a virtual machine MAC address and the like related to the alarm information as conditions for each piece of alarm information; and integrating the query results to generate a tracing report about the alarm. The specific query conditions employed are determined based on information contained in the collected logs. The alarm and the related retrospective report can be displayed to the administrator by adopting a special WEB interface, and the WEB interface can be integrated in WEB Portal of other cloud platform management software. The software may be implemented in any high-level language.

Claims (6)

1. An Open vSwitch port operation automatic discovery and tracing system in an OpenStack platform, characterized in that it comprises an Open vSwitch information acquisition device, an OpenStack information acquisition device, a violation discovery device and a violation tracing device, wherein:
the Open vSwitch information acquisition device runs on each physical server in the cloud platform and is used for regularly collecting port information of the current Open vSwitch on the physical server;
the OpenStack information acquisition device runs on the management server and is used for regularly acquiring information of a virtual network and a virtual machine in a Neutron database in OpenStack;
the violation discovery device runs on the management server and discovers violation operations by comparing and analysing the Open vSwitch information sent by the Open vSwitch information acquisition device against the Neutron information sent by the OpenStack information acquisition device;
the violation tracing device runs on the management server, collects and searches associated log information according to the generated alarm information, and provides the administrator with an alarm tracing report related to the violation;
the specific flow by which the violation discovery device discovers violation operations by comparing and analysing the Open vSwitch information sent by the Open vSwitch information acquisition device against the Neutron information sent by the OpenStack information acquisition device comprises the following steps:
(a) gathering the Open vSwitch port information list and the VLAN tag-VNI correspondence information list obtained from each physical machine, and the Neutron virtual port information list obtained from the Neutron database; for the Open vSwitch information acquired from each physical machine, executing the following steps:
(b) traversing the Open vSwitch port information list and, for the port UUID of each record, searching for the corresponding port UUID in the Neutron virtual port information list;
(c) if no record with the corresponding port UUID is found in the Neutron virtual port information list, judging that an illegal virtual port addition exists and generating alarm information; returning to (b);
(d) if the corresponding port UUID is found in the Neutron virtual port information list, further comparing whether the other information of the port is the same, namely: VxLAN identifier VNI, port name, virtual machine UUID and virtual machine MAC address; if any of these differ, judging that an illegal virtual port modification exists and generating alarm information; returning to (b);
(e) after the Open vSwitch port information list has been traversed, traversing the Neutron virtual port information list and, for the UUID of each record, checking whether the corresponding UUID exists in the Open vSwitch port information list; if the corresponding port UUID is not found, judging that an illegal virtual port deletion exists and generating alarm information;
(f) gathering all alarm information, wherein each alarm record is the concatenation of the corresponding Open vSwitch port information list record, the Neutron virtual port information list record and the VLAN tag-VNI correspondence list record.
2. The system according to claim 1, wherein the specific process of the Open vSwitch information collecting device periodically collecting the port information of the current Open vSwitch on the physical server is as follows:
(a) using ovsdb-client to connect to the OVSDB and obtain all ports of the Open vSwitch on the current physical machine and the information of the virtual machines connected to the ports, including: port name, port UUID, port VLAN tag, virtual machine UUID and virtual machine MAC address;
(b) using the ovs-ofctl management tool to obtain the VLAN tag-VNI correspondence information list from the flow rules, wherein each record in the list includes: VLAN tag and VxLAN identifier VNI;
(c) associating the information obtained in the above steps on the VLAN tag and generating an Open vSwitch port information list, wherein each record in the list comprises: port name, port UUID, VLAN tag, VxLAN identifier VNI, virtual machine UUID and virtual machine MAC address;
(d) submitting the Open vSwitch port information list and the VLAN tag-VNI correspondence information list to the violation discovery device.
3. The system according to claim 2, wherein the specific process by which the OpenStack information collecting device periodically collects the virtual network and virtual machine information from the Neutron database in OpenStack is as follows:
(a) obtaining the ports table and all port information in the Neutron database through the API provided by the OpenStack Neutron module, and extracting port name, port UUID, virtual network UUID, virtual machine MAC address and virtual machine UUID;
(b) for each port obtained, querying the allocations table by port UUID and extracting the virtual machine IP;
(c) for each port obtained, querying the network table and the ml2_network table by virtual network UUID, and extracting the virtual network name and the VxLAN identifier VNI respectively;
(d) generating the current Neutron virtual port information list from the information obtained, each record comprising: port name, port UUID, virtual network name, virtual network UUID, virtual machine MAC address, virtual machine UUID, virtual machine IP address and VxLAN identifier VNI;
(e) submitting the Neutron virtual port information list to the violation discovery device.
4. The system according to claim 3, wherein the alarm information specifically comprises:
(1) alarm sequence number: incremented for each record;
(2) alarm time: the current time;
(3) physical host identifier: determined from the source of the Open vSwitch information, using its IP address;
(4) violation operation type: add, delete or modify;
(5) current VxLAN identifier VNI: extracted from the Open vSwitch port information list record;
(6) current VLAN Tag: extracted from the Open vSwitch port information list record;
(7) original VxLAN identifier VNI: extracted from the Neutron virtual port information list record;
(8) original VLAN Tag: obtained by looking up the original VxLAN identifier VNI in the VLAN Tag-VNI correspondence list;
(9) virtual network name: extracted from the Neutron virtual port information list record;
(10) virtual port UUID: extracted from the Open vSwitch port information list record or the Neutron virtual port information list record, depending on the violation operation type;
(11) virtual network UUID: extracted from the Neutron virtual port information list record;
(12) virtual machine UUID: extracted from the Open vSwitch port information list record;
(13) virtual machine MAC address: extracted from the Open vSwitch port information list record;
(14) virtual machine IP address: extracted from the Neutron virtual port information list record;
information fields that cannot be filled because the corresponding record is missing are left empty.
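The comparison of claim 1, steps (b) to (e), together with the alarm fields of claim 4, as an added Python example that is not part of the patent: the function takes the two collected lists and the VLAN tag-VNI list and returns one alarm per add, modify or delete violation, leaving fields empty when their source record is absent. The record keys, the host IP and the sample ports are constructed assumptions.

```python
from datetime import datetime, timezone
from itertools import count

COMPARED = ("vni", "name", "vm_uuid", "vm_mac")   # fields checked in claim 1 step (d)

def reconcile(ovs_ports, neutron_ports, tag_vni, host_ip, seq=None):
    """Return claim-4 style alarms (assumed field names) for ports added,
    modified or deleted on Open vSwitch without going through Neutron."""
    seq = seq if seq is not None else count(1)   # alarm sequence number, field (1)
    vni_tag = {vni: tag for tag, vni in tag_vni.items()}   # reversed VLAN Tag-VNI list
    ovs = {p["uuid"]: p for p in ovs_ports}
    neutron = {p["uuid"]: p for p in neutron_ports}
    alarms = []

    def alarm(kind, o, n):   # fields whose source record is missing stay None
        o, n = o or {}, n or {}
        alarms.append({
            "seq": next(seq), "time": datetime.now(timezone.utc).isoformat(),
            "host": host_ip, "type": kind,
            "cur_vni": o.get("vni"), "cur_vlan_tag": o.get("vlan_tag"),
            "orig_vni": n.get("vni"), "orig_vlan_tag": vni_tag.get(n.get("vni")),
            "net_name": n.get("net_name"), "port_uuid": o.get("uuid") or n.get("uuid"),
            "net_uuid": n.get("net_uuid"), "vm_uuid": o.get("vm_uuid"),
            "vm_mac": o.get("vm_mac"), "vm_ip": n.get("vm_ip")})

    for uuid, o in ovs.items():                  # claim 1 steps (b)-(d)
        n = neutron.get(uuid)
        if n is None:
            alarm("add", o, None)                 # port unknown to Neutron
        elif any(o[f] != n[f] for f in COMPARED):
            alarm("modify", o, n)                 # same port, attributes diverged
    for uuid, n in neutron.items():              # claim 1 step (e)
        if uuid not in ovs:
            alarm("delete", None, n)              # Neutron port gone from the switch
    return alarms

# Constructed sample input: p1 consistent, p2 re-tagged to another VNI on the
# switch, p9 unknown to Neutron, p3 present in Neutron but removed from OVS.
def mac(i):
    return "fa:16:3e:00:00:%02x" % i
OVS_PORTS = [
    {"uuid": "p1", "name": "tap-p1", "vlan_tag": 1, "vni": 100, "vm_uuid": "vm1", "vm_mac": mac(1)},
    {"uuid": "p2", "name": "tap-p2", "vlan_tag": 2, "vni": 200, "vm_uuid": "vm2", "vm_mac": mac(2)},
    {"uuid": "p9", "name": "tap-p9", "vlan_tag": 3, "vni": 300, "vm_uuid": "vm9", "vm_mac": mac(9)}]
def neutron_port(i, vni):
    return {"uuid": f"p{i}", "name": f"tap-p{i}", "net_name": "net-a", "net_uuid": "na",
            "vm_mac": mac(i), "vm_uuid": f"vm{i}", "vm_ip": f"10.0.0.{10 + i}", "vni": vni}
NEUTRON_PORTS = [neutron_port(1, 100), neutron_port(2, 100), neutron_port(3, 100)]
TAG_VNI = {1: 100, 2: 200, 3: 300}   # VLAN tag -> VNI from the flow rules (claim 2 step b)
```

Calling `reconcile(OVS_PORTS, NEUTRON_PORTS, TAG_VNI, "192.0.2.10")` yields a modify alarm for p2, an add alarm for p9 and a delete alarm for p3, in that order.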
5. The system according to claim 4, wherein the violation tracing device collects and searches associated log information according to the generated alarm information, and the specific process of providing the administrator with an alarm tracing report about the violation is as follows:
(a) continuously collecting the logs generated by OpenStack, Open vSwitch, the operating systems of the physical machines and virtual machines, and the security system;
(b) for each alarm record generated by the violation discovery mechanism, taking the alarm time contained in the record as the reference, and querying the log records within a period of time before and after that time that relate to the physical host identifier, VxLAN identifier VNI, VLAN Tag, virtual port UUID, virtual network name, virtual network UUID, virtual machine IP address and virtual machine MAC address contained in the alarm information;
(c) integrating the collected log records, generating a tracing report about the alarm, and submitting it to the administrator.
6. The system according to claim 5, wherein the violation tracing device further has the following functions: automatically judging, from the collected associated log information, and eliminating false alarms caused by an administrator personally operating Open vSwitch directly while bypassing Neutron, and automatically responding and handling them.
CN201810636784.5A 2018-06-20 2018-06-20 Open vSwitch illegal port operation automatic discovery and tracing system in OpenStack platform Active CN108989086B (en)

Publications (2)

Publication Number Publication Date
CN108989086A CN108989086A (en) 2018-12-11
CN108989086B true CN108989086B (en) 2021-03-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant