CN109271217B - Network flow detection method and system under cloud environment - Google Patents

Publication number: CN109271217B (other version: CN109271217A)
Application number: CN201811237301.0A
Authority: CN (China)
Inventors: 吴伟哲, 凌云, 杨晓春, 雷兵, 徐楷, 李昕, 朱钰良
Assignee (current and original): Shanghai Ctrip Business Co Ltd
Legal status: Active
Prior art keywords: agent, network, protocol, cloud environment, server

Classifications

    • G06F9/445 Program loading or initiating
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Abstract

The invention discloses a method and a system for detecting network traffic in a cloud environment. The method comprises the following steps: S1, deploying an agent on each virtual machine in the cloud environment and capturing network packets from the network interface card; S2, parsing and reassembling the packets of the various protocols; S3, sending the parsed packet content to a server; S4, the server matching the packet content against a rule base and analyzing it for abnormal network traffic; and S5, the server raising an alarm in real time for abnormal network traffic. Because the agent deployed on each virtual machine obtains the traffic and sends it to the server, where it is analyzed and alarmed on centrally, the method effectively solves the problem that the communication traffic of virtual machines in a cloud environment is difficult to detect.

Description

Network flow detection method and system under cloud environment
Technical Field
The invention relates to the field of information security, and in particular to a network traffic detection method and system for a cloud environment.
Background
The conventional approach to network traffic detection in a cloud environment is to deploy an IDS (intrusion detection system) at a switch or at the network boundary and to analyze the network traffic by means of traffic mirroring. Traffic exchanged between virtual machines, however, is "invisible" to a conventional IDS. The existing remedy is to pull and steer the network traffic so that the relevant traffic passes through the corresponding security device.
In the prior art, however, network virtualization technology lags behind the virtualization of computing and storage resources, so steering traffic is difficult; secondly, each Cloud Service Provider (CSP) builds its own virtualized network scheme, so the way traffic is steered differs from one provider to the next; finally, on the user side, most early private-cloud builds had no top-level security design and still use a traditional three-tier network architecture, so detection and protection of east-west traffic in a cloud environment is difficult to implement.
Disclosure of Invention
The invention aims to overcome the defect of the prior art that detection and protection of east-west traffic between virtual machines in a cloud environment is difficult to realize, and provides a network traffic detection method and a network traffic detection system for a cloud environment.
The invention solves this technical problem through the following technical scheme:
The invention provides a network traffic detection method for a cloud environment, comprising the following steps:
S1, deploying an agent (a software or hardware entity capable of autonomous activity, commonly called an "agent") on each virtual machine in the cloud environment and capturing network packets from the network interface card;
S2, parsing and reassembling the packets of the various protocols;
S3, sending the parsed packet content to a server side (server);
S4, the server matching the packet content against a rule base and analyzing it for abnormal network traffic;
and S5, the server raising an alarm in real time for abnormal network traffic.
Preferably, step S1 specifically comprises:
S11, the virtual machine downloading the agent;
S12, executing the agent's installation command;
S13, modifying the agent's configuration file to select the protocols to be monitored;
S14, modifying the agent's configuration file to select the network interface card to be bound;
S15, running the agent service, whereupon the agent captures network packets from the network interface card.
Preferably, in step S15, the agent is further set to start automatically at boot.
Preferably, in step S4, the server also displays the packet content visually.
Preferably, the protocols include at least one of ICMP (Internet Control Message Protocol), SSH (Secure Shell), FTP (File Transfer Protocol), DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol).
The invention also provides a network traffic detection system for a cloud environment, comprising:
a deployment module, for deploying an agent on each virtual machine in the cloud environment and capturing network packets from the network interface card;
an analysis module, for parsing and reassembling the packets of the various protocols;
a sending module, for sending the parsed packet content to the server;
and a server, for matching the packet content against a rule base, analyzing it for abnormal network traffic, and raising an alarm in real time for abnormal network traffic.
Preferably, the deployment module comprises:
a downloading unit, for the virtual machine to download the agent;
an installation unit, for executing the agent's installation command;
a protocol selection unit, for modifying the agent's configuration file to select the protocols to be monitored;
a network card selection unit, for modifying the agent's configuration file to select the network interface card to be bound;
and a running unit, for running the agent service, whereupon the agent captures network packets from the network interface card.
Preferably, the running unit is further configured to set the agent to start automatically at boot.
Preferably, the server is further configured to display the packet content visually.
Preferably, the protocols include at least one of ICMP, SSH, FTP, DNS and HTTP.
The positive effect of the invention is as follows: because the agent deployed on each virtual machine obtains the traffic and sends it to the server, where it is analyzed and alarmed on centrally, the method effectively solves the problem that the communication traffic (east-west traffic) of virtual machines in a cloud environment is difficult to detect.
Drawings
Fig. 1 is a flowchart of a network traffic detection method in a cloud environment according to a preferred embodiment of the present invention.
Fig. 2 is a flowchart illustrating step 101 of the network traffic detection method in a cloud environment according to a preferred embodiment of the present invention.
Fig. 3 is a schematic block diagram of a network traffic detection system in a cloud environment according to a preferred embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples, which are not intended to limit its scope.
As shown in Fig. 1, the method for detecting network traffic in a cloud environment according to the invention comprises the following steps:
Step 101, deploying an agent on each virtual machine in the cloud environment and capturing network packets from the network interface card;
Step 102, parsing and reassembling the packets of the various protocols;
Step 103, sending the parsed packet content to the server;
Step 104, the server matching the packet content against the rule base and analyzing it for abnormal network traffic; in step 104 the server may also display the packet content visually;
Step 105, the server raising an alarm in real time for abnormal network traffic.
Specifically, as shown in Fig. 2, step 101 comprises:
Step 1011, the virtual machine downloading the agent;
Step 1012, executing the agent's installation command;
Step 1013, modifying the agent's configuration file to select the protocols to be monitored;
Step 1014, modifying the agent's configuration file to select the network interface card to be bound;
Step 1015, running the agent service, whereupon the agent captures network packets from the network interface card.
In step 1015, the agent may be set to start automatically at boot; the protocols include at least one of ICMP, SSH, FTP, DNS and HTTP.
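As an added example of steps 103 to 105 (the server matching agent reports against a rule base and alerting), not code from the patent: a small Python rule base that consumes the parsed packet reports the agents send. It assumes each agent emits one JSON object per parsed packet with the fields used below; the VM subnet, the approved bastion address, the thresholds and the sample feed are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed policy values (assumptions for this example, not from the patent).
VM_SUBNET = ipaddress.ip_network("10.0.0.0/16")             # east-west VM range
APPROVED_SSH_SOURCES = {ipaddress.ip_address("10.0.0.10")}   # the bastion VM
SSH_BURST_LIMIT, SSH_BURST_WINDOW = 3, 60.0                  # connections per seconds
MAX_DNS_LABEL = 40                                           # chars in one DNS label

Alert = Tuple[str, str, str]  # (rule name, reporting VM, detail)


class RuleBase:
    """Rule base kept by the server; each rule returns a detail string on a match."""

    def __init__(self) -> None:
        self._ssh_seen: Dict[str, Deque[float]] = defaultdict(deque)  # src -> timestamps

    def unapproved_east_west_ssh(self, m: dict) -> Optional[str]:
        if m["proto"] != "SSH":
            return None
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in VM_SUBNET and dst in VM_SUBNET and src not in APPROVED_SSH_SOURCES:
            return f"SSH {src} -> {dst} not from an approved bastion"
        return None

    def ssh_connection_burst(self, m: dict) -> Optional[str]:
        if m["proto"] != "SSH":
            return None
        q = self._ssh_seen[m["src"]]
        q.append(m["ts"])
        while m["ts"] - q[0] > SSH_BURST_WINDOW:  # slide the window forward
            q.popleft()
        if len(q) == SSH_BURST_LIMIT:             # fire once, when the threshold is reached
            return f"{len(q)} SSH connections from {m['src']} within {SSH_BURST_WINDOW:.0f}s"
        return None

    def oversized_dns_label(self, m: dict) -> Optional[str]:
        if m["proto"] != "DNS":
            return None
        longest = max(len(label) for label in m["qname"].rstrip(".").split("."))
        if longest > MAX_DNS_LABEL:
            return f"DNS label of {longest} chars in {m['qname']}"
        return None

    def match(self, m: dict) -> List[Alert]:
        rules = (self.unapproved_east_west_ssh, self.ssh_connection_burst, self.oversized_dns_label)
        return [(r.__name__, m["vm"], d) for r in rules if (d := r(m))]


def process(lines: List[str], rb: Optional[RuleBase] = None) -> List[Alert]:
    """Steps S4/S5: match every agent report against the rule base, in arrival order."""
    rb = rb or RuleBase()
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(rb.match(json.loads(line)))
    return alerts


# Constructed sample feed: one JSON object per parsed packet, as three agents might send it.
SAMPLE = [
    '{"vm":"vm-a","ts":100.0,"proto":"SSH","src":"10.0.0.10","dst":"10.0.1.5","dport":22}',
    '{"vm":"vm-b","ts":102.0,"proto":"SSH","src":"10.0.1.5","dst":"10.0.2.9","dport":22}',
    '{"vm":"vm-b","ts":103.0,"proto":"SSH","src":"10.0.1.5","dst":"10.0.2.10","dport":22}',
    '{"vm":"vm-b","ts":104.0,"proto":"SSH","src":"10.0.1.5","dst":"10.0.2.11","dport":22}',
    '{"vm":"vm-c","ts":105.0,"proto":"DNS","src":"10.0.2.9","dst":"10.0.0.53","qname":"' + "a" * 48 + '.example.test"}',
]
```

Running `process(SAMPLE)` yields five alerts: three for east-west SSH from a non-bastion VM, one when that source reaches the burst threshold, and one for the oversized DNS label. Because each report originates inside the guest it monitors (step S1), the server should treat the feed as untrusted input; this example reads only the keys it uses and does not cover the transport of step S3.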
As shown in Fig. 3, the network traffic detection system in a cloud environment according to the invention comprises a deployment module 1, an analysis module 2, a sending module 3 and a server 4:
the deployment module 1 is used for deploying an agent on each virtual machine in the cloud environment and capturing network packets from the network interface card;
the analysis module 2 is used for parsing and reassembling the packets of the various protocols;
the sending module 3 is used for sending the parsed packet content to the server;
the server 4 is used for matching the packet content against the rule base, analyzing it for abnormal network traffic, and raising an alarm in real time for abnormal network traffic.
Specifically, the deployment module 1 comprises:
a downloading unit 11, for the virtual machine to download the agent;
an installation unit 12, for executing the agent's installation command;
a protocol selection unit 13, for modifying the agent's configuration file to select the protocols to be monitored;
a network card selection unit 14, for modifying the agent's configuration file to select the network interface card to be bound;
and a running unit 15, for running the agent service, whereupon the agent captures network packets from the network interface card, and for setting the agent to start automatically at boot.
In a specific implementation of the invention, the server is further configured to display the packet content visually; in addition, the protocols preferably include at least one of ICMP, SSH, FTP, DNS and HTTP.
The improvement of the invention is that network traffic packets are captured and collected on the cloud host itself and sent to the server for intrusion-detection anomaly analysis. This differs from a traditional IDS, which can only inspect a mirror of the network traffic, and so solves the problem that traditional methods cannot perform security detection on the traffic between virtual machines (east-west traffic) in a cloud environment.
While specific embodiments of the invention have been described above, it will be appreciated by those skilled in the art that this is by way of example only, and that the scope of the invention is defined by the appended claims. Various changes and modifications to these embodiments may be made by those skilled in the art without departing from the spirit and scope of the invention, and these changes and modifications are within the scope of the invention.

Claims (8)

1. A network traffic detection method in a cloud environment, characterized by comprising the following steps:
S1, deploying an agent on each virtual machine in the cloud environment and capturing network messages (packets) from the network interface card;
S2, parsing and reassembling the network messages of the various protocols;
S3, sending the parsed message content to a server;
S4, the server matching the message content against a rule base and analyzing it for abnormal network traffic;
S5, the server raising an alarm in real time for abnormal network traffic;
wherein step S1 specifically comprises:
S11, the virtual machine downloading the agent;
S12, executing the agent's installation command;
S13, modifying the agent's configuration file to select the protocols to be monitored;
S14, modifying the agent's configuration file to select the network interface card to be bound;
S15, running the agent service, whereupon the agent captures network messages from the network interface card.
2. The method for detecting network traffic in a cloud environment of claim 1, wherein in step S15 the agent is further configured to start automatically at boot.
3. The method for detecting network traffic in a cloud environment of claim 1, wherein in step S4 the server further displays the message content visually.
4. The method for detecting network traffic in a cloud environment according to claim 1, wherein the protocols include at least one of ICMP, SSH, FTP, DNS and HTTP.
5. A system for detecting network traffic in a cloud environment, comprising:
a deployment module, for deploying an agent on each virtual machine in the cloud environment and capturing network messages from the network interface card;
an analysis module, for parsing and reassembling the network messages of the various protocols;
a sending module, for sending the parsed message content to the server;
a server, for matching the message content against a rule base, analyzing it for abnormal network traffic, and raising an alarm in real time for abnormal network traffic;
wherein the deployment module comprises:
a downloading unit, for the virtual machine to download the agent;
an installation unit, for executing the agent's installation command;
a protocol selection unit, for modifying the agent's configuration file to select the protocols to be monitored;
a network card selection unit, for modifying the agent's configuration file to select the network interface card to be bound;
and a running unit, for running the agent service, whereupon the agent captures network messages from the network interface card.
6. The system for detecting network traffic in a cloud environment of claim 5, wherein the running unit is further configured to set the agent to start automatically at boot.
7. The system according to claim 5, wherein the server is further configured to display the message content visually.
8. The system for detecting network traffic in a cloud environment according to claim 5, wherein the protocols include at least one of ICMP, SSH, FTP, DNS and HTTP.
Application CN201811237301.0A, priority date 2018-10-23, filing date 2018-10-23, "Network flow detection method and system under cloud environment", status Active.

Publications (2)

Publication Number Publication Date
CN109271217A (en) 2019-01-25
CN109271217B (en) 2022-02-11

Family ID: 65193906


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant