CN109525581A - Cloud resource security control method and system - Google Patents

Info

Publication number: CN109525581A (granted as CN109525581B)
Application number: CN201811376253.3A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 张征
Current assignee / original assignee: China Mobile Group Guangdong Co Ltd
Prior art keywords: security, resource, secure resources, security domain, domain
Legal status: granted; currently Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)

Events: application filed by China Mobile Group Guangdong Co Ltd; priority to CN201811376253.3A; publication of CN109525581A; application granted; publication of CN109525581B; expired (fee related); anticipated expiration.

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, monitoring network traffic)
    • H04L2463/146 Tracing the source of attacks (under H04L2463/00, additional details for H04L63/00)
    • H04L63/1458 Denial of Service (under H04L63/1441, countermeasures against malicious traffic)


Abstract

The invention discloses a cloud resource security control method comprising the following steps: obtaining the traffic of each server in a cloud computing platform and dividing the platform into multiple security domains according to the traffic of each server, the security domains being isolated from one another; extracting part of the security resources of each server of the platform and integrating them into a security resource pool; deploying a security probe in each server; and, when the traffic growth of a security domain is abnormal, taking that security domain as the target security domain and allocating security resources from the pool matched to the traffic growth to perform security services for the target security domain. The invention also discloses a cloud resource security control system. The method and system adapt to the changing demand for protection capability when traffic at a security domain boundary changes, effectively improve the security of the whole system, greatly shorten recovery time, and ensure safe and stable operation of the system.

Description

Cloud resource security control method and system
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a cloud resource security control method and system.
Background technique
Currently mainstream virtualization and cloud computing technologies have been used to build a cloud resource pool that carries Guangdong Mobile's application services. The resource pool virtualizes physical servers into a number of virtual hosts to provide infrastructure support services for business systems, and together with the network and storage design gives business systems on-demand allocation of computing resources, elastic migration and expansion, and high-availability redundancy. Business system infrastructure built on a cloud resource pool undoubtedly brings advantages such as more efficient resource utilization and better availability, but the cloud resource pool model also introduces new security problems, including the monitoring of virtualized objects, security risks at the virtualization layer, and the risk of mismanagement that highly concentrated resource allocation may bring. Security monitoring and protection of the cloud resource pool therefore require new design and consideration.
In the prior art, the security of a cloud computing platform is mostly handled by each server scheduling only its own security resources. When a single server is intruded, its security resources are insufficient, the system crashes, and the security of the entire cloud computing platform is threatened.
Summary of the invention
The technical problem to be solved by the present invention is that, in the prior art, the security of a cloud computing platform is mostly handled by each server scheduling only its own security resources, so that when a single server is intruded its security resources are insufficient, the system crashes, and the security of the entire platform is threatened. The object of the present invention is to provide a cloud resource security control method and system that solve this problem.
The present invention is achieved through the following technical solution:
A cloud resource security control method comprising the following steps. S1: obtain the traffic of each server in the cloud computing platform and divide the platform into multiple security domains according to the traffic of each server, the security domains being isolated from one another; extract part of the security resources of each server of the platform and integrate them into a security resource pool; deploy a security probe in each server. S2: when the traffic growth of a security domain is abnormal, take that security domain as the target security domain and allocate security resources from the pool matched to the traffic growth to perform security services for the target security domain. S3: trace the intrusion source using the security probes and block it.
In application, the present invention first obtains the traffic of each server in the cloud computing platform, divides the platform into multiple security domains according to that traffic, and isolates the security domains from one another. This makes it convenient to balance security service resources, and the isolation ensures that after one security domain is intruded the intruder can obtain only the permissions of that one domain, so the intrusion can be cleared by bringing in the security resources of the other security domains. The security probe deployed in each server makes it easy to trace the intrusion and to complete the subsequent blocking.
When the traffic growth of a security domain is abnormal, traffic statistics are computed as follows:
Define the variables at time t: the raw traffic is S(t), the overall mean is k(t), the traffic difference is W(t), and the differential variance is var(t). The statistic is then computed by the following formula:
W(t) = S(t) - S(t-1), t > 1
To measure the traffic magnitude at time t, an evaluation function M(t) is defined,
in which low*k(t) is the lower bound for heavy traffic and high*k(t) is the acceptable upper bound of the traffic rate. The judgement criterion is as follows:
When M(t) is 0, no attack is considered to have occurred; when M(t) is greater than 0, a suspected attack is considered to have occurred; and when M(t) is 1, the server is considered paralysed.
When a suspected attack occurs, the security domain is taken as the target security domain and security resources matched to the traffic growth are allocated from the security resource pool to perform security services for it. Because the resources are chosen from the entire pool, the security services, which may be traffic identification and monitoring, analysis and detection, access control and the like, are backed by the pooled resources as a whole, so even if the servers of a security domain are completely paralysed they can be quickly restored from the security resource pool. Finally, the intrusion source is traced using the security probes and blocked, completing the entire intrusion-prevention action. By providing the above steps, the present invention adapts to the changing demand for protection capability when traffic at a security domain boundary changes, effectively improves the security of the whole system, greatly shortens recovery time, and ensures safe and stable operation of the system.
Further, step S1 includes the following sub-step: count the traffic of each server in the cloud computing platform and distribute the servers into multiple security domains so that the traffic of each security domain is the same or similar.
In application, this makes the allocation of security resources to each security domain more efficient. The optimal case is that every security domain has identical traffic, but traffic is itself a floating value, so similar traffic is also an acceptable range. Whether traffic is similar can be judged by variance: form a sequence from the traffic of all security domains and compute its variance; the plan with the smallest variance is the optimal security domain partitioning plan.
Further, step S2 includes the following sub-steps. S21: obtain the parameters of each security resource in the security resource pool, the parameters including the remaining load capacity of the resource, the physical distance between the resource and the target security domain, and the elastic scaling capability of the resource. S22: estimate the amount of resources required to handle the target security domain, and select multiple groups of security resources from the pool such that the remaining load capacity of each group exceeds the resource requirement of the target security domain. S23: perform linear regression on the parameters of each group of security resources and, according to the regression result, choose the optimal group to allocate to the target security domain for security services.
In application, to make the allocation of resources from the security resource pool more reasonable, the situation of each security resource in the pool must be considered as a whole. The parameters of each security resource in the pool are therefore obtained first: the remaining load capacity of the resource, the physical distance between the resource and the target security domain, and the elastic scaling capability of the resource.
The resource requirement for handling the target security domain is then estimated; it can be judged from the traffic volume of the intrusion. Multiple groups of security resources are selected as candidate groups, and the candidate groups are then evaluated. The evaluation uses linear regression, which has a very low computational cost and is therefore well suited to allocating security resources in an emergency.
Further, step S23 includes the following sub-steps: judge the type of the current intrusion from the security situation of the target security domain; choose the weight of each parameter of each security resource according to the intrusion type, and normalize the parameters of each security resource to obtain normalized parameters; perform linear regression on the normalized parameters with the chosen weights to obtain an evaluation score for each group of security resources; and allocate the group with the best score to the target security domain for security services.
In application, different intrusion types require different kinds of security resources, and the weight of each parameter reflects the importance of that parameter for the intrusion type. For a distributed denial of service attack, the most common DDoS attack, the elastic scaling capability of a security resource has little influence on the allocation at this stage, since there is no time to scale elastically and then begin operation, whereas the network latency represented by the physical distance between the security resource and the target security domain plays a greater role here (the lower the latency the better), and the remaining load capacity, as the most decisive parameter and the one that reflects computing power, must carry the largest weight.
For an ARP spoofing attack, on the other hand, the influence of network latency is small; a large amount of computing power is enough to deal with the ARP spoofing, so the weight of the physical distance between the security resource and the target security domain can be lowered to a very small value, even 0.
Further, when the current intrusion type is a DDoS intrusion, the weight of the remaining load capacity of the security resources is increased, the weight of the physical distance between each security resource and the target security domain is increased, and the weight of the elastic scaling capability of each security resource is reduced.
Further, step S22 includes the following sub-step: before selecting multiple groups of security resources from the pool, allocate the security resource in the pool that has the smallest computational load and is completely idle to the target security domain as a priority resource to perform security services; when the groups of security resources are then selected, every group includes the priority resource.
In application, because network attacks occur suddenly, intervening with security services before the attacked server is completely paralysed protects data to the greatest extent. The invention therefore allocates the completely idle security resource with the smallest computational load to the target security domain as a priority resource. In general the resource with the smallest computational load is the fastest to call up, so allocating it quickly to the target security domain allows security services to start at the earliest moment.
A cloud resource security control system comprising a cloud computing platform and a security cloud control platform. The security cloud control platform includes a data acquisition unit, a security domain unit, a matching unit and a security resource allocation unit. The data acquisition unit obtains the traffic of each server in the cloud computing platform. The security domain unit divides the platform into multiple security domains according to the traffic of each server, the security domains being isolated from one another. The security resource allocation unit extracts part of the security resources of each server of the platform and integrates them into a security resource pool, and deploys a security probe in each server. The matching unit, when the traffic growth of a security domain is abnormal, takes that security domain as the target security domain and allocates security resources matched to the traffic growth from the pool to perform security services for the target security domain. The security resource allocation unit is further used to trace the intrusion source using the security probes and block it.
In application, the system first obtains the traffic of each server in the cloud computing platform, divides the platform into multiple security domains according to that traffic, and isolates the security domains from one another. This makes it convenient to balance security service resources, and the isolation ensures that after one security domain is intruded the intruder can obtain only the permissions of that one domain, so the intrusion can be cleared by bringing in the security resources of the other security domains. The security probe deployed in each server makes it easy to trace the intrusion and to complete the subsequent blocking.
When an attack occurs, the security domain is taken as the target security domain and security resources matched to the traffic growth are allocated from the security resource pool to perform security services for it. Because the resources are chosen from the entire pool, the security services, which may be traffic identification and monitoring, analysis and detection, access control and the like, are backed by the pooled resources as a whole, so even if the servers of a security domain are completely paralysed they can be quickly restored from the security resource pool. Finally, the intrusion source is traced using the security probes and blocked, completing the entire intrusion-prevention action. By providing the above units, the present invention adapts to the changing demand for protection capability when traffic at a security domain boundary changes, effectively improves the security of the whole system, greatly shortens recovery time, and ensures safe and stable operation of the system.
Further, the data acquisition unit is also used to obtain the parameters of each security resource in the security resource pool, the parameters including the remaining load capacity of the resource, the physical distance between the resource and the target security domain, and the elastic scaling capability of the resource. The security resource allocation unit is also used to estimate the resource requirement for handling the target security domain and to select multiple groups of security resources from the pool such that the remaining load capacity of each group exceeds that requirement; and it is also used to perform linear regression on the parameters of each group and, according to the regression result, choose the optimal group to allocate to the target security domain for security services.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
The cloud resource security control method and system of the present invention adapt to the changing demand for protection capability when traffic at a security domain boundary changes, effectively improve the security of the whole system, greatly shorten recovery time, and ensure safe and stable operation of the system.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to embodiments. The exemplary embodiments of the present invention and their explanation serve only to explain the invention and are not intended to limit it.
Embodiment 1
The cloud resource security control method of the present invention comprises the following steps. S1: obtain the traffic of each server in the cloud computing platform and divide the platform into multiple security domains according to the traffic of each server, the security domains being isolated from one another; extract part of the security resources of each server of the platform and integrate them into a security resource pool; deploy a security probe in each server. S2: when the traffic growth of a security domain is abnormal, take that security domain as the target security domain and allocate security resources from the pool matched to the traffic growth to perform security services for the target security domain. S3: trace the intrusion source using the security probes and block it.
When this embodiment is implemented, the traffic of each server in the cloud computing platform is obtained first, the platform is divided into multiple security domains according to that traffic, and the security domains are isolated from one another. This makes it convenient to balance security service resources, and the isolation ensures that after one security domain is intruded the intruder can obtain only the permissions of that one domain, so the intrusion can be cleared by bringing in the security resources of the other security domains. The security probe deployed in each server makes it easy to trace the intrusion and to complete the subsequent blocking.
When the traffic growth of a security domain is abnormal, traffic statistics are computed as follows:
Define the variables at time t: the raw traffic is S(t), the overall mean is k(t), the traffic difference is W(t), and the differential variance is var(t). The statistic is then computed by the following formula:
W(t) = S(t) - S(t-1), t > 1
To measure the traffic magnitude at time t, an evaluation function M(t) is defined,
in which low*k(t) is the lower bound for heavy traffic and high*k(t) is the acceptable upper bound of the traffic rate. The judgement criterion is as follows:
When M(t) is 0, no attack is considered to have occurred; when M(t) is greater than 0, a suspected attack is considered to have occurred; and when M(t) is 1, the server is considered paralysed.
When a suspected attack occurs, the security domain is taken as the target security domain and security resources matched to the traffic growth are allocated from the security resource pool to perform security services for it. Because the resources are chosen from the entire pool, the security services, which may be traffic identification and monitoring, analysis and detection, access control and the like, are backed by the pooled resources as a whole, so even if the servers of a security domain are completely paralysed they can be quickly restored from the security resource pool. Finally, the intrusion source is traced using the security probes and blocked, completing the entire intrusion-prevention action. By providing the above steps, the present invention adapts to the changing demand for protection capability when traffic at a security domain boundary changes, effectively improves the security of the whole system, greatly shortens recovery time, and ensures safe and stable operation of the system.
Embodiment 2
This embodiment builds on embodiment 1; step S1 includes the following sub-step: count the traffic of each server in the cloud computing platform and distribute the servers into multiple security domains so that the traffic of each security domain is the same or similar.
When this embodiment is implemented, the allocation of security resources to each security domain becomes more efficient. The optimal case is that every security domain has identical traffic, but traffic is itself a floating value, so similar traffic is also an acceptable range. Whether traffic is similar can be judged by variance: form a sequence from the traffic of all security domains and compute its variance; the plan with the smallest variance is the optimal security domain partitioning plan.
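As an added illustration (example code, not part of the patent), the variance criterion of this embodiment applied to a constructed set of per-server traffic figures: two candidate partitions into three security domains are built and the one whose per-domain traffic has the smallest variance is kept. The greedy largest-first heuristic that produces the second plan is an assumption; the patent specifies only the variance comparison.

```python
from statistics import pvariance

# Constructed sample input (not from the patent): measured traffic per server
# in Mbit/s, as gathered in step S1.
TRAFFIC_MBPS = {
    "srv-a": 900, "srv-b": 120, "srv-c": 480,
    "srv-d": 300, "srv-e": 150, "srv-f": 660,
}


def domain_traffic(plan, traffic):
    """Total traffic of every security domain in a plan (list of server lists)."""
    return [sum(traffic[server] for server in domain) for domain in plan]


def plan_variance(plan, traffic):
    """The patent's criterion: variance of the per-domain traffic sequence."""
    return pvariance(domain_traffic(plan, traffic))


def round_robin_plan(traffic, n_domains):
    """Naive plan: deal servers out to domains in the order they were listed."""
    plan = [[] for _ in range(n_domains)]
    for i, server in enumerate(traffic):
        plan[i % n_domains].append(server)
    return plan


def greedy_balanced_plan(traffic, n_domains):
    """Assumed heuristic (not the patent's): place servers largest-first into
    whichever domain currently carries the least traffic."""
    plan = [[] for _ in range(n_domains)]
    load = [0] * n_domains
    for server, mbps in sorted(traffic.items(), key=lambda kv: kv[1], reverse=True):
        lightest = min(range(n_domains), key=lambda d: load[d])
        plan[lightest].append(server)
        load[lightest] += mbps
    return plan


def choose_plan(traffic, n_domains, builders=(round_robin_plan, greedy_balanced_plan)):
    """Build one plan per strategy and keep the one with the smallest variance."""
    plans = [build(traffic, n_domains) for build in builders]
    return min(plans, key=lambda plan: plan_variance(plan, traffic))


if __name__ == "__main__":
    for build in (round_robin_plan, greedy_balanced_plan):
        plan = build(TRAFFIC_MBPS, 3)
        print(build.__name__, domain_traffic(plan, TRAFFIC_MBPS),
              "variance", plan_variance(plan, TRAFFIC_MBPS))
```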
Embodiment 3
This embodiment builds on embodiment 1; step S2 includes the following sub-steps. S21: obtain the parameters of each security resource in the security resource pool, the parameters including the remaining load capacity of the resource, the physical distance between the resource and the target security domain, and the elastic scaling capability of the resource. S22: estimate the amount of resources required to handle the target security domain, and select multiple groups of security resources from the pool such that the remaining load capacity of each group exceeds the resource requirement of the target security domain. S23: perform linear regression on the parameters of each group of security resources and, according to the regression result, choose the optimal group to allocate to the target security domain for security services.
When this embodiment is implemented, to make the allocation of resources from the security resource pool more reasonable, the situation of each security resource in the pool must be considered as a whole. The parameters of each security resource in the pool are therefore obtained first: the remaining load capacity of the resource, the physical distance between the resource and the target security domain, and the elastic scaling capability of the resource.
The resource requirement for handling the target security domain is then estimated; it can be judged from the traffic volume of the intrusion. Multiple groups of security resources are selected as candidate groups, and the candidate groups are then evaluated. The evaluation uses linear regression, which has a very low computational cost and is therefore well suited to allocating security resources in an emergency.
Embodiment 4
This embodiment builds on embodiment 3; step S23 includes the following sub-steps: judge the type of the current intrusion from the security situation of the target security domain; choose the weight of each parameter of each security resource according to the intrusion type, and normalize the parameters of each security resource to obtain normalized parameters; perform linear regression on the normalized parameters with the chosen weights to obtain an evaluation score for each group of security resources; and allocate the group with the best score to the target security domain for security services.
When this embodiment is implemented, different intrusion types require different kinds of security resources, and the weight of each parameter reflects the importance of that parameter for the intrusion type. For a distributed denial of service attack, the most common DDoS attack, the elastic scaling capability of a security resource has little influence on the allocation at this stage, since there is no time to scale elastically and then begin operation, whereas the network latency represented by the physical distance between the security resource and the target security domain plays a greater role here (the lower the latency the better), and the remaining load capacity, as the most decisive parameter and the one that reflects computing power, must carry the largest weight.
For an ARP spoofing attack, on the other hand, the influence of network latency is small; a large amount of computing power is enough to deal with the ARP spoofing, so the weight of the physical distance between the security resource and the target security domain can be lowered to a very small value, even 0.
Embodiment 5
The present embodiment builds on embodiment 3. Step S22 includes the following sub-steps: before multiple groups of security resources are selected from the security resource pool, the security resource in the pool that has the smallest computational load and is completely idle is allocated to the target security domain as the priority resource to perform the security service; when the multiple groups of security resources are then selected, every group includes the priority resource.
When this embodiment is implemented, network attacks occur suddenly, and if the security service can intervene before the attacked server is completely paralysed, data security can be ensured to the greatest extent. The invention therefore allocates the completely idle security resource with the smallest computational load to the target security domain as the priority resource. In general the security resource with the smallest computational load is the fastest to call up, so quickly allocating this resource to the target security domain to perform the security service opens the security service at the earliest possible moment.
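The following Python example is added here to illustrate the resource selection of embodiments 4 and 5 together; it is not code from the patent or from the applicant. Resource names, parameter values, the weight tables per intrusion type, the estimated demand and the rule that a group's evaluation value is the mean of its members' scores are all constructed assumptions, chosen only to follow the text (largest weight on remaining load for DDoS, distance weight reduced to 0 for ARP spoofing).

```python
"""Added example (not the patent's code): ranking candidate groups of security
resources for a target security domain as described in embodiments 4 and 5.
Resource names, parameter values, weights and the estimated demand are all
constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class SecurityResource:
    name: str
    remaining_load: float  # spare processing capacity (arbitrary units)
    distance_km: float     # physical distance to the target security domain
    elasticity: float      # elastic scaling ability, 0.0 (fixed) .. 1.0 (fully elastic)
    compute_load: float    # computation needed to bring the resource into service
    idle: bool             # True when the resource currently serves no domain


# Hypothetical weight tables per intrusion type, following the text: for DDoS
# the remaining load takes the largest weight and distance (latency) a sizeable
# one; for ARP spoofing raw compute dominates and the distance weight drops to 0.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "ddos":      {"remaining_load": 0.6, "distance_km": 0.3, "elasticity": 0.1},
    "arp_spoof": {"remaining_load": 0.9, "distance_km": 0.0, "elasticity": 0.1},
}

# Constructed sample pool: name, remaining_load, distance_km, elasticity,
# compute_load, idle.
SAMPLE_POOL: List[SecurityResource] = [
    SecurityResource("fw-a",    40, 5,   0.2, 3,  True),
    SecurityResource("fw-b",    80, 120, 0.9, 10, False),
    SecurityResource("ids-c",   60, 30,  0.5, 6,  True),
    SecurityResource("scrub-d", 70, 400, 1.0, 20, True),
]


def pick_priority_resource(pool: Sequence[SecurityResource]) -> SecurityResource:
    """Embodiment 5: the completely idle resource with the smallest compute
    load is brought online first because it is the fastest to call up."""
    idle = [r for r in pool if r.idle]
    if not idle:
        raise ValueError("no idle security resource in the pool")
    return min(idle, key=lambda r: r.compute_load)


def normalise(pool: Sequence[SecurityResource]) -> Dict[str, Dict[str, float]]:
    """Min-max normalise every parameter to [0, 1] across the pool.  Distance
    is inverted so that 1.0 is always the preferred end of each scale."""
    def scale(values: List[float], invert: bool = False) -> List[float]:
        lo, hi = min(values), max(values)
        span = (hi - lo) or 1.0          # a constant column normalises to 0.0
        out = [(v - lo) / span for v in values]
        return [1.0 - x for x in out] if invert else out

    load = scale([r.remaining_load for r in pool])
    dist = scale([r.distance_km for r in pool], invert=True)
    elas = scale([r.elasticity for r in pool])
    return {r.name: {"remaining_load": l, "distance_km": d, "elasticity": e}
            for r, l, d, e in zip(pool, load, dist, elas)}


def resource_score(norm: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted linear evaluation of one resource's normalised parameters."""
    return sum(weights[k] * norm[k] for k in weights)


def candidate_groups(pool: Sequence[SecurityResource], demand: float
                     ) -> List[Tuple[SecurityResource, ...]]:
    """Step S22: every group contains the priority resource and its total
    remaining load must cover the estimated demand of the target domain."""
    prio = pick_priority_resource(pool)
    others = [r for r in pool if r is not prio]
    groups = []
    for k in range(len(others) + 1):
        for combo in combinations(others, k):
            group = (prio,) + combo
            if sum(r.remaining_load for r in group) >= demand:
                groups.append(group)
    return groups


def select_group(pool: Sequence[SecurityResource], demand: float,
                 intrusion_type: str) -> Tuple[str, ...]:
    """Step S23: score every candidate group and return the names of the best
    one.  A group's score is the mean of its members' scores (an assumption;
    the patent does not say how member values are aggregated)."""
    weights = WEIGHTS[intrusion_type]
    norm = normalise(pool)
    groups = candidate_groups(pool, demand)
    if not groups:
        raise ValueError("the pool cannot cover the estimated demand")

    def group_score(group: Tuple[SecurityResource, ...]) -> float:
        return sum(resource_score(norm[r.name], weights) for r in group) / len(group)

    best = max(groups, key=group_score)
    return tuple(r.name for r in best)


if __name__ == "__main__":
    for kind in WEIGHTS:
        print(kind, "->", select_group(SAMPLE_POOL, demand=90, intrusion_type=kind))
```

With the sample pool, the DDoS weights keep the far-away (high-latency) `scrub-d` out of the chosen group, while the ARP-spoofing weights, which ignore distance, pull it in for its capacity; the idle, low-load `fw-a` is part of every candidate group in both cases, as embodiment 5 requires.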
Embodiment 6
A cloud resource security management and control system of the present invention includes a cloud computing platform and a cloud security control platform. The cloud security control platform includes a data acquisition unit, a security domain unit, a matching unit and a security resource allocation unit. Data acquisition unit: obtains the traffic of each server in the cloud computing platform. Security domain unit: divides the cloud computing platform into multiple security domains according to the traffic of each server, the multiple security domains being isolated from one another. Security resource allocation unit: extracts part of the resources from the security resources of each server of the cloud computing platform and integrates them to form a security resource pool, and deploys a security probe in each server. Matching unit: when the traffic growth of a security domain is abnormal, takes that security domain as the target security domain and calls up, from the security resource pool, security resources matched to the traffic growth to perform the security service for the target security domain. The security resource allocation unit is further used to trace the intrusion source according to the security probes and to execute the blocking.
When this embodiment is implemented, the traffic of each server in the cloud computing platform is first acquired, and the cloud computing platform is divided into multiple security domains according to the traffic of each server, with the multiple security domains isolated from one another. This makes it convenient to allocate and balance security service resources, and the isolation between the security domains ensures that once a security domain is compromised, the intruder can obtain only the permissions of that one security domain, at which point the intrusion can be cleared by calling up the security resources of the other security domains. Deploying a security probe in each server makes it convenient to trace the intrusion and to complete the subsequent blocking action.
When an attack occurs, the affected security domain is taken as the target security domain, and security resources matched to the traffic growth are called up from the security resource pool to perform the security service for the target security domain. Because the resources are chosen from the entire security resource pool, the security service (which here may be traffic identification and monitoring, analysis and detection, access control and the like) is performed by pooling resources as a whole, so that even if a server in one security domain is completely paralysed, it can be restored quickly from the security resource pool. Finally, the intrusion source is traced according to the security probes and the blocking is executed, which completes the whole intrusion-prevention action. By providing the above units, the invention meets the change in the demand for security protection capability when the traffic at a security domain boundary changes, effectively improves the security of the whole system, greatly shortens the response time, and ensures the safe and stable operation of the system.
The specific embodiments described above explain the purpose, technical solution and beneficial effects of the present invention in further detail. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit the protection scope of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
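The following Python example is added here to illustrate the system of embodiment 6 and claims 1 and 2; it is not code from the patent or from the applicant. It covers the three things the units do that the text describes but does not give an algorithm for: splitting servers into security domains with similar traffic (a greedy longest-processing-time assignment is an assumption, the patent names no algorithm), picking the target security domain from an abnormal traffic growth factor (the threshold of 3x is constructed), and tracing the most frequent source in the target domain's probe records so the blocking step has something to act on. Server names, traffic figures, probe records and addresses are constructed sample data.

```python
"""Added example (not the patent's code): traffic-balanced security domains,
detection of the target security domain, and probe-based source tracing, as
described in claims 1 and 2 and embodiment 6.  Server names, traffic figures,
probe records and IP addresses are constructed sample data."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed: average traffic per server in Mbit/s, as the data acquisition
# unit would collect it.
SAMPLE_TRAFFIC: Dict[str, float] = {
    "web-1": 120, "web-2": 95, "api-1": 80, "db-1": 60,
    "db-2": 55, "auth-1": 40, "cache-1": 30, "batch-1": 20,
}

# Constructed: records written by the per-server security probes (the server
# that observed the traffic and the source address).  TEST-NET addresses only.
SAMPLE_PROBE_EVENTS: List[Dict[str, str]] = [
    {"server": "web-1", "src": "203.0.113.7"},
    {"server": "auth-1", "src": "203.0.113.7"},
    {"server": "web-1", "src": "198.51.100.4"},
    {"server": "web-2", "src": "198.51.100.9"},
]


def partition_security_domains(traffic: Dict[str, float], n_domains: int
                               ) -> Tuple[List[List[str]], List[float]]:
    """Claim 2: distribute servers into domains so the per-domain traffic is
    the same or similar.  Greedy longest-processing-time assignment (an
    assumption; the patent does not name an algorithm): take servers from the
    heaviest down and always add the next one to the lightest domain so far."""
    domains: List[List[str]] = [[] for _ in range(n_domains)]
    totals = [0.0] * n_domains
    for server, load in sorted(traffic.items(), key=lambda kv: (-kv[1], kv[0])):
        lightest = totals.index(min(totals))
        domains[lightest].append(server)
        totals[lightest] += load
    return domains, totals


def find_target_domain(baseline: List[float], current: List[float],
                       threshold: float = 3.0) -> Optional[int]:
    """Step S2: the domain whose traffic has grown the most, provided the growth
    factor exceeds `threshold` (constructed value), becomes the target security
    domain; None means no domain shows abnormal amplification."""
    target, worst = None, threshold
    for i, (before, now) in enumerate(zip(baseline, current)):
        ratio = now / before if before else float("inf")
        if ratio > worst:
            target, worst = i, ratio
    return target


def trace_source(events: List[Dict[str, str]], domain_members: List[str]
                 ) -> Optional[str]:
    """Step S3: aggregate the probe records of the target domain's servers and
    return the source seen most often, the address the blocking step acts on."""
    members = set(domain_members)
    hits = Counter(e["src"] for e in events if e["server"] in members)
    return hits.most_common(1)[0][0] if hits else None


if __name__ == "__main__":
    domains, baseline = partition_security_domains(SAMPLE_TRAFFIC, 3)
    print("domains:", domains, "baseline:", baseline)
    current = [700.0, 180.0, 165.0]        # constructed: domain 0 under attack
    target = find_target_domain(baseline, current)
    print("target security domain:", target)
    if target is not None:
        print("trace:", trace_source(SAMPLE_PROBE_EVENTS, domains[target]))
```

Because the probe records are filtered by the target domain's own servers, a source that is only seen in another domain (198.51.100.9 in the sample) never influences the trace result, which is the isolation property the embodiment relies on.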

Claims (8)

1. A cloud resource security control method, characterized by comprising the following steps:
S1: obtaining the traffic of each server in a cloud computing platform, and dividing the cloud computing platform into multiple security domains according to the traffic of each server, the multiple security domains being isolated from one another; extracting part of the resources from the security resources of each server of the cloud computing platform and integrating them to form a security resource pool; and deploying a security probe in each server;
S2: when the traffic growth of a security domain is abnormal, taking that security domain as the target security domain, and calling up from the security resource pool security resources matched to the traffic growth to perform a security service for the target security domain;
S3: tracing the intrusion source according to the security probes, and executing the blocking.
2. The cloud resource security control method according to claim 1, characterized in that step S1 comprises the following sub-step:
counting the traffic of each server in the cloud computing platform and distributing the servers into the multiple security domains so that the traffic of each security domain is the same or similar.
3. The cloud resource security control method according to claim 1, characterized in that step S2 comprises the following sub-steps:
S21: obtaining the parameters of each security resource in the security resource pool, the parameters including the remaining load capacity of each security resource, the physical distance between each security resource and the target security domain, and the elastic scaling situation of each security resource;
S22: estimating the resource requirement for handling the target security domain, and selecting multiple groups of security resources from the security resource pool, the remaining load capacity of each group of security resources exceeding the resource requirement of the target security domain;
S23: performing a linear regression on the parameters of the security resources within each group, and selecting, according to the linear regression result, the optimal group of security resources to allocate to the target security domain to perform the security service.
4. The cloud resource security control method according to claim 3, characterized in that step S23 comprises the following sub-steps:
determining the type of the current intrusion according to the security situation of the target security domain;
selecting, according to the intrusion type, the weight value corresponding to each parameter of each security resource, and normalizing the parameters of each security resource to obtain normalized parameters;
performing a linear regression on the normalized parameters according to the selected weight values to obtain an evaluation value for each group of security resources, and selecting the group of security resources with the best evaluation value to allocate to the target security domain to perform the security service.
5. The cloud resource security control method according to claim 4, characterized in that, when the current intrusion type is a DDoS intrusion, the weight of the remaining load capacity of the security resources is increased, the weight of the physical distance between each security resource and the target security domain is increased, and the weight of the elastic scaling situation of each security resource is reduced.
6. The cloud resource security control method according to claim 3, characterized in that step S22 comprises the following sub-steps:
before selecting the multiple groups of security resources from the security resource pool, allocating the security resource in the pool that has the smallest computational load and is completely idle to the target security domain as the priority resource to perform the security service;
when selecting the multiple groups of security resources, including the priority resource in every group of security resources.
7. A cloud resource security management and control system, characterized by comprising a cloud computing platform and a cloud security control platform;
the cloud security control platform comprising a data acquisition unit, a security domain unit, a matching unit and a security resource allocation unit;
the data acquisition unit: for obtaining the traffic of each server in the cloud computing platform;
the security domain unit: for dividing the cloud computing platform into multiple security domains according to the traffic of each server, the multiple security domains being isolated from one another;
the security resource allocation unit: for extracting part of the resources from the security resources of each server of the cloud computing platform and integrating them to form a security resource pool, and for deploying a security probe in each server;
the matching unit: for, when the traffic growth of a security domain is abnormal, taking that security domain as the target security domain and calling up from the security resource pool security resources matched to the traffic growth to perform a security service for the target security domain;
the security resource allocation unit being further used to trace the intrusion source according to the security probes and to execute the blocking.
8. The cloud resource security management and control system according to claim 7, characterized in that the data acquisition unit is further used to obtain the parameters of each security resource in the security resource pool, the parameters including the remaining load capacity of each security resource, the physical distance between each security resource and the target security domain, and the elastic scaling situation of each security resource;
the security resource allocation unit is further used to estimate the resource requirement for handling the target security domain and to select multiple groups of security resources from the security resource pool, the remaining load capacity of each group of security resources exceeding the resource requirement of the target security domain;
the security resource allocation unit is further used to perform a linear regression on the parameters of the security resources within each group and to select, according to the linear regression result, the optimal group of security resources to allocate to the target security domain to perform the security service.
CN201811376253.3A 2018-11-19 2018-11-19 Cloud resource security management and control method and system Expired - Fee Related CN109525581B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811376253.3A CN109525581B (en) 2018-11-19 2018-11-19 Cloud resource security management and control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811376253.3A CN109525581B (en) 2018-11-19 2018-11-19 Cloud resource security management and control method and system

Publications (2)

Publication Number Publication Date
CN109525581A true CN109525581A (en) 2019-03-26
CN109525581B CN109525581B (en) 2021-01-26

Family

ID=65776312

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811376253.3A Expired - Fee Related CN109525581B (en) 2018-11-19 2018-11-19 Cloud resource security management and control method and system

Country Status (1)

Country Link
CN (1) CN109525581B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110163731A (en) * 2019-04-30 2019-08-23 广州市中智软件开发有限公司 Method, system and storage medium for establishing a virtual bidding room of an intermediary service supermarket

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719842A (en) * 2009-11-20 2010-06-02 中国科学院软件研究所 Cloud computing environment-based distributed network security pre-warning method
US20120324572A1 (en) * 2011-06-16 2012-12-20 Telefonaktiebolaget L M Ericsson (Publ) Systems and methods that perform application request throttling in a distributed computing environment
CN102857548A (en) * 2012-04-25 2013-01-02 梁宏斌 Mobile cloud computing resource optimal allocation method
CN103354530A (en) * 2013-07-18 2013-10-16 北京启明星辰信息技术股份有限公司 Virtualization network boundary data flow gathering method and apparatus
CN104038444A (en) * 2013-03-05 2014-09-10 中国移动通信集团山西有限公司 Resource allocation method, equipment and system
CN104580090A (en) * 2013-10-18 2015-04-29 华为技术有限公司 Method and device for evaluating operation and maintenance of safety strategy
CN105991738A (en) * 2015-02-27 2016-10-05 中国移动通信集团四川有限公司 Method and system for cross safety domain resource sharing in cloud resource pool
CN108173842A (en) * 2017-12-26 2018-06-15 国家电网公司 Deployment optimization method for a software-defined firewall based on an OpenStack cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周丹丹 (Zhou Dandan) et al.: "媒体云平台安全防护及管理体系方案设计" (Design of a security protection and management system scheme for a media cloud platform), 《中国有线电视》 (China Cable Television) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110163731A (en) * 2019-04-30 2019-08-23 广州市中智软件开发有限公司 Method, system and storage medium for establishing a virtual bidding room of an intermediary service supermarket
CN110163731B (en) * 2019-04-30 2021-07-27 广州市中智软件开发有限公司 Method, system and storage medium for establishing virtual bidding room of intermediary service supermarket

Also Published As

Publication number Publication date
CN109525581B (en) 2021-01-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210126