CN109885379A - A cloud intrusion automated penetration system - Google Patents

A cloud intrusion automated penetration system

Info

Publication number
CN109885379A
CN109885379A
Authority
CN
China
Prior art keywords
virtual
intrusion
strategy
automation
control centre
Prior art date
Legal status
Withdrawn
Application number
CN201910044976.1A
Other languages
Chinese (zh)
Inventor
葛军
黄土平
Current Assignee
Anhui Yunxue Network Technology Co Ltd
Original Assignee
Anhui Yunxue Network Technology Co Ltd
Priority date
Filing date
Publication date

Abstract

The invention discloses a cloud intrusion automated penetration system and relates to the technical field of cloud intrusion penetration. The system comprises several hierarchical systems; each hierarchical system in turn comprises a top-level GM, a middle-level GM and a bottom-level GM; any one hierarchical system comprises at least one virtual management control centre and one management console. When hierarchical systems at different levels perform a cross-level operation, the virtual management control centre of each level that the operation passes through performs information routing and forwarding, and the communication protocol is CIM over SSL. By forming a multi-level hierarchical system from a virtual management control centre and a management console, with the virtual management control centre of each level performing information routing and forwarding during cross-level operations, the invention improves the security and processing efficiency of a cloud intrusion system.

Description

A cloud intrusion automated penetration system
Technical field
The invention belongs to the technical field of cloud intrusion penetration, and in particular relates to a cloud intrusion automated penetration system.
Background technique
Research on grid-based application-layer virtual security is currently based mainly on Kerberos, SSL, SSH and XML encryption, and addresses authentication and access control in grid environments; it concentrates on the structure of secure data transmission channels for heterogeneous grid environments, but touches little on application-based security protection or the multiplexing of security resources. Node-oriented security research in virtualized environments relies on high-availability techniques such as partition isolation, disaster recovery, partition live migration and partition hot standby, and solves part of the security and reliability problems of virtual applications (for example VMware, Virtual Station). However, in a hardware-level virtualization environment the resources in a partition are managed directly by the underlying hardware; once a major failure occurs and cannot be effectively isolated, it may spread to all partitions using that resource and cause a global failure (for example Xen, Intel Virtualization Technology, AMD Pacifica). The virtual intrusion detection centre Collapsar provides centralized deployment and management of virtual honeypots, solving the problems of centralized management and centralized deployment and providing a global intrusion detection view; but Collapsar nonetheless concentrates on the virtual honeypots on virtual physical machines and on the virtualization mechanism itself, and does not solve the problems brought by dynamic resource decomposition and large-scale component sharing in large-scale distributed environments: security monitoring management, distributed intrusion detection engines, user identity authentication, user-space isolation and the like. For security research on virtual environments serving applications of similar capabilities, neither industry nor academia currently has the relevant technologies and solutions.
Virtualization technology based on capability computing applications is based mainly on the thin-client idea: through splitting at the hardware layer and integration at the system and application layers, virtualization technology on these three levels achieves large-scale resource sharing and improves resource utilization; the total resources required to provide the same computing capability therefore drop sharply, significantly reducing the total cost of acquiring and raising computing power.
Compared with the security problems of other distributed systems or grid computing environments, the security of virtual environments under capability computing services has several key problems arising from the following: large-scale dynamic numbers of users, large-scale dynamic virtual resource objects, dynamically increasing and decreasing computational loads, user-space isolation and protection, communication security, and so on. The key problem is how, under the capability server application model, to supply each user with a completely private system, to provide users with resource access monitoring and authentication inside and outside the capability service domain and an encrypted data transmission channel, to provide user-space isolation and protection, and ultimately to guarantee the security of applications based on the capability server.
Summary of the invention
The purpose of the present invention is to provide a cloud intrusion automated penetration system which forms a multi-level hierarchical system from a virtual management control centre and a management console, with the virtual management control centre of each level performing information routing and forwarding during cross-level operations, so as to solve the problems of poor security and low efficiency of existing cloud intrusion penetration systems.
To solve the above technical problems, the present invention is achieved through the following technical solution:
The present invention is a cloud intrusion automated penetration system comprising: several hierarchical systems; each hierarchical system in turn comprises a top-level GM, a middle-level GM and a bottom-level GM; any one hierarchical system comprises at least one virtual management control centre and one management console; when hierarchical systems at different levels perform a cross-level operation, the virtual management control centre of each level passed through performs information routing and forwarding, and the communication protocol is CIM over SSL;
The virtual management control centre is responsible for saving the security policies and the object resource description information of the capability service domain, and saves and transmits to the superior level the asset, policy, alarm and log information; it conveys management commands and distributes security policies to the grid objects at all levels, the application servers and the virtual IDS engines within the capability service domain; the alarm and log information, after format processing, are used for statistical analysis and data mining;
The CIM over SSL protocol is based on SSL and uses XML as the data description format; it defines 22 operation primitives; communication interfaces conforming to the SOAP protocol are added as needed;
The virtual IDS engine uses a centralized management mode: detection management is centralized while implementation is distributed over the software virtual machines on the physical virtual machine, covering software virtual machine state, virtual machine logs, file integrity and virtual machine system vulnerabilities, and on the basis of the security policies and user-defined policies it provides a unified view of distributed attacks.
Preferably, the virtual IDS engine is based on a self-description mechanism: after a software virtual machine is constructed or migrated and application scheduling is generated, the initialization of the virtual IDS engine, the instantiation of the running environment and the downloading and running of the security policies are completed automatically.
Preferably, the unified security policies of the capability service domain are generated dynamically along with the dynamic construction of physical virtual machines, the migration of software virtual machines and application instantiation; and when policy editing is complete but the policy has not yet been distributed by the top-level virtual management control centre, a simulation is run that simulates attacks, so that loopholes in the network security policy are exposed in advance, the effect of the policy is tested and security risks are avoided.
Preferably, the virtual distributed intrusion detection system of the capability service domain dynamically adjusts the security policies according to the simulation results, and the top-level virtual management control centre distributes them to each virtual IDS engine in the capability service domain.
Preferably, the analysis mechanism of the security policies is: given an event set, the event merging and filtering problem consists in generating the correlated events whose support and confidence are respectively greater than the minimum support and minimum confidence given by the policy.
Preferably, the network anomaly description language of the system is built on predicate-logic-based modeling of attacks, of the resources within the capability service domain and of the association relations among the three; it uses the XML specification, is object-oriented, and provides the attack scenarios occurring in the capability service domain.
Preferably, the virtual IDS engine of the capability service domain integrates virtual vulnerability scanning, a virtual honeypot module and virtual environment security assessment tools, performs proactive verification, and actively captures intrusions and capability server vulnerabilities; after an attack from the external network is discovered in the capability service domain, it can be blocked by linkage with a firewall or router.
The invention has the following advantages:
By forming a multi-level hierarchical system from a virtual management control centre and a management console, with the virtual management control centre of each level performing information routing and forwarding during cross-level operations, the present invention improves the security and processing efficiency of a cloud intrusion system.
Of course, implementing any product of the present invention does not necessarily require achieving all of the advantages described above at the same time.
Detailed description of the invention
In order to illustrate the technical solution of the embodiments of the present invention more clearly, the drawings required for the description of the embodiments are briefly described below. It should be apparent that the drawings in the following description show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of a cloud intrusion automated penetration system of the invention.
Specific embodiment
The technical solution in the embodiments of the present invention will be described clearly and completely below in combination with the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, the present invention is a cloud intrusion automated penetration system comprising: several hierarchical systems; each hierarchical system in turn comprises a top-level GM, a middle-level GM and a bottom-level GM; any one hierarchical system comprises at least one virtual management control centre and one management console; when hierarchical systems at different levels perform a cross-level operation, the virtual management control centre of each level passed through performs information routing and forwarding, and the communication protocol is CIM over SSL;
The virtual management control centre is responsible for saving the security policies and the object resource description information of the capability service domain, and saves and transmits to the superior level the asset, policy, alarm and log information; it conveys management commands and distributes security policies to the grid objects at all levels, the application servers and the virtual IDS engines within the capability service domain; the alarm and log information, after format processing, are used for statistical analysis and data mining;
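The propagation rules just described (each control centre saves a copy of what passes through it and forwards alarms and logs to its superior, while management commands and policies travel the other way down to the virtual IDS engines of each domain) can be made concrete with a small tree model. The following is an added example, not code from the patent or its applicant: the class and method names, the message shape and the sample three-level hierarchy are constructed here, and the CIM over SSL transport is left out so only the routing semantics remain.

```python
"""Cross-level routing through per-level virtual management control centres.

Added example, not the patent's own code.  It models the structure the
patent describes (top-, middle- and bottom-level hierarchical systems, each
with a virtual management control centre that saves and forwards
asset/policy/alarm/log information) as a tree.  Names, the message format and
the sample hierarchy below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ControlCentre:
    """Virtual management control centre of one hierarchical system (one GM level)."""
    name: str
    level: str                                  # "top", "middle" or "bottom"
    parent: "ControlCentre | None" = None
    children: list = field(default_factory=list)
    ids_engines: list = field(default_factory=list)  # virtual IDS engines in this domain
    store: list = field(default_factory=list)        # saved copies of forwarded information
    policies: dict = field(default_factory=dict)     # policies received from the superior

    def add_child(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def report_upward(self, message):
        """Save an alarm/log message locally, then forward it to the superior centre.

        Returns the route: the name of every centre the message passed through,
        which is the cross-level path the patent says each level must relay."""
        self.store.append(dict(message))
        route = [self.name]
        if self.parent is not None:
            route += self.parent.report_upward(message)
        return route

    def distribute_policy(self, policy_id, policy):
        """Route a policy downward: each centre saves it and forwards it to its
        subordinate centres, and every IDS engine in every domain receives it.

        Returns (centre name, engine name) pairs that received the policy."""
        self.policies[policy_id] = policy
        delivered = [(self.name, engine) for engine in self.ids_engines]
        for child in self.children:
            delivered += child.distribute_policy(policy_id, policy)
        return delivered


def build_sample_hierarchy():
    """Constructed sample: one top-level GM, two middle-level GMs, three bottom-level GMs."""
    top = ControlCentre("top-gm", "top")
    mid_a = top.add_child(ControlCentre("middle-gm-a", "middle"))
    mid_b = top.add_child(ControlCentre("middle-gm-b", "middle"))
    mid_a.add_child(ControlCentre("bottom-gm-a1", "bottom", ids_engines=["vids-a1-1", "vids-a1-2"]))
    mid_a.add_child(ControlCentre("bottom-gm-a2", "bottom", ids_engines=["vids-a2-1"]))
    mid_b.add_child(ControlCentre("bottom-gm-b1", "bottom", ids_engines=["vids-b1-1"]))
    return top


def find(centre, name):
    """Depth-first lookup of a control centre by name."""
    if centre.name == name:
        return centre
    for child in centre.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    top = build_sample_hierarchy()
    alarm = {"type": "alarm", "engine": "vids-a1-1", "detail": "file integrity violation"}
    print("alarm route:", find(top, "bottom-gm-a1").report_upward(alarm))
    print("policy delivered to:", [e for _, e in top.distribute_policy("pol-1", {"rule": "constructed"})])
```

Two properties worth checking in the model: an alarm raised in one bottom-level domain is stored at its own centre, at its middle-level centre and at the top, but never at a sibling middle-level centre, so each level's store is limited to its own subtree; and a policy pushed from the top reaches every IDS engine only through the intermediate centres, which is where a defender would add authentication of the distributing centre in a real deployment.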
The CIM over SSL protocol is based on SSL and uses XML as the data description format; it defines 22 operation primitives; communication interfaces conforming to the SOAP protocol are added as needed;
The virtual IDS engine uses a centralized management mode: detection management is centralized while implementation is distributed over the software virtual machines on the physical virtual machine, covering software virtual machine state, virtual machine logs, file integrity and virtual machine system vulnerabilities, and on the basis of the security policies and user-defined policies it provides a unified view of distributed attacks.
Here, the virtual IDS engine is based on a self-description mechanism: after a software virtual machine is constructed or migrated and application scheduling is generated, the initialization of the virtual IDS engine, the instantiation of the running environment and the downloading and running of the security policies are completed automatically.
Here, the unified security policies of the capability service domain are generated dynamically along with the dynamic construction of physical virtual machines, the migration of software virtual machines and application instantiation; and when policy editing is complete but the policy has not yet been distributed by the top-level virtual management control centre, a simulation is run that simulates attacks, so that loopholes in the network security policy are exposed in advance, the effect of the policy is tested and security risks are avoided.
Here, the virtual distributed intrusion detection system of the capability service domain dynamically adjusts the security policies according to the simulation results, and the top-level virtual management control centre distributes them to each virtual IDS engine in the capability service domain.
Here, the analysis mechanism of the security policies is: given an event set, the event merging and filtering problem consists in generating the correlated events whose support and confidence are respectively greater than the minimum support and minimum confidence given by the policy.
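The event merging and filtering rule stated above (and in the summary and claim 5) is the association-rule criterion: a correlated pair of events is kept only when its support and confidence both exceed the policy's minimum support and minimum confidence. The following is an added example of that criterion applied to a constructed alert set; it is not code from the patent or its applicant. The alert names, the thresholds and the alert windows are assumptions made here, and the thresholds are treated as exact rationals so that a confidence of exactly 3/5 is not accidentally judged "greater than" a minimum of 0.6.

```python
"""Event merging and filtering by minimum support and minimum confidence.

Added example, not the patent's own code.  The patent states only that,
given an event set, the correlated events are those whose support and
confidence are respectively greater than the policy's minimum support and
minimum confidence.  The alert vocabulary, the thresholds and the sample
events below are constructed for illustration.
"""
from fractions import Fraction
from itertools import combinations

# Constructed sample: each event is the set of alert types that a virtual IDS
# engine raised for one monitored virtual machine within one time window.
SAMPLE_EVENTS = [
    {"port_scan", "brute_force", "login_success"},
    {"port_scan", "brute_force"},
    {"port_scan", "brute_force", "login_success"},
    {"file_integrity", "login_success"},
    {"port_scan", "brute_force", "privilege_escalation"},
    {"port_scan"},
    {"brute_force", "login_success"},
    {"file_integrity"},
]


def _as_fraction(value):
    """Policy thresholds are exact rationals: Fraction(str(0.6)) is 3/5, whereas the
    float 0.6 is slightly below 3/5 and would let a confidence of exactly 3/5 pass."""
    return value if isinstance(value, Fraction) else Fraction(str(value))


def support(events, itemset):
    """Fraction of events that contain every alert type in itemset."""
    itemset = frozenset(itemset)
    hits = sum(1 for event in events if itemset <= event)
    return Fraction(hits, len(events))


def correlated_events(events, min_support, min_confidence):
    """Return rules (antecedent, consequent, support, confidence) over pairs of
    alert types whose support and confidence are strictly greater than the
    policy minimums, as the patent's criterion requires.

    Support of a rule is the support of the pair; confidence of A -> B is
    support({A, B}) / support({A})."""
    min_support = _as_fraction(min_support)
    min_confidence = _as_fraction(min_confidence)
    rules = []
    alert_types = sorted(set().union(*events))
    for a, b in combinations(alert_types, 2):
        pair_support = support(events, {a, b})
        if pair_support <= min_support:
            continue  # the pair is too rare; neither direction can qualify
        for antecedent, consequent in ((a, b), (b, a)):
            confidence = pair_support / support(events, {antecedent})
            if confidence > min_confidence:
                rules.append((antecedent, consequent, pair_support, confidence))
    return rules


def describe(rules):
    """Human-readable lines for the merged (correlated) events."""
    return [f"{a} -> {c}  support={float(s):.3f} confidence={float(k):.3f}"
            for a, c, s, k in rules]


if __name__ == "__main__":
    for line in describe(correlated_events(SAMPLE_EVENTS, 0.3, 0.7)):
        print(line)
```

With the sample set and thresholds 0.3 / 0.7, the surviving correlated events are port_scan -> brute_force, brute_force -> port_scan and login_success -> brute_force; the reverse rule brute_force -> login_success has confidence exactly 3/5 and is dropped because the criterion is strictly greater than, which is also why a threshold of 0.6 does not admit it either.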
Here, the network anomaly description language of the system is built on predicate-logic-based modeling of attacks, of the resources within the capability service domain and of the association relations among the three; it uses the XML specification, is object-oriented, and provides the attack scenarios occurring in the capability service domain.
Here, the virtual IDS engine of the capability service domain integrates virtual vulnerability scanning, a virtual honeypot module and virtual environment security assessment tools, performs proactive verification, and actively captures intrusions and capability server vulnerabilities; after an attack from the external network is discovered in the capability service domain, it can be blocked by linkage with a firewall or router.
It is worth noting that the units included in the above system embodiment are divided only according to functional logic, but are not limited to the above division, as long as the corresponding functions can be realized; in addition, the specific names of the functional units serve only to distinguish them from each other and are not intended to limit the protection scope of the invention.
In addition, those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware, and the corresponding program can be stored in a computer-readable storage medium.
The preferred embodiments of the invention disclosed above are only intended to help illustrate the invention. The preferred embodiments do not describe all details exhaustively, nor do they limit the invention to the specific embodiments described. Obviously, many modifications and variations can be made according to the content of this specification. These embodiments were chosen and described specifically in order to better explain the principle and practical application of the invention, so that those skilled in the art can better understand and utilize it. The invention is limited only by the claims and their full scope and equivalents.

Claims (7)

1. A cloud intrusion automated penetration system, characterized in that it comprises: several hierarchical systems; each hierarchical system in turn comprises a top-level GM, a middle-level GM and a bottom-level GM; any one hierarchical system comprises at least one virtual management control centre and one management console; when hierarchical systems at different levels perform a cross-level operation, the virtual management control centre of each level passed through performs information routing and forwarding, and the communication protocol is CIM over SSL;
the virtual management control centre is responsible for saving the security policies and the object resource description information of the capability service domain, and saves and transmits to the superior level the asset, policy, alarm and log information; it conveys management commands and distributes security policies to the grid objects at all levels, the application servers and the virtual IDS engines within the capability service domain; the alarm and log information, after format processing, are used for statistical analysis and data mining;
the CIM over SSL protocol is based on SSL and uses XML as the data description format; it defines 22 operation primitives; communication interfaces conforming to the SOAP protocol are added as needed;
the virtual IDS engine uses a centralized management mode: detection management is centralized while implementation is distributed over the software virtual machines on the physical virtual machine, covering software virtual machine state, virtual machine logs, file integrity and virtual machine system vulnerabilities, and on the basis of the security policies and user-defined policies it provides a unified view of distributed attacks.
2. The cloud intrusion automated penetration system according to claim 1, characterized in that the virtual IDS engine is based on a self-description mechanism: after a software virtual machine is constructed or migrated and application scheduling is generated, the initialization of the virtual IDS engine, the instantiation of the running environment and the downloading and running of the security policies are completed automatically.
3. The cloud intrusion automated penetration system according to claim 1, characterized in that the unified security policies of the capability service domain are generated dynamically along with the dynamic construction of physical virtual machines, the migration of software virtual machines and application instantiation; and when policy editing is complete but the policy has not yet been distributed by the top-level virtual management control centre, a simulation is run that simulates attacks, so that loopholes in the network security policy are exposed in advance, the effect of the policy is tested and security risks are avoided.
4. The cloud intrusion automated penetration system according to claim 1, characterized in that the virtual distributed intrusion detection system of the capability service domain dynamically adjusts the security policies according to the simulation results, and the top-level virtual management control centre distributes them to each virtual IDS engine in the capability service domain.
5. The cloud intrusion automated penetration system according to claim 1, characterized in that the analysis mechanism of the security policies is: given an event set, the event merging and filtering problem consists in generating the correlated events whose support and confidence are respectively greater than the minimum support and minimum confidence given by the policy.
6. The cloud intrusion automated penetration system according to claim 1, characterized in that the network anomaly description language of the system is built on predicate-logic-based modeling of attacks, of the resources within the capability service domain and of the association relations among the three; it uses the XML specification, is object-oriented, and provides the attack scenarios occurring in the capability service domain.
7. The cloud intrusion automated penetration system according to claim 1, characterized in that the virtual IDS engine of the capability service domain integrates virtual vulnerability scanning, a virtual honeypot module and virtual environment security assessment tools, performs proactive verification, and actively captures intrusions and capability server vulnerabilities; after an attack from the external network is discovered in the capability service domain, it can be blocked by linkage with a firewall or router.
Application and publication data

Application number: CN201910044976.1A
Title: A cloud intrusion automated penetration system
Priority date: 2019-01-17
Filing date: 2019-01-17
Publication: CN109885379A (en), 2019-06-14
Family ID: 66926179
Country: CN
Legal status: Withdrawn

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN111600953A * | 2020-05-18 | 2020-08-28 | 广州锦行网络科技有限公司 | Method for realizing distributed deployment based on honeypot system
CN111600953B * | 2020-05-18 | 2021-01-08 | 广州锦行网络科技有限公司 | Method for realizing distributed deployment based on honeypot system

Similar Documents

Publication Publication Date Title
WO2021017279A1 (en) Cluster security management method and apparatus based on kubernetes and network domain, and storage medium
CN110378103A (en) A kind of micro- isolating and protecting method and system based on OpenFlow agreement
CN105991734B (en) A kind of cloud platform management method and system
CN103038749B (en) Split process between cluster by process type to optimize the use of cluster particular configuration
CN101512510B (en) It is intended to provide the method and system of network management based on definition and application network management
Hu et al. Anomaly detection system in secure cloud computing environment
CN106803796B (en) Multi-tenant network topology reconstruction method based on cloud platform
CN103973676A (en) Cloud computing safety protection system and method based on SDN
CN107659543A (en) The means of defence of facing cloud platform APT attacks
CN106599694A (en) Security protection management methods, computer systems and computer-readable storage media
EP3466014B1 (en) Method and arrangement for configuring a secure domain in a network functions virtualization infrastructure
CN102438047A (en) Dynamic adaptive method of safety of cloud service under mobile internet environment
CN103067380A (en) Deployment configuration method and system of virtual safety device
Holtz et al. Building scalable distributed intrusion detection systems based on the mapreduce framework
KR20130083726A (en) Virtual machine integration monitoring apparatus and method for cloud system
CN112738200B (en) Convenient operation and maintenance tool and method based on closed public network system
CN106850549A (en) A kind of distributed cryptographic services gateway and implementation method
Wenhao et al. Vulnerability analysis and security research of docker container
Yang et al. EdgeKeeper: a trusted edge computing framework for ubiquitous power Internet of Things
WO2018049583A1 (en) User plane sharing method, device and supervising management device based on network slicing
CN109885379A (en) A kind of cloud invades automation osmosis system
CN113270940A (en) Wind energy and photovoltaic integrated monitoring system of energy storage station
WO2023142087A1 (en) Method for realizing cloud resource multi-account permission management and control for cloud host and cloud bastion host
Li et al. Design and implementation of the campus network monitoring system
CN108270718A (en) A kind of control method and system based on Hadoop clusters

Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
WW01 | Invention patent application withdrawn after publication | Application publication date: 20190614