CN109885379A - Cloud intrusion automated penetration system - Google Patents
Cloud intrusion automated penetration system
- Publication number: CN109885379A
- Authority: CN (China)
- Prior art keywords: virtual, intrusion, policy, automation, control centre
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Withdrawn
Abstract
The invention discloses a cloud intrusion automated penetration system and relates to the technical field of cloud intrusion penetration. The system comprises several hierarchy systems; each hierarchy system in turn comprises a high-level GM, a middle-level GM and a base-level GM; any one hierarchy system comprises at least one virtual management control centre and one management console. When hierarchy systems at different levels perform a cross-level operation, the virtual management control centre of every level passed through routes and forwards the information, and the communication protocol is CIM over SSL. By forming a multi-level hierarchical system from a virtual management control centre and a management console, and by having the virtual management control centre of every level route and forward information during cross-level operations, the invention improves the security and processing efficiency of the cloud intrusion system.
Description
Technical field
The invention belongs to the technical field of cloud intrusion penetration, and in particular relates to a cloud intrusion automated penetration system.
Background art
Current research on application-layer virtual security for grids is based mainly on Kerberos, SSL, SSH and XML encryption, and solves the problems of authentication and access control in grid environments; it concentrates on the framework for secure data transmission channels in heterogeneous grid environments, but has little to say about application-based security protection or the secure multiplexing of resources. Security research for node-oriented virtualized environments relies on high-availability techniques such as partition isolation, disaster recovery, partition live migration and partition hot standby to solve part of the security and reliability problems of virtual applications (for example VMware and Virtual Station); but in a hardware-level virtualized environment, where the resources in a partition are managed directly by the underlying hardware, a sufficiently large failure that cannot be effectively isolated may spread to every partition using that resource and cause a global failure (for example Xen, Intel Virtualization Technology and AMD Pacifica). The virtual intrusion detection centre Collapsar provides a centralized deployment and management mode for virtual honeypots, solving the problems of centralized management and centralized deployment and offering a global intrusion detection view; but Collapsar still concentrates, within its own virtual mechanism, on virtual honeypots running on virtual machines, and does not solve the problems that dynamic resource decomposition and large-scale component sharing bring in large-scale distributed environments, such as security monitoring management, distributed intrusion detection engines, user identity authentication and user-space isolation. For the security of virtual environments serving similar capabilities, neither current industry nor academia has the relevant technology or solutions.
Virtualization technology for capability-computing applications is based mainly on the thin-client idea: by splitting at the hardware layer and integrating at the system and application layers, virtualization technology realizes large-scale resource sharing across these three levels and improves resource utilization. The total resources required to provide the same computing capability therefore fall sharply, which significantly reduces the total cost of providing and increasing computing capability.
Compared with the security problems of other distributed systems or grid computing environments, the security problems of a virtual environment under computing-capability services have several key problems caused by the following: large-scale dynamic user populations, large-scale dynamic virtual resource objects, dynamically increasing and decreasing computational load, user-space isolation and protection, and communication security. The key problem is how, under the capability service application model, to provide each user with a completely private system; to provide users with resource access monitoring and authentication inside and outside the capability service domain and with an encrypted data transmission channel; to provide user-space isolation and protection; and ultimately to guarantee the security of applications based on capability services.
Summary of the invention
The purpose of the present invention is to provide a cloud intrusion automated penetration system in which a virtual management control centre and a management console form a multi-level hierarchical system and, during cross-level operations, the virtual management control centre of every level routes and forwards the information, so as to solve the problems of poor security and low efficiency in existing cloud intrusion penetration systems.
In order to solve the above technical problems, the present invention is achieved by the following technical solutions:
The present invention is a cloud intrusion automated penetration system, comprising: several hierarchy systems; each hierarchy system in turn comprises a high-level GM, a middle-level GM and a base-level GM; any one hierarchy system comprises at least one virtual management control centre and one management console; when hierarchy systems at different levels perform a cross-level operation, the virtual management control centre of every level passed through routes and forwards the information, and the communication protocol is CIM over SSL;
The virtual management control centre is responsible for saving the security policies and the object resource description information of the capability service domain; it saves and transmits upward asset, policy, alarm and log information; it delivers management commands and distributes security policies to the grid objects at each level, the application servers and the virtual IDS engines in the capability service domain; the alarm and log information, after formatting, is used for statistical analysis and data mining;
The CIM over SSL protocol is based on SSL and uses XML as its data description format; it defines 22 operation primitives; communication interfaces conforming to the SOAP protocol are added as needed;
The virtual IDS engine uses a centralized management mode, concentrating detection management and distribution on the state of the software virtual machines implemented on the physical virtual machines, the virtual machine logs, file integrity, virtual machine system vulnerabilities, and the security policies together with user-defined policies, and provides a unified view of distributed attacks.
Preferably, the virtual IDS engine is based on a self-description mechanism: after a software virtual machine is constructed or migrated and an application is scheduled and created, the initialization of the virtual IDS engine, the instantiation of its running environment and the download and running of its security policies are completed automatically.
Preferably, the unified security policies of the capability service domain are generated dynamically by instantiation along with the dynamic construction of physical virtual machines and the migration of software virtual machines; when policy editing is complete but the policies have not yet been distributed by the high-level virtual management control centre, they are emulated and attacks are simulated so that vulnerabilities in the network security policy are exposed in advance, which tests the effect of the policy and prevents security risks from materializing.
Preferably, the virtual distributed intrusion detection system of the capability service domain dynamically adjusts the security policies according to the simulation results, and the high-level virtual management control centre distributes them to each virtual IDS engine in the capability service domain.
Preferably, the analysis mechanism of the security policies is: given an event set, the event merging and filtering problem is exactly to generate the correlated events whose support and confidence are respectively greater than the minimum support and minimum confidence given by the policy.
Preferably, the network anomaly description language of the system is established on a model, based on predicate logic, of attacks and of the resources in the capability service domain that uses the association relationships among the three; it adopts the XML specification, is object-oriented, and provides the attack scenarios occurring in the capability service domain.
Preferably, the virtual IDS engine of the capability service domain integrates a virtual vulnerability scanning module, a virtual honeypot module and a virtual environment security assessment tool, which actively verify and actively capture intrusions and capability service vulnerabilities; after an attack from the external network is discovered in the capability service domain, it can be cut off through coordinated action with the firewall or router.
The invention has the following advantages:
By forming a multi-level hierarchical system from a virtual management control centre and a management console, and by having the virtual management control centre of every level route and forward information during cross-level operations, the present invention improves the security and processing efficiency of the cloud intrusion system.
Of course, implementing any product of the present invention does not necessarily require achieving all of the advantages described above at the same time.
Description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly described below. It should be apparent that the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of a cloud intrusion automated penetration system of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, the present invention is a cloud intrusion automated penetration system, comprising: several hierarchy systems; each hierarchy system in turn comprises a high-level GM, a middle-level GM and a base-level GM; any one hierarchy system comprises at least one virtual management control centre and one management console; when hierarchy systems at different levels perform a cross-level operation, the virtual management control centre of every level passed through routes and forwards the information, and the communication protocol is CIM over SSL;
The virtual management control centre is responsible for saving the security policies and the object resource description information of the capability service domain; it saves and transmits upward asset, policy, alarm and log information; it delivers management commands and distributes security policies to the grid objects at each level, the application servers and the virtual IDS engines in the capability service domain; the alarm and log information, after formatting, is used for statistical analysis and data mining;
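The routing and reporting behaviour of the hierarchy described in the two preceding paragraphs, as an added Python model that is not the patent's own code: a cross-level operation passes through the virtual management control centre (VMCC) of every level it crosses, upward reports are saved at each superior, and policies are pushed down level by level. The node names, the three-tier sample layout and the breadth-first distribution order are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model (example code, not from the patent): one VMCC per GM
# node, named after the node; `store` holds the records that VMCC saved.
@dataclass
class Node:
    name: str                 # hypothetical names: "high", "mid-A", "base-A1", ...
    parent: Optional[str]     # None for the high-level GM
    store: List[str] = field(default_factory=list)

class Hierarchy:
    def __init__(self, nodes: List[Node]):
        self.nodes: Dict[str, Node] = {n.name: n for n in nodes}

    def path_to_root(self, name: str) -> List[str]:
        """Node names from `name` up to the high-level GM, inclusive."""
        chain = []
        while name is not None:
            chain.append(name)
            name = self.nodes[name].parent
        return chain

    def children(self, name: str) -> List[str]:
        return [n.name for n in self.nodes.values() if n.parent == name]

    def route(self, src: str, dst: str) -> List[str]:
        """VMCC hops a cross-level operation traverses from src to dst: up to
        the lowest common ancestor, then down, so the VMCC of every level
        crossed routes and forwards the information (over CIM over SSL)."""
        up, down = self.path_to_root(src), self.path_to_root(dst)
        common = next(n for n in up if n in down)
        return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))

    def report_upward(self, src: str, record: str) -> List[str]:
        """Asset/policy/alarm/log information is saved at the originating VMCC
        and at every superior it is transmitted to; returns the hops taken."""
        hops = self.path_to_root(src)
        for hop in hops:
            self.nodes[hop].store.append(record)
        return hops

    def distribute_policy(self, policy: str, root: str = "high") -> List[str]:
        """The high-level VMCC pushes a security policy down level by level
        (breadth-first); returns the VMCCs in the order they received it."""
        order, queue = [], [root]
        while queue:
            cur = queue.pop(0)
            self.nodes[cur].store.append(policy)
            order.append(cur)
            queue.extend(self.children(cur))
        return order

def build_sample_hierarchy() -> Hierarchy:
    """Constructed three-tier sample: one high-level GM, two middle-level GMs,
    three base-level GMs."""
    return Hierarchy([
        Node("high", None),
        Node("mid-A", "high"), Node("mid-B", "high"),
        Node("base-A1", "mid-A"), Node("base-A2", "mid-A"),
        Node("base-B1", "mid-B"),
    ])

if __name__ == "__main__":
    h = build_sample_hierarchy()
    print(h.route("base-A1", "base-B1"))   # every level crossed appears once
    h.report_upward("base-A2", "alarm:file_integrity_change")
    print(h.nodes["high"].store)
```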
The CIM over SSL protocol is based on SSL and uses XML as its data description format; it defines 22 operation primitives; communication interfaces conforming to the SOAP protocol are added as needed;
The virtual IDS engine uses a centralized management mode, concentrating detection management and distribution on the state of the software virtual machines implemented on the physical virtual machines, the virtual machine logs, file integrity, virtual machine system vulnerabilities, and the security policies together with user-defined policies, and provides a unified view of distributed attacks.
Here, the virtual IDS engine is based on a self-description mechanism: after a software virtual machine is constructed or migrated and an application is scheduled and created, the initialization of the virtual IDS engine, the instantiation of its running environment and the download and running of its security policies are completed automatically.
Here, the unified security policies of the capability service domain are generated dynamically by instantiation along with the dynamic construction of physical virtual machines and the migration of software virtual machines; when policy editing is complete but the policies have not yet been distributed by the high-level virtual management control centre, they are emulated and attacks are simulated so that vulnerabilities in the network security policy are exposed in advance, which tests the effect of the policy and prevents security risks from materializing.
Here, the virtual distributed intrusion detection system of the capability service domain dynamically adjusts the security policies according to the simulation results, and the high-level virtual management control centre distributes them to each virtual IDS engine in the capability service domain.
Here, the analysis mechanism of the security policies is: given an event set, the event merging and filtering problem is exactly to generate the correlated events whose support and confidence are respectively greater than the minimum support and minimum confidence given by the policy.
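The merging and filtering criterion just stated is the classic association-rule criterion: keep the event combinations whose support and confidence exceed the minima the policy sets. As an added example that is not part of the patent, the Python code below runs an Apriori-style search over constructed alert windows and returns the surviving correlated-event rules; the alert names, the grouping of alerts into windows and the thresholds are assumptions of the example.

```python
from itertools import combinations
from collections import Counter

# Constructed sample (not data from the patent): each set holds the alert
# types the virtual IDS engines of one domain raised within one correlation
# window. Eight windows in total.
EVENT_WINDOWS = [
    {"port_scan", "brute_force_ssh", "new_admin_user"},
    {"port_scan", "brute_force_ssh", "new_admin_user"},
    {"port_scan", "brute_force_ssh"},
    {"port_scan", "brute_force_ssh", "new_admin_user"},
    {"port_scan", "vuln_probe"},
    {"vuln_probe", "file_integrity_change"},
    {"brute_force_ssh", "new_admin_user"},
    {"port_scan", "vuln_probe", "file_integrity_change"},
]

def frequent_itemsets(windows, min_support, max_size=3):
    """Return {frozenset(alerts): support} for every combination whose
    support (fraction of windows containing all of it) is strictly greater
    than min_support. Size-k candidates are built only from frequent
    (k-1)-sets, the Apriori pruning step."""
    n = len(windows)
    level = [frozenset([a]) for a in sorted({a for w in windows for a in w})]
    frequent = {}
    for _ in range(max_size):
        counts = Counter()
        for w in windows:
            for cand in level:
                if cand <= w:
                    counts[cand] += 1
        current = {c: k / n for c, k in counts.items() if k / n > min_support}
        if not current:
            break
        frequent.update(current)
        keys = sorted(current, key=sorted)
        level = sorted({a | b for a, b in combinations(keys, 2)
                        if len(a | b) == len(a) + 1}, key=sorted)
    return frequent

def correlate_events(windows, min_support, min_confidence):
    """The policy's merge-and-filter step: return rules
    (antecedent, consequent, support, confidence) with support > min_support
    and confidence > min_confidence. Everything else is filtered out."""
    freq = frequent_itemsets(windows, min_support)
    rules = []
    for itemset, sup in freq.items():
        if len(itemset) < 2:
            continue
        for k in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), k):
                ante = frozenset(ante)
                conf = sup / freq[ante]          # ante is frequent by the Apriori property
                if conf > min_confidence:
                    rules.append((tuple(sorted(ante)), tuple(sorted(itemset - ante)),
                                  round(sup, 3), round(conf, 3)))
    return sorted(rules, key=lambda r: (-r[3], -r[2], r[0]))

if __name__ == "__main__":
    for ante, cons, sup, conf in correlate_events(EVENT_WINDOWS, 0.3, 0.7):
        print(f"{ante} -> {cons}  support={sup} confidence={conf}")
```

Alerts that co-occur often but do not reliably imply each other (here port_scan alone) fall below the confidence minimum and are filtered, which is exactly the merge-and-filter behaviour the policy analysis describes.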
Here, the network anomaly description language of the system is established on a model, based on predicate logic, of attacks and of the resources in the capability service domain that uses the association relationships among the three; it adopts the XML specification, is object-oriented, and provides the attack scenarios occurring in the capability service domain.
Here, the virtual IDS engine of the capability service domain integrates a virtual vulnerability scanning module, a virtual honeypot module and a virtual environment security assessment tool, which actively verify and actively capture intrusions and capability service vulnerabilities; when an attack from the external network is discovered in the capability service domain, it can be cut off through coordinated action with the firewall or router.
It should be noted that in the system embodiment above the units are divided only according to functional logic, and the division is not limited to the one above as long as the corresponding functions can be realized; in addition, the specific names of the functional units are only for convenience of distinguishing them from one another and are not intended to restrict the protection scope of the invention.
In addition, those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the embodiments described above may be completed by a program instructing the relevant hardware, and that the corresponding program may be stored in a computer-readable storage medium.
The preferred embodiments of the present invention disclosed above are only intended to help illustrate the present invention. The preferred embodiments do not describe every detail, nor do they limit the invention to the specific embodiments described. Obviously, many modifications and variations can be made according to the content of this specification. These embodiments were chosen and specifically described in this specification in order to better explain the principles and practical application of the present invention, so that those skilled in the art can better understand and utilize the present invention. The present invention is limited only by the claims and their full scope and equivalents.
Claims (7)
1. A cloud intrusion automated penetration system, characterized by comprising: several hierarchy systems; each hierarchy system in turn comprises a high-level GM, a middle-level GM and a base-level GM; any one hierarchy system comprises at least one virtual management control centre and one management console; when hierarchy systems at different levels perform a cross-level operation, the virtual management control centre of every level passed through routes and forwards the information, and the communication protocol is CIM over SSL;
the virtual management control centre is responsible for saving the security policies and the object resource description information of the capability service domain, saves and transmits upward asset, policy, alarm and log information, and delivers management commands and distributes security policies to the grid objects at each level, the application servers and the virtual IDS engines in the capability service domain; the alarm and log information, after formatting, is used for statistical analysis and data mining;
the CIM over SSL protocol is based on SSL and uses XML as its data description format, defines 22 operation primitives, and adds communication interfaces conforming to the SOAP protocol as needed;
the virtual IDS engine uses a centralized management mode, concentrating detection management and distribution on the state of the software virtual machines implemented on the physical virtual machines, the virtual machine logs, file integrity, virtual machine system vulnerabilities, and the security policies together with user-defined policies, and provides a unified view of distributed attacks.
2. The cloud intrusion automated penetration system according to claim 1, characterized in that the virtual IDS engine is based on a self-description mechanism: after a software virtual machine is constructed or migrated and an application is scheduled and created, the initialization of the virtual IDS engine, the instantiation of its running environment and the download and running of its security policies are completed automatically.
3. The cloud intrusion automated penetration system according to claim 1, characterized in that the unified security policies of the capability service domain are generated dynamically by instantiation along with the dynamic construction of physical virtual machines and the migration of software virtual machines, and that when policy editing is complete but the policies have not yet been distributed by the high-level virtual management control centre, they are emulated and attacks are simulated so that vulnerabilities in the network security policy are exposed in advance, which tests the effect of the policy and avoids security risks.
4. The cloud intrusion automated penetration system according to claim 1, characterized in that the virtual distributed intrusion detection system of the capability service domain dynamically adjusts the security policies according to the simulation results, and the high-level virtual management control centre distributes them to each virtual IDS engine in the capability service domain.
5. The cloud intrusion automated penetration system according to claim 1, characterized in that the analysis mechanism of the security policies is: given an event set, the event merging and filtering problem is exactly to generate the correlated events whose support and confidence are respectively greater than the minimum support and minimum confidence given by the policy.
6. The cloud intrusion automated penetration system according to claim 1, characterized in that the network anomaly description language of the system is established on a model, based on predicate logic, of attacks and of the resources in the capability service domain that uses the association relationships among the three; it adopts the XML specification, is object-oriented, and provides the attack scenarios occurring in the capability service domain.
7. The cloud intrusion automated penetration system according to claim 1, characterized in that the virtual IDS engine of the capability service domain integrates a virtual vulnerability scanning module, a virtual honeypot module and a virtual environment security assessment tool, which actively verify and actively capture intrusions and capability service vulnerabilities; after an attack from the external network is discovered in the capability service domain, it can be cut off through coordinated action with the firewall or router.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910044976.1A (CN109885379A) | 2019-01-17 | 2019-01-17 | Cloud intrusion automated penetration system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910044976.1A (CN109885379A) | 2019-01-17 | 2019-01-17 | Cloud intrusion automated penetration system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109885379A | 2019-06-14 |
Family
ID=66926179
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910044976.1A (CN109885379A, Withdrawn) | Cloud intrusion automated penetration system | 2019-01-17 | 2019-01-17 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109885379A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111600953A (en) * | 2020-05-18 | 2020-08-28 | 广州锦行网络科技有限公司 | Method for realizing distributed deployment based on honeypot system |
CN111600953B (en) * | 2020-05-18 | 2021-01-08 | 广州锦行网络科技有限公司 | Method for realizing distributed deployment based on honeypot system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20190614 |