CN109951337A - A virtualized operation and maintenance (O&M) bastion host system - Google Patents
Publication number: CN109951337A (application CN201910230127.5A)
Authority: CN (China)
Prior art keywords: trust degree, cloud platform, resource, user
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Storage Device Security (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a virtualized operation and maintenance (O&M) bastion host system and belongs to the technical field of network security. The invention is characterized in that the system is deployed in a cloud platform in the form of a virtual machine, which directly eliminates hardware cost. By cooperating with the intrinsic components of the cloud platform, it can connect a large number of terminals to O&M targets at the same time and can also release resources when O&M is idle, ensuring high resource utilization. Cooperating with the intrinsic components of the cloud platform also makes it easy to obtain all resources deployed in the cloud, which greatly simplifies initialization. All O&M operations can be completely recorded by graphical auditing, which facilitates the assignment of responsibility after an incident.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a virtualized O&M bastion host system.
Background art
At present, O&M debugging of the network devices, servers and security equipment inside a data center network (the network formed by all devices inside and outside the cloud platform) generally uses one of two methods. The first is to connect the O&M computer directly to a switch or to the target device and perform O&M through the administration page of the O&M target. The second is to set up a bastion host between the O&M personnel and the target devices, adopt a unified single-sign-on mode, and perform remote O&M through the web proxy of the bastion host. In the first method the O&M computer is not isolated from the network devices it accesses and there is no access monitoring or access control, so O&M personnel risk accessing other network devices without authorization; this method has now been essentially abandoned. The second method, using a hardware bastion host, relatively satisfies the O&M needs of a conventional data center network, but because the performance of the physical device is limited and its quality is hard to control, it often leads to low O&M efficiency and poor results.
At present most data center networks are built on a cloud computing architecture. Compared with earlier conventional data center networks, the network scale has expanded sharply and the number of devices has increased rapidly; not only do the devices need O&M, but the virtual machines need corresponding maintenance as well. A conventional hardware bastion host therefore faces several challenges at once: adding O&M resources is complicated, the capacity for concurrent multi-threaded O&M is low, unified operations on multiple virtual resources are inefficient, and the auditing of O&M operations is not comprehensive.
Moreover, a traditional bastion host often has only a security proxy function, and its auditing stops at recording command-line input; it has no new auditing means for the growing share of graphical operations.
Therefore the traditional hardware bastion host no longer fits present O&M requirements.
Summary of the invention
(1) Technical problem to be solved
The technical problem to be solved by the present invention is how to overcome the cumbersome O&M means and low O&M efficiency encountered in large-scale cloud architecture networks.
(2) Technical solution
To solve the above technical problem, the present invention provides a virtualized O&M bastion host system, comprising:
a virtualization installation module, for deploying this system during system initialization so that this system is built at the same time as the cloud platform;
a resource acquisition module, for obtaining, during system initialization and based on the resource center of the cloud platform, all resources in the data center network that require O&M operations, and for establishing a real-time connection with the resource center;
a connection control module, for controlling the number of connections between users and O&M targets after system initialization; based on the real-time partitioning characteristic of the cloud platform's memory and CPU, it establishes an interface with the cloud platform and issues elastic allocation requests to the cloud platform on demand;
a permission management module, for controlling, after system initialization, whether a user has permission to access an O&M target, in which a trust degree computation model provides the administrator with a basis for authorization;
an operation control module, for limiting the instructions a user inputs while accessing an O&M target through this system;
an operation audit module, for auditing the operations performed through this system by means of input interception and screen capture while the user is accessing an O&M target, and for sending the result to this system's database, where it is stored as video files and text.
Preferably, the virtualization installation module and the resource acquisition module make up the system initialization module. The virtualization installation module deploys the system in one of two ways. The first is deployment together with the cloud platform: the installation program of this system is packaged with the build program of the cloud platform; once the environment configuration and build of the main server of the cloud platform are complete, a virtual machine is started, an operating system is installed in the virtual machine, the installation package of this system is started, and the program is deployed automatically in the cloud platform. The second is manual deployment: a set of virtual machine resources is requested from the cloud platform manually, and the program is installed in the virtual machine by hand.
Preferably, the resource acquisition module obtains O&M target resources in the data center network through one of two approaches, depending on where the resource is located:
The first is for resources inside the cloud platform, i.e. virtual resources, which depending on the cloud platform type also include physical hosts. Such resources are acquired by establishing an interface with the hypervisor (the management program at the bottom of the cloud platform) to obtain the instance name, running status, operating system, public IP address and internal IP address of every resource in the cloud platform; a connection is then established through the specific operating system and IP address.
The second is for resources outside the cloud platform; such resources are acquired by manually filling in the instance name, IP address and operating system type.
Preferably, the connection control module and the permission management module make up the system management module.
The connection control module implements control by monitoring its own state and by establishing a connection with the hypervisor at the bottom of the cloud platform. The system monitors its own number of concurrent users and sets multiple thresholds; when the concurrency exceeds a threshold it sends a request to the hypervisor applying for more memory, so as to guarantee the availability of the system itself. Let a threshold be c. When the current concurrency drops below the preset threshold c, the system starts a timer. The timer stops in one of two situations, with different results: either the timed duration exceeds the set time, in which case the timer stops and a request is sent to the hypervisor to return a certain amount of memory; or the current concurrency rises back to greater than or equal to the threshold c, in which case the timer stops and no action is taken. Let $c_k$ denote the k-th threshold set by the system; the thresholds form the set $C = \{c_1, c_2, \dots, c_K\}$ with $c_1 < c_2 < c_3 < \dots < c_K$. Let the state in which each variable remains unchanged for longer than the set timing time $T'$ be the stable state, and let d be the current concurrency. Then for any nodes $c_i, c_j \in C$ with $c_i < c_j$ such that $c_i < d < c_j$, whenever $d < c_i$ at any moment the timer starts, and once the counted time $t > T'$ the memory request is issued to the cloud platform.
Preferably, the permission management module groups the roles that use this system and, according to the administrator's access permission settings for each user group, opens or blocks the connection requests initiated by users, so that a given user is controlled in which destination resources it may connect to.
In the trust degree computation model, a role is created for each system user. After each O&M operation performed through this system, the role receives one evaluation from the superior administrator user: a positive evaluation raises the trust degree and a negative evaluation lowers it. The user's trust degree is set as the authorization factor, and the administrator can view the trust degree value in real time.
Let C' be the role; roles are established on the basis of IP address, with the IP address as the representation.
Let T be the trust degree, the measure that embodies the trustworthiness information of the role's previous behaviour; each role corresponds to one trust degree, $T \in [0,5]$. Trust degrees are classified into four grades according to the range in which their value lies: high trust degree $T_h$, middle trust degree $T_m$, low trust degree $T_l$ and zero trust degree $T_z$, with $T_h \in [4,5]$, $T_m \in (2,4)$, $T_l \in (0,2]$ and $T_z = 0$.
Let Tu be the trust degree update value, one of the variables that influence the trust degree.
Let the trust vector be a binary value, one of the variables that influence the trust degree update value; each role corresponds to one trust vector.
Let τ be the behaviour magnitude, one of the variables that influence the trust degree update value; the value of the behaviour magnitude is obtained from the administrator's evaluation grade.
Let $D_T$ be the trust degree database, which stores the role, trust degree and trust vector data.
Let $T_i$ be the trust degree computed at the i-th step, and let the trust vector computed at the i-th step be defined likewise.
In the trust degree computation model, the influence that the evaluation after a role's operation has on the trust degree update value is stored in the trust vector, and the trust vector and the trust degree update value are updated. The trust vector is an 8-bit binary vector. After the administrator's evaluation, a negative evaluation writes 0 and a normal-behaviour data packet writes 1, i.e. 1 represents trustworthy and 0 represents untrustworthy; the 0 or 1 is written at the left end of the binary vector while the value at the right end is discarded, which yields the trust vector computed at the i-th step and hence the trust vector computed at any step.
The trust degree of the role is updated through the trust degree update value Tu. The trust degree update value function is Tu(τ), and $Tu_i(\tau)$ denotes the update value function computed at the i-th step, i.e. the index i is placed on Tu. The value of the behaviour magnitude τ is obtained from the administrator's evaluation grade: the administrator gives an evaluation result for the user's last O&M operation, namely high, middle, low or poor, where the behaviour magnitude for a high evaluation is $\tau_h = 8$, for a middle evaluation $\tau_m = 12$, for a low evaluation $\tau_n = 16$ and for a poor evaluation $\tau_l = 20$.
The trust degree of the role is computed cumulatively as $T_i = (1 + \alpha\, Tu_i)\, T_{i-1}$, where the "(τ)" of the trust degree update value function is omitted and α is an adjustment parameter: α = -1 for low and poor evaluations and α = 1 for high and middle evaluations. $T_i$ and the i-th trust vector are recorded in the trust degree database, overwriting $T_{i-1}$ and the previous trust vector.
Preferably, the operation control module and the operation audit module make up the function-running module.
The operation control module is specifically used to read the user's keyboard input and to intercept malicious character input. Keyboard input interception captures the user's input and blocks it effectively; it comprises process identification, character reading, splicing characters into a string, data caching, data exchange and data sending. A hook function designed into the system intercepts the input of a specified process and reads the input content; the spliced input is matched against the commands in the system's own malicious command library by fuzzy comparison. A command with low similarity is treated as a normal command and allowed through, while one with high similarity is discarded, and the intercepted command data is cached.
Preferably, the operation audit module is specifically used for keyboard input auditing and graphical auditing.
Keyboard input auditing takes the intercepted input commands, filters out repeated input, and visualizes the result by user, input time and O&M target.
Graphical auditing is designed to capture the screen through the gdigrab component of the ffmpeg library. One frame of video data is grabbed at fixed intervals; the video data is decoded into a yuv420-format file, then re-encoded into an h264-format video file and compressed. The system sends video data in a loop until it receives an exit signal, after which it releases its resources and exits; the auditor can view the video resources at any time.
Preferably, the virtual resources include virtual machines, operation systems and virtual switches.
Preferably, the resources outside the cloud platform include security equipment, physical switches and physical servers.
(3) Beneficial effects
The present invention proposes a virtualized O&M bastion host system that is deployed in a cloud platform in the form of a virtual machine, which directly eliminates hardware cost. By cooperating with the intrinsic components of the cloud platform, it can connect a large number of terminals to O&M targets at the same time and can also release resources when O&M is idle, ensuring high resource utilization. Cooperating with the intrinsic components of the cloud platform also makes it easy to obtain all resources deployed in the cloud, which greatly simplifies initialization. All O&M operations can be completely recorded by graphical auditing, which facilitates the assignment of responsibility after an incident.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the system of the invention.
Detailed description of the embodiments
To make the purpose, content and advantages of the present invention clearer, specific embodiments of the invention are described in further detail below with reference to the accompanying drawings and examples.
The present invention provides a virtualized O&M bastion host system, which is used to achieve unified O&M of the network devices and virtual resources inside a data center network, to realize simultaneous multi-threaded O&M on the basis of the virtualization infrastructure, and to regulate the operating behaviour of O&M personnel through control measures. The system's functions are mainly reflected in acquiring all resources that require O&M, controlling the access of personnel to resources, and auditing operations in real time. The proposed virtualized O&M bastion host system solves, to a certain extent, the problem of cumbersome O&M means and low efficiency in large-scale cloud architecture networks, and by combining keyboard input auditing with graphical auditing it makes supervision by administrative staff more convenient.
The system of the invention comprises:
a virtualization installation module, for deploying this system during system initialization, which allows this system to be built at the same time as the cloud platform (for example Alibaba Cloud); this system can be packaged with its operating system and main functional components and deployed in the cloud as a single virtual machine;
a resource acquisition module, for obtaining, during system initialization, all resources in the data center network that require O&M operations, based on the resource center of the cloud platform (the servers, virtual machines and on-premise application systems that the cloud platform relies on have a unified administrative center, referred to as the resource center), and for establishing a real-time connection with the resource center so that the resources remain valid in real time;
an authentication management module, for authenticating user identity; it uses an authentication interface unified with the cloud platform and is designed as multi-factor authentication, including password, dynamic password (in cooperation with a mobile terminal), biometric characteristics and so on;
a connection control module, for controlling the number of connections between users and O&M targets after system initialization; based on the real-time partitioning characteristic of the cloud platform's memory and CPU, it establishes an interface with the cloud platform and issues elastic allocation requests to the cloud platform on demand, thereby expanding or shrinking the number of connections;
a permission management module, for controlling, after system initialization, whether a user has permission to access an O&M target; a trust degree computation model provides the administrator with a basis for authorization;
an operation control module, for limiting the instructions a user inputs while accessing an O&M target through this system;
an operation audit module, for auditing the operations performed through this system by means of input interception and screen capture while the user is accessing an O&M target, and for sending the result to this system's database, where it is stored as video files and text.
The virtualization installation module and the resource acquisition module make up the system initialization module.
(1) Virtualization installation module
The virtualization installation module can work in one of two ways. The first is deployment together with the cloud platform: the installation program of this system is packaged with the build program of the cloud platform; once the environment configuration and build of the main server of the cloud platform are complete, a virtual machine is started, an operating system is installed in the virtual machine, the installation package of this system is started, and the program is deployed automatically in the cloud. The second is manual deployment: a set of virtual machine resources is requested from the cloud platform manually, and the program is installed in the virtual machine by hand.
(2) Resource acquisition module
O&M target resources in the data center network are acquired through one of two approaches, depending on where the resource is located.
The first is for resources inside the cloud platform, i.e. usually virtual resources, covering virtual machines, operation systems, virtual switches and the like, which depending on the cloud platform type also include physical hosts. Such resources are acquired by establishing an interface with the hypervisor (the management program at the bottom of the cloud platform) to obtain the instance name, running status, operating system, public IP address, internal IP address and so on of every resource in the cloud platform; a connection is then established through the specific operating system and IP address.
The second is for resources outside the cloud platform, usually security equipment, physical switches, physical servers and the like. Such resources are acquired by manually filling in the instance name, IP address, operating system type and other details.
The connection control module and the permission management module make up the system management module.
(1) Connection control module
The connection control module monitors its own state and establishes a connection with the hypervisor at the bottom of the cloud platform. The system monitors its own number of concurrent users and sets multiple thresholds. When the concurrency exceeds a threshold, it sends a request to the hypervisor applying for more memory, so as to guarantee the availability of the system itself. Let a threshold be c. When the current concurrency drops below the preset threshold c, the system starts a timer. The timer stops in one of two situations, with different results: either the timed duration exceeds the set time, in which case the timer stops and a request is sent to the hypervisor to return a certain amount of memory; or the current concurrency rises back to greater than or equal to the threshold c, in which case the timer stops and no action is taken. Let $c_k$ denote the k-th threshold set by the system; the thresholds form the set $C = \{c_1, c_2, \dots, c_K\}$ with $c_1 < c_2 < c_3 < \dots < c_K$. Take the state in which each variable remains unchanged for longer than the set timing time $T'$ as the stable state, and let d be the current concurrency. Then for any nodes $c_i, c_j \in C$ with $c_i < c_j$ such that $c_i < d < c_j$, whenever $d < c_i$ at any moment the timer starts, and once the counted time $t > T'$ the memory request is issued to the cloud platform.
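The threshold and timer logic of the connection control module just described (and of the corresponding paragraph in the summary), as an added Python example that is not the patent's code. It assumes the hypervisor request interface is a list that records the requests the controller would send, and that the controller is fed one concurrency sample d at a time together with the current time.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ConnectionController:
    """Elastic memory control driven by the concurrency thresholds C = {c_1 < ... < c_K}.

    `level` is the number of thresholds currently crossed upward (memory has been
    requested for each of them); `timing_window` is the set timing time T'.
    """
    thresholds: List[int]                        # C = {c_1, c_2, ..., c_K}, strictly increasing
    timing_window: float                         # T': how long d must stay below c_level before memory is returned
    level: int = 0                               # number of thresholds currently held
    timer_started_at: Optional[float] = None     # None means the timer is not running
    requests: List[str] = field(default_factory=list)  # assumption: stands in for requests to the hypervisor

    def __post_init__(self) -> None:
        if any(a >= b for a, b in zip(self.thresholds, self.thresholds[1:])):
            raise ValueError("thresholds must satisfy c_1 < c_2 < ... < c_K")

    def _send(self, request: str) -> str:
        """Record a request instead of calling a real hypervisor API."""
        self.requests.append(request)
        return request

    def observe(self, d: int, now: float) -> List[str]:
        """Feed one sample of the current concurrency d taken at time `now`.

        Returns the requests sent to the hypervisor for this sample (possibly none).
        """
        sent: List[str] = []
        # Concurrency exceeded the next threshold: ask for more memory immediately,
        # one request per threshold crossed, and cancel any pending return timer.
        while self.level < len(self.thresholds) and d > self.thresholds[self.level]:
            self.level += 1
            self.timer_started_at = None
            sent.append(self._send(f"request_memory above c{self.level}={self.thresholds[self.level - 1]}"))
        if self.level == 0:
            return sent                          # still below c_1: nothing to return
        c = self.thresholds[self.level - 1]      # c_i, the threshold currently held
        if d >= c:
            # Concurrency is back at or above c_i: stop the timer and take no action.
            self.timer_started_at = None
        elif self.timer_started_at is None:
            # Concurrency dropped below c_i: start timing.
            self.timer_started_at = now
        elif now - self.timer_started_at > self.timing_window:
            # Counted time t exceeded T': return the memory held for c_i and drop one level.
            self.timer_started_at = None
            self.level -= 1
            sent.append(self._send(f"return_memory below c{self.level + 1}={c}"))
        return sent


def replay(thresholds: List[int], timing_window: float, samples: List[tuple]) -> List[str]:
    """Run a (time, concurrency) trace through a fresh controller and return every request sent."""
    ctl = ConnectionController(thresholds, timing_window)
    for t, d in samples:
        ctl.observe(d, t)
    return ctl.requests


if __name__ == "__main__":
    # Constructed trace: concurrency climbs past c_1 and c_2, then falls and stays low for longer than T'.
    trace = [(0, 5), (1, 12), (2, 25), (3, 15), (6, 15), (7, 22), (8, 15), (14, 15), (15, 5), (21, 5)]
    for req in replay([10, 20, 30], 5.0, trace):
        print(req)
```

Note that a brief dip below c_i that recovers within T' sends nothing, so the controller does not thrash the hypervisor on short fluctuations.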
(2) Permission management module
The permission management module groups the roles that use this system and, according to the administrator's access permission settings for each user group, opens or blocks the connection requests initiated by users, so that a given user is controlled in which destination resources it may connect to.
In the trust degree computation model, a role is created for each system user. After each O&M operation performed through this system, the role receives one evaluation from the superior administrator user: a positive evaluation raises the trust degree and a negative evaluation lowers it. The user's trust degree is set as the authorization factor, and the administrator can view the value of the trust degree in real time.
C': the role. Roles are established on the basis of IP address, with the IP address as the representation; since an IP address is unique, each role is unique.
T: the trust degree, the measure that embodies the trustworthiness information of the role's previous behaviour. Each role corresponds to one trust degree, $T \in [0,5]$. Trust degrees are classified into four grades according to the range in which their value lies: high trust degree $T_h$, middle trust degree $T_m$, low trust degree $T_l$ and zero trust degree $T_z$, with $T_h \in [4,5]$, $T_m \in (2,4)$, $T_l \in (0,2]$ and $T_z = 0$.
Tu: the trust degree update value, one of the variables that influence the trust degree.
Trust vector: a binary value, one of the variables that influence the trust degree update value; each role corresponds to one trust vector.
τ: the behaviour magnitude, one of the variables that influence the trust degree update value; its value is obtained from the administrator's evaluation grade.
$D_T$: the trust degree database, which stores the role, trust degree and trust vector data.
$T_i$: the trust degree computed at the i-th step.
The trust vector computed at the i-th step is defined likewise.
In the trust degree computation model, the influence that the evaluation after a role's operation has on the trust degree update value is stored in the trust vector, and the trust vector and the trust degree update value are updated. The trust vector is an 8-bit binary vector. After the administrator's evaluation, a negative evaluation writes 0 and a normal-behaviour data packet writes 1, i.e. 1 represents trustworthy and 0 represents untrustworthy; the 0 or 1 is written at the left end of the binary vector while the value at the right end is discarded, which yields the trust vector computed at the i-th step and hence the trust vector computed at any step.
The trust degree of the role is updated through the trust degree update value Tu. The trust degree update value function is Tu(τ), and $Tu_i(\tau)$ denotes the update value function computed at the i-th step, i.e. the index i is placed on Tu. The value of the behaviour magnitude τ is obtained from the administrator's evaluation grade: the administrator gives an evaluation result for the user's last O&M operation, namely high, middle, low or poor. The behaviour magnitude for a high evaluation is $\tau_h = 8$; for a middle evaluation $\tau_m = 12$; for a low evaluation $\tau_n = 16$; and for a poor evaluation $\tau_l = 20$.
The trust degree of the role is computed cumulatively as $T_i = (1 + \alpha\, Tu_i)\, T_{i-1}$, where the "(τ)" of the trust degree update value function is omitted and α is an adjustment parameter: α = -1 for low and poor evaluations and α = 1 for high and middle evaluations. $T_i$ and the i-th trust vector are recorded in the trust degree database, overwriting $T_{i-1}$ and the previous trust vector.
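The trust degree model above (also given in the summary), as an added Python example that is not the patent's code: the 8-bit trust vector as a left-shifting register, the update $T_i = (1 + \alpha\, Tu_i)\, T_{i-1}$ with the stated τ and α values, and the four grades. The page does not reproduce the form of Tu(τ), so Tu(τ) = τ/100 is an assumption of this example (and is injectable), as are the initial trust degree of a new role, the all-ones initial vector and the clamping of T to [0, 5].

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Behaviour magnitudes tau and adjustment parameter alpha per evaluation grade (values from the patent text).
TAU = {"high": 8, "middle": 12, "low": 16, "poor": 20}
ALPHA = {"high": 1, "middle": 1, "low": -1, "poor": -1}
VECTOR_BITS = 8                    # the trust vector is an 8-bit binary vector
T_MIN, T_MAX = 0.0, 5.0            # T lies in [0, 5]


def default_tu(tau: int) -> float:
    """Assumed update-value function Tu(tau) = tau / 100.

    The patent only states that Tu depends on tau; this choice makes a larger
    behaviour magnitude move the trust degree by a larger fraction.
    """
    return tau / 100.0


def shift_in(vector: str, bit: str) -> str:
    """Write `bit` at the left end of the 8-bit vector and discard the rightmost bit."""
    return (bit + vector)[:VECTOR_BITS]


def grade(t: float) -> str:
    """Map a trust degree to its grade: T_z = 0, T_l in (0, 2], T_m in (2, 4), T_h in [4, 5]."""
    if t == 0:
        return "zero"
    if t <= 2:
        return "low"
    if t < 4:
        return "middle"
    return "high"


@dataclass
class TrustDatabase:
    """D_T: stores, per role (keyed by IP address), the trust degree T and the trust vector."""
    tu: Callable[[int], float] = default_tu
    initial_trust: float = 2.5     # assumption: T_0 of a newly created role (the patent gives no value)
    roles: Dict[str, Tuple[float, str]] = field(default_factory=dict)

    def create_role(self, ip: str) -> None:
        # Assumption: a fresh vector of all 1s, i.e. no negative evaluation recorded yet.
        self.roles[ip] = (self.initial_trust, "1" * VECTOR_BITS)

    def evaluate(self, ip: str, rating: str) -> Tuple[float, str]:
        """Apply one administrator evaluation after an O&M session and return (T_i, vector_i).

        T_i = (1 + alpha * Tu_i) * T_{i-1}; the new values overwrite T_{i-1} and the previous vector.
        """
        t_prev, vec_prev = self.roles[ip]
        alpha, tau = ALPHA[rating], TAU[rating]
        tu_i = self.tu(tau)
        t_i = (1 + alpha * tu_i) * t_prev
        t_i = max(T_MIN, min(T_MAX, t_i))                    # assumption: keep T inside [0, 5]
        vec_i = shift_in(vec_prev, "1" if alpha > 0 else "0")  # 1 = trustworthy, 0 = negative evaluation
        self.roles[ip] = (t_i, vec_i)
        return t_i, vec_i

    def authorization_grade(self, ip: str) -> str:
        """The grade the administrator sees when using the trust degree as the authorization factor."""
        return grade(self.roles[ip][0])


if __name__ == "__main__":
    db = TrustDatabase()
    db.create_role("10.0.0.5")                       # constructed sample role
    for rating in ("high", "poor", "low"):
        t, vec = db.evaluate("10.0.0.5", rating)
        print(f"{rating:6s} T={t:.4f} vector={vec} grade={grade(t)}")
```

Because each update multiplies the previous value, a role whose trust degree is 0 stays at 0 whatever it is rated afterwards; recovering such a role needs an explicit administrator reset, not further evaluations.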
The operation control module and the operation audit module make up the function-running module.
(1) Operation control module
The operation control module mainly reads the user's keyboard input and intercepts malicious character input. Keyboard input interception acts as a complementary control: it captures the user's input and blocks it effectively, and it comprises process identification, character reading, splicing characters into a string, data caching, data exchange and data sending. A hook function designed into the system intercepts the input of a specified process and reads the input content. The spliced input is matched against the commands in the system's own malicious command library by fuzzy comparison: a command with low similarity is treated as a normal command and allowed through, while one with high similarity is discarded. The module caches the intercepted command data for auditing.
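Keystroke splicing and fuzzy matching against a blocked-command library, as in the operation control module above, written as an added Python example (not the patent's code). The platform-specific keyboard hook is not shown; intercepted characters are fed in one at a time. The similarity measure (difflib's ratio), the 0.8 threshold and the four-entry command library are assumptions or constructed samples, and the cache handed to the audit module is an in-memory list.

```python
import difflib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample library of command lines the bastion refuses to forward.
BLOCKED_COMMANDS = ["rm -rf /", "dd if=/dev/zero of=/dev/sda", "shutdown -h now", "iptables -F"]


def similarity(a: str, b: str) -> float:
    """Fuzzy comparison of two command lines (0.0 = nothing in common, 1.0 = identical).

    difflib's ratio is an assumption; the patent only says the comparison is fuzzy.
    """
    return difflib.SequenceMatcher(None, a.strip().lower(), b.strip().lower()).ratio()


@dataclass
class CommandFilter:
    library: List[str]
    threshold: float = 0.8            # similarity at or above this discards the command
    buffer: str = ""                  # characters of the current line, spliced as they arrive
    cache: List[Tuple[str, str, float]] = field(default_factory=list)  # (command, verdict, score) for audit

    def best_match(self, line: str) -> Tuple[str, float]:
        """Return the library entry most similar to `line` together with its score."""
        return max(((cmd, similarity(line, cmd)) for cmd in self.library), key=lambda m: m[1])

    def check(self, line: str) -> str:
        """Match a spliced line against the library: 'pass' for low similarity, 'block' for high."""
        match, score = self.best_match(line)
        verdict = "block" if score >= self.threshold else "pass"
        self.cache.append((line, verdict, round(score, 3)))   # every intercepted line is cached for audit
        return verdict

    def keystroke(self, ch: str) -> Optional[str]:
        """Feed one intercepted character; returns the verdict once a line is completed, else None."""
        if ch == "\b":
            self.buffer = self.buffer[:-1]      # backspace removes the last spliced character
            return None
        if ch not in ("\n", "\r"):
            self.buffer += ch
            return None
        line, self.buffer = self.buffer, ""     # Enter completes the line
        return self.check(line)


def run_session(keystrokes: str) -> List[Tuple[str, str, float]]:
    """Replay a constructed keystroke stream through a fresh filter and return its audit cache."""
    flt = CommandFilter(BLOCKED_COMMANDS)
    for ch in keystrokes:
        flt.keystroke(ch)
    return flt.cache


if __name__ == "__main__":
    # Constructed sample: a normal listing, a typo corrected with backspace, then a blocked command.
    for entry in run_session("ls -la\nuptimee\b\nrm -rf /\n"):
        print(entry)
```

The threshold trades false positives for misses: a near-variant of a library entry scores above 0.8 and is discarded, so the cached score lets the auditor review borderline verdicts.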
(2) Operation audit module
Operation auditing consists of two parts: keyboard input auditing and graphical auditing.
Keyboard input auditing takes the input commands intercepted in the operation control module, filters out repeated input, and visualizes the result by user, input time, O&M target and so on.
Graphical auditing is designed to capture the screen through the gdigrab component of the ffmpeg library. The module grabs one frame of video data at fixed intervals; the video data is decoded into a yuv420-format file, then re-encoded into an h264-format video file, compressed and passed to this system. The system sends video data in a loop until it receives an exit signal, after which it releases its resources and exits. The auditor can view the video resources at any time.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Claims (9)
1. A virtualized O&M bastion host system, characterized in that it comprises:
a virtualization installation module, for deploying this system during system initialization so that this system is built at the same time as the cloud platform;
a resource acquisition module, for obtaining, during system initialization and based on the resource center of the cloud platform, all resources in the data center network that require O&M operations, and for establishing a real-time connection with the resource center;
a connection control module, for controlling the number of connections between users and O&M targets after system initialization; based on the real-time partitioning characteristic of the cloud platform's memory and CPU, it establishes an interface with the cloud platform and issues elastic allocation requests to the cloud platform on demand;
a permission management module, for controlling, after system initialization, whether a user has permission to access an O&M target, in which a trust degree computation model provides the administrator with a basis for authorization;
an operation control module, for limiting the instructions a user inputs while accessing an O&M target through this system;
an operation audit module, for auditing the operations performed through this system by means of input interception and screen capture while the user is accessing an O&M target, and for sending the result to this system's database, where it is stored as video files and text.
2. The system as claimed in claim 1, characterized in that the virtualization installation module and the resource acquisition module make up the system initialization module, wherein the virtualization installation module deploys the system in one of two ways: the first is deployment together with the cloud platform, i.e. the installation program of this system is packaged with the build program of the cloud platform, and once the environment configuration and build of the main server of the cloud platform are complete, a virtual machine is started, an operating system is installed in the virtual machine, the installation package of this system is started, and the program is deployed automatically in the cloud platform; the second is manual deployment, i.e. a set of virtual machine resources is requested from the cloud platform manually and the program is installed in the virtual machine by hand.
3. The system as claimed in claim 2, characterized in that the resource acquisition module obtains O&M target resources in the data center network through one of two approaches, depending on where the resource is located:
the first is for resources inside the cloud platform, i.e. virtual resources, which depending on the cloud platform type also include physical hosts; such resources are acquired by establishing an interface with the hypervisor at the bottom of the cloud platform to obtain the instance name, running status, operating system, public IP address and internal IP address of every resource in the cloud platform, and a connection is established through the specific operating system and IP address;
the second is for resources outside the cloud platform; such resources are acquired by manually filling in the instance name, IP address and operating system type.
4. The system as claimed in claim 1, characterized in that the link control module and the entitlement management module form the system management module;
The link control module monitors its own state and realizes control by establishing a connection with the hypervisor at the bottom of the cloud platform. While monitoring itself, the system monitors the number of concurrent users and sets multiple thresholds; when the number of concurrent users exceeds a threshold, it issues a request to the hypervisor for more memory, guaranteeing the availability of the system itself. Let the threshold be c: when the current number of concurrent users drops below the preset threshold c, the system starts timing, and the timing stops in one of two situations with different results. First, when the timing exceeds the set time, timing stops and a request is issued to the hypervisor to return some memory; second, when the current number of concurrent users is again greater than or equal to the threshold c, timing stops and no action is taken. Let c_k denote the k-th threshold set by the system; the set of thresholds is denoted C = {c_1, c_2, …, c_K}, where c_1 < c_2 < c_3 < … < c_K. Let T' be the set timing time for which a state must persist unchanged, and let d denote the current number of concurrent users; then for any nodes c_i, c_j ∈ C with c_i < c_j there is c_i < d < c_j, and whenever d < c_i the timer starts timing; once the counted time t > T', a memory request is issued to the cloud platform.
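The threshold-and-timer logic of claim 4 as an added illustration (not the patent's own code): thresholds C, the hold time T', and a sample trace are constructed, and the hypervisor interface is assumed to be a callback receiving a signed memory delta in fixed 512 MiB steps, which the page does not specify.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

STEP_MIB = 512  # constructed: memory requested/returned per threshold crossing (assumption)


@dataclass
class LinkControl:
    """Concurrency-driven memory scaling from claim 4 (hypervisor callback is assumed)."""
    thresholds: List[int]               # C = {c_1 < c_2 < ... < c_K}
    hold_time: float                    # T': how long d must stay below c before memory is returned
    hypervisor: Callable[[int], None]   # assumed interface: receives a signed MiB delta
    level: int = 0                      # number of thresholds currently crossed upward
    timer_start: Optional[float] = None  # start of timing, None when not timing

    def observe(self, now: float, d: int) -> Optional[str]:
        """Feed one sample of the current concurrency d at time now; return the action taken."""
        requested = False
        # Concurrency exceeded a threshold: request more memory immediately.
        while self.level < len(self.thresholds) and d > self.thresholds[self.level]:
            self.level += 1
            self.hypervisor(+STEP_MIB)
            requested = True
        if requested:
            self.timer_start = None
            return "request"
        if self.level == 0:
            return None
        c = self.thresholds[self.level - 1]  # highest threshold we still hold memory for
        if d < c:
            if self.timer_start is None:     # d dropped below c: start timing
                self.timer_start = now
                return "timer_start"
            if now - self.timer_start > self.hold_time:  # below c for longer than T': give memory back
                self.timer_start = None
                self.level -= 1
                self.hypervisor(-STEP_MIB)
                return "return"
            return "timing"
        if self.timer_start is not None:     # d climbed back to >= c in time: stop timer, do nothing
            self.timer_start = None
            return "timer_stop"
        return None


def simulate(samples: List[Tuple[float, int]], thresholds: List[int],
             hold_time: float) -> Tuple[List[Optional[str]], int]:
    """Run a (time, d) trace and return (actions, net MiB held beyond the base allocation)."""
    held = [0]
    ctrl = LinkControl(thresholds, hold_time, lambda delta: held.__setitem__(0, held[0] + delta))
    return [ctrl.observe(t, d) for t, d in samples], held[0]
```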
5. The system as claimed in claim 4, characterized in that the entitlement management module groups the roles that use this system and, according to the access rights the administrator assigns to each user group, opens or blocks user-initiated connection requests, so that the resources a particular user may connect to are controlled;
In the trust-degree computation model, a role is created for each system user. After each O&M operation a role performs through this system, it can receive one evaluation from a superior administrator user; a positive evaluation raises the trust degree and a negative evaluation lowers it. The trust degree of a user is set as an authorization factor, and the administrator can inspect the trust degree value in real time;
Let C' be the role; roles are established on the basis of IP address, with the IP address as their representation;
Let T be the trust degree; the trust degree is the standard that embodies the trustworthiness information of the role's previous behaviour, each role has a corresponding trust degree, T ∈ [0,5], and the trust degree is divided by grade according to the range its value falls in into four grades: high trust degree T_h, medium trust degree T_m, low trust degree T_l and zero trust degree T_z, with T_h ∈ [4,5], T_m ∈ (2,4), T_l ∈ (0,2], T_z = 0;
Let Tu be the trust degree update value; the trust degree update value is one of the variables that influence the trust degree;
Let the trust vector be defined as follows: the trust vector is a binary value, is one of the variables that influence the trust degree update value, and each role corresponds to one trust vector;
Let τ be the behaviour magnitude; the behaviour magnitude is one of the variables that influence the trust degree update value, and its value is obtained from the administrator's evaluation grade;
Let D_T be the trust degree database, used to store the role, trust degree and trust vector data;
Let T_i be the trust degree obtained at the i-th calculation, and let the trust vector obtained at the i-th calculation be defined likewise;
In the trust-degree computation model, the influence on the trust degree update value brought by the evaluation after a role's operation is stored in the trust vector, and the trust vector and the trust degree update value are updated. The trust vector is an 8-bit binary vector: after the administrator's evaluation, a negative evaluation writes 0 and a normal-behaviour data packet writes 1, i.e., 1 represents trustworthy and 0 untrustworthy; the 0 or 1 is written at the left end of the binary vector while the value at the right end is dropped, giving the trust vector of the i-th calculation, and hence the trust vector of any calculation;
The trust degree of a role is updated through the trust degree update value Tu; the trust degree update value function is Tu(τ), and the update value function of the i-th calculation is written with the index i on Tu. The value of the behaviour magnitude τ is obtained from the administrator's evaluation grade: the administrator gives an evaluation result for the user's last O&M operation, namely high, medium, low or poor, where the behaviour magnitude for a high evaluation is τ_h = 8, for a medium evaluation τ_m = 12, for a low evaluation τ_n = 16 and for a poor evaluation τ_l = 20;
The trust degree of a role is accumulated by the calculation T_i = (1 + α Tu_i) T_{i-1}, where the "(τ)" of the trust degree update value function is omitted in the formula and α is an adjustment parameter, α = -1 for a low or poor evaluation and α = 1 for a high or medium evaluation. T_i and the trust vector of the i-th calculation are recorded in the trust degree database, overwriting T_{i-1} and the trust vector of the previous calculation.
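The trust-degree update of claim 5 as an added illustration (not the patent's code). The grades, the τ values, α and T_i = (1 + α Tu_i) T_{i-1} follow the claim; the page gives no formula for Tu(τ), so the form used here, the share of 1-bits in the 8-bit trust vector divided by τ, is an assumption, as are the initial trust degree of 2.5, the all-ones initial vector, clamping to [0,5], and the mapping of low/poor evaluations to the 0 bit.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

TAU = {"high": 8, "medium": 12, "low": 16, "poor": 20}    # behaviour magnitudes from the claim
ALPHA = {"high": 1, "medium": 1, "low": -1, "poor": -1}   # adjustment parameter from the claim
T_MAX = 5.0                                              # T in [0, 5]
VEC_BITS = 8                                             # 8-bit trust vector


def grade(t: float) -> str:
    """Map a trust degree to the claim's four grades: zero, (0,2] low, (2,4) medium, [4,5] high."""
    if t == 0:
        return "zero"
    if t <= 2:
        return "low"
    if t < 4:
        return "medium"
    return "high"


def shift_in(vec: str, bit: str) -> str:
    """Write the new bit at the left end of the vector and drop the bit at the right end."""
    return (bit + vec)[:VEC_BITS]


def tu(vec: str, tau: int) -> float:
    # ASSUMED form of the update value function Tu(tau); the page does not specify it.
    return vec.count("1") / (VEC_BITS * tau)


@dataclass
class TrustDB:
    """Trust degree database D_T: role (IP address) -> (trust degree, trust vector)."""
    roles: Dict[str, Tuple[float, str]] = field(default_factory=dict)

    def create_role(self, ip: str, t0: float = 2.5) -> None:
        self.roles[ip] = (t0, "1" * VEC_BITS)   # assumed initial state for a new role

    def evaluate(self, ip: str, result: str) -> Tuple[float, str]:
        """Apply one administrator evaluation (high/medium/low/poor) and return (T_i, vector_i)."""
        t_prev, vec_prev = self.roles[ip]
        bit = "1" if ALPHA[result] > 0 else "0"   # negative evaluation writes 0, otherwise 1
        vec = shift_in(vec_prev, bit)
        t = (1 + ALPHA[result] * tu(vec, TAU[result])) * t_prev   # T_i = (1 + alpha*Tu_i) * T_{i-1}
        t = min(max(t, 0.0), T_MAX)               # keep T within [0, 5] (clamping assumed)
        self.roles[ip] = (t, vec)                 # overwrite T_{i-1} and the previous vector
        return t, vec
```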
6. The system as claimed in claim 1, characterized in that the operation control module and the operation audit module form the function running module;
The operation control module is specifically used to read the user's keyboard input and intercept malicious character input. Keyboard input interception captures the user's input information and blocks it effectively; it comprises process identification, character reading, splicing into strings, data caching, data exchange and data sending. A hook function is designed in the system to intercept the input to a specified process and read the input content; the command obtained after splicing the input content is matched against the system's own malicious command library by fuzzy comparison: a normal command with low similarity is allowed through, a command with high similarity is discarded, and the intercepted command data are cached.
7. The system as claimed in claim 6, characterized in that the operation audit module is specifically used to perform keyboard input auditing and graphical auditing;
Keyboard input auditing filters the intercepted input commands to exclude repeated input, and visualizes them by user, input time and O&M target;
Graphical auditing is designed to perform screen capture through the gdigrab component using the ffmpeg library. One frame of video data is captured every fixed interval; the video data is decoded into a yuv420 format file, then re-encoded into an h264 format video file and compressed. The system sends video data in a loop until it receives an exit signal, then cleans up resources and exits, and the auditor can check the video resource at any time.
8. The system as claimed in claim 3, characterized in that the virtual resources include virtual machines, operating systems and virtual switches.
9. The system as claimed in claim 3, characterized in that the resources outside the cloud platform include security equipment, physical switches and physical servers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910230127.5A CN109951337B (en) | 2019-03-26 | 2019-03-26 | Virtual operation and maintenance fortress system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109951337A true CN109951337A (en) | 2019-06-28 |
CN109951337B CN109951337B (en) | 2022-02-11 |
Family
ID=67011695
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910230127.5A Active CN109951337B (en) | 2019-03-26 | 2019-03-26 | Virtual operation and maintenance fortress system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109951337B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110890979A (en) * | 2019-11-14 | 2020-03-17 | 光通天下网络科技股份有限公司 | Automatic deploying method, device, equipment and medium for fortress machine |
CN113127137A (en) * | 2019-12-30 | 2021-07-16 | 中标软件有限公司 | Cloud computing management platform using self-hosting virtual machine and creation implementation method thereof |
CN113467816A (en) * | 2021-06-28 | 2021-10-01 | 国网上海市电力公司 | Management platform for remote safe operation and maintenance of automation system based on virtualization |
CN114338105A (en) * | 2021-12-16 | 2022-04-12 | 山西云时代研发创新中心有限公司 | Bastion creating bastion machine system based on zero trust |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110265082A1 (en) * | 2010-04-26 | 2011-10-27 | International Business Machines Corporation | Virtual image overloading for solution deployment |
CN102664888A (en) * | 2012-04-19 | 2012-09-12 | 中国科学院软件研究所 | Trust-based access control method and system thereof |
CN203301532U (en) * | 2013-05-06 | 2013-11-20 | 北京启创卓越科技有限公司 | Cloud desktop system |
CN108255580A (en) * | 2018-01-11 | 2018-07-06 | 上海有云信息技术有限公司 | A kind of method and device of cloud platform structure virtual machine |
CN108965388A (en) * | 2018-06-13 | 2018-12-07 | 新华三信息安全技术有限公司 | A kind of operation audit method and device |
CN109347807A (en) * | 2018-09-20 | 2019-02-15 | 北京计算机技术及应用研究所 | A kind of differentiation intrusion prevention method based on degree of belief |
2019-03-26: application CN201910230127.5A filed in CN; granted as CN109951337B, status active.
Also Published As
Publication number | Publication date |
---|---|
CN109951337B (en) | 2022-02-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |