CN109951337A - Virtualized O&M bastion host system - Google Patents

Virtualized O&M bastion host system

Info

Publication number
CN109951337A
CN109951337A (application CN201910230127.5A)
Authority
CN
China
Prior art keywords
  • trust degree
  • cloud platform
  • resource
  • user
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN201910230127.5A
Other languages
Chinese (zh)
Other versions
CN109951337B (en)
Inventor
姜琦
吴朝雄
石波
于冰
王晓菲
郭敏
Current Assignee (as listed by Google Patents)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications
Events
  • Application filed by Beijing Institute of Computer Technology and Applications
  • Priority to CN201910230127.5A
  • Publication of CN109951337A
  • Application granted
  • Publication of CN109951337B
  • Legal status: Active
  • Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a virtualized O&M (operation and maintenance) bastion host system in the technical field of network security. The system is deployed in the cloud platform as a virtual machine, which directly eliminates hardware cost. By cooperating with the cloud platform's built-in components it can connect a large number of terminals to O&M targets at the same time and release resources when O&M is idle, ensuring high resource utilization; through the same cooperation it can easily obtain every resource deployed in the cloud, which greatly simplifies initialization. Graphical auditing records all O&M operations completely, making it easier to fix responsibility after an incident.

Description

Virtualized O&M bastion host system
Technical field
The present invention relates to the technical field of network security, and in particular to a virtualized O&M bastion host system.
Background art
At present, O&M debugging of the network devices, servers and security appliances inside a data center network (the network formed by all devices inside and outside the cloud platform) is generally done in one of two ways. The first is to connect the O&M computer directly to a switch or to the target device and perform O&M through the target's management page. The second is to place a bastion host between O&M staff and the target devices, adopt unified single sign-on, and perform remote O&M through the bastion host's web proxy. The first method has largely been abandoned: the O&M computer is not isolated from the network equipment it reaches, there is no access monitoring or access control, and O&M staff can access other network devices without authorization. The second method, with a hardware bastion appliance, largely meets the O&M needs of a conventional data center network, but the performance limits of the physical device and the difficulty of controlling its quality often lead to low O&M efficiency and poor results.
Most data center networks are now built on a cloud computing architecture. Compared with a conventional data center network, the network scale has expanded sharply and the number of devices has grown rapidly; besides device O&M, the virtual machines must be maintained as well. A conventional hardware bastion host therefore faces several challenges: adding O&M resources is complicated, its capacity for concurrent multi-threaded O&M is low, unified operation on many virtual resources is inefficient, and the audit of O&M operations is incomplete.
Moreover, a traditional bastion host usually offers only a security proxy function, and its auditing stops at recording command-line input; it has no new audit means for the growing share of graphical operations.
Traditional hardware bastion hosts are therefore no longer suited to today's O&M needs.
Summary of the invention
(1) Technical problem to be solved
The technical problem to be solved by the present invention is the cumbersome means and low efficiency of O&M in large-scale cloud-architecture networks.
(2) technical solution
To solve the above technical problem, the present invention provides a virtualized O&M bastion host system comprising:
a virtualization installation module, for deploying this system during system initialization so that the system is built together with the cloud platform;
a resource acquisition module, for obtaining, during system initialization and based on the cloud platform's resource center, all resources in the data center network that require O&M operations, and for establishing a real-time connection with the resource center;
a connection control module, for controlling, after system initialization, the number of connections between users and O&M targets; based on the cloud platform's real-time partitioning of memory and CPU, it establishes an interface with the cloud platform and issues elastic allocation requests to the cloud platform as demand requires;
a permission management module, for controlling, after system initialization, whether a user has permission to access an O&M target, wherein a trust degree computation model provides the administrator with a basis for authorization;
an operation control module, for limiting the instructions a user enters while accessing an O&M target through this system;
an operation audit module, for auditing, by input interception and screen capture while a user accesses an O&M target, the operations performed through this system, and for sending them to the system database to be stored as video files and text.
Preferably, the virtualization installation module and the resource acquisition module form the system initialization module, and the virtualization installation module supports two deployment methods. The first is deployment together with the cloud platform: the system's installer is packaged with the cloud platform's build program; once the environment configuration and build of the cloud platform's main server are complete, a virtual machine is started, an operating system is installed in it and the system's installation package is launched, which deploys the program into the cloud platform automatically. The second is manual deployment: a set of virtual machine resources is requested from the cloud platform by hand, and the program is installed into the virtual machine manually.
Preferably, the resource acquisition module obtains O&M target resources in the data center network by one of two approaches, depending on where the resource is located:
The first covers resources inside the cloud platform, i.e. virtual resources (and, depending on the cloud platform type, physical hosts as well). These are acquired through an interface to the cloud platform's underlying hypervisor, which yields the instance name, running state, operating system, public IP address and internal IP address of every resource in the cloud platform; the connection is then established according to the specific operating system and IP address.
The second covers resources outside the cloud platform. These are acquired by entering the instance name, IP address and operating system type manually.
Preferably, the connection control module and the permission management module form the system management module.
The connection control module monitors its own state and establishes a connection with the cloud platform's underlying hypervisor to implement control. The system monitors its own number of concurrent users and sets multiple thresholds; when the concurrency exceeds a threshold it sends a request to the hypervisor for more memory, guaranteeing its own availability. Let a threshold be $c$: when the current concurrency drops below $c$ the system starts a timer, and the timer stops in one of two cases with different results. In the first case the timer exceeds the set duration; timing stops and a request is sent to the hypervisor to return some memory. In the second case the current concurrency rises back to $c$ or above; timing stops and nothing is done. With $c_k$ denoting the $k$-th threshold set by the system, the thresholds form the set $C=\{c_1,c_2,\dots,c_K\}$ with $c_1<c_2<\dots<c_K$. Consider the steady state in which every variable has stayed unchanged for longer than the set timer duration $T'$, and let $d$ be the current concurrency. For adjacent thresholds $c_i,c_j\in C$ with $c_i<c_j$ and $c_i<d<c_j$, the timer starts as soon as $d<c_i$ at any moment; once the timer reading $t>T'$, the memory request is sent to the cloud platform.
Preferably, the permission management module works on the role groups that use this system: according to the administrator's access permission settings for a user group, it opens or blocks connection requests initiated by users, so that the connection of a particular user to a target resource is controlled.
In the trust degree computation model a role is created for each system user. After each O&M operation performed through this system the role receives one evaluation from a superior administrator user; a positive evaluation raises the trust degree and a negative evaluation lowers it. The user's trust degree is the authorization factor, and the administrator can view its value in real time.
Let $C'$ be the role. Roles are built on IP addresses, the IP address being the representation.
Let $T$ be the trust degree, the measure that embodies how trustworthy the role's past behaviour was; each role has one trust degree, $T\in[0,5]$. By value range the trust degree is divided into four grades: high $T_h\in[4,5]$, middle $T_m\in(2,4)$, low $T_l\in(0,2]$ and zero $T_z=0$.
Let $Tu$ be the trust degree update value, one of the variables that affect the trust degree.
Let the trust vector be a binary value, one of the variables that affect the trust degree update value; each role has one trust vector.
Let $\tau$ be the behaviour magnitude, one of the variables that affect the trust degree update value; its value follows from the administrator's evaluation grade.
Let $D_T$ be the trust degree database, which stores the role, trust degree and trust vector data.
Let $T_i$ be the trust degree computed the $i$-th time.
Likewise, the trust vector computed the $i$-th time is recorded.
In the trust degree computation model, the effect that the evaluation after a role's operation has on the trust degree update value is stored in the trust vector, and the trust vector and the update value are updated together. The trust vector is an 8-bit binary vector. After the administrator's evaluation, a negative evaluation writes 0 and normal behaviour writes 1 (1 means trusted, 0 untrusted); the 0 or 1 is written at the left end of the binary vector while the value at the right end is discarded, which yields the trust vector computed the $i$-th time and hence the trust vector after any evaluation.
The role's trust degree is updated through the trust degree update value $Tu$. The update value function is $Tu(\tau)$, and $Tu_i(\tau)$ denotes the update value function computed the $i$-th time (the index $i$ is placed on $Tu$). The behaviour magnitude $\tau$ follows from the administrator's evaluation grade: the administrator grades the user's last O&M operation as one of four results, high, middle, low or poor, with the corresponding behaviour magnitudes $\tau_h=8$ for high, $\tau_m=12$ for middle, $\tau_n=16$ for low and $\tau_l=20$ for poor.
The role's trust degree is accumulated as $T_i=(1+\alpha\,Tu_i)\,T_{i-1}$, where the "$(\tau)$" of the update value function is omitted and $\alpha$ is an adjustment parameter: $\alpha=-1$ for low and poor evaluations, $\alpha=1$ for high and middle evaluations. $T_i$ is recorded in the trust degree database, overwriting $T_{i-1}$.
Preferably, the operation control module and the operation audit module form the function operation module.
The operation control module reads the user's keyboard input and intercepts malicious character input. Keyboard input interception captures the user's input and blocks it effectively; it covers process identification, character reading, concatenation into a string, data caching, data exchange and data sending. A hook function designed into the system intercepts the input of a specified process and reads its content; the concatenated input is matched against the commands in the system's own malicious command library, and after a fuzzy comparison, normal commands with low similarity are passed through while commands with high similarity are discarded. Intercepted command data is cached.
Preferably, the operation audit module performs keyboard input audit and graphical audit.
Keyboard input audit filters the intercepted input commands to remove repeated input, and visualizes them by user, input time and O&M target.
Graphical audit captures the screen with the gdigrab component of the ffmpeg library: one frame of video data is grabbed at fixed intervals, decoded into a yuv420 format file, re-encoded as an h264 video file and compressed. The system sends video data in a loop until it receives an exit signal, then cleans up its resources and exits. Auditors can review the video at any time.
Preferably, the virtual resources include virtual machines, business systems and virtual switches.
Preferably, the resources outside the cloud platform include security appliances, physical switches and physical servers.
(3) Beneficial effects
The present invention proposes a virtualized O&M bastion host system that is deployed in the cloud platform as a virtual machine, which directly eliminates hardware cost. By cooperating with the cloud platform's built-in components it can connect a large number of terminals to O&M targets at the same time and release resources when O&M is idle, ensuring high resource utilization; through the same cooperation it can easily obtain every resource deployed in the cloud, which greatly simplifies initialization. Graphical auditing records all O&M operations completely, making it easier to fix responsibility after an incident.
Description of the drawings
Fig. 1 is system structure diagram of the invention.
Specific embodiments
To make the purpose, content and advantages of the present invention clearer, specific embodiments are described in further detail below with reference to the drawings and examples.
The present invention provides a virtualized O&M bastion host system for unified O&M of the network devices and virtual resources inside a data center network. Concurrent multi-threaded O&M is realized on top of the virtualization infrastructure, and control measures regulate the operating behaviour of O&M staff. The system's functions are mainly reflected in obtaining all resources that require O&M, controlling staff access to those resources, and auditing operations in real time. The system solves, to a certain extent, the cumbersome means and low efficiency of O&M in large-scale cloud-architecture networks, and by combining keyboard input audit with graphical audit it makes supervision by administrators more convenient.
System of the invention includes:
Virtualization installation module: deploys this system during system initialization so that it can be built together with the cloud platform (such as Alibaba Cloud); the system, with its operating system and main functional components, is packaged and deployed in the cloud as a single virtual machine.
Resource acquisition module: during system initialization, obtains from the cloud platform's resource center (the unified management center for the servers, virtual machines and locally deployed application systems on which the cloud platform relies) all resources in the data center network that require O&M operations, and establishes a real-time connection with the resource center so that the resource list stays current.
Authentication management module: authenticates user identity through the authentication interface shared with the cloud platform, designed as multi-factor authentication including password, dynamic password (with a mobile terminal) and biometric features.
Connection control module: controls, after system initialization, the number of connections between users and O&M targets; based on the cloud platform's real-time partitioning of memory and CPU, it establishes an interface with the cloud platform and issues elastic allocation requests to the cloud platform as demand requires, expanding or shrinking the connection count accordingly.
Permission management module: controls, after system initialization, whether a user has permission to access an O&M target. A trust degree computation model provides the administrator with a basis for authorization.
Operation control module: limits the instructions a user enters while accessing an O&M target through this system.
Operation audit module: audits, by input interception and screen capture while a user accesses an O&M target, the operations performed through this system, and sends them to the system database to be stored as video files and text.
The virtualization installation module and the resource acquisition module form the system initialization module.
(1) Virtualization installation module
The virtualization installation module supports two methods. The first is deployment together with the cloud platform: the system's installer is packaged with the cloud platform's build program; once the environment configuration and build of the cloud platform's main server are complete, a virtual machine is started, an operating system is installed in it and the system's installation package is launched, which deploys the program into the cloud automatically. The second is manual deployment: a set of virtual machine resources is requested from the cloud platform by hand, and the program is installed into the virtual machine manually.
(2) Resource acquisition module
O&M target resources in the data center network are acquired by one of two approaches, depending on where the resource is located.
The first covers resources inside the cloud platform, normally virtual resources such as virtual machines, business systems and virtual switches, and, depending on the cloud platform type, physical hosts as well. These are acquired through an interface to the cloud platform's underlying hypervisor, which yields the instance name, running state, operating system, public IP address, internal IP address and so on of every resource in the cloud platform; the connection is then established according to the specific operating system and IP address.
The second covers resources outside the cloud platform, normally security appliances, physical switches, physical servers and the like. These are acquired by entering the instance name, IP address, operating system type and similar details manually.
The connection control module and the permission management module form the system management module.
(1) Connection control module
The connection control module monitors its own state and establishes a connection with the cloud platform's underlying hypervisor. The system monitors its own number of concurrent users and sets multiple thresholds. When the concurrency exceeds a threshold it sends a request to the hypervisor for more memory, guaranteeing its own availability. Let a threshold be $c$: when the current concurrency drops below $c$ the system starts a timer, and the timer stops in one of two cases with different results. In the first case the timer exceeds the set duration; timing stops and a request is sent to the hypervisor to return some memory. In the second case the current concurrency rises back to $c$ or above; timing stops and nothing is done. With $c_k$ denoting the $k$-th threshold set by the system, the thresholds form the set $C=\{c_1,c_2,\dots,c_K\}$ with $c_1<c_2<\dots<c_K$. Consider the steady state in which every variable has stayed unchanged for longer than the set timer duration $T'$, and let $d$ be the current concurrency. For adjacent thresholds $c_i,c_j\in C$ with $c_i<c_j$ and $c_i<d<c_j$, the timer starts as soon as $d<c_i$ at any moment; once the timer reading $t>T'$, the memory request is sent to the cloud platform.
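The threshold-and-timer rule of the connection control module, as described in the summary, in the embodiment above and in claim 4, can be written down as a small controller. The following is an added example, not code from the patent: the page fixes the rule (acquire memory when the concurrency $d$ crosses a threshold upward, release it only after $d$ has stayed below that threshold for longer than $T'$, cancel the timer if $d$ comes back), but it does not say how much memory one tier is worth or how many tiers are released at once; the 512 MB step and the one-tier-per-expiry release are assumptions, and the hypervisor client is a constructed stand-in that only records the requests it would send.

```python
"""Threshold-and-timer elastic memory control for a virtualized bastion host.

Added example; not the patent's own code. The rule follows the page; the step
size per tier and the one-tier-per-expiry release are assumptions, and the
hypervisor client below is a constructed stand-in that only records requests."""
import bisect
from dataclasses import dataclass, field


@dataclass
class RecordingHypervisor:
    """Stand-in for the cloud platform's hypervisor interface (assumption)."""
    requests: list = field(default_factory=list)

    def acquire_memory(self, mb: int) -> None:
        self.requests.append(("acquire", mb))

    def release_memory(self, mb: int) -> None:
        self.requests.append(("release", mb))


class ConnectionController:
    """Tracks the concurrent-connection count d against thresholds C = {c_1 < ... < c_K}.

    `level` is the number of thresholds d has been observed at or above and for
    which a memory tier is currently held; `step_mb` per tier is an assumption
    (the page only says "apply for more memory").
    """

    def __init__(self, thresholds, hold_time: float, hypervisor, step_mb: int = 512):
        self.C = sorted(thresholds)
        self.T_prime = hold_time       # T' on the page
        self.hv = hypervisor
        self.step_mb = step_mb
        self.level = 0
        self.timer_start = None

    def _band(self, d: int) -> int:
        """Number of thresholds c_k with c_k <= d, i.e. which band d lies in."""
        return bisect.bisect_right(self.C, d)

    def observe(self, d: int, now: float) -> int:
        """Feed one sample (concurrency d at time `now`); returns the tier now held."""
        band = self._band(d)
        if band > self.level:
            # d crossed one or more thresholds upward: request memory at once
            # (availability first), one tier per threshold crossed.
            for _ in range(band - self.level):
                self.hv.acquire_memory(self.step_mb)
            self.level = band
            self.timer_start = None
        elif band < self.level:
            # d dropped below the threshold of the tier we hold: start the timer,
            # and only after it has run longer than T' give one tier back.
            if self.timer_start is None:
                self.timer_start = now
            elif now - self.timer_start > self.T_prime:
                self.hv.release_memory(self.step_mb)
                self.level -= 1
                self.timer_start = None   # a fresh timer starts if d is still below
        else:
            # d is back at or above the tier's threshold: stop timing, do nothing.
            self.timer_start = None
        return self.level


def simulate(thresholds, hold_time, trace):
    """Run a (time, concurrency) trace; return the tier after each sample and the requests."""
    hv = RecordingHypervisor()
    ctl = ConnectionController(thresholds, hold_time, hv)
    levels = [ctl.observe(d, t) for t, d in trace]
    return levels, hv.requests


if __name__ == "__main__":
    # Constructed trace: load climbs through two thresholds, dips briefly, then stays low.
    trace = [(0, 5), (1, 12), (2, 25), (3, 15), (6, 15), (7, 22), (8, 15), (14, 15), (15, 15)]
    levels, requests = simulate([10, 20, 30], hold_time=5, trace=trace)
    for (t, d), lvl in zip(trace, levels):
        print(f"t={t:>2} d={d:>2} tier={lvl}")
    print(requests)
```

In the constructed trace the dip at t=3..6 is shorter than $T'=5$ and is cancelled when the load returns at t=7, so no memory is given back; the second dip from t=8 lasts longer than $T'$ and releases one tier at t=14. Acquisition is immediate and release is delayed, which is the asymmetry the page relies on for availability.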
(2) Permission management module
The permission management module works on the role groups that use this system: according to the administrator's access permission settings for a user group, it opens or blocks connection requests initiated by users, so that the connection of a particular user to a target resource is controlled.
In the trust degree computation model a role is created for each system user. After each O&M operation performed through this system the role receives one evaluation from a superior administrator user; a positive evaluation raises the trust degree and a negative evaluation lowers it. The user's trust degree is the authorization factor, and the administrator can view its value in real time.
$C'$: the role. Roles are built on IP addresses, the IP address being the representation; since an IP address is unique, each role is unique.
$T$: the trust degree, the measure that embodies how trustworthy the role's past behaviour was; each role has one trust degree, $T\in[0,5]$. By value range the trust degree is divided into four grades: high $T_h\in[4,5]$, middle $T_m\in(2,4)$, low $T_l\in(0,2]$ and zero $T_z=0$.
$Tu$: the trust degree update value, one of the variables that affect the trust degree.
Trust vector: a binary value, one of the variables that affect the trust degree update value; each role has one trust vector.
$\tau$: the behaviour magnitude, one of the variables that affect the trust degree update value; its value follows from the administrator's evaluation grade.
$D_T$: the trust degree database, which stores the role, trust degree and trust vector data.
$T_i$: the trust degree computed the $i$-th time.
The trust vector computed the $i$-th time is recorded likewise.
In the trust degree computation model, the effect that the evaluation after a role's operation has on the trust degree update value is stored in the trust vector, and the trust vector and the update value are updated together. The trust vector is an 8-bit binary vector. After the administrator's evaluation, a negative evaluation writes 0 and normal behaviour writes 1 (1 means trusted, 0 untrusted); the 0 or 1 is written at the left end of the binary vector while the value at the right end is discarded, which yields the trust vector computed the $i$-th time and hence the trust vector after any evaluation.
The role's trust degree is updated through the trust degree update value $Tu$. The update value function is $Tu(\tau)$, and $Tu_i(\tau)$ denotes the update value function computed the $i$-th time (the index $i$ is placed on $Tu$). The behaviour magnitude $\tau$ follows from the administrator's evaluation grade: the administrator grades the user's last O&M operation as one of four results, high, middle, low or poor, with the corresponding behaviour magnitudes $\tau_h=8$ for high, $\tau_m=12$ for middle, $\tau_n=16$ for low and $\tau_l=20$ for poor.
The role's trust degree is accumulated as $T_i=(1+\alpha\,Tu_i)\,T_{i-1}$, where the "$(\tau)$" of the update value function is omitted and $\alpha$ is an adjustment parameter: $\alpha=-1$ for low and poor evaluations, $\alpha=1$ for high and middle evaluations. $T_i$ is recorded in the trust degree database, overwriting $T_{i-1}$.
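The trust degree model defined above (in the summary and in this embodiment) is concrete enough to run, with three gaps the page leaves open. The following is an added example, not the patent's code: the 8-bit trust vector with the new bit entering at the left, the four grades of $T$, the behaviour magnitudes $\tau$ and the recurrence $T_i=(1+\alpha\,Tu_i)\,T_{i-1}$ are taken from the page; the form of $Tu(\tau)$ (here $\tau/100$), the initial $T$ and trust vector of a new role (3.0 and all ones), and clamping $T$ into $[0,5]$ are assumptions made for the example.

```python
"""Trust degree computation model of the permission management module.

Added example; not the patent's own code. Vector update, grades, τ values and
the recurrence follow the page; Tu(τ), the initial state of a role and the
clamp to [0,5] are assumptions."""
from dataclasses import dataclass, field

# Behaviour magnitude τ per administrator grade (from the page).
TAU = {"high": 8, "middle": 12, "low": 16, "poor": 20}
# Adjustment parameter α: +1 for high/middle, -1 for low/poor (from the page).
ALPHA = {"high": 1, "middle": 1, "low": -1, "poor": -1}
T_MAX = 5.0
GRADE_ORDER = ("zero", "low", "middle", "high")


def update_value(tau: int) -> float:
    """Tu(τ). Assumption: proportional mapping τ/100 (the page leaves Tu undefined)."""
    return tau / 100.0


def grade(T: float) -> str:
    """Map T to the page's grades: T_z = 0, T_l in (0,2], T_m in (2,4), T_h in [4,5]."""
    if T == 0:
        return "zero"
    if T <= 2:
        return "low"
    if T < 4:
        return "middle"
    return "high"


def shift_vector(vec: int, bit: int) -> int:
    """8-bit trust vector: write the new bit at the left end, drop the rightmost bit."""
    return ((vec >> 1) | (bit << 7)) & 0xFF


@dataclass
class Role:
    ip: str                 # the page builds the role on the IP address
    T: float = 3.0          # assumption: a new role starts in the middle grade
    vector: int = 0xFF      # assumption: a new role starts with an all-trusted history


@dataclass
class TrustDB:
    """D_T: stores role, trust degree and trust vector."""
    roles: dict = field(default_factory=dict)

    def role(self, ip: str) -> Role:
        return self.roles.setdefault(ip, Role(ip))

    def evaluate(self, ip: str, rating: str) -> float:
        """Apply one administrator evaluation and return the new T_i (overwrites T_{i-1})."""
        r = self.role(ip)
        # 1 = trusted (high/middle), 0 = untrusted (low/poor) enters the trust vector.
        r.vector = shift_vector(r.vector, 1 if ALPHA[rating] > 0 else 0)
        Tu_i = update_value(TAU[rating])
        T_i = (1 + ALPHA[rating] * Tu_i) * r.T
        r.T = min(T_MAX, max(0.0, T_i))   # assumption: clamp so that T stays in [0,5]
        return r.T

    def authorize(self, ip: str, minimum: str = "middle") -> bool:
        """Authorization factor: allow when the role's grade is at least `minimum`."""
        g = grade(self.role(ip).T)
        return GRADE_ORDER.index(g) >= GRADE_ORDER.index(minimum)


if __name__ == "__main__":
    db = TrustDB()
    for rating in ("high", "poor", "middle"):
        T = db.evaluate("10.0.0.7", rating)
        print(f"{rating:>6}: T={T:.4f} grade={grade(T)} vector={db.role('10.0.0.7').vector:08b}")
    print("may connect (>= middle):", db.authorize("10.0.0.7"))
```

Two properties worth noticing when deploying something like this: the recurrence is multiplicative, so a poor evaluation costs a fixed fraction of the current trust rather than a fixed amount, and the trust vector keeps only the last eight verdicts, so the long-term record lives in $T$, not in the vector. The page identifies the role with an IP address; on a shared, NAT'd or spoofable network that identity is weaker than the authenticated user from the authentication management module, which is the better key for the role record.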
The operation control module and the operation audit module form the function operation module.
(1) Operation control module
The operation control module mainly reads the user's keyboard input and intercepts malicious character input. Keyboard input interception is a complementary control: it captures the user's input and blocks it effectively, covering process identification, character reading, concatenation into a string, data caching, data exchange and data sending. A hook function designed into the system intercepts the input of a specified process and reads its content. The concatenated input is matched against the commands in the system's own malicious command library; after a fuzzy comparison, normal commands with low similarity are passed through while commands with high similarity are discarded. The module caches the intercepted command data for auditing.
(2) Operation audit module
Operation audit consists of two parts: keyboard input audit and graphical audit.
Keyboard input audit takes the input commands intercepted by the operation control module, filters out repeated input, and visualizes the result by user, input time, O&M target and so on.
Graphical audit captures the screen with the gdigrab component of the ffmpeg library. The module grabs one frame of video data at fixed intervals; the video data is decoded into a yuv420 format file, re-encoded as an h264 video file and compressed, and then passed to this system, which sends video data in a loop until it receives an exit signal, then cleans up its resources and exits. Auditors can review the video at any time.
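The operation control module (fuzzy matching of intercepted input against a malicious command library) and the keyboard half of the operation audit module (the de-duplicated per-user, per-target record) share the same data, so one example covers both. The following is an added example, not the patent's code: the contents of the malicious command library, the similarity measure (difflib's ratio) and the 0.8 cut-off for "high similarity" are assumptions, and the keystroke lines fed in are constructed.

```python
"""Keyboard-input interception against a malicious command library, with the
keyboard audit trail the operation audit module builds from the intercepted input.

Added example; not the patent's own code. Library contents, the similarity
measure and the threshold are assumptions; the input lines are constructed."""
import difflib
from dataclasses import dataclass

# Constructed malicious command library (the page does not list its contents).
MALICIOUS_COMMANDS = [
    "rm -rf /",
    "mkfs.ext4 /dev/sda",
    "dd if=/dev/zero of=/dev/sda",
    "chmod -R 777 /",
    ":(){ :|:& };:",
]
SIMILARITY_THRESHOLD = 0.8   # assumption: "high similarity" means ratio >= 0.8


def normalize(command: str) -> str:
    """Collapse whitespace so spacing tricks do not change the comparison."""
    return " ".join(command.strip().split())


def similarity(a: str, b: str) -> float:
    """Fuzzy comparison; difflib's ratio is 2*matches/(len(a)+len(b))."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def check_command(command: str, library=MALICIOUS_COMMANDS,
                  threshold: float = SIMILARITY_THRESHOLD):
    """Return (allowed, closest_library_entry, score) for one concatenated command."""
    cmd = normalize(command)
    closest, score = max(((m, similarity(cmd, m)) for m in library), key=lambda p: p[1])
    return score < threshold, closest, score


@dataclass
class AuditRecord:
    user: str
    target: str          # O&M target, e.g. its IP address
    ts: float            # input time
    command: str
    allowed: bool
    score: float


class OperationGuard:
    """Decision point the input hook calls with each completed command."""

    def __init__(self):
        self.records = []          # everything seen, for the audit module
        self.blocked_cache = []    # intercepted commands, cached as the page describes

    def on_input(self, user: str, target: str, raw: str, ts: float) -> bool:
        allowed, closest, score = check_command(raw)
        rec = AuditRecord(user, target, ts, normalize(raw), allowed, score)
        self.records.append(rec)
        if not allowed:
            self.blocked_cache.append(rec)
        return allowed

    def keyboard_audit(self):
        """Rows (user, time, target, command, verdict); consecutive repeats per
        (user, target) are filtered out, as the page's keyboard audit does."""
        rows, last = [], {}
        for r in sorted(self.records, key=lambda r: (r.user, r.ts)):
            key = (r.user, r.target)
            if last.get(key) == r.command:
                continue
            last[key] = r.command
            rows.append((r.user, r.ts, r.target, r.command, "ALLOW" if r.allowed else "BLOCK"))
        return rows


if __name__ == "__main__":
    guard = OperationGuard()
    for ts, raw in enumerate(["ls -la", "ls -la", "rm -rf /*", "rm -rf /tmp/build"], start=1):
        verdict = "allow" if guard.on_input("alice", "10.0.0.5", raw, ts) else "block"
        print(f"{raw!r:>22} -> {verdict}")
    for row in guard.keyboard_audit():
        print(row)
```

The constructed inputs show both sides of a similarity cut-off: `rm -rf /*` scores about 0.94 against `rm -rf /` and is discarded, while `rm -rf /tmp/build` scores about 0.64 and passes. String similarity is a deterrent, not a security boundary: aliases, shell variables, quoting and interactive tools all produce input that looks nothing like the library entry, which is why the page pairs this filter with the graphical audit and why least privilege on the target itself still matters. The graphical half of the audit corresponds to an invocation such as `ffmpeg -f gdigrab -framerate 1 -i desktop -pix_fmt yuv420p -c:v libx264 session.mp4` (gdigrab is ffmpeg's Windows desktop grabber).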
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and variations without departing from the technical principles of the invention, and these improvements and variations should also be regarded as falling within the protection scope of the invention.

Claims (9)

1. A virtualized O&M bastion host system, characterized by comprising:
a virtualization installation module, for deploying this system during system initialization so that the system is built together with the cloud platform;
a resource acquisition module, for obtaining, during system initialization and based on the cloud platform's resource center, all resources in the data center network that require O&M operations, and for establishing a real-time connection with the resource center;
a connection control module, for controlling, after system initialization, the number of connections between users and O&M targets; based on the cloud platform's real-time partitioning of memory and CPU, it establishes an interface with the cloud platform and issues elastic allocation requests to the cloud platform as demand requires;
a permission management module, for controlling, after system initialization, whether a user has permission to access an O&M target, wherein a trust degree computation model provides the administrator with a basis for authorization;
an operation control module, for limiting the instructions a user enters while accessing an O&M target through this system;
an operation audit module, for auditing, by input interception and screen capture while a user accesses an O&M target, the operations performed through this system, and for sending them to the system database to be stored as video files and text.
2. The system of claim 1, characterized in that the virtualization installation module and the resource acquisition module form the system initialization module, wherein the virtualization installation module supports two deployment methods. The first is deployment together with the cloud platform: the system's installer is packaged with the cloud platform's build program; once the environment configuration and build of the cloud platform's main server are complete, a virtual machine is started, an operating system is installed in it and the system's installation package is launched, which deploys the program into the cloud platform automatically. The second is manual deployment: a set of virtual machine resources is requested from the cloud platform by hand, and the program is installed into the virtual machine manually.
3. The system of claim 2, characterized in that the resource acquisition module obtains O&M target resources in the data center network by one of two approaches, depending on where the resource is located:
the first covers resources inside the cloud platform, i.e. virtual resources (and, depending on the cloud platform type, physical hosts as well); these are acquired through an interface to the cloud platform's underlying hypervisor, which yields the instance name, running state, operating system, public IP address and internal IP address of every resource in the cloud platform, and the connection is established according to the specific operating system and IP address;
the second covers resources outside the cloud platform; these are acquired by entering the instance name, IP address and operating system type manually.
4. The system of claim 1, characterized in that the link control module and the authority management module form the system management module;
The link control module implements control by monitoring its own state and by establishing a connection with the hypervisor underlying the cloud platform. The system monitors its own number of concurrent users and defines several thresholds; when the number of concurrent users exceeds a threshold, a request is sent to the hypervisor for more memory, which guarantees the availability of the system itself. Let the threshold be c. When the current number of concurrent users drops below the preset threshold c, the system starts a timer. The timer stops in one of two situations with different outcomes: first, the timer exceeds the set time, in which case timing stops and a request is sent to the hypervisor to return a certain amount of memory; second, the current number of concurrent users becomes greater than or equal to the threshold c, in which case timing stops and no action is taken. Let c_k denote the k-th threshold set by the system; the set of thresholds is written C = {c_1, c_2, …, c_K} with c_1 < c_2 < c_3 < … < c_K. Let T' be the set timing duration for which a state must persist unchanged, and let d be the current number of concurrent users. Then for any two nodes c_i, c_j ∈ C with c_i < c_j such that c_i < d < c_j, whenever d drops below c_i the timer starts, and once the timer count t > T' a memory request is issued to the cloud platform.
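The threshold-and-timer logic of claim 4 is easier to follow as a small state machine. The following is an added example written for this page, not the patent's own code: the hypervisor interface is stubbed (requests are appended to a list instead of being sent to a cloud platform), the thresholds C, the hold time T' and the sample timestamps are constructed values, and the example generalizes the single-threshold description to the whole ordered set of thresholds.

```python
"""Illustrative controller for the threshold-and-timer logic of claim 4.

Added example for this page, not the patent's implementation. The hypervisor
interface is stubbed: each request that the real system would send to the
cloud platform is recorded in `requests` instead.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ElasticLinkController:
    thresholds: List[int]            # C = {c_1 < c_2 < ... < c_K}
    hold_time: float                 # T': seconds the low state must persist
    requests: List[str] = field(default_factory=list)   # stubbed hypervisor calls
    level: int = 0                   # number of thresholds whose memory is held
    _timer_start: Optional[float] = field(default=None, init=False)

    def __post_init__(self) -> None:
        if any(a >= b for a, b in zip(self.thresholds, self.thresholds[1:])):
            raise ValueError("thresholds must be strictly increasing")

    def observe(self, d: int, now: float) -> List[str]:
        """Process one monitoring sample: d concurrent users at time `now`.

        Returns the hypervisor requests issued for this sample (possibly none).
        """
        issued: List[str] = []

        # Concurrency exceeded one or more thresholds above the held level:
        # request more memory at once and cancel any pending release timer.
        while self.level < len(self.thresholds) and d > self.thresholds[self.level]:
            self.level += 1
            self._timer_start = None
            issued.append(f"allocate:level={self.level}")

        if self.level == 0:
            # Nothing extra is held, so there is nothing to give back.
            self._timer_start = None
        else:
            c = self.thresholds[self.level - 1]   # threshold whose memory is held
            if d >= c:
                # Case 2 of the claim: back at or above c, stop timing, no action.
                self._timer_start = None
            elif self._timer_start is None:
                # Dropped below c: start the timer.
                self._timer_start = now
            elif now - self._timer_start > self.hold_time:
                # Case 1: the low state persisted longer than T', return one
                # level of memory. If d is still below the next threshold the
                # timer restarts on the following sample.
                self._timer_start = None
                self.level -= 1
                issued.append(f"release:level={self.level}")

        self.requests.extend(issued)
        return issued


if __name__ == "__main__":
    # Constructed sample run: two thresholds, 30-second hold time.
    ctl = ElasticLinkController(thresholds=[10, 20], hold_time=30)
    for d, t in [(5, 0), (15, 10), (25, 20), (12, 40), (12, 75)]:
        print(f"t={t:>3} d={d:>2} -> {ctl.observe(d, t)}")
```

Memory is requested immediately when a threshold is crossed but returned only after the low state has persisted for more than T', which is what keeps a briefly fluctuating user count from thrashing the hypervisor with allocate/release pairs.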
5. The system of claim 4, characterized in that the authority management module groups the roles that use this system; according to the access rights the administrator assigns to each user group, user-initiated connection requests are opened or blocked, so that which users may connect to which target resources is controlled;
In the degree-of-belief computation model a role is created for each system user. After each O&M operation performed through this system, the role receives one evaluation from the superior administrator user; a positive evaluation raises the degree of belief and a negative evaluation lowers it. The user's degree of belief serves as an authorization factor, and the administrator can inspect the degree-of-belief value in real time;
Let C' be the role; a role is established on the basis of an IP address, and the IP address is used to represent it;
Let T be the degree of belief, a standard that embodies the trustworthiness information of the role's past behaviour. Each role has a corresponding degree of belief, T ∈ [0, 5]. The degree of belief is graded by the range its value falls in into four levels: high degree of belief T_h, middle degree of belief T_m, low degree of belief T_l and zero degree of belief T_z, with T_h ∈ [4, 5], T_m ∈ (2, 4), T_l ∈ (0, 2], T_z = 0;
Let Tu be the degree-of-belief update value, one of the variables that influence the degree of belief;
Let the trust vector be a binary value, one of the variables that influence the degree-of-belief update value; each role has one corresponding trust vector;
Let τ be the behaviour magnitude, one of the variables that influence the degree-of-belief update value; the value of the behaviour magnitude is obtained from the administrator's evaluation grade;
Let D_T be the degree-of-belief database, which stores roles, degrees of belief and trust vectors;
Let T_i be the degree of belief obtained in the i-th computation;
Let the trust vector obtained in the i-th computation likewise be indexed by i;
In the degree-of-belief computation model, the influence on the degree-of-belief update value brought by the evaluation of a role's operation is stored in the trust vector, and the trust vector and the degree-of-belief update value are updated. The trust vector is an 8-bit binary vector. After the administrator's evaluation, a negative evaluation writes 0 and a normal-behaviour data packet writes 1, i.e. 1 represents trustworthy and 0 represents untrustworthy. The 0 or 1 is written at the left end of the binary vector while the value at the right end is discarded, yielding the trust vector of the i-th computation; the trust vector of any single computation is obtained in the same way;
The degree of belief of a role is updated by means of the degree-of-belief update value Tu. The update value function is Tu(τ); the update value function of the i-th computation is written with the index i on Tu, i.e. Tu_i(τ). The value of the behaviour magnitude τ is obtained from the administrator's evaluation grade. The administrator gives the user's last O&M operation one of the following evaluation results: high, middle, low or poor, where a high evaluation corresponds to the behaviour magnitude τ_h = 8, a middle evaluation to τ_m = 12, a low evaluation to τ_n = 16 and a poor evaluation to τ_l = 20;
The degree of belief of a role is accumulated by the formula T_i = (1 + α·Tu_i)·T_{i-1}, where the "(τ)" of the update value function is omitted and α is an adjusting parameter: α = −1 for a low or poor evaluation and α = 1 for a high or middle evaluation. T_i is recorded in the degree-of-belief database, overwriting the corresponding T_{i-1}.
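The bookkeeping of claim 5 (trust vector shift, the update T_i = (1 + α·Tu_i)·T_{i-1} and the four grades) can be written down directly. The block below is an added example for this page, not the patent's implementation. Two values the page does not state are filled in as labelled assumptions: the update value function Tu(τ), for which a placeholder τ/100 is used, and the starting degree of belief of a new role, set to 2.5; clamping T to the stated range [0, 5] is also an assumption. The behaviour magnitudes, α and grade boundaries are the claim's own.

```python
"""Illustrative trust-degree bookkeeping for the model in claim 5.

Added example for this page, not the patent's implementation. Tu(τ) and the
initial degree of belief are placeholders (see comments); everything else
follows the values stated in the claim.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict

# Behaviour magnitude τ per administrator evaluation, as given in the claim.
TAU = {"high": 8, "middle": 12, "low": 16, "poor": 20}
# Adjusting parameter α: +1 for high/middle, -1 for low/poor, as in the claim.
ALPHA = {"high": 1, "middle": 1, "low": -1, "poor": -1}
VECTOR_BITS = 8           # the trust vector is an 8-bit binary vector
T_MIN, T_MAX = 0.0, 5.0   # stated range T ∈ [0, 5]
GRADE_RANK = {"zero": 0, "low": 1, "middle": 2, "high": 3}


def placeholder_update_value(tau: int) -> float:
    """Stand-in for Tu(τ): the patent's own function is not on this page."""
    return tau / 100.0


def trust_grade(t: float) -> str:
    """Map a degree of belief to the grades T_z, T_l, T_m, T_h of the claim."""
    if t == 0:
        return "zero"
    if 0 < t <= 2:
        return "low"
    if 2 < t < 4:
        return "middle"
    if 4 <= t <= 5:
        return "high"
    raise ValueError(f"degree of belief {t} outside [0, 5]")


@dataclass
class Role:
    ip_address: str             # roles are identified by IP address (C')
    trust: float = 2.5          # T_0: assumed starting value, not from the page
    vector: int = (1 << VECTOR_BITS) - 1   # all ones: assume no negative history


@dataclass
class TrustDatabase:
    """D_T: stores roles, their degrees of belief and trust vectors."""
    roles: Dict[str, Role] = field(default_factory=dict)
    update_value: Callable[[int], float] = placeholder_update_value

    def role(self, ip: str) -> Role:
        return self.roles.setdefault(ip, Role(ip))

    def evaluate(self, ip: str, rating: str) -> Role:
        """Apply one administrator evaluation after an O&M operation."""
        if rating not in TAU:
            raise ValueError(f"unknown rating {rating!r}")
        r = self.role(ip)

        # Trust vector: write 1 (credible) or 0 (not credible) at the left end
        # and drop the rightmost bit, i.e. shift right and set the MSB.
        bit = 1 if ALPHA[rating] > 0 else 0
        r.vector = (r.vector >> 1) | (bit << (VECTOR_BITS - 1))

        # T_i = (1 + α·Tu_i)·T_{i-1}, then clamp to the stated range.
        tu = self.update_value(TAU[rating])
        new_t = (1 + ALPHA[rating] * tu) * r.trust
        r.trust = min(T_MAX, max(T_MIN, new_t))   # overwrites T_{i-1}
        return r

    def permitted(self, ip: str, required_grade: str) -> bool:
        """Authorization factor: does the role's current grade meet the required one?"""
        have = GRADE_RANK[trust_grade(self.role(ip).trust)]
        return have >= GRADE_RANK[required_grade]


if __name__ == "__main__":
    db = TrustDatabase()
    for rating in ("high", "poor", "poor"):
        r = db.evaluate("10.0.0.5", rating)   # constructed sample role
        print(f"{rating:>6}: T={r.trust:.3f} grade={trust_grade(r.trust)} "
              f"vector={r.vector:08b}")
```

Two properties of the update rule are worth noting when deploying a model like this: because each step multiplies the previous value, a role whose degree of belief reaches 0 (T_z) can never recover through further evaluations, and Tu must stay below 1 for α = −1 or the product would go negative, which is why the clamp is there.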
6. The system of claim 1, characterized in that the operation control module and the operation audit module form the function running module;
The operation control module is specifically used to read the user's keyboard input and to intercept malicious character input. Keyboard input interception captures the user's input information and blocks it effectively; it comprises process identification, character reading, splicing into strings, data caching, data exchange and data sending. A hook function is designed in the system to intercept the input of the specified process and read its content; the command assembled from the input content is matched against the system's own malicious command library by fuzzy comparison: normal commands with low similarity are released, commands with high similarity are discarded, and the intercepted command data is cached.
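As an added example of the splice-then-compare filter described in claim 6 (not the patent's hook implementation), the block below replaces the operating-system keyboard hook with a `feed()` method that receives the keystroke stream, splices it into commands and applies a fuzzy comparison against a command library. The library entries, the 0.8 similarity cut-off and the use of `difflib.SequenceMatcher` as the comparison are choices made for this example, not values from the page.

```python
"""Illustrative keyboard-input filter in the style of claim 6.

Added example for this page, not the patent's code. The OS-level hook is
replaced by feed(); the malicious command library is a small constructed
list; the similarity measure and cut-off are example choices.
"""
import difflib
import re
from typing import List, Tuple

# Constructed sample of a malicious command library (not from the page).
MALICIOUS_LIBRARY = [
    "rm -rf /",
    "mkfs.ext4 /dev/sda",
    "dd if=/dev/zero of=/dev/sda",
    "shutdown -h now",
]
SIMILARITY_CUTOFF = 0.8   # chosen threshold: at or above this the command is dropped
BACKSPACE = {"\b", "\x7f"}


def normalise(command: str) -> str:
    """Collapse whitespace and case so trivial variations still match the library."""
    return re.sub(r"\s+", " ", command).strip().lower()


def similarity(command: str) -> Tuple[float, str]:
    """Highest fuzzy-match ratio of the command against the library, with the entry."""
    cmd = normalise(command)
    best, best_entry = 0.0, ""
    for entry in MALICIOUS_LIBRARY:
        ratio = difflib.SequenceMatcher(None, cmd, normalise(entry)).ratio()
        if ratio > best:
            best, best_entry = ratio, entry
    return best, best_entry


class InputInterceptor:
    """Splices intercepted keystrokes into commands and decides release or drop."""

    def __init__(self) -> None:
        self._buffer: List[str] = []
        # Cache of intercepted commands: (command, score, matched library entry).
        self.intercepted: List[Tuple[str, float, str]] = []

    def feed(self, keystrokes: str) -> List[Tuple[str, str]]:
        """Consume raw keystrokes; return (command, decision) per completed line."""
        decisions: List[Tuple[str, str]] = []
        for ch in keystrokes:
            if ch in BACKSPACE:
                if self._buffer:
                    self._buffer.pop()
            elif ch in ("\n", "\r"):
                command = "".join(self._buffer)
                self._buffer.clear()
                if command.strip():
                    decisions.append((command, self._decide(command)))
            else:
                self._buffer.append(ch)
        return decisions

    def _decide(self, command: str) -> str:
        score, entry = similarity(command)
        if score >= SIMILARITY_CUTOFF:
            self.intercepted.append((command, score, entry))
            return "drop"
        return "release"


if __name__ == "__main__":
    ic = InputInterceptor()
    # Constructed keystroke stream: a corrected typo, a benign command, a blocked one.
    for command, decision in ic.feed("lss\x7f -la\ncat /etc/hostname\nrm -rf /\n"):
        print(f"{decision:>7}: {command!r}")
```

The comparison runs on the spliced command rather than on individual keystrokes, so backspaces and re-typing are resolved before matching; the cache of dropped commands is what the audit module of claim 7 would later consume.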
7. The system of claim 6, characterized in that the operation audit module is specifically used for keyboard input auditing and graphical auditing;
Keyboard input auditing filters the intercepted input commands to exclude repeated inputs and visualizes them by user, input time and O&M target;
Graphical auditing uses the ffmpeg library to capture the screen through the gdigrab component. One frame of video data is captured at fixed intervals; the video data is decoded into a yuv420 format file, re-encoded into an h264 format video file and compressed. The system sends video data in a loop until it receives an exit signal, whereupon it releases its resources and exits; auditors can review the video resource at any time.
8. The system of claim 3, characterized in that the virtual resources include virtual machines, operating systems and virtual switches.
9. The system of claim 3, characterized in that the resources outside the cloud platform include security devices, physical switches and physical servers.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910230127.5A CN109951337B (en) 2019-03-26 2019-03-26 Virtual operation and maintenance fortress system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910230127.5A CN109951337B (en) 2019-03-26 2019-03-26 Virtual operation and maintenance fortress system

Publications (2)

Publication Number Publication Date
CN109951337A true CN109951337A (en) 2019-06-28
CN109951337B CN109951337B (en) 2022-02-11

Family

ID=67011695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910230127.5A Active CN109951337B (en) 2019-03-26 2019-03-26 Virtual operation and maintenance fortress system

Country Status (1)

Country Link
CN (1) CN109951337B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110265082A1 (en) * 2010-04-26 2011-10-27 International Business Machines Corporation Virtual image overloading for solution deployment
CN102664888A (en) * 2012-04-19 2012-09-12 中国科学院软件研究所 Trust-based access control method and system thereof
CN203301532U (en) * 2013-05-06 2013-11-20 北京启创卓越科技有限公司 Cloud desktop system
CN108255580A (en) * 2018-01-11 2018-07-06 上海有云信息技术有限公司 A kind of method and device of cloud platform structure virtual machine
CN108965388A (en) * 2018-06-13 2018-12-07 新华三信息安全技术有限公司 A kind of operation audit method and device
CN109347807A (en) * 2018-09-20 2019-02-15 北京计算机技术及应用研究所 A kind of differentiation intrusion prevention method based on degree of belief

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110890979A (en) * 2019-11-14 2020-03-17 光通天下网络科技股份有限公司 Automatic deploying method, device, equipment and medium for fortress machine
CN113127137A (en) * 2019-12-30 2021-07-16 中标软件有限公司 Cloud computing management platform using self-hosting virtual machine and creation implementation method thereof
CN113467816A (en) * 2021-06-28 2021-10-01 国网上海市电力公司 Management platform for remote safe operation and maintenance of automation system based on virtualization
CN114338105A (en) * 2021-12-16 2022-04-12 山西云时代研发创新中心有限公司 Bastion creating bastion machine system based on zero trust
CN114338105B (en) * 2021-12-16 2024-04-05 山西云时代研发创新中心有限公司 Zero trust based system for creating fort

Also Published As

Publication number Publication date
CN109951337B (en) 2022-02-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant