CN110474981A - Software-defined dynamic secure storage method and device - Google Patents

Software-defined dynamic secure storage method and device

Info

Publication number
CN110474981A
Authority
CN
China
Prior art keywords
node
storage node
software-defined
dynamic
storage
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910746345.4A
Other languages
Chinese (zh)
Inventor
马多耀
邓高见
李萌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongke Tianyu (Suzhou) Technology Co Ltd
Original Assignee
Zhongke Tianyu (Suzhou) Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-08-13
Filing date
2019-08-13
Publication date
2019-11-19
Application filed by Zhongke Tianyu (Suzhou) Technology Co Ltd
Priority to CN201910746345.4A
Publication of CN110474981A
Legal status: Pending

Classifications

All under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 49/00 Packet switching elements → H04L 49/70 Virtual switches
    • H04L 49/00 Packet switching elements → H04L 49/90 Buffering arrangements → H04L 49/9005 Buffering arrangements using dynamic buffer space allocation
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming → H04L 61/50 Address allocation → H04L 61/5007 Internet protocol [IP] addresses → H04L 61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/14 ... for detecting or protecting against malicious traffic → H04L 63/1408 ... by monitoring network traffic → H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/20 ... for managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications → H04L 67/01 Protocols → H04L 67/10 Protocols in which an application is distributed across nodes in the network → H04L 67/104 Peer-to-peer [P2P] networks → H04L 67/1044 Group management mechanisms
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications → H04L 67/01 Protocols → H04L 67/10 Protocols in which an application is distributed across nodes in the network → H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a software-defined dynamic secure storage method and device. The main steps are: a software-defined storage path module creates multiple virtual links and randomly selects one of them when data is stored; a software-defined storage node module randomly selects the target server node on which the data is stored; a data synchronization module synchronizes the latest data of each node to every node in the cluster; and a security controller dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches. The invention achieves dynamic security protection of storage, prevents an attacker from eavesdropping on the storage path and from persistently probing and intruding into the storage nodes, and achieves active defence of the storage method and the storage network system.

Description

Software-defined dynamic secure storage method and device
Technical field
The present invention relates to a secure storage method and device, and in particular to a software-defined dynamic secure storage method and device, belonging to the field of computer network security.
Background
Data is the most critical asset, and the storage system, as the shelf space for data, is the last line of defence of data protection. As storage systems develop from local direct attachment towards networked and distributed architectures and are shared by many computers on the network, they become more vulnerable to attack; a relatively static storage system often becomes the preferred target of attackers seeking to steal, tamper with or destroy data.
Information leakage incidents involving data storage emerge one after another. In 2016, the e-mails and passwords of about 320,000 users of the American cable television company Time Warner Cable were stolen by hackers. In the first half of 2017 alone, the amount of data stolen exceeded the total amount stolen in all of 2016. In March 2018, Facebook was exposed as having leaked the data of more than 87 million users; Cambridge Analytica, a data analysis company serving a presidential election team, had obtained the data of a large number of Facebook users, and this data was later used illegally to deliver political advertising. At the end of March 2018, the American sportswear brand Under Armour stated that its fitness application MyFitnessPal had been attacked by hackers through a data vulnerability, leaking the data of more than 150 million users. In August 2018, according to Chinese-language darknet forums, the data of all hotels under Huazhu Hotels Group was publicly put up for sale, covering Huazhu brands including Hanting, Grand Mercure, Joya, Manxin, Novotel, Mercure, CitiGo, Orange, Ji Hotel, Starway, ibis, Elan and Hi Inn. In 2019, researchers of the Dutch non-profit GDI Foundation found that a facial recognition company located in Shenzhen had suffered a large-scale data leak: more than 6.8 million information records of more than 2.5 million users were exposed, and the leaked data included sensitive information such as ID card details, facial recognition images and 24-hour location records.
The conventional approach to the problem of data storage security uses data encryption together with authentication and authorization management techniques. In secure storage, a file is turned into unreadable ciphertext (encryption) by technical means and stored; when the file is used, it is restored (decrypted) by the same or a different means. Between storage and use, the file therefore switches between a ciphertext state and a plaintext state. Whether symmetric or asymmetric encryption is used, key management is a complex challenge, and once a key is lost, the security of the stored data vanishes entirely. Authentication and authorization management relies on cryptographic techniques such as multi-factor authentication on the one hand and, at the same time, requires a variety of access control policies to be configured; once an attacker bypasses authentication, the stored data is exposed as plaintext. Such static, passive defence methods have difficulty resisting prolonged penetration by attackers and the exploitation of new vulnerabilities, and have no ability at all to resist eavesdropping attacks on the data storage link.
Analysis shows that the weakness of data storage security is that the storage target is static and the defence policy is passive. Only by carrying out dynamic security protection can threats such as eavesdropping attacks and APT attacks be resisted; software-defined networking (SDN) technology offers a new direction for realizing active defence of data storage security.
Summary of the invention
In view of this, the invention discloses a software-defined dynamic secure storage method and device. The main steps are: a software-defined storage path module creates multiple virtual links and randomly selects one of them when data is stored; a software-defined storage node module randomly selects the target server node on which the data is stored; a data synchronization module synchronizes the latest data of each node to every node in the cluster; and a security controller dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches. The invention achieves dynamic security protection of storage, prevents an attacker from eavesdropping on the storage path and from persistently probing and intruding into the storage nodes, and achieves active defence of the storage method and the storage network system.
The technical scheme of the invention is as follows: a software-defined dynamic secure storage method, whose steps include:
1) the software-defined storage path module dynamically schedules the links used for storage;
2) the software-defined storage node module randomly selects the target server node on which data is stored;
3) the data synchronization module synchronizes the latest data of each node to every node in the cluster;
4) the security controller dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches.
Further, the software-defined storage path module can create multiple virtual links and randomly selects one link when storing data, thereby preventing data eavesdropping attacks and man-in-the-middle attacks by a malicious node on a particular link.
Further, the software-defined storage node module achieves the moving and obfuscation of the node target through the following operations:
1) creating, through virtualization, multiple diverse and functionally equivalent storage node clusters, the IP addresses of the storage nodes within a cluster being internally and dynamically allocated;
2) abstracting the storage nodes externally as a unified virtual interface, so that users can invoke data storage only through that interface;
3) when data is stored, the software-defined storage node module randomly selects an internal storage node and dynamically translates the external interface address into the real IP of that internal storage node; when no storage session is established, the system creates no translation relationship between the external interface and the internal storage nodes.
Further, the data synchronization module archives and merges, through an internal interface, the data stored by each storage node.
Further, the security controller implements the dynamic security policy in the following way:
1) uniformly managing and abstracting the network links, and dynamically maintaining multiple virtual links;
2) dynamically adding and deleting storage nodes, replacing their IP addresses and performing similar operations, thereby maintaining the identity attributes of the storage nodes in the network;
3) issuing dynamic storage flow table rules to the SDN switches according to the security requirements, and translating the link connectivity between the external interface and the internal IPs of the storage nodes;
4) issuing flow table expiration operations according to the timeout policy, and recycling and cleaning timed-out storage nodes.
Further, the security controller uses diverse redundant controllers: one of the multiple controllers is randomly selected as the master controller, and the remaining controllers are standby slave controllers.
The invention also proposes a software-defined dynamic secure storage device, comprising a software-defined storage path module, a software-defined storage node module, a data synchronization module and a security controller, wherein:
the software-defined storage path module can create multiple virtual links and randomly selects one link when storing data, thereby preventing data eavesdropping attacks and man-in-the-middle attacks by a malicious node on a particular link;
the software-defined storage node module creates, through virtualization, multiple diverse and functionally equivalent storage node clusters, the IP addresses of the storage nodes within a cluster being internally and dynamically allocated; when data is stored, the software-defined storage node module randomly selects an internal storage node and dynamically translates the external interface address into the real IP of that internal storage node; when no storage session is established, the system creates no translation relationship between the external interface and the internal storage nodes; the storage nodes are abstracted externally as a unified virtual interface, and users can invoke data storage only through that interface, thereby achieving the moving and obfuscation of the node target;
the data synchronization module archives and merges, through an internal interface, the data stored by each storage node;
the security controller uses diverse redundant controllers, one of which is randomly selected as the master controller while the remaining controllers are standby slave controllers; it dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches.
The beneficial effects of the invention are as follows:
The invention provides a software-defined dynamic secure storage method and device that can create multiple virtual links and randomly select one of them when storing data, randomly select the target server node on which data is stored, synchronize the latest data of each node to every node in the cluster through the data synchronization module, and ensure the reliability of the security policy through diverse security controllers. The invention achieves dynamic security protection of storage, prevents an attacker from eavesdropping on the storage path and from persistently probing and intruding into the storage nodes, and achieves active defence of the storage method and the storage network system.
Description of the drawings
Figure 1 is an architecture diagram of the software-defined dynamic secure storage device of the invention.
Specific embodiments
The invention is further described below with reference to the accompanying drawing and embodiments.
The software-defined dynamic secure storage method disclosed in one embodiment of the invention comprises the following steps:
1) the software-defined storage path module can create multiple virtual links and randomly selects one link when storing data, thereby preventing data eavesdropping attacks and man-in-the-middle attacks by a malicious node on a particular link;
2) the software-defined storage node module creates, through virtualization, multiple diverse and functionally equivalent storage node clusters, the IP addresses of the storage nodes within a cluster being internally and dynamically allocated; when data is stored, the software-defined storage node module randomly selects an internal storage node and dynamically translates the external interface address into the real IP of that internal storage node; when no storage session is established, the system creates no translation relationship between the external interface and the internal storage nodes; the storage nodes are abstracted externally as a unified virtual interface, and users can invoke data storage only through that interface, thereby achieving the moving and obfuscation of the node target;
3) the data synchronization module archives and merges, through an internal interface, the data stored by each storage node;
4) the security controller uses diverse redundant controllers, one of which is randomly selected as the master controller while the remaining controllers are standby slave controllers; it dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches.
The software-defined dynamic secure storage method and device shown in the drawing are further explained below by way of a specific example.
As shown in Figure 1, a software-defined dynamic secure storage device comprises a software-defined storage path module, a software-defined storage node module, a data synchronization module and a security controller. Its main steps are:
1. the software-defined storage path module can create multiple virtual links and randomly selects one link when storing data, thereby preventing data eavesdropping attacks and man-in-the-middle attacks by a malicious node on a particular link;
2. the software-defined storage node module achieves the moving and obfuscation of the node target through the following operations:
(a) creating, through virtualization, multiple diverse and functionally equivalent storage node clusters, the IP addresses of the storage nodes within a cluster being internally and dynamically allocated;
(b) abstracting the storage nodes externally as a unified virtual interface, so that users can invoke data storage only through that interface;
(c) when data is stored, the software-defined storage node module randomly selects an internal storage node and dynamically translates the external interface address into the real IP of that internal storage node; when no storage session is established, the system creates no translation relationship between the external interface and the internal storage nodes;
3. the data synchronization module archives and merges, through an internal interface, the data stored by each storage node;
4. the security controller implements the dynamic security policy in the following way:
(a) uniformly managing and abstracting the network links, and dynamically maintaining multiple virtual links;
(b) dynamically adding and deleting storage nodes, replacing their IP addresses and performing similar operations, thereby maintaining the identity attributes of the storage nodes in the network;
(c) issuing dynamic storage flow table rules to the SDN switches according to the security requirements, and translating the link connectivity between the external interface and the internal IPs of the storage nodes;
(d) issuing flow table expiration operations according to the timeout policy, and recycling and cleaning timed-out storage nodes;
5. a further characteristic of the security controller is diverse controller redundancy: one of the multiple controllers is randomly selected as the master controller, and the remaining controllers are standby slave controllers.
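The session-scoped address translation, timeout-driven recycling and node rotation described in steps 2 and 4 above, as an added Python simulation that is not the patent's own code: several functionally equivalent clusters with internally allocated IPs, a random virtual link and node chosen per storage session, a translation rule that exists only while the session is live, expiry that returns nodes for cleaning, IP replacement as aperiodic maintenance, and random master election among redundant controllers. The address ranges, class and function names are constructed for illustration and are not from the patent.

```python
import random
import ipaddress
from dataclasses import dataclass


@dataclass
class FlowRule:
    """One translation rule the security controller would push to an SDN switch:
    external interface address -> internal node IP, over the chosen virtual link,
    valid until expires_at (the patent's flow table timeout policy)."""
    session_id: str
    external_addr: str
    internal_ip: str
    link_id: int
    expires_at: float


class DynamicSecureStorage:
    """Toy model of the storage path module, storage node module and security
    controller (data synchronization is out of scope here)."""

    def __init__(self, clusters, nodes_per_cluster, links, rule_timeout, seed=None):
        self.rng = random.Random(seed)
        self.links = list(range(links))          # multiple virtual links
        self.rule_timeout = rule_timeout
        # Constructed internal address pool (hypothetical private range).
        self._pool = ipaddress.ip_network("10.0.0.0/16").hosts()
        # Diverse, functionally equivalent clusters; every node gets an internally
        # allocated IP that is never exposed directly to users.
        self.clusters = {c: [str(next(self._pool)) for _ in range(nodes_per_cluster)]
                         for c in range(clusters)}
        self.external_addr = "203.0.113.10"      # constructed documentation address
        # session_id -> FlowRule; empty means no external->internal mapping exists.
        self.rules = {}

    def all_nodes(self):
        return [ip for nodes in self.clusters.values() for ip in nodes]

    def open_session(self, session_id, now):
        """Storage path module picks a random link; storage node module picks a random
        cluster and node; the controller installs the translation rule with a timeout."""
        link = self.rng.choice(self.links)
        cluster = self.rng.choice(sorted(self.clusters))
        node = self.rng.choice(self.clusters[cluster])
        rule = FlowRule(session_id, self.external_addr, node, link, now + self.rule_timeout)
        self.rules[session_id] = rule
        return rule

    def translate(self, session_id, now):
        """Switch behaviour on a packet: the internal IP is reachable only while a live
        rule exists, so outside a session the external interface maps to nothing."""
        rule = self.rules.get(session_id)
        if rule is None or now >= rule.expires_at:
            return None
        return rule.internal_ip

    def expire(self, now):
        """Timeout policy: tear down expired rules and return the node IPs that the
        controller should recycle and clean."""
        expired = [sid for sid, r in self.rules.items() if now >= r.expires_at]
        return [self.rules.pop(sid).internal_ip for sid in expired]

    def replace_node_ip(self, cluster, old_ip):
        """Aperiodic maintenance: give a node a fresh internal IP. Rules still bound to
        the old address are withdrawn, so a previously learned target goes stale."""
        new_ip = str(next(self._pool))
        nodes = self.clusters[cluster]
        nodes[nodes.index(old_ip)] = new_ip
        for sid in [s for s, r in self.rules.items() if r.internal_ip == old_ip]:
            del self.rules[sid]
        return new_ip


def elect_master(controller_ids, seed=None):
    """Diverse redundant controllers: one random master, the rest standby slaves."""
    rng = random.Random(seed)
    master = rng.choice(list(controller_ids))
    standby = [c for c in controller_ids if c != master]
    return master, standby
```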
The specific embodiments described above are intended to facilitate a better understanding of the invention and do not limit the scope of the invention. Any modification, variation, equivalent replacement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the claims of the invention.

Claims (7)

1. A software-defined dynamic secure storage method, comprising the steps of:
1) a software-defined storage path module dynamically schedules the links used for storage;
2) a software-defined storage node module randomly selects the target server node on which data is stored;
3) a data synchronization module synchronizes the latest data of each node to every node in the cluster;
4) a security controller dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches.
2. The software-defined dynamic secure storage method according to claim 1, characterized in that the software-defined storage path module can create multiple virtual links and randomly selects one link when storing data, thereby preventing data eavesdropping attacks and man-in-the-middle attacks by a malicious node on a particular link.
3. The software-defined dynamic secure storage method according to claim 1, characterized in that the software-defined storage node module achieves the moving and obfuscation of the node target through the following operations:
1) creating, through virtualization, multiple diverse and functionally equivalent storage node clusters, the IP addresses of the storage nodes within a cluster being internally and dynamically allocated;
2) abstracting the storage nodes externally as a unified virtual interface, so that users can invoke data storage only through that interface;
3) when data is stored, the software-defined storage node module randomly selects an internal storage node and dynamically translates the external interface address into the real IP of that internal storage node; when no storage session is established, the system creates no translation relationship between the external interface and the internal storage nodes.
4. The software-defined dynamic secure storage method according to claim 1, characterized in that the data synchronization module archives and merges, through an internal interface, the data stored by each storage node.
5. The software-defined dynamic secure storage method according to claim 1, characterized in that the security controller implements the dynamic security policy in the following way:
1) uniformly managing and abstracting the network links, and dynamically maintaining multiple virtual links;
2) dynamically adding and deleting storage nodes, replacing their IP addresses and performing similar operations, thereby maintaining the identity attributes of the storage nodes in the network;
3) issuing dynamic storage flow table rules to the SDN switches according to the security requirements, and translating the link connectivity between the external interface and the internal IPs of the storage nodes;
4) issuing flow table expiration operations according to the timeout policy, and recycling and cleaning timed-out storage nodes.
6. The software-defined dynamic secure storage method according to claim 1 or 5, characterized in that the security controller uses diverse redundant controllers: one of the multiple controllers is randomly selected as the master controller, and the remaining controllers are standby slave controllers.
7. A software-defined dynamic secure storage device, comprising a software-defined storage path module, a software-defined storage node module, a data synchronization module and a security controller, wherein:
the software-defined storage path module can create multiple virtual links and randomly selects one link when storing data, thereby preventing data eavesdropping attacks and man-in-the-middle attacks by a malicious node on a particular link;
the software-defined storage node module creates, through virtualization, multiple diverse and functionally equivalent storage node clusters, the IP addresses of the storage nodes within a cluster being internally and dynamically allocated; when data is stored, the software-defined storage node module randomly selects an internal storage node and dynamically translates the external interface address into the real IP of that internal storage node; when no storage session is established, the system creates no translation relationship between the external interface and the internal storage nodes; the storage nodes are abstracted externally as a unified virtual interface, and users can invoke data storage only through that interface, thereby achieving the moving and obfuscation of the node target;
the data synchronization module archives and merges, through an internal interface, the data stored by each storage node;
the security controller uses diverse redundant controllers, one of which is randomly selected as the master controller while the remaining controllers are standby slave controllers; it dynamically maintains and extends the storage paths and storage nodes, aperiodically adds, retires and cleans them, and issues policies to the storage nodes and network switches.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910746345.4A CN110474981A (en) 2019-08-13 2019-08-13 Software-defined dynamic secure storage method and device

Publications (1)

Publication Number Publication Date
CN110474981A true CN110474981A (en) 2019-11-19

Family

ID=68510600

Country Status (1)

Country Link
CN (1) CN110474981A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105391690A (en) * 2015-10-19 2016-03-09 中国科学院信息工程研究所 POF-based network eavesdropping defending method and system
CN105511805A (en) * 2015-11-26 2016-04-20 深圳市中博科创信息技术有限公司 Data processing method and device for cluster file system
CN106407214A (en) * 2015-08-02 2017-02-15 郑建锋 Distributed storage method and system
CN109067758A (en) * 2018-08-23 2018-12-21 江苏大学 A kind of SDN network data transmission intimacy protection system and its method based on multipath
CN109314724A (en) * 2016-08-09 2019-02-05 华为技术有限公司 The methods, devices and systems of virtual machine access physical server in cloud computing system
US20190104207A1 (en) * 2017-09-29 2019-04-04 Fungible, Inc. Network access node virtual fabrics configured dynamically over an underlay network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20191119)