CN110572353A - Cloud computing network security service - Google Patents


Info

Publication number: CN110572353A
Authority: CN (China)
Prior art keywords: security, service, cloud, health, fmc
Legal status: Pending
Application number: CN201810620168.0A
Other languages: Chinese (zh)
Inventors: 帅仁俊, 马力, 郭汉
Current assignee: Nanjing Tech University
Original assignee: Nanjing Tech University
Priority date: 2018-06-05
Filing date: 2018-06-05
Publication date: 2019-12-13


Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION), with the following subgroups:
    • H04L63/02 Separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies
    • H04L63/10 Controlling access to devices or network resources
    • H04L63/14 Detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic; H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic; H04L63/145 the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/30 Supporting lawful interception, monitoring or retaining of communications or communication related information; H04L63/308 retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content

Abstract

The invention discloses a cloud computing network security service in the technical field of computers. Using a network security service method oriented to the health cloud, it provides an automatic and efficient customized network security service that matches the network security requirements of each health cloud user; it provides a unified log management format, which facilitates network situation analysis and improves system performance; it gives the health cloud more flexible and robust access control; it reduces the cost of the health cloud system and the complexity of its maintenance and management; and it improves the network security service performance of the health cloud system in terms of delay, throughput and packet loss rate.

Description

Cloud computing network security service
Technical Field
The invention relates to the technical field of computers, in particular to cloud computing network security service.
Background
In the field of cloud computing, network security is regarded as one of the most important security issues; its threats can be as fatal as those to data security and privacy disclosure. If cloud computing security adopts a customized security service strategy, the security level can adapt itself to the service type and the security requirement, so that the security requirement of each cloud user service is met while the consumption of cloud computing resources is reduced.
CloudWatcher proposes a customized cloud computing network security service: the cloud user fills in security requirements according to its services and submits them to CloudWatcher, which parses the requirements and forms a customized security service. CloudWatcher, however, only proposes the concept; it gives no specific, feasible implementation of the templates or of requirement analysis, does not generate security check chains, and does not consider Mbox load balancing, usability or scalability. Chen, Jianyong et al. attempt to provide on-demand cloud computing security services, but since stricter security requirements consume more resources (security detection time, memory and bandwidth), applying the strictest security measures to all cloud computing services is impractical and can seriously impair cloud computing availability or even render it unusable.
The health cloud carries complex network services. The traditional approach protects network security by integrating a large number of Mboxes; so much equipment brings high cost, high complexity, low scalability and serious performance bottlenecks, and cannot prevent network attacks between virtual machines. The health cloud involves many user types and stores their important information, so user privacy must be guaranteed not to be disclosed; yet a cloud service provider cannot know the network security requirements of health cloud users and therefore cannot provide customized network security services. Moreover, because different types of Mbox differ greatly in configuration and management, providing a customized network security service manually with a large number of Mboxes is an almost impossible task, and the high cost of Mboxes is unfavourable to large-scale deployment.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a cloud computing network security service with a scheme for configuring, managing and maintaining Mboxes automatically and efficiently, so that customized network security services can be provided to health cloud users; at the same time, virtual Mboxes are fully used in place of physical Mboxes, which reduces hardware expenditure, lowers cost and improves system performance.
To achieve the above purpose, the present invention provides the following technical solution:
The cloud computing network security service comprises a health cloud platform. The health cloud platform acquires resident health data from mobile terminals to establish a health file management system, and provides health file query, appointment registration, health knowledge push, home health, health consultation and big-data intelligent analysis services. A health cloud user only needs to fill in a security template according to its own network security requirements; the security template comprises an IP address, a port number, and whether network layer detection, anti-virus detection, anti-spam inspection and the like are needed. The security requirements to be provided are then refined according to the required inspection types. The health cloud user normalizes the security requirements into the security template, encrypts it and submits it to the system; a SPEC analyzer analyzes the cloud user's SPEC together with Mbox state information, Mbox topology and vSwitch information to generate an FMC security path and security filtering rules. The RouteGen converter converts the FMC security path into forwarding rules, so that flows are forwarded to the FMC chain for security detection and filtering; the MD then issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mboxes. Except for later adjustment of special rules, the whole process needs no manual intervention and is completed entirely automatically by the system. The health-cloud-oriented network security customized service mainly comprises five components: SMG, SMD, Dom0, service domains and vSwitch (virtual switch). Whenever a service domain is accessed, external or internal traffic must pass through the required filtering domains; if the network is attacked, the attack log is stored in the ELMD (log management domain).
Preferably, the functions of each part of the health-cloud-oriented network security customized service are as follows:
(1) The SMG mainly comprises security groups such as an AS (anti-spam) group, a FW (firewall) group and an AV (anti-virus) group, and is responsible for storing the attack logs, statistics and the like generated by detection and filtering as events in the ELMD of the SMD;
(2) The SMD consists of the MD (management domain) and the ELMD, where the ELMD stores and manages the events and logs originating from the SMG. The main functions of the MD are: creating/deleting any domain in the SMG; issuing forwarding rules to the vSwitch so that flows accessing a service domain pass through the corresponding FMC (security detection chain) for security detection and filtering; collecting status information (e.g., load, failure) for each group in the SMG and accepting forwarding information (e.g., traffic) from the vSwitch;
(3) Dom0 has reduced rights: it cannot create/start/stop/delete any domain in the SMG, but still retains the rights to handle and manage any virtual machine in the service domains, including scheduling by time slice, I/O allocation, etc.;
(4) The service domains carry the various network-based health cloud user services, such as FTP (file transfer protocol) services, Web services and the like;
(5) The vSwitch is responsible for receiving the forwarding rules issued by the MD and forwarding internal and external flows through the security domains for detection and filtering.
Preferably, the MD mainly comprises a SPEC analyzer and a RouteGen converter. The SPEC analyzer generates the FMC security path and the security filtering rules by analyzing the cloud user's SPEC, the state information of the Mboxes (network devices), the Mbox topology and the vSwitch information; the RouteGen converter converts the FMC security path into forwarding rules, so that flows are forwarded to the FMC chain for security detection and filtering; finally the forwarding rules are issued to the vSwitch and the security filtering rules are forwarded to the corresponding Mboxes.
Preferably, the virtual Mboxes have a unified log format comprising: log type, Mbox unique identifier, event identifier, service unique identifier, source IP, source port, destination IP, destination port, protocol and a detailed description of the log event. After the ELMD receives the logs, its log classifier classifies and stores them, so that subsequent access can be based on user permissions.
The beneficial effects of adopting the above technical scheme are:
1. An automatic and efficient customized network security service is provided for the network security requirements of health cloud users;
2. A unified log management format is provided, which facilitates network situation analysis and improves system performance;
3. Access control of the health cloud gains flexibility and robustness;
4. The cost of the health cloud system and the complexity of its maintenance and management are reduced;
5. The network security service performance of the health cloud system, such as delay, throughput and packet loss rate, is improved.
Drawings
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a health-cloud-oriented customized network security service application;
FIG. 2 is a schematic diagram of the overall design of a health-cloud-oriented customized network security service;
FIG. 3 is a schematic diagram of a health-cloud-oriented customized network security service application.
In the figures: IDS, intrusion detection system; WAF, Web application firewall; UMT, unified threat management; FW, firewall; EDS, encryption and decryption software; AV, anti-virus; AS, anti-spam.
Detailed Description
The following describes a preferred embodiment of the cloud computing network security service according to the present invention in detail with reference to the accompanying drawings.
Figs. 1 to 3 show a specific embodiment of the cloud computing network security service:
The user types of the health cloud are broadly divided into residents, hospitals and medical institutions, government health institutions and third-party institutions, each with a different role type. The health cloud platform acquires resident health data from mobile terminals (such as sphygmomanometers, blood glucose meters and the like) to establish a health file management system, and provides health file query, appointment registration, health knowledge push, home health, health consultation, big-data intelligent analysis and other services, as shown in Fig. 1. The health-cloud-oriented network security customization service provides customized network security services for the different services of the different roles.
The health cloud user only needs to fill in a security template according to its own network security requirements; the security template comprises an IP address, a port number, and whether network layer detection, anti-virus detection, anti-spam detection and the like are needed. The security requirements to be provided are then refined according to the required detection types. The health cloud user normalizes the security requirements into the security template, encrypts it and submits it to the system; the SPEC analyzer analyzes the cloud user's SPEC together with Mbox state information, Mbox topology and vSwitch information to generate an FMC security path and security filtering rules. The RouteGen converter converts the FMC security path into forwarding rules, so that flows are forwarded to the FMC chain for security detection and filtering; the MD then issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mboxes. The overall system structure is shown in Fig. 2. Except for later adjustment of special rules, the whole process needs no manual intervention and is completed entirely automatically by the system.
The health-cloud-oriented network security customization service mainly comprises five components: SMG, SMD, Dom0, service domains and vSwitch (virtual switch). To guarantee the network security of the service domains, whenever a service domain is accessed, external or internal traffic must pass through the required filtering domains; if the network is attacked, the attack log is stored in the ELMD (log management domain), as shown in Fig. 3.
The functions of the various parts are as follows:
(1) The SMG is mainly composed of security groups such as an AS (anti-spam) group, a FW (firewall) group and an AV (anti-virus) group, and is responsible for storing the attack logs, statistics and the like generated by detection and filtering as events in the ELMD of the SMD.
(2) The SMD consists of the MD (management domain) and the ELMD, where the ELMD stores and manages the events and logs originating from the SMG. The main functions of the MD are: creating/deleting any domain in the SMG; issuing forwarding rules to the vSwitch so that flows accessing a service domain pass through the corresponding FMC (security detection chain) for security detection and filtering; collecting status information (e.g., load, failure) for each group in the SMG and accepting forwarding information (e.g., traffic) from the vSwitch.
(3) Dom0 has reduced rights: it cannot create/start/stop/delete any domain in the SMG, but still retains the rights to handle and manage any virtual machine in the service domains, including scheduling by time slice, I/O allocation, etc.
(4) The service domains carry the various network-based health cloud user services, such as FTP (file transfer protocol) services, Web services and the like.
(5) The vSwitch is responsible for receiving the forwarding rules issued by the MD and forwarding internal and external flows through the security domains for detection and filtering.
The MD consists primarily of a SPEC analyzer and a RouteGen converter. The SPEC analyzer generates the FMC security paths and security filtering rules by analyzing the cloud user's SPEC, the state information of the Mboxes (network devices), the Mbox topology and the vSwitch information. The RouteGen converter converts each FMC security path into forwarding rules, so that flows are forwarded to the FMC chain for security detection and filtering. Finally, the MD issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mboxes.
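The two MD stages described above (SPEC analysis of a user's template into an FMC path plus per-Mbox filtering rules, then RouteGen conversion of that path into vSwitch forwarding rules) are easiest to follow as a small working model. The following is an added example, not code from the patent or from Nanjing Tech University; the SecurityTemplate and MboxState classes, the fixed FW/AV/AS chain order, the least-loaded Mbox selection and the dictionary layout of the rules are all assumptions made for illustration. It also uses the Mbox status (load, failure) that the MD collects, which is the load-balancing consideration the background section says the prior art lacked.

```python
"""Toy model of the customized security pipeline: template -> SPEC analyzer ->
FMC path + Mbox filtering rules -> RouteGen -> vSwitch forwarding rules -> MD dispatch.
Added example, not the patent's code; every class, field and rule layout is an
assumption chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecurityTemplate:
    """What the health cloud user fills in: the service address and which checks it wants."""
    service_id: str
    ip: str
    port: int
    network_layer: bool = False   # handled by the FW group
    anti_virus: bool = False      # handled by the AV group
    anti_spam: bool = False       # handled by the AS group


@dataclass(frozen=True)
class MboxState:
    """Status the MD collects for each Mbox in the SMG (load and failure)."""
    group: str        # "FW", "AV" or "AS"
    mbox_id: str
    load: float       # fraction of capacity in use, 0.0 .. 1.0
    failed: bool = False


# Assumed order of the checks along the chain: network layer first, then content checks.
GROUP_ORDER = ("FW", "AV", "AS")


def spec_analyze(tpl: SecurityTemplate, mboxes: List[MboxState]) -> Tuple[List[str], List[Dict]]:
    """SPEC analyzer stand-in: select the required groups in chain order, pick the
    least-loaded healthy Mbox in each group, and emit one filtering rule per chosen
    Mbox scoped to the user's service."""
    wanted = {"FW": tpl.network_layer, "AV": tpl.anti_virus, "AS": tpl.anti_spam}
    path: List[str] = []
    filters: List[Dict] = []
    for group in GROUP_ORDER:
        if not wanted[group]:
            continue
        healthy = [m for m in mboxes if m.group == group and not m.failed]
        if not healthy:
            # A required check with no healthy Mbox must fail loudly, not be skipped.
            raise RuntimeError(f"no healthy Mbox available in group {group}")
        chosen = min(healthy, key=lambda m: m.load)
        path.append(chosen.mbox_id)
        filters.append({
            "mbox": chosen.mbox_id,
            "service": tpl.service_id,
            "match": {"dst_ip": tpl.ip, "dst_port": tpl.port},
            "action": f"{group.lower()}_inspect",
        })
    return path, filters


def routegen(tpl: SecurityTemplate, path: List[str]) -> List[Dict]:
    """RouteGen stand-in: chain the Mboxes so every flow addressed to the service
    enters from the ingress, visits each Mbox of the FMC path in turn, and only then
    reaches the service domain. Each rule keys on where the packet came from."""
    hops = path + [f"service:{tpl.service_id}"]
    rules: List[Dict] = []
    previous = "ingress"
    for hop in hops:
        rules.append({
            "match": {"dst_ip": tpl.ip, "dst_port": tpl.port, "from": previous},
            "output": hop,
        })
        previous = hop
    return rules


def md_dispatch(tpl: SecurityTemplate, mboxes: List[MboxState]) -> Dict[str, List[Dict]]:
    """MD stand-in: run both stages and return what goes to the vSwitch and to the Mboxes."""
    path, filters = spec_analyze(tpl, mboxes)
    return {"vswitch": routegen(tpl, path), "mbox": filters}


if __name__ == "__main__":
    # Constructed sample: a Web service wanting all three checks, and an SMG where
    # fw-1 is busy and as-1 has failed (so fw-2 and as-2 are chosen).
    inventory = [
        MboxState("FW", "fw-1", 0.70), MboxState("FW", "fw-2", 0.20),
        MboxState("AV", "av-1", 0.50),
        MboxState("AS", "as-1", 0.10, failed=True), MboxState("AS", "as-2", 0.90),
    ]
    web = SecurityTemplate("svc-web", "10.0.1.20", 443,
                           network_layer=True, anti_virus=True, anti_spam=True)
    for target, rules in md_dispatch(web, inventory).items():
        print(target)
        for rule in rules:
            print("  ", rule)
```

The forwarding rules key on the previous hop as well as on the destination, so a packet cannot be delivered to the service domain until it has left the last Mbox of the chain; that is what makes "all traffic to the service domain passes through the required filtering domains" a property of the rules rather than of operator discipline.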
To facilitate identification and standardized management of the virtual Mbox logs, the virtual Mboxes have a unified log format comprising the following fields: log type, Mbox unique identifier, event identifier, service unique identifier, source IP, source port, destination IP, destination port, protocol and a detailed description of the log event. After the ELMD receives the logs, its log classifier classifies and stores them, so that later access can be based on user authority. For example, a health cloud user can only view the logs, and the statistics derived from them, generated when its own service is attacked, whereas the cloud service provider can view system logs, audit logs and the like.
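The unified log format and the permission-scoped access the ELMD classifier is meant to give (a user sees only attack logs against its own service, the provider sees system and audit logs) can be shown concretely. The following is an added example, not code from the patent or from Nanjing Tech University; the pipe-delimited line layout, the log-type names attack/system/audit, the role names and the sample records are all assumptions, and the records are constructed, not captured traffic.

```python
"""Parser, classifier and permission-scoped views for the unified virtual-Mbox log
format (log type, Mbox id, event id, service id, src IP, src port, dst IP, dst port,
protocol, description). Added example, not the patent's code; the '|'-separated line
layout, log-type names and role rules are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# Field order of the unified format (assumed: one record per line, fields separated by '|').
FIELDS = ("log_type", "mbox_id", "event_id", "service_id", "src_ip", "src_port",
          "dst_ip", "dst_port", "protocol", "description")
# Assumed log types: attack logs come from the SMG; system and audit logs from the platform.
LOG_TYPES = {"attack", "system", "audit"}


@dataclass(frozen=True)
class UnifiedLog:
    log_type: str
    mbox_id: str
    event_id: str
    service_id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    description: str


def parse_line(line: str) -> UnifiedLog:
    """Split one record and validate it; a malformed record is rejected rather than
    stored, so a bad line from one Mbox cannot poison the shared store."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)   # description may contain '|'
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_type"] not in LOG_TYPES:
        raise ValueError(f"unknown log type {rec['log_type']!r}")
    for key in ("src_ip", "dst_ip"):
        ipaddress.ip_address(rec[key])            # raises ValueError on garbage
    ports = {}
    for key in ("src_port", "dst_port"):
        port = int(rec[key])                      # raises ValueError if not numeric
        if not 0 <= port <= 65535:
            raise ValueError(f"{key} out of range: {port}")
        ports[key] = port
    return UnifiedLog(rec["log_type"], rec["mbox_id"], rec["event_id"], rec["service_id"],
                      rec["src_ip"], ports["src_port"], rec["dst_ip"], ports["dst_port"],
                      rec["protocol"], rec["description"])


class LogClassifier:
    """ELMD log classifier stand-in: store records by type and answer role-scoped views."""

    def __init__(self) -> None:
        self._by_type: Dict[str, List[UnifiedLog]] = defaultdict(list)

    def ingest(self, line: str) -> UnifiedLog:
        log = parse_line(line)
        self._by_type[log.log_type].append(log)
        return log

    def view(self, role: str, service_id: Optional[str] = None) -> List[UnifiedLog]:
        """A health cloud user sees only attack logs against its own service; the cloud
        service provider sees system and audit logs. Any other request is refused."""
        if role == "user" and service_id:
            return [l for l in self._by_type["attack"] if l.service_id == service_id]
        if role == "provider":
            return self._by_type["system"] + self._by_type["audit"]
        raise PermissionError(f"role {role!r} has no log view")

    def stats(self, service_id: str) -> Counter:
        """Per-service statistics a user may see: its attack events counted by Mbox."""
        return Counter(l.mbox_id for l in self.view("user", service_id))


# Constructed sample records (not real traffic).
SAMPLE_LINES = [
    "attack|fw-2|ev-1001|svc-web|198.51.100.7|51234|10.0.1.20|443|tcp|port scan blocked by FW group",
    "attack|av-1|ev-1002|svc-web|198.51.100.9|40211|10.0.1.20|443|tcp|malicious upload dropped by AV group",
    "attack|as-2|ev-1003|svc-mail|203.0.113.4|25000|10.0.1.30|25|tcp|spam run rejected by AS group",
    "system|md|ev-2001|-|10.0.0.1|0|10.0.0.2|0|-|forwarding rules issued to vSwitch",
    "audit|md|ev-3001|-|10.0.0.1|0|10.0.0.2|0|-|operator adjusted special rule for svc-web",
]


def load_samples() -> LogClassifier:
    """Ingest the constructed sample into a fresh classifier."""
    elmd = LogClassifier()
    for line in SAMPLE_LINES:
        elmd.ingest(line)
    return elmd


if __name__ == "__main__":
    elmd = load_samples()
    print("svc-web user sees:", [l.event_id for l in elmd.view("user", "svc-web")])
    print("provider sees:", [l.event_id for l in elmd.view("provider")])
    print("svc-web stats:", dict(elmd.stats("svc-web")))
```

The service identifier in every record is what makes per-user scoping possible: because each Mbox stamps the service it was filtering for, the classifier never has to infer ownership from IP addresses, which may be shared or reassigned between service domains.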
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make many variations and modifications without departing from the inventive concept of the present invention, and these also fall within its protection scope.

Claims (4)

1. A cloud computing network security service, characterized in that: the cloud computing network security service comprises a health cloud platform; the health cloud platform acquires resident health data from mobile terminals to establish a health file management system and provides health file query, appointment registration, health knowledge push, home health, health consultation and big-data intelligent analysis services; a health cloud user only needs to fill in a security template according to its own network security requirements, the security template comprising an IP address, a port number and whether network layer detection, anti-virus detection, anti-spam detection and the like are needed; the security requirements to be provided are refined according to the required detection types; the health cloud user normalizes the security requirements into the security template, encrypts it and submits it to the system; a SPEC analyzer analyzes the cloud user's SPEC together with Mbox state information, Mbox topology and vSwitch information to generate an FMC security path and security filtering rules; the RouteGen converter converts the FMC security path into forwarding rules, so that flows are forwarded to the FMC chain for security detection and filtering; the MD then issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mboxes; except for later adjustment of special rules, the whole process needs no manual intervention and is completed entirely automatically by the system; the health-cloud-oriented network security customized service mainly comprises five components: SMG, SMD, Dom0, service domains and vSwitch (virtual switch); whenever a service domain is accessed, external or internal traffic must pass through the required filtering domains; and if the network is attacked, the attack log is stored in the ELMD (log management domain).
2. The cloud computing network security service of claim 1, wherein the functions of each part of the health-cloud-oriented network security customized service are as follows:
(1) The SMG mainly comprises security groups such as an AS (anti-spam) group, a FW (firewall) group and an AV (anti-virus) group, and is responsible for storing the attack logs, statistics and the like generated by detection and filtering as events in the ELMD of the SMD;
(2) The SMD consists of the MD (management domain) and the ELMD, where the ELMD stores and manages the events and logs originating from the SMG. The main functions of the MD are: creating/deleting any domain in the SMG; issuing forwarding rules to the vSwitch so that flows accessing a service domain pass through the corresponding FMC (security detection chain) for security detection and filtering; collecting status information (e.g., load, failure) for each group in the SMG and accepting forwarding information (e.g., traffic) from the vSwitch;
(3) Dom0 has reduced rights: it cannot create/start/stop/delete any domain in the SMG, but still retains the rights to handle and manage any virtual machine in the service domains, including scheduling by time slice, I/O allocation, etc.;
(4) The service domains carry the various network-based health cloud user services, such as FTP (file transfer protocol) services, Web services and the like;
(5) The vSwitch is responsible for receiving the forwarding rules issued by the MD and forwarding internal and external flows through the security domains for detection and filtering.
3. The cloud computing network security service of claim 2, wherein the MD mainly comprises a SPEC analyzer and a RouteGen converter; the SPEC analyzer generates an FMC security path and security filtering rules by analyzing the cloud user's SPEC, the state information of the Mboxes (network devices), the Mbox topology and the vSwitch information; the RouteGen converter converts the FMC security path into forwarding rules, so that flows are forwarded to the FMC chain for security detection and filtering; and finally the MD issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mboxes.
4. The cloud computing network security service of claim 1, wherein the virtual Mboxes have a unified log format, and after the ELMD receives the logs, a log classifier of the ELMD classifies and stores them so as to facilitate subsequent access based on user permissions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810620168.0A CN110572353A (en) 2018-06-05 2018-06-05 Cloud computing network security service

Publications (1)

Publication Number Publication Date
CN110572353A true CN110572353A (en) 2019-12-13

Family

ID=68772719
One family application, CN201810620168.0A (Pending); country status: CN (1), CN110572353A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194623A (en) * 2018-08-02 2019-01-11 谢聪敏 Security server based on cloud computing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103678935A (en) * 2013-12-25 2014-03-26 柳州市欧博科技有限公司 Cloud-service-platform-based digital medical diagnosis and treatment integration system for community medical treatment and health
CN103886529A (en) * 2014-02-24 2014-06-25 深圳市爱康信息技术有限公司 Health archive information management service system and method
CN105678098A (en) * 2016-02-23 2016-06-15 济宁中科大象医疗电子科技有限公司 Cloud platform based remote electrocardiogram monitoring and health management system and realization method
CN106331136A (en) * 2016-08-31 2017-01-11 孟玲 Health record information processing system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
何进, "Research on network security based on cloud computing", China Doctoral Dissertations Full-text Database (Electronic Journal), Information Science and Technology series *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2019-12-13