CN110956864A - Network security training scene simulation system and method - Google Patents


Info

Publication number: CN110956864A
Authority: CN (China)
Prior art keywords: scene simulation, instruction, simulation, scene, module
Legal status: Pending
Application number: CN201811131073.9A
Other languages: Chinese (zh)
Inventors: 朱俊虎, 李睿, 周天阳, 邱菡, 曾子懿, 臧艺超, 郭伟, 黄震
Current assignee: Information Engineering University of PLA Strategic Support Force
Original assignee: Information Engineering University of PLA Strategic Support Force

Classifications

    • G PHYSICS
      • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
        • G09B EDUCATIONAL OR DEMONSTRATION APPLIANCES; APPLIANCES FOR TEACHING, OR COMMUNICATING WITH, THE BLIND, DEAF OR MUTE; MODELS; PLANETARIA; GLOBES; MAPS; DIAGRAMS
          • G09B 9/00 Simulators for teaching or training purposes
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
            • G06F 3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
              • G06F 3/011 Arrangements for interaction with the human body, e.g. for user immersion in virtual reality
          • G06F 9/00 Arrangements for program control, e.g. control units
            • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F 9/44 Arrangements for executing specific programs
                • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F 9/45533 Hypervisors; Virtual machine monitors
                    • G06F 9/45558 Hypervisor-specific management and integration aspects
                      • G06F 2009/45562 Creating, deleting, cloning virtual machine instances
                      • G06F 2009/45575 Starting, stopping, suspending or resuming virtual machine instances
          • G06F 2203/00 Indexing scheme relating to G06F3/00 - G06F3/048
            • G06F 2203/01 Indexing scheme relating to G06F3/01
              • G06F 2203/012 Walk-in-place systems for allowing a user to walk in a virtual environment while constraining him to a given position in the physical environment


Abstract

The invention discloses a network security training scene simulation system and method. The system comprises a central control module, a simulation component module and a node monitoring module. The central control module generates scene simulation demand information, converts it into a scene simulation instruction and sends the instruction to the simulation component module; the scene simulation demand information specifies several preset virtualization technologies. The simulation component module receives the scene simulation instruction and calls the virtualization technologies to simulate the scene according to the instruction. The node monitoring module monitors the operating environment of the virtual nodes of the scene simulation while the simulation component module carries out the simulation. By adopting virtualization technologies of different levels within one scene simulation, the fidelity of the scene simulation is improved, the resource overhead is reduced, and the time needed to generate the virtualized resources is shortened.

Description

Network security training scene simulation system and method
Technical Field
The invention relates to the field of network security, in particular to a network security training scene simulation system and method.
Background
With the development of informatization, network security has become a problem that receives more and more attention, and network security practitioners need to carry out network attack and defense operations or network security tests in order to protect information. However, network attack and defense operations and network security testing tools are often destructive: if a network security test is deployed in a production environment, the security and availability of that environment may be threatened, and the scope of impact is often hard to control. Therefore, when practical network security training or network security testing is performed, an experimental environment properly isolated from the outside, namely a network security training environment, is generally built.
With the continuous development of network security technology, automated construction of network test scenes has gradually replaced manual construction. But as test environments, test tools and test methods keep multiplying, security training scenes increasingly show the characteristics of diversity, network scale and scene complexity, and in the prior art the fidelity, resource overhead and generation time that these characteristics demand are difficult to satisfy at the same time.
Disclosure of Invention
In view of this, the embodiment of the invention discloses a network security training scene simulation system and method, which achieve the purpose of reducing resource overhead and shortening generation time while meeting fidelity.
The invention discloses a network security training scene simulation system, which comprises:
the system comprises a central control module, a simulation component module and a node monitoring module;
the central control module is used for generating scene simulation demand information, converting the scene simulation demand information into a scene simulation instruction and sending the scene simulation instruction to the simulation component module; the scene simulation demand information comprises a plurality of preset virtualization technologies;
the simulation component module is used for receiving the scene simulation instruction and calling a plurality of virtualization technologies to simulate the scene according to the scene simulation instruction;
and the node monitoring module is used for monitoring the operating environment of the virtual nodes of the scene simulation when the simulation component module carries out the scene simulation.
Optionally, the multiple virtualization technologies include:
VMware vSphere virtualization technology, KVM (Kernel-based Virtual Machine) virtualization technology, Qemu virtualization technology, and Docker virtualization technology.
Optionally, the scene simulation instruction includes:
a virtual node generation instruction, a virtual node destruction instruction, a virtual network generation instruction, a virtual network destruction instruction, a virtual node power supply control instruction, a virtual node snapshot management instruction, a virtual node remote control instruction, a guest operating system command execution instruction and a guest operating system file management instruction.
Optionally, the central control module includes:
the scene visualization control module is used for generating a network topological graph required by a user and converting the network topological graph into a scene simulation requirement in a preset standard format;
the scene simulation requirement analysis module is used for analyzing the scene simulation requirement in the preset standard format and verifying whether the analyzed scene simulation requirement meets preset regulations;
the scene simulation resource allocation module is used for receiving the analyzed scene simulation requirements and generating a scene simulation resource allocation scheme by adopting a preset network mapping algorithm based on the current resource use condition;
the scene simulation scheduling module is used for receiving the scene simulation resource allocation scheme and converting the scene simulation resource allocation scheme into a scene simulation instruction;
and the scene database module is used for storing relevant data of scene simulation.
Optionally, the simulation component module includes:
the system comprises an instruction receiving module, a node simulation module, a link simulation module and a data acquisition module;
the instruction receiving module is used for receiving a scene simulation instruction and forwarding the scene simulation instruction to the node simulation module, the link control module and/or the data acquisition module;
the node simulation module is used for calling a virtualization technology corresponding to the scene simulation instruction to perform scene simulation of the virtual node according to the corresponding scene simulation instruction;
the link control module is used for receiving a scene simulation instruction related to a network link, and generating or destroying the network link between the virtual nodes by an SDN technology according to the scene simulation instruction related to the network link;
and the data acquisition module is used for receiving the scene simulation instruction related to data acquisition and executing the scene simulation instruction related to data acquisition.
Optionally, the node monitoring module includes:
the node control proxy module and the node control plug-in;
the node control agent module is used for receiving the monitoring instruction and the initialization instruction sent by the scene simulation component, initializing the system, monitoring the operating environment of the current node and determining a node control plug-in;
and the node control plug-in is used for receiving the command sent by the node control agent module and executing the command.
The embodiment of the invention discloses a network security training scene simulation method, which comprises the following steps:
generating a scene simulation demand, and converting the scene simulation demand into a scene simulation instruction; the scene simulation demand information comprises a plurality of preset virtualization technologies;
calling multiple preset virtualization technologies according to the scene simulation instruction;
executing the scene simulation instruction according to the plurality of virtualization technologies to simulate the scene of the virtualization node;
and monitoring the operating environment of the virtualization node when the scene simulation is carried out on the virtualization node.
Optionally, the multiple virtualization technologies include:
VMware vSphere virtualization technology, KVM (Kernel-based Virtual Machine) virtualization technology, Qemu virtualization technology, and Docker virtualization technology.
Optionally, the generating a scene simulation requirement and converting the scene simulation requirement into a scene simulation instruction includes:
generating a scene simulation requirement designed by a user, and converting the scene simulation requirement designed by the user into a scene simulation requirement in a preset standard format;
analyzing the scene simulation requirement;
verifying whether the analyzed scene simulation requirement conforms to a preset regulation or not;
generating a scene simulation resource allocation scheme by adopting a preset network mapping algorithm according to the analyzed scene simulation requirement and the current resource use condition;
and converting the scene simulation resource allocation scheme into a scene simulation instruction.
Optionally, the executing the scene simulation instruction according to the multiple virtualization technologies to perform scene simulation of the virtualization node includes:
calling a virtualization technology corresponding to the scene simulation instruction to perform scene simulation of the virtual nodes according to the corresponding scene simulation instruction;
and generating or destroying the network links among the virtual nodes by using SDN technology according to the scene simulation instruction related to the network links.
The embodiment of the invention discloses a network security training scene simulation system and method. The system comprises a central control module, a simulation component module and a node monitoring module. The central control module generates scene simulation demand information, converts it into a scene simulation instruction and sends the instruction to the simulation component module; the scene simulation demand information specifies several preset virtualization technologies. The simulation component module receives the scene simulation instruction and calls the virtualization technologies to simulate the scene according to the instruction. The node monitoring module monitors the operating environment of the virtual nodes of the scene simulation while the simulation component module carries out the simulation. By adopting virtualization technologies of different levels within one scene simulation, the fidelity of the scene simulation is improved, the resource overhead is reduced, and the time needed to generate the virtualized resources is shortened.
Furthermore, the fidelity of scene simulation is improved by adopting VMware vSphere virtualization technology and KVM virtualization technology, while adopting Qemu virtualization technology and Docker virtualization technology reduces resource overhead and shortens the generation time of virtualized resources.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic structural diagram illustrating a network security training scene simulation system according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a central control module;
Fig. 3 is a schematic structural diagram of a simulation component module provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a node monitoring module according to an embodiment of the present invention;
Fig. 5 is a schematic flow chart illustrating a network security training scene simulation method according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart illustrating a network security training scene simulation method according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a schematic structural diagram of a network security training scene simulation system according to an embodiment of the present invention is shown, in this embodiment, the system includes:
the system comprises a central control module 100, a simulation component module 200 and a node monitoring module 300;
the central control module 100 is configured to generate scene simulation demand information, convert the scene simulation demand information into a scene simulation instruction, and send the scene simulation instruction to the simulation component module;
the scene simulation requirement information specifies the virtualization technologies required for virtual node simulation. Different virtual nodes can correspond to different virtualization technologies, and the user presets the virtualization technology required by each node to be simulated.
The virtualization technologies available for generating the virtual nodes include VMware vSphere virtualization technology, KVM (Kernel-based Virtual Machine) virtualization technology, Qemu virtualization technology, Docker virtualization technology and the like.
The simulation component module 200 is configured to receive the scene simulation instruction, and invoke a plurality of virtualization technologies to perform scene simulation according to the scene simulation instruction;
the node monitoring module 300 is configured to monitor a state of a virtual node of the scene simulation when the simulation component module performs the scene simulation.
In addition, when a destruction instruction is executed in the network security training scene, the usage state of the underlying link resources is maintained, so that the record of which link resources are in use stays consistent.
The fidelity of the scene simulation is improved by adopting VMware vSphere virtualization technology and KVM virtualization technology; by adopting Qemu virtualization technology and Docker virtualization technology, the resource overhead is reduced and the generation time of virtualized resources is shortened. Therefore, in this embodiment, by adopting virtualization technologies of different levels within one scene simulation, the fidelity of the scene simulation is improved, the resource overhead is reduced, and the generation time of virtualized resources is shortened.
Referring to fig. 2, there is shown a schematic structural diagram of a central control module, which in this embodiment includes:
the system comprises a scene visualization design module 101, a scene simulation requirement analysis module 102, a scene simulation resource allocation module 103, a scene simulation resource scheduling module 104 and a scene database module 105.
The scene visualization design module 101 is configured to generate a network topology map required by a user, and convert the network topology map into a scene simulation requirement in a preset standard format.
In this embodiment, the scene visualization design module 101 may provide a network topology drawing function for the user; for example, the user may draw the required network topology in a drawing interface by dragging. The topology drawn by the user specifies the network topology, the node configuration and the network configuration. In order to realize automatic simulation of the scene, the network topology drawn by the user is converted into a scene simulation requirement in a preset standard format.
The scene requirement in the preset standard format may be in any format that can be used for automated execution; for example, the preset standard format may be a standard XML format.
For example, the DTD of the converted scene topology XML is:
<!ELEMENT topo (node*,link*)>
<!ATTLIST topo version CDATA #REQUIRED>
<!ELEMENT node (port*,config*)>
<!ATTLIST node id ID #REQUIRED>
<!ATTLIST node template CDATA #REQUIRED>
<!ATTLIST node emulation (qemu|kvm|docker|switch) "kvm">
<!ELEMENT port (config*)>
<!ATTLIST port index CDATA #REQUIRED>
<!ELEMENT link (config*)>
<!ATTLIST link id ID #REQUIRED>
<!ATTLIST link node1 IDREF #REQUIRED>
<!ATTLIST link node2 IDREF #REQUIRED>
<!ATTLIST link port1 CDATA #REQUIRED>
<!ATTLIST link port2 CDATA #REQUIRED>
<!ELEMENT config ANY>
<!ATTLIST config name CDATA #REQUIRED>
<!ATTLIST config unit CDATA #IMPLIED>
The topo element represents the whole topology and contains several node and link sub-elements; among the attributes of topo, the version attribute gives the current format version, so that the description format can be modified as requirements evolve. The node element represents a node in the network topology and contains several port and config sub-elements, which represent network cards and node configuration information respectively. Among the node attributes, id is the unique identifier of the node within the document; the template attribute is the node template adopted by the current node; emulation indicates the simulation method adopted by the node and must be one of the preset virtualization technologies, such as Qemu, KVM, Docker or VMware vSphere.
The link element represents a network link in the network topology and contains several config sub-elements. Among the link attributes, node1 and port1 represent the node and network card at the source end respectively; node2 and port2 represent the node and network card at the other end.
The config element represents configuration information of a node, a port or a link; it generally has a name attribute, a unit attribute and text content. The permitted values of name depend on the parent element. When a node is the parent, name may take values such as cpuCount (number of CPUs), ram (memory capacity; the unit attribute may be MB or GB), routeTable (routing table) and dnsTable (DNS table); when a port is the parent, name may be IP (IP address) or netmask (subnet mask); when a link is the parent, name may take values such as bandwidth (transmission bandwidth; the unit value may be Kbps, Mbps or Gbps), lossRate (packet loss rate, 0-100) and delay (average delay).
The scene simulation requirement analysis module 102 is configured to analyze the scene simulation requirement in the preset standard format, and verify whether the analyzed scene simulation requirement meets a preset specification.
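The checks that such an analysis step performs on a topology document, as an added example in Python (not the patent's own code): it parses the scene topology XML against the rules given above for the DTD (unique node ids, link endpoints that reference declared nodes and ports, an emulation value from the DTD's enumeration, and config names and units allowed for each parent element). The sample topology is constructed here, and the config names cpuCount, dnsTable and lossRate are normalised spellings assumed from the text.

```python
import xml.etree.ElementTree as ET

EMULATIONS = {"qemu", "kvm", "docker", "switch"}  # enumeration from the DTD above
# Allowed config names per parent element, with the unit values the text lists
# (None = no unit expected). The camelCase spellings are an assumption.
ALLOWED_CONFIG = {
    "node": {"cpuCount": None, "ram": {"MB", "GB"}, "routeTable": None, "dnsTable": None},
    "port": {"IP": None, "netmask": None},
    "link": {"bandwidth": {"Kbps", "Mbps", "Gbps"}, "lossRate": None, "delay": None},
}

# Constructed sample document: a two-node scene joined by one link.
SAMPLE_TOPO = """<topo version="1">
  <node id="web" template="ubuntu-web" emulation="docker">
    <port index="0"><config name="IP">10.0.0.2</config><config name="netmask">255.255.255.0</config></port>
    <config name="ram" unit="MB">512</config>
  </node>
  <node id="dc" template="win-dc" emulation="kvm">
    <port index="0"><config name="IP">10.0.0.1</config></port>
    <config name="cpuCount">2</config><config name="ram" unit="GB">4</config>
  </node>
  <link id="l1" node1="web" port1="0" node2="dc" port2="0">
    <config name="bandwidth" unit="Mbps">100</config><config name="lossRate">1</config>
  </link>
</topo>"""


def _check_configs(parent, errors):
    """Check every config child of `parent` against ALLOWED_CONFIG."""
    allowed = ALLOWED_CONFIG[parent.tag]
    label = parent.get("id", parent.get("index"))
    for cfg in parent.findall("config"):
        name = cfg.get("name")
        if name not in allowed:
            errors.append(f"{parent.tag} {label}: unknown config {name!r}")
            continue
        units, unit = allowed[name], cfg.get("unit")
        if units is not None and unit not in units:
            errors.append(f"{parent.tag} {label}: config {name} needs unit in {sorted(units)}, got {unit!r}")
        if name == "lossRate":
            try:
                rate = float(cfg.text or "")
            except ValueError:
                rate = -1.0
            if not 0 <= rate <= 100:
                errors.append(f"link {label}: lossRate must be 0-100, got {cfg.text!r}")


def validate_topology(xml_text):
    """Return a list of violations; an empty list means the document passes."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "topo" or root.get("version") is None:
        errors.append("root must be <topo> with a version attribute")
    ports = {}  # node id -> set of declared port indexes
    for node in root.findall("node"):
        nid = node.get("id")
        if nid is None or nid in ports:
            errors.append(f"node id {nid!r} missing or duplicated")
            continue
        if node.get("template") is None:
            errors.append(f"node {nid}: template is required")
        if node.get("emulation", "kvm") not in EMULATIONS:  # "kvm" is the DTD default
            errors.append(f"node {nid}: emulation {node.get('emulation')!r} not in {sorted(EMULATIONS)}")
        ports[nid] = set()
        for port in node.findall("port"):
            idx = port.get("index")
            if idx is None or idx in ports[nid]:
                errors.append(f"node {nid}: port index {idx!r} missing or duplicated")
            else:
                ports[nid].add(idx)
            _check_configs(port, errors)
        _check_configs(node, errors)
    link_ids = set()
    for link in root.findall("link"):
        lid = link.get("id")
        if lid is None or lid in link_ids:
            errors.append(f"link id {lid!r} missing or duplicated")
        link_ids.add(lid)
        for end in ("1", "2"):  # both endpoints must name a declared node and port
            n, p = link.get("node" + end), link.get("port" + end)
            if n not in ports:
                errors.append(f"link {lid}: node{end} {n!r} does not exist")
            elif p not in ports[n]:
                errors.append(f"link {lid}: port{end} {p!r} not declared on node {n}")
        _check_configs(link, errors)
    return errors
```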
The scene simulation resource allocation module 103 is configured to receive the analyzed scene simulation requirement, and generate a scene simulation resource allocation scheme based on the current resource usage by using a preset network mapping algorithm;
In this embodiment, the allocation of scene simulation resources may be performed by an improved simulated annealing algorithm. Specifically, the score of a mapping scheme is defined as a weighted sum of the physical resource vectors it occupies; the end condition is defined as a sufficiently low temperature or a sufficiently good score; two solutions that differ in the mapping of one node are defined to be adjacent in the solution space, and an adjacent mapping solution is obtained by replacing one node mapping of the existing solution.
In order to avoid the limited search space caused by resource fragmentation, a penalty count is introduced, namely the number of constraint conditions that a mapping scheme fails to satisfy. In order to solve the problem of a low solution rate under high load, an infeasible solution is allowed to serve as a new starting point during the search. In addition, to accelerate convergence, solutions whose penalty count exceeds 1 also take part in the probabilistic acceptance of a worse solution.
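A worked version of that improved simulated annealing, as an added Python example (not the patent's own code): hosts and virtual nodes carry constructed (cpu, ram) vectors, the penalty count is the number of host capacities a mapping exceeds, a random and possibly infeasible mapping is the starting point, neighbours differ in one node mapping, and the search ends on low temperature or a good-enough cost. The per-host activation cost that drives consolidation is an assumption, not something the text specifies.

```python
import math
import random

# Constructed sample input (assumption): resource vectors are (cpu, ram_gb).
HOSTS = {"h1": (8, 32), "h2": (8, 32), "h3": (4, 16)}
VNODES = {"web": (2, 4), "db": (4, 16), "dc": (2, 8), "att": (2, 4), "ids": (4, 8)}
WEIGHTS = (1.0, 0.25)   # cost weight per resource dimension
PENALTY_WEIGHT = 100.0  # cost added per violated capacity constraint


def occupancy(mapping):
    """Sum the demand vectors placed on each host."""
    used = {h: [0, 0] for h in HOSTS}
    for v, h in mapping.items():
        for i, d in enumerate(VNODES[v]):
            used[h][i] += d
    return used


def penalty(mapping):
    """Penalty count: number of host capacity constraints the mapping violates."""
    return sum(1 for h, u in occupancy(mapping).items()
               for i in range(2) if u[i] > HOSTS[h][i])


def cost(mapping):
    """Weighted sum of occupied physical resources (lower is better). Each host in
    use also costs its full weighted capacity, so fewer hosts is preferred (assumption)."""
    total = 0.0
    for h, u in occupancy(mapping).items():
        if any(u):
            total += sum(w * c for w, c in zip(WEIGHTS, HOSTS[h]))
        total += sum(w * x for w, x in zip(WEIGHTS, u))
    return total


def penalised_cost(mapping):
    return cost(mapping) + PENALTY_WEIGHT * penalty(mapping)


def neighbour(mapping, rng):
    """Adjacent solution: re-map exactly one virtual node to another host."""
    new = dict(mapping)
    v = rng.choice(sorted(new))
    new[v] = rng.choice([h for h in sorted(HOSTS) if h != new[v]])
    return new


def anneal(rng, t0=50.0, t_min=0.05, alpha=0.95, steps=20, target=None):
    """Return the best feasible mapping found, or None if none was reached."""
    # Random, possibly infeasible, starting point: infeasible solutions are
    # allowed as search start points so high-load cases are still explored.
    cur = {v: rng.choice(sorted(HOSTS)) for v in VNODES}
    best = cur if penalty(cur) == 0 else None
    t = t0
    while t > t_min:
        for _ in range(steps):
            cand = neighbour(cur, rng)
            delta = penalised_cost(cand) - penalised_cost(cur)
            # Improving moves are always taken; worse ones with probability
            # exp(-delta/t). Candidates with penalty above 1 are not excluded
            # from this acceptance step, which speeds up convergence.
            if delta <= 0 or rng.random() < math.exp(-delta / t):
                cur = cand
            if penalty(cur) == 0 and (best is None or cost(cur) < cost(best)):
                best = cur
        # End condition: a good-enough score, otherwise cool down until t_min.
        if target is not None and best is not None and cost(best) <= target:
            break
        t *= alpha
    return best


if __name__ == "__main__":
    print(anneal(random.Random(7)))
```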
And the scene simulation scheduling module 104 is configured to receive the scene simulation resource allocation scheme and convert the scene simulation resource allocation scheme into a scene simulation instruction.
In this embodiment, the scene simulation instruction may be represented as command information for implementing a simulation resource allocation scheme, and in this embodiment, the scene simulation instruction may be in the form of a directed acyclic graph.
In this embodiment, multiple scene simulation instructions may be included, which specifically may include:
a virtual node generation instruction, indicating generation of a virtual node with a specified configuration;
a virtual node destruction instruction, indicating destruction of a specified virtual node;
a virtual network generation instruction, indicating generation of a virtual network with a specified configuration;
a virtual network destruction instruction, indicating destruction of a specified virtual network;
a virtual node snapshot management instruction, indicating creation, restoration and deletion of snapshots of a specified virtual node;
a virtual node remote control instruction, indicating remote access control of a specified virtual node, including graphical interface access control and command line access control;
a guest operating system command execution instruction, indicating execution of a command in the guest operating system of a specified virtual node;
and a guest operating system file management instruction, indicating management of files in the guest operating system of a specified virtual node.
The virtual node generation (vnode.create) simulation instruction is the most complex; it is mainly used to notify the simulation component module 200 to generate a virtual node with a specified configuration. This instruction must carry the configuration information of the virtual node, including the scene ID, the node ID, the emulation technique used (Docker, KVM, vSphere, etc.), the node template, the basic hardware configuration, the network card configuration, additional guest operating system configuration, and the like.
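How a scheduling module can turn a parsed topology into scene simulation instructions arranged as a directed acyclic graph, as an added Python example (not the patent's own code): vnode.create is the instruction name given above, while vnet.create, vlink.create and the .destroy counterparts are assumed names; the scene nodes and links are constructed. The generation DAG is reversed to obtain the destruction order, and a Kahn-style scheduler groups instructions into waves that can be executed in parallel, rejecting graphs with cycles.

```python
from collections import defaultdict

# Constructed scene (assumption): virtual node id -> emulation technique, and
# links as (link id, node1, node2), as a parsed topology would yield.
SCENE_NODES = {"web": "docker", "dc": "kvm", "att": "qemu"}
SCENE_LINKS = [("l1", "web", "dc"), ("l2", "att", "web")]


def build_generation_dag(nodes, links):
    """Map each instruction (op, target) to the set of instructions it depends on."""
    dag = {("vnode.create", n): set() for n in nodes}
    for lid, n1, n2 in links:
        dag[("vnet.create", lid)] = set()
        # A link can only be wired once its virtual network and both endpoints exist.
        dag[("vlink.create", lid)] = {("vnet.create", lid),
                                      ("vnode.create", n1), ("vnode.create", n2)}
    return dag


def _flip(instruction):
    return (instruction[0].replace(".create", ".destroy"), instruction[1])


def destruction_dag(gen_dag):
    """Reverse the generation DAG: X.destroy waits for everything that depended
    on X.create, so links are torn down before their networks and nodes."""
    rev = {_flip(k): set() for k in gen_dag}
    for k, deps in gen_dag.items():
        for d in deps:
            rev[_flip(d)].add(_flip(k))
    return rev


def schedule(dag):
    """Kahn's algorithm grouped into waves: every instruction in a wave depends
    only on earlier waves, so a whole wave can be dispatched at once."""
    indeg = {k: len(deps) for k, deps in dag.items()}
    dependents = defaultdict(list)
    for k, deps in dag.items():
        for d in deps:
            if d not in dag:
                raise ValueError(f"{k} depends on unknown instruction {d}")
            dependents[d].append(k)
    wave = sorted(k for k, n in indeg.items() if n == 0)
    waves, done = [], 0
    while wave:
        waves.append(wave)
        done += len(wave)
        nxt = []
        for ins in wave:
            for dep in dependents[ins]:
                indeg[dep] -= 1
                if indeg[dep] == 0:
                    nxt.append(dep)
        wave = sorted(nxt)
    if done != len(dag):  # some instruction never reached in-degree 0
        raise ValueError("instruction graph contains a cycle")
    return waves


if __name__ == "__main__":
    gen = build_generation_dag(SCENE_NODES, SCENE_LINKS)
    for i, wave in enumerate(schedule(gen)):
        print("generate wave", i, wave)
    for i, wave in enumerate(schedule(destruction_dag(gen))):
        print("destroy wave", i, wave)
```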
And the scene database module 105 is used for storing relevant data of scene simulation.
For example, the data related to scene simulation may include stored node modules, scene instances, physical resources and other scene simulation data.
Referring to fig. 3, a schematic structural diagram of a simulation component module provided in an embodiment of the present invention is shown, where the module includes:
the system comprises an instruction receiving module 201, a node simulation module 202, a link simulation module 203 and a data acquisition module 204;
the instruction receiving module 201 is configured to receive a scene simulation instruction, and forward the scene simulation instruction to the node simulation module 202, the link control module 203, and/or the data acquisition module 204.
In this embodiment, the simulation instruction related to the node is sent to the node simulation module 202, and the instruction related to the network link is sent to the link control module 203.
The node simulation module 202 is configured to invoke a virtualization technology corresponding to a scene simulation instruction to perform scene simulation of a virtual node according to the corresponding scene simulation instruction;
In this embodiment, as described above, the instructions related to virtual nodes are of several types, including generation and destruction of virtual nodes; of these, generation of a virtual node is the more involved process.
In this embodiment, the Docker virtualization technology and the KVM virtualization technology are described as examples:
The generation process of a virtual node under the Docker virtualization technology may include:
1) creating the container: specifically, container create may be called with the base image, resource limits, network configuration and other information;
2) running the container: container start is called to run the container, and the process waits for start-up to complete;
3) executing internal configuration: the container interface is called to transmit the configuration program and the configuration file into the container, container exec is called to run the configuration program, the process waits for it to finish, and container get is called to obtain the execution result.
The generation process of a virtual node under the KVM virtualization technology comprises the following steps:
1) creating the virtual machine: VM.clone is called to instantiate a virtual machine from a template;
2) configuring the virtual machine: VM.config is called to configure basic hardware such as the CPU and memory, and VM.net_config is called to configure the network card and connect it to the specified virtual network;
3) running the virtual machine: VM.power_on is called to run the virtual machine, VM.query_guest_state is called to query its running state, and the process waits for the guest operating system to start (KVM detects this through the state of a specific serial-port service; vSphere detects it by attempting to call VMware Tools through an interface);
4) executing internal configuration: interfaces such as VM.put_file, VM.create_dir and VM.exists are called to write the configuration program and the configuration file, VM.exec is called to execute the configuration program, and interfaces such as VM.get_file and VM.exists are called to judge whether execution has finished and to obtain the result.
Other interfaces are handled in a similar manner, case by case.
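The two generation sequences above, written out as an added Python illustration that is not part of the patent or of any system it describes. The driver classes are in-memory stand-ins for the container and VM.* interfaces named in the text; the file-transfer call container_put, the BOOT_POLLS boot model, the /tmp and /opt/cfg paths and the result-file convention are this example's own assumptions. The KVM sequence shows the boot wait as a bounded poll, which is the step at which such a generation procedure most often stalls in practice.

```python
import itertools
from dataclasses import dataclass
from typing import Dict


@dataclass
class NodeSpec:
    name: str
    base: str            # Docker base image or KVM template name
    cpu: int
    memory_mb: int
    network: str         # virtual network the node's NIC is attached to
    config_program: str  # configuration program pushed into the node
    config_file: str     # its configuration file


class BootTimeout(RuntimeError):
    """The guest operating system did not report ready within the polling budget."""


class FakeDockerDriver:
    """In-memory stand-in for the container interface (create/start/exec/get are named
    in the text; container_put is an assumed name for the file-transfer call)."""
    def __init__(self):
        self._ids, self.containers = itertools.count(1), {}
    def container_create(self, spec: NodeSpec) -> str:
        cid = f"ctr-{next(self._ids)}"
        self.containers[cid] = {"image": spec.base, "cpu": spec.cpu, "mem": spec.memory_mb,
                                "net": spec.network, "state": "created", "fs": {}}
        return cid
    def container_start(self, cid: str) -> None:
        self.containers[cid]["state"] = "running"
    def container_put(self, cid: str, path: str, data: str) -> None:
        self.containers[cid]["fs"][path] = data
    def container_exec(self, cid: str, program: str) -> None:
        fs = self.containers[cid]["fs"]   # the stand-in "runs" the program by writing its result
        fs["/tmp/result"] = f"{program} applied {fs['/tmp/node.conf']}"
    def container_get(self, cid: str, path: str) -> str:
        return self.containers[cid]["fs"][path]


class FakeKvmDriver:
    """In-memory stand-in for the VM.* interface; the guest boot is modelled as needing
    BOOT_POLLS state queries before it reports 'running'."""
    BOOT_POLLS = 3
    def __init__(self):
        self._ids, self.vms = itertools.count(1), {}
    def clone(self, template: str) -> str:
        vid = f"vm-{next(self._ids)}"
        self.vms[vid] = {"template": template, "power": "off", "polls": 0, "fs": {}, "dirs": set()}
        return vid
    def config(self, vid: str, cpu: int, memory_mb: int) -> None:
        self.vms[vid].update(cpu=cpu, memory_mb=memory_mb)
    def net_config(self, vid: str, network: str) -> None:
        self.vms[vid]["network"] = network
    def power_on(self, vid: str) -> None:
        self.vms[vid]["power"] = "on"
    def query_guest_state(self, vid: str) -> str:
        vm = self.vms[vid]
        if vm["power"] != "on":
            return "off"
        vm["polls"] += 1   # a real driver checks the serial-port service or VMware Tools here
        return "running" if vm["polls"] >= self.BOOT_POLLS else "booting"
    def create_dir(self, vid: str, path: str) -> None:
        self.vms[vid]["dirs"].add(path)
    def put_file(self, vid: str, path: str, data: str) -> None:
        self.vms[vid]["fs"][path] = data
    def exists(self, vid: str, path: str) -> bool:
        return path in self.vms[vid]["fs"] or path in self.vms[vid]["dirs"]
    def exec(self, vid: str, program: str) -> None:
        fs = self.vms[vid]["fs"]
        fs["/opt/cfg/result"] = f"{program} applied {fs['/opt/cfg/node.conf']}"
    def get_file(self, vid: str, path: str) -> str:
        return self.vms[vid]["fs"][path]


def generate_docker_node(drv: FakeDockerDriver, spec: NodeSpec) -> dict:
    cid = drv.container_create(spec)                  # 1) base image, resource limits, network
    drv.container_start(cid)                          # 2) run; start-up is synchronous in the stand-in
    drv.container_put(cid, "/tmp/configure.sh", spec.config_program)   # 3) internal configuration
    drv.container_put(cid, "/tmp/node.conf", spec.config_file)
    drv.container_exec(cid, "/tmp/configure.sh")
    return {"node_id": cid, "result": drv.container_get(cid, "/tmp/result")}


def generate_kvm_node(drv: FakeKvmDriver, spec: NodeSpec, max_polls: int = 10) -> dict:
    vid = drv.clone(spec.base)                        # 1) clone an instance from the template
    drv.config(vid, spec.cpu, spec.memory_mb)         # 2) basic hardware, then the network card
    drv.net_config(vid, spec.network)
    drv.power_on(vid)                                 # 3) run and wait for the guest OS
    for _ in range(max_polls):
        if drv.query_guest_state(vid) == "running":
            break
    else:
        raise BootTimeout(f"{vid}: guest OS not ready after {max_polls} polls")
    drv.create_dir(vid, "/opt/cfg")                   # 4) internal configuration
    drv.put_file(vid, "/opt/cfg/configure.sh", spec.config_program)
    drv.put_file(vid, "/opt/cfg/node.conf", spec.config_file)
    drv.exec(vid, "/opt/cfg/configure.sh")
    if not drv.exists(vid, "/opt/cfg/result"):
        raise RuntimeError(f"{vid}: configuration program left no result")
    return {"node_id": vid, "result": drv.get_file(vid, "/opt/cfg/result")}
```

Calling generate_kvm_node with a polling budget smaller than the boot time raises BootTimeout instead of pushing configuration into a guest that is not up yet; a real node simulation module would report that failure back through the instruction receiving module rather than leave a half-configured node in the scene.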
The link control module 203 is configured to receive scene simulation instructions related to network links, and to generate or destroy the network links between virtual nodes through SDN technology according to those instructions.
The virtualization technologies mentioned in this embodiment can generate virtual nodes, but those nodes are isolated; SDN technology is also required to generate the network links between them.
In this embodiment, the link generation methods may include VLAN (Virtual Local Area Network), GRE (Generic Routing Encapsulation) and VxLAN (Virtual eXtensible Local Area Network). Within a single cluster, a VLAN-based virtual network generation scheme is adopted, and virtual networks spanning physical servers are realized with the support of the local layer-2 physical switching network. For joint generation of a training scene across clusters, GRE or VxLAN is selected according to the deployment conditions, so that the training network can cross the network boundary of a simulation cluster. If all virtual nodes of a virtual network belong to the same site or reside on the same physical node, the virtual network is generated with VLAN technology for better performance; if the virtual network contains virtual machines from different sites, it is generated with GRE/VxLAN technology. Furthermore, once the number of VLAN-based virtual networks exceeds 4090, all newly generated networks are based on the GRE/VxLAN generation scheme.
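The selection rule above, as an added Python illustration rather than the patent's own code. The Placement record, the site_overlay table standing in for the "deployment condition", the VNI counter and the tie-break "VxLAN only if every site supports it, otherwise GRE" are constructed assumptions of this example; the 4090 threshold is the one the text states.

```python
from dataclasses import dataclass
from typing import Dict, List

VLAN_NETWORK_LIMIT = 4090   # from the text: beyond this many VLAN networks, new ones use GRE/VxLAN


@dataclass(frozen=True)
class Placement:
    node: str
    site: str    # simulation cluster the node runs in
    host: str    # physical server within that cluster


class LinkTechnologySelector:
    """Chooses VLAN, GRE or VxLAN for a new virtual network and tracks identifier use.
    site_overlay is the constructed 'deployment condition': the overlay each site supports."""

    def __init__(self, site_overlay: Dict[str, str]):
        self.site_overlay = site_overlay
        self.vlan_networks = 0
        self.free_vlans: List[int] = list(range(2, 4095))  # usable 802.1Q IDs; 1 left as the default VLAN
        self.next_vni = 5000                                # GRE key / VxLAN VNI counter (assumed start)
        self.networks: Dict[str, dict] = {}

    def create_network(self, name: str, placements: List[Placement]) -> dict:
        if not placements:
            raise ValueError("a virtual network needs at least one node")
        if name in self.networks:
            raise ValueError(f"virtual network {name} already exists")
        sites = sorted({p.site for p in placements})
        hosts = sorted({p.host for p in placements})
        if len(sites) == 1 and self.vlan_networks < VLAN_NETWORK_LIMIT and self.free_vlans:
            # single cluster: VLAN, carried across physical servers by the local layer-2 switching network
            net = {"name": name, "tech": "vlan", "id": self.free_vlans.pop(0),
                   "sites": sites, "spans_hosts": len(hosts) > 1}
            self.vlan_networks += 1
        else:
            # cross-cluster, or VLAN space exhausted: overlay picked from the deployment condition.
            # 'VxLAN only if every site supports it, otherwise GRE' is this example's own rule.
            tech = "vxlan" if all(self.site_overlay.get(s) == "vxlan" for s in sites) else "gre"
            net = {"name": name, "tech": tech, "id": self.next_vni,
                   "sites": sites, "spans_hosts": len(hosts) > 1}
            self.next_vni += 1
        self.networks[name] = net
        return net
```

The spans_hosts flag records whether the VLAN must be trunked across the layer-2 switching network between physical servers, which is the case the text singles out for the single-cluster scheme.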
The data acquisition module 204 is configured to receive scene simulation instructions related to data acquisition and to execute them;
the data acquisition module manages the internal files of the nodes, configures the internal operating systems of the nodes, and monitors the internal behaviour of the nodes.
Referring to fig. 4, a schematic structural diagram of a node monitoring module according to an embodiment of the present invention is shown, where in this embodiment, the node monitoring module includes:
a node control agent module 301 and a node control plug-in 302;
the node control agent module 301 is configured to receive a monitoring instruction sent by the scene simulation component, monitor an operating environment of a current virtual node, and determine a node control plug-in;
the node control plug-in 302 is configured to receive the command sent by the node control agent module and execute the command.
In this embodiment, the node monitoring module monitors the operating environment of the node, and ensures normal execution of the scene simulation.
Referring to fig. 5, a flowchart of a network security training scenario simulation method provided in an embodiment of the present invention is shown, where in this embodiment, the method is applied to a network security training scenario simulation system, and the method includes:
s501: the central control module generates a scene simulation demand, converts the scene simulation demand into a scene simulation instruction, and sends the scene simulation instruction to the simulation component module; the scene simulation demand information comprises a plurality of preset virtualization technologies;
s502: the simulation component module calls a plurality of preset virtualization technologies according to the scene simulation instruction, executes the scene simulation instruction according to the plurality of virtualization technologies, and performs scene simulation of the virtualization nodes;
s503: and the node monitoring module monitors the operating environment of the virtualization node when carrying out scene simulation on the virtualization node.
The multiple virtualization technologies include:
VMware vSphere virtualization technology, KVM (kernel-based virtual machine) virtualization technology, QEMU virtualization technology and Docker virtualization technology.
The scene simulation instructions include:
a virtual node generation instruction, a virtual node destruction instruction, a virtual network generation instruction, a virtual network destruction instruction, a virtual node power supply control instruction, a virtual node snapshot management instruction, a virtual node remote control instruction, a guest operating system command execution instruction and a guest operating system file management instruction.
Specifically, S501 includes:
generating a scene simulation requirement designed by a user, and converting the scene simulation requirement designed by the user into a scene simulation requirement in a preset standard format;
analyzing the scene simulation requirement;
verifying whether the analyzed scene simulation duration conforms to a preset regulation or not;
generating a scene simulation resource allocation scheme by adopting a preset network mapping algorithm according to the analyzed scene simulation requirement and the current resource use condition;
and converting the scene simulation resource allocation scheme into a scene simulation instruction.
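The five S501 steps as one added Python pipeline, which is not the patent's own code: parse a requirement in a constructed standard format, verify its duration against a preset limit, allocate resources with a first-fit mapping that stands in for the unspecified network mapping algorithm, and convert the allocation scheme into scene simulation instructions. MAX_DURATION_HOURS, the document layout, the host capacity table and the instruction field names are this example's assumptions; the instruction names follow the list given in the text.

```python
from dataclasses import dataclass
from typing import Dict, List

MAX_DURATION_HOURS = 72                         # the 'preset regulation' on duration; value assumed
TECHS = {"vsphere", "kvm", "qemu", "docker"}    # the four virtualization technologies named in the text


@dataclass
class Requirement:
    scene: str
    duration_hours: int
    nodes: List[dict]       # {"name", "tech", "cpu", "memory_mb"}
    networks: List[dict]    # {"name", "members": [node names]}


def parse_requirement(doc: dict) -> Requirement:
    """Checks a standard-format requirement (constructed layout) and returns typed fields."""
    for key in ("scene", "duration_hours", "nodes", "networks"):
        if key not in doc:
            raise ValueError(f"requirement lacks '{key}'")
    names = set()
    for n in doc["nodes"]:
        if n["tech"] not in TECHS:
            raise ValueError(f"node {n['name']}: unknown virtualization technology {n['tech']}")
        if n["name"] in names:
            raise ValueError(f"duplicate node name {n['name']}")
        names.add(n["name"])
    for net in doc["networks"]:
        missing = set(net["members"]) - names
        if missing:
            raise ValueError(f"network {net['name']} references unknown nodes {sorted(missing)}")
    return Requirement(doc["scene"], int(doc["duration_hours"]), list(doc["nodes"]), list(doc["networks"]))


def verify_duration(req: Requirement) -> None:
    if not 0 < req.duration_hours <= MAX_DURATION_HOURS:
        raise ValueError(f"duration {req.duration_hours}h outside 1..{MAX_DURATION_HOURS}h")


def allocate(req: Requirement, hosts: Dict[str, dict]) -> Dict[str, str]:
    """Greedy first-fit node-to-host mapping, a simple stand-in for the patent's unspecified
    network mapping algorithm.  hosts = {"host": {"cpu": free, "memory_mb": free}} is the
    current resource use; it is copied, not mutated.  Largest nodes go first so that
    small ones do not fragment the remaining capacity."""
    free = {h: dict(c) for h, c in hosts.items()}
    mapping: Dict[str, str] = {}
    for n in sorted(req.nodes, key=lambda n: (n["cpu"], n["memory_mb"]), reverse=True):
        for host, cap in free.items():
            if cap["cpu"] >= n["cpu"] and cap["memory_mb"] >= n["memory_mb"]:
                cap["cpu"] -= n["cpu"]
                cap["memory_mb"] -= n["memory_mb"]
                mapping[n["name"]] = host
                break
        else:
            raise RuntimeError(f"no host can place node {n['name']}")
    return mapping


def to_instructions(req: Requirement, mapping: Dict[str, str]) -> List[dict]:
    """Converts the allocation scheme into scene simulation instructions: node generation
    first, then generation of the virtual networks that join the nodes."""
    instr = [{"op": "virtual_node_generation", "node": n["name"], "tech": n["tech"],
              "host": mapping[n["name"]], "cpu": n["cpu"], "memory_mb": n["memory_mb"]}
             for n in req.nodes]
    instr += [{"op": "virtual_network_generation", "network": net["name"],
               "hosts": sorted({mapping[m] for m in net["members"]}), "members": net["members"]}
              for net in req.networks]
    return instr


def schedule(doc: dict, hosts: Dict[str, dict]) -> List[dict]:
    req = parse_requirement(doc)
    verify_duration(req)
    return to_instructions(req, allocate(req, hosts))


# Constructed sample requirement and host table for a three-node, two-network scene.
SAMPLE_DOC = {
    "scene": "web-lab", "duration_hours": 8,
    "nodes": [{"name": "gw", "tech": "kvm", "cpu": 2, "memory_mb": 2048},
              {"name": "web", "tech": "docker", "cpu": 1, "memory_mb": 512},
              {"name": "db", "tech": "kvm", "cpu": 4, "memory_mb": 4096}],
    "networks": [{"name": "dmz", "members": ["gw", "web"]},
                 {"name": "back", "members": ["web", "db"]}],
}
SAMPLE_HOSTS = {"h1": {"cpu": 4, "memory_mb": 4096}, "h2": {"cpu": 4, "memory_mb": 8192}}
```

Running schedule(SAMPLE_DOC, SAMPLE_HOSTS) places db on h1 and gw and web on h2, so the back network spans both hosts while dmz stays on h2; the hosts field of each network instruction is what the link control module would use to decide whether the link must cross physical servers.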
Specifically, S502 includes:
calling a virtualization technology corresponding to the scene simulation instruction to perform scene simulation of the virtual nodes according to the corresponding scene simulation instruction;
and generating or destroying the network links among the virtual nodes by using SDN technology according to the scene simulation instruction related to the network links.
Specifically, S503 includes:
receiving a monitoring instruction and an initialization instruction sent by the scene simulation component;
initializing the system, monitoring the operating environment of the current node, and determining a node control plug-in.
In addition, when a network security training scene is destroyed, the usage state of the underlying link resources is maintained while the various instructions are executed.
In this embodiment, if a network security training simulation scene is destroyed, the specific process includes:
S601: the central control module receives a scene destruction instruction;
S602: the central control module searches the database for the scene instance to be destroyed and sends the scene destruction instruction to the simulation component module;
S603: the simulation component module receives the scene destruction instruction, converts the part of it related to nodes into a first control command corresponding to the node virtualization solution, and destroys the corresponding virtual nodes according to the first control command;
S604: the simulation component module converts the part of the scene destruction instruction related to network links into a second control command of the network virtualization solution, and destroys the corresponding virtual networks and links according to the second control command.
When the destruction instructions are executed for the network security training scene, the usage state of the underlying link resources is maintained: the simulation component module converts the scene destruction instruction into the corresponding destruction scheme for the virtualization nodes and converts that scheme into destruction commands.
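The S601 to S604 destruction sequence, as an added Python illustration that is not the patent's code. The scene database, the per-technology node destruction command names and the sdn.delete_* command names are constructed; what the example shows is the ordering of the first and second control commands and the release of VLAN identifiers, which is how the link-resource usage state described above is kept correct after a scene is torn down.

```python
from typing import Dict, List, Set

# Constructed scene database: scene instance -> the virtual nodes and networks it owns.
SCENE_DB: Dict[str, dict] = {
    "scene-42": {
        "nodes": [{"id": "vm-1", "tech": "kvm"}, {"id": "ctr-7", "tech": "docker"}],
        "networks": [{"id": "dmz", "tech": "vlan", "vlan": 120},
                     {"id": "wan", "tech": "vxlan", "vni": 5003}],
    }
}

# First control command per node virtualization solution (assumed names; the text
# only names the generation-side VM.* and container interfaces).
NODE_DESTROY = {"kvm": "VM.destroy", "vsphere": "VM.destroy", "qemu": "VM.destroy",
                "docker": "container remove"}


def destroy_scene(db: Dict[str, dict], scene_id: str, vlans_in_use: Set[int]) -> List[dict]:
    """S601-S604: look up the scene instance, emit the first control commands for its
    nodes, then the second control commands for its networks, and release VLAN IDs so
    the underlying link-resource accounting stays correct."""
    scene = db.get(scene_id)
    if scene is None:                                      # S602: no such instance
        raise KeyError(f"no scene instance {scene_id} to destroy")
    commands: List[dict] = []
    for node in scene["nodes"]:                            # S603: nodes before their links
        commands.append({"kind": "first", "cmd": NODE_DESTROY[node["tech"]], "target": node["id"]})
    for net in scene["networks"]:                          # S604: virtual networks and links
        cmd = {"kind": "second", "cmd": f"sdn.delete_{net['tech']}", "target": net["id"]}
        if net["tech"] == "vlan":
            vlans_in_use.discard(net["vlan"])              # VLAN ID returns to the free pool
            cmd["released_vlan"] = net["vlan"]
        commands.append(cmd)
    del db[scene_id]                                       # the instance no longer exists
    return commands
```

Destroying nodes before the networks that carry them means a node is never left attached to a link whose VLAN or VNI has already been handed to another scene, which is the failure that skipping the bookkeeping would eventually cause.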
according to the method, virtualization technologies of different levels are adopted in one scene simulation, so that the fidelity of the scene simulation is improved, the resource overhead is reduced, and the generation time of resource virtualization is shortened.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network security training scene simulation system is characterized by comprising:
the system comprises a central control module, a simulation component module and a node monitoring module;
the central control module is used for generating scene simulation demand information, converting the scene simulation demand information into a scene simulation instruction and sending the scene simulation instruction to the simulation component module; the scene simulation demand information comprises a plurality of preset virtualization technologies;
the simulation component module is used for receiving the scene simulation instruction and calling a plurality of virtualization technologies to simulate the scene according to the scene simulation instruction;
and the node monitoring module is used for monitoring the operating environment of the virtual nodes of the scene simulation when the simulation component module carries out the scene simulation.
2. The system of claim 1, wherein the plurality of virtualization techniques comprises:
VMware vSphere virtualization technology, KVM kernel-based virtual machine virtualization technology, QEMU virtualization technology, and Docker virtualization technology.
3. The system of claim 1, wherein the scene simulation instructions comprise:
a virtual node generation instruction, a virtual node destruction instruction, a virtual network generation instruction, a virtual network destruction instruction, a virtual node power supply control instruction, a virtual node snapshot management instruction, a virtual node remote control instruction, a guest operating system command execution instruction and a guest operating system file management instruction.
4. The system of claim 1, wherein the central control module comprises:
the scene visualization control module is used for generating a network topological graph required by a user and converting the network topological graph into a scene simulation requirement in a preset standard format;
the scene simulation requirement analysis module is used for analyzing the scene simulation requirement in the preset standard format and verifying whether the analyzed scene simulation requirement meets preset regulations;
the scene simulation resource allocation module is used for receiving the analyzed scene simulation requirements and generating a scene simulation resource allocation scheme by adopting a preset network mapping algorithm based on the current resource use condition;
the scene simulation scheduling module is used for receiving the scene simulation resource allocation scheme and converting the scene simulation resource allocation scheme into a scene simulation instruction;
and the scene database module is used for storing relevant data of scene simulation.
5. The system of claim 1, wherein the simulation component module comprises:
the system comprises an instruction receiving module, a node simulation module, a link simulation module and a data acquisition module;
the instruction receiving module is used for receiving a scene simulation instruction and forwarding the scene simulation instruction to the node simulation module, the link control module and/or the data acquisition module;
the node simulation module is used for calling a virtualization technology corresponding to the scene simulation instruction to perform scene simulation of the virtual node according to the corresponding scene simulation instruction;
the link control module is used for receiving a scene simulation instruction related to a network link, and generating or destroying the network link between the virtual nodes by an SDN technology according to the scene simulation instruction related to the network link;
and the data acquisition module is used for receiving the scene simulation instruction related to data acquisition and executing the scene simulation instruction related to data acquisition.
6. The system of claim 1, wherein the node monitoring module comprises:
the node control proxy module and the node control plug-in;
the node control agent module is used for receiving the monitoring instruction and the initialization instruction sent by the scene simulation component, initializing the system, monitoring the operating environment of the current node and determining a node control plug-in;
and the node control plug-in is used for receiving the command sent by the node control agent module and executing the command.
7. A network security training scene simulation method is characterized by comprising the following steps:
generating a scene simulation demand, and converting the scene simulation demand into a scene simulation instruction; the scene simulation demand information comprises a plurality of preset virtualization technologies;
calling multiple preset virtualization technologies according to the scene simulation instruction;
executing the scene simulation instruction according to the plurality of virtualization technologies to simulate the scene of the virtualization node;
and monitoring the operating environment of the virtualization node when the scene simulation is carried out on the virtualization node.
8. The method of claim 7, wherein the plurality of virtualization techniques comprises:
VMware vSphere virtualization technology, KVM kernel-based virtual machine virtualization technology, QEMU virtualization technology, and Docker virtualization technology.
9. The method of claim 7, wherein generating the scene simulation requirements and converting the scene simulation requirements into scene simulation instructions comprises:
generating a scene simulation requirement designed by a user, and converting the scene simulation requirement designed by the user into a scene simulation requirement in a preset standard format;
analyzing the scene simulation requirement;
verifying whether the analyzed scene simulation duration conforms to a preset regulation or not;
generating a scene simulation resource allocation scheme by adopting a preset network mapping algorithm according to the analyzed scene simulation requirement and the current resource use condition;
and converting the scene simulation resource allocation scheme into a scene simulation instruction.
10. The method according to claim 7 or 9, wherein the executing the scene simulation instructions according to the plurality of virtualization technologies to perform scene simulation of virtualization nodes comprises:
calling a virtualization technology corresponding to the scene simulation instruction to perform scene simulation of the virtual nodes according to the corresponding scene simulation instruction;
and generating or destroying the network links among the virtual nodes by using SDN technology according to the scene simulation instruction related to the network links.
CN201811131073.9A 2018-09-27 2018-09-27 Network security training scene simulation system and method Pending CN110956864A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811131073.9A CN110956864A (en) 2018-09-27 2018-09-27 Network security training scene simulation system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811131073.9A CN110956864A (en) 2018-09-27 2018-09-27 Network security training scene simulation system and method

Publications (1)

Publication Number Publication Date
CN110956864A true CN110956864A (en) 2020-04-03

Family

ID=69967861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811131073.9A Pending CN110956864A (en) 2018-09-27 2018-09-27 Network security training scene simulation system and method

Country Status (1)

Country Link
CN (1) CN110956864A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112511431A (en) * 2020-11-12 2021-03-16 中国科学院计算技术研究所 Routing flow fusion method for virtual network simulation

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070058957A (en) * 2005-12-05 2007-06-11 한국전자통신연구원 Apparatus and method for debugging sensor network using simulation
CN103001823A (en) * 2012-11-13 2013-03-27 中国科学院信息工程研究所 Method and system for establishing virtual network on basis of multi-grit abstract theory
CN104599315A (en) * 2014-12-09 2015-05-06 深圳市腾讯计算机系统有限公司 Three-dimensional scene construction method and system
CN105763570A (en) * 2016-04-26 2016-07-13 北京交通大学 Virtualization-technology-based distributed real-time network simulation system
CN106713003A (en) * 2016-05-12 2017-05-24 深圳市深信服电子科技有限公司 Virtual node creating method and apparatus based on network topological diagram
CN107193627A (en) * 2017-03-30 2017-09-22 中国电力科学研究院 A kind of simulating scenes creation method and device based on virtualization technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李剑锋,等: "基于多粒度虚拟化的虚实融合网络仿真", 《传感器与微系统》 *

Similar Documents

Publication Publication Date Title
US9628339B1 (en) Network testbed creation and validation
CN109802852B (en) Method and system for constructing network simulation topology applied to network target range
US10678746B2 (en) Virtual network optimizing a physical network
CN109218046B (en) Method and system for managing network slices and storage medium
US20150082308A1 (en) Method and apparatus for network virtualization
CN106301829A (en) A kind of method and apparatus of Network dilatation
CN102195803B (en) Data communication method and system
WO2016180464A1 (en) Method and entities for service availability management
CN108345490B (en) Method and system for deploying virtual machine in NFV
WO2022267175A1 (en) Information processing method and apparatus, and computer device and storage medium
CN111371608B (en) Method, device and medium for deploying SFC service chain
US10999369B2 (en) Network topology templates for internal states of management and control planes
Nguyen et al. How to build complex, large-scale emulated networks
CN113747150B (en) Method and system for testing video service system based on container cloud
CN108650337B (en) Server detection method, system and storage medium
CN110956864A (en) Network security training scene simulation system and method
CN112953739B (en) K8S platform-based method, system and storage medium for nanotube SDN
CN109962914A (en) A kind of firewall configuration method and device
KR101737468B1 (en) Apparatus and method for managing resource in virtualization environment
Taher Testing of floodlight controller with mininet in sdn topology
JP6818654B2 (en) Test automation equipment, test methods, and programs
KR102518390B1 (en) Apparatus and Method for Selecting Backup Service Function of Service Function Chain based on Software Defined Network
KR20140052835A (en) System for controlling and verifying open programmable network and method thereof
Atwal et al. A novel approach for simulation and analysis of cloud data center applications
CN112615745B (en) Method and system for accessing Internet of things card platform to upstream through parameter configuration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200403