CN111262841B - Resource scheduling method and system for virtual micro-isolation network - Google Patents

Resource scheduling method and system for virtual micro-isolation network Download PDF

Info

Publication number
CN111262841B
CN111262841B CN202010023867.4A CN202010023867A CN111262841B CN 111262841 B CN111262841 B CN 111262841B CN 202010023867 A CN202010023867 A CN 202010023867A CN 111262841 B CN111262841 B CN 111262841B
Authority
CN
China
Prior art keywords
micro
virtual machine
virtual
isolation
virtual machines
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010023867.4A
Other languages
Chinese (zh)
Other versions
CN111262841A (en
Inventor
段彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd filed Critical Wuhan Sipuling Technology Co Ltd
Priority to CN202010023867.4A priority Critical patent/CN111262841B/en
Publication of CN111262841A publication Critical patent/CN111262841A/en
Application granted granted Critical
Publication of CN111262841B publication Critical patent/CN111262841B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a resource scheduling method and a system of a virtual micro-isolation network, which are characterized in that an OpenFlow protocol is used for collecting, analyzing and extracting a characteristic vector and a flow table item in flow data to obtain a communication relation between virtual machines in a distributed virtual environment, clustering processing is used for micro-isolation grouping of the virtual machines, whether network attack behaviors exist between the virtual machines in the communication relation is verified, a security protection strategy is dynamically deployed for the micro-isolation grouping of the virtual machines according to a verification result, whether resource scheduling is needed or not is judged according to service progress and residual resources, and other micro-isolation grouping resources which are adjacent and have the same security protection strategy grade are scheduled to process services if the service progress needs to be accelerated and the residual resources in the micro-isolation grouping are insufficient.

Description

Resource scheduling method and system for virtual micro-isolation network
Technical Field
The present application relates to the field of network security technologies, and in particular, to a resource scheduling method and system for a virtual micro-isolation network.
Background
Now, it is more and more common to use virtualization technology to construct data centers, which brings new security problems, and in a virtualized network environment, a large amount of flow data is forwarded through a virtual switch, and cannot pass through a firewall, so that the traditional security protection measures are invalid. The amount of communication flow between the virtual machines becomes uncontrollable and the threat of the internal virtual machines cannot be detected nor controlled. The distributed virtual environment has a large number of virtual machines, and how to dynamically deploy the security protection strategy is also a technical problem which needs to be solved urgently.
Meanwhile, a great amount of shared network resources exist in the virtual network, and how to continue to share and use the network resources under the condition that the virtual machines are mutually micro-isolated is also a technical problem to be solved.
Therefore, a method and a system for security protection of a targeted distributed virtual environment are urgently needed.
Disclosure of Invention
The invention aims to provide a resource scheduling method and system of a virtual micro-isolation network, and solves the technical problems that in the prior art, a control method and a dynamic deployment safety protection strategy are lacked for flow data among massive virtual machines, and how to schedule shared resources under the micro-isolation condition.
In a first aspect, the present application provides a resource scheduling method for a virtual micro-isolation network, where the method includes:
acquiring flow data in a distributed virtual network, collecting flow statistical information by using an OpenFlow protocol, analyzing and extracting a feature vector and a flow table item in the flow data, and obtaining a communication relation of each virtual machine in the distributed virtual network according to an association relation of the flow table item;
before the communication relationship of each virtual machine in the distributed virtual network is obtained, acquiring all node identifiers of the distributed virtual network, forming a new unique identifier character string by the node identifiers and the virtual machine identifiers, and generating the communication relationship of each virtual machine in the distributed virtual network according to the front-back association relationship between the unique identifier character string and the flow table entry;
clustering according to the generated communication relationship of each virtual machine, the association degree of the service data and the adjacency degree of each virtual machine, and dividing all the virtual machines in the distributed virtual network into a plurality of micro-isolation groups;
the clustering processing can also comprise the step of determining whether communication links which are not frequently used exist in a service chain or not according to the utilization condition of each virtual machine resource;
verifying whether network attack behaviors exist among the virtual machines in the communication relation, if so, determining the attacked virtual machine as an unsafe virtual machine, upgrading the safety protection strategy of the micro-isolation group where the attacked virtual machine is located, marking the unsafe virtual machine, and suspending the communication between the unsafe virtual machine and other virtual machines; if the virtual machine does not exist, the verified virtual machine is determined to be a safe virtual machine;
when all the virtual machines of one micro-isolation group are safe virtual machines, issuing a common safety protection strategy for the micro-isolation group, allowing flow data to be normally transmitted between the virtual machines in the group, and allowing the virtual machines in the group to exchange the flow data with the virtual machines of other groups;
the upgrading of the security protection strategy of the micro-isolation packet in which the micro-isolation packet is located comprises the steps of suspending communication of the unsafe virtual machines in the packet, prohibiting traffic data transmission of all the virtual machines in the packet, and prohibiting the virtual machines in the packet from exchanging traffic data with the virtual machines in other packets;
regularly and repeatedly verifying whether the communication relation of the unsafe virtual machine still has network attack behaviors, if the network attack behaviors are eliminated, marking the unsafe virtual machine as a safe virtual machine, and adjusting the safety protection strategy of the micro-isolation group where the unsafe virtual machine is located;
counting the resource utilization condition and the service progress of each micro-isolation group, judging whether resource scheduling is needed according to the service progress and the residual resources, and scheduling other adjacent micro-isolation group resources with the same safety protection strategy grade to process the service if the service needs to accelerate the progress and the residual resources in the micro-isolation group are insufficient; if the service needs to be accelerated and the residual resources in the micro-isolation packet are rich, scheduling the virtual machine with lighter load in the packet to process the service, wherein the data volume of the processed service is determined according to the load condition of the virtual machine;
scheduling other micro-isolation grouping resources which are adjacent and have the same safety protection strategy grade, wherein the scheduling comprises scheduling the residual resources of part of the virtual machines in the other micro-isolation grouping, or the residual resources of all the virtual machines in the other micro-isolation grouping, or the resources in a plurality of other micro-isolation groupings;
and when the service progress is judged not to be accelerated, releasing the resources of other micro-isolation groups, and broadcasting a resource releasing message to all the virtual machines of the other relevant micro-isolation groups.
With reference to the first aspect, in a first possible implementation manner of the first aspect, before obtaining the communication relationship between each virtual machine in the distributed virtual network, the method further includes preprocessing a flow entry, deleting a communication link between the virtual machine and an external server or a gateway, deleting an irrelevant field, and using a source IP address and a destination IP address as a matching condition.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the neighboring degree of each virtual machine includes determining whether the virtual machines belong to the same cluster or the same node.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the clustering algorithm used in the clustering process includes a K-Means algorithm, a mean shift clustering algorithm, a density-based clustering algorithm, or a coacervate hierarchical clustering algorithm.
In a second aspect, the present application provides a resource scheduling system of a virtual micro-isolation network, the system including: the system comprises an acquisition unit, a grouping unit, a strategy deployment unit and a scheduling unit;
the acquiring unit is used for acquiring flow data in the distributed virtual network, collecting flow statistical information by using an OpenFlow protocol, analyzing and extracting a feature vector and a flow table item in the flow data, and acquiring a communication relation of each virtual machine in the distributed virtual network according to an incidence relation of the flow table item;
before the communication relation of each virtual machine in the distributed virtual network is obtained, all node identifiers of the distributed virtual network are obtained, a new unique identifier character string is formed by the node identifiers and the virtual machine identifiers, and the communication relation of each virtual machine in the distributed virtual network is generated according to the front-back association relation of the unique identifier character string and the flow table item;
the grouping unit is used for performing clustering processing according to the generated communication relationship of each virtual machine, the association degree of the service data and the adjacent degree of each virtual machine, and dividing all the virtual machines in the distributed virtual network into a plurality of micro-isolated groups;
the clustering processing can also comprise the step of determining whether communication links which are not frequently used exist in a service chain or not according to the utilization condition of each virtual machine resource;
the policy deployment unit is used for verifying whether network attack behaviors exist among the virtual machines in the communication relationship, if so, determining the attacked virtual machine as an unsafe virtual machine, upgrading the security protection policy of the micro-isolation group where the attacked virtual machine is located, marking the unsafe virtual machine, and suspending the communication between the unsafe virtual machine and other virtual machines; if the virtual machine does not exist, the verified virtual machine is determined to be a safe virtual machine;
when all the virtual machines of one micro-isolation group are safe virtual machines, issuing a common safety protection strategy for the micro-isolation group, allowing flow data to be normally transmitted between the virtual machines in the group, and allowing the virtual machines in the group to exchange the flow data with the virtual machines of other groups;
the upgrading of the security protection strategy of the micro-isolation packet in which the micro-isolation packet is located comprises the steps of suspending communication of the unsafe virtual machines in the packet, prohibiting traffic data transmission of all the virtual machines in the packet, and prohibiting the virtual machines in the packet from exchanging traffic data with the virtual machines in other packets;
regularly and repeatedly verifying whether the communication relation of the unsafe virtual machine still has a network attack behavior, if the network attack behavior is eliminated, marking the unsafe virtual machine as a safe virtual machine, and adjusting the safety protection strategy of the micro-isolation group where the unsafe virtual machine is located;
the scheduling unit is used for counting the resource utilization condition and the service progress of each micro-isolation group, judging whether resource scheduling is needed according to the service progress and the residual resources, and scheduling other adjacent micro-isolation group resources with the same safety protection strategy grade to process the service if the service needs to accelerate the progress and the residual resources in the micro-isolation group are insufficient; if the service needs to be accelerated and the residual resources in the micro-isolation packet are rich, scheduling the virtual machine with lighter load in the packet to process the service, wherein the data volume of the processed service is determined according to the load condition of the virtual machine;
scheduling other micro-isolation grouping resources which are adjacent and have the same safety protection strategy grade, wherein the scheduling comprises scheduling the residual resources of part of the virtual machines in the other micro-isolation grouping, or the residual resources of all the virtual machines in the other micro-isolation grouping, or the resources in a plurality of other micro-isolation groupings;
and when the service progress does not need to be accelerated, releasing the resources of other micro-isolation groups, and broadcasting a resource releasing message to all the virtual machines of the other relevant micro-isolation groups.
With reference to the second aspect, in a first possible implementation manner of the second aspect, before obtaining the communication relationship between each virtual machine in the distributed virtual network, the method further includes preprocessing a flow entry, deleting a communication link between the virtual machine and an external server or a gateway, deleting an irrelevant field, and using a source IP address and a destination IP address as matching conditions.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the neighboring degree of each virtual machine includes determining whether the virtual machines belong to the same cluster or the same node.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the clustering algorithm used in the clustering process includes a K-Means algorithm, a mean shift clustering algorithm, a density-based clustering algorithm, or a coacervation hierarchical clustering algorithm.
The invention provides a resource scheduling method and a system of a virtual micro-isolation network, which are characterized in that an OpenFlow protocol is used for collecting, analyzing and extracting a characteristic vector and a flow table item in flow data to obtain a communication relation between virtual machines in a distributed virtual environment, clustering processing is used for micro-isolation grouping of the virtual machines, whether network attack behaviors exist between the virtual machines in the communication relation is verified, a security protection strategy is dynamically deployed for the micro-isolation grouping of the virtual machines according to a verification result, whether resource scheduling is needed or not is judged according to service progress and residual resources, and other micro-isolation grouping resources which are adjacent and have the same security protection strategy grade are scheduled to process services if the service progress needs to be accelerated and the residual resources in the micro-isolation grouping are insufficient.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a resource scheduling method of a virtual micro-isolation network according to the present invention;
FIG. 2 is an architecture diagram of a resource scheduling system of the virtual micro-isolation network according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly and clearly defined.
Fig. 1 is a flowchart of a resource scheduling method of a virtual micro-isolation network provided in the present application, where the method includes:
acquiring flow data in a distributed virtual network, collecting flow statistical information by using an OpenFlow protocol, analyzing and extracting a feature vector and a flow table item in the flow data, and obtaining a communication relation of each virtual machine in the distributed virtual network according to an association relation of the flow table item;
before the communication relationship of each virtual machine in the distributed virtual network is obtained, acquiring all node identifiers of the distributed virtual network, forming a new unique identifier character string by the node identifiers and the virtual machine identifiers, and generating the communication relationship of each virtual machine in the distributed virtual network according to the front-back association relationship between the unique identifier character string and the flow table entry;
clustering according to the generated communication relationship of each virtual machine, the association degree of the service data and the adjacency degree of each virtual machine, and dividing all the virtual machines in the distributed virtual network into a plurality of micro-isolation groups;
the clustering processing can also comprise the step of determining whether communication links which are not frequently used exist in a service chain or not according to the utilization condition of each virtual machine resource;
verifying whether network attack behaviors exist among the virtual machines in the communication relation, if so, determining the attacked virtual machine as an unsafe virtual machine, upgrading the safety protection strategy of the micro-isolation group where the attacked virtual machine is located, marking the unsafe virtual machine, and suspending the communication between the unsafe virtual machine and other virtual machines; if the virtual machine does not exist, the verified virtual machine is determined to be a safe virtual machine;
when all the virtual machines of one micro-isolation group are safe virtual machines, issuing a common safety protection strategy for the micro-isolation group, allowing flow data to be normally transmitted between the virtual machines in the group, and allowing the virtual machines in the group to exchange the flow data with the virtual machines of other groups;
the upgrading of the security protection strategy of the micro-isolation packet in which the micro-isolation packet is located comprises the steps of suspending communication of the unsafe virtual machines in the packet, prohibiting traffic data transmission of all the virtual machines in the packet, and prohibiting the virtual machines in the packet from exchanging traffic data with the virtual machines in other packets;
regularly and repeatedly verifying whether the communication relation of the unsafe virtual machine still has network attack behaviors, if the network attack behaviors are eliminated, marking the unsafe virtual machine as a safe virtual machine, and adjusting the safety protection strategy of the micro-isolation group where the unsafe virtual machine is located;
counting the resource utilization condition and the service progress of each micro-isolation group, judging whether resource scheduling is needed or not according to the service progress and the residual resources, and scheduling other adjacent micro-isolation group resources with the same safety protection strategy grade to process the service if the service needs to accelerate the progress and the residual resources in the micro-isolation group are insufficient; if the service needs to be accelerated and the residual resources in the micro-isolation packet are rich, scheduling the virtual machine with lighter load in the packet to process the service, wherein the data volume of the processed service is determined according to the load condition of the virtual machine;
scheduling other micro-isolation grouping resources which are adjacent and have the same safety protection strategy grade, wherein the scheduling comprises scheduling the residual resources of part of the virtual machines in the other micro-isolation grouping, or the residual resources of all the virtual machines in the other micro-isolation grouping, or the resources in a plurality of other micro-isolation groupings;
and when the service progress is judged not to be accelerated, releasing the resources of other micro-isolation groups, and broadcasting a resource releasing message to all the virtual machines of the other relevant micro-isolation groups.
In some preferred embodiments, before obtaining the communication relationship of each virtual machine in the distributed virtual network, the method further includes preprocessing a flow entry, deleting a communication link between the virtual machine and an external server or gateway, deleting an irrelevant field, and using the source IP address and the destination IP address as a matching condition.
In some preferred embodiments, the degree of adjacency of the virtual machines includes determining whether the virtual machines belong to the same cluster or the same node.
In some preferred embodiments, the clustering process uses a clustering algorithm that includes a K-Means algorithm, a mean shift clustering algorithm, a density-based clustering algorithm, or a coacervate hierarchy clustering algorithm.
Fig. 2 is an architecture diagram of a resource scheduling system of a virtual micro-isolation network provided in the present application, where the system includes: the system comprises an acquisition unit, a grouping unit, a strategy deployment unit and a scheduling unit;
the acquisition unit is used for acquiring flow data in the distributed virtual network, collecting flow statistical information by using an OpenFlow protocol, analyzing and extracting a feature vector and a flow table item in the flow data, and acquiring a communication relation of each virtual machine in the distributed virtual network according to an association relation of the flow table item;
before the communication relation of each virtual machine in the distributed virtual network is obtained, all node identifiers of the distributed virtual network are obtained, a new unique identifier character string is formed by the node identifiers and the virtual machine identifiers, and the communication relation of each virtual machine in the distributed virtual network is generated according to the front-back association relation of the unique identifier character string and the flow table item;
the grouping unit is used for performing clustering processing according to the generated communication relationship of each virtual machine, the association degree of the service data and the adjacent degree of each virtual machine, and dividing all the virtual machines in the distributed virtual network into a plurality of micro-isolated groups;
the clustering processing can also comprise the step of determining whether communication links which are not frequently used exist in a service chain or not according to the utilization condition of each virtual machine resource;
the policy deployment unit is used for verifying whether network attack behaviors exist among the virtual machines in the communication relationship, if so, determining the attacked virtual machine as an unsafe virtual machine, upgrading the security protection policy of the micro-isolation group where the attacked virtual machine is located, marking the unsafe virtual machine, and suspending the communication between the unsafe virtual machine and other virtual machines; if the virtual machine does not exist, the verified virtual machine is determined to be a safe virtual machine;
when all the virtual machines of one micro-isolation group are safe virtual machines, issuing a common safety protection strategy for the micro-isolation group, allowing flow data to be normally transmitted between the virtual machines in the group, and allowing the virtual machines in the group to exchange the flow data with the virtual machines of other groups;
the upgrading of the security protection strategy of the micro-isolation packet in which the micro-isolation packet is located comprises the steps of suspending communication of the unsafe virtual machines in the packet, prohibiting traffic data transmission of all the virtual machines in the packet, and prohibiting the virtual machines in the packet from exchanging traffic data with the virtual machines in other packets;
regularly and repeatedly verifying whether the communication relation of the unsafe virtual machine still has network attack behaviors, if the network attack behaviors are eliminated, marking the unsafe virtual machine as a safe virtual machine, and adjusting the safety protection strategy of the micro-isolation group where the unsafe virtual machine is located;
the scheduling unit is used for counting the resource utilization condition and the service progress of each micro-isolation group, judging whether resource scheduling is needed according to the service progress and the residual resources, and scheduling other adjacent micro-isolation group resources with the same safety protection strategy grade to process the service if the service needs to accelerate the progress and the residual resources in the micro-isolation group are insufficient; if the service needs to be accelerated and the residual resources in the micro-isolation packet are rich, scheduling the virtual machine with lighter load in the packet to process the service, wherein the data volume of the processed service is determined according to the load condition of the virtual machine;
scheduling other micro-isolation grouping resources which are adjacent and have the same security protection policy grade, wherein the scheduling comprises scheduling the residual resources of part of the virtual machines in the other micro-isolation grouping, or the residual resources of all the virtual machines in the other micro-isolation grouping, or the resources in a plurality of other micro-isolation groupings;
and when the service progress is judged not to be accelerated, releasing the resources of other micro-isolation groups, and broadcasting a resource releasing message to all the virtual machines of the other relevant micro-isolation groups.
In some preferred embodiments, before obtaining the communication relationship of each virtual machine in the distributed virtual network, the method further includes preprocessing a flow entry, deleting a communication link between the virtual machine and an external server or gateway, deleting an irrelevant field, and using the source IP address and the destination IP address as a matching condition.
In some preferred embodiments, the degree of adjacency of the virtual machines includes determining whether the virtual machines belong to the same cluster or the same node.
In some preferred embodiments, the clustering process uses a clustering algorithm that includes a K-Means algorithm, a mean shift clustering algorithm, a density-based clustering algorithm, or a coacervate hierarchy clustering algorithm.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented using software plus any required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (6)

1. A resource scheduling method of a virtual micro-isolation network is characterized by comprising the following steps:
acquiring flow data in a distributed virtual network, collecting flow statistical information by using an OpenFlow protocol, analyzing and extracting a feature vector and a flow table item in the flow data, and obtaining a communication relation of each virtual machine in the distributed virtual network according to an association relation of the flow table item;
before the communication relationship of each virtual machine in the distributed virtual network is obtained, acquiring all node identifiers of the distributed virtual network, forming a new unique identifier character string by the node identifiers and the virtual machine identifiers, and generating the communication relationship of each virtual machine in the distributed virtual network according to the front-back association relationship between the unique identifier character string and the flow table entry;
clustering according to the generated communication relationship of each virtual machine, the association degree of the service data and the adjacency degree of each virtual machine, and dividing all the virtual machines in the distributed virtual network into a plurality of micro-isolation groups;
the clustering processing also comprises the step of determining whether communication links which are not frequently used exist in a service chain or not according to the utilization condition of each virtual machine resource;
verifying whether network attack behaviors exist among the virtual machines in the communication relation, if so, determining the attacked virtual machine as an unsafe virtual machine, upgrading the safety protection strategy of the micro-isolation group where the attacked virtual machine is located, marking the unsafe virtual machine, and suspending the communication between the unsafe virtual machine and other virtual machines; if the virtual machine does not exist, the verified virtual machine is determined to be a safe virtual machine;
when all the virtual machines of one micro-isolation group are safe virtual machines, issuing a common safety protection strategy for the micro-isolation group, allowing flow data to be normally transmitted between the virtual machines in the group, and allowing the virtual machines in the group to exchange the flow data with the virtual machines of other groups;
the upgrading of the security protection strategy of the micro-isolation packet in which the micro-isolation packet is located comprises the steps of suspending communication of the unsafe virtual machines in the packet, prohibiting traffic data transmission of all the virtual machines in the packet, and prohibiting the virtual machines in the packet from exchanging traffic data with the virtual machines in other packets;
regularly and repeatedly verifying whether the communication relation of the unsafe virtual machine still has network attack behaviors, if the network attack behaviors are eliminated, marking the unsafe virtual machine as a safe virtual machine, and adjusting the safety protection strategy of the micro-isolation group where the unsafe virtual machine is located;
counting the resource utilization condition and the service progress of each micro-isolation group, judging whether resource scheduling is needed or not according to the service progress and the residual resources, and scheduling other adjacent micro-isolation group resources with the same safety protection strategy grade to process the service if the service needs to accelerate the progress and the residual resources in the micro-isolation group are insufficient; if the service needs to be accelerated and the residual resources in the micro-isolation packet are rich, scheduling the virtual machine with lighter load in the packet to process the service, wherein the data volume of the processed service is determined according to the load condition of the virtual machine;
scheduling other micro-isolation grouping resources which are adjacent and have the same safety protection strategy grade, wherein the scheduling comprises scheduling the residual resources of part of the virtual machines in the other micro-isolation grouping, or the residual resources of all the virtual machines in the other micro-isolation grouping, or the resources in a plurality of other micro-isolation groupings;
when the service progress is judged not to be accelerated, releasing the resources of other micro-isolation groups, and broadcasting a resource releasing message to all the virtual machines of the other relevant micro-isolation groups;
before the communication relation of each virtual machine in the distributed virtual network is obtained, the method further comprises the steps of preprocessing the flow table entry, deleting a communication link between the virtual machine and an external server or a gateway, deleting irrelevant fields, and taking the source IP address and the destination IP address as matching conditions.
2. The method of claim 1, wherein: the adjacent degree of each virtual machine comprises judging whether the virtual machines belong to the same cluster or the same node.
3. The method of claim 1, wherein: the clustering algorithm used by the clustering process comprises a K-Means algorithm, a mean shift clustering algorithm, a density-based clustering algorithm, or a coacervation hierarchical clustering algorithm.
4. A resource scheduling system for a virtual micro-isolation network, the system comprising: the system comprises an acquisition unit, a grouping unit, a strategy deployment unit and a scheduling unit;
the acquiring unit is used for acquiring flow data in the distributed virtual network, collecting flow statistical information by using an OpenFlow protocol, analyzing and extracting a feature vector and a flow table item in the flow data, and acquiring a communication relation of each virtual machine in the distributed virtual network according to an incidence relation of the flow table item;
before the communication relationship of each virtual machine in the distributed virtual network is obtained, acquiring all node identifiers of the distributed virtual network, forming a new unique identifier character string by the node identifiers and the virtual machine identifiers, and generating the communication relationship of each virtual machine in the distributed virtual network according to the front-back association relationship between the unique identifier character string and the flow table entry;
the grouping unit is used for performing clustering processing according to the generated communication relationship of each virtual machine, the association degree of the service data and the adjacent degree of each virtual machine, and dividing all the virtual machines in the distributed virtual network into a plurality of micro-isolated groups;
the clustering processing also comprises the step of determining whether communication links which are not frequently used exist in a service chain or not according to the utilization condition of each virtual machine resource;
the policy deployment unit is used for verifying whether network attack behaviors exist among the virtual machines in the communication relationship, if so, determining the attacked virtual machine as an unsafe virtual machine, upgrading the security protection policy of the micro-isolation group where the attacked virtual machine is located, marking the unsafe virtual machine, and suspending the communication between the unsafe virtual machine and other virtual machines; if the virtual machine does not exist, the verified virtual machine is determined to be a safe virtual machine;
when all the virtual machines of one micro-isolation group are safe virtual machines, issuing a common safety protection strategy for the micro-isolation group, allowing flow data to be normally transmitted between the virtual machines in the group, and allowing the virtual machines in the group to exchange the flow data with the virtual machines of other groups;
the upgrading of the security protection strategy of the micro-isolation packet in which the micro-isolation packet is located comprises the steps of suspending communication of the unsafe virtual machines in the packet, prohibiting traffic data transmission of all the virtual machines in the packet, and prohibiting the virtual machines in the packet from exchanging traffic data with the virtual machines in other packets;
regularly and repeatedly verifying whether the communication relation of the unsafe virtual machine still has network attack behaviors, if the network attack behaviors are eliminated, marking the unsafe virtual machine as a safe virtual machine, and adjusting the safety protection strategy of the micro-isolation group where the unsafe virtual machine is located;
the scheduling unit is used for counting the resource utilization condition and the service progress of each micro-isolation group, judging whether resource scheduling is needed according to the service progress and the residual resources, and scheduling other adjacent micro-isolation group resources with the same safety protection strategy grade to process the service if the service needs to accelerate the progress and the residual resources in the micro-isolation group are insufficient; if the service needs to be accelerated and the residual resources in the micro-isolation packet are rich, scheduling the virtual machine with lighter load in the packet to process the service, wherein the data volume of the processed service is determined according to the load condition of the virtual machine;
scheduling other micro-isolation grouping resources which are adjacent and have the same safety protection strategy grade, wherein the scheduling comprises scheduling the residual resources of part of the virtual machines in the other micro-isolation grouping, or the residual resources of all the virtual machines in the other micro-isolation grouping, or the resources in a plurality of other micro-isolation groupings;
when the service progress is judged not to be accelerated, releasing the resources of other micro-isolation groups, and broadcasting a resource releasing message to all the virtual machines of the other relevant micro-isolation groups;
before the communication relation of each virtual machine in the distributed virtual network is obtained, the method further comprises the steps of preprocessing the flow table entry, deleting a communication link between the virtual machine and an external server or a gateway, deleting irrelevant fields, and taking the source IP address and the destination IP address as matching conditions.
5. The system of claim 4, wherein the proximity of the virtual machines comprises determining whether the virtual machines belong to the same cluster or the same node.
6. The system of claim 4, wherein the clustering process uses a clustering algorithm comprising a K-Means algorithm, a mean shift clustering algorithm, a density-based clustering algorithm, or a coacervate hierarchy clustering algorithm.
CN202010023867.4A 2020-01-09 2020-01-09 Resource scheduling method and system for virtual micro-isolation network Active CN111262841B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010023867.4A CN111262841B (en) 2020-01-09 2020-01-09 Resource scheduling method and system for virtual micro-isolation network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010023867.4A CN111262841B (en) 2020-01-09 2020-01-09 Resource scheduling method and system for virtual micro-isolation network

Publications (2)

Publication Number Publication Date
CN111262841A CN111262841A (en) 2020-06-09
CN111262841B true CN111262841B (en) 2022-05-03

Family

ID=70950369

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010023867.4A Active CN111262841B (en) 2020-01-09 2020-01-09 Resource scheduling method and system for virtual micro-isolation network

Country Status (1)

Country Link
CN (1) CN111262841B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118466B (en) * 2022-06-14 2024-04-12 深信服科技股份有限公司 Policy generation method and device, electronic equipment and storage medium
CN115459968B (en) * 2022-08-25 2023-06-06 中国人民解放军国防科技大学 Isolation method for high-performance computer system and high-performance computer system
CN115622808B (en) * 2022-12-13 2023-05-23 北京市大数据中心 Method for secure isolation, electronic device, computer readable medium
CN115981825B (en) * 2023-02-06 2023-08-01 上海交通大学 Cluster parallel scheduling system based on hybrid shared state view architecture

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102369688A (en) * 2011-04-07 2012-03-07 华为技术有限公司 Method for adjusting resources dynamically and scheduling device
CN102637138A (en) * 2012-03-20 2012-08-15 浪潮电子信息产业股份有限公司 Method for computing and scheduling virtual machine
CN104917805A (en) * 2015-01-14 2015-09-16 杭州华三通信技术有限公司 Load sharing method and equipment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102427475B (en) * 2011-12-08 2014-01-29 无锡城市云计算中心有限公司 Load balance scheduling system in cloud computing environment
CN107179957B (en) * 2016-03-10 2020-08-25 阿里巴巴集团控股有限公司 Physical machine fault classification processing method and device and virtual machine recovery method and system
CN105577702A (en) * 2016-03-15 2016-05-11 耿童童 Virtual machine level security protection system and method
US20190273718A1 (en) * 2018-03-01 2019-09-05 ShieldX Networks, Inc. Intercepting network traffic routed by virtual switches for selective security processing
CN109167795B (en) * 2018-09-27 2022-03-22 深信服科技股份有限公司 Security defense system and method
CN110378103B (en) * 2019-07-22 2022-11-25 电子科技大学 Micro-isolation protection method and system based on OpenFlow protocol

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102369688A (en) * 2011-04-07 2012-03-07 华为技术有限公司 Method for adjusting resources dynamically and scheduling device
CN102637138A (en) * 2012-03-20 2012-08-15 浪潮电子信息产业股份有限公司 Method for computing and scheduling virtual machine
CN104917805A (en) * 2015-01-14 2015-09-16 杭州华三通信技术有限公司 Load sharing method and equipment

Also Published As

Publication number Publication date
CN111262841A (en) 2020-06-09

Similar Documents

Publication Publication Date Title
CN111262841B (en) Resource scheduling method and system for virtual micro-isolation network
CN111224990B (en) Flow traction method and system of distributed micro-isolation network
CA2635969C (en) Systems and methods for improved network based content inspection
CN111273995A (en) Safety scheduling method and system for virtual micro-isolation network
CN109688105B (en) Threat alarm information generation method and system
CN111431881B (en) Method and device for trapping nodes based on windows operating system
CN110347501A (en) A kind of service testing method, device, storage medium and electronic equipment
US20120134271A1 (en) Identification of underutilized network devices
CN111176795B (en) Dynamic migration method and system of distributed virtual network
CN109561100B (en) Method and system for duplex energized network attack and defense based on distributed and artificial intelligence
Zhang et al. Toward online virtual network function placement in software defined networks
CN111212079B (en) Service-based micro-isolation flow traction method and system
CN111224989A (en) Attack surface protection method and system for virtual micro-isolation network
Sun et al. Detecting and mitigating ARP attacks in SDN-based cloud environment
CN111262840A (en) Attack plane transfer method and system of virtual network
CN107835145A (en) The method and distributed system of a kind of anti-replay-attack
CN111277568A (en) Isolation attack method and system for distributed virtual network
CN113259175B (en) Security service and function service combined arrangement method in edge computing environment
CN111258711B (en) Multi-protocol network micro-isolation method and system
Liu et al. Using blockchain technology in IoT manufacture environment for intelligence prediction
Dansana et al. A Study of Recent Security Attacks on Cognitive Radio Ad Hoc Networks (CRAHNs)
CN111586045A (en) Attribute encryption and dynamic security layer protection method and corresponding firewall
Abdulqadder et al. Validating user flows to protect software defined network environments
CN111443986A (en) Micro-isolation protection method and system for distributed virtual environment
Fadel et al. HDLIDP: A Hybrid Deep Learning Intrusion Detection and Prevention Framework.

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant