CN111431914A - Energy internet cloud platform safety protection method and system - Google Patents

Info

Publication number
CN111431914A
Authority
CN
China
Prior art keywords
security
cloud platform
flow
domain
safety
Legal status
Withdrawn
Application number
CN202010238293.2A
Other languages
Chinese (zh)
Inventor
廖清阳
袁龙
陈晓
宗志亚
谢威
姚璐
宋尧
张华�
黄传炳
吴小康
Current Assignee
Guizhou Power Grid Co Ltd
Original Assignee
Guizhou Power Grid Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/20 Traffic policing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses an energy internet cloud platform security protection method comprising the steps of: constructing a tenant-level virtual security resource pool; establishing a traffic steering mechanism, constructing a cloud platform traffic steering control network, and processing east-west and north-south traffic according to set rules; and controlling the security protection module of the system domain and the security protection module of the application domain through a security policy. The security protection system comprises a security protection module for the system domain and a security protection module for the application domain. The system domain security protection module adopts a layered architecture comprising a basic hardware and network layer security protection unit, a cloud virtualization layer security protection unit and a virtual resource layer security protection unit. The system domain security protection module is the foundation of the application domain security protection module, ensuring secure storage and stable use of data.

Description

Energy internet cloud platform safety protection method and system
Technical Field
The invention relates to the technical field of energy internet security, in particular to a method and a system for protecting energy internet cloud platform security.
Background
The energy internet cloud platform is the first open cloud platform serving the energy industry under China's 'Internet Plus' policy. Based on the ISO/IEC/IEEE 18880 standard, it supports access to data from various energy types such as electricity, water, gas, oil, coal and heat, and adopts advanced technologies such as IPv6, SDN, OpenStack, HTML5 and big data to provide third-party public services such as cloud storage, real-time monitoring, visual management, data analysis, risk control and energy efficiency analysis. Through real-time monitoring and scientific analysis it can fundamentally change how energy is used and how efficiently, bring substantial benefits to industries, governments, energy enterprises and individuals, and give rise to new business forms and models.
In recent years the Ukrainian power system has been attacked repeatedly, and security incidents such as the large-scale blackout in Venezuela show that critical infrastructure has become a primary target and that a single network security failure can affect the whole system. Any tiny security hole can paralyse a large number of power stations and thereby threaten social and national security. However, current energy internet cloud platform construction centres on improving energy-information-based intelligent service applications, and security protection is not given enough weight. Although some inventions propose that a security management, supervision and assurance system on the cloud platform needs to be improved, no systematic and targeted security protection system has been established, and a search for a 'security protection architecture method for the energy internet' finds no related invention. Data security is therefore the first problem to consider when building and maintaining the energy internet cloud platform, and building the security protection and assurance capability of the energy internet is an urgent task.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and the title of the invention of this application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The invention is provided in view of the problems existing in the process of establishing and maintaining the existing energy Internet cloud platform.
The technical problem solved by the invention is therefore that the existing energy internet cloud platform lacks a sufficient security protection architecture to ensure data security.
To solve this problem, the invention provides the following technical scheme: a security protection method for an energy internet cloud platform comprises constructing a tenant-level virtual security resource pool; establishing a traffic steering mechanism, constructing a cloud platform traffic steering control network, and processing east-west and north-south traffic according to set rules; controlling the security protection module of the system domain and the security protection module of the application domain through a security policy; and thereby realising security protection of the energy internet cloud platform.
In a preferred scheme of the security protection method of the invention, the virtual security resource pool combines all security service nodes required by a tenant into a chain structure, orchestrates security services through the security policy, and protects tenant traffic according to the corresponding security policy.
In a preferred scheme of the security protection method of the invention, the traffic steering mechanism includes traffic monitoring and traffic filtering.
In a preferred scheme of the security protection method of the invention, traffic monitoring does not change the original route of the traffic but copies all of it to a security device for processing; traffic filtering modifies the route so that the traffic is diverted through the security device and returned to its target after processing.
In a preferred scheme of the security protection method of the invention, the security policy establishes a cryptographic mechanism within a security domain, formulates a tenant security steering policy, orchestrates the security services of the security resource pool, and performs situation awareness and security management based on the traffic steering protection system.
To solve the technical problem, the invention also provides the following technical scheme: an energy internet cloud platform security protection system comprises a security protection module for the system domain and a security protection module for the application domain; the system domain security protection module adopts a layered architecture comprising a basic hardware and network layer security protection unit, a cloud virtualization layer security protection unit and a virtual resource layer security protection unit; and the security protection module of the system domain is the foundation of the security protection module of the application domain.
In a preferred scheme of the security protection system of the invention, the security protection module of the application domain uses a cryptographic mechanism to construct strongly isolated, controlled tenants.
In a preferred scheme of the security protection system of the invention, different tenants construct different security domains based on different cryptographic keys, and secure interaction of service applications within a domain and secure isolation of service applications between domains are realised through the cryptographic protection mechanism of the security domains.
In a preferred scheme of the security protection system of the invention, a firm line of defence is built between security domains using cryptography, and management, control and application security protection are strengthened within them.
In a preferred scheme of the security protection system of the invention, for the different application security requirements within a security domain, a tenant-level security resource pool is constructed, and service traffic is steered into it by the traffic steering mechanism of the cloud platform traffic steering control network.
The beneficial effects of the invention are as follows: the invention provides a security protection method and system for an energy internet cloud platform, which improves the security mechanism from the different aspects of networks, data and users, optimises distributed storage of energy data, strengthens the data-access security mechanism, and ensures secure storage and stable use of data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
fig. 1 is a basic architecture and functional diagram of a conventional energy internet cloud platform;
FIG. 2 is a schematic diagram of basic types of security threats of a cloud platform;
FIG. 3 is a schematic diagram of an infrastructure of a conventional energy Internet cloud platform security protection system;
fig. 4 is a schematic structural diagram of an energy internet cloud platform security protection system provided by the present invention;
fig. 5 is a schematic diagram of a security protection method for an energy internet cloud platform provided by the invention;
FIG. 6 is a diagram of CPU exception recovery;
FIG. 7 is a diagram of process exception recovery;
fig. 8 is a flowchart illustrating the operation of the energy internet cloud platform security protection system provided in the present invention;
FIG. 9 is a flow chart of a security protection method for an energy Internet cloud platform provided by the invention;
fig. 10 is a schematic diagram of constructing a virtual resource pool in the energy internet cloud platform security protection method provided by the invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described and will be readily apparent to those of ordinary skill in the art without departing from the spirit of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The present invention will be described in detail with reference to the drawings, wherein the cross-sectional views illustrating the structure of the device are not enlarged partially in general scale for convenience of illustration, and the drawings are only exemplary and should not be construed as limiting the scope of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in the actual fabrication.
Meanwhile, in the description of the present invention, it should be noted that the terms "upper, lower, inner and outer" and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation and operate, and thus, cannot be construed as limiting the present invention. Furthermore, the terms first, second, or third are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected and connected" in the present invention are to be understood broadly, unless otherwise explicitly specified or limited, for example: can be fixedly connected, detachably connected or integrally connected; they may be mechanically, electrically, or directly connected, or indirectly connected through intervening media, or may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1
At present the construction of energy internet cloud platforms is at an exploratory stage. The energy internet functional system architecture proposed in existing inventions basically comprises four levels, namely an end level, a network level, a cloud level, a technical level and a security assurance system; the technical level comprises a physical perception layer, a network transmission layer, a data and service cluster layer, a platform application layer, a system display layer and the like, and some of these inventions also propose the construction of a security assurance system, as shown in fig. 1.
The invention proposes a 'domain security + stream protection' cloud security architecture based on a domain-division protection security strategy and the security service chain protection idea, and describes the associated security protection method.
Firstly, analyzing the security risk of a cloud computing platform:
According to the invention, the security risks of a cloud computing platform are classified into 4 categories, data, systems, personnel and supervision, as shown in fig. 2, and specifically include data leakage, permanent data loss, shared risk, denial of service attacks, exploitation of system vulnerabilities, APT attacks, interface and API attacks, account hijacking, compromised credential and identity verification mechanisms, malicious insiders, insufficient due diligence and abuse of cloud services.
Then, analyzing the basic technology of cloud platform safety protection:
Currently there are typically 5 types: role-based security architecture, layering-based security architecture, isolation-based security architecture, trusted-root-based security architecture and service-based security architecture; their advantages and disadvantages are shown in fig. 3. These 5 cloud platform security architectures embody the cloud security protection idea of 'three divisions and two integrations'. The 'three divisions' start from the 3 dimensions of system layering, application domain division and role classification and, following the divide-and-conquer protection idea, progressively refine the security problems and protection measures so that a complete security protection scheme is formed. The 'two integrations' follow the protection concept of integrating a trusted cloud platform with secure cloud services: a trust chain transfer mechanism is used to construct a bottom-up, multi-level trusted execution environment for the cloud platform, strengthening the cloud platform's security control mechanism, and secure virtualization technology is used to construct a service-oriented, elastic cloud virtual security resource pool, strengthening the cloud platform's security service mechanism.
Cloud platform security protection is a complex systems-engineering problem that is seldom solved completely by a single security architecture or protection mechanism. The various cloud security architectures and protection mechanisms each have advantages and disadvantages and complement one another strongly; they should be applied together so that each offsets the others' weaknesses, the security protection mechanisms on the 3 sides of cloud ecosystem, cloud platform and cloud application are combined organically, and a comprehensive cloud security protection system of 'system layering, application domain division, role classification and multi-dimensional cooperation' is formed through dynamically enabled 'security as a service'.
Based on the above technical foundation and thought, the following is an improved thought and innovation of the invention.
Among the existing main security protection mechanisms, the role-based security framework is macroscopic and not suited to specific security protection, and the trust-based security mechanism is somewhat lacking in openness, flexibility and platform adaptability. The invention selectively uses the layering-, isolation- and service-based security protection ideas, improves the design to address the insufficient security of the cloud platform's existing isolation mechanism and the insufficient flexibility and adaptability of its security deployment means, takes cryptography as the underlying security means, and proposes a 'domain security + stream protection' cloud tenant security framework that takes tenant security domain construction as its core and uses service chains to improve security elasticity, as shown in fig. 4.
Referring to fig. 5 to 7, 9 and 10, a first embodiment of the security protection method for an energy internet cloud platform according to the invention is shown. The method comprises the following steps:
constructing a tenant-level virtual security resource pool;
establishing a traffic steering mechanism, constructing a cloud platform traffic steering control network, and processing east-west and north-south traffic according to set rules;
controlling the security protection module of the system domain and the security protection module of the application domain through a security policy;
and thereby realising security protection of the energy internet cloud platform.
Furthermore, the virtual security resource pool combines all security service nodes required by a tenant into a chain structure, orchestrates security services through a security policy, and protects tenant traffic according to the corresponding security policy.
It should be noted that, as shown in fig. 10, the virtual security resource pool is constructed using secure virtualization technology. Virtualization is a key step in realising multi-tenant service isolation. Unlike the virtualization implementations of traditional vendors, secure virtualization is a container-based full virtualization technology: each security engine manages the system hardware resources through a single OS kernel, each virtual firewall runs on that same kernel as a container instance, the virtual firewalls are independent of one another, and each has fine-grained resource limiting. When a high-performance security resource pool is built from a distributed security chassis, security resources can be scheduled and allocated in a fully unified way: an administrator can select multiple security modules within a chassis, or across chassis, to form a logical engine group; backup relationships between the security modules can be defined within the engine group; and different service flows can be directed to different security resource backup groups through a policy-based steering mechanism at the chassis I/O ingress, forming intra-chassis traffic backup or inter-chassis traffic reliability backup.
The traffic steering mechanism builds the cloud platform traffic steering control network through network traffic steering, cloud platform traffic steering, security virtual machine traffic steering and the like, and processes east-west and north-south traffic according to set rules.
It should be noted that:
① The virtual security resource pool is constructed on the idea of a security service chain. Each security domain is given a corresponding tenant-level virtual security resource pool, which establishes a tenant-level virtual mapping onto the cloud platform's physical security resource pool through virtualization technology: each kind of physical security device of the cloud platform is mapped to a virtual security service node in the virtual resource pool. When user data packets within the security domain are transmitted over the network, the service flow is steered by the traffic steering technology into the corresponding virtual security resource pool and passes through each security service node in the virtual resource pool in turn, each service node providing its security service to the user in sequence; this is the so-called security service chain. Common security service nodes include a firewall, an intrusion detection system, anti-virus protection and a web application firewall. By implementing on-demand security protection for different service flows according to the security policy, the service flows pass through different security service nodes in the security resource pool in order to complete the corresponding security processing, providing tenants with flexible, on-demand security protection services;
② Cloud platform traffic steering control network:
The traffic security protection mechanism takes traffic steering and management as its core. 'Traffic' refers to all network traffic generated by a service information system in the cloud computing environment, including north-south and east-west traffic. The cloud platform mainly has 3 traffic steering modes: first, basic network traffic steering, in which tenant service data flows are steered to the virtual resource pool through redirection by traditional network equipment or through flow-table policies configured by an SDN network controller; second, cloud platform traffic steering, in which service traffic is intercepted by a cloud platform network component or virtual switch for steering and control; and third, cloud security traffic steering, in which steering and control based on security labels and security rules are implemented by a security virtual machine or security steering agent.
The traffic steering mechanism comprises traffic monitoring and traffic filtering.
Furthermore, traffic monitoring does not change the original route of the traffic; all traffic is copied and handed to the security equipment for processing. Traffic filtering modifies the route so that the traffic is diverted into the security equipment and returned to its target after processing.
Furthermore, the security policy establishes a cryptographic mechanism within the security domain, formulates the tenant security steering policy, orchestrates the security services of the security resource pool, performs situation awareness and security management based on the traffic steering protection system, and is the 'security brain' of the traffic protection mechanism.
In summary, the traffic steering mechanism relies mainly on network traffic steering, cloud platform traffic steering, security virtual machine traffic steering and other forms to construct the cloud platform traffic steering control network, and applies traffic processing, comprising traffic monitoring and traffic filtering, to east-west and north-south traffic. The former does not change the original route of the traffic but copies all of it to the security equipment for processing; the latter modifies the route so that the traffic 'detours' through the security equipment and returns to its target after processing. The security policy control platform is the core of the traffic steering protection mechanism: it is responsible for formulating tenant security steering policies and orchestrating the security services of the security resource pool, it is responsible for situation awareness and security management based on the traffic steering protection system, and it is the security brain of the mechanism.
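The steering control network and service chain described above, reduced to a small policy controller. This is an added example, not code from the patent; the platform address range, the permitted port list, the detection markers and the tenant policy are constructed assumptions:

```python
"""Toy model of the 'domain security + stream protection' steering network.

Added example with constructed values: PLATFORM_NET, ALLOWED_PORTS, the
detection markers and POLICY are assumptions, not values from the patent.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: everything inside this range is the cloud platform itself.
# Traffic between two platform addresses is east-west; anything crossing
# the platform boundary is north-south.
PLATFORM_NET = ip_network("10.0.0.0/8")

# Constructed: ports a tenant's energy services are expected to use.
ALLOWED_PORTS = {443, 1883, 8883}


@dataclass
class Flow:
    tenant: str
    src: str
    dst: str
    dport: int
    payload: str = ""


def direction(flow: Flow) -> str:
    """Classify a flow as east-west or north-south relative to PLATFORM_NET."""
    inside = [ip_address(a) in PLATFORM_NET for a in (flow.src, flow.dst)]
    return "east-west" if all(inside) else "north-south"


# --- physical security resource pool -------------------------------------
# Each device is a function returning (verdict, note). A "drop" verdict only
# takes effect in filter mode; in monitor mode it merely raises an alert.
def firewall(flow: Flow):
    if flow.dport not in ALLOWED_PORTS:
        return "drop", f"port {flow.dport} not permitted"
    return "pass", ""


def ids(flow: Flow):
    # Constructed marker standing in for a real IDS rule set.
    if "constructed-ids-signature" in flow.payload:
        return "drop", "signature match"
    return "pass", ""


def waf(flow: Flow):
    if "<script>" in flow.payload.lower():
        return "drop", "script injection pattern"
    return "pass", ""


PHYSICAL_POOL = {"firewall": firewall, "ids": ids, "waf": waf}


def virtual_chain(names):
    """Tenant-level virtual pool: each named physical device becomes a
    virtual service node, kept in the order the policy specifies."""
    return [PHYSICAL_POOL[name] for name in names]


# --- security policy, the 'security brain' ---------------------------------
# Per tenant security domain and per direction: steering mode plus the
# ordered service chain. Constructed values.
POLICY = {
    "tenant-a": {
        "north-south": ("filter", ["firewall", "ids", "waf"]),
        "east-west": ("monitor", ["firewall", "ids"]),
    },
}


def steer(flow: Flow) -> dict:
    """Apply the tenant's steering policy to one flow.

    filter mode: the flow is bent through the chain; a drop verdict stops
    the chain and the flow never returns to its target.
    monitor mode: a copy is inspected and the original route is untouched,
    so the flow is always forwarded and devices only raise alerts.
    """
    d = direction(flow)
    mode, names = POLICY[flow.tenant][d]
    alerts, verdict = [], "forward"
    for node in virtual_chain(names):
        v, note = node(flow)
        if note:
            alerts.append(f"{node.__name__}: {note}")
        if v == "drop" and mode == "filter":
            verdict = "drop"
            break
    return {"direction": d, "mode": mode, "verdict": verdict, "alerts": alerts}


if __name__ == "__main__":
    for f in (Flow("tenant-a", "203.0.113.5", "10.1.2.3", 443, "<script>"),
              Flow("tenant-a", "10.1.1.1", "10.1.1.2", 23, "telnet"),
              Flow("tenant-a", "203.0.113.5", "10.1.2.3", 1883, "telemetry")):
        print(f.src, "->", f.dst, steer(f))
```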
In order to verify the effectiveness of the invention, a virtual platform experiment is set up. The host configuration is shown in table 1 below:
table 1: host configuration case
The cloud platform safety protection system monitors the running state of the cloud platform cluster, tracks the information of every monitored node in the cluster, checks the performance indicators of the monitored nodes comprehensively and manages the cluster. Its main task is to collect data from the monitored nodes, such as CPU utilization, memory utilization, cluster load, I/O read/write, disk utilization and network load. When an abnormal operating condition of the system is found, the node data is analysed to reach a corresponding decision; the system handles the anomaly, blocks it and restores the system in time, so that the cloud platform cluster keeps running normally and its safety and stability are improved.
When the system captures abnormal usage of the CPU, memory, processes and the like, it analyses the usage, checks the number and running condition of the processes and threads, and finds that a process occupies a large amount of CPU (or memory) and that strange, unstable application processes have appeared. The process is forcibly closed, the abnormal process is cleared from the process queue, the CPU resource is released and the anomaly is recovered; the results are shown in Fig. 6 and Fig. 7.
Fig. 6 shows the variation of the CPU utilization. Under normal conditions the CPU utilization of the system is stable at about 41 percent with little fluctuation; when the system has run for 20 s, an external dangerous program intrudes, the CPU utilization rises rapidly to above 60 percent and fluctuates strongly; the safety protection system quickly detects the abnormal program, analyses and processes it (20 s to 40 s) and eliminates the dangerous program (40 s); after 40 s the system gradually returns to the normal state, so the abnormal state is detected and eliminated in less than 20 s.
Fig. 7 shows the variation of the number of CPU processes. Under normal conditions the CPU processes of the system are all ordinary program processes and their number stays at a suitable level; when the system has run for 20 s, an external dangerous program intrudes, the number of CPU processes rises rapidly and several strange host programs appear; the safety protection system quickly detects the abnormal program, judges that it is unrelated to the normal working programs, analyses and processes it (20 s to 40 s) and eliminates the dangerous program (40 s); after 40 s the system gradually returns to the normal state, and the abnormal state is eliminated and cleared within 20 s.
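As an added illustration of the monitoring loop described above (this is not code from the patent), the following Python sketch learns a CPU baseline from the first samples, raises an alarm when the utilization exceeds the 60 percent ceiling or departs from the baseline while processes outside an allowlist of known program processes are present, and simulates the forced termination that gives the CPU share back. The trace, the process names, the allowlist and the thresholds are constructed assumptions that mirror the figures quoted for Fig. 6 and Fig. 7; they are not measurements from the patent.

```python
# Added example, not the patent's own code: threshold-based detection of the
# CPU spike and the burst of unfamiliar processes described for Fig. 6 and
# Fig. 7, followed by a simulated forced termination. The trace, the process
# names and the allowlist are constructed to mirror the numbers in the text
# (about 41 % baseline, above 60 % from 20 s, clean again after 40 s).
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass
class Sample:
    t: int                      # seconds since the cluster started (index == t below)
    cpu: float                  # total CPU utilisation in percent
    procs: Dict[str, float]     # process name -> CPU share in percent


KNOWN_PROCESSES = {"scheduler", "api-server", "db", "collector"}  # assumed allowlist
BASELINE_WINDOW = 10        # leading samples used to learn the normal band
CPU_LIMIT = 60.0            # absolute ceiling taken from the description of Fig. 6
SIGMA_FACTOR = 3.0          # deviation from the baseline mean that counts as a spike


def build_trace() -> List[Sample]:
    """Constructed trace: stable until 20 s, intruder active from 20 s to 40 s, clean after."""
    trace = []
    for t in range(0, 61):
        procs = {"scheduler": 8.0, "api-server": 20.0, "db": 10.0, "collector": 3.0}
        cpu = 41.0 + (1.0 if t % 2 else -1.0)           # 40 / 42 %, mean 41 %
        if 20 <= t < 40:
            procs["x9q.tmp"] = 25.0                      # constructed unfamiliar host programs
            procs["x9q.tmp-worker"] = 10.0
            cpu = 75.0 + (3.0 if t % 3 == 0 else -2.0)  # well above 60 %, noisy
        trace.append(Sample(t, cpu, procs))
    return trace


def detect(trace: List[Sample]) -> Tuple[Optional[int], List[str]]:
    """Return (time of first alarm, unfamiliar processes at that moment) or (None, [])."""
    base = [s.cpu for s in trace[:BASELINE_WINDOW]]
    mu, sigma = mean(base), pstdev(base)
    for s in trace[BASELINE_WINDOW:]:
        unknown = sorted(p for p in s.procs if p not in KNOWN_PROCESSES)
        spike = s.cpu > CPU_LIMIT or abs(s.cpu - mu) > SIGMA_FACTOR * sigma
        if spike and unknown:              # both signals together: Fig. 6 and Fig. 7 agree
            return s.t, unknown
    return None, []


def remediate(sample: Sample, offenders: List[str]) -> Sample:
    """Simulate forced termination: drop the offenders and give their CPU share back."""
    released = sum(sample.procs[p] for p in offenders)
    cleaned = {p: share for p, share in sample.procs.items() if p not in offenders}
    return Sample(sample.t, sample.cpu - released, cleaned)


def respond(trace: List[Sample]) -> Optional[Sample]:
    """Full loop: detect, then remediate the sample that raised the alarm."""
    t, offenders = detect(trace)
    if t is None:
        return None
    return remediate(trace[t], offenders)


if __name__ == "__main__":
    trace = build_trace()
    print(detect(trace))       # (20, ['x9q.tmp', 'x9q.tmp-worker'])
    print(respond(trace))      # the 20 s sample with the offenders removed
```

Requiring both signals (a CPU spike and a process outside the allowlist) before acting is what keeps a legitimate load peak from being "remediated"; a spike alone is only logged by the baseline comparison.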
Example 2
Referring to Fig. 4 and Fig. 8, a first embodiment of the energy internet cloud platform security protection system provided by the present invention is shown: the energy internet cloud platform safety protection system comprises a safety protection module of the system domain and a safety protection module of the application domain;
the system domain security protection module adopts a layered architecture and comprises a basic hardware and network layer security protection unit, a cloud virtualization layer security protection unit and a virtual resource layer security protection unit;
the security module of the system domain is the basis of the security module of the application domain.
It should be noted that: the system domain refers to an environment of a cloud service provider for supporting various cloud service basic cloud platforms; the application domain is a tenant service application environment which is built by relying on a cloud platform shared resource environment and security isolation measures.
The safety protection module of the application domain adopts a password mechanism to construct tenancies under strong isolation control.
Preferably, different tenants construct different security domains based on different passwords, and secure interaction of service applications within a domain and secure isolation of service applications between domains are realized through the password protection mechanism of the security domains.
Furthermore, firm lines of defence are constructed between the security domains with passwords, while inside each security domain management and control and application security protection are strengthened by a "flow protection" strategy.
Furthermore, for the different application security requirements within a security domain, a tenant-level security resource pool is constructed on the idea of a "service chain", and service traffic is led into that pool through the traffic guide mechanism of the cloud platform traffic guide control network, so that security protection of tenant applications and data is realized.
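The following Python example is added here and is not the patent's own code; it models the per-tenant security domains of this section together with the flow monitoring and flow filtering modes of claims 3 and 4. The "password mechanism" of the text is read as a per-tenant cryptographic key used to tag intra-domain traffic (an assumption); tenant names, keys, the security services in each chain and the packets are constructed for illustration.

```python
# Added example, not the patent's own code: tenant security domains keyed by
# their own secret, a per-tenant security service chain, and the two steering
# modes (monitoring: mirrored copy, route unchanged; filtering: traffic bent
# through the chain, then forwarded). The "password mechanism" is read as a
# per-tenant cryptographic key (assumption); names, keys, checks and packets
# are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    tag: bytes  # HMAC-SHA256 over src|dst|payload under the sender's domain key


Check = Tuple[str, Callable[[Packet], bool]]  # (security service name, allow-predicate)


class SecurityDomain:
    """One tenant's security domain: a domain key and an ordered service chain."""

    def __init__(self, tenant: str, key: bytes, chain: List[Check]):
        self.tenant = tenant
        self._key = key
        self.chain = chain          # tenant-level security resource pool arranged as a chain
        self.alerts: List[Tuple[str, str, str]] = []

    def _mac(self, src: str, dst: str, payload: bytes) -> bytes:
        msg = src.encode() + b"|" + dst.encode() + b"|" + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def seal(self, src: str, dst: str, payload: bytes) -> Packet:
        """An intra-domain sender tags its traffic with the domain key."""
        return Packet(src, dst, payload, self._mac(src, dst, payload))

    def verify(self, pkt: Packet) -> bool:
        """Traffic tagged under another domain's key fails here: inter-domain isolation."""
        return hmac.compare_digest(self._mac(pkt.src, pkt.dst, pkt.payload), pkt.tag)

    def run_chain(self, pkt: Packet) -> bool:
        """Pass the packet through every security service in order; stop at the first refusal."""
        for name, allow in self.chain:
            if not allow(pkt):
                self.alerts.append((name, pkt.src, pkt.dst))
                return False
        return True


def steer(domain: SecurityDomain, pkt: Packet, mode: str) -> str:
    """Traffic guide: decide how the tenant's traffic meets its security chain."""
    if not domain.verify(pkt):
        domain.alerts.append(("domain-key", pkt.src, pkt.dst))
        return "dropped"                      # never enters the domain
    verdict = domain.run_chain(pkt)
    if mode == "monitor":                     # copy goes to the chain, original route untouched
        return "delivered"
    if mode == "filter":                      # route bent through the chain, verdict decides
        return "delivered" if verdict else "dropped"
    raise ValueError(f"unknown steering mode {mode!r}")


def build_domains() -> Tuple[SecurityDomain, SecurityDomain]:
    """Two tenants with different keys and their own service chains (constructed)."""
    def size_limit(limit: int) -> Check:
        return ("size-limit", lambda p: len(p.payload) <= limit)

    def dst_prefix(prefix: str) -> Check:
        return ("dst-allowlist", lambda p: p.dst.startswith(prefix))

    tenant_a = SecurityDomain("tenant-a", b"constructed-key-a", [dst_prefix("a-"), size_limit(64)])
    tenant_b = SecurityDomain("tenant-b", b"constructed-key-b", [dst_prefix("b-"), size_limit(256)])
    return tenant_a, tenant_b


if __name__ == "__main__":
    a, b = build_domains()
    print(steer(a, a.seal("a-web", "a-db", b"select 1"), "filter"))   # delivered
    print(steer(a, b.seal("b-web", "a-db", b"select 1"), "filter"))   # dropped: other domain's key
    print(steer(a, a.seal("a-web", "a-db", b"x" * 100), "filter"))    # dropped by size-limit
    print(steer(a, a.seal("a-web", "a-db", b"x" * 100), "monitor"))   # delivered, alert recorded
    print(a.alerts)
```

In monitor mode the chain only sees a copy and records an alert, so the oversize packet is still delivered; in filter mode the chain's verdict decides delivery. The key check runs before either mode, which is the isolation the text attributes to the per-domain password: traffic sealed under tenant B's key is refused by tenant A's domain before any service in the chain runs.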
Fig. 8 is the work flow diagram of the energy internet cloud platform security protection system provided by the present invention:
(1) After the cloud platform is started, all service processes are initialized; the availability of resources such as CPU, memory, disk, cache and network is high, the cluster running load is low, the state metric value is low, and the cloud platform is in the stable state;
(2) As the cloud platform begins its work, new service processes are created continuously and resources such as CPU, memory, disk, cache and network are allocated to them; resource utilization rises gradually, resource availability falls gradually, the cluster running load grows, the state metric value increases, and the cloud platform enters the transition state;
(3) As the running time of the cloud platform increases, the service processes occupy more resources, and because of anomalies such as network attacks or program vulnerabilities, platform resources are held and cannot be released and reclaimed in time; the availability of CPU, memory, disk, cache and network falls further, the cluster running load and the state metric value keep increasing, and finally the cloud platform is in the abnormal state;
(4) Anomaly monitoring is carried out on the cloud platform, and the state metric value of the cluster is calculated from the network metric value and the host metric value. When the cloud platform is in the abnormal state, anomaly recovery is performed to bring it into the transition state or the stable state; when it is in the transition state, anomaly recovery brings it into the stable state. The states can convert into one another.
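The following Python example is added to make the four-step workflow concrete; it is not code from the patent. It models the three cluster states driven by a state metric combined from a host metric and a network metric, and the recovery step that moves the cluster back down. The patent gives no formula, so the weights, thresholds and resource figures are assumptions, and the process names and traffic figures are constructed.

```python
# Added example, not the patent's own code: the three-state cluster model of the
# workflow above (stable, transition, abnormal) driven by a state metric built
# from a host metric and a network metric, plus the anomaly-recovery step that
# moves the cluster back down. Weights, thresholds and resource figures are
# assumptions; process names and traffic figures are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NetMetrics:
    link_util: float      # 0..1 share of link capacity in use
    conn_rate: float      # 0..1 normalised new-connection rate
    error_rate: float     # 0..1 share of failed or rejected packets


@dataclass
class ServiceProcess:
    name: str
    cpu: float
    mem: float
    disk: float
    cache: float
    finished: bool = False   # exited but its resources were never reclaimed (step 3 leak)


W_HOST, W_NET = 0.6, 0.4                  # assumed weights of the two sub-metrics
STABLE_MAX, TRANSITION_MAX = 0.4, 0.75    # assumed state boundaries of the state metric


def classify(metric: float) -> str:
    if metric <= STABLE_MAX:
        return "stable"
    if metric <= TRANSITION_MAX:
        return "transition"
    return "abnormal"


class Cluster:
    def __init__(self, net: NetMetrics):
        self.procs: List[ServiceProcess] = []
        self.net = net

    def spawn(self, p: ServiceProcess) -> None:
        self.procs.append(p)

    def host_metric(self) -> float:
        """Mean utilisation over CPU, memory, disk and cache, each capped at 100 %."""
        resources = ("cpu", "mem", "disk", "cache")
        totals = [min(1.0, sum(getattr(p, r) for p in self.procs)) for r in resources]
        return sum(totals) / len(totals)

    def net_metric(self) -> float:
        return (self.net.link_util + self.net.conn_rate + self.net.error_rate) / 3

    def state_metric(self) -> float:
        return W_HOST * self.host_metric() + W_NET * self.net_metric()

    def state(self) -> str:
        return classify(self.state_metric())

    def recover(self) -> Tuple[str, str]:
        """Step (4): reclaim resources of finished processes; return (state before, state after)."""
        before = self.state()
        self.procs = [p for p in self.procs if not p.finished]
        return before, self.state()


def scenario() -> List[Tuple[str, str]]:
    """Walk the cluster through steps (1) to (4) and record the state at each point."""
    quiet, attack = NetMetrics(0.1, 0.1, 0.0), NetMetrics(0.9, 0.9, 0.6)
    c = Cluster(quiet)
    log = [("after start-up", c.state())]                                   # step 1
    for p in (ServiceProcess("api", 0.3, 0.3, 0.2, 0.2),
              ServiceProcess("db", 0.3, 0.2, 0.2, 0.2),
              ServiceProcess("batch", 0.2, 0.2, 0.1, 0.1)):
        c.spawn(p)
    log.append(("services running", c.state()))                             # step 2
    c.spawn(ServiceProcess("zombie-1", 0.2, 0.3, 0.3, 0.3, finished=True))   # leaked resources
    c.spawn(ServiceProcess("zombie-2", 0.2, 0.2, 0.2, 0.2, finished=True))
    c.net = attack                                                           # attack traffic
    log.append(("leak plus attack traffic", c.state()))                     # step 3
    c.recover()                                                              # step 4, first pass
    log.append(("after reclaiming leaked resources", c.state()))
    c.net = quiet                                                            # traffic blocked
    next(p for p in c.procs if p.name == "batch").finished = True
    c.recover()                                                              # step 4, second pass
    log.append(("after traffic blocked and batch reclaimed", c.state()))
    return log


if __name__ == "__main__":
    for label, state in scenario():
        print(f"{label:45s} {state}")
```

The scenario passes through stable, transition, abnormal, transition and back to stable, which is the mutual conversion of states the workflow describes: the first recovery pass only reclaims leaked host resources, so the cluster drops to the transition state while attack traffic still loads the network metric, and it reaches the stable state only once the traffic is blocked as well.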
On the basis of selectively absorbing and borrowing existing research results on how to construct a safe and credible security protection application environment for the energy internet cloud platform, the invention provides a security protection mechanism framework and method that combine domain security with flow protection, based on a domain-partitioned protection security strategy and the idea of a security service chain, and it optimizes and improves the existing cloud computing security protection scheme in terms of security and flexibility. The application results show that the invention has good application value and prospects for popularization.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein. A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
As used in this application, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.

Claims (10)

1. An energy internet cloud platform safety protection method, characterized by comprising the following steps:
constructing a tenant-level virtual security resource pool;
establishing a flow guide mechanism, constructing a cloud platform flow guide control network, and performing flow processing on the east-west flow and the north-south flow according to a set rule;
the safety protection module of the system domain and the safety protection module of the application domain are controlled by utilizing a safety strategy;
and safety protection of the energy Internet cloud platform is realized.
2. The energy internet cloud platform security protection method according to claim 1, wherein: the virtual security resource pool combines all security service nodes required by the tenant into a chain structure, performs security service arrangement through the security policy, and performs protection processing on tenant flow according to the corresponding security policy.
3. The energy internet cloud platform security protection method according to claim 1, wherein: the traffic steering mechanism includes flow monitoring and flow filtering.
4. The energy internet cloud platform security protection method of claim 3, wherein: flow monitoring does not change the original route of the flow and copies all of the flow to a safety device for processing; flow filtering requires modification of the flow route: the flow is diverted into the safety device and returned to its target after processing.
5. The energy internet cloud platform security protection method according to claim 1 or 2, wherein: the security strategy establishes a password mechanism in a security domain, establishes a tenant security diversion strategy, arranges the security services of the security resource pool, and performs situation awareness and security management based on a flow guide protection system.
6. An energy internet cloud platform safety protection system, characterized in that: the system comprises a security protection module of a system domain and a security protection module of an application domain;
the system domain security protection module adopts a layered architecture and comprises a basic hardware and network layer security protection unit, a cloud virtualization layer security protection unit and a virtual resource layer security protection unit;
the security module of the system domain is the basis of the security module of the application domain.
7. The energy internet cloud platform security protection system of claim 6, wherein: the safety protection module of the application domain adopts a password mechanism to construct tenancies under strong isolation control.
8. The energy internet cloud platform security protection system of claim 7, wherein: different tenants construct different security domains based on different passwords, and intra-domain service application security interaction and inter-domain service application security isolation are realized through the password protection mechanism of the security domains.
9. The energy internet cloud platform security protection system of claim 8, wherein: a firm line of defence is constructed between the security domains with passwords, and management and control and application security protection are strengthened inside them.
10. The energy internet cloud platform security protection system of claim 8 or 9, wherein: for the different application security requirements in the security domain, a tenant-level security resource pool is constructed, and service traffic is imported into the tenant-level security resource pool through a traffic guide mechanism in a cloud platform traffic guide control network.
CN202010238293.2A 2020-03-30 2020-03-30 Energy internet cloud platform safety protection method and system Withdrawn CN111431914A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010238293.2A CN111431914A (en) 2020-03-30 2020-03-30 Energy internet cloud platform safety protection method and system

Publications (1)

Publication Number Publication Date
CN111431914A true CN111431914A (en) 2020-07-17

Family

ID=71549938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010238293.2A Withdrawn CN111431914A (en) 2020-03-30 2020-03-30 Energy internet cloud platform safety protection method and system

Country Status (1)

Country Link
CN (1) CN111431914A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112039854A (en) * 2020-08-13 2020-12-04 深圳市信锐网科技术有限公司 Data transmission method, device and storage medium
CN113742735A (en) * 2021-09-18 2021-12-03 合肥力拓云计算科技有限公司 Big data-based energy balance analysis platform safety system and use method thereof
CN115996136A (en) * 2022-09-29 2023-04-21 华数云科技有限公司 SDN-based cloud security capability implementation method in multi-tenant scene

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160057075A1 (en) * 2014-08-20 2016-02-25 At&T Intellectual Property I, L.P. Load Adaptation Architecture Framework for Orchestrating and Managing Services in a Cloud Computing System
CN106790091A (en) * 2016-12-23 2017-05-31 深圳市深信服电子科技有限公司 A kind of cloud security guard system and flow cleaning method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
廖飞、陈捷等: "《云计算安全架构及防护机制研究》", 《通信技术》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200717