CN111459609A - Virtual machine safety protection method and device and electronic equipment - Google Patents


Info

Publication number
CN111459609A
Authority
CN
China
Prior art keywords
virus
killing
virtual machine
file
killed
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010162748.7A
Other languages
Chinese (zh)
Other versions
CN111459609B (en)
Inventor
胡伟平
李常坤
张聪
汤迪斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd
Priority to CN202010162748.7A
Publication of CN111459609A
Application granted
Publication of CN111459609B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a virtual machine security protection method, a virtual machine security protection device and electronic equipment, belonging to the technical field of information security. The method comprises the following steps: transmitting the file to be scanned to the host machine through a data transmission channel between the virtual machine and the host machine; and receiving, through the same data transmission channel, the virus detection and/or virus removal result returned by the host machine. Compared with the prior art, the virtual machine security protection method of the embodiment not only eliminates the storage overhead of keeping a virus signature library on the virtual machine and the network overhead of continuously updating that library, but also eliminates the memory overhead of loading the signature data into memory for scanning and the CPU overhead of the scan itself, and it effectively prevents the 0-day exposure that arises when the virus signature library cannot be updated in real time because the virtual machine is frequently shut down.

Description

Virtual machine safety protection method and device and electronic equipment
Technical Field
The invention relates to the technical field of information security, in particular to a virtual machine security protection method and device and electronic equipment.
Background
In recent years, cloud computing has received sustained attention from both academia and industry. As cloud computing applications grow more complex, their security requirements also rise. A traditional IT system is closed: it lives inside the enterprise and exposes only a few interfaces such as a web server and a mail server to the outside, so most security problems can be handled by placing a firewall, access control and similar measures at the network egress. In a cloud environment, however, the cloud is exposed to the public network, any node and its network may be attacked, and many security risks exist.
Security software running on a host consumes the host's CPU, memory and disk resources, and the periodic updating of its engine and virus library consumes network resources. In recent years malicious programs have increased dramatically, anti-virus products and virus signature library files have become ever larger, and although security vendors keep introducing new techniques to reduce the impact of security agents on hosts, the problem has still not been solved effectively.
Server virtualization abstracts a server's physical resources into logical resources, so that one server becomes several or even hundreds of mutually isolated virtual servers that are no longer bound by physical limits; hardware such as the CPU, memory, disk and I/O becomes a dynamically managed resource pool, which raises resource utilization, simplifies system management, enables server consolidation, and makes IT more adaptable to business change, more efficient and more agile. With security software in the conventional virtualization model, however, if the machine is frequently powered off or taken offline the security product cannot be updated in time, and when the machine is powered on or comes back online the system is very easily infected and damaged. 0-day attacks are becoming more common, and if real-time updating of the anti-virus product and virus database cannot be guaranteed, the protection effect is greatly reduced. At the same time, when the virtual machine tool has a vulnerability, an infected and damaged virtual machine may infect the physical machine and then every virtual machine on it, with catastrophic consequences.
Patent CN 106685999a provides a virtual machine security protection method that intercepts the data stream of a target virtual machine to obtain intercepted data; sends the intercepted data to a security device; selects, from the several security agents contained in the security device, the security agent corresponding to the target virtual machine as the target security agent; uses the target security agent to perform virus detection on the intercepted data so as to determine whether it is safe; and, if the intercepted data is safe, lets the security device perform the subsequent data routing for it. In the virtual machine security protection method of patent CN 105320884 a, the virtual machine intercepts a file read/write event or a network event and places the data that the event points to into a memory space; the host reads that data from the memory space; and the host inspects the data and obtains a detection result.
The existing virtual machine security protection methods therefore either require dedicated security devices or require a dedicated memory space to be opened on the host for each virtual machine; both are complex to operate and consume considerable resources, so a virtual machine security protection method that is simple and easy to implement is needed.
Disclosure of Invention
In view of this, embodiments of the present invention provide a virtual machine security protection method, a virtual machine security protection apparatus, and an electronic device, which at least partially solve the problems in the prior art.
In a first aspect, a method for protecting a virtual machine according to an embodiment of the present invention includes:
transmitting a file to be scanned to a host machine through a data transmission channel that is pre-constructed between the virtual machine and the host machine, wherein the host machine performs virus detection and/or virus removal on the file after receiving it;
and receiving, through the data transmission channel, the virus detection and/or virus removal result returned by the host machine.
According to a specific implementation of the embodiment of the invention, the virtual machine runs the security protection software in non-agent mode, and the host machine runs the security protection software in agent mode.
According to a specific implementation of the embodiment of the invention, the security protection software in agent mode comprises a main program, a scan engine and virus signature library data, while the security protection software in non-agent mode comprises only the main program. The main program obtains the file to be scanned, passes it to the scan engine, receives the scan result and displays the scan result for that file; the scan engine loads the virus signature library data, performs virus detection or virus removal on the file passed in by the main program, and returns the result to the main program; the virus signature library data comprises the virus signature data used for virus detection or virus removal.
According to a specific implementation of the embodiment of the invention, the main program is further configured, before passing the file to the scan engine and receiving the result, to determine the mode of the security protection software it belongs to, and based on that mode to decide whether to use the local scan engine for virus detection or virus removal, or to transmit the file to the host machine through the data transmission channel and use the scan engine on the host machine for virus detection or virus removal.
According to a specific implementation of the embodiment of the invention, the scan engine is further configured to determine the mode of the security protection software and, based on that mode, to decide whether to return the virus detection or virus removal result to the host machine's main program or to return it to the virtual machine's main program through the data transmission channel.
In a second aspect, an embodiment of the present invention provides a virtual machine security protection apparatus, including:
a data transmission unit, which transmits the file to be scanned to the host machine through a data transmission channel pre-constructed between the virtual machine and the host machine, wherein the host machine performs virus detection and/or virus removal on the file after receiving it;
a data receiving unit, which receives, through the data transmission channel, the virus detection and/or virus removal result returned by the host machine.
According to a specific implementation manner of the embodiment of the invention, the data transmission channel is an RPC channel.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a virtual machine security method according to any one of the first aspect or any implementation manner of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute a virtual machine security protection method in the foregoing first aspect or any implementation manner of the first aspect.
In a fifth aspect, the present invention further provides a computer program product, where the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions, when executed by a computer, cause the computer to execute a virtual machine security protection method in the foregoing first aspect or any implementation manner of the first aspect.
Advantageous effects
Compared with the prior art, the virtual machine security protection method of the embodiment of the invention deploys non-agent security protection software on the virtual machine and agent-mode security protection software on the host machine; a file on the virtual machine that needs scanning is transmitted to the host machine, which scans it and returns the result. This removes the problem of the security protection software occupying (virtual) machine resources and network bandwidth, and the resources and bandwidth saved are especially noticeable when the number of virtual machines is large. In addition, because the virtual machine carries only the non-agent security protection software, the redundant virus signature library is stripped from it, which saves the virtual machine storage consumed by periodic updates, reduces the network overhead of upgrading the virus signature library, and saves the memory that local scanning would consume by loading the signature library into memory.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a virtual machine security protection method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of interaction between the virtual machine and the host security protection software provided in the embodiment of the present invention;
fig. 3 is a schematic structural diagram of a virtual machine safety protection apparatus according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below with specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure in the specification. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. The disclosure may be embodied or carried out in various other specific embodiments, and various modifications and changes may be made in the details within the description without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present disclosure, and the drawings only show the components related to the present disclosure rather than the number, shape and size of the components in actual implementation, and the type, amount and ratio of the components in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
The embodiment of the disclosure provides a virtual machine safety protection method. The virtual machine security protection method provided by this embodiment may be executed by a computing apparatus or device, where the computing apparatus or device may be implemented as software, or implemented as a combination of software and hardware, and the computing apparatus or device may be integrally disposed in a server, a terminal device, or the like.
Before the present solution is detailed, some basic concepts are explained.
A host computer: the case together with everything inside it, namely the mainboard, CPU, memory, hard disk, graphics card and so on.
Host machine: the computer on which the virtual machine software is installed, i.e. the physical machine that was actually purchased.
Virtual machine: a complete set of hardware built by the virtual machine tool, together with the operating system and application software running on that hardware.
Host operating system: the operating system installed on the physical machine; for example, a Win2K operating system installed on a physical machine, with the VMware virtual machine application software installed on it.
Guest operating system: the operating system running inside a virtual machine, such as Red Hat Linux.
Referring to fig. 1, an embodiment of the present invention provides a virtual machine security protection method, including:
S101, transmitting a file to be scanned to a host machine through a data transmission channel pre-constructed between a virtual machine and the host machine, wherein the host machine performs virus detection and/or virus removal on the file after receiving it;
and S102, receiving, through the data transmission channel, the virus detection and/or virus removal result returned by the host machine.
As a specific example, the data transmission channel may be any channel supported or provided by the operating system or the virtual machine tool, such as RPC, shared memory or pipes.
As a specific example, the virtual machine has security protection software installed that provides a UI for interactive functions such as virus detection and/or virus removal. When it receives a scan instruction, or scans certain files automatically according to the system settings, the virtual machine transmits the file to be scanned to the host's security protection software through the data transmission channel for virus detection and/or virus removal, receives the detection and/or removal result that the host returns over the same channel, and displays the result in the UI or processes it in some other way, such as writing it to a predefined file. The security protection software on the virtual machine differs from that on the host machine, but each can fulfil its own role, and the host machine only needs to expose a calling interface for remote virus scanning. As long as the host machine provides a virus scanning interface over a suitable data transmission channel, any software vendor or individual can implement virtual-machine-side security protection software in this way, so that the actual virus detection and/or virus removal is carried out on the host machine.
As a specific example, from the user's point of view, running different security protection software on the host and on the virtual machine means learning to use different software products, and for a security software vendor producing and maintaining separate product lines brings considerable overhead. An existing security protection product can therefore be adapted to the dual use scenario of virtual machine and host, giving the user the good experience of a consistent software product.
The security protection software used by existing hosts is software with a terminal security guarantee function, providing file security-level identification, real-time virus scanning, removal and repair, and so on. Logically it comprises a main program, a scan engine and virus signature library data. The main program interacts with the user to obtain the file to be scanned, passes it to the scan engine, receives the scan result and displays the scan result for that file; it comprises the foreground display interface that interacts with the user (user login, virus scanning, level identification, scan result display and so on) together with background functions such as file enumeration, engine scheduling and foreground/background interaction. The scan engine loads the virus signature library data, performs virus detection or virus removal on the file passed in by the main program, and returns the result to the main program; that is, the scan engine is an interface called by the upper-layer program, and these interfaces provide signature data loading, file level identification, real-time virus scanning and removal, and so on. The virus signature library data comprises the virus signature data used for virus detection or virus removal. This is only a logical division, and different security software vendors define it differently.
The aim of the method is to reduce the product maintenance cost for the security software vendor and to give the user a consistent experience when using security protection software from the same vendor. The security protection software is therefore restructured along the logical function division above into a version with agent mode and a version without agent mode. Fig. 2 shows the virtual machine's non-agent-mode security protection software, the host machine's agent-mode security protection software, and the interaction architecture between them: the layers containing AVE, QEX, QVM, the cloud engine and cloud QVM are the anti-virus engines, each of which can load its own virus signature library data and compare virus signatures during scanning, and the transfer of files and identification information relies on the channel provided by the virtual machine tool (for example VMware vSphere) through the upper-layer RPC. The virus scanning interface exposed by the scan engine is modified: a mode discrimination parameter is added to the main program's engine call unit and to the scan engine's virus scanning interface, so that the security protection software can determine its mode and, based on the result, decide whether to use the local scan engine for virus detection, virus removal or file repair, or to use the scan engine of the host machine's agent-mode security protection software through a data transmission channel such as RPC.
Corresponding to this restructuring, the security protection software can also be modified in another way: the engine call unit of the main program performs the mode discrimination and carries out virus detection or virus removal either through the existing virus scanning interface of the local scan engine or through the host machine's scan engine via RPC (remote procedure call); a non-agent-mode virus scanning interface is added to the scan engine, which receives the file, scans it with the existing scanning method, and returns the result to the caller of the interface through the RPC channel.
As a specific example, the virus scanning process on the virtual machine is as follows:
1. the main program obtains a file to be scanned;
2. the main program reads the preset security protection software mode and checks whether it is non-agent mode; if so, it proceeds to step 3;
3. the main program calls the host machine's scan engine through RPC to scan for viruses, passing the file to be scanned and the software mode parameter;
4. the host machine's scan engine loads its local virus signature library data and performs virus detection and/or virus removal on the file passed in;
5. the host machine's scan engine checks whether the software mode parameter passed in is non-agent mode, and if so returns the virus detection and/or virus removal result to the virtual machine's main program through the RPC channel.
As a specific example, the virus scanning process on the host machine is as follows:
1. the main program obtains a file to be scanned;
2. the main program reads the preset security protection software mode and checks whether it is non-agent mode; if not, it proceeds to step 3;
3. the main program calls the local scan engine to scan for viruses, passing the file to be scanned and the software mode parameter;
4. the host machine's scan engine loads its local virus signature library data and performs virus detection and/or virus removal on the file passed in;
5. the host machine's scan engine checks whether the software mode parameter passed in is non-agent mode, and if not (i.e. it is agent mode) returns the virus detection and/or virus removal result to the host machine's main program.
As these processes show, the main program is the same whether the mode is non-agent or agent, which reduces the product maintenance cost for the security software vendor and gives the user a consistent experience when using security protection software from the same vendor.
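The two processes above, as an added example that is not part of the patent or of any vendor's product: a single main program whose behaviour depends only on a mode parameter, a scan engine that routes its result by the same parameter (steps 2, 3 and 5), and an in-process stand-in for the hypervisor RPC channel. Everything here is constructed: the mode names, the JSON message format, the hash-based "signature library" (digests of constructed sample bytes, not real malware signatures), and the size cap the host engine applies because the bytes it parses come from a guest it does not trust.

```python
import hashlib
import json

# Security-software modes named in the description: the host runs the package in
# agent mode (main program + scan engine + virus signature data); the guest runs
# it in non-agent mode (main program only). Constant names are our own.
MODE_AGENT = "agent"
MODE_NON_AGENT = "non_agent"

# Constructed stand-in for the virus signature library: SHA-256 digests of the
# constructed sample payloads used below, not signatures of any real malware.
SAMPLE_INFECTED = b"CONSTRUCTED-SAMPLE-PAYLOAD-A"
SAMPLE_CLEAN = b"hello, this is an ordinary document"
SIGNATURE_DB = {hashlib.sha256(SAMPLE_INFECTED).hexdigest(): "Sample.A"}

# Hypothetical cap: the host engine parses bytes supplied by a guest it does not
# trust, so it bounds the input before doing any work on it.
MAX_FILE_BYTES = 1 << 20


class ScanEngine:
    """Scan engine. On the host it serves both local and guest (RPC) callers."""

    def __init__(self, signatures):
        self.signatures = dict(signatures)  # "load virus signature library data"

    def scan(self, filename, data, caller_mode):
        """Steps 4 and 5: detect (and 'remove') a virus, then route the result.

        Returns (result, destination); destination is "guest_rpc" when the
        mode parameter passed by the caller is non-agent, otherwise "local".
        """
        if len(data) > MAX_FILE_BYTES:
            result = {"file": filename, "status": "rejected", "reason": "too large"}
        else:
            name = self.signatures.get(hashlib.sha256(data).hexdigest())
            if name is None:
                result = {"file": filename, "status": "clean"}
            else:
                # "Removal" is recorded as a flag here; a real engine would
                # quarantine or repair the file on the caller's side.
                result = {"file": filename, "status": "infected",
                          "virus": name, "removed": True}
        destination = "guest_rpc" if caller_mode == MODE_NON_AGENT else "local"
        return result, destination


class RpcChannel:
    """Stand-in for the hypervisor-provided RPC channel (JSON request/reply)."""

    def __init__(self, host_engine):
        self.host_engine = host_engine
        self.log = []  # trace of what crossed the guest/host boundary

    def call(self, request_json):
        request = json.loads(request_json)
        self.log.append(("guest->host", request["file"], request["mode"]))
        data = bytes.fromhex(request["data_hex"])
        result, destination = self.host_engine.scan(
            request["file"], data, request["mode"])
        if destination != "guest_rpc":
            raise RuntimeError("engine routed an RPC result to the local UI")
        self.log.append(("host->guest", result["status"]))
        return json.dumps(result)


class MainProgram:
    """Identical main program on guest and host; only the mode differs."""

    def __init__(self, mode, local_engine=None, channel=None):
        self.mode = mode
        self.local_engine = local_engine  # present only in agent mode
        self.channel = channel            # present only in non-agent mode

    def scan_file(self, filename, data):
        # Step 2: read the preset mode; step 3: dispatch local or remote.
        if self.mode == MODE_NON_AGENT:
            request = json.dumps(
                {"file": filename, "data_hex": data.hex(), "mode": self.mode})
            return json.loads(self.channel.call(request))
        result, destination = self.local_engine.scan(filename, data, self.mode)
        assert destination == "local"
        return result


def run_demo():
    """Run the guest and host flows over constructed inputs; returns all results."""
    host_engine = ScanEngine(SIGNATURE_DB)
    host = MainProgram(MODE_AGENT, local_engine=host_engine)
    guest = MainProgram(MODE_NON_AGENT, channel=RpcChannel(host_engine))
    return {
        "guest_infected": guest.scan_file("guest/a.bin", SAMPLE_INFECTED),
        "guest_clean": guest.scan_file("guest/b.txt", SAMPLE_CLEAN),
        "host_infected": host.scan_file("host/a.bin", SAMPLE_INFECTED),
        "guest_oversize": guest.scan_file("guest/big.bin",
                                          b"\x00" * (MAX_FILE_BYTES + 1)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The point the example makes about the design is that the mode parameter travels with every request, so the engine never has to know which process called it: the same `ScanEngine.scan` serves the host's own UI and guest requests arriving over RPC, and a misrouted reply is caught at the channel rather than silently shown to the wrong user. The size check stands in for the broader caveat that the host engine is now an attack surface reachable from every guest, so anything it parses from the channel should be bounded and validated before the signature comparison runs.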
Corresponding to the above method embodiment, referring to fig. 3, an embodiment of the present invention provides a virtual machine security apparatus 400, including:
the data transmission unit 401 is configured to transmit a file to be checked and killed to a host machine through a data transmission channel between the virtual machine and the host machine by the virtual machine;
the data receiving unit 402 is configured to receive a virus detection or virus killing result, where the result is transmitted through the data transmission channel, and the result is obtained by the host performing virus detection or virus killing on the file to be killed.
As a specific example, the data transmission channel is an RPC channel.
As a specific example, the virtual machine is installed with security protection software in the non-agent mode, and the host is installed with security protection software in the agent mode.
As a specific example, the safety protection software with the agent mode comprises a main program, a searching and killing engine and virus library characteristic data, and the safety protection software without the agent mode comprises only the main program, wherein the main program is used for interacting with a user to obtain the file to be searched and killed, transmitting the file to be searched and killed to the searching and killing engine for searching and killing, receiving a searching and killing result, and displaying the searching and killing result of the file to be searched and killed; the searching and killing engine is used for loading virus library characteristic data, carrying out virus detection or virus searching and killing on the file to be searched and killed transmitted by the main program and then feeding back a result to the main program; the virus library characteristic data comprises virus characteristic data used for virus detection or virus killing.
As a specific example, the engine call unit of the main program implements mode discrimination of the security protection software and, based on the result, determines whether to use the local antivirus engine for virus detection or virus killing or to use the antivirus engine of the host machine through RPC.
As a specific example, the virus searching and killing interface of the searching and killing engine implements virus searching and killing; according to the mode discrimination result of the security protection software it determines whether the file being searched and killed is a local file or a file transmitted by the virtual machine through the RPC channel, and it feeds the searching and killing result back to the corresponding interface call source according to that result.
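The five-step host-side process above and the main program / searching and killing engine division described for the apparatus (the engine call unit choosing between the local engine and RPC to the host, the engine's interface routing its result back to the correct call source) can be shown end to end in a small simulation. The Python below is an added example, not code from the patent or from the applicant's products: the RpcChannel class, the JSON message layout, the `max_bytes` bound and the contents of VIRUS_LIBRARY are assumptions constructed for the example.

```python
import base64
import hashlib
import json
from enum import Enum


class Mode(Enum):
    AGENT = "agent"          # full software: main program + engine + signature data (host)
    NON_AGENT = "non_agent"  # main program only (virtual machine)


# Constructed "virus library characteristic data" for this example only:
# a SHA-256 of a made-up sample and a made-up byte pattern. Not real signatures.
_SAMPLE_BAD_BYTES = b"CONSTRUCTED-MALWARE-MARKER-0001"
VIRUS_LIBRARY = {
    "hashes": {hashlib.sha256(_SAMPLE_BAD_BYTES).hexdigest(): "Example.Hash.Sample"},
    "patterns": [(b"CONSTRUCTED-MALWARE-MARKER", "Example.Pattern.Sample")],
}


class RpcChannel:
    """In-process stand-in (assumption) for the pre-built VM<->host data
    transmission channel. Messages are JSON-encoded bytes so both directions
    are explicit; `log` records every message for inspection."""

    def __init__(self):
        self._handler = None
        self.log = []

    def serve(self, handler):
        self._handler = handler          # host side registers its request handler

    def call(self, request):
        if self._handler is None:
            raise RuntimeError("host side is not serving the channel")
        raw = json.dumps(request).encode()
        self.log.append(("vm->host", raw))
        reply = self._handler(json.loads(raw.decode()))
        raw_reply = json.dumps(reply).encode()
        self.log.append(("host->vm", raw_reply))
        return json.loads(raw_reply.decode())


class KillingEngine:
    """Host-side searching and killing engine (steps 4 and 5 of the process)."""

    def __init__(self, library):
        self.library = library           # step 4: signature data is loaded once, on the host

    def detect(self, content):
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.library["hashes"]:
            return self.library["hashes"][digest]
        for pattern, name in self.library["patterns"]:
            if pattern in content:
                return name
        return None

    def scan(self, filename, content, mode_param):
        name = self.detect(content)
        # step 5: the mode parameter identifies the call source, so the result is
        # routed either to the host main program or back over the RPC channel.
        via = "host_main_program" if mode_param == Mode.AGENT.value else "rpc_channel"
        return {"file": filename, "infected": name is not None,
                "signature": name, "answered_via": via}


class MainProgram:
    """Steps 1-3: obtain the file, read the configured mode, dispatch the scan.
    The same class serves both sides; only the mode differs."""

    def __init__(self, mode, engine=None, channel=None):
        if mode is Mode.AGENT and engine is None:
            raise ValueError("agent mode needs a local engine")
        if mode is Mode.NON_AGENT and channel is None:
            raise ValueError("non-agent mode needs the data transmission channel")
        self.mode, self.engine, self.channel = mode, engine, channel

    def scan_file(self, filename, content):
        if self.mode is Mode.AGENT:
            return self.engine.scan(filename, content, self.mode.value)
        # non-agent mode: ship the file to the host; no engine or signatures here
        req = {"op": "scan", "file": filename,
               "content_b64": base64.b64encode(content).decode()}
        return self.channel.call(req)

    def serve_rpc(self, max_bytes=64 * 1024 * 1024):
        """Host side: expose the local engine to non-agent VMs over the channel.
        Files arriving here are untrusted guest input, so requests are bounded."""
        def handler(req):
            if req.get("op") != "scan":
                return {"error": "unsupported operation"}
            content = base64.b64decode(req.get("content_b64", ""))
            if len(content) > max_bytes:
                return {"error": "file too large", "file": req.get("file")}
            return self.engine.scan(req.get("file", "?"), content, Mode.NON_AGENT.value)
        self.channel.serve(handler)


def demo():
    """Wire one host (agent mode) and one VM (non-agent mode) over a shared channel."""
    channel = RpcChannel()
    host = MainProgram(Mode.AGENT, engine=KillingEngine(VIRUS_LIBRARY), channel=channel)
    host.serve_rpc()
    vm = MainProgram(Mode.NON_AGENT, channel=channel)
    results = {
        "vm_bad": vm.scan_file("vm-sample.bin", _SAMPLE_BAD_BYTES),
        "vm_clean": vm.scan_file("vm-readme.txt", b"just text"),
        "host_pattern": host.scan_file("host-dropper.bin", b"xx CONSTRUCTED-MALWARE-MARKER-9 xx"),
    }
    return vm, host, channel, results


if __name__ == "__main__":
    _, _, chan, res = demo()
    for key, value in res.items():
        print(key, value)
    print("messages over channel:", len(chan.log))
```

The non-agent `MainProgram` object never holds an engine or signature data (`vm.engine` is `None`), which is exactly the storage, memory and update overhead the description says is removed from the guest. The host's RPC handler sits on a trust boundary, since files from every guest arrive in one host-side process, so it rejects unknown operations and bounds the request size before the engine touches the content; a deployment would additionally tie each channel endpoint to a specific guest so that results cannot be returned to the wrong call source.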
It is clear to those skilled in the art that the above unit division is only one specific example of logical division and is not limiting: the logic of different units may be integrated into one unit, or the logic of one unit may be further split and completed by several units; any program that can implement the above logic falls within the protection scope of the present invention.
The scheme of the application provides lightweight security protection software for the virtual machine. It eliminates the storage overhead of keeping a virus feature library on the virtual machine and the network overhead of continuously updating that library, as well as the memory overhead of loading virus library characteristic data into memory for virus searching and killing and the CPU overhead during searching and killing. It can also effectively prevent the 0-day risk that arises when a virtual machine is frequently shut down and its virus feature library cannot be updated in real time. When the number of virtual machines on a host machine is large, the reduction in system overhead is particularly considerable and system performance can be greatly improved.
Referring to fig. 4, an embodiment of the present invention further provides an electronic device 60, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the virtual machine security method of the above method embodiments.
The embodiment of the present invention further provides a non-transitory computer-readable storage medium, which stores computer instructions for causing the computer to execute the virtual machine security protection method in the foregoing method embodiment.
Embodiments of the present invention also provide a computer program product, which includes a computer program stored on a non-transitory computer readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the virtual machine security protection method in the foregoing method embodiments.
The apparatus shown in fig. 3 may execute the embodiments shown in fig. 1-2 and the virtual machine security protection method described above; for parts not described in detail in this embodiment, reference may be made to the related descriptions of those embodiments and of that method.
Referring now to FIG. 4, a block diagram of an electronic device 60 suitable for use in implementing embodiments of the present disclosure is shown. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., car navigation terminals), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, the electronic device 60 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 60 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
In general, the electronic device 60 may further include input devices 606 such as a touch screen, touch pad, keyboard, mouse, image sensor, microphone, accelerometer or gyroscope; output devices 607 such as a liquid crystal display (LCD), speaker or vibrator; storage devices 608 such as magnetic tape or a hard disk; and communication devices 609.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring at least two internet protocol addresses; sending a node evaluation request comprising the at least two internet protocol addresses to node evaluation equipment, wherein the node evaluation equipment selects the internet protocol addresses from the at least two internet protocol addresses and returns the internet protocol addresses; receiving an internet protocol address returned by the node evaluation equipment; wherein the obtained internet protocol address indicates an edge node in the content distribution network.
Alternatively, the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receiving a node evaluation request comprising at least two internet protocol addresses; selecting an internet protocol address from the at least two internet protocol addresses; returning the selected internet protocol address; wherein the received internet protocol address indicates an edge node in the content distribution network.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A virtual machine security protection method is characterized by comprising the following steps:
transmitting a file to be checked and killed to a host machine through a data transmission channel which is pre-constructed between the virtual machine and the host machine, wherein the host machine is used for carrying out virus detection and/or virus checking and killing on the file to be checked and killed after receiving the file to be checked and killed;
and receiving the virus detection and/or virus killing result transmitted back by the host machine through the data transmission channel.
2. The method according to claim 1, wherein the virtual machine is installed with security protection software in a non-agent mode, and the host machine is installed with security protection software in an agent mode.
3. The method of claim 2, wherein the agent-mode security protection software comprises a main program, a searching and killing engine and virus library characteristic data, and the non-agent-mode security protection software comprises only the main program; the main program is used for obtaining the file to be checked and killed, transmitting the file to be checked and killed to a searching and killing engine for searching and killing, receiving the searching and killing result and displaying the searching and killing result of the file to be checked and killed; the searching and killing engine is used for loading virus library characteristic data, carrying out virus detection or virus searching and killing on the file to be searched and killed transmitted by the main program and then feeding the result back to the main program; the virus library characteristic data comprises virus characteristic data used for virus detection or virus killing.
4. The method according to claim 3, wherein the main program is further configured to determine a mode of the security software to which the file to be killed belongs before the file to be killed is transmitted to a killing engine for killing and a killing result is received, and determine whether to use a local killing engine for virus detection or virus killing or to transmit the file to be killed to the host through the data transmission channel and use the killing engine on the host for virus detection or virus killing based on the mode determination result.
5. The method according to claim 3 or 4, wherein the killing engine is further configured to determine a mode of the security protection software, and determine whether to feed back the virus detection or virus killing result to the host main program or to the virtual machine main program through the data transmission channel based on the mode determination result.
6. A safety protection device for a virtual machine, characterized by comprising a data transmission unit and a data receiving unit, wherein the data transmission unit is used for transmitting a file to be checked and killed to a host machine through a data transmission channel which is pre-constructed between the virtual machine and the host machine, and the host machine is used for carrying out virus detection and/or virus checking and killing on the file to be checked and killed after receiving it; and the data receiving unit is used for receiving the virus detection and/or virus killing result transmitted back by the host machine through the data transmission channel.
7. The apparatus of claim 6, wherein the data transmission channel is an RPC channel.
8. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a virtual machine security method as claimed in any one of claims 1 to 4.
9. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform a virtual machine security method as claimed in any one of claims 1 to 4.
10. A computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform a virtual machine security method as claimed in any one of claims 1 to 4.
CN202010162748.7A 2020-03-10 2020-03-10 Virtual machine safety protection method and device and electronic equipment Active CN111459609B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010162748.7A CN111459609B (en) 2020-03-10 2020-03-10 Virtual machine safety protection method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN111459609A true CN111459609A (en) 2020-07-28
CN111459609B CN111459609B (en) 2024-04-19

Family

ID=71685179

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010162748.7A Active CN111459609B (en) 2020-03-10 2020-03-10 Virtual machine safety protection method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN111459609B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254120A (en) * 2011-08-09 2011-11-23 成都市华为赛门铁克科技有限公司 Method, system and relevant device for detecting malicious codes
US20160092679A1 (en) * 2014-09-25 2016-03-31 Electronics And Telecommunications Research Institute Inspection and recovery method and apparatus for handling virtual machine vulnerability
CN105117649A (en) * 2015-07-30 2015-12-02 中国科学院计算技术研究所 Anti-virus method and anti-virus system for virtual machine
CN107342963A (en) * 2016-04-28 2017-11-10 中移(苏州)软件技术有限公司 A kind of secure virtual machine control method, system and the network equipment
CN106778275A (en) * 2016-12-29 2017-05-31 北京瑞星信息技术股份有限公司 Based on safety protecting method and system and physical host under virtualized environment
CN106790270A (en) * 2017-02-16 2017-05-31 郑州云海信息技术有限公司 A kind of safety system of cloud operating system
CN106685999A (en) * 2017-02-27 2017-05-17 郑州云海信息技术有限公司 Safety protection method for virtual machine, system and safety device
CN107358096A (en) * 2017-07-10 2017-11-17 成都虫洞奇迹科技有限公司 File virus checking and killing method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
展旭升;高云伟;冯百明;蒋芸;杨鹏斐;: "虚拟桌面杀毒模型的设计与实现", no. 03, pages 107 - 110 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953565A (en) * 2020-08-10 2020-11-17 苏州浪潮智能科技有限公司 Method, system, device and medium for detecting bandwidth in virtualized environment
CN112528285A (en) * 2020-12-18 2021-03-19 南方电网电力科技股份有限公司 Security protection method and device for cloud computing platform, electronic equipment and storage medium
CN114615035A (en) * 2022-02-28 2022-06-10 亚信科技(成都)有限公司 Security detection method, server and storage medium
CN114615035B (en) * 2022-02-28 2023-12-08 亚信科技(成都)有限公司 Security detection method, server and storage medium

Also Published As

Publication number Publication date
CN111459609B (en) 2024-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Country or region before: China

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant