Disclosure of Invention
In view of this, embodiments of the present invention provide a virtual machine security protection method, a virtual machine security protection apparatus, and an electronic device, which at least partially solve the problems in the prior art.
In a first aspect, a virtual machine security protection method according to an embodiment of the present invention includes:
transmitting a file to be scanned to a host machine through a data transmission channel pre-constructed between the virtual machine and the host machine, wherein the host machine is configured to perform virus detection and/or virus scanning and removal on the file to be scanned after receiving it;
and receiving, through the data transmission channel, the virus detection and/or virus removal result returned by the host machine.
According to a specific implementation of the embodiment of the invention, the virtual machine is provided with security protection software in non-proxy mode, and the host machine is provided with security protection software in proxy mode.
According to a specific implementation of the embodiment of the invention, the proxy-mode security protection software comprises a main program, a scanning engine and virus signature data (virus library characteristic data), whereas the non-proxy-mode security protection software comprises only the main program. The main program is used to obtain the file to be scanned, pass it to a scanning engine for scanning and removal, receive the scan result and display the scan result for the file; the scanning engine is used to load the virus signature data, perform virus detection or virus scanning and removal on the file passed by the main program, and feed the result back to the main program; the virus signature data comprises the virus feature data used for virus detection or virus removal.
According to a specific implementation of the embodiment of the present invention, the main program is further configured to, before passing the file to be scanned to a scanning engine and receiving the scan result, determine the mode of the security protection software to which it belongs and, based on the mode determination result, either use the local scanning engine for virus detection or virus scanning and removal, or transmit the file to be scanned to the host machine through the data transmission channel and use the scanning engine on the host machine for virus detection or virus scanning and removal.
According to a specific implementation of the embodiment of the invention, the scanning engine is further configured to determine the mode of the security protection software and, based on the mode determination result, either feed the virus detection or virus scanning and removal result back to the host machine main program, or feed it back to the virtual machine main program through the data transmission channel.
In a second aspect, an embodiment of the present invention provides a virtual machine security protection apparatus, including:
a data transmission unit, configured to transmit the file to be scanned to the host machine through a data transmission channel pre-constructed between the virtual machine and the host machine, wherein the host machine is configured to perform virus detection and/or virus scanning and removal on the file to be scanned after receiving it;
and a data receiving unit, configured to receive, through the data transmission channel, the virus detection and/or virus removal result returned by the host machine.
According to a specific implementation of the embodiment of the invention, the data transmission channel is an RPC channel.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the virtual machine security protection method according to the first aspect or any implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the virtual machine security protection method of the first aspect or any implementation of the first aspect.
In a fifth aspect, the present invention further provides a computer program product, where the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to execute the virtual machine security protection method of the first aspect or any implementation of the first aspect.
Advantageous effects
Compared with the prior art, the virtual machine security protection method of the embodiment of the invention deploys non-proxy security protection software on the virtual machine and proxy security protection software on the host machine; a file on the virtual machine that needs virus scanning is transmitted to the host machine, which scans it and feeds back the scan result. This solves the problem of the security protection software occupying host machine (virtual machine) resources and network bandwidth, and the resources and bandwidth saved are particularly noticeable when the number of virtual machines is large. In addition, since the virtual machine carries only the non-proxy security protection software, the redundant virus signature library is stripped away: the virtual machine storage consumed by its regular updates is saved, the network overhead of upgrading the virus signature library is reduced, and the memory consumed by loading the virus signature library into memory for local scanning is also saved.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below with specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure in the specification. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. The disclosure may be embodied or carried out in various other specific embodiments, and various modifications and changes may be made in the details within the description without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present disclosure, and the drawings only show the components related to the present disclosure rather than the number, shape and size of the components in actual implementation, and the type, amount and ratio of the components in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
The embodiment of the disclosure provides a virtual machine security protection method. The method may be executed by a computing apparatus or device, which may be implemented as software or as a combination of software and hardware, and which may be integrated in a server, a terminal device, or the like.
Before the present solution is described in detail, some basic concepts are explained.
Host computer: the computer case together with everything inside it, including the mainboard, CPU, memory, hard disk, graphics card and so on.
Host machine: the computer on which the virtual machine software is installed, i.e., the physical machine that is actually purchased.
Virtual machine: a complete set of hardware devices constructed by a virtual machine tool, together with the operating system and application software running on that hardware.
Host operating system: the operating system installed on the physical machine, for example a Win2K operating system installed on a physical machine on which the VMware virtual machine application software is installed.
Guest operating system: the operating system on a virtual machine, such as Red Hat Linux.
Referring to fig. 1, an embodiment of the present invention provides a virtual machine security protection method, including:
S101, transmitting a file to be scanned to a host machine through a data transmission channel pre-constructed between a virtual machine and the host machine, wherein the host machine is configured to perform virus detection and/or virus scanning and removal on the file to be scanned after receiving it;
and S102, receiving, through the data transmission channel, the virus detection and/or virus removal result returned by the host machine.
As a specific example, the data transmission channel may be any channel supported or provided by the operating system or the virtual machine tool, such as RPC, shared memory or pipes.
As a specific example, the virtual machine is installed with security protection software that provides a UI for interactive operations such as virus detection and/or virus removal. When it receives a scan instruction, or automatically scans certain files according to the system settings, the virtual machine transmits the file to be scanned to the host security protection software through the data transmission channel for virus detection and/or virus removal, receives the detection and/or removal result fed back by the host through the data transmission channel, and displays the result through the UI or processes it in another way, such as writing it to a predefined file. The security protection software on the virtual machine differs from that on the host machine, but each fulfils its own role, and the host machine only needs to provide a calling interface for remote virus scanning. As long as the host machine exposes a virus scanning interface over the relevant data transmission channel, any software vendor or individual can implement virtual-machine-side security protection software in this way, with the actual virus detection and/or virus scanning and removal performed on the host machine.
As a specific example, from the user's point of view, using different security protection software on the host and on the virtual machine means having to learn and adapt to different software products, and for a security protection software vendor, producing and maintaining different product lines brings a large overhead. An existing security protection product can therefore be modified to suit the dual use scenario of virtual machine and host, which gives the user a consistent experience across the vendor's software products.
The security protection software used on existing hosts is software with terminal security functions, such as file security level identification and real-time virus scanning, removal and repair. Logically it comprises a main program, a scanning engine and virus signature data. The main program interacts with the user to obtain the file to be scanned, passes the file to the scanning engine for scanning and receives the scan result, and displays the scan result for the file; it comprises the foreground display interfaces that interact with the user (such as user login, virus scanning, level identification and display of scan results) and background functions such as file enumeration, engine scheduling and foreground/background interaction. The scanning engine loads the virus signature data, performs virus detection or virus scanning and removal on the file passed by the main program, and feeds the result back to the main program; that is, the scanning engine is an interface called by the upper-layer program, and its interfaces provide capabilities such as loading virus signature data, file level identification and real-time virus scanning and removal. The virus signature data comprises the virus feature data used for virus detection or virus removal. The above is only a logical division, and different security software vendors define it differently.
The method aims to reduce the product maintenance cost of a security protection software vendor and to give users a consistent experience with security protection software from the same vendor. The security protection software is transformed and reshaped according to the logical function division above, and split into security protection software with a proxy mode and security protection software without a proxy mode. Fig. 2 shows the non-proxy-mode security protection software on the virtual machine, the proxy-mode security protection software on the host machine, and the interaction architecture between them: the layers containing the AVE, QEX, QVM, cloud engine and cloud QVM are the antivirus engines, each of which can load its own virus signature data for virus feature comparison during scanning, while the transfer of the file and of the identification information relies on the channel provided by the virtual machine platform (e.g., VMware vSphere) through the upper-layer RPC. The virus scanning interface provided by the scanning engine is modified: a mode determination parameter is added to the engine calling unit of the main program and to the virus scanning interface of the scanning engine, so that the security protection software can determine its mode and, based on the result, decide whether to use the local scanning engine for virus detection, virus scanning and removal or file repair, or to use the scanning engine of the host machine's proxy-mode security protection software for these operations through a data transmission channel such as RPC.
Corresponding to this reshaping, the security protection software can also be modified in another way: the engine calling unit of the main program performs the mode determination of the security protection software and performs virus detection or virus removal either through the existing virus scanning calling interface of the local scanning engine or through the scanning engine of the host machine via RPC (remote procedure call); a non-proxy-mode virus scanning calling interface is added to the scanning engine, which receives the file, scans it in the existing way and feeds the result back to the interface caller through the RPC channel.
As a specific example, the virus scanning process on the virtual machine is as follows:
1. the main program obtains a file to be scanned;
2. the main program reads the preset security protection software mode and determines whether it is the non-proxy mode; if so, it proceeds to step 3;
3. the main program calls the scanning engine of the host machine through RPC to scan for viruses, passing the file to be scanned and the software mode parameter;
4. the scanning engine of the host machine loads the local virus signature data and performs virus detection and/or virus scanning and removal on the transmitted file;
5. the scanning engine of the host machine determines whether the passed-in software mode parameter indicates the non-proxy mode, and if so, returns the virus detection and/or virus removal result to the main program of the virtual machine through the RPC channel.
As a specific example, the virus scanning process on the host is as follows:
1. the main program obtains a file to be scanned;
2. the main program reads the preset security protection software mode and determines whether it is the non-proxy mode; if not, it proceeds to step 3;
3. the main program calls the local scanning engine to scan for viruses, passing the file to be scanned and the software mode parameter;
4. the scanning engine of the host machine loads the local virus signature data and performs virus detection and/or virus scanning and removal on the transmitted file;
5. the scanning engine of the host machine determines whether the passed-in software mode parameter indicates the non-proxy mode, and if it does not, feeds the virus detection and/or virus removal result back to the main program of the host machine.
It follows from these processes that the main program is the same whether the mode is non-proxy or proxy, which reduces the product maintenance cost of the security protection software vendor and gives users a consistent experience with security protection software from the same vendor.
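As an added illustration (not code from the patent or from any product it describes), the following Python model runs the two flows above end to end: one main program whose engine calling unit branches on the mode parameter, one in-process channel standing in for the VM-to-host RPC, and one scanning engine whose scan interface carries the mode parameter and routes its result back over the channel or to the local main program. The signature data, file names and file contents are constructed for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

PROXY = "proxy"          # host-side software: main program + engine + signature data
NON_PROXY = "non_proxy"  # VM-side software: main program only


@dataclass
class ScanResult:
    file_name: str
    infected: bool
    signature: Optional[str]   # name of the matching signature, if any
    engine: str                # which engine produced the result


class ScanEngine:
    """Scanning engine with the added mode parameter on its scan interface
    (steps 4 and 5 of both flows): load signature data, scan, then route the
    result back over the channel (non-proxy caller) or to the local main
    program (proxy caller)."""

    def __init__(self, name: str, signature_data: Dict[str, str]) -> None:
        self.name = name
        # constructed stand-in for the virus signature data: sha256 digest -> signature name
        self.signatures = signature_data

    def scan(self, file_name: str, content: bytes, mode: str,
             reply_channel: Optional["Channel"] = None) -> Optional[ScanResult]:
        digest = hashlib.sha256(content).hexdigest()
        hit = self.signatures.get(digest)
        result = ScanResult(file_name, hit is not None, hit, self.name)
        if mode == NON_PROXY:
            # the file arrived from a VM over the channel, so the result goes back the same way
            if reply_channel is None:
                raise ValueError("non-proxy scan requires a reply channel")
            reply_channel.deliver(result)
            return None
        return result  # proxy mode: the caller is the host's own main program


class Channel:
    """In-process stand-in for the pre-built VM-to-host data transmission
    channel (RPC, shared memory or pipe in the text)."""

    def __init__(self, host_engine: ScanEngine) -> None:
        self._host_engine = host_engine
        self._replies: List[ScanResult] = []

    def remote_scan(self, file_name: str, content: bytes, mode: str) -> ScanResult:
        # VM side: transmit the file and the mode parameter, then collect the reply (step 3)
        self._host_engine.scan(file_name, content, mode, reply_channel=self)
        return self._replies.pop()

    def deliver(self, result: ScanResult) -> None:
        # host side: the engine writes its result back into the channel (step 5)
        self._replies.append(result)


class MainProgram:
    """The same main program runs in both modes; only the configured mode and
    the presence of a local engine differ."""

    def __init__(self, mode: str, local_engine: Optional[ScanEngine] = None,
                 channel: Optional[Channel] = None) -> None:
        self.mode = mode
        self.local_engine = local_engine
        self.channel = channel

    def check_file(self, file_name: str, content: bytes) -> ScanResult:
        # engine calling unit: the mode determination selects local vs. remote engine (step 2)
        if self.mode == NON_PROXY:
            if self.channel is None:
                raise RuntimeError("non-proxy mode needs a channel to the host")
            return self.channel.remote_scan(file_name, content, self.mode)
        if self.local_engine is None:
            raise RuntimeError("proxy mode needs a local scanning engine")
        return self.local_engine.scan(file_name, content, self.mode)


# constructed samples: one byte string registered as "known bad", one clean one
BAD_SAMPLE = b"constructed malicious sample, not real malware"
CLEAN_SAMPLE = b"ordinary document content"
SIGNATURES = {hashlib.sha256(BAD_SAMPLE).hexdigest(): "Constructed.Test.Sample"}


def run_both_flows() -> Dict[str, ScanResult]:
    """Run the VM flow (non-proxy) and the host flow (proxy) against one host engine."""
    host_engine = ScanEngine("host_engine", SIGNATURES)
    host_main = MainProgram(PROXY, local_engine=host_engine)
    vm_main = MainProgram(NON_PROXY, channel=Channel(host_engine))  # no engine, no signatures
    return {
        "vm_bad": vm_main.check_file("vm/report.docx", BAD_SAMPLE),
        "vm_clean": vm_main.check_file("vm/notes.txt", CLEAN_SAMPLE),
        "host_bad": host_main.check_file("host/setup.exe", BAD_SAMPLE),
    }


if __name__ == "__main__":
    for label, res in run_both_flows().items():
        print(label, res)
```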
Corresponding to the above method embodiment, and referring to fig. 3, an embodiment of the present invention provides a virtual machine security protection apparatus 400, including:
a data transmission unit 401, configured to transmit a file to be scanned from the virtual machine to a host machine through a data transmission channel between the virtual machine and the host machine;
a data receiving unit 402, configured to receive, through the data transmission channel, a virus detection or virus removal result obtained by the host machine performing virus detection or virus removal on the file to be scanned.
As a specific example, the data transmission channel is an RPC channel.
As a specific example, the virtual machine is installed with security protection software in non-proxy mode, and the host is installed with security protection software in proxy mode.
As a specific example, the proxy-mode security protection software comprises a main program, a scanning engine and virus signature data, and the non-proxy-mode security protection software comprises only the main program, wherein the main program interacts with the user to obtain the file to be scanned, passes it to the scanning engine for scanning, receives the scan result, and displays the scan result for the file; the scanning engine loads the virus signature data, performs virus detection or virus scanning and removal on the file passed by the main program, and feeds the result back to the main program; the virus signature data comprises the virus feature data used for virus detection or virus removal.
As a specific example, the engine calling unit of the main program performs the mode determination of the security protection software and, based on the result, determines whether to use the local antivirus engine for virus detection or virus removal or to use the antivirus engine of the host machine through RPC.
As a specific example, the virus scanning interface of the scanning engine performs the virus scanning, determines from the mode determination result of the security protection software whether the scanned file is a local file or a file transmitted by the virtual machine through the RPC channel, and feeds the scan result back to the corresponding interface caller according to the mode determination result.
It is clear to those skilled in the art that the above units are only one specific example of logical division and are not limiting: different unit logics may be integrated into one unit, or the logic of one unit may be split further and completed by a plurality of units, and any program capable of implementing the above logic falls within the protection scope of the present invention.
The scheme of the application provides the user with lightweight security protection software for the virtual machine. It eliminates the storage overhead of the virus signature library on the virtual machine and the network overhead of continuously updating it, eliminates the memory overhead of loading virus signature data into memory for scanning and the CPU overhead during scanning, and can effectively prevent the 0-day exposure that arises when a virtual machine that is frequently shut down cannot update its virus signature library in real time. When the number of virtual machines on a host machine is large, the reduction in system overhead is particularly considerable and system performance can be greatly improved.
Referring to fig. 4, an embodiment of the present invention further provides an electronic device 60, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the virtual machine security protection method of the above method embodiments.
The embodiment of the present invention further provides a non-transitory computer-readable storage medium, which stores computer instructions for causing the computer to execute the virtual machine security protection method in the foregoing method embodiment.
Embodiments of the present invention also provide a computer program product, which includes a computer program stored on a non-transitory computer readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the virtual machine security protection method in the foregoing method embodiments.
The apparatus shown in fig. 3 may execute the embodiment shown in fig. 1-2 and the virtual machine security protection method described above; for parts of this embodiment not described in detail, reference may be made to the related descriptions of the embodiment shown in fig. 1-2 and of the virtual machine security protection method, which will not be repeated here.
Referring now to FIG. 4, a block diagram of an electronic device 60 suitable for use in implementing embodiments of the present disclosure is shown. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., car navigation terminals), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, the electronic device 60 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 60 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
In general, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 608 including, for example, magnetic tape, hard disk, etc.; and communication devices 609.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring at least two internet protocol addresses; sending a node evaluation request comprising the at least two internet protocol addresses to node evaluation equipment, wherein the node evaluation equipment selects the internet protocol addresses from the at least two internet protocol addresses and returns the internet protocol addresses; receiving an internet protocol address returned by the node evaluation equipment; wherein the obtained internet protocol address indicates an edge node in the content distribution network.
Alternatively, the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receiving a node evaluation request comprising at least two internet protocol addresses; selecting an internet protocol address from the at least two internet protocol addresses; returning the selected internet protocol address; wherein the received internet protocol address indicates an edge node in the content distribution network.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.