CN113703908A - Mimicry virtual network management system - Google Patents


Info

Publication number: CN113703908A
Authority: CN (China)
Prior art keywords: network, virtual, module, management system, pseudo
Legal status: Pending
Application number: CN202010436998.5A
Other languages: Chinese (zh)
Inventors: 朱泓艺, 葛君杰
Current assignee: Dilina Shanghai Big Data Service Co ltd; Shanghai Broadband Technology and Application Engineering Research Center
Original assignee: Dilina Shanghai Big Data Service Co ltd; Shanghai Broadband Technology and Application Engineering Research Center
Application filed by Dilina Shanghai Big Data Service Co ltd and Shanghai Broadband Technology and Application Engineering Research Center
Priority to CN202010436998.5A
Publication of CN113703908A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/12 Discovery or management of network topologies

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a mimicry virtual network management system comprising: a hardware resource module for providing hardware resources to the network management system; a virtual module for calling, through a virtual machine monitor, the hardware resources provided by the hardware resource module so as to realize virtual functions; a cloud platform module for managing and controlling the mimicry virtual network management system; a mimicry software-defined network control module for interfacing with the cloud platform, performing path calculation and issuing flow tables; and a configuration management module for providing an information extraction interface and a management configuration interface. The system can effectively reduce the probability of a successful attack on the software-defined network control layer, has good fault-tolerance and intrusion-tolerance capability, can effectively increase the heterogeneity of the system and the accuracy of arbitration, and thereby further improves security.

Description

Mimicry virtual network management system
Technical Field
The invention belongs to the technical field of communication networks and relates to a system, in particular to a mimicry virtual network management system.
Background
At present, the basic security situation of cyberspace can be summarized as 'easy to attack, hard to defend', and the core factor behind this imbalance is the unknown attack carried out through unknown vulnerabilities and backdoors, that is, the uncertain threat. Existing security protection systems need prior knowledge of attack sources, characteristics, paths, mechanisms and so on; they are premised on known risks, or on unknown attacks that follow known paths, and so, faced with uncertain threats, they are always in the position of mending the fold after the sheep have been lost: they can only improve themselves passively by means such as scanning and killing, blocking and sealing off, and such passive, add-on and patch-based defenses cannot meet the security requirements of critical systems concerning human life safety and social stability. In recent years there has been an urgent need for systems with 'endogenous security' capability, which generally refers to security capability grown within the information system itself; it can be achieved by generating endogenous security effects through the network's own configuration factors, through the integration of information systems with security systems, through the integration of business data with security data, and so on. Endogenous security acts like a strong immune system: without depending on prior knowledge, it can effectively deal with security risks caused by human disturbance as well as safety risks caused by natural disturbance, so that integrated treatment of traditional functional safety and non-traditional cyber security problems becomes possible.
Cyberspace Mimicry Defense (CMD) aims to provide a universal endogenous security defense theory and method for countering uncertain threats based on unknown vulnerabilities, backdoors, viruses, trojans and the like at the application level in the various fields of cyberspace. CMD technology is built on the Dynamic Heterogeneous Redundancy (DHR) integrated framework: it deliberately introduces dynamism and randomness into the system, frustrates an attacker's reconnaissance and intrusion through uncertain attributes, identifies and shields unknown threats through an arbitration mechanism, removes the damage an attack does to the system through an elastic, reconfigurable framework, and so gives the system an endogenous security defense capability that can actively cope with unknown attacks.
Therefore, how to provide a mimicry virtual network management system that addresses uncertain threats based on unknown vulnerabilities, backdoors, viruses, trojans and the like at the application level in the various fields of today's cyberspace has become a technical problem that practitioners in the field urgently need to solve.
Disclosure of Invention
In view of the above disadvantages of the prior art, an object of the present invention is to provide a mimicry virtual network management system for solving the prior-art problem of uncertain threats based on unknown vulnerabilities, backdoors, viruses, trojans and the like at the application level in the various fields of cyberspace.
To achieve the above and other related objects, the present invention provides a mimicry virtual network management system, comprising: a hardware resource module for providing hardware resources to the network management system; a virtual module for calling, through a virtual machine monitor, the hardware resources provided by the hardware resource module so as to realize virtual functions; a cloud platform module for constructing a virtual network environment from the resources provided by the virtual module and performing management control; a mimicry software-defined network control module for interfacing with the cloud platform module and performing path calculation and flow table issuing; and a configuration management module for providing an information extraction interface and a management configuration interface.
In an embodiment of the present invention, the hardware resource module includes a plurality of standard servers that build a hardware resource pool supporting a plurality of mimicry software-defined network devices.
In an embodiment of the present invention, the cloud platform module includes a control node, a computing node, a network node, and a storage node, which are arranged in parallel.
In an embodiment of the present invention, the control node is configured to control the computing node, the network node and the storage node.
In an embodiment of the present invention, the computing node interfaces with the control node and receives its management control, provides communication services with the network node, and provides creation, operation and migration of virtual machines by using the virtual module.
In an embodiment of the invention, the network node is configured to provide communication between an external network and an internal network.
In an embodiment of the invention, the storage node is configured to manage additional storage resources provided by the virtual module.
In an embodiment of the present invention, the mimicry software-defined network control module includes a middle layer controller, a plurality of heterogeneous mimicry software-defined network controllers connected to the middle layer controller, and an arbitrator connected to each of the heterogeneous mimicry software-defined network controllers and to the middle layer controller; the middle layer controller is used for collecting network topology information and transmitting it to the plurality of heterogeneous mimicry software-defined network controllers; each heterogeneous mimicry software-defined network controller performs path calculation according to the network topology information and the data packet information so as to obtain its own flow table, and transmits that flow table to the arbitrator; the arbitrator is used for determining the consistency of the flow tables in order to pass the correct flow table to the middle layer controller.
In an embodiment of the invention, the configuration management module is configured to provide the information extraction interface and the management configuration interface, covering the middle layer controller, the heterogeneous software-defined network controller executors, network topology, tenant networks, network address translation, floating IP, quality of service and/or security group functions.
In an embodiment of the present invention, the configuration management module is further configured to provide a management configuration interface for a third-party application.
As described above, the mimicry virtual network management system of the present invention has the following beneficial effects:
the mimicry virtual network management system adopts heterogeneous redundant software-defined network controllers and adds a mimicry layer between the data layer and the control layer of a traditional software-defined network to realize a dynamic scheduling function: a software-defined network controller found to be under attack, according to the arbitration result of the mimicry arbitrator, can be taken offline for cleaning and replaced by a safe, redundant standby software-defined network controller brought online. Specifically, the mimicry virtual network management system first uses a selector to dynamically choose a plurality of heterogeneous software-defined network controllers to serve in parallel in the active state; the arbitrator then determines, from the processing results of the individual controllers, the final effective response to return to the underlying switch. At the cost of a bounded increase in latency, the mimicry virtual network management system can thereby effectively reduce the probability of a successful attack on the software-defined network control layer and has good fault-tolerance and intrusion-tolerance capability; on this basis, the provided tuning strategy and arbitration mechanism can effectively increase the heterogeneity of the system and the accuracy of arbitration, and so further improve security.
Drawings
Fig. 1 is a schematic structural diagram of a mimicry virtual network management system according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a cloud platform module according to an embodiment of the invention.
Fig. 3 is a schematic structural diagram of a mimicry software-defined network control module according to an embodiment of the present invention.
Description of the element reference numerals
1 Mimicry virtual network management system
11 Hardware resource module
12 Virtual module
13 Cloud platform module
14 Mimicry software defined network control module
15 Configuration management module
131 Control node
132 Computing node
133 Network node
134 Storage node
141 Middle layer controller
142 Heterogeneous software defined network controller
143 Arbitrator
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
The technical principle of the mimicry virtual network management system is as follows:
the mimicry virtual network management system (MVNM) takes the mimicry defense theoretical model as its guide. On the basis of a dynamic heterogeneous redundancy architecture it realizes key technologies such as dynamic scheduling of multiple heterogeneous software-defined network controller executors, comparison and arbitration of flow tables before issuing, and offline restarting of controllers through fast container scheduling; and through a software-defined network built on an OpenStack-architecture cloud platform it realizes functions such as unified management of virtual network devices, tenant networks, subnet isolation and NAT, thereby providing secure and efficient system-level management for a mimicry virtual network test range.
Examples
The embodiment provides a mimicry virtual network management system, which includes:
the hardware resource module is used for providing hardware resources for the network management system;
the virtual module is used for calling the hardware resources provided by the hardware resource module by using a virtual machine monitor so as to realize a virtual function;
the cloud platform module is used for constructing a virtual network environment by using the resources provided by the virtual module and performing management control;
the mimicry software-defined network control module is used for interfacing with the cloud platform module and for performing path calculation and flow table issuing;
and the configuration management module is used for providing an information extraction interface and a management configuration interface.
The following description refers to the drawings to describe the details of the mimicry virtual network management system provided in the present embodiment. Please refer to fig. 1, which is a schematic structural diagram of a mimicry virtual network management system in an embodiment. As shown in fig. 1, the mimicry virtual network management system 1 includes a hardware resource module 11, a virtual module 12, a cloud platform module 13, a mimicry software-defined network control module 14, and a configuration management module 15.
The hardware resource module 11 is configured to provide hardware resources for the network management system. In the embodiment, the advantage of building a virtual Software-Defined network (SDN) by using an open-source cloud computing management platform project is that the network environment can be supported by using standardized physical hardware.
In the embodiment, the hardware resource module comprises a plurality of standard servers (for example, standard servers of the x86 architecture) that constitute a hardware resource pool supporting a plurality of mimicry software-defined network devices.
Logically, the hardware resource module 11 is located at the bottom layer of the mimicry virtual network management system 1 and provides resources such as computation, storage and network to the upper-layer services.
The virtual module 12 connected to the hardware resource module 11 is configured to call, by using a virtual machine monitor (hypervisor), the hardware resource provided by the hardware resource module 11 to implement a virtual function, that is, create a data structure for the virtual CPU and the network port, simulate data values of all registers and the network port of the CPU, and continuously track and modify the values, so that the upper-layer guest operating system can execute normally. In this embodiment, the virtual function includes a simulation operation of the CPU, a call to a network port, and the like.
The cloud platform module 13 connected to the virtual module 12 is configured to construct a virtual network environment by using resources provided by the virtual module. Please refer to fig. 2, which is a schematic structural diagram of a cloud platform module in an embodiment. As shown in fig. 2, the cloud platform module 13 includes a control node 131, a computing node 132, a network node 133, and a storage node 134, which are arranged in parallel.
The control node 131 is used for controlling the computing node 132, the network node 133 and the storage node 134. All the components of all the nodes are mainly based on an HTTP protocol, a RESTful Web API and the like, and the logical relationship is realized by mutually calling the API to transmit information among the nodes.
Specifically, the control exercised over the other nodes by the control node 131 includes creating and migrating virtual machines, allocating networks, storage and the like. The control node 131 includes services such as management support, basic management and extended management, provides functions such as authentication, image management, computing and network management, and supports various plug-ins. Meanwhile, the control node 131 provides an API interface for console management; in the mimicry virtual network management system 1, the control node 131 calls the OpenStack API to acquire network information and to add, delete and modify the network structure.
The computing node 132 is connected to the control node 131, provides communication services with the network node, and provides services such as creating, running, and migrating virtual machines by using the virtual module.
The network node 133 is used to provide communication between the external network and the internal network. The OpenStack network node 133 includes only the Neutron services, which manage communication between public and private network segments, communication between virtual machine networks, firewalls in front of virtual machines, and the like.
The storage node 134 is used to manage the additional storage resources provided by the virtual module, and may provide both block storage and object storage services.
The mimicry software-defined network control module 14, connected to the cloud platform module 13, is configured to interface with the cloud platform module 13, perform path calculation and issue flow tables, so as to control forwarding by the software-defined network switches: it discovers the state of the devices controlled by the software-defined network switches, along with their link connection state and changes to it, provides the necessary link connection information to the device management and topology management module, and finally cooperates with the other modules to present and manage the network topology. The controller communicates with the network switch through the OpenFlow protocol and manages the flow table of the network switch. A flow table structure is maintained on the network switch and data packets are forwarded according to it; the controller manages the generation, maintenance and configuration of the flow table using the OpenFlow protocol.
Please refer to fig. 3, which is a schematic structural diagram of a mimicry software-defined network control module in an embodiment. As shown in fig. 3, the mimicry software-defined network control module 14 includes a middle layer controller 141, a plurality of heterogeneous software-defined network controller executors 142 connected to the middle layer controller 141, and an arbitrator 143 connected to each of the heterogeneous software-defined network controller executors 142 and to the middle layer controller 141. In this embodiment, the combination of a plurality of heterogeneous software-defined network controller executors with the arbitration and scheduling functions that make them heterogeneous, dynamic and redundant is what is called a mimicry; a single controller executor on its own is not.
The middle layer controller 141 is configured to collect network topology information and transmit it to the plurality of heterogeneous software-defined network controller executors. As the middle layer of the mimicry software-defined network control module 14, a DCFabric controller is selected in this embodiment and further developed so that it can analyse data information and issue flow tables, that is, extract the key field parameters of the physical flow tables produced by the different heterogeneous controllers and re-encapsulate them in a unified flow table format. The DCFabric controller can interface with OpenStack while passing the collected network topology information to the plurality of heterogeneous Software-Defined Network (SDN) controller executors 142.
The heterogeneous software-defined network controller executors 142 are configured to perform path computation according to the network topology information and the packet information so as to obtain their respective flow tables, and to transfer the flow tables to the arbitrator 143. Link discovery uses LLDP (Link Layer Discovery Protocol). The protocol provides a standard link-layer discovery mechanism and can query information such as the main capabilities, management address, device identifier and interface identifier of a device. It uses the OpenFlow channel for communication between the controller and the switch. Each LLDP packet needs to include the sending port and the datapath ID. A link discovery timeout is triggered when no LLDP packet is received within the timeout period. Because the switch-level network topology is established in advance, DCFabric can optimize the procedure for establishing a packet path: DCFabric only needs to process the communication requirement for a given destination host once, which greatly reduces the number of network flow table entries and the workload of DCFabric. When DCFabric receives a packet-in message from a switch (e.g., an ARP request), it first needs to determine the addresses of the source host and the destination host. If the DCFabric database has no information about the destination host address yet, DCFabric floods the ARP request to every port of all switches. Once DCFabric learns of a new host, whether from an ARP request or an ARP response, it adds a new flow entry in the switch directly connected to that host. After receiving the ARP response from the destination host, DCFabric issues a flow entry to each of the other switches.
Next, DCFabric sends the ARP response message to the source host and loads a flow entry in each of the other switches, and packets destined for the destination host are tagged with the ID of the destination switch. The switches along the unicast path forward the data packet according to the ID of the destination switch. When the packet arrives at the destination switch, the VLAN ID is cleared and the packet is forwarded to the destination host. In this embodiment, the heterogeneous software-defined network controller executors 142 are open-source network controllers from different sources.
The arbitrator 143 is used to determine the consistency of the flow tables so as to pass the correct flow table to the middle layer controller 141. In this embodiment, the arbitrator 143 judges the security and correctness of the flow tables through single-mode arbitration or multi-mode arbitration. Single-mode arbitration assumes that at most one heterogeneous software-defined network controller executor is attacked: through consistency arbitration, an executor that returns a flow table different from the others is identified as attacked, and it is taken offline for cleaning. Multi-mode arbitration assumes that multiple executors may be attacked: through consistency arbitration, the executors returning the larger number of identical flow tables are first determined to be safe, and the remaining executors are taken offline and cleaned. After a multi-mode arbitration, if everything is consistent once the cleaned executors are back online, the arbitration was correct; if differing flow tables still occur once the cleaned executors are back online, the executors previously determined to be safe are identified as attacked and are in turn taken offline for cleaning.
The configuration management module 15, connected to the mimicry software-defined network control module 14, is used for providing an information extraction interface and a management configuration interface.
In particular, the configuration management module 15 is configured to provide information extraction interfaces and management configuration interfaces covering the middle layer controller, the heterogeneous software-defined network controller executors, network topology, tenant networks, network address translation, floating IP, quality of service and/or security group functions (network optimization management functions).
The configuration management module 15 is further configured to provide a management configuration interface for a third-party application.
The mimicry virtual network management system adopts heterogeneous redundant software-defined network controllers, and a mimicry layer is added between the data layer and the control layer of the traditional software-defined network to realize the dynamic scheduling function. The dynamic scheduling function means that a software-defined network controller found to be under attack, according to the arbitration result of the mimicry arbitrator, can be taken offline for cleaning and replaced by a safe, redundant standby software-defined network controller brought online. Specifically, the mimicry virtual network management system first uses a selector to dynamically choose a plurality of heterogeneous software-defined network controllers to serve in parallel in the active state; the arbitrator then determines, from the processing results of the individual controllers, the final effective response to return to the underlying switch. At the cost of a bounded increase in latency, the mimicry virtual network management system can thereby effectively reduce the probability of a successful attack on the software-defined network control layer and has good fault-tolerance and intrusion-tolerance capability; on this basis, the provided tuning strategy and arbitration mechanism can effectively increase the heterogeneity of the system and the accuracy of arbitration, and so further improve security.
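As an added example (not the patent's own code), the following Python sketch models the arbitration and scheduling described above: the middle-layer controller normalises the heterogeneous controllers' native flow tables into one format, the arbitrator runs single-mode or multi-mode consistency arbitration, dissenting executors are taken offline for cleaning and replaced from standby, and a re-check round that is still inconsistent reverses a wrong multi-mode verdict. Executor names, the rule format and the sample tables are constructed.

```python
# Added example, not the patent's own code: a toy DHR arbiter for heterogeneous SDN
# controller executors. Executor names, rule formats and sample tables are constructed.
from collections import Counter
from dataclasses import dataclass, field


def normalise_rule(raw: dict) -> tuple:
    """Canonical form of one flow rule. Heterogeneous controllers emit rules in their
    own field naming and casing; the middle-layer controller re-encapsulates them in
    one format so that the arbitrator can compare tables field by field."""
    match = tuple(sorted((k.lower(), str(v).lower()) for k, v in raw["match"].items()))
    actions = tuple(a.lower().replace(" ", "") for a in raw["actions"])
    return (match, actions)


def normalise_table(rules: list) -> frozenset:
    """Rule order does not change forwarding, so a table is compared as a set."""
    return frozenset(normalise_rule(r) for r in rules)


@dataclass
class MimicScheduler:
    pool: list              # all heterogeneous executors available
    redundancy: int         # executors kept active in parallel
    mode: str = "multi"     # "single": at most one attacked; "multi": several may be
    active: list = field(default_factory=list)
    standby: list = field(default_factory=list)
    cleaning: list = field(default_factory=list)
    trusted: set = field(default_factory=set)   # multi-mode verdict awaiting re-check

    def __post_init__(self):
        self.active = self.pool[: self.redundancy]
        self.standby = self.pool[self.redundancy:]

    def _offline(self, names: list) -> None:
        """Take executors offline for cleaning and pull replacements from standby."""
        for n in names:
            self.active.remove(n)
            self.cleaning.append(n)
            if self.standby:
                self.active.append(self.standby.pop(0))

    def finish_cleaning(self) -> None:
        """Cleaned executors return to the standby pool (cleaning is instant here)."""
        self.standby.extend(self.cleaning)
        self.cleaning.clear()

    def arbitrate(self, outputs: dict):
        """outputs maps each active executor to its raw flow table. Returns the table
        to hand to the middle-layer controller, or None when nothing can be trusted
        this round (so no table is issued to the switches)."""
        tables = {n: normalise_table(outputs[n]) for n in self.active}
        majority, count = Counter(tables.values()).most_common(1)[0]
        dissenters = [n for n, t in tables.items() if t != majority]
        if not dissenters:
            self.trusted = set()            # a pending multi-mode verdict is confirmed
            return majority
        if self.mode == "single":
            if len(dissenters) != 1:        # "at most one attacked" does not hold
                return None
            self._offline(dissenters)
            return majority
        if self.trusted & set(tables):
            # Re-check round is still inconsistent: the executors trusted last round
            # were the attacked ones, so they are the ones taken offline now.
            others = {t for n, t in tables.items() if n not in self.trusted}
            self._offline(sorted(self.trusted & set(tables)))
            self.trusted = set()
            return others.pop() if len(others) == 1 else None
        if count * 2 <= len(tables):        # no strict majority: issue nothing
            return None
        self.trusted = {n for n, t in tables.items() if t == majority}
        self._offline(dissenters)
        return majority


# Constructed sample outputs: one forwarding decision in two native formats, and a
# divergent table such as an attacked executor might return.
GOOD_A = [{"match": {"in_port": 1, "eth_dst": "00:00:00:00:00:02"}, "actions": ["output:3"]}]
GOOD_B = [{"match": {"ETH_DST": "00:00:00:00:00:02", "IN_PORT": "1"}, "actions": ["OUTPUT: 3"]}]
BAD = [{"match": {"in_port": 1, "eth_dst": "00:00:00:00:00:02"}, "actions": ["output:9"]}]


def demo_correct_verdict() -> list:
    """One attacked executor of three is offlined, a standby steps in, a consistent round confirms."""
    s = MimicScheduler(["A", "B", "C", "D", "E"], redundancy=3)
    r1 = s.arbitrate({"A": GOOD_A, "B": GOOD_B, "C": BAD})
    s.finish_cleaning()
    r2 = s.arbitrate({"A": GOOD_A, "B": GOOD_B, "D": GOOD_A})
    return [r1 == normalise_table(GOOD_A), r2 == r1, s.active, s.trusted]


def demo_wrong_verdict() -> list:
    """Two executors sharing a fault outvote the honest one; the re-check round exposes them."""
    s = MimicScheduler(["A", "B", "C", "D", "E"], redundancy=3)
    r1 = s.arbitrate({"A": BAD, "B": BAD, "C": GOOD_A})
    s.finish_cleaning()
    r2 = s.arbitrate({"A": BAD, "B": BAD, "D": GOOD_B})
    return [r1 == normalise_table(BAD), r2 == normalise_table(GOOD_A), s.active]
```

The second scenario shows why the re-check matters: when two executors share the same fault, the first arbitration issues their table to the switches, and only the inconsistency against a fresh replacement exposes them.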
It should be noted that the division of the above system into modules is only a logical division; in an actual implementation the modules may be wholly or partially integrated into one physical entity, or may be physically separate. The modules may be implemented entirely as software called by a processing element, entirely as hardware, or partly as software called by a processing element and partly as hardware. For example, the x module may be a separately established processing element, or it may be integrated into a certain chip of the system. In addition, the x module may be stored in the memory of the system in the form of program code and called by one of the processing elements of the system to execute the functions of the x module. The other modules are implemented similarly. All or some of the modules may be integrated together or implemented independently. The processing element described here may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each module above, may be implemented by an integrated logic circuit in hardware within a processor element or by instructions in the form of software. The above modules may be one or more integrated circuits configured to implement the above methods, such as one or more Application Specific Integrated Circuits (ASICs), one or more digital signal processors (DSPs), one or more Field Programmable Gate Arrays (FPGAs), and the like. When a module is implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or another processor capable of calling program code. These modules may also be integrated together and implemented in the form of a System-on-a-Chip (SoC).
In conclusion, the present invention effectively overcomes various disadvantages of the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.

Claims (10)

1. A mimicry virtual network management system, comprising:
a hardware resource module, used for providing hardware resources for the network management system;
a virtual module, used for calling the hardware resources provided by the hardware resource module through a virtual machine monitor to realize virtualization functions;
a cloud platform module, used for constructing a virtual network environment with the resources provided by the virtual module and performing management and control;
a mimicry software-defined network control module, used for interfacing with the cloud platform module and performing path calculation and flow table issuing;
and a configuration management module, used for providing an information extraction interface and a management configuration interface.
2. The mimicry virtual network management system of claim 1, wherein the hardware resource module comprises standard servers that build a pool of hardware resources supporting a plurality of mimicry software-defined network devices.
3. The mimicry virtual network management system of claim 1, wherein the cloud platform module comprises a control node, a computing node, a network node and a storage node arranged in parallel.
4. The mimicry virtual network management system of claim 3, wherein the control node is configured to control the computing node, the network node and the storage node.
5. The mimicry virtual network management system of claim 4, wherein the computing node interfaces with the control node and receives its management and control, provides communication services together with the network node, and provides creation, execution and migration of virtual machines using the virtual module.
6. The mimicry virtual network management system of claim 5, wherein the network node is configured to provide communication between an external network and an internal network.
7. The mimicry virtual network management system of claim 1, wherein the storage node is configured to manage additional storage resources provided by the virtual module.
8. The mimicry virtual network management system of claim 1, wherein the mimicry software-defined network control module comprises a middle-layer controller, a plurality of heterogeneous mimicry software-defined network controllers connected to the middle-layer controller, and an arbitrator connected to each of the heterogeneous mimicry software-defined network controllers and to the middle-layer controller;
the middle-layer controller is used for collecting network topology information and transmitting it to the plurality of heterogeneous mimicry software-defined network controllers;
each heterogeneous mimicry software-defined network controller performs path calculation according to the network topology information and data packet information to obtain its own flow table, and transmits the flow table to the arbitrator;
the arbitrator is used for determining the consistency of the flow tables so as to pass the correct flow table to the middle-layer controller.
9. The mimicry virtual network management system of claim 8, wherein the configuration management module is configured to provide information extraction interfaces and management configuration interfaces covering the middle-layer controller, the plurality of heterogeneous software-defined network controller executors, network topology, tenant networks, network address translation, floating IPs, quality of service and/or security group functions.
10. The mimicry virtual network management system of claim 9, wherein the configuration management module is further configured to provide a management configuration interface for third-party applications.
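As an added illustration (not code from the patent), the following Python model implements the arbitration of claim 8 together with the dynamic scheduling described in the specification: several heterogeneous controller executors compute flow tables for the same request, an arbitrator majority-votes them, a dissenting executor is taken offline and a standby executor is brought online, and when no majority exists nothing is issued. The topology, executor names, flow-table format and the faulty executor are constructed assumptions.

```python
"""Added example (not the patent's code): toy claim-8 mimicry SDN control module."""
from collections import Counter, deque
from dataclasses import dataclass, field
# Constructed topology: two equal-cost paths s1-s2-s4 and s1-s3-s4.
TOPOLOGY = {"s1": ["s2", "s3"], "s2": ["s1", "s4"], "s3": ["s1", "s4"], "s4": ["s2", "s3"]}

def shortest_path(topo, src, dst):  # BFS; every honest executor should agree on it
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in topo.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path = []
    while dst in prev:  # walk back to src; stays empty when dst is unreachable
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

def honest_controller(topo, src, dst):
    """Flow table = tuple of (switch, dst, next_hop) rules along the computed path."""
    path = shortest_path(topo, src, dst)
    return tuple((path[i], dst, path[i + 1]) for i in range(len(path) - 1))

def faulty_controller(topo, src, dst):
    """Constructed failure case: same rule count, but the first hop is rewritten."""
    rules = list(honest_controller(topo, src, dst))
    return tuple([(rules[0][0], dst, "s_wrong")] + rules[1:]) if rules else ()

@dataclass
class MimicryControlModule:
    active: dict                    # executor name -> controller function (online)
    standby: list                   # [(name, controller)] clean spares, in order
    offline: list = field(default_factory=list)

    def arbitrate(self, topo, src, dst):
        """Claim 8 arbitration: issue the majority flow table, take dissenting
        executors offline and bring spares online; fail closed without a majority."""
        results = {name: ctl(topo, src, dst) for name, ctl in self.active.items()}
        table, votes = Counter(results.values()).most_common(1)[0]
        if 2 * votes <= len(results):
            return None  # no strict majority: nothing reaches the middle-layer controller
        for name, tbl in results.items():
            if tbl != table:  # dissenting executor: clean offline
                self.offline.append(name)
                del self.active[name]
                if self.standby:  # replace with a redundant standby executor
                    new_name, ctl = self.standby.pop(0)
                    self.active[new_name] = ctl
        return table
```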
Priority Application

Application Number: CN202010436998.5A
Priority Date: 2020-05-21
Filing Date: 2020-05-21
Title: Mimicry virtual network management system
Status: Pending

Publication

Publication Number: CN113703908A (en)
Publication Date: 2021-11-26

Family ID: 78646098
Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180046486A1 (en) * 2016-08-10 2018-02-15 American Megatrends, Inc. Cloud based platform simulation for management controller development
CN106685787A (en) * 2017-01-03 2017-05-17 华胜信泰信息产业发展有限公司 Power VM virtualized network management method and device based on Open Stack
CN107147533A (en) * 2017-05-31 2017-09-08 郑州云海信息技术有限公司 A kind of flow table configuration distributing method and system based on SDN frameworks
CN109587168A (en) * 2018-12-29 2019-04-05 河南信大网御科技有限公司 Network function dispositions method based on mimicry defence in software defined network
CN109768892A (en) * 2019-03-04 2019-05-17 中山大学 A kind of network security experimental system of micro services

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114650209A (en) * 2022-04-15 2022-06-21 中国电信股份有限公司 Network architecture
CN115174137A (en) * 2022-05-23 2022-10-11 重庆移通学院 Security function virtualization system based on cloud edge-side cooperation
CN114826782A (en) * 2022-06-28 2022-07-29 之江实验室 Multi-mode arbitration negative feedback system based on multi-objective optimization algorithm
CN115834140A (en) * 2022-10-31 2023-03-21 中国国家铁路集团有限公司 Railway network security management method and device, electronic equipment and storage medium
CN115834140B (en) * 2022-10-31 2023-11-10 中国国家铁路集团有限公司 Railway network security management method and device, electronic equipment and storage medium
CN115499322A (en) * 2022-11-14 2022-12-20 网络通信与安全紫金山实验室 Management system and method of mimicry equipment cluster and electronic equipment
CN115499253A (en) * 2022-11-18 2022-12-20 网络通信与安全紫金山实验室 Test field platform for testing defense technology and test method of defense technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination