CN114363079A - Distributed intelligent data supervision system of cloud platform - Google Patents


Publication number
CN114363079A
Authority
CN
China
Prior art keywords
layer
supervision
cloud
monitoring
platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210026033.8A
Other languages
Chinese (zh)
Inventor
邢佳
于振华
李鹏
马康
曹文东
王蕊
赵田军
武东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beiyin Financial Technology Co ltd
Original Assignee
Beiyin Financial Technology Co ltd
Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a distributed intelligent data supervision system for a cloud platform, comprising: a physical layer, an operating system layer, a security detection and reinforcement layer, a security control layer, a cloud native layer and a tenant-side cloud management platform layer. The physical layer consists of distributed physical resources; the operating system layer is connected to the physical layer and manages physical computer resources; the security detection and reinforcement layer performs security scanning based on asset management; the security control layer is connected to the security detection and reinforcement layer; the cloud native layer is connected to the security control layer; and the tenant-side cloud management platform layer provides an independent resource access platform for multiple tenants. Monitoring data from each layer is collected using the endogenous layered resource supervision mode, and abnormal features of the data are analyzed by self-learning, thereby enriching the corresponding supervision knowledge base.

Description

Distributed intelligent data supervision system of cloud platform
Technical Field
The invention relates to the field of data supervision, in particular to a distributed intelligent data supervision system of a cloud platform.
Background
Since 2008, business systems in the financial industry have handled large volumes of private data belonging to individuals and enterprises. As new laws and regulations are continually issued, financial institutions struggle to keep up with ever-changing regulatory requirements and face great pressure. At the same time, cloud computing, with its elastic scaling, unified orchestration and platform approach, is being adopted rapidly in the financial industry, so the older technical supervision measures built for traditional IT architectures are no longer adequate. For a cloud platform pursuing technological innovation, the main pressure comes from the high complexity of regulatory compliance and the strict deadlines set by regulators; the platform needs comprehensive audit capability before, during and after an event. It is therefore particularly important and urgent to support agile business delivery and flexible resource supply on a multi-tenant financial cloud computing platform while isolating data traffic between tenants and comprehensively protecting and auditing sensitive confidential information.
In the prior art, security problems are monitored or repaired by adding verification rules at the business layer. Such schemes are highly intrusive to the business and require changes to existing code. Alternatively, a bypass traffic mirror is deployed at the network layer to analyze network packets, but this approach cannot adapt to elastic infrastructure; in particular, on a PaaS cloud platform built mainly on containers, the information points change dynamically all the time.
Disclosure of Invention
In view of the above, the present invention has been developed to provide a distributed intelligent data supervision system for a cloud platform that overcomes or at least partially solves the above-mentioned problems.
According to an aspect of the present invention, there is provided a distributed intelligent data supervision system of a cloud platform, the supervision system comprising: a physical layer, an operating system layer, a security detection and reinforcement layer, a security control layer, a cloud native layer and a tenant-side cloud management platform layer;
the physical layer consists of distributed physical resources;
the operating system layer is connected to the physical layer and is used for managing physical computer resources;
the security detection and reinforcement layer is used for security scanning based on asset management, to enforce a consistent security baseline;
the security control layer is connected to the security detection and reinforcement layer and is used for taking security control measures according to detection time;
the cloud native layer is connected to the security control layer and is used for checking, at the cluster security level, the configuration security and potential vulnerability risks of the cluster;
the tenant-side cloud management platform layer is used for providing an independent resource access platform for multiple tenants.
Optionally, the supervision system further includes a supervision engine module, which is used for maintaining, updating and locating the supervision rules and for analyzing and learning from feature data.
Optionally, the supervision engine module specifically includes: a prior supervision unit, an in-process supervision unit and a post supervision unit;
the prior supervision unit is used for maintaining, issuing and executing rules;
the in-process supervision unit is used for supervision requests, feature comparison and the learning engine;
the post supervision unit is used for alarm notification and linked defense control.
Optionally, the post supervision unit specifically includes: a start-time subunit, a post-start subunit and a supervision subunit;
the supervision subunit is connected to the start-time subunit and to the post-start subunit, and records supervision events throughout the process in an audit database for alerting or later supervision analysis;
the start-time subunit is used by the cloud platform to hand the service start command line to the locally cached supervision rules for processing;
the post-start subunit is used by the local supervision agent to supervise the running service processes in real time.
Optionally, the in-process supervision unit specifically includes: a traffic control subunit, a traffic mirroring subunit and a start control subunit;
after the service image is built, and before a cloud platform node pulls it and starts it running, supervision scanning is performed on the image cached on the node;
when the business application is started, if an application whose image has been tampered with is found, the cloud platform refuses to start the application service instance;
traffic is collected through a bypass, and if leakage of supervised business data is found according to the supervision requirements, the supervision platform can be configured with a preset action, ranging from whether to send an alarm up to blocking the traffic.
The invention provides a distributed intelligent data supervision system of a cloud platform, comprising: a physical layer, an operating system layer, a security detection and reinforcement layer, a security control layer, a cloud native layer and a tenant-side cloud management platform layer. The physical layer consists of distributed physical resources; the operating system layer is connected to the physical layer and manages physical computer resources; the security detection and reinforcement layer performs security scanning based on asset management to enforce a consistent security baseline; the security control layer is connected to the security detection and reinforcement layer and takes security control measures according to detection time; the cloud native layer is connected to the security control layer and checks, at the cluster security level, the configuration security and potential vulnerability risks of the cluster; and the tenant-side cloud management platform layer provides an independent resource access platform for multiple tenants. Monitoring data from each layer is collected using the endogenous layered resource supervision mode, and abnormal features of the data are analyzed by self-learning, thereby enriching the corresponding supervision knowledge base.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a block diagram of a distributed intelligent data supervision system of a cloud platform according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a container cloud platform according to an embodiment of the present invention;
FIG. 3 is a flowchart of in-process (during-event) business processing according to an embodiment of the present invention;
FIG. 4 is a flowchart of post-event business processing according to an embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating the operation of the supervision engine according to an embodiment of the present invention;
FIG. 6 is a diagram of the resource supervision mode according to an embodiment of the present invention;
FIG. 7 is a flowchart illustrating pattern recognition and learning on empirical data using an AI analysis model according to an embodiment of the present invention;
FIG. 8 is a flowchart of the modeling method for the analysis model according to an embodiment of the present invention;
FIG. 9 is a flowchart of the training method for a support vector machine model, a generalized linear classifier for binary classification of data by supervised learning, according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprises" and "comprising," and any variations thereof, in the present description and claims and drawings are intended to cover a non-exclusive inclusion, such as a list of steps or elements.
The technical solution of the present invention is further described in detail with reference to the accompanying drawings and embodiments.
Starting from the specific technical architecture and application modes of cloud native computing, such as containerized deployment, the microservice application model and integrated development and operations, the invention designs and implements a distributed monitoring management system. It combines the before-, during- and after-the-event supervision capabilities required by sensitive financial business systems and uses AI machine learning to actively learn possible supervision events, thereby designing a new cloud native security protection mode that meets the security requirements and challenges the financial industry faces with dynamic workloads in the container cloud field, and that achieves security supervision, compliance handling and comprehensive protection for the cloud native technical architecture and large-scale applications. While making full use of the cloud platform's distributed deployment, elastic resource scaling and dynamic, intelligent operations orchestration, it improves the platform's overall security protection capability without intruding on the code of existing applications. The invention is applicable to the field of container clouds.
As shown in FIG. 1, the framework of the distributed monitoring management system is as follows.
The invention relates to a distributed monitoring management system based on a container cloud platform, which comprises:
Physical layer: distributed physical resources, e.g., servers, networks, firewalls and storage.
Operating system layer: manages physical computer hardware and software resources, for example managing and configuring memory, prioritizing system resources, controlling input and output devices, operating networks and managing file systems.
Security detection and reinforcement layer: based on asset-management security scanning of containers, processes, workloads, middleware and the like, enforces a consistent security baseline, for example role-based permission control, identity recognition and access management, and detects possible sensitive information leakage in configuration files inside an image.
Security control layer: takes security control measures according to detection time, such as alarm reminders, network blocking, controlling image download and running, cleaning up file handles, and controlling or killing running processes.
Cloud native layer: covers the full Build, Ship and Run life cycle, puts DevSecOps security practice into effect for application systems, and makes services secure from the moment they go online. From the perspectives of container build, distribution and running, each stage checks whether the image contains application vulnerabilities, whether a base image is used, whether the image is trusted, and whether malicious files or sensitive information are present. At the cluster security level, it checks the cluster's configuration security and potential vulnerability risks.
Tenant-side cloud management platform layer: provides an independent resource access platform for multiple tenants, including a Web UI for viewing platform resources, workloads, logs and monitoring information, as well as a command line, API and SDK for integrating with systems for resource control and management.
The supervision engine runs through the above 6 layers to provide log audit, time monitoring, event tracing, sensitive information monitoring, message scanning, self-learning and issuing of supervision rules, and supervision analysis and visualization for each layer.
As shown in FIG. 2, the security platform provides the ability to supervise and handle security events before, during and after the event. The core function of the container cloud platform is to obtain feature data about application instances on the cloud, such as their start-up, network, processes and files, and to be able to control instances. This is embodied as follows.
Before the event: build pipeline, code scanning and artifact scanning.
The application build process uses a CI/CD pipeline provided by the cloud platform:
while the code is fetched and built, it is security-scanned according to the rules of the supervision engine;
when the build artifact is merged with the base image, the referenced base image is supervised and verified, and if it has defects, construction of the service image is stopped.
As shown in FIG. 3, during the event: traffic control, traffic mirroring and start control.
After the service image is built, and before a cloud platform node pulls it and starts it running, the image cached on the node is scanned again to ensure that it was not tampered with in transit.
When the business application is started, if the image has been tampered with or contains an application program that does not meet the supervision requirements, the cloud platform refuses to start the application service instance.
In a cloud platform environment where the resources of multiple hosts are pooled, encrypted encapsulation of network traffic in tunnels ensures that the traffic of different applications does not leak, and traffic replication is used to copy the encrypted service traffic, per application, to the supervision engine agent for bypass analysis.
Because traffic is collected through a bypass, service communication efficiency is not affected. If leakage of supervised business data is found according to the supervision requirements, the supervision platform can be configured with a preset action, ranging from whether to send an alarm up to blocking the traffic.
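The image re-check before start and the refusal to start described above can be sketched as follows. This is an added example, not code from the patent; the HMAC-signed build manifest, the shared key, the field names and the forbidden-program list are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the build pipeline and the node agent share this key (constructed value).
SIGNING_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(image: str, layers: list, programs: list):
    """Build-time step: record every layer digest and the programs in the image."""
    manifest = {
        "image": image,
        "layers": [sha256_hex(layer) for layer in layers],
        "programs": sorted(programs),
    }
    return manifest, sign_manifest(manifest)


def admit(manifest, signature, cached_layers, forbidden_programs, key=SIGNING_KEY):
    """Start-time gate run on the node against its cached copy of the image.

    Returns (allowed, reasons); the instance is started only if allowed is True.
    """
    # A manifest that fails verification cannot be trusted for any further check.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid"]
    reasons = []
    cached = [sha256_hex(layer) for layer in cached_layers]
    if len(cached) != len(manifest["layers"]):
        reasons.append("layer count differs from build manifest")
    for index, (expected, actual) in enumerate(zip(manifest["layers"], cached)):
        if expected != actual:
            reasons.append(f"layer {index} digest mismatch")
    # Supervision requirement: no program on the forbidden list may be in the image.
    for program in manifest["programs"]:
        if program in forbidden_programs:
            reasons.append(f"program not permitted: {program}")
    return not reasons, reasons


# Constructed sample data: two image layers and one forbidden program path.
BUILD_LAYERS = [b"base-os-layer", b"payments-service-1.4.2"]
FORBIDDEN = {"/usr/bin/telnetd"}

if __name__ == "__main__":
    manifest, sig = build_manifest("payments:1.4.2", BUILD_LAYERS, ["/app/payments"])
    print(admit(manifest, sig, BUILD_LAYERS, FORBIDDEN))
    modified = [BUILD_LAYERS[0], b"payments-service-1.4.2-modified"]
    print(admit(manifest, sig, modified, FORBIDDEN))
```
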
As shown in FIG. 4, after the event: process checking and file handle tracking.
At start-up, the cloud platform hands the service start command line to the locally cached supervision rules for processing, and the start is stopped if the command line does not satisfy them.
After start-up, the local supervision agent supervises the running service processes in real time; besides rule updates actively pushed by the supervision platform, the agent also periodically synchronizes rules from the supervision engine on its own initiative and compares them with the actual process list.
Supervision events throughout the process are recorded in an audit database for alerting or later supervision analysis.
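The start-time check, the periodic rule synchronization and the comparison against the process list can be sketched as a small agent. This is an added example, not code from the patent; the rule format (allowed binaries, denied arguments, a version number), the class names and the sample processes are assumptions, and an in-memory list stands in for the audit database.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleSet:
    version: int
    allowed_binaries: frozenset  # absolute paths permitted as argv[0]
    denied_args: frozenset       # arguments that are never permitted


class SupervisionAgent:
    def __init__(self, cached_rules: RuleSet):
        self.rules = cached_rules   # locally cached supervision rules
        self.audit_log = []         # stands in for the audit database

    def _audit(self, event: str, detail: str) -> None:
        self.audit_log.append((event, self.rules.version, detail))

    def _permitted(self, command_line: str) -> bool:
        try:
            argv = shlex.split(command_line)
        except ValueError:          # unbalanced quotes: cannot be evaluated, so refuse
            return False
        if not argv or argv[0] not in self.rules.allowed_binaries:
            return False
        return not (set(argv[1:]) & self.rules.denied_args)

    def sync(self, engine_rules: RuleSet) -> bool:
        """Accept pushed or pulled rules only if they are newer than the cache."""
        if engine_rules.version <= self.rules.version:
            return False
        self.rules = engine_rules
        self._audit("rules_updated", f"now at version {engine_rules.version}")
        return True

    def check_start(self, command_line: str) -> bool:
        """Start-time gate: the start is stopped when the rules are not met."""
        allowed = self._permitted(command_line)
        self._audit("start_allowed" if allowed else "start_refused", command_line)
        return allowed

    def scan_processes(self, process_list) -> list:
        """Compare (pid, command line) pairs with the rules; return violating pids."""
        violations = []
        for pid, command_line in process_list:
            if not self._permitted(command_line):
                violations.append(pid)
                self._audit("process_violation", f"pid {pid}: {command_line}")
        return violations


# Constructed sample rules and process list.
RULES_V1 = RuleSet(1, frozenset({"/usr/bin/java", "/usr/sbin/nginx"}), frozenset({"-Xdebug"}))
RULES_V2 = RuleSet(2, frozenset({"/usr/bin/java"}), frozenset({"-Xdebug"}))
PROCESS_LIST = [
    (101, "/usr/bin/java -jar /app/payments.jar"),
    (102, "/usr/sbin/nginx -g 'daemon off;'"),
    (103, "/usr/bin/java -Xdebug -jar /app/payments.jar"),
]

if __name__ == "__main__":
    agent = SupervisionAgent(RULES_V1)
    print(agent.check_start("/usr/bin/java -jar /app/payments.jar"))
    print(agent.scan_processes(PROCESS_LIST))
    agent.sync(RULES_V2)
    print(agent.scan_processes(PROCESS_LIST))
```
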
As shown in FIG. 5, the supervision engine mainly handles the maintenance, updating and locating of supervision rules, is able to analyze and learn from feature data, and has high-performance real-time processing capability. This is embodied as follows.
Before the event: rule maintenance and issuing; during the event: supervision requests, feature comparison and the learning engine; after the event: alarm notification and linked defense control.
The event processing flow is described as follows:
Multiple network isolation domains are established among the business systems of the cloud platform's tenants. The tenant business system to which a dynamically migrated service instance belongs can be identified by marking, so that the isolation rules are updated in real time. The isolation boundary covers both tenants and different application instances of the same tenant.
A service agent of the supervision engine runs on each cloud platform node, and its life cycle is guaranteed by the cloud platform's own mechanisms. The agent can capture raw tenant service traffic, performs admission control on the service start-up flow, and has audit and recognition capability for the service integration running in the service.
The supervision service agent works in concert with the cloud platform, automatically discovering and tracking detection points based on the cloud platform's life-cycle management events for tenants and running service instances.
The supervision service agent does not analyze or process the service traffic itself; because the captured raw data contains privacy-protected data, it is transmitted in real time over an encrypted channel to a dedicated supervision engine platform.
The supervision engine platform can direct the supervision service agents by assigning tasks according to the supervision rules, and carries out the scheduled supervision control actions on control points including, but not limited to, start control, traffic bandwidth and service processes.
Resource supervision mode
The invention provides a resource supervision mode based on endogenous layering. Layering means that CPU, memory and network are monitored and analyzed layer by layer, from bottom to top, across the host layer, the cloud native layer and the application layer. Endogenous management means that host resources are supervised from within the container cloud architecture, with the container cloud as the core: on the lower side it covers the host operating system and the virtualization of host hardware resources; on the upper side it interfaces with resource supervision of the programs packaged and run by the container framework, that is, the control that programs running in containers have over host resources and the data transmitted between containers. This addresses the problems of abuse of control rights, container escape and insufficient protection of sensitive information in traditional container cloud architectures. A bottom-up resource mapping relationship and association relationship is established among the three layers.
As shown in FIG. 6, in the resource monitoring mode, full-dimensional monitoring of CPU, memory and network resources is performed at the host layer or operating system layer, with detailed monitoring at the process level.
The cloud native layer covers cloud native resource monitoring. In resource monitoring, CPU, memory and the like must be identified and mapped to the different levels of Pod, Service and Tenant. In process monitoring, containers, and even fine-grained system calls and kernel function calls of a process, need to be accurately identified. In network monitoring, besides the host physical network, the virtualized network between Pods and even the Mesh network traffic between applications are also monitored.
At the application layer, applications under a microservice architecture make application resource monitoring exceptionally complex. Monitoring covers the average latency of applications, the API call chain between applications and the API call parameters, as well as the business information carried by applications, such as business call logic, parameters, personal sensitive information and tenants' access control over data.
Based on this resource supervision model, the intelligent security monitoring engine uses AI technology to self-learn the security events of multi-tenant scenarios.
System supervision is generally divided into feature-based scanning and supervision, anomaly-based supervision, and hybrid supervision. Feature-based supervision detects known attacks by their features and is an efficient way to detect attacks already covered by the existing rule base. However, it cannot detect a new type of attack, because no features for it exist yet. To overcome this, anomaly-based detection compares current system monitoring data with a predefined profile to detect abnormal behavior that may be a security breach. Anomaly-based detection can effectively resist unknown or zero-day attacks without any update to the system.
As shown in FIG. 7, the AI analysis model used in the present invention performs pattern recognition on, and learns from, empirical data.
As shown in FIG. 8, the analysis model is built following the traditional machine learning workflow, with full life-cycle management from data collection through data cleaning and feature engineering to data modeling.
As shown in FIG. 9, a support vector machine, a generalized linear classifier that performs binary classification of data by supervised learning, is adopted. The model is trained in the following steps:
Load the data set from the main monitoring system or the log audit system and import it into a distributed data set or data frame for the model. Perform data preprocessing, data cleaning and data standardization.
Feature selection: select data features using principal component analysis and a chi-square selector. Train the SVM classification model on the training data set. Test and evaluate the model on the test data set.
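The training steps above can be followed end to end in a dependency-free sketch. This is an added example, not code from the patent: the monitoring samples are constructed, the feature names are assumptions, the chi-square selector is computed on median-binarized features, the SVM is a linear one trained by sub-gradient descent on the hinge loss, and the principal component analysis step is omitted to keep the block self-contained.

```python
import random

FEATURES = ["cpu_pct", "new_conns_per_s", "syscalls_per_s", "noise_a", "noise_b"]


def make_dataset(n_per_class=100, seed=7):
    """Constructed samples; label +1 = anomalous, -1 = normal."""
    rng = random.Random(seed)
    rows = []
    for label, (cpu, conns, sysc) in ((-1, (30, 20, 500)), (1, (85, 200, 4000))):
        for _ in range(n_per_class):
            rows.append(([rng.gauss(cpu, 5), rng.gauss(conns, 10), rng.gauss(sysc, 200),
                          rng.gauss(50, 10), rng.gauss(0, 1)], label))
    rng.shuffle(rows)
    return rows


def fit_scaler(X):
    """Per-feature mean and standard deviation, fitted on the training set only."""
    n, d = len(X), len(X[0])
    mean = [sum(row[j] for row in X) / n for j in range(d)]
    std = [(sum((row[j] - mean[j]) ** 2 for row in X) / n) ** 0.5 or 1.0 for j in range(d)]
    return mean, std


def scale(X, mean, std):
    return [[(v - m) / s for v, m, s in zip(row, mean, std)] for row in X]


def chi_square_scores(X, y):
    """Chi-square statistic of the 2x2 table (feature > median) versus label."""
    n = len(X)
    scores = []
    for j in range(len(X[0])):
        col = sorted(row[j] for row in X)
        median = (col[(n - 1) // 2] + col[n // 2]) / 2
        a = sum(1 for row, lab in zip(X, y) if row[j] > median and lab == 1)
        b = sum(1 for row, lab in zip(X, y) if row[j] > median and lab == -1)
        c = sum(1 for row, lab in zip(X, y) if row[j] <= median and lab == 1)
        d = n - a - b - c
        denom = (a + b) * (c + d) * (a + c) * (b + d)
        scores.append(n * (a * d - b * c) ** 2 / denom if denom else 0.0)
    return scores


def train_linear_svm(X, y, lam=0.01, lr=0.1, epochs=200):
    """Full-batch sub-gradient descent on the L2-regularised hinge loss."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [lam * wj for wj in w], 0.0
        for x, label in zip(X, y):
            if label * (sum(wj * xj for wj, xj in zip(w, x)) + b) < 1:
                for j in range(d):
                    grad_w[j] -= label * x[j] / n
                grad_b -= label / n
        w = [wj - lr * gj for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


def predict(w, b, x):
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b >= 0 else -1


def train_and_evaluate(k=3):
    data = make_dataset()
    split = int(0.7 * len(data))                      # 70 % train, 30 % test
    X_train, y_train = [r for r, _ in data[:split]], [l for _, l in data[:split]]
    X_test, y_test = [r for r, _ in data[split:]], [l for _, l in data[split:]]
    mean, std = fit_scaler(X_train)                   # standardization
    X_train, X_test = scale(X_train, mean, std), scale(X_test, mean, std)
    scores = chi_square_scores(X_train, y_train)      # feature selection
    selected = sorted(sorted(range(len(scores)), key=lambda j: -scores[j])[:k])
    project = lambda X: [[row[j] for j in selected] for row in X]
    w, b = train_linear_svm(project(X_train), y_train)
    hits = sum(predict(w, b, x) == lab for x, lab in zip(project(X_test), y_test))
    return selected, hits / len(y_test)


if __name__ == "__main__":
    selected, accuracy = train_and_evaluate()
    print([FEATURES[j] for j in selected], accuracy)
```
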
The invention collects the monitoring data of each layer based on the endogenous layered resource monitoring mode, and self-learns and analyzes the abnormal characteristics of the data, thereby enriching the corresponding monitoring knowledge base.
Beneficial effects: a distributed monitoring management system; the ability to supervise and handle security events before, during and after the event on the security platform; a cloud native security protection mode with no code intrusion into the system; and an intelligent security monitoring engine that uses AI (artificial intelligence) technology to self-learn the security events of multi-tenant scenarios.
The above embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, it should be understood that the above embodiments are merely exemplary embodiments of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (5)

1. A distributed intelligent data supervision system of a cloud platform, the supervision system comprising: a physical layer, an operating system layer, a security detection and reinforcement layer, a security control layer, a cloud native layer and a tenant-side cloud management platform layer;
the physical layer consists of distributed physical resources;
the operating system layer is connected to the physical layer and is used for managing physical computer resources;
the security detection and reinforcement layer is used for security scanning based on asset management, to enforce a consistent security baseline;
the security control layer is connected to the security detection and reinforcement layer and is used for taking security control measures according to detection time;
the cloud native layer is connected to the security control layer and is used for checking, at the cluster security level, the configuration security and potential vulnerability risks of the cluster;
the tenant-side cloud management platform layer is used for providing an independent resource access platform for multiple tenants.
2. The distributed intelligent data supervision system of a cloud platform according to claim 1, wherein the supervision system further comprises a supervision engine module, which is used for maintaining, updating and locating the supervision rules and for analyzing and learning from feature data.
3. The system according to claim 2, wherein the supervision engine module specifically comprises: a prior supervision unit, an in-process supervision unit and a post supervision unit;
the prior supervision unit is used for maintaining, issuing and executing rules;
the in-process supervision unit is used for supervision requests, feature comparison and the learning engine;
the post supervision unit is used for alarm notification and linked defense control.
4. The system according to claim 3, wherein the post supervision unit specifically comprises: a start-time subunit, a post-start subunit and a supervision subunit;
the supervision subunit is connected to the start-time subunit and to the post-start subunit, and records supervision events throughout the process in an audit database for alerting or later supervision analysis;
the start-time subunit is used by the cloud platform to hand the service start command line to the locally cached supervision rules for processing;
the post-start subunit is used by the local supervision agent to supervise the running service processes in real time.
5. The system according to claim 3, wherein the in-process supervision unit specifically comprises: a traffic control subunit, a traffic mirroring subunit and a start control subunit;
after the service image is built, and before a cloud platform node pulls it and starts it running, supervision scanning is performed on the image cached on the node;
when the business application is started, if an application whose image has been tampered with is found, the cloud platform refuses to start the application service instance;
traffic is collected through a bypass, and if leakage of supervised business data is found according to the supervision requirements, the supervision platform can be configured with a preset action, ranging from whether to send an alarm up to blocking the traffic.
CN202210026033.8A 2022-01-11 2022-01-11 Distributed intelligent data supervision system of cloud platform Pending CN114363079A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210026033.8A CN114363079A (en) 2022-01-11 2022-01-11 Distributed intelligent data supervision system of cloud platform

Publications (1)

Publication Number Publication Date
CN114363079A true CN114363079A (en) 2022-04-15

Family

ID=81110025

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210026033.8A Pending CN114363079A (en) 2022-01-11 2022-01-11 Distributed intelligent data supervision system of cloud platform

Country Status (1)

Country Link
CN (1) CN114363079A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070889A (en) * 2017-03-10 2017-08-18 中国电建集团成都勘测设计研究院有限公司 A kind of unified security system of defense based on cloud platform
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system
CN112579288A (en) * 2020-12-18 2021-03-30 曙光星云信息技术(北京)有限公司 Cloud computing-based intelligent security data management system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
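CNCF: "Putting cloud-native application security into practice: the container security system you need to understand", 《URL:HTTPS://CLOUD.TENCENT.COM/DEVELOPER/ARTICLE/1868138》, pages 1 - 4 *
国家保密科技测评中心: "Container security protection and practice in cloud native", 《URL:HTTP://WWW.GJBMJ.GOV.CN/N1/2021/1104/C411145-32273826.HTML》 *
安全狗: "A brief analysis of cloud-native security attack and defense techniques", 《HTTPS://ZHUANLAN.ZHIHU.COM/P/371890519》 *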

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115794538A (en) * 2022-09-07 2023-03-14 上海道客网络科技有限公司 Full link monitoring method and system for stateful application in cloud native scene
CN115794538B (en) * 2022-09-07 2023-08-04 上海道客网络科技有限公司 Full-link monitoring method and system for stateful application in cloud primary scene

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination