CN115987566A - Isolation framework based on new energy power system server - Google Patents


Info

Publication number: CN115987566A
Authority: CN (China)
Prior art keywords: new energy, server, isolation, energy power, domain0
Legal status: Pending (the status shown is an assumption, not a legal conclusion)
Application number: CN202211537388.XA
Other languages: Chinese (zh)
Inventors: 余云昊, 狄查美玲, 张博达, 罗扶华, 郭翔, 陈晓谨, 曹扬, 张文哲, 苏扬
Current assignee: Guizhou Power Grid Co Ltd (assignee listing may be inaccurate)
Original assignee: Guizhou Power Grid Co Ltd
Priority date: 2022-12-01 (assumed, not a legal conclusion)
Filing date: 2022-12-01
Publication date: 2023-04-18

Timeline
2022-12-01: Application CN202211537388.XA filed by Guizhou Power Grid Co Ltd; priority to CN202211537388.XA.
2023-04-18: Publication of CN115987566A.
Current status: Pending.

Abstract

The invention discloses a server isolation framework for a new energy power system. The framework is implemented with the virtualization program Xen, which has more than one layer; the bottommost layer, which holds the highest privilege, is the Xen program itself. The architecture is deployed at the following positions: two software modules in the privileged Domain0, one for data isolation and one for network isolation; a Labeling Service deployed on the storage devices of the cloud service provider; and the system-level information flow tracking component of the Pedigree operating system installed on each new energy power station's user virtual machine instance that uses OmniSep. This addresses technical problems such as preventing sensitive information on the cloud service from being leaked.

Description

Isolation framework based on new energy power system server
Technical Field
The invention belongs to the technical field of computers, and in particular relates to a server isolation framework for a new energy power system.
Background
Renewable primary energy sources such as wind and solar cannot be stored and fluctuate, so new energy generation such as wind power carries great uncertainty; the controllability of the supply side of the power system decreases, and a new energy power system must adjust to the operating state of the grid in real time to ensure safe and stable operation. On the other hand, modern power systems use computer network technology in place of the traditional distributed plant automation equipment, and emerging technologies such as cloud computing, big data and the internet of things are widely applied to power systems. As the core carrier of cloud computing, the data center is on the one hand connected to the whole digital and information network and on the other hand inseparably fused with traditional industry, and it can regulate power load by changing the processing time and processing nodes of computing tasks. However, the data center of an existing power system accesses the data of many new energy power stations at the same time, a large number of users share one network and one server, and ensuring the safety and privacy of power data in such an environment is a serious problem.
At present there is no good solution for preventing network attacks, and even when a data leakage prevention system is deployed, leakage of sensitive information on cloud services cannot be prevented. This lack of technical means can lead to malicious attacks from the inside, so how to control, protect and monitor power data has become an important problem for power systems, and an effective set of data security isolation methods is urgently needed.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: an isolation architecture based on the new energy power system server is provided, so that a cloud service provider can offer security as a service to each new energy power station user; even if the software and services operated by a transformer substation are insecure, the method still ensures the data security of each point-side station. This addresses the technical problems that sensitive information on the cloud service cannot be prevented from leaking even when a data leakage prevention system is deployed, and that no good solution for preventing network attacks exists.
The technical scheme of the invention is as follows:
An isolation framework based on a new energy power system server is implemented with the virtualization program Xen, wherein Xen has more than one layer and the lowest layer, which holds the highest privilege, is the Xen program. The architecture is deployed at the following positions: two software modules in the privileged Domain0, one for data isolation and one for network isolation; a Labeling Service deployed on a storage device of the cloud service provider; and the Pedigree operating system level information flow tracking component installed on a user virtual machine instance of the new energy power station using OmniSep.
The framework operates as follows. The service provider starts the cloud server, and a new energy power station user sends a registration request to the server. On receiving the request, the server verifies uniqueness through the domain name; if the check passes, login is allowed, and the cloud server provider sets, on the server side, the user's authority to operate the power system. The Xen program is then started and the Domain0 virtual machine is found with xm list; Domain0 serves as the manager and controller of the remaining virtual machines.
Domain0 constructs further domains and manages virtual devices; the Xend server process in the virtualization program manages the system through Domain0, and Xend is responsible for managing the individual virtual hosts and providing console access to them.
Commands are passed to Xend through an HTTP interface by a command line tool. A new energy power station user running Pedigree specifies a security policy, and the labeling service deployed at the cloud service provider automatically distributes the labeled data, so that Pedigree can track all information flows between processes and files in the virtual machine instance; when new energy power station data flows to a network outside the cloud in a non-compliant manner, the enforcement component in Domain0 terminates that data exchange.
The module for network isolation in the privileged Domain0 detects the user data of new energy power stations that share hardware resources.
The detection method is as follows: the IP address of the virtual machine instance is rewritten through the server database, so that other new energy power station users cannot discover another user's real IP address, and the ping reply time is adjusted so that the ping time between virtual machines on the same physical host equals the ping time between different physical hosts.
The invention has the following beneficial effects:
the invention provides a solution based on OmniSep, an architecture comprising a series of technologies that strengthen data and network isolation for the user environments of many new energy power stations in cloud computing. OmniSep realizes data and network isolation according to the user's intent through components deployed at different positions in the cloud, and fully guarantees the data security of the user.
The method has the advantage that the cloud service provider can offer security as a service to each new energy power station user; even if the software and services operated by a transformer substation are insecure, the method still ensures the data security of each point-side station, and the technical problem of preventing sensitive information on the cloud service from being leaked is solved.
Drawings
FIG. 1 is a block diagram of the logical structure of the operation of the present invention.
Detailed Description
The invention provides a new energy power system server isolation framework, so that a cloud service provider can offer security as a service to each new energy power station user; even if the software and services operated by a transformer substation are insecure, the method still ensures the data security of each point-side station.
Example 1: a server isolation framework based on a new energy power system. The framework is implemented with the virtualization program Xen, which has several layers; the lowest layer, which holds the highest privilege, is the Xen program, and the framework is deployed at the following positions:
1) Two software modules in the privileged Domain0, one for data isolation and one for network isolation;
2) A Labeling Service deployed on a storage device of the cloud service provider;
3) The system-level information flow tracking component of the Pedigree operating system installed on the user virtual machine instance of the new energy power station using OmniSep.
When Xen starts running, the Domain0 virtual machine is found with xm list. Domain0 serves as the manager and controller of the other virtual hosts: it can construct further domains and manage virtual devices, the Xend server process in the virtualization program manages the system through Domain0, and Xend is responsible for managing the virtual hosts and providing a console for entering them; commands are passed to Xend by a command line tool through an HTTP interface. A new energy power station user running Pedigree specifies a security policy, and the labeling service deployed at the cloud service provider automatically distributes the data labeled for that user, so that Pedigree can track all information flow between processes and files in the virtual machine instance; when new energy power station data flows to a network outside the cloud in a manner not specified by the policy, the enforcement component in Domain0 terminates that data exchange.
The module for network isolation in the privileged Domain0 detects the user data of new energy power stations that share hardware resources. It rewrites the IP address of the virtual machine instance through the server database, which first prevents other new energy power station users from discovering another user's real IP address, and at the same time adjusts the ping reply time so that the ping time between virtual machines on the same physical host and the ping time between different physical hosts are the same.
The architecture comprises a series of technologies that strengthen data and network isolation for the user environments of many new energy power stations through cloud computing; OmniSep realizes data and network isolation according to the user's intent through components deployed at different positions in the cloud, and the data security of users is fully guaranteed.
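The labeling, tracking and enforcement chain described above, as an added simulation that is not code from the patent: LabelingService, FlowTracker (standing in for the Pedigree component), Domain0Enforcer and the stations, paths, policy and addresses are all constructed for illustration, and 10.0.0.0/8 is assumed to be the provider's internal network.

```python
# Added illustrative simulation, not code from the patent; names, paths and
# addresses are constructed. Labels are owning stations; 10.0.0.0/8 is assumed
# to be the provider's internal network.
from dataclasses import dataclass, field

class LabelingService:
    """Keeps the label (owning station) of every object on provider storage."""
    def __init__(self):
        self.labels = {}                      # path -> set of station labels

    def tag(self, path, station):
        self.labels.setdefault(path, set()).add(station)

    def labels_of(self, path):
        return set(self.labels.get(path, ()))

@dataclass
class Process:
    name: str
    station: str
    labels: set = field(default_factory=set)  # taint accumulated so far

class FlowTracker:
    """Stand-in for Pedigree: reading a labeled file taints the process, and a
    tainted process's writes carry its labels onto the written file."""
    def __init__(self, svc):
        self.svc = svc

    def read(self, proc, path):
        proc.labels |= self.svc.labels_of(path)

    def write(self, proc, path):
        for station in proc.labels:
            self.svc.tag(path, station)

class Domain0Enforcer:
    """policy[station] is the set of external addresses that station allowed."""
    def __init__(self, policy):
        self.policy = policy

    def check_send(self, proc, dst):
        """Return (allowed, reason) for proc sending its current data to dst."""
        if dst.startswith("10."):             # stays inside the cloud
            return True, "destination is inside the cloud"
        for station in sorted(proc.labels):
            if dst not in self.policy.get(station, set()):
                return False, f"terminated: {station} data bound for {dst}"
        return True, "external destination allowed by owner policy"

def run_scenario():
    """Two stations sharing one server; station A allows exactly one peer."""
    svc = LabelingService()
    tracker = FlowTracker(svc)
    dom0 = Domain0Enforcer({"stationA": {"203.0.113.10"}})
    svc.tag("/data/stationA/telemetry.csv", "stationA")
    a_proc = Process("collector", "stationA")
    tracker.read(a_proc, "/data/stationA/telemetry.csv")
    tracker.write(a_proc, "/shared/export.csv")   # taint lands on a shared file
    b_proc = Process("analyzer", "stationB")
    tracker.read(b_proc, "/shared/export.csv")    # B's process now carries A's label
    clean = Process("updater", "stationB")        # never touched labeled data
    return {
        "a_internal": dom0.check_send(a_proc, "10.1.2.3")[0],
        "a_listed_peer": dom0.check_send(a_proc, "203.0.113.10")[0],
        "a_unlisted": dom0.check_send(a_proc, "198.51.100.7")[0],
        "b_via_shared_file": dom0.check_send(b_proc, "198.51.100.7")[0],
        "b_labels": b_proc.labels,
        "clean_external": dom0.check_send(clean, "198.51.100.7")[0],
    }
```

The point of the shared-file step is that station B's process inherits station A's label through the file, so Domain0 terminates its outbound transfer even though B itself is under no restriction.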
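The network isolation module just described, as an added simulation that is not code from the patent: it assumes the timing adjustment pads every reply to one fixed cross-host value (the text only states that the two times are made equal) and that rewritten addresses are drawn per viewing tenant from a pool; NetworkIsolation, Instance, the hosts, addresses and timings are constructed.

```python
# Added illustrative simulation, not code from the patent; hosts, addresses and
# timings are constructed. It assumes the adjustment works by padding every
# reply to one fixed cross-host figure (the text only says the two times are
# made equal), and that rewritten addresses come from a per-viewer pool.
from dataclasses import dataclass

TARGET_RTT_MS = 0.60          # assumed: every ping is padded to this value

@dataclass(frozen=True)
class Instance:
    name: str
    station: str
    host: str                 # physical host id, known only to Domain0
    real_ip: str              # address on the shared host network

class NetworkIsolation:
    """Network isolation module in Domain0 sitting between tenant instances."""
    def __init__(self, instances):
        self.by_name = {i.name: i for i in instances}
        self.rewrite = {}     # server database: (viewer station, name) -> shown ip
        self._next = 1

    def visible_ip(self, viewer, target):
        """Address the viewer station sees for target; own instances unchanged."""
        inst = self.by_name[target]
        if inst.station == viewer:
            return inst.real_ip
        key = (viewer, target)
        if key not in self.rewrite:          # stable per-viewer rewrite
            self.rewrite[key] = f"100.64.{self._next // 256}.{self._next % 256}"
            self._next += 1
        return self.rewrite[key]

    def raw_rtt_ms(self, src, dst):
        """Physical reply time without the module: same host answers faster."""
        a, b = self.by_name[src], self.by_name[dst]
        return 0.05 if a.host == b.host else TARGET_RTT_MS

    def ping(self, src, dst):
        """Reply time observed by src once Domain0 has padded the reply."""
        return max(self.raw_rtt_ms(src, dst), TARGET_RTT_MS)

def rtt_reveals_placement(times):
    """True when observed reply times differ between targets, i.e. a tenant
    could tell which of them shares its physical host."""
    return len(set(times.values())) > 1

def run_scenario():
    net = NetworkIsolation([
        Instance("a1", "stationA", "host1", "10.0.1.11"),
        Instance("b1", "stationB", "host1", "10.0.1.12"),   # co-resident with a1
        Instance("c1", "stationC", "host2", "10.0.2.13"),
    ])
    raw = {t: net.raw_rtt_ms("a1", t) for t in ("b1", "c1")}
    padded = {t: net.ping("a1", t) for t in ("b1", "c1")}
    return {
        "raw_reveals": rtt_reveals_placement(raw),
        "padded_reveals": rtt_reveals_placement(padded),
        "b1_seen_by_a": net.visible_ip("stationA", "b1"),
        "b1_seen_by_a_again": net.visible_ip("stationA", "b1"),
        "b1_seen_by_c": net.visible_ip("stationC", "b1"),
        "b1_seen_by_owner": net.visible_ip("stationB", "b1"),
        "b1_real": net.by_name["b1"].real_ip,
    }
```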

Claims (6)

1. An isolation framework based on a new energy power system server, characterized in that: the architecture is implemented with the virtualization program Xen, wherein Xen has more than one layer and the bottommost layer, which holds the highest privilege, is the Xen program; the architecture is deployed at the following positions: two software modules in the privileged Domain0, one for data isolation and one for network isolation; a Labeling Service deployed on a storage device of the cloud service provider; and the Pedigree operating system level information flow tracking component installed on a user virtual machine instance of the new energy power station using OmniSep.
2. The new energy power system server isolation framework of claim 1, wherein the framework operates as follows: the service provider starts the cloud server, and a new energy power station user sends a registration request to the server; on receiving the request, the server verifies uniqueness through the domain name, and if the check passes, login is allowed and the cloud server provider sets, on the server side, the user's authority to operate the power system; the Xen program is started and the Domain0 virtual machine is found with xm list, wherein Domain0 serves as the manager and controller of the remaining virtual machines.
3. The new energy power system server isolation framework of claim 2, wherein: Domain0 constructs domains and manages virtual devices, the Xend server process in the virtualization program manages the system through Domain0, and Xend is responsible for managing the individual virtual hosts and providing console access to them.
4. The new energy power system server isolation framework of claim 3, wherein: commands are passed to Xend through an HTTP interface by a command line tool; a new energy power station user running Pedigree specifies a security policy, and the labeling service deployed at the cloud service provider automatically distributes the labeled data, so that Pedigree can track all information flows between processes and files in the virtual machine instance, and when new energy power station data flows to a network outside the cloud in a non-compliant manner, the enforcement component in Domain0 terminates that data exchange.
5. The new energy power system server isolation framework of claim 2, wherein: the module for network isolation in the privileged Domain0 detects the user data of new energy power stations that share hardware resources.
6. The new energy power system server isolation framework of claim 5, wherein the detection method is as follows: the IP address of the virtual machine instance is rewritten through the server database, so that other new energy power station users cannot discover another user's real IP address, and the ping reply time is adjusted so that the ping time between virtual machines on the same physical host equals the ping time between different physical hosts.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211537388.XA CN115987566A (en) 2022-12-01 2022-12-01 Isolation framework based on new energy power system server

Publications (1)

Publication Number Publication Date
CN115987566A true CN115987566A (en) 2023-04-18

Family

ID=85963771

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070136579A1 (en) * 2005-12-09 2007-06-14 University Of Washington Web browser operating system
EP2513810A2 (en) * 2009-12-14 2012-10-24 Citrix Systems, Inc. Methods and systems for communicating between trusted and non-trusted virtual machines
CN103902884A (en) * 2012-12-28 2014-07-02 中国电信股份有限公司 System and method for protecting data of virtual machine
CN103997502A (en) * 2014-06-05 2014-08-20 浪潮电子信息产业股份有限公司 Safety enhanced model designing method based on cloud computing data center
CN104009885A (en) * 2014-05-22 2014-08-27 北京大学 Virtual machine simultaneous-locating detection method based on hidden channel under cloud environment
US20150309832A1 (en) * 2014-03-24 2015-10-29 Huawei Technologies Co., Ltd. Isolation Method for Management Virtual Machine and Apparatus
US20170155724A1 (en) * 2015-12-01 2017-06-01 Telefonaktiebolaget Lm Ericsson Architecture for enabling fine granular service chaining
CN107179936A (en) * 2016-03-11 2017-09-19 中国电子科技集团公司电子科学研究院 A virtualization partition method based on privilege separation
CN107992755A (en) * 2016-10-26 2018-05-04 湖南移商动力网络技术有限公司 A configurable virtual machine memory partition method
US20190332683A1 (en) * 2018-04-30 2019-10-31 Nutanix, Inc. Virtualized server systems and methods including domain joining techniques
CN112236752A (en) * 2018-04-11 2021-01-15 康奈尔大学 Method and system for improving software container performance and isolation
US20220279421A1 (en) * 2021-03-01 2022-09-01 Juniper Networks, Inc. Containerized router with a generic data plane interface
CN115309511A (en) * 2022-09-28 2022-11-08 亿咖通(湖北)技术有限公司 Xen-based data interaction method and device, storage medium and electronic equipment

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
SANDRA SCOTT-HAYWARD et al.: "A Survey of Security in Software Defined Networks", IEEE, 31 December 2016 *
YOGESH MUNDADA et al.: "SilverLine: Data and Network Isolation for Cloud Services", USENIX Workshop on Hot Topics in Cloud Computing, 31 December 2011 *
杨丽芳, 刘琳: "Design of a trusted computing security platform architecture based on virtual machines", 煤炭技术 (Coal Technology), 28 February 2014 *
王蕾: "Research on e-government cloud applications based on trusted virtual domains", 计算机应用与软件 (Computer Applications and Software), no. 08, 15 August 2012 *
胡志希, 戴新发, 徐士伟: "A configurable virtual machine memory isolation method", 计算机与数字工程 (Computer and Digital Engineering), no. 08, 20 August 2016 *
陈涛, 马威, 刘刚: "An efficient virtual network structure", 信息安全与技术 (Information Security and Technology), no. 08, 10 August 2013 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination