CN117294533A - Network traffic collection method and system based on cloud environment - Google Patents


Info

Publication number
CN117294533A
Authority
CN
China
Prior art keywords
virtual switch
virtual
monitoring
flow
instance
Prior art date
Legal status
Granted
Application number
CN202311579056.2A
Other languages
Chinese (zh)
Other versions
CN117294533B (en)
Inventor
董平
张慧敏
宋晓波
卢媛
彭茜慧
罗强
谭聪
金丽慧
Current Assignee
Huaxin Consulting Co Ltd
Original Assignee
Huaxin Consulting Co Ltd
Priority date
Filing date
Publication date
Application filed by Huaxin Consulting Co Ltd
Priority to CN202311579056.2A
Publication of CN117294533A
Application granted
Publication of CN117294533B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The invention discloses a network traffic collection method and system based on a cloud environment, which solve the problems that existing traffic collection is intrusive to the monitored system, imposes system and software dependency requirements, has weak adaptability, and occupies large computing and network transmission resources. A mirror virtual switch and a virtualized instance agent node are created at the computing node; the monitored node's data is directed to the mirror virtual switch by mirroring traffic through a patch port of the virtual switch; the mirror virtual switch forwards it to the virtualized instance agent node, which converts the network traffic data into a file format and forwards it to the data security monitoring platform; virtualized instance events are monitored in real time, and the virtual switch flow table is adjusted according to the monitoring policy when events change. The invention implements traffic monitoring in software, collects the traffic of the virtualized instance before the packets are rewritten, which is beneficial to the accuracy of security event judgment, makes no intrusive modification to the instance, has no system requirements, and occupies few resources.

Description

Network traffic collection method and system based on cloud environment
Technical Field
The invention relates to the technical field of data acquisition, in particular to a network traffic acquisition method and system based on a cloud environment.
Background
With the development of the Internet, network security problems have increased, and security monitoring and early-warning event reporting for network traffic during network operation and protection has become a topic that enterprises cannot ignore. Bypass (out-of-band) monitoring has the advantages of flexible and convenient deployment and no influence on the existing network, so network monitoring mainly adopts the bypass mode. Bypass monitoring is mainly realized by the port mirroring function of network equipment such as switches; in this mode the data security monitoring platform can collect and analyze network traffic simply by connecting to a mirror port designated on the switch. In a physical environment, traffic is generally mirrored from the ports of upper-layer devices such as core switches, and there are specific requirements for physical topology and hardware configuration. However, with the popularization and development of cloud computing technology, in a cloud environment (virtual machines, containers, etc.) the solution of directly mirroring traffic on a switch is no longer applicable, for the following main reasons:
(1) Traffic between virtual machines flows only inside the computing node (the physical machine on which the virtualized instances run), so the switch cannot capture it. Or traffic flows only between computing nodes and terminates at the access layer, so the aggregation layer cannot capture this portion of traffic, resulting in much security event information being missed.
(2) After traffic in a cloud environment leaves the virtual machine, it is processed by the virtual network (switch, router, gateway, firewall), where operations such as NAT, flow-table translation and tunnel encapsulation may take place, so packet fields are replaced, the analysis node cannot restore the original packet, the risk node and event cannot be accurately analyzed, and false alarms, missed reports and misjudgments of security events result.
(3) Obtaining mirror traffic through network equipment such as switches has certain limitations; for example, the application scenarios are limited because the network equipment is required to support mirroring.
To solve the traffic collection problem, related solutions have also been proposed. For example, the Chinese invention application with application number CN202210043683.3, titled "Network traffic collection method", proposes capturing network traffic on the monitored node (applicable to virtual and physical nodes) in file form and sending the traffic file to a data security monitoring platform to realize traffic monitoring, so as to solve network traffic collection in specialized scenarios. However, this solution has the following drawbacks:
1. Monitoring software must be deployed on the monitored nodes to generate traffic files, which is intrusive to the monitored systems; the monitored nodes must satisfy system and software dependencies, and the adaptability is not particularly strong.
2. As the number of monitored nodes increases, deployment scale and workload increase. In a cloud computing environment, virtual machines are created and destroyed frequently, and each new monitored node needs a monitoring program installed manually, which does not facilitate automated implementation.
3. Each monitored node transmits files to the data security monitoring platform, occupying additional network bandwidth; if the monitoring scale is large, the network overhead may be unacceptable.
Disclosure of Invention
The invention mainly solves the problems in the prior art that traffic cannot be captured and security event information is missed, that collected traffic cannot be restored, causing false alarms, missed reports and errors in security events, and that certain requirements are placed on equipment, limiting the application scenarios.
The invention also solves the problems that traffic collection in the prior art is intrusive to the monitored system, imposes system and software dependency requirements, has weak adaptability, is not conducive to automated implementation, and occupies large computing and network transmission resources, and provides a network traffic collection method and system based on a cloud environment.
According to the scheme, the monitored node's data is streamed to the mirror virtual switch by mirroring traffic through a patch port of the virtual switch, then forwarded by the mirror virtual switch to a virtualized instance agent node, and the network traffic data is converted to a file format and forwarded to the data security monitoring platform for security analysis.
The method solves the traffic collection problem for virtualized instances in a cloud environment, automatically sends the traffic data of monitored nodes to the data security monitoring platform, and can adapt to environments where the number of monitored virtual nodes changes dynamically. Unified traffic collection can be performed for designated virtualized instances or for all virtualized instances on a computing node, and traffic collection for multi-NIC systems is also supported. At the same time, automatic monitoring of cloud computing virtual instance change events is supported, the method adapts itself to changes of virtual instances in the cloud computing environment, flow tables are issued and cleared automatically, and traffic collection is realized according to a pre-configured policy.
The technical problems of the invention are mainly solved by the following technical solution: a network traffic collection method based on a cloud environment, comprising creating a mirror virtual switch and a virtualized instance agent node at the computing node; interconnecting the mirror virtual switch with the virtual switch; mirroring the traffic of the monitored virtualized instance to the mirror virtual switch through the virtual switch; interconnecting the virtualized instance agent node with the mirror virtual switch; steering the received traffic to the virtualized instance agent node through the mirror virtual switch; and converting the received traffic into a packet file at the virtualized instance agent node and sending it to the monitoring platform.
According to the invention, the mirror virtual switch and the virtualized instance agent node are deployed at the computing node, traffic monitoring is realized in software, the original traffic can be intercepted at the access layer, the virtualized instance traffic can be collected before the packet-rewriting stages of the cloud environment such as NAT and tunneling, and the accuracy of security event judgment is improved. The invention makes no intrusive modification to the monitored instance, does not need to deploy software on the monitored virtualized instance, places no requirements such as system or software dependencies on the monitored nodes, can realize traffic collection for environments such as x86, ARM, Linux, Windows and Mac, is applicable in environments with many virtual nodes and complex forms, and has strong scalability. According to the invention, traffic collection for all virtualized instances on a physical node is completed by deploying a virtualized instance agent node, and the computing and network transmission resources occupied are optimized. The invention supports traffic collection in a multi-NIC environment.
In a preferred scheme, a patch port is created on the virtual switch where the monitored virtualized instance resides and a corresponding patch port is created on the mirror virtual switch, interconnecting the monitored virtual switch with the mirror virtual switch.
In a preferred scheme, a flow table is issued on the virtual switch by parsing the monitoring policy configuration, and the traffic of designated ports of the virtual switch, or the traffic of the whole virtual switch, is mirrored to the mirror virtual switch.
In a preferred scheme, by issuing a flow table on the mirror virtual switch, the traffic received on the patch port is forwarded to the virtual port connected to the virtualized instance agent node and thus steered to the virtualized instance agent node.
In a preferred scheme, a program is deployed on the virtualized instance agent node, which captures packets on the virtual port, converts the captured traffic into a packet file, and sends the packet file to the monitoring platform periodically through a timed task. The virtualized instance agent node only needs to be able to run the software program; it can be configured to occupy minimal computing resources and even has no operating-system requirement, as long as the dependencies of the software program are present: for example, if the software is implemented in Java, only the Java base runtime package needs to be installed to support the related functions. The virtualized instance agent node occupies very little computing resource. Parameters such as the size of the traffic file generated by the agent node, the packet capture duration and the file sending period can be configured as required. The virtualized instance agent node sends the file to the data security monitoring platform, which analyzes the traffic file after receiving it and reports security alarm events.
In a preferred scheme, the method further comprises monitoring virtualized instance events in real time at the virtualized instance agent node and, when an event changes, adjusting the flow table of the virtual switch according to the monitoring policy, so that the traffic of the required virtualized instances is collected dynamically. The method supports automatic monitoring of cloud computing virtualized instance change events, can adapt to changes of virtualized instances in the cloud computing environment, adjusts the flow table automatically, and realizes traffic collection according to a pre-configured policy.
In a preferred scheme, the monitored virtualized instance events are virtualized instance life-cycle change events, comprising virtual machine creation, startup and NIC addition events, and virtual machine deletion, shutdown and NIC deletion events; for the creation, startup and NIC addition events a flow table is issued according to the monitoring policy, and for the deletion, shutdown and NIC deletion events the flow table is deleted according to the monitoring policy.
Virtualized instance events are monitored automatically: when instance creation or deletion, startup or shutdown, or NIC addition or removal events occur in the cloud computing environment, a flow table is issued or deleted automatically, and the network traffic of the required instances is collected dynamically according to the policy.
In a preferred scheme, for virtual machine creation, startup and NIC addition events, the traffic monitoring granularity policy configured for the virtualized instance is parsed; if traffic is monitored at virtual switch granularity, a virtual-switch-granularity mirror flow table is issued on the virtual switch associated with the virtualized instance, and if traffic is monitored at port granularity, a port mirror flow table for the designated port is issued on the virtual switch where the port of the virtualized instance resides.
In this scheme, when virtual machine creation, startup or NIC addition events are detected, it is judged whether the configuration associated with the virtualized instance monitors at virtual switch granularity. If so, it is judged whether the virtual switch where the virtualized instance resides has already had a flow table issued under the "monitor traffic at virtual switch granularity" policy: if the flow table has been issued, the traffic of the corresponding virtualized instance is already being monitored; if not, the virtualized instance agent node calls the computing node interface to issue a virtual-switch-granularity mirror flow table to the virtual switch associated with the virtualized instance, and processing of the event ends. If not, the configuration associated with the virtualized instance of the event monitors traffic at port granularity, so a port mirror flow table for the designated port is issued on the virtual switch where the port of the virtualized instance resides, and processing of the event ends.
In a preferred scheme, for virtual machine deletion, shutdown and NIC deletion events, the traffic monitoring granularity policy configured for the virtualized instance is parsed; if traffic is monitored at virtual switch granularity, the mirror flow table of the associated virtual switch is deleted and monitoring of that virtual switch's traffic ends only when the virtualized instance is the last virtualized instance on the associated virtual switch, and if traffic is monitored at port granularity, the mirror flow table for the designated port is deleted on the virtual switch where the port of the virtualized instance resides.
In this scheme, when virtual machine deletion, shutdown or NIC deletion events are detected, it is judged whether the configuration associated with the virtualized instance monitors at virtual switch granularity. If so, it is judged whether other virtualized instances still exist on the virtual switch where the virtualized instance resides: if none exist, the virtualized instance of the event is the last virtualized instance on that virtual switch, all mirror flow tables of the virtual switch are deleted directly, traffic on that virtual switch is no longer monitored, and processing of the event ends; if other virtualized instances exist, the event needs no processing at this time, and processing of the event ends. If not, the configuration associated with the virtualized instance of the event monitors traffic at port granularity, so the mirror flow table for the designated port is deleted on the virtual switch where the port of the virtualized instance resides, and processing of the event ends.
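As an added illustration of the agent node's capture-to-file step just described (this is example code, not code from the patent or its assignee), the following Python writes captured frames in pcap format and rotates the file when it reaches a configured size or when the configured capture period elapses, after which a send task hands the completed files over. The frames, timestamps and size limits are constructed sample values; a real agent would read frames from its virtual port with a capture library and the sender would upload files to the platform's configured IP and port, both of which are left out here.

```python
import socket
import struct
from typing import Callable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535


def pcap_global_header() -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)


def pcap_record(ts: float, frame: bytes) -> bytes:
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = frame[:SNAPLEN]
    return struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured


def make_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame standing in for a captured packet (checksums left 0)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


class PcapRotator:
    """Buffers captured frames into pcap files and rotates by size or elapsed time,
    the two knobs the text says the agent node exposes (file size, capture duration)."""

    def __init__(self, max_bytes: int, period_seconds: float):
        self.max_bytes = max_bytes
        self.period = period_seconds
        self.completed: List[bytes] = []      # finished files waiting for the send task
        self._reset(None)

    def _reset(self, started):
        self.current = bytearray(pcap_global_header())
        self.count = 0
        self.started = started

    def rotate(self, now: float) -> bool:
        """Close the current file if it holds any packets; True when a file was closed."""
        if self.count == 0:
            return False
        self.completed.append(bytes(self.current))
        self._reset(now)
        return True

    def add(self, ts: float, frame: bytes) -> None:
        if self.started is None:
            self.started = ts
        rec = pcap_record(ts, frame)
        # size-based rotation happens before the record that would overflow the file
        if self.count and len(self.current) + len(rec) > self.max_bytes:
            self.rotate(ts)
        self.current += rec
        self.count += 1
        # time-based rotation; a real agent would also fire this from a timer task
        if ts - self.started >= self.period:
            self.rotate(ts)

    def drain(self, send: Callable[[bytes], None]) -> int:
        """Hand every completed file to the sender (the timed upload task); returns the count."""
        files, self.completed = self.completed, []
        for f in files:
            send(f)
        return len(files)


def read_pcap(data: bytes) -> List[Tuple[float, bytes, int]]:
    """Parse a pcap file back into (timestamp, captured bytes, original length) records."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap file")
    off, records = 24, []
    while off < len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec + usec / 1_000_000, data[off:off + incl], orig))
        off += incl
    return records


if __name__ == "__main__":
    rot = PcapRotator(max_bytes=200, period_seconds=5.0)
    frame = make_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                       "10.0.0.1", "10.0.0.2", b"0123456789")
    for ts in (1000.0, 1000.5, 1001.0, 1007.0):    # constructed capture timestamps
        rot.add(ts, frame)
    sent = []
    print(rot.drain(sent.append), "files;", [len(read_pcap(f)) for f in sent], "packets each")
```

With a 200-byte limit and a 5-second period, the four constructed frames land in two files: the third frame would overflow the first file, and the fourth arrives after the period has elapsed, so each file holds two packets and `read_pcap` recovers them with their timestamps intact.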
A network traffic collection system based on a cloud environment comprises a plurality of virtual switches, a mirror virtual switch and a virtualized instance agent node arranged at a computing node, wherein:
the virtual switch is connected to a plurality of virtualized instances through virtual ports and to the mirror virtual switch through a patch port, monitors all traffic or the traffic of designated ports of the virtual switch, and mirrors that traffic to the mirror virtual switch;
the mirror virtual switch is connected to the virtualized instance agent node through a virtual port and steers the received traffic to the virtualized instance agent node;
the virtualized instance agent node parses the monitoring policy configuration, issues flow tables on the virtual switch and the mirror virtual switch, monitors virtualized instance events in real time, adjusts the flow table of the virtual switch according to the monitoring policy when an event changes, and dynamically collects the traffic of the required virtualized instances. The monitoring policy is configured in advance by the user according to requirements, for example whether to enable traffic monitoring, the monitoring scope (designated virtualized instances or ports on the computing node, or all traffic of a virtual switch, etc.), the traffic monitoring period, the packet size of the generated traffic file, and the destination of traffic file transmission (such as the IP address and port of the data security monitoring platform); the virtualized instance agent node parses this configuration file.
Therefore, the invention has the following advantages:
1. Traffic monitoring is realized in software, the original traffic can be intercepted at the access layer, and the virtualized instance traffic can be collected before packet-rewriting stages such as cloud environment NAT and tunneling, which improves the accuracy of security event judgment.
2. No intrusive modification is made to the monitored instance, no software needs to be deployed on the monitored virtualized instance, no system or software dependency requirements are placed on the monitored nodes, traffic collection can be realized for environments such as x86, ARM, Linux, Windows and Mac, and the system is applicable and highly scalable in environments with many virtual nodes and complex forms.
3. Traffic collection for all virtualized instances on a physical node is completed by deploying a virtualized instance agent node, and the computing and network transmission resources occupied are optimized.
4. Virtualized instance events are monitored automatically, traffic collection in a multi-NIC environment is supported, the configuration is updated automatically when the cloud computing environment changes, and the network traffic of the required instances is collected dynamically according to the policy.
Drawings
FIG. 1 is a schematic diagram of a system of the present invention;
FIG. 2 is a schematic flow chart of the method of the present invention.
Detailed Description
The technical scheme of the invention is further specifically described below through examples and with reference to the accompanying drawings.
Examples:
In the network traffic collection method based on a cloud environment, a mirror virtual switch and a virtualized instance agent node are created at the computing node, as shown in FIG. 1: a patch port is created on the virtual switch carrying the monitored virtualized instance and a corresponding patch port is created on the mirror virtual switch, the mirror virtual switch is interconnected with the virtual switch, and the virtualized instance agent node is interconnected with the mirror virtual switch.
The virtualized instance agent node parses the monitoring policy configuration; a flow table is issued on the virtual switch so that the traffic of designated ports of the virtual switch, or of the whole virtual switch, is mirrored to the mirror virtual switch; a flow table is issued on the mirror virtual switch so that the traffic received on the patch port is forwarded to the virtual port connected to the virtualized instance agent node and steered to it; and a software program deployed on the virtualized instance agent node captures packets on the virtual port, converts the captured traffic into a packet file, and sends the packet file periodically to the data security monitoring platform through a timed task. The virtualized instance agent node monitors virtualized instance events in real time; when an event changes, the flow table of the virtual switch is adjusted according to the monitoring policy, and the traffic of the required virtualized instances is collected dynamically. Traffic monitoring is realized in software, the original traffic can be intercepted at the access layer, and the virtualized instance traffic can be collected before packet-rewriting stages such as cloud environment NAT and tunneling, which improves the accuracy of security event judgment. No software needs to be deployed on the monitored virtualized instance, no intrusive modification is made to it, no system or software dependency requirements are placed on the monitored nodes, traffic collection can be realized for environments such as x86, ARM, Linux, Windows and Mac, and the method is applicable and highly scalable in environments with many virtual nodes and complex forms.
Traffic collection for all virtualized instances on a physical node is completed by deploying a virtualized instance agent node, so the agent node occupies few computing and network transmission resources and cost is reduced.
The method automatically monitors virtualized instance change events, specifically life-cycle change events of the virtualized instance, which comprise virtual machine creation, startup and NIC addition events, and virtual machine deletion, shutdown and NIC deletion events. For creation, startup and NIC addition events, a flow table is issued according to the monitoring policy: the traffic monitoring granularity policy configured for the virtualized instance is parsed; if traffic is monitored at virtual switch granularity, a virtual-switch-granularity mirror flow table is issued on the virtual switch associated with the virtualized instance, and if traffic is monitored at port granularity, a port mirror flow table for the designated port is issued on the virtual switch where the port of the virtualized instance resides. For deletion, shutdown and NIC deletion events, the flow table is deleted according to the monitoring policy: the traffic monitoring granularity policy configured for the virtualized instance is parsed; if traffic is monitored at virtual switch granularity, the mirror flow table of the associated virtual switch is deleted and monitoring of that virtual switch's traffic ends, provided the virtualized instance is the last virtualized instance on the associated virtual switch; and if traffic is monitored at port granularity, the mirror flow table for the designated port is deleted on the virtual switch where the port of the virtualized instance resides.
The method is described in detail below by way of example. As shown in FIG. 1, assume that traffic of the following virtualized instances needs to be collected: virtualized instance 1, and all virtualized instances on virtual switch 2, namely virtualized instance 3 and virtualized instance 4, where virtualized instance 3 has multiple NICs whose different networks connect to different virtual switches. Assume virtual switch 1 is the management network, where only the management network traffic of the designated virtualized instances is to be monitored, corresponding to vport1 and vport3 in FIG. 1, and virtual switch 2 is the storage network, where the storage network traffic of all virtualized instances is monitored. The method is implemented concretely as follows:
A mirror virtual switch and a virtualized instance agent node are created; patch port pairs are created connecting virtual switch 1 and virtual switch 2 respectively with the mirror virtual switch; and a vport port pair is created connecting the mirror virtual switch with the virtualized instance agent node.
Virtual switch 1 issues a flow table mirroring the traffic of vport1 and vport3 to port1; virtual switch 2 issues a flow table mirroring the traffic of all vports to port2.
A flow table is issued on the mirror virtual switch that forwards the traffic of patch1' and patch2' directly to the vport port, steering it to the virtualized instance agent node.
The virtualized instance agent node deploys a software program that converts the received traffic into a packet file and sends it to the data security monitoring platform according to the management policy.
As shown in fig. 2, the implementation process of the method of the present embodiment is specifically described in connection with automatic monitoring of the flow flick event of the virtual instance. First, a virtualized instance agent node is created, the virtualized instance agent node interacts with a computing node, and a method flow runs on the virtualized instance agent node. The method comprises the following steps:
s1, normally starting and running the virtualized instance agent node.
S2, analyzing monitoring strategy configuration. The monitoring strategy configured by the user in advance according to the requirement is such as whether to start flow monitoring, monitoring range (computing node designates virtualized instance, port or designates all flows of virtual switch, etc.), flow monitoring period, generated flow file packet size, flow file transmission destination information (such as data security monitoring platform IP, port), etc.
S3, judging whether the current configuration enables a flow monitoring function, if not, ending, and if so, entering the next step.
S4, the virtualized instance agent node calls a computing node interface and notifies the computing node to create a mirror image virtual switch;
creating a vport port pair, interconnecting a virtualized instance agent node with the mirror virtual switch, creating a patch port pair, and interconnecting the monitored virtual switch with the mirror virtual switch;
according to the configuration obtained by parsing, the default flow table is issued on the relevant virtual switch and the mirror virtual switch, and still the structure in fig. 1 is taken as an example for illustration, which specifically includes:
(1) Monitoring all flow of the virtual switch 2, issuing a flow table at the virtual switch 2, mirroring the in-out flow of all vport of the virtual switch 2 to a patch2 port, and transmitting the flow to the mirror virtual switch through the patch2' port.
(2) Monitoring the flow of a designated port on the virtual switch 1, sending a port mirror image flow table up and down in the virtual switch 1, mirroring the flow of the vport1 and vport3 ports to a patch1 port, and transmitting the flow to the mirror image virtual switch through a patch1' port.
(3) And (3) issuing a flow table on the mirror virtual switch, forwarding the flow of all ports to a vport port, and draining the flow to a virtualized instance agent node.
S5, monitor the life cycle events of the virtualized instances;
the virtualized instance agent node calls a computing node interface or a registration interface and monitors in real time the life cycle change events of the virtualized instances on the computing node, including the creation, restart, pause and deletion of a virtualized instance and the addition and deletion of a virtualized instance's ports.
S6, if a virtualized instance event is detected, determine from the configuration file whether the changed virtualized instance is a monitored virtualized instance; if not, return to step S5, and if so, proceed to the next step.
S7, determine whether the event is the creation of a virtual machine, the start-up of a virtual machine or the addition of a network card to a virtual machine; if so, proceed to step S8, otherwise proceed to step S11.
S8, determine whether the configuration associated with the virtualized instance is "traffic monitoring at virtual switch granularity"; if so, proceed to step S9; otherwise the configuration associated with the virtualized instance that raised the event is "traffic monitoring at port granularity", so issue a port mirror flow table on the virtual switch where the port of the virtualized instance is located and proceed to step S16.
S9, determine whether the virtual switch where the virtualized instance is located has already been issued a flow table under the "traffic monitoring at virtual switch granularity" policy; if not, proceed to step S10; if so, the virtual switch granularity mirror flow table already exists and already monitors the traffic of the corresponding virtualized instance, so proceed to step S16.
S10, if the corresponding virtual switch has not been issued the virtual switch granularity mirror flow table, the virtualized instance agent node calls a computing node interface to issue the virtual switch granularity mirror flow table to the virtual switch associated with the virtualized instance, and proceeds to step S16.
S11, determine whether the event is the deletion of a virtual machine, the shutdown of a virtual machine or the deletion of a network card from a virtual machine; if so, proceed to step S12, otherwise proceed to step S15.
S12, determine whether the configuration associated with the virtualized instance is "traffic monitoring at virtual switch granularity"; if so, proceed to step S13; if not, the configuration associated with the virtualized instance that raised the event is "traffic monitoring at port granularity", so delete the mirror flow table of the designated port on the virtual switch where the port of the virtualized instance is located and proceed to step S16.
S13, determine whether other virtualized instances still exist on the virtual switch where the virtualized instance is located; if not, proceed to step S14; if so, other virtualized instances remain on the virtual switch, the event needs no further processing, and the method proceeds to step S16.
S14, the virtualized instance that raised the event is the last virtualized instance on the virtual switch, so all mirror flow tables of the virtual switch can be deleted directly, the traffic on the virtual switch is no longer monitored, and the method proceeds to step S16.
S15, the event of the virtualized instance is unrelated to a network card; no processing is performed, and the method returns to step S5 to wait for the next event.
S16, the processing of the monitoring event ends, and the method returns to step S5 to wait for the next event.
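The default flow issuance of step S4 (items (1) to (3)) and the event handling of steps S5 to S16 can be followed in code. The Python model below is an added illustration and is not code from the patent or its applicant: it emits the Open vSwitch commands (ovs-vsctl for the mirror bridge and patch pairs, ovs-ofctl for the flow tables) that the agent node would run, without executing them. All bridge, port and MAC names, the monitoring policy, the cookie value, and the choice of OpenFlow rules keyed on in_port and dl_dst to approximate the patent's mirror flow tables are assumptions made for the example.

```python
# Added illustration of steps S4 and S5-S16; not the patent's own code.
# Every name below (bridges, ports, MACs, cookie, policy) is constructed.
from dataclasses import dataclass

SWITCH_GRANULARITY = "switch"   # "traffic monitoring at virtual switch granularity"
PORT_GRANULARITY = "port"       # "traffic monitoring at port granularity"
MIRROR_BR = "mirror-br"         # mirror virtual switch (assumed name)
AGENT_VPORT = "vport-agent"     # vport the agent node captures on (assumed name)
COOKIE = "0x6d69"               # assumed cookie tagging every mirror flow, so deletions touch nothing else
# monitored switch -> (patch port on it, peer patch port on the mirror switch); assumed names
PATCH = {"vswitch1": ("patch1", "patch1-m"), "vswitch2": ("patch2", "patch2-m")}

@dataclass(frozen=True)
class InstancePolicy:
    switch: str        # virtual switch the instance is attached to
    granularity: str   # SWITCH_GRANULARITY or PORT_GRANULARITY
    ports: tuple = ()  # (vport, mac) pairs, used only at port granularity

# Constructed policy reproducing fig. 1: all of vswitch2, only vport1 and vport3 on vswitch1.
POLICY = {
    "vm-a": InstancePolicy("vswitch1", PORT_GRANULARITY, (("vport1", "fa:16:3e:00:00:01"),)),
    "vm-b": InstancePolicy("vswitch1", PORT_GRANULARITY, (("vport3", "fa:16:3e:00:00:03"),)),
    "vm-c": InstancePolicy("vswitch2", SWITCH_GRANULARITY),
    "vm-d": InstancePolicy("vswitch2", SWITCH_GRANULARITY),
}
ADD_EVENTS = {"create", "start", "nic_add"}   # step S7
DEL_EVENTS = {"delete", "stop", "nic_del"}    # step S11

def topology_commands():
    """S4 and item (3): mirror bridge, agent vport, patch pairs, default mirror-switch flows."""
    cmds = [f"ovs-vsctl add-br {MIRROR_BR}",
            f"ovs-vsctl add-port {MIRROR_BR} {AGENT_VPORT} -- set interface {AGENT_VPORT} type=internal"]
    for br, (p, pm) in PATCH.items():
        cmds.append(f"ovs-vsctl add-port {br} {p} -- set interface {p} type=patch options:peer={pm}")
        cmds.append(f"ovs-vsctl add-port {MIRROR_BR} {pm} -- set interface {pm} type=patch options:peer={p}")
    # Item (3): everything reaching the mirror switch goes to the agent vport; nothing coming
    # from the agent vport is forwarded anywhere, so the capture path stays receive-only.
    cmds.append(f'ovs-ofctl add-flow {MIRROR_BR} "cookie={COOKIE},priority=20,in_port={AGENT_VPORT},actions=drop"')
    cmds.append(f'ovs-ofctl add-flow {MIRROR_BR} "cookie={COOKIE},priority=10,actions=output:{AGENT_VPORT}"')
    return cmds

def switch_mirror_flows(br):
    """Item (1): copy every frame the switch forwards to its patch port, then forward as usual."""
    return [f'ovs-ofctl add-flow {br} "cookie={COOKIE},priority=10,actions=output:{PATCH[br][0]},NORMAL"']

def port_mirror_flows(br, ports):
    """Item (2): per-port mirror. OpenFlow matches the ingress port directly, but a vport's
    egress traffic must be selected by destination MAC, because the output port is only
    chosen by the NORMAL action afterwards."""
    patch, cmds = PATCH[br][0], []
    for vport, mac in ports:
        cmds.append(f'ovs-ofctl add-flow {br} "cookie={COOKIE},priority=100,in_port={vport},actions=output:{patch},NORMAL"')
        cmds.append(f'ovs-ofctl add-flow {br} "cookie={COOKIE},priority=100,dl_dst={mac},actions=output:{patch},NORMAL"')
    return cmds

def port_mirror_delete(br, ports):
    """Step S12: remove only this port's mirror flows (the cookie mask leaves other flows intact)."""
    cmds = []
    for vport, mac in ports:
        cmds.append(f'ovs-ofctl del-flows {br} "cookie={COOKIE}/-1,in_port={vport}"')
        cmds.append(f'ovs-ofctl del-flows {br} "cookie={COOKIE}/-1,dl_dst={mac}"')
    return cmds

class Agent:
    """The virtualized instance agent node's flow-table bookkeeping for steps S5 to S16."""
    def __init__(self, policy):
        self.policy = policy
        self.switch_mirrored = set()  # switches already carrying the switch-granularity flow (S9)
        self.present = {}             # switch -> monitored instances currently on it (S13)

    def bootstrap(self):
        """S4: issue the default flow tables for every instance in the parsed configuration."""
        cmds = []
        for instance in self.policy:
            cmds += self.handle(instance, "create")
        return cmds

    def handle(self, instance, event):
        """One life-cycle event in, the commands the agent would run out."""
        cfg = self.policy.get(instance)
        if cfg is None:                                  # S6: not a monitored instance
            return []
        br = cfg.switch
        if event in ADD_EVENTS:                          # S7
            self.present.setdefault(br, set()).add(instance)
            if cfg.granularity == PORT_GRANULARITY:      # S8: port granularity
                return port_mirror_flows(br, cfg.ports)
            if br in self.switch_mirrored:               # S9: switch already mirrored
                return []
            self.switch_mirrored.add(br)                 # S10
            return switch_mirror_flows(br)
        if event in DEL_EVENTS:                          # S11
            self.present.get(br, set()).discard(instance)
            if cfg.granularity == PORT_GRANULARITY:      # S12
                return port_mirror_delete(br, cfg.ports)
            if self.present.get(br):                     # S13: other instances remain
                return []
            self.switch_mirrored.discard(br)             # S14: last instance, drop all mirror flows
            return [f'ovs-ofctl del-flows {br} "cookie={COOKIE}/-1"']
        return []                                        # S15: unrelated to a network card
```

Two details matter for a deployment of this shape. Tagging every mirror flow with a cookie is what makes the deletions in steps S12 and S14 safe: `del-flows` with a cookie mask removes only the agent's own entries, never the flows that carry the tenants' ordinary networking. The drop rule on the agent vport of the mirror switch keeps the capture path one-way, so a compromised or misconfigured agent node cannot inject frames into the monitored switches through the patch ports.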
The embodiment also provides a network traffic collection system based on the cloud environment, as shown in fig. 1, including a plurality of virtual switches, a mirror virtual switch and a virtualized instance agent node, which are set up in the computing node.
The virtual switch is connected to a plurality of virtualized instances through virtual ports and to the mirror virtual switch through patch ports; it monitors all traffic or designated port traffic of the virtual switch and mirrors that traffic to the mirror virtual switch;
the mirror virtual switch is connected to the virtualized instance agent node through a virtual port and drains the received traffic to the virtualized instance agent node;
and the virtualized instance agent node parses the monitoring policy configuration, issues flow tables on the virtual switch and the mirror virtual switch, monitors the events of the virtualized instances in real time, adjusts the flow table of the virtual switch according to the monitoring policy when an event changes, and dynamically collects the traffic of the required virtualized instances.
The specific embodiments described herein are offered by way of example only to illustrate the spirit of the invention. Those skilled in the art may make various modifications or additions to the described embodiments or substitutions thereof without departing from the spirit of the invention or exceeding the scope of the invention as defined in the accompanying claims.

Claims (10)

1. A network traffic collection method based on a cloud environment, characterized in that: a mirror virtual switch and a virtual instance agent node are created on a computing node, the mirror virtual switch is interconnected with the virtual switch, the traffic of a monitored virtual instance is mirrored to the mirror virtual switch through the virtual switch, the virtual instance agent node is interconnected with the mirror virtual switch, the received traffic is guided to the virtual instance agent node through the mirror virtual switch, and the virtual instance agent node converts the received traffic into a message file and sends the message file to a monitoring platform.
2. The network traffic collection method based on the cloud environment according to claim 1, characterized in that a patch port is created on a virtual switch having a monitored virtualized instance and a corresponding patch port is created on the mirror virtual switch, interconnecting the monitored virtual switch with the mirror virtual switch.
3. The network traffic collection method based on the cloud environment according to claim 2, characterized in that the monitoring policy configuration is parsed, a flow table is issued on the virtual switch, and the traffic of designated ports of the virtual switch or the traffic of the whole virtual switch is mirrored to the mirror virtual switch.
4. The network traffic collection method based on the cloud environment according to claim 2, characterized in that a flow table is issued on the mirror virtual switch so that the traffic received on the patch port is forwarded to the virtual port connected to the virtualized instance agent node and drained to the virtualized instance agent node.
5. The network traffic collection method based on the cloud environment according to any one of claims 1 to 4, characterized in that a program deployed on the virtualized instance agent node captures packets on the virtual port, converts the obtained traffic into a message file and periodically sends it to the monitoring platform through a timed task.
6. The network traffic collection method based on the cloud environment according to claim 3, further comprising: the virtualized instance agent node monitors the events of the virtualized instances in real time and adjusts the flow table of the virtual switch according to the monitoring policy when an event changes, so as to dynamically collect the traffic of the required virtualized instances.
7. The network traffic collection method based on the cloud environment according to claim 6, characterized in that the monitored virtualized instance events are virtualized instance life cycle change events, including creating a virtual machine, starting up a virtual machine and adding a network card, and deleting a virtual machine, shutting down a virtual machine and deleting a network card; for the creating, starting up and adding-a-network-card events a flow table is issued according to the monitoring policy, and for the deleting, shutting down and deleting-a-network-card events the flow table is deleted according to the monitoring policy.
8. The network traffic collection method based on the cloud environment according to claim 7, characterized in that for the events of creating a virtual machine, starting up and adding a network card, the traffic monitoring granularity policy in the configuration associated with the virtualized instance is analyzed; if traffic is monitored at the granularity of the virtual switch, a virtual switch granularity mirror flow table is issued to the virtual switch associated with the virtualized instance, and if traffic is monitored at the granularity of a port, a port mirror flow table for the designated port is issued on the virtual switch where the port of the virtualized instance is located.
9. The network traffic collection method based on the cloud environment according to claim 7, characterized in that for the events of deleting a virtual machine, shutting down and deleting a network card, the traffic monitoring granularity policy in the configuration associated with the virtualized instance is analyzed; if traffic is monitored at the granularity of the virtual switch, the mirror flow table of the associated virtual switch is deleted when the virtualized instance is the last virtualized instance on the associated virtual switch, ending traffic monitoring of that virtual switch, and if traffic is monitored at the granularity of a port, the designated port mirror flow table is deleted on the virtual switch where the port of the virtualized instance is located.
10. A network traffic collection system based on a cloud environment for implementing the method according to any one of claims 1 to 9, characterized in that: it includes a plurality of virtual switches, a mirror virtual switch and a virtualized instance agent node disposed on the computing node,
the virtual switch is connected to a plurality of virtualized instances through virtual ports and to the mirror virtual switch through patch ports; it monitors all traffic or designated port traffic of the virtual switch and mirrors that traffic to the mirror virtual switch;
the mirror virtual switch is connected to the virtualized instance agent node through a virtual port and drains the received traffic to the virtualized instance agent node;
and the virtualized instance agent node parses the monitoring policy configuration, issues flow tables on the virtual switch and the mirror virtual switch, monitors the events of the virtualized instances in real time, adjusts the flow table of the virtual switch according to the monitoring policy when an event changes, and dynamically collects the traffic of the required virtualized instances.
CN202311579056.2A 2023-11-24 2023-11-24 Network traffic collection method and system based on cloud environment Active CN117294533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311579056.2A CN117294533B (en) 2023-11-24 2023-11-24 Network traffic collection method and system based on cloud environment

Publications (2)

Publication Number Publication Date
CN117294533A true CN117294533A (en) 2023-12-26
CN117294533B CN117294533B (en) 2024-04-02

Family

ID=89241133

Country Status (1)

Country Link
CN (1) CN117294533B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110255538A1 (en) * 2010-04-16 2011-10-20 Udayakumar Srinivasan Method of identifying destination in a virtual environment
CN106254176A (en) * 2016-07-29 2016-12-21 浪潮(北京)电子信息产业有限公司 A kind of traffic mirroring method based on openvswitch
CN106375384A (en) * 2016-08-28 2017-02-01 北京瑞和云图科技有限公司 Management system of mirror network flow in virtual network environment and control method
JP2018117193A (en) * 2017-01-16 2018-07-26 富士通株式会社 Port changeover program, port changeover method, and information processing apparatus
US20190068476A1 (en) * 2017-08-24 2019-02-28 Cisco Technology, Inc. Virtual network function monitoring in a network function virtualization deployment
CN113660243A (en) * 2021-08-11 2021-11-16 杭州安恒信息技术股份有限公司 Application protection method and system, readable storage medium and computer equipment
CN113672343A (en) * 2021-08-04 2021-11-19 浪潮云信息技术股份公司 Method for calculating cold start acceleration based on function of lightweight safety container
CN114265666A (en) * 2021-12-21 2022-04-01 北京永信至诚科技股份有限公司 Network target range data acquisition system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Chun-Jen Chung et al.: "NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems", IEEE Transactions on Dependable and Secure Computing *
陆宏波: "Research and application of key technologies for intelligent monitoring and analysis of virtual networks in a cloud environment", 电脑知识与技术 (Computer Knowledge and Technology), no. 22 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant