US20150304344A1 - System and method for controlling virtual network including security function - Google Patents
- Publication number: US20150304344A1 (application US14/263,035)
- Authority: US (United States)
- Prior art keywords
- blocking
- vips
- security
- cloud
- rules
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
All classifications fall under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
- H04L43/028—Capturing of monitoring data by filtering (under H04L43/00, Arrangements for monitoring or testing data switching networks; H04L43/02, Capturing of monitoring data)
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic (under H04L63/00, Network architectures or network communication protocols for network security)
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation (under H04L12/00, Data switching networks; H04L12/02, Details)
- H04L41/342—Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities (under H04L41/00, Arrangements for maintenance, administration or management of data switching networks; H04L41/34, Signalling channels for network management communication)
- H04L43/20—Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
- H04L63/0227—Filtering policies (under H04L63/02, Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L41/12—Discovery or management of network topologies
Definitions
- the present invention relates to a virtual network controlling system, and more particularly, to a virtual network controlling system including a security function.
- the cloud environment can minimize IT resource expenses by increasing the utilization rate and the ease of management of IT resources through virtualization.
- server virtualization in the cloud environment has already reached a stable stage, but network virtualization has not. Recently, in order to improve network virtualization, efforts to reduce the bottleneck in the cloud infrastructure by applying SDN technology to network virtualization are actively underway.
- virtualization refers to the act of creating and running a plurality of operating systems on one system by dividing a single piece of physical hardware into a plurality of virtual hardware devices.
- the software capable of such virtualization is a hypervisor.
- the hypervisor provides a way for different operating systems to access one physical computer resource, such as a processor or a memory existing in one host; that is, it is a piece of computer software that makes one computer run a number of operating systems.
- a conventional physical server, for instance a host, is generally leased to just one subscriber, but when virtualization technology is applied, one virtualized system can run various subscriber services, for instance file servers, mail servers, web servers, and so on, so that one physical server, for instance one host, can be leased to several subscribers.
- when a conventional hardware-based network security system, for instance an IPS (Intrusion Prevention System), is installed in the virtualized system of a cloud environment, which distributes and allocates resources in software through virtualization of the entire resources including servers and networks, it is difficult to construct a security system that fits the system structure closely, and the IPS cannot be effectively connected with the virtualized system of the cloud environment, which has to frequently carry out variable distribution and allocation of resources in order to spread the system load.
- an important aspect of the present invention is that the present inventors recognized certain drawbacks of the related art, as mentioned above. As a result, the present inventors provided a solution to such drawbacks, as follows.
- a method for controlling a virtual network with a security function comprising the steps of:
  - creating real time blocking rules by a vIPS (virtual Intrusion Prevention System) when any malicious behavior is detected according to signature-based detection;
  - sending the real time blocking rules to a vSwitch (virtual Switch) and blocking the attacking traffic by the vSwitch according to the sent blocking rules;
  - checking whether or not traffic blocking was actually carried out during a designated period of time (hereinafter called ‘blocking time’) when the blocking time has lapsed according to the blocking rules;
  - deleting the created blocking rules and terminating the corresponding traffic blocking by the vIPS if the traffic blocking was not actually carried out during the blocking time; and
  - extending the blocking time based on the present state to which the blocking rules were applied and terminating blocking of the corresponding traffic by the vIPS if the traffic blocking was actually carried out during the blocking time.
- a method for controlling a virtual network with a security function comprising the steps of:
  - receiving an attack detection-related security alert (common event format) from vIPSs in a virtual network controlling system including a cloud ESM (Enterprise Security Management) system;
  - analyzing a traffic or an attack pattern detected in the vIPS through a correlation analysis by the cloud ESM system when the attack detection-related event is received;
  - determining a real time blocking reaction against the detected traffic or attack in the cloud ESM system on the basis of the analyzed results and sending the blocking reaction command to the vIPS;
  - creating real time blocking rules by the vIPS according to the blocking reaction command;
  - sending the real time blocking rules to the vSwitch and blocking the attacking traffic by the vSwitch according to the received blocking rules;
  - checking whether or not traffic blocking was actually carried out during a blocking time when the blocking time has lapsed according to the blocking rules;
  - deleting the created blocking rules and terminating the corresponding traffic blocking by the vIPS if the traffic blocking was not actually carried out
- the cloud ESM system includes: a cloud collection information management module which stores and manages virtualization resource information and security events collected in the vIPS; a cloud security event analysis and security state monitoring module which carries out attack correlation analysis with reference to information received from the vIPS; and a cloud security control management module which forcibly migrates the malicious virtual machine in a logical/physical manner, recognizes a change in information of the virtual machine, and sends a security control command according to a policy change to the vIPS through a cloud agent.
- the vIPS includes: an intrusion response processing module which requests creation of the real time blocking rules according to the blocking reaction command; a policy and signature management module which manages creation, update and deletion of the real time blocking rules; an external interface module which provides an interface to send and receive policies of the real time blocking rules; and a hypervisor security API module which sets up or deletes the blocking rules on the vSwitch.
- the vIPS sends the created real time blocking rules to an SDN controller so as to expand security of the virtual network system to an SDN network.
- FIG. 1 is a conceptual diagram showing an operation of a system for controlling a virtual network with a security function according to a preferred embodiment of the present invention.
- FIG. 2 is a block diagram of the system for controlling the virtual network with the security function according to the preferred embodiment of the present invention.
- FIG. 3 is a block diagram of a vIPS (virtual Intrusion Prevention System) according to the present invention.
- FIG. 4 is a flow chart of a method for controlling a virtual network with a security function according to a first preferred embodiment of the present invention.
- FIG. 5 is a flow chart of a method for controlling a virtual network with a security function according to a second preferred embodiment of the present invention.
- FIG. 6 is an exemplary view of a method for controlling a virtual network with a security function according to a third preferred embodiment of the present invention.
- a virtual network controlling system with a security function which manages the security states of virtual machines in a cloud datacenter, analyzes the security states of malicious virtual machines, and isolates and treats the malicious virtual machines.
- the virtual network controlling system with the security function needs real-time detection of and response to attacks on virtualized networks/hosts, collection of cloud resource information and security events, monitoring and analysis of cloud security states, application of cloud security policies, and so on.
- a software-based vIPS (virtual Intrusion Prevention System) constructed on the virtualized network has difficulty providing high performance compared with a hardware-based IPS.
- a software-based virtual security appliance is limited in the hardware resources that can be allocated to improve the performance of the IPS, because it shares the same hardware with the virtual machines which provide the actual services. That is, if a lot of hardware resources are allocated to the IPS, the virtual machines which provide the actual services deteriorate in performance.
- the performance of a signature-based IPS is mainly affected by two factors, namely the number of attacks to be detected (for instance, the number of signatures) and the number of network packets to be processed.
- the virtual network controlling system reduces the number of packets on which the IPS performs signature-matching inspection through DPI by pushing the blocking of a previously detected intruder down to the network level.
- FIG. 1 is a conceptual diagram showing an operation of a system for controlling a virtual network with a security function according to a preferred embodiment of the present invention
- FIG. 2 is a block diagram of the system for controlling the virtual network with the security function according to the preferred embodiment of the present invention.
- the virtual network controlling system 100 includes a cloud ESM (Enterprise Security Management) system 200 (hereinafter called ‘cloud ESM’), a cloud agent 300, a virtual Intrusion Prevention System 400 (hereinafter called ‘vIPS’), and a virtual switch 500 (hereinafter called ‘vSwitch’).
- the cloud agent 300 receives security events and resource information generated from the vIPS 400 and transfers the received security events and resource information to the cloud ESM system 200, or applies security policies transferred from the cloud ESM system 200 to the vIPS 400.
- the cloud agent 300 includes a cloud resource information/security event collecting module and a cloud security control module inside the virtual security appliance (VSA).
- the cloud ESM system 200 collects, analyzes and manages information transferred from the cloud agent 300 or transfers security policies to the cloud agent 300 , and includes a cloud collection information management module, a cloud security control management module, a potentially malicious virtual machine inspection module, a cloud security event analysis and security state monitoring module, a cloud security policy management and virtual machine zone (VM zone) security management module, and a DBMS.
- the cloud ESM system 200 is linked with a legacy ESM/SIEM in order to transfer cloud security event and analysis information.
- the cloud ESM system 200 collects information and security events of virtualized systems from a number of the vIPSs 400 and carries out integrated security control of the whole cloud infrastructure, and then sends security controls and relevant security policies for coping with intrusion to each vIPS 400. Furthermore, the cloud ESM system 200 controls operation of the vIPS 400 and sends system management commands for managing environmental variables to the vIPS 400.
- the cloud collection information management module aggregates the virtualization resource information and security events collected from the vIPS 400 and stores and manages them in the DBMS.
- the aggregation and storing of the collected information means definition of the DB schema, aggregation and filtering, distributed storage and search of the collected high-capacity information, conversion for legacy DB linkage, and so on.
- the cloud security control management module serves to forcibly migrate the malicious virtual machine in a logical/physical manner, to apply security control against a policy change after recognizing an information change of the virtual machine, and to send and manage security control commands to the vIPS 400 through the cloud agent 300.
- the cloud security control management module logically (change of the VM zone) and physically (movement to a specific virtualized system) migrates a target which is detected as a malicious virtual machine.
- the cloud security control management module recognizes the live migration of the virtual machine and the change of the VM zone of the virtual machine, and then, promptly applies policies which are changed by the migration and the VM zone change.
- the potentially malicious virtual machine inspection module serves to trace and distinguish a potentially malicious virtual machine in relation with the virtualization resource information and security events collected from the vIPS 400 .
- Trace of the potentially malicious virtual machine means to trace a suspicious virtual machine and to discriminate it as a potentially malicious virtual machine candidate.
- Discrimination of the potentially malicious virtual machine means to precisely analyze the potentially malicious virtual machine candidate and to judge whether or not it is a malicious virtual machine.
- the cloud security event analysis and security state monitoring module serves to analyze the virtualization security state, changes in virtualized resources, attack correlation, and information on virtual network traffic conditions in relation to the virtualized resource information and security events collected from the vIPS 400.
- the cloud security policy management and virtual machine zone (VM zone) security management module serves to send and manage the cloud security policies, which will be applied to the vIPS 400 , and the VM zone policies for security management of the VM zone to the cloud agent in order to collect information of virtualized resources and detect and cope with virtualized attacks.
- the DBMS (DB management system) serves to store input and output information, policy information and analysis results of each of the modules of the cloud ESM system 200 .
- the vSwitch 500 is an OpenFlow-based software switch existing inside a hypervisor for communication between the virtual machines.
- the vSwitch 500 blocks an intruder's traffic according to blocking rules transferred from the vIPS 400.
- the vIPS 400 is a hypervisor-based intrusion prevention platform; it controls an NIPS (Network-based IPS) service, a stateful firewall service, and an HIPS (Host-based IPS) service at a higher level, and provides an interface that supplies the information necessary for carrying out intrusion detection and an interface that receives the detection results. Therefore, the vIPS provides not only the network-based IPS service, the host-based IPS service and the firewall service, but also an IPS platform into which other IPSs or firewalls can easily be substituted and utilized.
- the vIPS 400 includes a virtualized system internal information collection and analysis module 410, an intrusion response processing module 420, a policy and signature management module 430, an intrusion prevention system control module 440, a logging module 445, an integrity verification module 450, a callback processing module 455, a detection service interface module 470, an environmental setup management module 475, an administrator account management and authentication module 465, an external interface module 460, and a hypervisor security API module 480.
- FIG. 3 is a block diagram of the vIPS according to the present invention.
- the virtualized system internal information collection and analysis module 410 acquires internal information of the virtual machine and the hypervisor including network packets of the virtualized system through the hypervisor security API module 480 , and provides interpretation of a virtual machine guest OS in connection with the memory contents of the virtual machine.
- the intrusion response processing module 420 requests creation of real time blocking rules according to the rules for reacting to attacks or according to blocking response commands.
- the intrusion response processing module 420 carries out correspondence actions according to correspondence policies in relation with intrusion detection.
- the policy and signature management module 430 manages creation, update and deletion of the real time blocking rules.
- the policy and signature management module 430 manages attack detection signatures, correspondence policies and rules and firewall policies and rules of the NIPS.
- the intrusion prevention system control module 440 serves to control the entire operations of the vIPS 400 and to control services for intrusion detection, for instance, the stateful firewall service, the NIPS service, the HIPS service, and so on.
- the logging module 445 creates and manages logs.
- the integrity verification module 450 serves to verify integrity of the inside of the virtual machine which is designated by the HIPS or the entire or partial data structure of the hypervisor.
- the callback processing module 455 provides a callback function to help an effective communication of each module inside the vIPS framework and detection of the intrusion detection service.
- the detection service interface module 470 manages external detection services and processes communications between the platform and detection services and between the modules inside the platform.
- the environment setup management module 475 manages environment setup values so that the vIPS 400 always runs according to the newest setup value. All modules inside the vIPS 400 access the environment setup values, for instance, reading, writing, and others, through the environment setup management module 475 .
- the administrator account management and authentication module 465 manages an administrator's account and carries out authentication of the administrator's account.
- the external interface module 460 provides an interface for sending and receiving policies of the real time blocking rules. Furthermore, the external interface module 460 provides an interface for system management and security control of the cloud agent 300 and the vIPS 400 by the cloud ESM system 200.
- the hypervisor security API module 480 sets up or deletes blocking rules of the vSwitch 500 .
- the vSwitch 500 is organized as a device corresponding to an Open vSwitch in a Xen server, which is a virtualization platform.
- the hypervisor security API module 480 provides an API which can acquire the internal information of the virtualized system and carry out a security control to cope with the detection by directly accessing the hypervisor. Therefore, the hypervisor security API module 480 provides abstraction of a hypervisor access for a security-related function.
- the virtualized system internal information collection and analysis module 410, the intrusion response processing module 420, the policy and signature management module 430, the intrusion prevention system control module 440, the logging module 445, the integrity verification module 450, and the callback processing module 455 form the vIPS framework.
- the vIPS framework is the aggregation of the essential common modules that make up the IPS and the firewall, which are the core functions in the hypervisor-based virtualized network/host intrusion prevention system, and provides the common functions and structures necessary for the higher-level NIPS (Network-based IPS) service, HIPS (Host-based IPS) service and stateful firewall service to carry out access control, detection and response.
- the services for carrying out intrusion detection include the NIPS service, the HIPS service and the stateful firewall service; they carry out detection by receiving input information (virtual network packets, virtual machine/hypervisor internal information, and so on) for intrusion detection and access control through the hypervisor-based intrusion prevention platform, and send the detected result to the platform using the vIPS framework.
- the stateful firewall service serves as an engine of a stateful firewall.
- the NIPS service serves as an engine of the network-based IPS.
- the HIPS service serves as an engine of a host-based IPS, and includes a rootkit detection module and a virtual machine abnormal behavior detection module at a lower level. It is preferable that the lower-level modules of the HIPS service be developed on a signature basis.
- FIG. 4 is a flow chart of a method for controlling a virtual network with a security function according to a first preferred embodiment of the present invention.
- the hypervisor-based virtual network controlling system 100 with the security function enhances intrusion prevention performance by blocking attack traffic in advance at the network level, before DPI (Deep Packet Inspection) is applied.
- the vIPS 400 analyzes and detects malicious behaviors according to signature-based detection and checks an intruder's IP (Internet Protocol). Therefore, this embodiment is independently carried out according to different blocking rules in each vIPS 400 inside the virtual network controlling system 100 .
- the vIPS 400 creates real time blocking rules (S10 to S20).
- the vIPS 400 sends the real time blocking rules, in the form of flow rules, to the vSwitch 500 (S30).
- the vSwitch 500 blocks the intruder's traffic in advance according to the blocking rules sent from the vIPS 400 (S40).
- the vSwitch 500 carries out traffic blocking during a designated period of time (hereinafter called ‘blocking time’) according to the blocking rules. After that, when the blocking time has lapsed, the vIPS 400 checks whether or not the traffic blocking was actually carried out during the blocking time (S50 to S60).
- if the traffic blocking was not actually carried out during the blocking time, the vIPS 400 deletes the created blocking rules and terminates the corresponding traffic blocking (S70).
- if the traffic blocking was actually carried out, the vIPS 400 extends the blocking time based on the present state to which the blocking rules were applied (S80), and then the steps S30 to S60 are repeated.
- FIG. 5 is a flow chart of a method for controlling a virtual network with a security function according to a second preferred embodiment of the present invention.
- the vIPS 400 according to the second preferred embodiment of the present invention checks the intruder's IP (Internet Protocol) by carrying out malicious behavior analysis and detection according to correlation analysis procedures of the cloud ESM system 200 . Therefore, this embodiment is carried out according to the same blocking rules in all vIPSs 400 inside the virtual network controlling system 100 .
- the vIPS 400, when a doubtful traffic or attack pattern is detected, creates an attack detection-related security alert (common event format) and sends it to the cloud ESM system 200 (S110 to S120).
- the cloud ESM system 200 receives the attack detection-related event from the vIPSs 400 making up the virtual network controlling system 100.
- the cloud ESM system 200 analyzes the traffic or attack pattern detected in the vIPS 400 through the correlation analysis (S130). Moreover, a security administrator of the system 200 determines a real time blocking reaction (security policy) against the detected traffic or attack, based on the analyzed results (S140). After that, the system 200 sends the determined blocking reaction command to the vIPS 400.
- when the blocking reaction command is received from the cloud ESM system 200, the vIPS 400 creates real time blocking rules according to the blocking reaction command (S170). Additionally, the vIPS 400 sends the created real time blocking rules, in the form of flow rules, to the vSwitch 500.
- the vSwitch 500 blocks the intruder's traffic according to the blocking rules sent from the vIPS 400.
- the vSwitch 500 carries out traffic blocking for a predetermined period of time according to the blocking rules, like the vSwitch of the first preferred embodiment (S190). After that, when the blocking time has lapsed, the vIPS 400 checks whether or not the traffic blocking was actually carried out during the blocking time (S200 to S210).
- if the traffic blocking was not actually carried out during the blocking time, the vIPS 400 deletes the created blocking rules and terminates the corresponding traffic blocking (S220).
- if the traffic blocking was actually carried out, the vIPS 400 extends the blocking time based on the present state to which the blocking rules were applied (S230), and then the steps S150 to S180 are repeated.
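As an added example (not code from the patent), the following Python simulation walks through the blocking-rule lifecycle of steps S30 to S80 from the first embodiment and the fan-out of one blocking command from the cloud ESM to every vIPS from the second embodiment (S150 to S180). The class names, the per-rule hit counter used to decide whether blocking actually occurred, the doubling-with-cap extension policy and the sample packets are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class BlockingRule:
    src_ip: str
    installed_at: int
    blocking_time: int        # seconds the vSwitch keeps dropping this source
    packets_matched: int = 0  # per-rule hit counter kept by the vSwitch (assumption)

class VSwitch:
    """Flow table that drops packets whose source matches an installed blocking rule."""
    def __init__(self) -> None:
        self.rules: dict[str, BlockingRule] = {}
        self.dropped = 0

    def forward(self, pkt: dict) -> bool:
        # Return True if the packet passed the switch and reached the vIPS DPI path.
        rule = self.rules.get(pkt["src"])
        if rule is not None:
            rule.packets_matched += 1
            self.dropped += 1
            return False
        return True

class VIPS:
    """Signature-based detection plus the S30 to S80 rule lifecycle on one hypervisor."""
    SIGNATURES = ("EXPLOIT-SIG-1",)  # constructed signature set for the example

    def __init__(self, name: str, switch: VSwitch, blocking_time: int = 60,
                 max_blocking_time: int = 3600) -> None:
        self.name, self.switch = name, switch
        self.blocking_time, self.max_blocking_time = blocking_time, max_blocking_time
        self.dpi_inspected, self.events = 0, []  # events: (event, vips, src ip, time)

    def block(self, src_ip: str, now: int) -> None:
        """S30/S40: push a flow-rule-type blocking rule to the vSwitch (idempotent)."""
        if src_ip not in self.switch.rules:
            self.switch.rules[src_ip] = BlockingRule(src_ip, now, self.blocking_time)
            self.events.append(("install", self.name, src_ip, now))

    def inspect(self, pkt: dict, now: int) -> bool:
        """S10/S20: DPI runs only on packets the vSwitch did not already drop."""
        if not self.switch.forward(pkt):
            return False
        self.dpi_inspected += 1
        if any(sig in pkt["payload"] for sig in self.SIGNATURES):
            self.block(pkt["src"], now)
            return True
        return False

    def review_expired(self, now: int) -> None:
        """S50 to S80: on expiry, delete an idle rule or extend one that kept matching."""
        for rule in list(self.switch.rules.values()):
            if now < rule.installed_at + rule.blocking_time:
                continue
            if rule.packets_matched == 0:
                del self.switch.rules[rule.src_ip]  # S70: nothing was blocked, rule removed
                self.events.append(("delete", self.name, rule.src_ip, now))
            else:
                # S80: the doubling-with-cap extension policy is an assumption here
                rule.blocking_time = min(rule.blocking_time * 2, self.max_blocking_time)
                rule.installed_at, rule.packets_matched = now, 0
                self.events.append(("extend", self.name, rule.src_ip, now))

class CloudESM:
    """Second embodiment: one blocking command is applied by every vIPS (S150 to S180)."""
    def __init__(self, members: list) -> None:
        self.members = members

    def on_alert(self, src_ip: str, now: int) -> None:
        for vips in self.members:
            vips.block(src_ip, now)

# Constructed traffic: (time, hypervisor, src, payload). 10.0.0.5 attacks hypervisor A,
# keeps sending to A and B for a while, then goes quiet; 10.0.0.7 is benign throughout.
PACKETS = [
    (0, "A", "10.0.0.5", "EXPLOIT-SIG-1"), (5, "A", "10.0.0.7", "GET /index.html"),
    (10, "A", "10.0.0.5", "EXPLOIT-SIG-1"), (20, "B", "10.0.0.5", "EXPLOIT-SIG-1"),
    (30, "A", "10.0.0.5", "EXPLOIT-SIG-1"), (40, "B", "10.0.0.5", "EXPLOIT-SIG-1"),
    (50, "A", "10.0.0.5", "EXPLOIT-SIG-1"), (70, "B", "10.0.0.7", "GET /index.html"),
    (190, "A", "10.0.0.5", "GET /index.html"),
]

def run_simulation(packets=PACKETS, end_time: int = 200) -> dict:
    # Drive two hypervisors one second at a time and report what the switches did.
    switches = {"A": VSwitch(), "B": VSwitch()}
    vipss = {n: VIPS(n, sw) for n, sw in switches.items()}
    esm = CloudESM(list(vipss.values()))
    by_time: dict = {}
    for t, hv, src, payload in packets:
        by_time.setdefault(t, []).append((hv, {"src": src, "payload": payload}))
    for now in range(end_time + 1):
        for vips in vipss.values():
            vips.review_expired(now)
        for hv, pkt in by_time.get(now, []):
            if vipss[hv].inspect(pkt, now):    # local detection raises an alert ...
                esm.on_alert(pkt["src"], now)  # ... which the ESM fans out to all vIPSs
    return {"dropped": {n: sw.dropped for n, sw in switches.items()},
            "dpi_inspected": {n: v.dpi_inspected for n, v in vipss.items()},
            "events": [e for v in vipss.values() for e in v.events],
            "active_rules": sum(len(sw.rules) for sw in switches.values())}
```

With the constructed traffic, hypervisor B never runs DPI on the attacker at all: its two attack packets are dropped by the flow rule the ESM fanned out, and both rules are extended once and then deleted after an idle blocking period.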
- FIG. 6 is an exemplary view of a method for controlling a virtual network with a security function according to a third preferred embodiment of the present invention.
- the vIPS 400 expands security to an SDN (Software-Defined Network) using network flow control through OpenFlow.
- the vIPS 400, when a doubtful traffic or attack pattern is detected, creates an attack detection-related security alert (common event format) and sends it to the cloud ESM system 200.
- the cloud ESM system 200 receives the attack detection-related event from the vIPSs 400 making up the virtual network controlling system 100.
- the cloud ESM system 200 analyzes the traffic or attack pattern detected in the vIPS 400 through the correlation analysis. Moreover, a security administrator of the system 200 determines a real time blocking reaction (security policy) against the detected traffic or attack, based on the analyzed results. After that, the system 200 sends the determined blocking reaction command to the vIPS 400.
- the vIPS 400 When the blocking reaction command is received from the cloud ESM system 200 , the vIPS 400 creates real time blocking rules according to the blocking reaction command. Additionally, the vIPS 400 sends the created real time blocking rules of the flow rule type to the vSwitch 500 . In addition, the vIPS 400 sends the real time blocking rules to an SDN controller (network OS) of an SDN network.
- the vIPS 400 carries out blocking against malicious network traffics even in the SDN by sending the real time blocking rules to the SDN network.
- security of the virtual network system 100 with the security function is expanded (linked) to the SDN.
- the system and method for controlling the virtual network with the security function according to the present invention reduce the number of packets to which the IPS carries out the signature matching inspection through the DPI test by diffusing blocking against the previously detected intruder by the network level, so as to enhance performance of the virtualized network IPS.
- the vIPS 400 shares intruder information detected in the single virtualized system. That is, the vIPS 400 sends the intruder information detected in the single virtualized system to vIPSs running in another virtualized system so as to provide an early response or blocking to harmful traffics.
- the vIPS 400 according to the second preferred embodiment of the present invention can provide an early response against the detected intruder through the cloud security correlation analysis.
- the vIPS 400 sends the intruder information detected through the correlation analysis of the cloud ESM system 200 to other vIPSs and makes those vIPSs block the detected intruder at the vSwitch level, such that the vIPS 400 can cope with or block in advance attacks or harmful traffic which are difficult to detect at the level of a single vIPS.
Description
- 1. Field of the Invention
- The present invention relates to a virtual network controlling system, and more particularly, to a virtual network controlling system including security function.
- 2. Background Art
- Recently, an SDDC (Software-Defined DataCenter) attracts attention in the cloud computing environment, and enhances management efficiency and utilization rate of a cloud datacenter through virtualization of the whole resources including servers and networks. Particularly, in order to reduce the bottleneck of the cloud datacenter and efficiently construct and utilize the networks, a network virtualization through application of SDN (Software-Defined Network) is in progress.
- The cloud environment can minimize IT resource expenses by increasing the utilization rate and easiness in management of IT resources through application of the virtualization. The server virtualization in the cloud environment was previously in a stable stage, but the network virtualization is not yet steady. Recently, in order to improve the network virtualization, efforts to reduce the bottleneck in the cloud infrastructure by applying the SDN technology to the network virtualization are actively underway.
- In general, virtualization refers to the act of creating and running a plurality of operating systems on one system by dividing a single piece of physical hardware into a plurality of virtual hardware devices. The software that performs such virtualization is a hypervisor. The hypervisor provides a way for different operating systems to access one physical computer resource, such as a processor or memory in one host; in other words, it is a piece of computer software that lets one computer run a number of operating systems.
- Recently, with the appearance of high-performance CPUs, multi core CPUs, and high-capacity memories, it became possible to construct various virtual machines in one host and install and run a plurality of operating systems in each of the virtual machines in an allowable range of a memory.
- A conventional physical server, for instance, a host, generally leases one host to just one subscriber, but when the virtualization technology is applied, one virtualized system can run various subscriber services, for instance, file servers, mail servers, web servers, and so on, so as to lease one physical server, for instance, one host, to several subscribers.
- However, such a physical server to which the virtualization technology is applied has several problems, such as attacks on and hacking into each subscriber's virtual machine and information leakage from the virtual machine, because as many operating systems as there are logical servers must be installed on one host. Additionally, in a virtualized system in the cloud environment composed of hundreds or thousands of virtual machines, it is difficult to establish and apply security policies to every virtual machine. In the cloud environment, when one virtual machine is infected, other virtual machines in the system are also infected, and finally the entire cloud system is infected.
- Conventionally, a hardware-based network security system, for instance, an IPS (Intrusion Prevention System), is an independent device which is physically installed on the outside and is very expensive.
- Moreover, if the conventional hardware-based network security system, for instance, the IPS, is installed in the virtualized system of the cloud environment, which distributes and allocates resources in software through virtualization of the entire resources including servers and networks, it is difficult to construct a security system that fits the system structure closely, and such a system cannot be effectively connected with the virtualized system of the cloud environment, which has to frequently carry out variable distribution and allocation of resources in order to spread the system load.
- Accordingly, an important aspect of the present invention is that the present inventors recognized certain drawbacks of the related art, as mentioned above. As a result, the present inventors provided a solution to such drawbacks, as follows.
- It is an object of the present invention to provide a system and method for controlling a virtual network with a security function, which can actively block malicious traffic or harmful packets in advance and switch normal packets to their destination at the network level inside a virtualized system.
- To accomplish the above object, according to the present invention, there is provided a method for controlling a virtual network with a security function comprising the steps of: creating real time blocking rules by a vIPS (virtual Intrusion Prevention System) when any malicious behavior is detected according to a signature-based detection; sending the real time blocking rules to a vSwitch (virtual Switch) and blocking an attacking traffic by the vSwitch according to the sent blocking rules; checking whether or not traffic blocking was actually carried out during a designated period of time (hereinafter, called ‘blocking time’) when the blocking time has lapsed according to the blocking rules; deleting the created blocking rules and terminating the corresponding traffic blocking by the vIPS if the traffic blocking was not actually carried out during the blocking time; and extending the blocking time based on the present state to which the blocking rules were applied and terminating blocking of the corresponding traffic by the vIPS if the traffic blocking was actually carried out during the blocking time.
- In another aspect of the present invention, there is provided a method for controlling a virtual network with a security function including the steps of: receiving an attack detection-related security alert (common event format) from vIPSs in a virtual network controlling system including a cloud ESM (Enterprise Security Management) system; analyzing a traffic or an attack pattern detected in the vIPS through a correlation analysis by the cloud ESM system when the attack detection-related event format is received; determining a real time blocking reaction against the detected traffic or attack in the cloud ESM system on the basis of the analyzed results and sending the blocking reaction command to the vIPS; creating real time blocking rules by the vIPS according to the blocking reaction command; sending the real time blocking rules to the vSwitch and blocking the attacking traffic by the vSwitch according to the received blocking rules; checking whether or not traffic blocking was actually carried out during a blocking time when the blocking time has lapsed according to the blocking rules; deleting the created blocking rules and terminating the corresponding traffic blocking by the vIPS if the traffic blocking was not actually carried out during the blocking time; and extending the blocking time based on the present state to which the blocking rules were applied and terminating blocking of the corresponding traffic by the vIPS if the traffic blocking was actually carried out during the blocking time.
- Preferably, the cloud ESM system includes: a cloud collection information management module which stores and manages virtualization resource information and security events collected in the vIPS; a cloud security event analysis and security state monitoring module which carries out attack correlation analysis in reference to information received from the vIPS; and a cloud security control management module which forcedly migrates the malicious virtual machine in a logical/physical manner, recognizes a change in information of the virtual machine, and sends a security control command according to a policy change to the vIPS through a cloud agent.
- Preferably, the vIPS includes: an intrusion response processing module which requests creation of the real time blocking rules according to the blocking reaction command; a policy and signature management module which manages creation, update and deletion of the real time blocking rules; an external interface module which provides an interface to send and receive policies of the real time blocking rules; and a hypervisor security API module which sets up or deletes the blocking rules on the vSwitch.
- Preferably, the vIPS sends the created real time blocking rules to an SDN controller so as to expand security of the virtual network system to an SDN network.
- Additional features and advantages of the present invention will be shown in the following description, will be apparent by the following description, and will be known well through practice of the present invention. The above and other objects and merits of the present invention will be apparent from the following detailed description of the preferred embodiments of the invention in conjunction with the accompanying drawings.
- The above and other objects, features and advantages of the present invention will be apparent from the following detailed description of the preferred embodiment of the present invention in conjunction with the accompanying drawings, in which:
- FIG. 1 is a conceptual diagram showing an operation of a system for controlling a virtual network with a security function according to a preferred embodiment of the present invention;
- FIG. 2 is a block diagram of the system for controlling the virtual network with the security function according to the preferred embodiment of the present invention;
- FIG. 3 is a block diagram of a vIPS (virtual Intrusion Prevention System) according to the present invention;
- FIG. 4 is a flow chart of a method for controlling a virtual network with a security function according to a first preferred embodiment of the present invention;
- FIG. 5 is a flow chart of a method for controlling a virtual network with a security function according to a second preferred embodiment of the present invention; and
- FIG. 6 is an exemplary view of a method for controlling a virtual network with a security function according to a third preferred embodiment of the present invention.
- Reference will now be made in detail to the preferred embodiments of the present invention with reference to the attached drawings.
- In order to cope with intrusion into a virtual network under a cloud computing environment, a virtual network controlling system with a security function is provided which manages security states of virtual machines in a cloud datacenter, analyzes security states of malicious virtual machines, and isolates and treats the malicious virtual machines.
- In order to cope with virtualized attacks inside the cloud system which the conventional security equipment cannot detect, such as hacking between virtual machines (VMs) and hypervisor rootkit, the virtual network controlling system with the security function according to the preferred embodiment of the present invention needs detection and action of real time attacks of virtualized networks/hosts, collection of cloud resource information and security events, monitoring and analysis of cloud security states, application of cloud security policies, and so on.
- A software-based vIPS (virtual Intrusion Prevention System) constructed on the virtualized network has difficulty in providing high performance compared with a hardware-based IPS.
- Moreover, a software-based virtual security appliance is limited in the hardware resources that can be allocated to improve performance of the IPS, because it shares the same hardware with the virtual machines which provide actual services. That is, if a lot of hardware resources are allocated to the IPS, the performance of the virtual machines which provide actual services deteriorates.
- The performance of a signature-based IPS is mainly affected by two elements, namely, the number of attacks to be detected (for instance, the number of signatures) and the number of network packets to be processed.
- Reducing the number of attack detection signatures is ineffective because the kinds of detectable attacks are reduced. Therefore, instead of reducing the number of attack detection signatures, it is more effective to reduce the number of network packets to be processed.
- Therefore, the virtual network controlling system according to the preferred embodiment of the present invention reduces the number of packets on which the IPS performs signature matching inspection through a DPI test by diffusing blocking against a previously detected intruder to the network level.
- FIG. 1 is a conceptual diagram showing an operation of a system for controlling a virtual network with a security function according to a preferred embodiment of the present invention, and FIG. 2 is a block diagram of the system for controlling the virtual network with the security function according to the preferred embodiment of the present invention.
- As shown in FIGS. 1 and 2, the virtual network controlling system 100 according to the preferred embodiment of the present invention includes a cloud ESM (Enterprise Security Management) system 200 (hereinafter, called ‘cloud ESM’), a cloud agent 300, a virtual Intrusion Prevention System 400 (hereinafter, called ‘vIPS’), and a virtual switch 500 (hereinafter, called ‘vSwitch’).
- The cloud agent 300 receives security events and resource information generated by the vIPS 400 and transfers the received security events and resource information to the cloud ESM system 200, or applies security policies transferred from the cloud ESM system 200 to the vIPS 400. The cloud agent 300 includes a cloud resource information/security event collecting module and a cloud security control module inside the virtual security appliance (VSA).
- The cloud ESM system 200 collects, analyzes and manages information transferred from the cloud agent 300 or transfers security policies to the cloud agent 300, and includes a cloud collection information management module, a cloud security control management module, a potentially malicious virtual machine inspection module, a cloud security event analysis and security state monitoring module, a cloud security policy management and virtual machine zone (VM zone) security management module, and a DBMS. The cloud ESM system 200 is linked with a legacy ESM/SIEM in order to transfer cloud security event and analysis information.
- The cloud ESM system 200 collects information and security events of virtualized systems from a number of the vIPSs 400 and carries out integrated security control of the whole cloud infrastructure, and then sends security controls and relevant security policies for coping with intrusion to each vIPS 400. Furthermore, the cloud ESM system 200 controls operation of the vIPS 400 and sends system management commands for managing environmental variables to the vIPS 400.
- The cloud collection information management module aggregates the virtualization resource information and security events collected from the vIPS 400 and stores and manages them in the DBMS. In this instance, the aggregation and storing of the collected information means definition of the DB schema, aggregation and filtering, distributed storage and search of the collected high-capacity information, conversion for legacy DB linkage, and so on.
- The cloud security control management module serves to forcedly migrate the malicious virtual machine in a logical/physical manner, to apply security control against a policy change after recognizing an information change of the virtual machine, and to send and manage security control commands to the vIPS 400 through the cloud agent 300.
- The cloud security control management module logically (change of the VM zone) and physically (movement to a specific virtualized system) migrates a target which is detected as a malicious virtual machine. In addition, the cloud security control management module recognizes the live migration of the virtual machine and the change of the VM zone of the virtual machine, and then promptly applies policies which are changed by the migration and the VM zone change.
- The potentially malicious virtual machine inspection module serves to trace and distinguish a potentially malicious virtual machine in relation with the virtualization resource information and security events collected from the vIPS 400.
- Trace of the potentially malicious virtual machine means to trace a suspicious virtual machine and to discriminate it as a potentially malicious virtual machine candidate. Discrimination of the potentially malicious virtual machine means to precisely analyze the potentially malicious virtual machine candidate and to judge whether or not it is a malicious virtual machine.
- The cloud security event analysis and security state monitoring module serves to analyze a virtualization security state, a change in virtualized resources, attack correlation, and information of virtual network traffic conditions in relation with the virtualized resource information and security events collected from the vIPS 400.
- The cloud security policy management and virtual machine zone (VM zone) security management module serves to send and manage the cloud security policies, which will be applied to the vIPS 400, and the VM zone policies for security management of the VM zone to the cloud agent in order to collect information of virtualized resources and detect and cope with virtualized attacks.
- The DBMS (DB management system) serves to store input and output information, policy information and analysis results of each of the modules of the cloud ESM system 200.
- The vSwitch 500 is an OpenFlow-based software switch existing inside a hypervisor for communication between the virtual machines. The vSwitch 500 blocks the intruder's traffic according to blocking rules transferred from the vIPS 400.
- The vIPS 400 is a hypervisor-based intrusion prevention platform, and controls an NIPS (Network-based IPS) service, a stateful firewall service, and an HIPS (Host-based IPS) service of a higher level, and provides an interface for providing information necessary for carrying out an intrusion detection and an interface which receives detected results. Therefore, the vIPS provides not only the network-based IPS service, the host-based IPS service and the firewall service but also IPS services which can easily substitute and utilize other IPSs or firewalls.
- As shown in FIG. 3, the vIPS 400 according to the preferred embodiment of the present invention includes a virtualized system internal information collection and analysis module 410, an intrusion response processing module 420, a policy and signature management module 430, an intrusion prevention system control module 440, a logging module 445, an integrity verification module 450, a callback processing module 455, a detection service interface module 470, an environmental setup management module 475, an administrator account management and authentication module 465, an external interface module 460, and a hypervisor security API module 480.
- FIG. 3 is a block diagram of the vIPS according to the present invention.
- The virtualized system internal information collection and analysis module 410 acquires internal information of the virtual machine and the hypervisor, including network packets of the virtualized system, through the hypervisor security API module 480, and provides interpretation of a virtual machine guest OS in connection with the memory contents of the virtual machine.
- The intrusion response processing module 420 requests formation of real time blocking rules according to rules of reactions to attacks or blocking response commands. The intrusion response processing module 420 carries out response actions according to response policies in relation with intrusion detection.
- The policy and signature management module 430 manages creation, update and deletion of the real time blocking rules. The policy and signature management module 430 manages attack detection signatures, response policies and rules, and firewall policies and rules of the NIPS.
- The intrusion prevention system control module 440 serves to control the entire operation of the vIPS 400 and to control services for intrusion detection, for instance, the stateful firewall service, the NIPS service, the HIPS service, and so on.
- The logging module 445 creates and manages logs.
- The integrity verification module 450 serves to verify the integrity of the inside of the virtual machine which is designated by the HIPS, or of the entire or partial data structure of the hypervisor.
- The callback processing module 455 provides a callback function to support effective communication between the modules inside the vIPS framework and the detection of the intrusion detection service.
- The detection service interface module 470 manages external detection services and processes communications between the platform and detection services and between the modules inside the platform.
- The environment setup management module 475 manages environment setup values so that the vIPS 400 always runs according to the newest setup value. All modules inside the vIPS 400 access the environment setup values, for instance, reading, writing, and others, through the environment setup management module 475.
- The administrator account management and authentication module 465 manages an administrator's account and carries out authentication of the administrator's account.
- The external interface module 460 provides an interface for sending and receiving policies of the real time blocking rules. Furthermore, the external interface module 460 provides an interface for system management and security control of the cloud agent 300 and the vIPS 400 by the cloud ESM system 200.
- The hypervisor security API module 480 sets up or deletes blocking rules of the vSwitch 500. In this instance, the vSwitch 500 corresponds to an Open vSwitch in a Xen server, which is a virtualization platform.
- The hypervisor security API module 480 provides an API which can acquire the internal information of the virtualized system and carry out a security control to cope with the detection by directly accessing the hypervisor. Therefore, the hypervisor security API module 480 provides an abstraction of hypervisor access for security-related functions.
- Out of the modules, the virtualized system internal information collection and analysis module 410, the intrusion response processing module 420, the policy and signature management module 430, the intrusion prevention system control module 440, the logging module 445, the integrity verification module 450, and the callback processing module 455 form the vIPS framework.
- The vIPS framework is the aggregation of essential common modules to organize the IPS and the firewall, which are the core functions in the hypervisor-based virtualized network/host intrusion prevention system, and provides common functions and structures necessary for the NIPS (Network-based IPS) service, the HIPS (Host-based IPS) service and the stateful firewall service of the higher level to carry out access control, detection and response.
- The services for carrying out intrusion detection include the NIPS service, the HIPS service and the stateful firewall service; they carry out detection by receiving input information (virtual network packets, virtual machine/hypervisor internal information, and so on) for intrusion detection and access control using the hypervisor-based intrusion prevention platform, and send the detected result to the platform using the vIPS framework.
- The stateful firewall service serves as an engine of a stateful firewall.
- The NIPS service serves as an engine of the network-based IPS.
- The HIPS service serves as an engine of a host-based IPS, and includes a rootkit detection module and a virtual machine abnormal behavior detection module in a lower level. It is preferable that the lower-level modules of the HIPS service be developed based on signature.
- FIG. 4 is a flow chart of a method for controlling a virtual network with a security function according to a first preferred embodiment of the present invention.
- The hypervisor-based virtual network controlling system 100 with the security function according to the preferred embodiment of the present invention enhances intrusion prevention performance by blocking attacking traffic in advance at the network level, before application of DPI (Deep Packet Inspection).
- The vIPS 400 according to the first preferred embodiment of the present invention analyzes and detects malicious behaviors according to signature-based detection and checks the intruder's IP (Internet Protocol) address. Therefore, this embodiment is carried out independently, according to different blocking rules, in each vIPS 400 inside the virtual network controlling system 100.
- As shown in FIG. 4, first, when any malicious behavior is detected according to the signature-based detection, the vIPS 400 creates real time blocking rules (S10˜S20). The vIPS 400 sends the real time blocking rules of a flow rule type to the vSwitch 500 (S30).
- Then, the vSwitch 500 blocks the intruder's traffic in advance according to the blocking rules sent from the vIPS 400 (S40). The vSwitch 500 carries out traffic blocking during a designated period of time (hereinafter, called ‘blocking time’) according to the blocking rules. After that, when the blocking time has lapsed, the vIPS 400 checks whether or not the traffic blocking was actually carried out during the blocking time (S50˜S60).
- If the traffic blocking was not actually carried out during the blocking time, the vIPS 400 deletes the created blocking rules and terminates the corresponding traffic blocking (S70).
- On the contrary, if the traffic blocking was actually carried out during the blocking time, the vIPS 400 extends the blocking time based on the present state to which the blocking rules were applied (S80), and then the steps (S30 to S60) are repeated.
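The rule lifecycle of steps S10 to S80 (the same loop the summary of the invention describes), as an added Python example that is not part of the patent: a constructed vSwitch model counts the packets each drop rule matches, and the vIPS deletes a rule that matched nothing during its blocking time or doubles the blocking time of one that did. The Open vSwitch command string, the 60-second initial blocking time, the doubling factor and the cap are assumptions chosen for the demo.

```python
"""Adaptive blocking-rule lifecycle of the first embodiment (added example, not patent code).

A vIPS installs a drop rule on an OpenFlow vSwitch for an intruder IP, waits for
the blocking time, then keeps or removes the rule depending on whether the
switch actually matched (blocked) any packets during that period.
"""
from dataclasses import dataclass

# Constructed policy parameters (assumptions; the patent leaves them unspecified).
INITIAL_BLOCKING_TIME = 60   # seconds of the first blocking period (S30)
EXTENSION_FACTOR = 2         # blocking time doubles each time the rule kept hitting (S80)
MAX_BLOCKING_TIME = 3600     # cap so an extended rule cannot grow without bound


@dataclass
class FlowRule:
    """A drop rule of the flow-rule type plus the match counter an OpenFlow switch keeps."""
    src_ip: str
    blocking_time: int
    packet_count: int = 0    # packets matched (= blocked) during the current period
    generations: int = 0     # how many times the blocking time has been extended

    def ovs_flow(self, bridge: str = "xenbr0") -> str:
        """Equivalent Open vSwitch command (constructed string, not the vIPS API)."""
        return (f"ovs-ofctl add-flow {bridge} "
                f"priority=1000,ip,nw_src={self.src_ip},"
                f"hard_timeout={self.blocking_time},actions=drop")


class VSwitch:
    """Minimal vSwitch model: holds flow rules and counts the packets they drop."""

    def __init__(self) -> None:
        self.rules: dict[str, FlowRule] = {}

    def install(self, rule: FlowRule) -> None:
        self.rules[rule.src_ip] = rule

    def remove(self, src_ip: str) -> None:
        self.rules.pop(src_ip, None)

    def forward(self, src_ip: str) -> bool:
        """Return True if the packet is forwarded, False if a blocking rule dropped it."""
        rule = self.rules.get(src_ip)
        if rule is None:
            return True
        rule.packet_count += 1
        return False


class VIPS:
    """vIPS side of the procedure: create the rule (S10-S30), decide at expiry (S50-S80)."""

    def __init__(self, vswitch: VSwitch) -> None:
        self.vswitch = vswitch

    def on_signature_match(self, intruder_ip: str) -> FlowRule:
        """S10-S30: signature-based detection yields the intruder IP; install a drop rule."""
        rule = FlowRule(src_ip=intruder_ip, blocking_time=INITIAL_BLOCKING_TIME)
        self.vswitch.install(rule)
        return rule

    def on_blocking_time_elapsed(self, src_ip: str) -> str:
        """S50-S80: was anything actually blocked? Delete the rule if not, extend it if so."""
        rule = self.vswitch.rules.get(src_ip)
        if rule is None:
            return "absent"
        if rule.packet_count == 0:
            # S70: nothing matched, so the rule only occupies switch capacity; remove it.
            self.vswitch.remove(src_ip)
            return "deleted"
        # S80: the intruder kept sending; lengthen the blocking time and reinstall (S30 again).
        rule.blocking_time = min(rule.blocking_time * EXTENSION_FACTOR, MAX_BLOCKING_TIME)
        rule.packet_count = 0
        rule.generations += 1
        self.vswitch.install(rule)
        return "extended"


def simulate(traffic_by_period: list[list[str]], intruder_ip: str = "10.0.0.66") -> list[str]:
    """Run the loop over constructed per-period traffic; return the decision at each expiry."""
    sw = VSwitch()
    vips = VIPS(sw)
    vips.on_signature_match(intruder_ip)
    decisions = []
    for period in traffic_by_period:
        for src in period:
            sw.forward(src)
        decisions.append(vips.on_blocking_time_elapsed(intruder_ip))
    return decisions
```

Each decision is taken from the switch's own match counter, so a rule that the intruder stopped triggering disappears after one idle period without the vIPS re-inspecting any packets.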
FIG. 5 is a flow chart of a method for controlling a virtual network with a security function according to a second preferred embodiment of the present invention. - The
vIPS 400 according to the second preferred embodiment of the present invention checks the intruder's IP (Internet Protocol) by carrying out malicious behavior analysis and detection according to correlation analysis procedures of thecloud ESM system 200. Therefore, this embodiment is carried out according to the same blocking rules in allvIPSs 400 inside the virtualnetwork controlling system 100. - As shown in
FIG. 5 , when a doubtful traffic or attack pattern is detected, thevIPS 400 according to the second preferred embodiment of the present invention creates an attack detection-related security alert (common event format), and sends it to the cloud ESM system 200 (S110˜S120). - The
cloud ESM system 200 receives the attack detection-related event format from thevIPSs 400 organizing the virtualnetwork controlling system 100. - When the attack detection-related event format is received, the
cloud ESM system 200 analyzes the traffic or attack pattern detected in thevIPS 400 through the correlation analysis (S130). Moreover, a security administrator of thesystem 200 determines a real time blocking reaction (security policy) against the detected traffic or attack, based on the analyzed results (S140). After that, thesystem 200 sends the determined blocking reaction command to thevIPS 400. - When the blocking reaction command is received from the
cloud ESM system 200, thevIPS 400 creates real time blocking rules according to the blocking reaction command (S170). Additionally, thevIPS 400 sends the created real time blocking rules of the flow rule type to thevSwitch 500. - The
vSwitch 500 blocks the intruder's traffic according to the blocking rules sent from thevIPS 400. ThevSwitch 500 carries out traffic blocking for a predetermined period of time according to the blocking rules like the vSwitch of the first preferred embodiment (S190). After that, when the blocking time is lapsed, thevIPS 400 checks whether or not the traffic blocking was carried out actually during the blocking time (S200˜S210). - If the traffic blocking was not carried out actually during the blocking time, the
vIPS 400 deletes the created blocking rules and terminates the corresponding traffic blocking (S220). - On the contrary, if the traffic blocking was carried out actually during the blocking time, the
vIPS 400 extends the blocking time based on the present state to which the blocking rules were applied (S230), and then, the steps (S150 to S180) are repeated. -
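The correlation and fan-out of steps S110 to S170, as an added Python example that is not the patent's or any product's code: constructed CEF alerts from three vIPSs are parsed by a simple cloud ESM model that treats a source reported by two different vIPSs as correlated, issues one blocking reaction command, and every vIPS installs the same flow-rule-type blocking rule from it. The correlation threshold, the blocking time, the alert contents and the hypothetical ExampleCo vendor string are assumptions.

```python
"""Cloud ESM correlation and blocking-reaction fan-out of the second embodiment (added example).

Several vIPSs emit CEF-style alerts; the ESM correlates them by source IP and,
once the same source is reported by enough distinct vIPSs, issues one blocking
reaction command that every vIPS turns into the same blocking rule.
"""
import re
from collections import defaultdict

# Constructed constants (assumptions; the patent leaves the policy to the administrator).
CORRELATION_THRESHOLD = 2   # distinct vIPSs that must report the same source
BLOCKING_TIME = 300         # seconds, applied identically by all vIPSs

_KV = re.compile(r"(\w+)=(\S+)")  # CEF extension key=value pairs (values without spaces here)


def parse_cef(line: str) -> dict:
    """Parse 'CEF:Version|Vendor|Product|Ver|SignatureID|Name|Severity|Extension'.

    Escaped pipes inside header fields are not handled; the constructed alerts have none.
    """
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"malformed CEF record: {line!r}")
    event = {"vendor": parts[1], "product": parts[2], "version": parts[3],
             "signature_id": parts[4], "name": parts[5], "severity": int(parts[6])}
    event.update(dict(_KV.findall(parts[7])))
    return event


class CloudESM:
    """S130-S140: correlate alerts across vIPSs and decide on a blocking reaction."""

    def __init__(self, threshold: int = CORRELATION_THRESHOLD) -> None:
        self.threshold = threshold
        self.reports = defaultdict(set)   # source IP -> ids of the vIPSs that reported it
        self.commanded = set()            # sources already commanded; avoids duplicate commands

    def ingest(self, cef_line: str):
        """S120: receive one alert; return a blocking command once correlation crosses the threshold."""
        event = parse_cef(cef_line)
        src, reporter = event["src"], event["dvchost"]
        self.reports[src].add(reporter)
        if len(self.reports[src]) >= self.threshold and src not in self.commanded:
            self.commanded.add(src)
            return {"action": "block", "src": src, "blocking_time": BLOCKING_TIME,
                    "reporters": sorted(self.reports[src])}
        return None


class VIPS:
    """S170: each vIPS turns the ESM command into a blocking rule of the flow-rule type."""

    def __init__(self, vips_id: str) -> None:
        self.vips_id = vips_id
        self.rules: dict[str, str] = {}

    def apply_command(self, cmd: dict) -> str:
        # Same match fields on every vIPS, so the whole fleet blocks the intruder identically.
        rule = f"ip,nw_src={cmd['src']},hard_timeout={cmd['blocking_time']},actions=drop"
        self.rules[cmd["src"]] = rule
        return rule


def run(alerts: list[str], fleet: list[VIPS]) -> list[dict]:
    """Feed alerts into the ESM and fan every resulting command out to all vIPSs."""
    esm = CloudESM()
    commands = []
    for line in alerts:
        cmd = esm.ingest(line)
        if cmd is not None:
            commands.append(cmd)
            for vips in fleet:
                vips.apply_command(cmd)
    return commands


# Constructed alerts: vips-a and vips-b both see scanning from 10.0.0.66; only vips-a sees 10.0.0.7.
SAMPLE_ALERTS = [
    "CEF:0|ExampleCo|vIPS|1.0|1001|port scan|5|src=10.0.0.66 dst=10.0.1.10 dvchost=vips-a",
    "CEF:0|ExampleCo|vIPS|1.0|2002|ssh brute force|7|src=10.0.0.7 dst=10.0.1.11 dvchost=vips-a",
    "CEF:0|ExampleCo|vIPS|1.0|1001|port scan|5|src=10.0.0.66 dst=10.0.2.20 dvchost=vips-b",
    "CEF:0|ExampleCo|vIPS|1.0|1001|port scan|5|src=10.0.0.66 dst=10.0.3.30 dvchost=vips-c",
]
```

The third vIPS (vips-c) receives the rule before its own alert is even processed, which is the early response the patent describes; the source seen by only one vIPS stays below the threshold and is left to that vIPS's local signature-based handling.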
FIG. 6 is an exemplary view of a method for controlling a virtual network with a security function according to a third preferred embodiment of the present invention. - The
vIPS 400 according to the third preferred embodiment of the present invention expands security to an SDN (Software-Defined Network) using a network flow control through an open flow. - As shown in
FIG. 6 , when a doubtful traffic or attack pattern is detected, thevIPS 400 according to the third preferred embodiment of the present invention creates an attack detection-related security alert (common event format), and sends it to thecloud ESM system 200. - The
cloud ESM system 200 receives the attack detection-related event format from thevIPSs 400 organizing the virtualnetwork controlling system 100. - When the attack detection-related event format is received, the
cloud ESM system 200 analyzes the traffic or attack pattern detected in thevIPS 400 through the correlation analysis. Moreover, a security administrator of thesystem 200 determines a real time blocking reaction (security policy) against the detected traffic or attack, based on the analyzed results. After that, thesystem 200 sends the determined blocking reaction command to thevIPS 400. - When the blocking reaction command is received from the
cloud ESM system 200, thevIPS 400 creates real time blocking rules according to the blocking reaction command. Additionally, thevIPS 400 sends the created real time blocking rules of the flow rule type to thevSwitch 500. In addition, thevIPS 400 sends the real time blocking rules to an SDN controller (network OS) of an SDN network. - The
vIPS 400 according to this embodiment carries out blocking against malicious network traffics even in the SDN by sending the real time blocking rules to the SDN network. - As shown in
FIG. 6 , in this embodiment, security of thevirtual network system 100 with the security function is expanded (linked) to the SDN. - While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes and modifications may be made therein without departing from the technical idea and scope of the present invention and all or some of the exemplary embodiment described in the present invention can be selectively combined. Therefore, it will be also understood by those of ordinary skill in the art that the technical and protective scope of the present invention is defined by the technical idea and scope of the claims of the present invention.
- The system and method for controlling the virtual network with the security function according to the present invention reduce the number of packets to which the IPS carries out the signature matching inspection through the DPI test by diffusing blocking against the previously detected intruder by the network level, so as to enhance performance of the virtualized network IPS.
- The
vIPS 400 according to the first preferred embodiment of the present invention shares intruder information detected in the single virtualized system. That is, thevIPS 400 sends the intruder information detected in the single virtualized system to vIPSs running in another virtualized system so as to provide an early response or blocking to harmful traffics. - The
vIPS 400 according to the second preferred embodiment of the present invention can provide an early response against the detected intruder through the cloud security correlation analysis. - That is, the
vIPS 400 sends the intruder information detected through the correlation analysis of thecloud ESM system 200 to other vIPSs and makes the vIPSs block the detected intruder in the vSwitch level, such that the vIPS 40 can previously cope with or block attacks or harmful traffics which are difficult to detect in the single vIPS level.
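The alert, correlation and blocking loop described above (vIPS raises a CEF alert, the cloud ESM correlates alerts from distinct vIPSs and returns a blocking command, the vIPS turns it into an OpenFlow-style drop rule for the vSwitch and the SDN controller, and the blocking time is reviewed as in steps S220 and S230), as an added Python illustration that is not the patent's own code. The component names, the CEF field layout, the threshold of two reporting vIPSs, the 600-second blocking time and the doubling of the blocking time on extension are assumptions.

```python
from collections import defaultdict
from typing import Optional

# Assumed parameters (not from the patent): initial blocking time and the
# number of distinct vIPSs that must report a source before the ESM blocks it.
BLOCK_SECONDS = 600
CORRELATION_THRESHOLD = 2

def cef_alert(vips_id: str, src_ip: str, signature: str) -> str:
    """Attack detection alert in Common Event Format, sent from a vIPS to the cloud ESM."""
    return f"CEF:0|vIPS|{vips_id}|1.0|{signature}|intrusion detected|7|src={src_ip}"

def parse_cef(line: str) -> dict:
    """Split the CEF header on '|' and the extension into key=value pairs."""
    head = line.split("|")
    ext = dict(kv.split("=", 1) for kv in head[7].split())
    return {"vips": head[2], "signature": head[4], "src": ext["src"]}

class CloudEsm:
    """Correlation analysis across vIPSs: a source reported by enough distinct vIPSs gets a block command."""
    def __init__(self) -> None:
        self.reporters = defaultdict(set)  # src_ip -> ids of vIPSs that alerted on it

    def receive(self, line: str) -> Optional[dict]:
        alert = parse_cef(line)
        self.reporters[alert["src"]].add(alert["vips"])
        if len(self.reporters[alert["src"]]) >= CORRELATION_THRESHOLD:
            return {"action": "block", "src": alert["src"], "seconds": BLOCK_SECONDS}
        return None  # not yet corroborated by a second vIPS; keep inspecting

def flow_rule(cmd: dict, now: float) -> dict:
    """Real time blocking rule in OpenFlow-style flow form, as pushed to the vSwitch and the SDN controller."""
    return {"match": {"eth_type": 0x0800, "ipv4_src": cmd["src"]},
            "actions": [],                 # empty action list: matching packets are dropped
            "priority": 100, "hard_timeout": cmd["seconds"],
            "installed": now, "packet_count": 0}

def review_block(rule: dict, now: float) -> Optional[dict]:
    """Once the blocking time has elapsed: delete the rule if nothing was blocked (S220),
    otherwise extend the blocking time (S230; doubling is an assumption) and keep counting."""
    if now - rule["installed"] < rule["hard_timeout"]:
        return rule                        # still inside the blocking time
    if rule["packet_count"] == 0:
        return None                        # S220: rule never matched, delete it
    return {**rule, "installed": now, "hard_timeout": rule["hard_timeout"] * 2,
            "packet_count": 0}             # S230: extend and re-arm the counter
```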
Claims (7)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020140047994A KR101535502B1 (en) | 2014-04-22 | 2014-04-22 | System and method for controlling virtual network including security function |
KR10-2014-0047994 | 2014-04-22 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
US9166988B1 US9166988B1 (en) | 2015-10-20 |
US20150304344A1 true US20150304344A1 (en) | 2015-10-22 |
Family
ID=53792435
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/263,035 Expired - Fee Related US9166988B1 (en) | 2014-04-22 | 2014-04-28 | System and method for controlling virtual network including security function |
Country Status (2)
Country | Link |
---|---|
US (1) | US9166988B1 (en) |
KR (1) | KR101535502B1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017165005A1 (en) * | 2016-03-22 | 2017-09-28 | Symantec Corporation | Protecting dynamic and short-lived virtual machine instances in cloud environments |
CN107896191A (en) * | 2017-11-27 | 2018-04-10 | 深信服科技股份有限公司 | A kind of virtual secure component based on container is across cloud system and method |
US20180367377A1 (en) * | 2016-03-02 | 2018-12-20 | New H3C Technologies Co., Ltd | Signature rule loading |
US11546266B2 (en) * | 2016-12-15 | 2023-01-03 | Arbor Networks, Inc. | Correlating discarded network traffic with network policy events through augmented flow |
Families Citing this family (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9619168B2 (en) | 2013-11-08 | 2017-04-11 | Empire Technology Development Llc | Memory deduplication masking |
US9940458B2 (en) * | 2014-08-07 | 2018-04-10 | Empire Technology Development Llc | Flag based threat detection |
US9497207B2 (en) * | 2014-08-15 | 2016-11-15 | International Business Machines Corporation | Securing of software defined network controllers |
US11533255B2 (en) * | 2014-11-14 | 2022-12-20 | Nicira, Inc. | Stateful services on stateless clustered edge |
US9560078B2 (en) | 2015-02-04 | 2017-01-31 | Intel Corporation | Technologies for scalable security architecture of virtualized networks |
US9967288B2 (en) | 2015-11-05 | 2018-05-08 | International Business Machines Corporation | Providing a common security policy for a heterogeneous computer architecture environment |
KR102216061B1 (en) * | 2015-11-25 | 2021-02-16 | 에스케이텔레콤 주식회사 | Apparatus and method for controlling security of communication between virtual machines |
CN105591815A (en) * | 2015-12-10 | 2016-05-18 | 北京匡恩网络科技有限责任公司 | Network control method for power supply relay device of cloud testing platform |
CN105681314A (en) * | 2016-01-29 | 2016-06-15 | 博雅网信(北京)科技有限公司 | Cloud environment security scanner and method |
WO2017155280A2 (en) * | 2016-03-08 | 2017-09-14 | 주식회사 케이티 | Security system for sdn/nfv-based ip call service and method for operating security system |
CN105897728B (en) * | 2016-04-27 | 2022-06-17 | 江苏警官学院 | Anti-virus system based on SDN |
CN106330603A (en) * | 2016-08-22 | 2017-01-11 | 上海国云信息科技有限公司 | Connection detection method and system, client side, and DPI equipment |
US10769152B2 (en) | 2016-12-02 | 2020-09-08 | Cisco Technology, Inc. | Automated log analysis |
KR102088308B1 (en) | 2017-01-24 | 2020-03-12 | 한국전자통신연구원 | Cloud security analysing apparatus, apparatus and method for management of security policy based on nsfv |
KR101826828B1 (en) * | 2017-08-16 | 2018-03-22 | 주식회사 마크베이스 | System and method for managing log data |
US11265291B2 (en) * | 2017-08-25 | 2022-03-01 | Red Hat, Inc. | Malicious packet filtering by a hypervisor |
US10616099B2 (en) | 2017-08-28 | 2020-04-07 | Red Hat, Inc. | Hypervisor support for network functions virtualization |
US10742607B2 (en) * | 2018-02-06 | 2020-08-11 | Juniper Networks, Inc. | Application-aware firewall policy enforcement by data center controller |
EP3525407B1 (en) * | 2018-02-08 | 2020-09-23 | ADVA Optical Networking SE | Device and method of forwarding data packets in a virtual switch of a software-defined wide area network environment |
KR102492788B1 (en) | 2018-03-12 | 2023-01-30 | 주식회사 케이티 | Devices and method for building group networks in Software Definition Data Center |
US11102296B2 (en) * | 2018-04-30 | 2021-08-24 | International Business Machines Corporation | Big bang approach in datacenter migrations |
KR20210003261A (en) * | 2018-05-29 | 2021-01-11 | 엘지전자 주식회사 | Vehicle intrusion detection and prevention system |
US10826943B2 (en) | 2018-08-21 | 2020-11-03 | At&T Intellectual Property I, L.P. | Security controller |
CN109947534B (en) * | 2019-03-12 | 2022-12-27 | 中山大学 | Cloud security function scheduling system based on SDN |
CN110175451A (en) * | 2019-04-23 | 2019-08-27 | 国家电网公司华东分部 | A kind of method for safety monitoring and system based on electric power cloud |
US11709716B2 (en) | 2019-08-26 | 2023-07-25 | Red Hat, Inc. | Hardware offload support for an operating system offload interface using operation code verification |
US11558402B2 (en) * | 2019-10-28 | 2023-01-17 | Cisco Technology, Inc. | Virtual switch-based threat defense for networks with multiple virtual network functions |
US11799761B2 (en) | 2022-01-07 | 2023-10-24 | Vmware, Inc. | Scaling edge services with minimal disruption |
US11962564B2 (en) | 2022-02-15 | 2024-04-16 | VMware LLC | Anycast address for network address translation at edge |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100596386B1 (en) * | 2003-12-05 | 2006-07-03 | 한국전자통신연구원 | Method for dynamic filtering IP fragment attack fragment |
KR100728277B1 (en) * | 2005-05-17 | 2007-06-13 | 삼성전자주식회사 | System and method for dynamic network security |
US8224761B1 (en) * | 2005-09-01 | 2012-07-17 | Raytheon Company | System and method for interactive correlation rule design in a network security system |
US7805752B2 (en) * | 2005-11-09 | 2010-09-28 | Symantec Corporation | Dynamic endpoint compliance policy configuration |
US20090178131A1 (en) * | 2008-01-08 | 2009-07-09 | Microsoft Corporation | Globally distributed infrastructure for secure content management |
US8719936B2 (en) * | 2008-02-01 | 2014-05-06 | Northeastern University | VMM-based intrusion detection system |
US8443440B2 (en) * | 2008-04-05 | 2013-05-14 | Trend Micro Incorporated | System and method for intelligent coordination of host and guest intrusion prevention in virtualized environment |
US9069599B2 (en) * | 2008-06-19 | 2015-06-30 | Servicemesh, Inc. | System and method for a cloud computing abstraction layer with security zone facilities |
US8977750B2 (en) * | 2009-02-24 | 2015-03-10 | Red Hat, Inc. | Extending security platforms to cloud-based networks |
US8910278B2 (en) * | 2010-05-18 | 2014-12-09 | Cloudnexa | Managing services in a cloud computing environment |
US20120297483A1 (en) * | 2011-05-16 | 2012-11-22 | General Electric Company | Systems, methods, and apparatus for network intrusion detection based on monitoring network traffic |
US9047441B2 (en) * | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
US8839404B2 (en) * | 2011-05-26 | 2014-09-16 | Blue Coat Systems, Inc. | System and method for building intelligent and distributed L2-L7 unified threat management infrastructure for IPv4 and IPv6 environments |
US9792430B2 (en) * | 2011-11-03 | 2017-10-17 | Cyphort Inc. | Systems and methods for virtualized malware detection |
US8990948B2 (en) * | 2012-05-01 | 2015-03-24 | Taasera, Inc. | Systems and methods for orchestrating runtime operational integrity |
US9548962B2 (en) * | 2012-05-11 | 2017-01-17 | Alcatel Lucent | Apparatus and method for providing a fluid security layer |
WO2013177316A2 (en) * | 2012-05-22 | 2013-11-28 | Xockets IP, LLC | Efficient packet handling, redirection, and inspection using offload processors |
US8990942B2 (en) * | 2013-02-18 | 2015-03-24 | Wipro Limited | Methods and systems for API-level intrusion detection |
US9326185B2 (en) * | 2013-03-11 | 2016-04-26 | Seven Networks, Llc | Mobile network congestion recognition for optimization of mobile traffic |
2014
- 2014-04-22 KR KR1020140047994A patent/KR101535502B1/en active IP Right Grant
- 2014-04-28 US US14/263,035 patent/US9166988B1/en not_active Expired - Fee Related
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180367377A1 (en) * | 2016-03-02 | 2018-12-20 | New H3C Technologies Co., Ltd | Signature rule loading |
EP3425868A4 (en) * | 2016-03-02 | 2019-03-06 | New H3C Technologies Co., Ltd. | Signature rule loading |
US11831493B2 (en) * | 2016-03-02 | 2023-11-28 | New H3C Technologies Co., Ltd. | Signature rule loading |
WO2017165005A1 (en) * | 2016-03-22 | 2017-09-28 | Symantec Corporation | Protecting dynamic and short-lived virtual machine instances in cloud environments |
US11546266B2 (en) * | 2016-12-15 | 2023-01-03 | Arbor Networks, Inc. | Correlating discarded network traffic with network policy events through augmented flow |
CN107896191A (en) * | 2017-11-27 | 2018-04-10 | 深信服科技股份有限公司 | A kind of virtual secure component based on container is across cloud system and method |
Also Published As
Publication number | Publication date |
---|---|
US9166988B1 (en) | 2015-10-20 |
KR101535502B1 (en) | 2015-07-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9166988B1 (en) | System and method for controlling virtual network including security function | |
EP3362938B1 (en) | Automated construction of network whitelists using host-based security controls | |
US10009381B2 (en) | System and method for threat-driven security policy controls | |
US9294442B1 (en) | System and method for threat-driven security policy controls | |
US9774568B2 (en) | Computer security architecture and related computing method | |
US9507935B2 (en) | Exploit detection system with threat-aware microvisor | |
Tupakula et al. | Intrusion detection techniques for infrastructure as a service cloud | |
US20180212995A1 (en) | Decoy and deceptive data object technology | |
US10826933B1 (en) | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints | |
WO2016082501A1 (en) | Method, apparatus and system for processing cloud application attack behaviours in cloud computing system | |
US20140317737A1 (en) | Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system | |
US10320833B2 (en) | System and method for detecting creation of malicious new user accounts by an attacker | |
US20070266433A1 (en) | System and Method for Securing Information in a Virtual Computing Environment | |
CN109379347B (en) | Safety protection method and equipment | |
Liu et al. | An integrated architecture for IoT malware analysis and detection | |
US20200311231A1 (en) | Anomalous user session detector | |
US11048770B2 (en) | Adaptive response generation on an endpoint | |
CN106469275A (en) | Virtual machine virus method and device | |
KR102088308B1 (en) | Cloud security analysing apparatus, apparatus and method for management of security policy based on nsfv | |
CN105704087A (en) | Device for realizing network security management based on virtualization and management method | |
CN110659478B (en) | Method for detecting malicious files preventing analysis in isolated environment | |
Zhang et al. | Xen-based virtual honeypot system for smart device | |
EP3243313B1 (en) | System and method for monitoring a computer system using machine interpretable code | |
Khan et al. | A Deep Study on security vulnerabilities in virtualization at cloud computing | |
CN115941365A (en) | Protection method for terminal network security, all-in-one machine and server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: KOREA INTERNET & SECURITY AGENCY, KOREA, REPUBLIC. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHIN, YOUNGSANG;LEE, SEULGI;HWANG, TONGWOOK;AND OTHERS;REEL/FRAME:032767/0916. Effective date: 20140424 |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
 | STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
 | FP | Lapsed due to failure to pay maintenance fee | Effective date: 20191020 |