CN103870749A - System and method for implementing safety monitoring of virtual machine system - Google Patents

Publication number
CN103870749A
Authority
CN
China
Prior art keywords
virtual machine
safety
strategy
user
enhancing module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410104267.5A
Other languages
Chinese (zh)
Other versions
CN103870749B (en)
Inventor
潘无穷
荆继武
林璟锵
高能
夏鲁宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201410104267.5A
Publication of CN103870749A
Application granted
Publication of CN103870749B
Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a system and a method for implementing safety monitoring of a virtual machine system. A safety enhancing module is arranged for each virtual machine in the virtual machine system, a safety monitoring strategy is set for each virtual machine, and the virtual machines are monitored according to that strategy. The safety monitoring strategy comprises safety strategies and security plug-ins: the safety strategies can consist of autonomous safety strategies configured by the user virtual machines and a global safety strategy configured by the management virtual machine, while the security plug-ins are uniformly provided safety functions that the user virtual machines can optionally configure as required. With this system and method, safety monitoring can be carried out according to the individual requirements of each virtual machine and the safety monitoring function of the virtual machine monitor is reduced, so that the structure of the virtual machine system is simpler and the virtual machine system as a whole is safer and more reliable.

Description

System and method for implementing safety monitoring of a virtual machine system
Technical Field
The present invention relates to the field of virtual machine systems, and in particular to a system and method for implementing security monitoring of a virtual machine system.
Background
Virtualization technology allows multiple virtual machines, each with the functions of a physical computer, to be set up on one physical computer. These virtual machines work like real physical computers, and each runs its own operating system. Multiple virtual machines on the same physical computer can work concurrently; the work of each virtual machine is independent of the others, and the crash of one virtual machine does not affect the other virtual machines.
Through resource sharing, virtualization technology greatly improves resource utilization and has promoted the development of cloud computing. Setting up multiple virtual machines on a physical machine in the cloud allows people in different places to share one physical computer and maximizes resource sharing.
With virtualization technology, an operating system can run on a virtual machine without any modification, and existing application programs are easily migrated into virtual machines, which makes virtual machines easy for developers to accept. Virtual machines can also provide functions such as backup and restore, which makes them more popular still.
Fig. 1 is a structural diagram of a prior-art virtual machine system, comprising a virtual machine monitor and multiple virtual machines, wherein:
The virtual machine monitor manages the hardware resources of the physical computer, provides virtualized hardware resources to each of the multiple virtual machines, sets the authority of each virtual machine, and sets up the isolation between the virtual machines;
Each virtual machine, according to the settings of the virtual machine monitor, runs on the virtualized hardware resources allocated to it with the authority set for it;
In this system, the authorities set by the virtual machine monitor are: management virtual machine and user virtual machine.
In addition to having the functions of a user virtual machine, the management virtual machine can manage the other user virtual machines, for example controlling the opening and closing of other user virtual machines and controlling how much memory other user virtual machines have. In practice, the management virtual machine mainly belongs to the system administrator. A user virtual machine is an ordinary virtual machine: an operating system runs on the virtualized hardware resources, and application programs execute under that operating system.
The virtualized hardware resources set up on a virtual machine can run an operating system and carry out various functions. For convenience of description, the operating system running in the management virtual machine is called the MOS, and the operating system running in a user virtual machine is called the user operating system.
In this system, the virtual machine monitor must provide virtualized hardware resources to the virtual machines and must also set the authority of each virtual machine, preventing virtual machines from accessing unauthorized hardware resources and so guaranteeing security. The virtual machine monitor must therefore be able to control the data interaction between virtual machines and hardware resources. The traditional security strategy is for the virtual machine monitor to inspect every instruction a virtual machine executes and to refuse to execute any prohibited instruction. This makes instruction execution in the virtual machine inefficient, so a more efficient security strategy has been proposed.
This more efficient security strategy is as follows: the virtual machine monitor sets a corresponding configuration file for each virtual machine. The configuration file is set when the virtual machine starts and comprises hardware resource access rules and a callback function. The hardware resource access rules indicate the hardware resource address ranges the virtual machine is allowed to access, the interrupt numbers the virtual machine uses when running, and so on. After the virtual machine starts, the configuration file is applied while the virtual machine runs: whether the instructions the virtual machine executes comply with the hardware resource access rules in the configuration file is monitored, and if they do not, the callback function in the configuration file is called. The callback function defines how various situations are handled, for example by shutting down the virtual machine or by allowing the virtual machine to access certain hardware resources.
As can be seen, the virtual machine monitor is the core unit of a virtual machine system and usually runs at the highest privilege level of the system. As the demands placed on virtual machines grow, the functions carried by the virtual machine monitor also increase sharply. How to balance functionality and security in a virtual machine system has become a major problem. In practice, driven by market interests, adding functions to the virtual machine system is often given priority and the security risks this may bring are ignored.
To ensure the security of virtual machines, a security strategy is set with two main purposes: one is to prevent external attacks on a virtual machine, and the other is to prevent a virtual machine from attacking others. For the administrator of the virtual machine system these two security requirements are equally important; for the user of a virtual machine, the security requirement focuses more on the former. At present, a virtual machine system only allows one unified security strategy to be set for all virtual machines and cannot set security strategies separately according to the individual requirements of each virtual machine, so this way of setting the security strategy cannot meet the individual needs of each virtual machine.
Summary of the Invention
In view of this, the present invention provides a security monitoring system for a virtual machine system. The system can carry out security monitoring according to the individual requirements of each virtual machine and reduces the security monitoring function of the virtual machine monitor.
The present invention also provides a security monitoring method for a virtual machine system. The method can carry out security monitoring according to the individual requirements of each virtual machine and reduces the security monitoring function of the virtual machine monitor.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
A security monitoring system for a virtual machine system comprises: a virtual machine monitor, a management virtual machine, multiple user virtual machines and a safety enhancing module, wherein:
The virtual machine monitor is configured to allocate hardware resources to, and set access rules for, the management virtual machine, the user virtual machines and the safety enhancing module respectively;
The management virtual machine is configured to run on its allocated hardware resources and to interact with the user virtual machines and the safety enhancing module according to the access rules;
The user virtual machine is configured to run on its allocated hardware resources and to interact with the management virtual machine and the safety enhancing module according to the access rules;
The safety enhancing module is configured to set a security monitoring strategy for its corresponding user virtual machine, and to monitor the user virtual machine according to the security monitoring strategy or, after being started, to process the monitored events of the user virtual machine.
The security monitoring strategy comprises a global safety strategy, a discretionary security strategy and/or security plug-ins having various security functions, wherein:
The management virtual machine is further configured to set, through the virtual machine monitor, the global safety strategy of the corresponding user virtual machine in the safety enhancing module;
The user virtual machine is further configured to set, through the virtual machine monitor, its own discretionary security strategy in the safety enhancing module;
The user virtual machine is further configured to install the security plug-ins it selects into the safety enhancing module through the virtual machine monitor.
The global safety strategy or discretionary security strategy is set as a configuration file that comprises hardware resource access rules and a callback function through which the virtual machine monitor calls back the safety enhancing module. This configuration file is applied to the running user virtual machine and the events the user virtual machine executes are monitored; when an event that meets the hardware resource access rules is triggered, the virtual machine monitor calls the callback function and starts event processing on the corresponding safety enhancing module.
The virtual machine monitor comprises a system service module, a virtual machine configuration module and a virtual machine scheduling module, wherein:
The system service module is configured to receive request commands sent by a user virtual machine, the management virtual machine or a safety enhancing module, and to set the security monitoring strategy in the safety enhancing module according to the received request command;
The virtual machine configuration module is configured to allocate or update hardware resources for the user virtual machine and/or the safety enhancing module according to the request command received by the system service module;
The virtual machine scheduling module is configured to switch execution between the user virtual machine and the safety enhancing module when the safety enhancing module needs to process an event of the running user virtual machine.
A security monitoring method for a virtual machine system, in which a safety enhancing module is set up in the virtual machine system, further comprises:
Setting, in the safety enhancing module, a security monitoring strategy for the corresponding user virtual machine;
The safety enhancing module monitoring the user virtual machine according to the security monitoring strategy or, after being started, processing the monitored events of the user virtual machine.
The security monitoring strategy comprises a global safety strategy, a discretionary security strategy and/or security plug-ins having various security functions, wherein:
The global safety strategy is set by the management virtual machine in the virtual machine system through the virtual machine monitor in the virtual machine system;
The discretionary security strategy is set by the user virtual machine through the virtual machine monitor;
The security plug-ins are selected by the user virtual machine and set through the virtual machine monitor.
The global safety strategy or discretionary security strategy is set as a configuration file that comprises hardware resource access rules and a callback function through which the virtual machine monitor calls back the safety enhancing module. This configuration file is applied to the running user virtual machine and the events the user virtual machine executes are monitored; when an event that meets the hardware resource access rules is triggered, the virtual machine monitor calls the callback function and starts processing of the monitored event on the corresponding safety enhancing module.
As can be seen from the above solution, the present invention sets up a safety enhancing module for each virtual machine in the virtual machine system, sets a security monitoring strategy for the virtual machine, and carries out security monitoring of the virtual machine according to that strategy. The security monitoring strategy comprises security strategies and security plug-ins: the security strategies can be a discretionary security strategy configured by the user virtual machine and a global safety strategy configured by the management virtual machine, while the security plug-ins are uniformly provided security functions that the user virtual machine can select and configure as required. Because the safety enhancing modules set a security monitoring strategy for each virtual machine individually and monitor accordingly, security monitoring can be carried out according to the individual requirements of each virtual machine and the security monitoring function of the virtual machine monitor is reduced, which further makes the structure of the virtual machine system simpler and the whole virtual machine system more secure and reliable.
Brief Description of the Drawings
Fig. 1 is a structural diagram of a prior-art virtual machine system;
Fig. 2 is a structural diagram of the security monitoring system for a virtual machine system provided by an embodiment of the present invention;
Fig. 3 is a diagram of the physical structure of the virtual machine system provided by an embodiment of the present invention;
Fig. 4 is a flowchart of the security monitoring method for a virtual machine system provided by an embodiment of the present invention;
Fig. 5 is a flowchart of the method by which a user virtual machine starts, provided by an embodiment of the present invention;
Fig. 6 is a flowchart of the method for configuring the global safety strategy provided by an embodiment of the present invention;
Fig. 7 is a flowchart of the method for configuring the discretionary security strategy provided by an embodiment of the present invention;
Fig. 8 is a flowchart of the method by which the safety enhancing module obtains supervision authority, provided by an embodiment of the present invention;
Fig. 9 is a workflow diagram of the safety enhancing module provided by an embodiment of the present invention.
Detailed Description
To make the objects, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
In order to carry out security monitoring according to the individual requirements of each virtual machine, reduce the security monitoring function of the virtual machine monitor, and thereby make the structure of the virtual machine system simpler and the whole virtual machine system more secure and reliable, the present invention sets up a safety enhancing module for each virtual machine in the virtual machine system, sets a security monitoring strategy for the virtual machine, and carries out security monitoring of the virtual machine according to that strategy. The security monitoring strategy comprises security strategies and security plug-ins: the security strategies can be configured by the user virtual machine and the management virtual machine, while the security plug-ins are uniformly provided security monitoring information that the user virtual machine can select and configure as required.
Fig. 2 is a structural diagram of the security monitoring system for a virtual machine system provided by an embodiment of the present invention, comprising: a virtual machine monitor, a management virtual machine, multiple user virtual machines and a safety enhancing module, wherein:
The virtual machine monitor is configured to allocate hardware resources to, and set access rules for, the management virtual machine, the user virtual machines and the safety enhancing module respectively;
The management virtual machine is configured to run on its allocated hardware resources and to interact with the user virtual machines and the safety enhancing module according to the access rules;
The user virtual machine is configured to run on its allocated hardware resources and to interact with the management virtual machine and the safety enhancing module according to the access rules;
The safety enhancing module is configured to set a security monitoring strategy for its corresponding user virtual machine, and to monitor the user virtual machine according to the security monitoring strategy or, after being started, to process the monitored events of the user virtual machine.
In this system, the security monitoring strategy comprises a global safety strategy, a discretionary security strategy and/or security plug-ins having various security functions, wherein:
The management virtual machine is further configured to set, through the virtual machine monitor, the global safety strategy of the corresponding user virtual machine in the safety enhancing module;
The user virtual machine is further configured to set, through the virtual machine monitor, its own discretionary security strategy in the safety enhancing module;
The user virtual machine is further configured to install the security plug-ins it selects into the safety enhancing module through the virtual machine monitor.
In this system, each security function can be implemented independently in a security plug-in, and which types of security plug-in a safety enhancing module contains is configurable. For example, one security plug-in implements a network intrusion detection function and another implements a hard disk data encryption function. If a user virtual machine does not need the hard disk data encryption function, its safety enhancing module contains only the network intrusion detection plug-in and not the other plug-in; in this way the security of the safety enhancing module is improved.
In this system, the security strategy is set as a configuration file that comprises hardware resource access rules and a callback function through which the virtual machine monitor calls back the safety enhancing module. This configuration file is applied to the running user virtual machine and the events the user virtual machine executes are monitored; when an event that meets the hardware resource access rules is triggered, the virtual machine monitor calls the callback function and starts processing of the monitored event on the corresponding safety enhancing module.
In this system, the safety enhancing module is an application program running in the user operating system of the user virtual machine, or is set up in the user virtual machine as a separate application program.
In this system, the virtual machine monitor sits at the highest privilege level of the whole virtual machine system and manages all hardware resources. It also controls access between the safety enhancing modules, the user virtual machines and the management virtual machine; these access rules are set by the virtual machine monitor. The specific settings can be: the safety enhancing modules corresponding to different user virtual machines are not allowed to access each other; user virtual machines are not allowed to access each other; a safety enhancing module can access its corresponding user virtual machine, that is, the user operating system in its corresponding user virtual machine.
In this system, the virtual machine monitor comprises a system service module, a virtual machine configuration module and a virtual machine scheduling module, wherein:
The system service module is configured to receive request commands sent by a user virtual machine, the management virtual machine or a safety enhancing module. A request sent by a user virtual machine or the management virtual machine may ask to modify the security monitoring strategy; a request sent by a safety enhancing module may ask to intercept certain events of its corresponding user virtual machine. According to the received request command, the system service module sets the security monitoring strategy in the safety enhancing module;
The virtual machine configuration module is configured to allocate or update hardware resources for the user virtual machine and/or the safety enhancing module according to the request command received by the system service module;
The virtual machine scheduling module is configured to switch execution between the user virtual machine and the safety enhancing module when the safety enhancing module needs to process an event of the running user virtual machine.
As an example, a user virtual machine sends the system service module a request command to detect whether network data contains malicious traffic. After receiving it, the system service module sets the security strategy for the user virtual machine; this security strategy is a rule for filtering malicious traffic, and the matching strings for malicious traffic are sent to the safety enhancing module to be set. The request command is passed to the virtual machine configuration module, which configures the hardware resources of the user virtual machine and sets the configuration file, including monitoring of the network input/output ports the user virtual machine uses. When the user virtual machine uses one of those network input/output ports, the callback function in the configuration file is scheduled by the virtual machine scheduling module and the safety enhancing module is started. The safety enhancing module inspects the traffic according to the security strategy that was set; if the traffic is found to be safe, it notifies the virtual machine scheduling module, which resumes the user virtual machine.
As another example, to require that a user virtual machine not launch distributed denial of service (DDoS) attacks against other machines, the management virtual machine sets a security monitoring strategy on the number of new connections per second of the user virtual machine and sends it to the safety enhancing module through the virtual machine monitor; the safety enhancing module then monitors the network traffic of the user virtual machine according to this security monitoring strategy.
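The two examples above can be traced in a small C model, added here as an illustration and not taken from the patent: the monitor checks each event against the per-VM configuration file and, on a match, calls back the safety enhancing module, which applies a string-matching discretionary strategy and a new-connections-per-second global strategy. All struct and function names, the port range, the limit of 2 connections per second and the sample events are constructed assumptions, as is blocking an event that belongs to another VM.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: every name here is hypothetical, not from the patent. */
enum verdict { VERDICT_RESUME, VERDICT_BLOCK };

struct io_event {                 /* one event raised by a user virtual machine */
    int vm_id;
    unsigned port;                /* network I/O port being used */
    unsigned now_sec;             /* time of the event, in seconds */
    int new_connection;           /* 1 if the event opens a new connection */
    const char *payload;          /* data crossing the port */
};

struct sem {                      /* safety enhancing module of one user VM */
    int vm_id;
    const char *match[4];         /* discretionary strategy: malicious-traffic strings */
    int n_match;
    unsigned max_new_conn;        /* global strategy: new connections/second, 0 = unset */
    unsigned window_sec, window_count;
    unsigned handled;             /* events this module processed */
};

struct vm_config {                /* per-VM configuration file held by the monitor */
    int vm_id;
    unsigned port_lo, port_hi;    /* access rule: monitored I/O port range */
    int authority_granted;        /* strategies take effect only once this is set */
    struct sem *sem;
    enum verdict (*callback)(struct sem *, const struct io_event *);
};

/* Callback: event processing inside the safety enhancing module. */
enum verdict sem_handle_event(struct sem *s, const struct io_event *ev)
{
    s->handled++;
    if (ev->new_connection && s->max_new_conn) {
        if (ev->now_sec != s->window_sec) {      /* a new one-second window */
            s->window_sec = ev->now_sec;
            s->window_count = 0;
        }
        if (++s->window_count > s->max_new_conn)
            return VERDICT_BLOCK;                /* global strategy violated */
    }
    for (int i = 0; i < s->n_match; i++)
        if (ev->payload && strstr(ev->payload, s->match[i]))
            return VERDICT_BLOCK;                /* discretionary strategy matched */
    return VERDICT_RESUME;
}

/* Monitor side: decide whether an event is switched to the module. */
enum verdict vmm_dispatch(const struct vm_config *cfg, const struct io_event *ev)
{
    /* Assumption: fail closed if the event or module belongs to another VM. */
    if (ev->vm_id != cfg->vm_id || cfg->sem->vm_id != cfg->vm_id)
        return VERDICT_BLOCK;
    if (!cfg->authority_granted)
        return VERDICT_RESUME;                   /* configured but not yet active */
    if (ev->port < cfg->port_lo || ev->port > cfg->port_hi)
        return VERDICT_RESUME;                   /* outside the access rule */
    return cfg->callback(cfg->sem, ev);          /* switch to the module */
}

/* Constructed scenario; returns a bitmask of the events that were blocked. */
unsigned demo_run(unsigned *handled_out)
{
    struct sem s = { .vm_id = 1, .match = { "TEST-MALICIOUS-MARKER" },
                     .n_match = 1, .max_new_conn = 2 };
    struct vm_config cfg = { .vm_id = 1, .port_lo = 0x3000, .port_hi = 0x30ff,
                             .sem = &s, .callback = sem_handle_event };
    const struct io_event ev[] = {
        { 1, 0x3000, 10, 0, "x TEST-MALICIOUS-MARKER" }, /* 0: before authority */
        { 1, 0x3000, 10, 1, "hello" },                   /* 1: first new connection */
        { 1, 0x3004, 10, 0, "x TEST-MALICIOUS-MARKER" }, /* 2: string match */
        { 1, 0x3000, 10, 1, "hello" },                   /* 3: second new connection */
        { 1, 0x3000, 10, 1, "hello" },                   /* 4: third in second 10 */
        { 1, 0x3000, 11, 1, "hello" },                   /* 5: next second */
        { 1, 0x01f0, 11, 0, "x TEST-MALICIOUS-MARKER" }, /* 6: unmonitored port */
        { 2, 0x3000, 11, 0, "hello" },                   /* 7: another VM's event */
    };
    unsigned mask = 0;
    for (unsigned i = 0; i < sizeof ev / sizeof ev[0]; i++) {
        if (i == 1)
            cfg.authority_granted = 1;           /* monitor grants authority */
        if (vmm_dispatch(&cfg, &ev[i]) == VERDICT_BLOCK)
            mask |= 1u << i;
    }
    if (handled_out) *handled_out = s.handled;
    return mask;
}

int main(void)
{
    unsigned handled, mask = demo_run(&handled);
    printf("blocked mask=0x%02x, events handled by module=%u\n", mask, handled);
    return 0;
}
```

Event 0 carries the matching string but passes because the strategy has not yet been activated, and event 6 passes because its port is outside the monitored range; both are coverage gaps a defender should check for when reviewing a monitoring configuration.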
In this system, the management virtual machine can manage the user virtual machines: it is responsible for creating and destroying user virtual machines and for how many hardware resources a user virtual machine is provided with. A user virtual machine provides the running environment of the user operating system for user application programs and submits its security requirements to the virtual machine system.
Fig. 3 is a diagram of the physical structure of the virtual machine system provided by an embodiment of the present invention. As shown in the figure, the physical structure has four layers: the hardware layer, the virtual machine monitor layer, the virtual machine layer and the application layer, wherein:
The hardware layer comprises hardware resources such as the central processing unit (CPU), memory, hard disk and network card. The virtual machine monitor layer comprises the virtual machine monitor, specifically the system service module, the virtual machine configuration module and the virtual machine scheduling module. The virtual machine layer comprises the management virtual machine, the user virtual machines and the safety enhancing modules. The application layer comprises the management program of the management virtual machine, the user application programs of the user virtual machines, and so on. In this physical structure the safety enhancing module is also located in the virtual machine layer, at the same level as the user operating system of the user virtual machine. Its ability to monitor the user virtual machine is granted by the virtual machine monitor layer; that is, it is only through the operation of the virtual machine monitor that the safety enhancing module can access the user operating system of the user virtual machine and provide security monitoring for it.
Fig. 4 is a flowchart of the security monitoring method for a virtual machine system provided by an embodiment of the present invention. A safety enhancing module is set up in the virtual machine system, and the specific steps are:
Step 401, a security monitoring strategy is set in the safety enhancing module for the corresponding user virtual machine;
Step 402, the safety enhancing module monitors the user virtual machine according to the security monitoring strategy or, after being started, processes the monitored events of the user virtual machine.
In this method, the security monitoring strategy comprises a global safety strategy, a discretionary security strategy and security plug-ins having various security functions, wherein:
The global safety strategy is set by the management virtual machine through the virtual machine monitor, and/or the discretionary security strategy is set by the user virtual machine through the virtual machine monitor, and/or the security plug-ins are selected by the user virtual machine and set through the virtual machine monitor.
In this method, the global safety strategy or discretionary security strategy is set as a configuration file that comprises hardware resource access rules and a callback function through which the virtual machine monitor calls back the safety enhancing module. This configuration file is applied to the running user virtual machine and each event the user virtual machine executes is monitored; when an event that meets the hardware resource access rules is triggered, the virtual machine monitor calls the callback function and starts processing of the monitored event on the corresponding safety enhancing module.
Fig. 5 is a flowchart of the method by which a user virtual machine starts, provided by an embodiment of the present invention. It comprises starting the user operating system of the user virtual machine and starting the safety enhancing module corresponding to the user virtual machine, and the specific steps are:
Step 501, the management software in the MOS of the management virtual machine prepares the image file of the user operating system;
Step 502, the management software in the MOS of the management virtual machine loads the image file of the user operating system into the memory of the virtual machine system;
Step 503, the virtual machine system calls the system service module in the virtual machine monitor and runs the user operating system of the user virtual machine;
Step 504, the virtual machine monitor obtains the security monitoring strategy;
Step 505, the virtual machine monitor sets up the safety enhancing module that carries the security monitoring strategy;
Step 506, the image file of the safety enhancing module is set up and loaded into the memory of the virtual machine system;
Step 507, the image file of the safety enhancing module in memory is run, starting the safety enhancing module.
Fig. 6 is a flowchart of the method for configuring the global safety strategy provided by an embodiment of the present invention, and the specific steps are:
Step 601, the management virtual machine sets the global safety strategy;
Step 602, the management virtual machine sends this global safety strategy to the system service module in the virtual machine monitor;
Step 603, the system service module in the virtual machine monitor starts the safety enhancing module;
Step 604, the virtual machine monitor loads this global safety strategy into the safety enhancing module.
Fig. 7 is a flowchart of the method for configuring the discretionary security strategy provided by an embodiment of the present invention, and the specific steps are:
Step 701, the user virtual machine sets the discretionary security strategy;
Step 702, the management virtual machine sends this discretionary security strategy to the system service module in the virtual machine monitor;
Step 703, the system service module in the virtual machine monitor starts the safety enhancing module;
Step 704, the virtual machine monitor loads this discretionary security strategy into the safety enhancing module.
After the safety enhancing module has been configured with the security monitoring strategies of the user virtual machine, these strategies have not yet actually taken effect. The safety enhancing module must also interact with the virtual machine monitor to obtain the supervision authority named in the security monitoring strategy before these strategies are really activated. For example, if the security monitoring strategy needs to monitor the network of the user virtual machine, the safety enhancing module must have the authority to read the network transmissions of the user virtual machine; specifically, it must obtain monitoring of the network input/output ports and interrupt numbers of the user virtual machine. Fig. 8 is a flow chart, provided by an embodiment of the present invention, of the method by which the safety enhancing module obtains supervision authority. The specific steps are:
Step 801: after determining the supervision authority to be obtained under the security monitoring strategy, the safety enhancing module sends a request to obtain that supervision authority to the system service module of the virtual machine monitor;
Step 802: the system service module of the virtual machine monitor sends this request to the virtual machine configuration module for processing;
Step 803: the virtual machine configuration module configures the hardware resources of the user virtual machine;
Step 804: the scheduling virtual machine module starts the user virtual machine;
Step 805: the user virtual machine continues to run.
Once the security monitoring strategy has been configured and the safety enhancing module has obtained supervision authority, the module can work normally. Fig. 9 is a workflow diagram of the safety enhancing module provided by an embodiment of the present invention. When the user virtual machine executes certain events, such as reading a network input/output port, the set configuration file detects this and calls its call back function, and this call back function, through the virtual machine monitor, calls the corresponding safety enhancing module to process the event. The specific steps are:
Step 901: the user virtual machine runs; the set configuration file detects a monitored event operation and calls the call back function of this configuration file;
Step 902: the monitored event is triggered into the virtual machine monitor;
Step 903: the virtual machine monitor starts the safety enhancing module according to this call back function;
Step 904: the safety enhancing module processes this event according to the safety detection strategy set for the corresponding user virtual machine;
Step 905: after finishing its processing, the safety enhancing module sends a request to the virtual machine monitor to return the user virtual machine to its normal working mode;
Step 906: the virtual machine monitor performs the system switch;
Step 907: the virtual machine monitor runs the user virtual machine;
Step 908: the user virtual machine continues to run.
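The Fig. 8 and Fig. 9 flows can be modelled in a short C sketch. This is an added illustration, not code from the patent: the structure and function names, the verdict values, the monitored port range, and the rule that a BLOCKED verdict takes precedence when several strategies match are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model; every identifier below is hypothetical. */
enum verdict { PASS_THROUGH, ALLOWED, BLOCKED };
struct io_event { int vm_id; uint16_t port; bool is_write; };
struct access_rule { uint16_t port_lo, port_hi; };   /* inclusive I/O port range */
typedef enum verdict (*sem_callback)(const struct io_event *ev);

/* The "set configuration file": access rules plus the call back function. */
struct policy {
    int vm_id;                    /* user virtual machine the strategy covers */
    struct access_rule rules[4];
    size_t n_rules;
    sem_callback callback;        /* handler inside the safety enhancing module */
    bool authority_granted;       /* false until the Fig. 8 request completes */
};

/* Steps 801-803: a loaded strategy stays inert until authority is granted. */
void vmm_grant_authority(struct policy *p) { p->authority_granted = true; }

static bool rule_matches(const struct policy *p, const struct io_event *ev)
{
    for (size_t i = 0; i < p->n_rules; i++)
        if (ev->port >= p->rules[i].port_lo && ev->port <= p->rules[i].port_hi)
            return true;
    return false;
}

/* Steps 901-907: the monitor checks each strategy for the originating VM and
 * hands matching events to the module's call back function. */
enum verdict vmm_dispatch(const struct policy *policies, size_t n,
                          const struct io_event *ev)
{
    enum verdict result = PASS_THROUGH;
    for (size_t i = 0; i < n; i++) {
        const struct policy *p = &policies[i];
        if (p->vm_id != ev->vm_id || !p->authority_granted || !p->callback)
            continue;             /* other VM's strategy, or not yet activated */
        if (!rule_matches(p, ev))
            continue;
        if (p->callback(ev) == BLOCKED)
            return BLOCKED;       /* assumption: most restrictive verdict wins */
        result = ALLOWED;
    }
    return result;
}

/* Sample module handler (assumed behaviour): reads are allowed, writes blocked. */
enum verdict block_writes(const struct io_event *ev)
{
    return ev->is_write ? BLOCKED : ALLOWED;
}

/* Constructed scenario: VM 1 is monitored on ports 0xC000-0xC0FF. */
enum verdict demo(bool grant, int vm_id, uint16_t port, bool is_write)
{
    struct policy p = { .vm_id = 1, .rules = { { 0xC000, 0xC0FF } }, .n_rules = 1,
                        .callback = block_writes, .authority_granted = false };
    if (grant)
        vmm_grant_authority(&p);
    struct io_event ev = { vm_id, port, is_write };
    return vmm_dispatch(&p, 1, &ev);
}

int main(void) { return demo(true, 1, 0xC010, true) == BLOCKED ? 0 : 1; }
```

The first case in `demo` that matters for review is `grant == false`: the strategy is loaded but the event passes through untouched, which is the gap the description points out between configuring a strategy and activating it.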
As can be seen from the above, the present invention, by setting a corresponding safety enhancing module for each user operating system, meets both the user's need for autonomous control of security monitoring and the managing virtual machine's need for global control of security. Specifically, first, the user virtual machine can set its security strategy independently, which brings the user virtual machine's initiative in security defense into play, while the managing virtual machine sets the security strategy globally, which ensures both that the user virtual machine is not attacked and that the user virtual machine cannot attack other machines. Second, the user virtual machine can itself set up the functional plug-ins it requires according to its needs, which is simple and convenient and ensures security. Finally, the safety enhancing modules that are set are independent of one another, so if the security of one of them is destroyed, the security of the whole virtual machine system is not affected.
Further, because the safety enhancing module of the present invention is not located in the virtual machine monitor, even if the safety enhancing module has security vulnerabilities, the security of the virtual machine monitor is not affected.
The preferred embodiments given above further describe the objects, technical solutions and advantages of the present invention. It should be understood that the foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (7)

1. A safety monitoring system for a virtual machine system, characterized in that it comprises: a virtual machine monitor, a managing virtual machine, a plurality of user virtual machines and a safety enhancing module, wherein,
the virtual machine monitor is configured to allocate hardware resources and set access rules for the managing virtual machine, the user virtual machines and the safety enhancing module respectively;
the managing virtual machine is configured to run on the allocated hardware resources and to interact with the user virtual machines and the safety enhancing module respectively according to the access rules;
the user virtual machine is configured to run on the allocated hardware resources and to interact with the managing virtual machine and the safety enhancing module respectively according to the access rules;
the safety enhancing module is configured to set a security monitoring strategy for the corresponding user virtual machine, and to monitor the user virtual machine according to the security monitoring strategy or, after being started, to process monitored events of the user virtual machine.
2. The system as claimed in claim 1, characterized in that said security monitoring strategy comprises a global safety strategy, a discretionary security strategy and/or safety inserts having various security functions, wherein,
said managing virtual machine is further configured to set, through said virtual machine monitor, the global safety strategy of the corresponding user virtual machine in the safety enhancing module;
said user virtual machine is further configured to set, through said virtual machine monitor, the discretionary security strategy for the user virtual machine itself in the safety enhancing module;
said user virtual machine is further configured to install selected safety inserts in the safety enhancing module through said virtual machine monitor.
3. The system as claimed in claim 2, characterized in that said global safety strategy or discretionary security strategy is a set configuration file comprising hardware resource access rules and a call back function through which the virtual machine monitor calls back the safety enhancing module; the configuration file is applied to the running of said user virtual machine and monitors the events the user virtual machine executes; when an event matching a hardware resource access rule is triggered, said virtual machine monitor calls the call back function and starts the corresponding said safety enhancing module to process the event.
4. The system as claimed in claim 1, characterized in that said virtual machine monitor comprises: a system service module, a virtual machine configuration module and a scheduling virtual machine module, wherein,
the system service module is configured to receive request commands sent by the user virtual machine, the managing virtual machine or the safety enhancing module, and to set the security monitoring strategy in the safety enhancing module according to the received request command;
the virtual machine configuration module is configured to allocate or update hardware resources for the user virtual machine and/or the safety enhancing module according to the request command received by the system service module;
the scheduling virtual machine module is configured to perform the start-up switch between the user virtual machine and the safety enhancing module when the safety enhancing module needs to run to process an event of the user virtual machine.
5. A safety monitoring method for a virtual machine system, characterized in that a safety enhancing module is set in the virtual machine system, and the method further comprises:
setting, in the safety enhancing module, a security monitoring strategy for the corresponding user virtual machine;
the safety enhancing module monitoring the user virtual machine according to the security monitoring strategy or, after being started, processing monitored events of the user virtual machine.
6. The method as claimed in claim 5, characterized in that said security monitoring strategy comprises a global safety strategy, a discretionary security strategy and/or safety inserts having various security functions, wherein,
the global safety strategy is set by the managing virtual machine in the virtual machine system through the virtual machine monitor in the virtual machine system;
the discretionary security strategy is set by the user virtual machine through the virtual machine monitor;
said safety inserts are selected by the user virtual machine and set through the virtual machine monitor.
7. The method as claimed in claim 6, characterized in that said global safety strategy or discretionary security strategy is a set configuration file comprising hardware resource access rules and a call back function through which the virtual machine monitor calls back the safety enhancing module; the configuration file is applied to the running user virtual machine and monitors the events the user virtual machine executes; when an event matching a hardware resource access rule is triggered, the virtual machine monitor calls the call back function and starts the corresponding safety enhancing module to process said monitored event.
CN201410104267.5A 2014-03-20 2014-03-20 A kind of safety monitoring system and method for realizing dummy machine system Expired - Fee Related CN103870749B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410104267.5A CN103870749B (en) 2014-03-20 2014-03-20 A kind of safety monitoring system and method for realizing dummy machine system

Publications (2)

Publication Number Publication Date
CN103870749A true CN103870749A (en) 2014-06-18
CN103870749B CN103870749B (en) 2017-11-07

Family

ID=50909273

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410104267.5A Expired - Fee Related CN103870749B (en) 2014-03-20 2014-03-20 A kind of safety monitoring system and method for realizing dummy machine system

Country Status (1)

Country Link
CN (1) CN103870749B (en)

Also Published As

Publication number Publication date
CN103870749B (en) 2017-11-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20171107

Termination date: 20180320
