Summary of the invention
The main object of the present invention is to provide a cloud system having an attack prevention mechanism, and a defence method thereof, which, when a host is attacked, can generate a new security rule and redeploy the attacked host with it, so as to eliminate the attack suffered by the host.
To achieve the above object, the invention provides a cloud system having an attack prevention mechanism, comprising:
a host, provided with a detection program that monitors various data items of the host, the host triggering an event when any one of these data items exceeds a threshold value;
a monitoring server, connected to the host, which judges according to the event whether the host is under attack and sends out a warning message when it determines that the host is under attack; and
a security centre server, connected to the monitoring server and the host, which receives the warning message from the monitoring server;
wherein the security centre server analyses the warning message, produces an updated security rule, and redeploys the host with the updated security rule.
The present invention also provides an attack defence method for a cloud system, wherein the cloud system comprises a host, a monitoring server connected to the host, and a security centre server connected to the host and the monitoring server, the attack defence method comprising:
A) the host monitoring various data items by means of a detection program;
B) triggering an event when any one of the data items exceeds a threshold value;
C) the monitoring server judging according to the event whether the host is under attack;
D) the monitoring server producing a warning message and notifying the security centre server when it determines that the host is under attack;
E) the security centre server receiving the warning message from the monitoring server, analysing from it what kind of attack the host has suffered, and producing an updated security rule according to the analysis result; and
F) the security centre server redeploying the host according to the updated security rule.
The present invention further provides a cloud system having an attack prevention mechanism, comprising:
a host, on which a detection program is installed to monitor various data items of the host, and inside which a local security rule is run to carry out security protection of the host and to set a threshold value, the host triggering an event when any one of these data items exceeds the threshold value;
a monitoring server, connected to the host, which judges according to the event whether the host is under attack and sends out a warning message when it determines that the host is under attack;
a security centre server, connected to the monitoring server and the host, which receives the warning message from the monitoring server, analyses from it what kind of attack the host has suffered, and produces an updated security rule according to the analysis result; and
a knowledge base, connected to the security centre server, which stores the updated security rule produced by the security centre server;
wherein the security centre server redeploys the host with the updated security rule, so as to upgrade the local security rule running inside the host.
The effect the present invention achieves in contrast to the prior art is that a host, while monitoring its own data items, can notify the security centre server via the monitoring server if it finds signs of being attacked. The security centre server can thus analyse what kind of attack the host has suffered and, with the aim of eliminating that attack, produce a new security rule, and then redeploy the host with the new security rule. Because the new security rule is generated in response to the attack, the attack can be effectively eliminated once the host has been redeployed with the new security rule, which provides a protective effect against it. This in turn substantially improves the security of the whole cloud system.
Embodiment
A preferred embodiment of the present invention is described in detail below with reference to the drawings.
Referring first to Fig. 1, which is the system architecture diagram of a preferred embodiment of the present invention. The present invention mainly discloses a cloud system having an attack prevention mechanism. As shown in the figure, the cloud system mainly comprises a monitoring server 1 (management server), a security centre server 2 (security center), a knowledge base 3 (knowledge base) and at least one host 4 (node). In the present embodiment, the hosts 4 may be various physical machines (Physical Machine, PM), such as a physical computing node host 41 (computing node), storage node host 42 (storage node) or network switch 43 (switch), or they may be various virtual machines (Virtual Machine, VM), such as a virtual node host (virtual node) or virtual switch (virtual switch), without limitation. For convenience of description, a single host 4 is used as an illustration in the specification below, but the number of hosts 4 is in fact not limited to one.
The host 4 mainly serves in its corresponding role in the cloud system to provide services to clients. The monitoring server 1 is connected to the host 4 to monitor its operating status; when an anomaly occurs on the host 4, it can be reported back to the monitoring server 1, which determines whether the host 4 has been attacked and thereby produced the anomaly.
The attacks referred to in the present embodiment mainly mean attacks by viruses or hackers. Such attacks generally cause, for example, the external throughput (throughput) of the host 4 to rise suddenly, or a file inside the host to be implanted with a Trojan and so show an abnormal access rate. Once the above conditions are reported back to the monitoring server 1, the monitoring server 1 can judge that the host 4 has indeed been attacked.
After the monitoring server 1 judges that the host 4 has been attacked, it can, according to the information monitored at that time, notify the security centre server 2 in the form of an event (event), and the security centre server 2 carries out event analysis, assessment and handling. The security centre server 2 is the information security core of the whole cloud system; when it receives the event notification from the monitoring server 1, it can evaluate the corresponding data provided with it by means of an algorithm, so as to analyse what attack the host 4 has suffered. Thus the security centre server 2 can immediately produce a set of countermeasures according to the analysis result and perform a security re-deployment (re-deployment) of the attacked host 4, so that after redeployment the host 4 can, with its new security settings, eliminate the attack it originally suffered.
It is worth mentioning that the security centre server 2 can store in the knowledge base 3 the result of each analysis, together with the countermeasures produced according to that result. Thus, when a new host is activated in the cloud system, it can be deployed directly with the latest security settings, so that the new host can defend against attacks that other hosts have previously suffered.
Referring next to Fig. 2, which is a schematic diagram of the rack in a cloud machine room of a preferred embodiment of the present invention. In the present embodiment, the monitoring server 1, security centre server 2, knowledge base 3 and host 4 of the cloud system may all be arranged in the same rack 5 of the cloud machine room and connected to one another by physical cabling through a network switch in the rack 5 (not shown in the figure). Moreover, although the present embodiment takes a single rack 5 in the cloud machine room as an example, in other embodiments the monitoring server 1, security centre server 2, knowledge base 3 and host 4 may also be arranged in different racks of the same cloud machine room and connected to one another through the network. These are, however, merely a preferred embodiment of the present invention and should not be taken as limiting.
Referring to Fig. 3, which is the system block diagram of a preferred embodiment of the present invention. After the host 4 starts up, it accepts a deployment action (deployment) from the monitoring server 1, whereby a detection program 40 and a local security rule 400 are installed in the host 4. The host 4 runs the local security rule 400 to carry out security protection, and sets a corresponding threshold value for each data item of the host 4. It is worth mentioning that the local security rule 400 that the monitoring server 1 deploys to the host 4 may mainly be a kind of firewall rule, so that the host 4 can defend against various possible malicious attacks, but it is not limited to this.
The host 4 further performs self-monitoring by means of the detection program 40, so as to monitor its various data items, for example external throughput (throughput), CPU utilization, hard disk capacity, temperature, file access rate and so on. When the detection program 40 finds that any one data item exceeds the threshold value set by the local security rule 400, an event is triggered and reported back to the monitoring server 1.
More specifically, the detection program 40 is deployed and installed in the host 4 by the monitoring server 1, and therefore the host 4 can report back to the monitoring server 1 through the detection program 40. When the event is triggered, the host 4 can produce event-related data (that is, the data relating to the item that exceeded the threshold value) and report this event-related data to the monitoring server 1 at the same time.
When the event is triggered, the monitoring server 1 can judge, according to the event, whether the host 4 has been attacked or whether the data are merely unstable because of some other problem. More specifically, the monitoring server 1 can run a notification rule 10 internally, and analyse the received event-related data with the notification rule 10 to judge whether the host 4 has really been attacked.
If the event is caused by other factors, the monitoring server 1 can take the corresponding action; if it judges that the host 4 has indeed been attacked, the monitoring server 1 can produce a warning message according to the event-related data and notify the security centre server 2 in the form of an event. More specifically, after its analysis the monitoring server 1 can judge whether the notification criteria laid down by the notification rule 10 are met and, when they are, send the warning message to notify the security centre server 2, the warning message containing the event-related data.
After the security centre server 2 receives the notification from the monitoring server 1 (that is, receives the warning message), it can assess the event, analyse from it what kind of attack the host 4 has suffered, produce an updated security rule 30 according to the analysis result, and store it in the knowledge base 3. More specifically, the security centre server 2 can run an attack analysis algorithm 20 internally; it mainly analyses the event-related data with the attack analysis algorithm 20, derives from it the attack pattern suffered by the host 4, and then develops a corresponding countermeasure, from which the updated security rule 30 is produced.
Finally, the security centre server 2 redeploys the attacked host 4 according to the updated security rule 30, thereby upgrading the local security rule 400 inside the host 4 to a new version. A technical feature of the present invention is that the updated security rule 30 is produced in response to the attack suffered by the host 4, so that once the host 4 has been deployed with the updated security rule 30 the attack can easily be eliminated, which is of considerable benefit to administrators. It is worth mentioning that the updated security rule 30 may mainly be a kind of firewall rule, so that the host 4 can defend against various possible attacks, but it is not limited to this.
For instance, when the attack is an external attack, the security centre server 2 can compute the source (source address) of the attack from the event-related data and, in the updated security rule 30, block access from that source. As another example, if the attack is an internal attack, the security centre server 2 can compute from the event-related data which program or file is launching the attack and, in the updated security rule 30, isolate that program or file so that it cannot disturb other programs or files in the host 4, and delete it when the host 4 is idle (idle). The foregoing, however, is only a preferred embodiment of the present invention; the security centre server 2 can in fact derive different results for different attack patterns and produce different updated security rules 30 accordingly, and the invention should not be taken as limited to these.
Moreover, in addition to the attacked host 4, the security centre server 2 can also redeploy all hosts in the cloud system according to the updated security rule 30, thereby preventing other hosts in the cloud system from suffering the same attack and so achieving an effective prevention mechanism.
Referring to Fig. 4 and Fig. 5, which are respectively the deployment flowchart and the security rule upgrade flowchart of a preferred embodiment of the invention. Referring first to Fig. 4, to set up the cloud system of the present invention, the administrator first needs to power on the host 4 (step S10). More specifically, if the host 4 is a physical machine, the administrator can power it on by Wake-on-LAN or by directly pressing the physical power button (not shown in the figure) on the host 4; if the host 4 is a virtual machine, the administrator can produce the host 4 through the standard virtual machine creation procedure.
Then, the monitoring server 1 learns of the existence of the host 4 and deploys the corresponding detection program 40 to the host 4 (step S12), so that the host 4 can perform self-monitoring with the detection program 40. Furthermore, the monitoring server 1 deploys the required local security rule 400 to the host 4 (step S14), so that the host 4 runs the local security rule 400 to carry out security protection (step S16) and sets the threshold values of its data items according to the local security rule 400. After step S16, the host 4 formally takes up its corresponding role in the cloud system of the present invention.
Then, as shown in Fig. 5, once the host 4 has been deployed with the local security rule 400, the host 4 can further send a query to the security centre server 2 according to the local security rule 400 (step S20), and the security centre server 2 checks whether an updated security rule 30 has already been produced (step S22). More specifically, the host 4 can send its query to the security centre server 2 by means of an MD5 value or a hash table, so as to confirm the version of the local security rule 400 against the version of the security rule in the knowledge base 3.
If the security centre server 2 finds after the query that no updated security rule 30 has yet been produced, the local security rule 400 is the latest version of the security rule, and therefore neither the host 4 nor the security centre server 2 takes any action. If the security centre server 2 finds after the query that an updated security rule 30 exists in the knowledge base 3, the security centre server 2 redeploys the host 4 with the updated security rule 30 (step S24), thereby upgrading the version of the local security rule 400 in the host 4 and allowing the host 4 to operate in the best protected state.
Referring next to Fig. 6, which is the attack notification flowchart of a preferred embodiment of the present invention. First, the host 4 performs self-monitoring with its internal detection program 40 (step S30), thereby obtaining its own data items, such as throughput, CPU usage, hard disk rotation speed, hard disk capacity, temperature, humidity, the access rate of each program or file, and so on. It then periodically judges whether any one of the data items exceeds the threshold value set by the local security rule 400 (step S32). If all data items are normal and none exceeds the threshold value, the host 4 takes no action and continues its self-monitoring with the detection program 40.
If, on the other hand, any one data item exceeds the threshold value, the host 4 triggers an event and automatically reports back to the monitoring server 1 (step S34). More specifically, when the event is triggered, the host 4 can report the event-related data (that is, the data relating to the item that exceeded the threshold value) to the monitoring server 1 at the same time, so that the monitoring server 1 can carry out a detailed analysis.
After the event is triggered, the monitoring server 1 mainly receives the event-related data reported by the host 4 (step S36) and analyses it according to the internally running notification rule 10 (step S38), thereby judging whether the host 4 has really been attacked (step S40). If the monitoring server 1 finds after analysis that the notification criteria laid down by the notification rule 10 are not met, the host 4 has not been attacked and the data are unstable for other reasons. In this situation the monitoring server 1 can take the corresponding action (such as recording the data or notifying the administrator) but does not notify the security centre server 2.
If, however, the monitoring server 1 finds after analysis that the host 4 has indeed been attacked, it notifies the security centre server 2 with the warning message (step S42). More specifically, the monitoring server 1 mainly produces the warning message from the event-related data in order to notify the security centre server 2, so that the security centre server 2 can carry out a detailed analysis of the attack pattern using the event-related data.
Referring then to Fig. 7, which is the attack protection flowchart of a preferred embodiment of the present invention. When the host 4 is suspected of being attacked, it can report back to the monitoring server 1, and when the monitoring server 1 confirms that the host 4 has indeed been attacked, it can notify the security centre server 2. The security centre server 2 receives the warning message from the monitoring server 1 (step S50) and analyses what kind of attack the host 4 has suffered. More specifically, the security centre server 2 analyses the event-related data with the internally running attack analysis algorithm 20 (step S52), thereby analysing the pattern of the attack, and then produces the updated security rule 30 according to the analysis result (step S54). That is to say, the updated security rule 30 is formed by upgrading the original security rule with the countermeasure derived from the analysis, and therefore adopting the updated security rule 30 can effectively eliminate the attack.
After step S54, the security centre server 2 redeploys the attacked host 4 with the updated security rule 30 (step S56). As mentioned above, the updated security rule 30 is generated in response to the attack, so once the host 4 has been deployed with the updated security rule 30 the attack can easily be eliminated, and the operation and data items of the host 4 return to normal. It is worth mentioning that, in addition to the attacked host 4, the security centre server 2 can further redeploy all hosts in the cloud system with the updated security rule 30 (step S58). The benefit of this is that the updated security rule 30 has added a means of protection against this attack, so once all hosts in the cloud system have been deployed with the updated security rule 30, those hosts will not suffer the attack that the host 4 once suffered. That is to say, for the other hosts, a genuinely effective preventive effect is achieved.
With the system and method of the present invention, whenever any host in the cloud system is attacked, the attack is notified to the security centre server 2 via the monitoring server 1 and analysed by the security centre server 2, and the updated security rule 30 is produced in response to the analysis result; as long as all hosts in the cloud system accept redeployment and run the updated security rule 30, none of the hosts in the cloud system will be affected by the same attack pattern again.
Referring to Fig. 8, which is the system block diagram of another preferred embodiment of the present invention. In the previous embodiment, the knowledge base 3 was mainly exemplified as a separate server in the cloud system, serving the role of storing the updated security rule 30 and connected to the security centre server 2 by physical cabling or through the network. In the present embodiment, however, the cloud system may also provide another security centre server 2' that has an internal storage unit, and this storage unit serves as the knowledge base 3 in the cloud system. In the present embodiment the cloud system need not provide an additional physical server as the knowledge base 3, and so can effectively save on the number of servers. The above is, however, only another specific example of the present invention; whether the knowledge base 3 is served by an independent physical server or integrated with the security centre server 2' should depend on the actual requirements of the cloud system and should not be taken as limiting.
Referring to Fig. 9, which is the protection sequence flowchart of a preferred embodiment of the present invention. In the cloud system of the present invention, the monitoring server 1 first needs to deploy the detection program 40 to all hosts 4 (step S60), and then deploy the local security rule 400 to all hosts 4 (step S62). Then, the host 4 queries the security centre server 2 according to the local security rule 400 as to whether it is the latest version (step S64); if it is the latest version, the security centre server 2 replies to the host 4 that it is the latest version, and if an updated security rule 30 has been produced in the knowledge base 3, the security centre server 2 redeploys the host 4, upgrading the local security rule 400 to the updated security rule 30 (step S66).
After the host 4 starts, it continues self-monitoring with the detection program 40 to sense its various data items (step S68). When any one data item exceeds the threshold value laid down by the local security rule 400, an event is triggered and reported back to the monitoring server 1 (step S70). After receiving the report, the monitoring server 1 first analyses the event to judge whether the host 4 has been attacked (step S72), and when it determines that the host 4 has been attacked, it notifies the security centre server 2 with the warning message (step S74).
After the security centre server 2 receives the warning message, it analyses the attack pattern and, according to the analysis result, produces the updated security rule 30 (step S76) and stores the updated security rule 30 in the knowledge base 3 (step S78), thereby upgrading the existing security rule in the knowledge base 3 to the updated security rule 30. Finally, the security centre server 2 redeploys the attacked host 4 according to the updated security rule 30 (step S80), thereby upgrading the local security rule 400 inside the host 4 so that the upgraded local security rule 400 can eliminate the attack suffered by the host 4 and the host 4 can return to stable operation. After step S80, the host 4 still continues to perform self-monitoring with the detection program 40 in order to watch for the next possible attack.
The foregoing is only a preferred embodiment of the present invention and does not limit the scope of the claims of the present invention; therefore, equivalent changes made on the basis of the content of the present invention are likewise all encompassed within the scope of the present invention, which is hereby stated.
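As an added illustration that is not part of the patent, the following Python simulates the sequence of Fig. 9 end to end: the detection program's threshold check, the monitoring server's notification rule, the security centre's rule generation (blocking a source address for an external attack and isolating a file for an internal one, as in the examples given for the updated security rule 30), storage in the knowledge base, and the digest-based version query of Fig. 5. The rule layout, the notification criterion (an event is escalated only when its context names a peer address or a file) and all sample data are constructed assumptions.

```python
"""Constructed simulation of the patent's monitor / notify / redeploy loop (not the patent's code)."""
import copy
import hashlib
import json

# Local security rule 400 as first deployed to every host (constructed). The thresholds drive
# the detection program; blocked_sources / quarantined are the firewall-style protections.
BASE_RULE = {
    "version": 1,
    "thresholds": {"throughput_mbps": 800, "cpu_percent": 90, "file_access_per_s": 200},
    "blocked_sources": [],
    "quarantined": [],
}


def fresh_knowledge_base():
    """Knowledge base 3: holds the newest security rule known to the security centre."""
    return {"latest": copy.deepcopy(BASE_RULE)}


def rule_digest(rule):
    """Fingerprint for the version query of Fig. 5. The patent names MD5 or a hash table;
    SHA-256 is used here, since any stable digest suffices for version comparison."""
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()


def detection_program(metrics, rule):
    """Detection program 40: event-related data for every item over its threshold, else None."""
    exceeded = {k: v for k, v in metrics["samples"].items()
                if k in rule["thresholds"] and v > rule["thresholds"][k]}
    if not exceeded:
        return None
    return {"host": metrics["host"], "exceeded": exceeded, "context": metrics.get("context", {})}


def notification_rule(event):
    """Notification rule 10 on the monitoring server. Assumed criterion: a threshold breach is
    an attack only if the event context names an external peer or an offending file; anything
    else is 'unstable data from other causes' and is not escalated."""
    if event is None:
        return None
    ctx = event["context"]
    if "peer" in ctx:
        return {"kind": "external", "event": event}
    if "file" in ctx:
        return {"kind": "internal", "event": event}
    return None


def attack_analysis(alert, knowledge_base):
    """Attack analysis algorithm 20: derive the countermeasure, produce updated rule 30 and
    store it in the knowledge base (steps S54, S76, S78)."""
    new_rule = copy.deepcopy(knowledge_base["latest"])
    new_rule["version"] += 1
    ctx = alert["event"]["context"]
    if alert["kind"] == "external":          # block access from the computed source address
        new_rule["blocked_sources"].append(ctx["peer"])
    else:                                    # isolate the offending program or file
        new_rule["quarantined"].append(ctx["file"])
    knowledge_base["latest"] = new_rule
    return new_rule


def redeploy_if_stale(host_rule, knowledge_base):
    """Version query of Fig. 5 / step S64: compare digests and redeploy only when they differ.
    Returns (rule now on the host, whether a redeployment happened)."""
    latest = knowledge_base["latest"]
    if rule_digest(host_rule) == rule_digest(latest):
        return host_rule, False
    return copy.deepcopy(latest), True


def handle_sample(metrics, host_rule, knowledge_base):
    """One pass of the Fig. 9 sequence for a single host: detect, decide, analyse, redeploy.
    Returns (rule now on the host, alert or None)."""
    alert = notification_rule(detection_program(metrics, host_rule))
    if alert:
        attack_analysis(alert, knowledge_base)
    rule, _ = redeploy_if_stale(host_rule, knowledge_base)
    return rule, alert


if __name__ == "__main__":
    kb = fresh_knowledge_base()
    rule = fresh_knowledge_base()["latest"]
    flood = {"host": "node-41", "samples": {"throughput_mbps": 1500},
             "context": {"peer": "203.0.113.7"}}       # constructed external attack sample
    rule, alert = handle_sample(flood, rule, kb)
    print(alert["kind"], rule["version"], rule["blocked_sources"])
```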