CN104753952A - Intrusion detection and analysis system on basis of service data flow of virtual machines - Google Patents

Intrusion detection and analysis system on basis of service data flow of virtual machines

Info

Publication number: CN104753952A
Authority: CN (China)
Prior art keywords: module, data, intrusion detection, service network, virtual service
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201510172157.7A
Other languages: Chinese (zh)
Inventor: 罗春
Current assignee: CHENGDU SHUANG'AOYANG TECHNOLOGY Co Ltd
Original assignee: CHENGDU SHUANG'AOYANG TECHNOLOGY Co Ltd
Priority date: 2015-04-13
Filing date: 2015-04-13
Publication date: 2015-07-01

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention provides an intrusion detection and analysis system based on the service data flow of virtual machines. The system comprises a data acquisition module, an intrusion detection module, a communication interface, an alarm response module and a security management module. The data acquisition module collects audit data when an access request operation starts; the intrusion detection module analyses the collected audit data and detects whether it represents an intrusion event; the intrusion detection module and the data acquisition module communicate bidirectionally through the communication interface; when an intrusion event occurs, the intrusion detection system generates alarm information through the alarm response module, which forwards it to the security management module for visual display; the security management module combines and schedules forecasting methods, sends access control policies, forecasting methods and alarm correlation information to the intrusion detection module, sends response policies to the alarm response module, and receives the security update information sent by the alarm response module.

Description

Intrusion detection and analysis system based on virtual machine service data flow
Technical field
The present invention relates to an intrusion detection and analysis system based on the service data flow of virtual machines.
Background
In recent years, information attacks have seriously threatened the stability of networks. These attacks exploit the interconnected, interactive nature of the network; they spread quickly, the attack techniques grow ever more sophisticated, and the attack methods ever more complex. Traditional information security systems such as firewalls and intrusion detection systems (IDS) are seriously deficient at forecasting network attacks and usually respond only after the attack has already caused heavy damage.
Most traditional intrusion detection systems identify and respond to attacks with network-based or host-based methods. Such systems generally use two classes of detection: anomaly-based and signature-based (feature-based) detection. Anomaly detection looks for deviations from acceptable behaviour: activity is treated as an intrusion when it differs markedly from the user's normal behaviour. Signature detection collects the behavioural features of abnormal operations into a feature database and treats user or system behaviour that matches a stored feature as an intrusion. A host-based IDS analyses host event logs, system calls and security audit records to discover and extract attack features and abnormal behaviour; a network-based IDS discovers and extracts attack patterns and abnormal behaviour from network data traffic. In most cases, however, intruders break into a system through vulnerabilities and insecure configurations of the application system, and an application-layer attack can ride a legitimate user's access through the perimeter defences; both kinds of IDS therefore have difficulty detecting such attacks. An intrusion detection and analysis system based on virtual machine service data flow is urgently needed to solve this problem.
Summary of the invention
The object of the invention is to remedy the deficiencies of the prior art by providing an intrusion detection and analysis system based on virtual machine service data flow that solves the above problem.
To this end, the invention provides an intrusion detection and analysis system based on virtual machine service data flow, comprising:
a data acquisition module, which collects audit data when an access request operation starts;
an intrusion detection module, which analyses the collected audit data and detects whether it is an intrusion event;
a communication interface, through which the intrusion detection module and the data acquisition module communicate bidirectionally;
an alarm response module, through which the intrusion detection system generates alarm information when an intrusion event occurs and sends it to the security management module for visual display;
a security management module, comprising a security database, a communication interface, a data scheduler, a data analysis engine and a human-machine interface, which combines and schedules forecasting methods, sends access control policies, forecasting methods and alarm correlation information to the intrusion detection module, sends response policies to the alarm response module, and receives the security update information sent by the alarm response module;
a virtual service network (VSN), comprising a virtual service network controller (VSNC) adapted to control the resources of the virtual service network and to enforce permission control, on a per-user basis, on each user data flow that is to be carried over the data transport network; the data transport network is a virtual private network (VPN) adapted to provide the virtual service network with a guaranteed data transmission capacity; the virtual service network controller (VSNC) is adapted to manage the virtual service network service level agreement (VSN SLA).
The intrusion detection and analysis system based on virtual machine service data flow has the following advantages:
(1) It uses application-specific scenarios as the data source for detecting the user's intent; it can therefore detect not only intrusions and abnormal behaviour but also insider attacks, system failures, hardware degradation, abnormal environmental conditions and accidental misuse, which makes it well suited to security protection in the industrial control field;
(2) It uses a flexible architecture based on access control mechanisms and hybrid intrusion forecasting, with a dynamic intrusion detection strategy instead of a fixed built-in algorithm; this greatly increases the robustness of the system, makes fine-grained detection of intrusion behaviour possible, allows complex attacks to be detected and improves the accuracy of intrusion detection;
(3) It adjusts the forecasting strategy adaptively according to the application scenario, tuning the defence policy dynamically to the network attack or its likelihood; the strategy selects suitable information as the assessment scenario and activates or deactivates specific policy entries to adjust access to the application target, so that some real-time attack methods can be detected and the accuracy of intrusion detection is improved.
Brief description of the drawings
The drawings described here are provided for a further understanding of the application and form part of it; the same reference numerals denote the same or similar parts throughout. The schematic embodiments of the application and their description serve to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 schematically shows the structure of the intrusion detection and analysis system based on virtual machine service data flow according to an embodiment of the application.
Embodiments
To make the object, technical scheme and advantages of the application clearer, the application is described in further detail below with reference to the drawings and specific embodiments.
In the following description, references to "an embodiment", "embodiment", "an example", "example" and so on indicate that the embodiment or example so described may include a particular feature, structure, characteristic, property, element or limitation, but not every embodiment or example necessarily includes it. Moreover, repeated use of the phrase "according to an embodiment of the application" may, but need not, refer to the same embodiment.
For brevity, some technical features well known to those skilled in the art are omitted from the description below.
The intrusion detection and analysis system based on virtual machine service data flow comprises:
Data acquisition module 1, which collects audit data when an access request operation starts and performs simple processing on the data so that it meets the system's interface requirements. For effective and accurate intrusion analysis, an effective data collection strategy is needed to reduce atypical data, cut the volume of data and make network analysis more timely. Data acquisition mainly serves to describe the typical user behaviour profile of each application situation, and the following features can be used for adaptive data selection: time characteristics, since different application scenarios show different behavioural characteristics at different points in time, so the system's time characteristics can be analysed and data collected at the times most likely to capture suspicious behaviour; system load, with different collection strategies applied according to the load on the system; access identity, since the behaviour of particular users, such as new users, untrusted users and guest users, is more likely to be intrusive; and type of access right, since particular operation types, such as system shutdown, also deserve attention. Each audit record can be given a special label that links it to a specific classifier or forecasting method, and the system's security policy can use the label to control the data dynamically;
Intrusion detection module 3, which analyses the collected audit data and detects whether it is an intrusion event, and which comprises: a standardization module 34, needed because the data collected by data acquisition module 1 is not a structured data set suitable for processing by a classifier; it standardizes the collected audit data and converts it into a data format that the data analysis methods can recognize; a data preprocessing module 33, which, according to the access control policy and the related application-scenario information, extracts the few key features of the audit data from the available data set; because the system produces different output according to the label stored with each audit record, the features can be selected adaptively, and the preprocessing can be carried out offline at regular intervals; a forecasting module 32, which applies the combined forecasting methods to the features extracted by data preprocessing module 33 and the coding strategy to forecast the event behaviour and determine whether the event is a suspected intrusion; and a decision module 31, which decides whether the event is an intrusion event by combining the suspected attack event with the alarm correlation information;
Communication interface 2, through which intrusion detection module 3 and data acquisition module 1 communicate bidirectionally;
Alarm response module 5, through which the intrusion detection system generates alarm information when an intrusion event occurs and sends it to security management module 4 for visual display;
Security management module 4, comprising security database 41, communication interface 42, data scheduler 43, data analysis engine 44 and human-machine interface 45; it combines and schedules the forecasting methods, sends access control policies, forecasting methods and alarm correlation information to intrusion detection module 3, sends response policies to alarm response module 5 and receives the security update information that alarm response module 5 sends;
Virtual service network, comprising a virtual service network controller (VSNC) adapted to control the resources of the virtual service network and to enforce permission control, on a per-user basis, on each user data flow that is to be carried over the data transport network; the data transport network is a virtual private network (VPN) adapted to provide the virtual service network with a guaranteed data transmission capacity; the virtual service network controller (VSNC) is adapted to manage the virtual service network service level agreement (VSN SLA).
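The adaptive collection strategy and per-record labelling described for data acquisition module 1 above, as an added example written for this page; it is not code from the patent or from the assignee. The selection features (time, system load, access identity, operation type) follow the description, while the off-hours window, the load threshold, the label vocabulary, the role names and the sample records are assumptions made for the example.

```python
"""Added example: adaptive audit-data collection with per-record labels.

Illustrative code written for this page, not the patent's implementation.
The off-hours window, load threshold, role names, label strings and the
sample records below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Hours treated as off-hours, when suspicious activity is more likely (assumption).
OFF_HOURS = set(range(0, 6)) | set(range(22, 24))
# Identities the description singles out as more likely to be intrusive.
UNTRUSTED_ROLES = {"new", "untrusted", "guest"}
# Operation types that always deserve attention (assumption).
SENSITIVE_OPS = {"shutdown", "policy_change", "user_add"}
# Above this load, only records that another feature flags are kept (assumption).
LOAD_SHED_THRESHOLD = 0.8


@dataclass
class AuditRecord:
    ts: datetime
    user: str
    role: str
    operation: str
    system_load: float
    labels: list = field(default_factory=list)


def label_record(rec: AuditRecord) -> list:
    """Return the labels that tie this record to downstream classifiers."""
    labels = []
    if rec.ts.hour in OFF_HOURS:
        labels.append("time:off-hours")
    if rec.role in UNTRUSTED_ROLES:
        labels.append("identity:untrusted")
    if rec.operation in SENSITIVE_OPS:
        labels.append("op:sensitive")
    if rec.system_load >= LOAD_SHED_THRESHOLD:
        labels.append("load:high")
    return labels


def collect(records) -> list:
    """Apply the collection strategy: under high load drop records that no
    other feature flags, keep everything else, and attach the labels."""
    kept = []
    for rec in records:
        labels = label_record(rec)
        if "load:high" in labels and len(labels) == 1:
            continue  # atypical-data reduction under load
        rec.labels = labels
        kept.append(rec)
    return kept


# Constructed sample input (not real audit data).
SAMPLE = [
    AuditRecord(datetime(2015, 4, 13, 3, 12), "alice", "admin", "read", 0.2),
    AuditRecord(datetime(2015, 4, 13, 10, 0), "guest1", "guest", "read", 0.3),
    AuditRecord(datetime(2015, 4, 13, 14, 5), "bob", "admin", "shutdown", 0.9),
    AuditRecord(datetime(2015, 4, 13, 15, 0), "carol", "admin", "read", 0.95),
]

if __name__ == "__main__":
    for r in collect(SAMPLE):
        print(r.user, r.operation, r.labels)
```

The fourth record is dropped because it is an ordinary read by a trusted user during a high-load period; the third is kept despite the load because its operation type is flagged. The labels are what the preprocessing stage would later use to choose features per record.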
The intrusion detection and analysis system based on virtual machine service data flow comprises multiple interconnected virtual service networks (VSNs). Each virtual service network is associated with a data transport network, is adapted to provide quality of service (QoS) guarantees to aggregated data streams, and comprises a virtual service network controller (VSNC) adapted to control the resources of the virtual service network and to enforce permission control, per user, on each data stream to be carried over the data transport network; and each virtual service network has an availability agreement providing quality-of-service guarantees between the end users of the telecommunication system.
Each virtual service network of the intrusion detection and analysis system based on virtual machine service data flow is owned by a service provider (SP), which leases transmission capacity from the network provider (NP) that owns the transit domain corresponding to the data transport network.
Each service provider of the intrusion detection and analysis system based on virtual machine service data flow has an associated virtual service network controller, adapted to enforce permission control, on a per-flow basis, on incoming data flow requests from end users, and to forward data flow requests to the virtual service network controllers of other service providers with which the service provider has a predetermined peering agreement.
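The per-flow permission control and peer forwarding performed by a VSNC, as an added example written for this page rather than code from the patent. The controller checks each flow request against the user's entitlement and the VSN's leased capacity, and hands requests for another provider's VSN to that provider's controller when a peering agreement exists. Capacity figures, user entitlements, provider names and the flow requests are assumptions.

```python
"""Added example: VSNC per-flow admission control with peer forwarding.

Illustrative code written for this page, not the patent's implementation.
Capacities, entitlements, provider names and requests are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class FlowRequest:
    user: str
    dst_sp: str        # service provider whose VSN hosts the destination
    bandwidth: int     # requested capacity, Mbit/s


@dataclass
class VSNController:
    sp: str                       # owning service provider
    capacity: int                 # guaranteed capacity leased from the NP
    entitlements: dict            # user -> maximum bandwidth permitted
    peers: dict = field(default_factory=dict)   # sp -> VSNController
    used: int = 0
    flows: list = field(default_factory=list)   # admitted requests

    def admit(self, req: FlowRequest) -> tuple:
        """Return (deciding_sp, 'admit' | 'deny', reason)."""
        if req.dst_sp != self.sp:
            peer = self.peers.get(req.dst_sp)
            if peer is None:
                return (self.sp, "deny", "no peering agreement with " + req.dst_sp)
            return peer.admit(req)        # forwarded to the peer's VSNC
        limit = self.entitlements.get(req.user, 0)
        if req.bandwidth > limit:
            return (self.sp, "deny", "exceeds user entitlement")
        if self.used + req.bandwidth > self.capacity:
            return (self.sp, "deny", "VSN capacity exhausted")
        self.used += req.bandwidth
        self.flows.append(req)
        return (self.sp, "admit", "ok")

    def release(self, req: FlowRequest) -> None:
        """Free the capacity held by an admitted flow."""
        if req in self.flows:
            self.flows.remove(req)
            self.used -= req.bandwidth


def run_scenario() -> list:
    """Two providers with a one-way peering agreement; returns the decisions."""
    sp_a = VSNController("sp_a", capacity=100,
                         entitlements={"alice": 50, "bob": 20})
    sp_b = VSNController("sp_b", capacity=30, entitlements={"alice": 10})
    sp_a.peers["sp_b"] = sp_b     # peering agreement sp_a -> sp_b (assumption)
    requests = [
        FlowRequest("alice", "sp_a", 40),   # within entitlement and capacity
        FlowRequest("bob", "sp_a", 30),     # over bob's entitlement
        FlowRequest("alice", "sp_a", 50),   # fills sp_a to 90/100
        FlowRequest("bob", "sp_a", 20),     # would exceed sp_a capacity
        FlowRequest("alice", "sp_b", 10),   # forwarded to sp_b under peering
        FlowRequest("alice", "sp_c", 5),    # no peering agreement
    ]
    decisions = [sp_a.admit(r) for r in requests]
    sp_a.release(requests[0])                  # free 40 Mbit/s
    decisions.append(sp_a.admit(requests[3]))  # now fits within capacity
    return decisions


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The entitlement check is the per-user permission control; the capacity check is what keeps the guaranteed transport capacity meaningful; and a request for a destination outside the provider's own VSN is either forwarded to the peer controller that decides it or refused outright when no peering agreement exists.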
Operating principle: a data source sends an access request; data acquisition module 1 collects the audit data and performs simple processing on it so that it meets the system's interface requirements. Standardization module 34 converts the collected audit data into a data format that the data analysis methods can recognize, and data preprocessing module 33 extracts the few key features of the audit data from the available data set according to the access control policy in the policy library and the related application-scenario information. Forecasting module 32 applies the combined forecasting methods to the features extracted by data preprocessing module 33 and the coding strategy to detect the event behaviour. Decision module 31 combines the suspected intrusion event with the alarm correlation information to decide whether the event is a suspected intrusion event. The suspected intrusion event generated by decision module 31 activates a dynamic trust measurement module, which obtains a result by checking the integrity of system processes and modules. Decision module 31 then decides whether the event is an intrusion event from the result of forecasting module 32 and the result of the dynamic trust measurement module, together with the security policy in the policy library. Decision module 31 reports the result to the user as an alarm or report, sends the result to the policy library for dynamic updating of the policy library, and at the same time sends the result to the update module to update the intrusion feature database and adjust the normal-behaviour profile database. Security management module 4 combines and schedules the forecasting methods, sends the access control policies, forecasting methods and alarm correlation information to intrusion detection module 3, sends response policies to alarm response module 5 and receives the security update information that alarm response module 5 sends. After security management module 4 receives alarm information, it determines the alert level, identifies the level of the security device, traces the attack source, saves the alarm and audit record to the log file and, according to the outcome of the security incident, updates security database 41 and the security rules and policies.
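The detection chain described for intrusion detection module 3 and in the operating principle above (standardization, feature preprocessing driven by the record's label, combined forecasting, then a decision that weighs the forecast against the dynamic trust measurement and the alarm correlation information), as an added example written for this page; it is not the patent's code. The raw record format, the signature list, the per-user rate baselines, the weights and threshold, and the known-good component hashes are assumptions.

```python
"""Added example: standardize -> preprocess -> forecast -> decide, with the
decision stage weighing the forecast against an integrity measurement.

Illustrative code written for this page, not the patent's implementation.
Record format, signatures, baselines, weights, threshold and the known-good
hashes are assumptions.
"""
import hashlib

# Signature predictor: substrings treated as known-bad (assumption).
SIGNATURES = ("../../", "'; DROP TABLE")
# Anomaly predictor: normal request rate per user per minute (assumption).
BASELINE_RATE = {"alice": 5, "guest1": 2}
# Dynamic trust measurement: expected hashes of monitored components (assumption).
KNOWN_GOOD = {"ids-core": hashlib.sha256(b"ids-core v1").hexdigest()}
W_FORECAST, W_INTEGRITY = 0.6, 0.4   # decision weights (assumption)
ALERT_THRESHOLD = 0.5


def standardize(raw: str) -> dict:
    """Standardization module 34: turn a raw 'k=v|k=v' audit line into a dict."""
    rec = {}
    for kv in raw.split("|"):
        key, _, value = kv.partition("=")
        rec[key.strip()] = value.strip()
    rec["rate"] = int(rec.get("rate", "0"))
    return rec


def preprocess(rec: dict, labels) -> dict:
    """Data preprocessing module 33: keep the few features the predictors need.
    The label attached at collection changes the output: an untrusted
    identity gets half the normal rate tolerance (assumption)."""
    baseline = BASELINE_RATE.get(rec.get("user"), 1)
    if "identity:untrusted" in labels:
        baseline = max(1, baseline // 2)
    return {"payload": rec.get("path", ""), "rate": rec["rate"], "baseline": baseline}


def forecast(feats: dict) -> float:
    """Forecast module 32: combine a signature predictor and an anomaly
    predictor into one suspicion score in [0, 1]."""
    signature = 1.0 if any(s in feats["payload"] for s in SIGNATURES) else 0.0
    ratio = feats["rate"] / feats["baseline"]
    anomaly = min(1.0, max(0.0, (ratio - 1.0) / 2.0))   # 3x baseline -> 1.0
    return max(signature, anomaly)


def measure_integrity(components: dict) -> float:
    """Dynamic trust measurement: fraction of monitored components whose hash
    still matches the known-good value (1.0 means everything is intact)."""
    intact = sum(
        1 for name, blob in components.items()
        if hashlib.sha256(blob).hexdigest() == KNOWN_GOOD.get(name)
    )
    return intact / len(components)


def decide(score: float, integrity: float, correlated_alarms: int) -> tuple:
    """Decision module 31: weigh the forecast against integrity loss, then add
    weight for alarms already correlated with this source."""
    risk = W_FORECAST * score + W_INTEGRITY * (1.0 - integrity)
    risk = min(1.0, risk + 0.1 * correlated_alarms)
    return risk >= ALERT_THRESHOLD, round(risk, 3)


def detect(raw: str, labels, components: dict, correlated_alarms: int = 0) -> tuple:
    """Run one audit record through the whole chain. The integrity check is
    only triggered when the forecast flags the event as suspicious."""
    feats = preprocess(standardize(raw), labels)
    score = forecast(feats)
    integrity = measure_integrity(components) if score > 0 else 1.0
    return decide(score, integrity, correlated_alarms)


# Constructed sample input (not real audit data).
INTACT = {"ids-core": b"ids-core v1"}
TAMPERED = {"ids-core": b"ids-core v1 + attacker patch"}
SAMPLES = [
    ("user=alice|op=GET|path=/index|rate=4", [], INTACT, 0),
    ("user=guest1|op=GET|path=/../../etc/passwd|rate=3", ["identity:untrusted"], INTACT, 0),
    ("user=alice|op=GET|path=/index|rate=9", [], INTACT, 0),
    ("user=alice|op=GET|path=/index|rate=9", [], INTACT, 3),
    ("user=alice|op=GET|path=/index|rate=20", [], TAMPERED, 0),
]


def run_all() -> list:
    """Evaluate every sample; returns a list of (is_intrusion, risk)."""
    return [detect(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_all()):
        print(sample[0], "->", result)
```

The third and fourth samples are the same record: alone it scores below the threshold, but with three correlated prior alarms the decision flips to an intrusion. The last sample shows the integrity measurement at work: a moderate anomaly on a host whose monitored component no longer matches its known-good hash is rated at maximum risk.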
The embodiments described above represent only a few implementations of the invention; they are described in relatively specific detail but are not to be understood as limiting the scope of the invention. It should be noted that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection. The scope of protection of the invention is therefore defined by the appended claims.

Claims (5)

1. An intrusion detection and analysis system based on virtual machine service data flow, characterized in that it comprises:
a data acquisition module, which collects audit data when an access request operation starts;
an intrusion detection module, which analyses the collected audit data and detects whether it is an intrusion event;
a communication interface, through which the intrusion detection module and the data acquisition module communicate bidirectionally;
an alarm response module, through which the intrusion detection system generates alarm information when an intrusion event occurs and sends it to the security management module for visual display;
a security management module, comprising a security database, a communication interface, a data scheduler, a data analysis engine and a human-machine interface, which combines and schedules forecasting methods, sends access control policies, forecasting methods and alarm correlation information to the intrusion detection module, sends response policies to the alarm response module, and receives the security update information sent by the alarm response module;
a virtual service network (VSN), comprising a virtual service network controller (VSNC) adapted to control the resources of the virtual service network and to enforce permission control, on a per-user basis, on each user data flow that is to be carried over the data transport network; the data transport network is a virtual private network (VPN) adapted to provide the virtual service network with a guaranteed data transmission capacity; the virtual service network controller (VSNC) is adapted to manage the virtual service network service level agreement (VSN SLA).
2. The intrusion detection and analysis system based on virtual machine service data flow according to claim 1, characterized in that it comprises multiple interconnected virtual service networks (VSNs), each virtual service network (VSN) being associated with a data transport network, being adapted to provide quality of service (QoS) guarantees to aggregated data streams, and comprising a virtual service network controller (VSNC).
3. The intrusion detection and analysis system based on virtual machine service data flow according to claim 1, characterized in that each virtual service network (VSN) is owned by a service provider (SP), and the service provider (SP) leases transmission capacity from the network provider (NP) that owns the transit domain corresponding to the data transport network.
4. The intrusion detection and analysis system based on virtual machine service data flow according to claim 3, characterized in that each service provider (SP) has an associated virtual service network controller adapted to enforce permission control, on a per-flow basis, on incoming data flow requests from end users, and to forward the data flow requests to the virtual service network controllers of other service providers with which the service provider has a predetermined peering agreement.
5. The intrusion detection and analysis system based on virtual machine service data flow according to claim 1, characterized in that the intrusion detection module comprises a standardization module, a data preprocessing module, a forecasting module and a decision module.

Priority Application

Application number: CN201510172157.7A, priority date 2015-04-13, filing date 2015-04-13
Title: Intrusion detection and analysis system on basis of service data flow of virtual machines

Publication

CN104753952A (en), published 2015-07-01

Family

Family ID: 53593056
Country status: CN, CN104753952A (en), pending

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106022129A (en) * 2016-05-17 2016-10-12 北京江民新科技术有限公司 File data characteristic extraction method and device and virus characteristic detection system
CN106022129B (en) * 2016-05-17 2019-02-15 北京江民新科技术有限公司 Data characteristics extracting method, device and the virus characteristic detection system of file
CN107196930A (en) * 2017-05-12 2017-09-22 苏州优圣美智能***有限公司 Method, system and the mobile terminal of computer network abnormality detection
CN107196930B (en) * 2017-05-12 2019-11-29 苏州优圣美智能***有限公司 The method of computer network abnormality detection
CN109462621A (en) * 2019-01-10 2019-03-12 国网浙江省电力有限公司杭州供电公司 Network safety protective method, device and electronic equipment
CN110149303A (en) * 2019-03-27 2019-08-20 李登峻 A kind of network safety pre-warning method and early warning system of Party school
CN109995794A (en) * 2019-04-15 2019-07-09 深信服科技股份有限公司 A kind of security protection system, method, equipment and storage medium
CN113127904A (en) * 2021-04-26 2021-07-16 北京中启赛博科技有限公司 Intelligent optimization system and method for access control strategy
CN115174193A (en) * 2022-06-30 2022-10-11 北京炼石网络技术有限公司 Method, device and equipment for detecting data security intrusion based on GA algorithm
CN115174193B (en) * 2022-06-30 2023-08-15 北京炼石网络技术有限公司 Data security intrusion detection method, device and equipment based on GA algorithm

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1449162A (en) * 2001-12-20 2003-10-15 阿尔卡塔尔公司 Telecommunications system employing virtual service network architecture
CN102546638A (en) * 2012-01-12 2012-07-04 冶金自动化研究设计院 Scene-based hybrid invasion detection method and system
US20130077628A1 (en) * 2011-09-28 2013-03-28 Avaya Inc. Method to route multicast data in spb network by establishing the virtual pim adjacency across the spb networks in a single pim domain
CN103812768A (en) * 2014-01-26 2014-05-21 蓝盾信息安全技术股份有限公司 High-performance network data processing platform system



Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2015-07-01