
CN119966903B - Distributed virtual machine network flow auditing method and system - Google Patents

Distributed virtual machine network flow auditing method and system

Info

Publication number
CN119966903B
Authority
CN (China)
Prior art keywords
mirror, strategy, dvr, net, agent
Legal status
Active
Application number
CN202510066621.8A
Other languages
Chinese (zh)
Other versions
CN119966903A (en)
Inventor
刘金欣
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a distributed virtual machine network traffic auditing method and system. In the method, an administrator submits a mirroring policy configuration request; the Neutron server parses the mirroring policy, generates an RPC task, and sends the resulting mirroring policy data to the DVR-net-mirror-agent on the corresponding compute node; the DVR-net-mirror-agent parses the policy data, verifies the port information, generates an OVS mirroring rule from the policy data, and calls the OVS interface to configure the traffic mirroring rule; OVS mirrors the traffic of the specified source port; and after the audit virtual machine receives the mirrored traffic, it monitors and analyses the traffic in real time, generates an audit report from the analysis results, and provides the report to the administrator for further processing. The method and system achieve efficient, real-time mirroring and monitoring of virtual machine network traffic, allow policies to be adjusted dynamically to meet diverse application requirements, and significantly improve the security and management efficiency of the data center.

Description

Distributed virtual machine network flow auditing method and system
Technical Field
The invention relates to the field of information technology, and in particular to a distributed virtual machine network traffic auditing method and system.
Background
In recent years, with the widespread use of cloud computing and virtualization technologies, distributed network environments have become mainstream. As user traffic moves to the cloud at large scale, the various non-traffic-carrying devices found in traditional data centers, such as Web application firewalls (WAF), border firewalls, deep packet inspection (DPI) devices and log audit devices, are also gradually being virtualized and migrated to the cloud. Once such a device is virtualized, a user can create and deploy it online in their own VPC from the cloud computing management console as required, and then steer specific business traffic to one or more of these non-business devices to achieve security protection, online behaviour auditing, routine monitoring and similar purposes.
However, the traffic steering methods based on routes or policy routes used in conventional data centers do not work correctly on a large-scale cloud computing platform built on a fully distributed routing architecture. Under such an architecture, the SNAT/DNAT operations applied to an elastic cloud server's north-south traffic on entering and leaving the VPC must be performed symmetrically, that is, on the VPC virtual router on the physical node where the elastic cloud server resides. When the source elastic cloud server of a steering chain and the non-business virtual device are on different physical nodes, the ingress and egress traffic paths through the VPC, and the source and destination IP addresses in the packets, are no longer aligned, so the security device cannot establish a session and communication fails.
The transparent steering scheme based on full flow tables proposed by the OpenStack community for the DVR (Distributed Virtual Router) architecture is highly invasive to the layer-2 forwarding logic of the data plane: flow tables must be installed for every source elastic cloud server, and each addition or deletion of a user's elastic cloud server triggers a large amount of interaction between the control plane and the data plane. Scalability is therefore poor and large-scale scenarios cannot be supported.
In such environments, conventional traffic mirroring techniques struggle to cope with the complexity and dynamics of a distributed network. In view of this, the invention provides a distributed virtual machine network traffic auditing method and system.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a simple and efficient distributed virtual machine network traffic auditing method and system.
The invention is realized by the following technical scheme:
A distributed virtual machine network traffic auditing method comprises the following steps:
Step S1: an administrator logs in to the Neutron server through a Web interface or a command-line tool and submits a mirroring policy configuration request through the Neutron API, designating a source port (the mirrored virtual machine port) and a target port (the port of the audit virtual machine); the Neutron server verifies the submitted policy request to ensure that the port IDs in the request are valid and exist;
Step S2: after receiving the mirroring policy request, the Neutron server parses the mirroring policy, extracts the source port ID and target port ID, and stores the mirroring policy in a database to ensure its persistence;
Step S3: an RPC connection is established between the Neutron server and the DVR-net-mirror-agent on each compute node; the Neutron server generates an RPC task according to the mirroring policy and issues the generated mirroring policy data, comprising the source port ID and target port ID, to the DVR-net-mirror-agent of the corresponding compute node through the RPC interface;
Step S4: after the DVR-net-mirror-agent receives the mirroring policy, it sends a confirmation message to the Neutron server, parses the mirroring policy data, checks the port information, generates an OVS mirroring rule from the policy data, calls the OVS interface to configure the traffic mirroring rule, and reports back to the Neutron server whether the configuration succeeded;
Step S5: once the mirroring policy has been configured, OVS mirrors the traffic of the designated source port according to the mirroring rules issued by the DVR-net-mirror-agent;
Step S6: after the audit virtual machine receives the mirrored traffic, it monitors and analyses the traffic in real time, generates an audit report from the analysis results, and provides the report to the administrator for subsequent processing.
An administrator updates an existing mirroring policy through the API interface as follows:
Step S1.1.1, submitting an update request
The administrator submits a mirroring policy update request that modifies the source port or the target port;
Step S1.1.2, policy parsing and storage
The Neutron server parses the mirroring policy update request and updates the mirroring policy record in the database;
Step S1.1.3, issuing the updated policy
The updated policy is issued to the DVR-net-mirror-agent on each compute node through the RPC interface.
An administrator deletes a mirroring policy through the API interface as follows:
Step S1.2.1, submitting a delete request
The administrator submits a mirroring policy deletion request designating the policy IDs to be deleted;
Step S1.2.2, policy parsing and deletion
The Neutron server parses the mirroring policy deletion request and deletes the corresponding mirroring policy record from the database;
Step S1.2.3, issuing a delete instruction
A deletion instruction is sent to the DVR-net-mirror-agent on each compute node through the RPC interface;
Step S1.2.4, clearing the OVS rule
After receiving the deletion instruction, the DVR-net-mirror-agent calls the OVS interface to clear the corresponding mirroring rule.
In step S3, the Neutron server continuously monitors the state of the DVR-net-mirror-agent on each compute node to ensure that policies are actually being enforced. The monitoring process is as follows:
Step S3.1, state monitoring
A custom timed task periodically obtains the state information of each DVR-net-mirror-agent through the RPC interface;
Step S3.2, failure detection
A fault-handling flow is triggered when a heartbeat mechanism detects that the DVR-net-mirror-agent on a node is abnormal, or when the DVR-net-mirror-agent on a node reports abnormal information to the Neutron server;
Step S3.3, failure recovery
A custom fault-handling mechanism re-issues the policy or notifies the administrator to intervene manually, depending on the fault condition.
In step S3.3, when the Neutron server detects a DVR-net-mirror-agent failure, it triggers the following fault-handling mechanism:
Step S3.3.1, restarting the agent
An attempt is made to automatically restart the DVR-net-mirror-agent on the failed node;
Step S3.3.2, re-issuing the policy
The mirroring policy is issued again so that the agent can continue to execute the established mirroring task after recovery;
Step S3.3.3, notifying the administrator
If automatic recovery fails, a fault notification is sent to the administrator and manual intervention is required;
Step S3.3.4, data backup and restore
To ensure that the system can recover quickly when a fault occurs, a custom timed task on the Neutron server periodically backs up the mirroring policy data;
during fault recovery, policy data is restored from the backup to ensure that the system quickly returns to its pre-fault state.
In step S4, after receiving the mirroring policy, the DVR-net-mirror-agent performs the following steps:
Step S4.1, parsing the policy data
The DVR-net-mirror-agent parses the received policy data and extracts the source port ID and target port ID;
Step S4.2, checking port information
The validity of the port IDs is verified, ensuring that both the source port and the target port exist in the OVS of the local compute node;
Step S4.3, generating the OVS mirroring rule
The corresponding OVS mirroring rule is generated from the policy data;
Step S4.4, calling the OVS interface
The traffic mirroring rule is configured through the OVS command-line interface or API;
Step S4.5, feeding back the execution result
The DVR-net-mirror-agent reports the execution result, including whether the configuration succeeded, to the Neutron server.
In step S5, OVS mirrors the traffic of the specified source port according to the mirroring rule issued by the DVR-net-mirror-agent, specifically:
Step S5.1, traffic capture
Network traffic sent from the source port is captured;
Step S5.2, traffic replication
The captured traffic is copied and sent to the target port, that is, the port of the audit virtual machine;
Step S5.3, traffic forwarding
The mirrored traffic is forwarded to the audit virtual machine without affecting the normal communication of the source virtual machine.
In step S6, after receiving the mirrored traffic, the audit virtual machine monitors and analyses it in real time, specifically:
Step S6.1, traffic capture
The mirrored traffic received on the target port is captured in real time using a traffic capture tool;
Step S6.2, traffic analysis
The captured traffic is analysed, and potential network security threats and abnormal behaviour are detected according to custom rules;
Step S6.3, generating an audit report
An audit report is generated from the analysis results and provided to the administrator for subsequent processing.
A distributed virtual machine network traffic auditing system comprises:
a DVR-net-mirror-agent, deployed on each compute node, which receives and implements the mirroring policies issued by the Neutron server and interacts with OVS to realise the traffic mirroring function;
a Neutron server, which communicates with the DVR-net-mirror-agents through an API interface, receives mirroring policy configuration requests from the administrator, and issues mirroring policies to the DVR-net-mirror-agent on each compute node through the RPC interface;
OVS (Open vSwitch), a virtual switch running on each compute node, which forwards network traffic between virtual machines and implements traffic mirroring according to the configuration applied by the DVR-net-mirror-agent;
an audit virtual machine, which receives and analyses the mirrored traffic and is thereby responsible for monitoring and auditing network activity;
a northbound interface, which provides RESTful interfaces for the cloud computing management platform or a third-party platform to create, modify, delete and view user-defined traffic mirrors;
a configuration database, which records information about the service steering chains created by users;
a traffic mirror configuration management module, which creates, modifies and deletes traffic mirroring rules, calls the interconnection sub-network management module to create an interconnection sub-network for each non-business virtual device, and calls the virtual network traffic mirror management module;
a virtual network traffic mirror management module, which creates policy route entries by calling the relevant interface and issues them to OVS to steer traffic on the data plane;
an OVS traffic management module: OVS is a multi-layer virtual switch that supports standard management interfaces and protocols and allows the network control plane to define forwarding behaviour programmatically; the module is responsible for forwarding traffic and, by command, mirrors the traffic on a port to the IP of the audit virtual machine, allowing users to capture copies of traffic on the switch and send them to designated ports or interfaces for further analysis or processing.
A distributed virtual machine network traffic auditing device comprises a memory and a processor, wherein the memory stores a computer program and the processor, when executing the program, implements the above method steps.
A readable storage medium stores a computer program which, when executed by a processor, implements the above method steps.
The beneficial effects of the distributed virtual machine network traffic auditing method and system are that, through the distributed deployment of DVR-net-mirror-agents and the flexible configuration of mirroring policies, efficient and real-time mirroring and monitoring of virtual machine network traffic are achieved; the performance bottlenecks and latency of existing centralized monitoring systems are overcome; policies can be adjusted dynamically to meet diverse application requirements; and real-time analysis and auditing of network traffic through the audit virtual machine significantly improve the security and management efficiency of the data center.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a distributed virtual machine network traffic auditing method according to the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the following description will make clear and complete description of the technical solution of the present invention in combination with the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
The distributed virtual machine network traffic auditing method comprises the following steps:
Step S1: an administrator logs in to the Neutron server through a Web interface or a command-line tool and submits a mirroring policy configuration request through the Neutron API, designating a source port (the mirrored virtual machine port) and a target port (the port of the audit virtual machine); the Neutron server verifies the submitted policy request to ensure that the port IDs in the request are valid and exist;
Step S2: after receiving the mirroring policy request, the Neutron server parses the mirroring policy, extracts the source port ID and target port ID, and stores the mirroring policy in a database to ensure its persistence;
Step S3: an RPC connection is established between the Neutron server and the DVR-net-mirror-agent on each compute node; the Neutron server generates an RPC task according to the mirroring policy and issues the generated mirroring policy data, comprising the source port ID and target port ID, to the DVR-net-mirror-agent of the corresponding compute node through the RPC interface;
Step S4: after the DVR-net-mirror-agent receives the mirroring policy, it sends a confirmation message to the Neutron server so that reliable delivery of the policy is ensured, parses the mirroring policy data, checks the port information, generates an OVS mirroring rule from the policy data, calls the OVS interface to configure the traffic mirroring rule, and reports back to the Neutron server whether the configuration succeeded;
Step S5: once the mirroring policy has been configured, OVS mirrors the traffic of the designated source port according to the mirroring rules issued by the DVR-net-mirror-agent;
Step S6: after the audit virtual machine receives the mirrored traffic, it monitors and analyses the traffic in real time, generates an audit report from the analysis results, and provides the report to the administrator for subsequent processing.
The control plane is also responsible for managing and maintaining the mirroring policies, ensuring stable operation of the system and dynamic adjustment of the policies.
An administrator updates an existing mirroring policy through the API interface as follows:
Step S1.1.1, submitting an update request
The administrator submits a mirroring policy update request that modifies the source port or the target port;
Step S1.1.2, policy parsing and storage
The Neutron server parses the mirroring policy update request and updates the mirroring policy record in the database;
Step S1.1.3, issuing the updated policy
The updated policy is issued to the DVR-net-mirror-agent on each compute node through the RPC interface.
An administrator deletes a mirroring policy through the API interface as follows:
Step S1.2.1, submitting a delete request
The administrator submits a mirroring policy deletion request designating the policy IDs to be deleted;
Step S1.2.2, policy parsing and deletion
The Neutron server parses the mirroring policy deletion request and deletes the corresponding mirroring policy record from the database;
Step S1.2.3, issuing a delete instruction
A deletion instruction is sent to the DVR-net-mirror-agent on each compute node through the RPC interface;
Step S1.2.4, clearing the OVS rule
After receiving the deletion instruction, the DVR-net-mirror-agent calls the OVS interface to clear the corresponding mirroring rule.
In step S3, the Neutron server continuously monitors the state of the DVR-net-mirror-agent on each compute node to ensure that policies are actually being enforced. The monitoring process is as follows:
Step S3.1, state monitoring
A custom timed task periodically obtains the state information of each DVR-net-mirror-agent through the RPC interface;
Step S3.2, failure detection
A fault-handling flow is triggered when a heartbeat mechanism detects that the DVR-net-mirror-agent on a node is abnormal, or when the DVR-net-mirror-agent on a node reports abnormal information to the Neutron server;
Step S3.3, failure recovery
A custom fault-handling mechanism re-issues the policy or notifies the administrator to intervene manually, depending on the fault condition.
A comprehensive fault-handling mechanism is custom designed on the control plane to ensure the high availability and stability of the system.
Through the state monitoring mechanism, the Neutron server can detect the running state of the DVR-net-mirror-agent on each compute node in real time.
Heartbeat mechanism: the DVR-net-mirror-agent periodically sends heartbeat messages to the Neutron server to report its own state.
Exception reporting: when the DVR-net-mirror-agent detects that it is running abnormally or cannot configure the OVS rule, it reports the exception information to the Neutron server.
In step S3.3, when the Neutron server detects a DVR-net-mirror-agent failure, it triggers the following fault-handling mechanism:
Step S3.3.1, restarting the agent
An attempt is made to automatically restart the DVR-net-mirror-agent on the failed node;
Step S3.3.2, re-issuing the policy
The mirroring policy is issued again so that the agent can continue to execute the established mirroring task after recovery;
Step S3.3.3, notifying the administrator
If automatic recovery fails, a fault notification is sent to the administrator and manual intervention is required;
Step S3.3.4, data backup and restore
To ensure that the system can recover quickly when a fault occurs, a custom timed task on the Neutron server periodically backs up the mirroring policy data;
during fault recovery, policy data is restored from the backup if necessary to ensure that the system quickly returns to its pre-fault state.
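The monitoring and fault-handling loop of steps S3.1 to S3.3 (described in both the Disclosure and this section), written out in Python as an added example rather than code from the patent or from the Inspur project. The heartbeat timeout, the node restart, the policy re-issue and the administrator notification are modelled as a parameter and three injected callables; these are assumptions made here so that the server-side logic can be run on its own without an RPC bus.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class AgentState:
    """Last known state of one compute node's DVR-net-mirror-agent."""
    last_heartbeat: float                  # seconds (monotonic clock) of the last heartbeat
    reported_error: Optional[str] = None   # set when the agent itself reports an exception


class AgentMonitor:
    """Neutron-server-side monitor for the DVR-net-mirror-agent on each node.

    The timeout and the three hooks (restart, reissue, notify) are assumptions
    for this example; in a deployment they would wrap the RPC calls to the node
    and the operator notification channel.
    """

    def __init__(self, timeout_s: float,
                 restart: Callable[[str], bool],
                 reissue: Callable[[str], None],
                 notify: Callable[[str, str], None]) -> None:
        self.timeout_s = timeout_s
        self.restart, self.reissue, self.notify = restart, reissue, notify
        self.agents: Dict[str, AgentState] = {}

    def heartbeat(self, node: str, now: float,
                  error: Optional[str] = None) -> None:
        """Record a heartbeat (S3.1); an agent may piggyback an exception report."""
        state = self.agents.setdefault(node, AgentState(now))
        state.last_heartbeat = now
        state.reported_error = error

    def detect_failures(self, now: float) -> List[str]:
        """S3.2: a node is failed when its heartbeat is older than the timeout
        or when the agent reported that it cannot configure the OVS rule."""
        return sorted(node for node, st in self.agents.items()
                      if now - st.last_heartbeat > self.timeout_s
                      or st.reported_error is not None)

    def handle_failure(self, node: str, now: float) -> str:
        """S3.3.1 to S3.3.3: restart, then re-issue the policy, else escalate."""
        state = self.agents[node]
        if self.restart(node):
            self.reissue(node)              # agent resumes the established mirroring task
            state.reported_error = None
            state.last_heartbeat = now      # grace period until its first new heartbeat
            return "recovered"
        self.notify(node, "automatic restart failed; manual intervention required")
        return "escalated"

    def tick(self, now: float) -> Dict[str, str]:
        """One run of the timed task: detect failed nodes and handle each one."""
        return {node: self.handle_failure(node, now)
                for node in self.detect_failures(now)}


if __name__ == "__main__":
    # Constructed scenario: node-3 stops sending heartbeats and cannot be
    # restarted; node-2 reports an OVS configuration error but restarts fine.
    log = []
    monitor = AgentMonitor(timeout_s=30.0,
                           restart=lambda node: node != "node-3",
                           reissue=lambda node: log.append(("reissue", node)),
                           notify=lambda node, msg: log.append(("notify", node, msg)))
    for node in ("node-1", "node-2", "node-3"):
        monitor.heartbeat(node, 100.0)
    monitor.heartbeat("node-1", 120.0)
    monitor.heartbeat("node-2", 126.0, error="ovs-vsctl failed")
    print(monitor.tick(140.0))   # {'node-2': 'recovered', 'node-3': 'escalated'}
    print(log)
```

The detail worth copying is the grace period: after a successful restart the agent's last-heartbeat time is reset, otherwise the same node would be flagged again on every tick until its first new heartbeat arrives, and the repeated restarts would mask whether the agent ever actually came back.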
In step S4, after receiving the mirroring policy, the DVR-net-mirror-agent performs the following steps:
Step S4.1, parsing the policy data
The DVR-net-mirror-agent parses the received policy data and extracts the source port ID and target port ID;
Step S4.2, checking port information
The validity of the port IDs is verified, ensuring that both the source port and the target port exist in the OVS of the local compute node;
Step S4.3, generating the OVS mirroring rule
The corresponding OVS mirroring rule is generated from the policy data;
Step S4.4, calling the OVS interface
The traffic mirroring rule is configured through the OVS command-line interface or API;
Step S4.5, feeding back the execution result
The DVR-net-mirror-agent reports the execution result, including whether the configuration succeeded, to the Neutron server.
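The agent-side procedure of steps S4.1 to S4.5, together with the rule removal of step S1.2.4, worked through in Python as an added example; this is not code from the patent or from the Inspur project. It assumes a Neutron-style deployment in which the integration bridge is `br-int`, each Neutron port is attached to OVS as a `tap` interface named from the first 11 characters of the port UUID, and the agent drives OVS through the `ovs-vsctl` command line; the `run` callable stands in for process execution and is injected so the logic can be exercised without a live switch.

```python
import re
import shlex
from typing import Callable, Dict, List, Sequence

# Assumptions for this example (not specified by the patent text): the Neutron
# integration bridge is "br-int", and a Neutron port appears in OVS as a "tap"
# interface named from the first 11 characters of the port UUID, as the Neutron
# OVS agent does. Both can be changed without touching the rest of the logic.
INTEGRATION_BRIDGE = "br-int"
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def tap_name(port_id: str) -> str:
    """OVS interface name for a Neutron port (assumed convention, see above)."""
    return "tap" + port_id[:11]


def parse_policy(policy: Dict[str, str]) -> Dict[str, str]:
    """S4.1: extract and sanity-check the source and target port IDs."""
    try:
        src, dst = policy["source_port_id"], policy["target_port_id"]
    except KeyError as exc:
        raise ValueError(f"policy is missing field {exc}") from None
    for pid in (src, dst):
        if not UUID_RE.match(pid):
            raise ValueError(f"malformed port id: {pid!r}")
    if src == dst:
        raise ValueError("source and target port must differ")
    # Mirror record name derived from the mirrored port so it can be found again.
    return {"source_port_id": src, "target_port_id": dst,
            "mirror_name": "mirror-" + src[:8]}


def check_ports(parsed: Dict[str, str], local_ports: Sequence[str]) -> None:
    """S4.2: both ports must be attached to this node's integration bridge.

    local_ports is what `ovs-vsctl list-ports br-int` would print, one name per
    entry. A policy naming a port that is not local is rejected instead of
    silently creating a mirror that captures nothing.
    """
    missing = [key for key in ("source_port_id", "target_port_id")
               if tap_name(parsed[key]) not in local_ports]
    if missing:
        raise LookupError("not on local bridge: " + ", ".join(missing))


def build_mirror_command(parsed: Dict[str, str],
                         bridge: str = INTEGRATION_BRIDGE) -> List[str]:
    """S4.3: one ovs-vsctl transaction that creates the Mirror record.

    select-src-port and select-dst-port are both set to the mirrored VM port,
    so only frames sent or received by that port are copied; other tenants'
    traffic on the shared bridge is not. `add` appends to the bridge's mirror
    set instead of replacing mirrors created for other policies.
    """
    src = tap_name(parsed["source_port_id"])
    dst = tap_name(parsed["target_port_id"])
    return ["ovs-vsctl",
            "--", "--id=@src", "get", "Port", src,
            "--", "--id=@dst", "get", "Port", dst,
            "--", "--id=@m", "create", "Mirror",
            f"name={parsed['mirror_name']}",
            "select-src-port=@src", "select-dst-port=@src", "output-port=@dst",
            "--", "add", "Bridge", bridge, "mirrors", "@m"]


def build_mirror_delete_command(mirror_name: str,
                                bridge: str = INTEGRATION_BRIDGE) -> List[str]:
    """S1.2.4: detach the Mirror from the bridge; OVSDB then garbage-collects it."""
    return ["ovs-vsctl",
            "--", "--id=@m", "get", "Mirror", mirror_name,
            "--", "remove", "Bridge", bridge, "mirrors", "@m"]


def apply_policy(policy: Dict[str, str], local_ports: Sequence[str],
                 run: Callable[[List[str]], int]) -> Dict[str, object]:
    """S4.1 to S4.5: validate, configure OVS through `run`, and build the result
    message for the Neutron server. `run` executes an argv and returns the exit
    status (subprocess.call in production; a stub in tests)."""
    try:
        parsed = parse_policy(policy)
        check_ports(parsed, local_ports)
        rc = run(build_mirror_command(parsed))
    except (ValueError, LookupError) as exc:
        return {"mirror_name": None, "success": False, "detail": str(exc)}
    return {"mirror_name": parsed["mirror_name"], "success": rc == 0,
            "detail": "" if rc == 0 else f"ovs-vsctl exited {rc}"}


if __name__ == "__main__":
    # Constructed sample: two port UUIDs and the port list of one compute node.
    sample_policy = {"source_port_id": "c1b7a0f2-3e4d-4a5b-8c6d-0123456789ab",
                     "target_port_id": "9f8e7d6c-5b4a-4392-8170-fedcba987654"}
    sample_ports = ["patch-tun", "tapc1b7a0f2-3e", "tap9f8e7d6c-5b"]

    def dry_run(argv: List[str]) -> int:   # print the command instead of executing it
        print(shlex.join(argv))
        return 0

    print(apply_policy(sample_policy, sample_ports, dry_run))
```

Setting both `select-src-port` and `select-dst-port` to the mirrored port is what upholds the guarantee of step S5.3 that only the designated VM's traffic reaches the audit VM; leaving both unset would copy every frame on the shared bridge, including other tenants' traffic. Validating the port IDs before invoking `ovs-vsctl` also means policy data received over RPC never reaches the command line unchecked.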
In step S5, OVS mirrors the traffic of the specified source port according to the mirroring rule issued by the DVR-net-mirror-agent, specifically:
Step S5.1, traffic capture
Network traffic sent from the source port is captured;
Step S5.2, traffic replication
The captured traffic is copied and sent to the target port, that is, the port of the audit virtual machine;
Step S5.3, traffic forwarding
The mirrored traffic is forwarded smoothly to the audit virtual machine without affecting the normal communication of the source virtual machine.
In step S6, after receiving the mirrored traffic, the audit virtual machine monitors and analyses it in real time, specifically:
Step S6.1, traffic capture
The mirrored traffic received on the target port is captured in real time using a traffic capture tool (e.g. tcpdump or Wireshark);
Step S6.2, traffic analysis
The captured traffic is analysed, and potential network security threats and abnormal behaviour are detected according to custom rules;
Step S6.3, generating an audit report
A detailed audit report is generated from the analysis results and provided to the administrator for subsequent processing.
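An audit-VM analysis pass in the spirit of steps S6.1 to S6.3, added here as an example and not taken from the patent: it parses `tcpdump -n` style lines of the kind the capture tool named in step S6.1 prints, applies two custom rules (a bare-SYN port-scan heuristic and a denied destination-port list; both are assumptions for this demo, standing in for whatever rules the operator defines), and assembles the report of step S6.3. The capture embedded in the block is constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# tcpdump -n style TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

# Example audit rule, an assumption for this demo: destination ports whose use the
# operator's policy forbids on this segment (here, cleartext telnet).
DENIED_DST_PORTS = {23}


def parse_capture(text: str) -> List[Dict[str, object]]:
    """S6.1: turn captured tcpdump-style lines into records. Lines that are not
    IPv4 TCP (ARP, ICMP, truncated output) are skipped rather than crashing."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                        "dst": m["dst"], "dport": int(m["dport"]),
                        "flags": m["flags"]})
    return packets


def detect_port_scan(packets: List[Dict[str, object]],
                     threshold: int = 5) -> List[Dict[str, object]]:
    """S6.2 rule 1: one source opening connections (bare SYN) to at least
    `threshold` distinct destination ports is reported as a probable scan."""
    ports_by_src = defaultdict(set)
    for p in packets:
        if p["flags"] == "S":
            ports_by_src[p["src"]].add(p["dport"])
    return [{"rule": "port-scan", "source": src, "ports": sorted(ports)}
            for src, ports in sorted(ports_by_src.items())
            if len(ports) >= threshold]


def detect_denied_ports(packets: List[Dict[str, object]],
                        denied=DENIED_DST_PORTS) -> List[Dict[str, object]]:
    """S6.2 rule 2: any connection attempt to a denied destination port."""
    return [{"rule": "denied-port", "source": p["src"], "dst": p["dst"],
             "dport": p["dport"], "ts": p["ts"]}
            for p in packets if p["flags"] == "S" and p["dport"] in denied]


def build_report(text: str, scan_threshold: int = 5) -> Dict[str, object]:
    """S6.3: the summary the administrator receives for one captured window."""
    packets = parse_capture(text)
    findings = detect_port_scan(packets, scan_threshold) + detect_denied_ports(packets)
    return {"packets": len(packets),
            "sources": sorted({p["src"] for p in packets}),
            "findings": findings,
            "verdict": "alert" if findings else "clean"}


# Constructed sample capture (addresses, ports and times are made up): one host
# probing six ports on 10.0.0.9 with bare SYNs, then a normal TLS handshake,
# then an ARP line that the parser must ignore.
SAMPLE_CAPTURE = "\n".join(
    [f"10:00:01.{i:06d} IP 10.0.0.5.{40001 + i} > 10.0.0.9.{port}: "
     f"Flags [S], seq 1, win 64240, length 0"
     for i, port in enumerate((22, 23, 80, 443, 3306, 8080))] + [
    "10:00:02.000001 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 9, win 64240, length 0",
    "10:00:02.000150 IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], seq 3, ack 10, win 65160, length 0",
    "10:00:02.000300 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [.], ack 1, win 502, length 0",
    "10:00:02.000450 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [P.], seq 1:518, ack 1, win 502, length 517",
    "10:00:02.000500 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28",
])

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_CAPTURE), indent=2))
```

On a real mirror port the same parser would be fed from `tcpdump -n -l` on the audit VM's mirror interface and the report emitted per time window; the denied-port set and the scan threshold are operator policy and belong in configuration rather than in code.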
The distributed virtual machine network traffic auditing system comprises:
a DVR-net-mirror-agent, deployed on each compute node, which receives and implements the mirroring policies issued by the Neutron server and interacts with OVS to realise the traffic mirroring function;
a Neutron server, which communicates with the DVR-net-mirror-agents through an API interface, receives mirroring policy configuration requests from the administrator, and issues mirroring policies to the DVR-net-mirror-agent on each compute node through the RPC interface;
OVS (Open vSwitch, an open virtual switching standard), a virtual switch running on each compute node, which forwards network traffic between virtual machines and implements traffic mirroring according to the configuration applied by the DVR-net-mirror-agent;
an audit virtual machine, which receives and analyses the mirrored traffic and is thereby responsible for monitoring and auditing network activity;
a northbound interface, which provides a series of RESTful interfaces for the cloud computing management platform or a third-party platform to create, modify, delete and view user-defined traffic mirrors;
a configuration database, which records information about the service steering chains created by users;
a traffic mirror configuration management module, which creates, modifies and deletes traffic mirroring rules, calls the interconnection sub-network management module to create an interconnection sub-network for each non-business virtual device, and calls the virtual network traffic mirror management module;
a virtual network traffic mirror management module, which creates policy route entries by calling the relevant interface and issues them to OVS to steer traffic on the data plane;
an OVS traffic management module: OVS is a multi-layer virtual switch that supports standard management interfaces and protocols and allows the network control plane to define forwarding behaviour programmatically; the module is responsible for forwarding traffic and, by command, mirrors the traffic on a port to the IP of the audit virtual machine. Traffic mirroring is an important feature that allows users to capture copies of traffic on the switch and send them to designated ports or interfaces for further analysis or processing.
The distributed virtual machine network traffic auditing device comprises a memory and a processor, wherein the memory stores a computer program and the processor, when executing the program, implements the above method steps.
The readable storage medium stores a computer program which, when executed by a processor, implements the above method steps.
Compared with the prior art, the distributed virtual machine network flow auditing method and system have the following characteristics:
1) Distributed deployment and extensibility
By deploying DVR-net-mirror-agents on each computing node, distributed deployment and efficient traffic mirroring are achieved, and this architecture enables:
And the system expandability is improved, namely, the system can linearly expand along with the increase of the computing nodes, and is not limited by single-point performance bottlenecks.
And the centralized processing load is reduced, each computing node independently processes the local flow mirror image, and the performance bottleneck and network delay caused by centralized processing are avoided.
The system stability is enhanced, the distributed architecture reduces the risk of single-point faults, and the overall reliability and stability of the system are improved.
2) Flexible mirror policy configuration
An administrator can flexibly configure and modify the mirror policy through the API interface to meet the requirements of different application scenarios. This flexibility brings several advantages:
Dynamic adjustment: as business requirements and security policies change, the administrator can adjust the mirror policy at any time without stopping or restarting the system.
Fine-grained control: traffic mirroring can target a specific virtual machine or port, giving precise traffic monitoring and auditing.
Broad applicability: various network environments and use cases are supported, such as security auditing, troubleshooting and performance monitoring.
3) Real-time monitoring and fast response
The audit virtual machine receives and analyzes the mirrored traffic in real time and can promptly discover and handle potential network security threats and performance problems. This real-time operation has the following effects:
Real-time threat detection: the mirrored traffic is analyzed as it arrives, so network attacks and abnormal behavior are detected quickly and system security is improved.
Fast fault localization: real-time monitoring of the mirrored traffic quickly localizes network faults and performance bottlenecks, shortening fault-handling time.
Network performance optimization: real-time traffic monitoring identifies and resolves network congestion and performance bottlenecks, optimizing the network performance of the data center.
4) Efficient policy management and maintenance
A complete policy management and maintenance mechanism ensures that the mirror policy is executed effectively and the system runs stably. Specific advantages include:
Automated management: mirror policies are issued and updated automatically through the RPC interface, reducing manual intervention and improving management efficiency.
Continuous monitoring and fault recovery: the Neutron server continuously monitors the state of the DVR-net-mirror-agent on each computing node, discovering and handling faults promptly to keep the system highly available.
Data backup and recovery: the mirror policy data is backed up regularly, so the policy configuration can be restored quickly during fault recovery, ensuring system reliability.
5) Optimizing resource utilization
Handling traffic mirroring independently on each computing node uses resources more efficiently:
Reduced network bandwidth usage: traffic mirroring is completed within the local computing node, reducing the bandwidth consumed by cross-node traffic forwarding.
Reduced computing resource consumption: the DVR-net-mirror-agent and the OVS run on the local node, reducing the computing load on a centralized processing node.
6) Enhanced data security and compliance
Real-time traffic mirroring and analysis significantly improve data security and compliance:
Compliance auditing: key business traffic is monitored and recorded in real time, meeting data security and compliance requirements.
Sensitive data protection: traffic mirroring and analysis can promptly discover and block leakage of sensitive data and unauthorized access.
7) Easy to integrate and deploy
Being based on mature open-source components (such as OVS and Neutron), the system is easy to integrate into existing cloud computing and virtualization environments:
Open-source ecosystem: the open-source community resources of OVS and Neutron are used, reducing development and maintenance costs.
Rapid deployment: standardized API interfaces and deployment tools allow the system to be deployed and brought online quickly, shortening the project cycle.
The above embodiment is only one specific embodiment of the present invention; ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall be included in the scope of protection of the present invention.

Claims (10)

1. A distributed virtual machine network traffic auditing method, characterized by comprising the following steps:
Step S1: an administrator logs in to the Neutron server through a Web interface or a command-line tool and submits a mirror policy configuration request through the Neutron API, designating a source port and a target port; the submitted policy request is verified to ensure that the port IDs in the request are legal and exist;
Step S2: after receiving the mirror policy request, the Neutron server parses the mirror policy, extracts the source port ID and the target port ID, and stores the mirror policy in a database to ensure its persistence;
Step S3: the Neutron server establishes an RPC connection to the DVR-net-mirror-agent of each computing node, generates an RPC task according to the mirror policy, and issues the generated mirror policy data, comprising the source port ID and the target port ID, to the DVR-net-mirror-agent of the corresponding computing node through the RPC interface;
Step S4: after receiving the mirror policy, the DVR-net-mirror-agent sends an acknowledgement to the Neutron server, parses the mirror policy data, checks the port information, generates an OVS mirror rule according to the mirror policy data, calls the OVS interface to configure the traffic mirror rule, and reports to the Neutron server whether the configuration succeeded;
Step S5: once the mirror policy is configured, the OVS mirrors the traffic of the designated source port according to the mirror rule issued by the DVR-net-mirror-agent;
Step S6: after the audit virtual machine receives the mirrored traffic, it monitors and analyzes the traffic in real time, generates an audit report from the analysis results, and provides the report to the administrator for subsequent processing.
2. The distributed virtual machine network traffic auditing method according to claim 1, wherein an administrator updates an existing mirror policy through the API interface, the update process being as follows:
Step S1.1.1, submit an update request
The administrator submits a mirror policy update request that modifies the source port or the target port;
Step S1.1.2, policy parsing and storage
The Neutron server parses the mirror policy update request and updates the mirror policy record in the database;
Step S1.1.3, issue the updated policy
The updated policy is issued to the DVR-net-mirror-agent of each computing node through the RPC interface;
and the administrator deletes a mirror policy through the API interface, the deletion process being as follows:
Step S1.2.1, submit a delete request
The administrator submits a mirror policy deletion request that designates the ID of the policy to be deleted;
Step S1.2.2, policy parsing and deletion
The Neutron server parses the mirror policy deletion request and deletes the corresponding mirror policy record from the database;
Step S1.2.3, issue a delete instruction
A delete instruction is sent to the DVR-net-mirror-agent of each computing node through the RPC interface;
Step S1.2.4, clear the OVS rule
After receiving the delete instruction, the DVR-net-mirror-agent calls the OVS interface to clear the corresponding mirror rule.
3. The distributed virtual machine network traffic auditing method according to claim 1, wherein in step S3 the Neutron server continuously monitors the state of the DVR-net-mirror-agent on each computing node to ensure that policies are executed effectively, the monitoring process being as follows:
Step S3.1, state monitoring
A scheduled task is defined that periodically obtains the state information of each DVR-net-mirror-agent through the RPC interface;
Step S3.2, failure detection
A fault-handling flow is triggered when the heartbeat mechanism detects that the DVR-net-mirror-agent on a node is abnormal, or when abnormal information reported to the Neutron server by the DVR-net-mirror-agent on that node is received;
Step S3.3, failure recovery
A fault-handling mechanism is defined that, according to the fault condition, re-issues the policy or notifies the administrator to intervene manually.
4. The distributed virtual machine network traffic auditing method according to claim 3, wherein in step S3.3, when a DVR-net-mirror-agent failure is detected, the Neutron server triggers a fault-handling mechanism comprising:
Step S3.3.1, restart the agent
An attempt is made to automatically restart the DVR-net-mirror-agent on the failed node;
Step S3.3.2, re-issue the policy
The mirror policy is issued again so that the agent continues to execute the established mirror task after recovery;
Step S3.3.3, notify the administrator
If automatic recovery fails, a fault notification is sent to the administrator and manual intervention is required;
Step S3.3.4, data backup and restore
To ensure that the system can recover quickly when a fault occurs, a scheduled task is defined by which the Neutron server periodically backs up the mirror policy data;
during fault recovery, the policy data is restored from the backup so that the system returns quickly to its pre-fault state.
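The control-plane procedure of claims 1 to 4, as an added Python example that is not the patent's code nor part of OpenStack Neutron: step S1 validation of the port IDs, step S2 persistence, step S3 issue of the policy to the agent on the node that hosts the source port, the update and delete flows of claim 2, and the heartbeat-based failure detection, re-issue and backup/restore of claims 3 and 4. The class name, the in-memory dictionaries standing in for the Neutron database, the `sent` list standing in for the RPC channel, and the sample port table are assumptions made for illustration.

```python
"""Control-plane side of the mirror-policy workflow (claims 1 to 4).

Added example; not code from the patent or from OpenStack Neutron. The class,
the in-memory dictionaries standing in for the Neutron database, and the
`sent` list standing in for the RPC channel to each DVR-net-mirror-agent are
assumptions made for illustration.
"""
import uuid

# Constructed sample port table: port ID -> computing node that hosts the port.
SAMPLE_PORTS = {
    "11111111-1111-1111-1111-111111111111": "compute-1",   # source VM on compute-1
    "22222222-2222-2222-2222-222222222222": "compute-1",   # audit VM on compute-1
    "33333333-3333-3333-3333-333333333333": "compute-2",   # another VM on compute-2
}


class PolicyError(ValueError):
    """Raised when a mirror policy request fails the step S1 checks."""


class MirrorPolicyServer:
    def __init__(self, ports, heartbeat_timeout=30.0):
        self.ports = ports              # port ID -> host (stands in for the Neutron port table)
        self.policies = {}              # policy ID -> {"source", "target", "host"} (step S2 "database")
        self.sent = []                  # RPC tasks issued to agents (step S3, claim 2)
        self.last_heartbeat = {}        # host -> timestamp of the last agent heartbeat (steps S3.1/S3.2)
        self.backups = []               # periodic snapshots of the policy table (step S3.3.4)
        self.timeout = heartbeat_timeout

    def _validate(self, source, target):
        """Step S1: both port IDs must be well-formed and exist; a port may not mirror onto itself."""
        for pid in (source, target):
            try:
                uuid.UUID(pid)
            except ValueError:
                raise PolicyError(f"port id {pid!r} is not a UUID")
            if pid not in self.ports:
                raise PolicyError(f"port {pid} does not exist")
        if source == target:
            raise PolicyError("source and target port must differ (would loop the mirror)")

    def _issue(self, op, policy_id):
        pol = self.policies[policy_id]
        self.sent.append({"op": op, "host": pol["host"], "policy_id": policy_id,
                          "source_port_id": pol["source"], "target_port_id": pol["target"]})

    def create_policy(self, source, target):
        self._validate(source, target)
        policy_id = str(uuid.uuid4())
        # Step S2: persist. The policy is bound to the node hosting the *source* port,
        # because only that node's OVS sees the traffic that has to be copied.
        self.policies[policy_id] = {"source": source, "target": target,
                                    "host": self.ports[source]}
        self._issue("create", policy_id)                  # step S3
        return policy_id

    def update_policy(self, policy_id, source=None, target=None):
        """Claim 2, steps S1.1.1 to S1.1.3."""
        pol = self.policies[policy_id]
        new_src = source or pol["source"]
        new_dst = target or pol["target"]
        self._validate(new_src, new_dst)
        if self.ports[new_src] != pol["host"]:
            self._issue("delete", policy_id)              # the old host must drop its rule first
        pol.update(source=new_src, target=new_dst, host=self.ports[new_src])
        self._issue("update", policy_id)

    def delete_policy(self, policy_id):
        """Claim 2, steps S1.2.1 to S1.2.3."""
        pol = self.policies.pop(policy_id)
        self.sent.append({"op": "delete", "host": pol["host"], "policy_id": policy_id})

    # claim 3 / claim 4: agent monitoring and recovery
    def heartbeat(self, host, timestamp):
        self.last_heartbeat[host] = timestamp

    def backup(self):
        """Step S3.3.4: snapshot the policy table; restore_from_backup() reloads the latest one."""
        self.backups.append({k: dict(v) for k, v in self.policies.items()})

    def restore_from_backup(self):
        self.policies = {k: dict(v) for k, v in self.backups[-1].items()}
        for policy_id in self.policies:
            self._issue("create", policy_id)

    def check_agents(self, now):
        """Steps S3.2/S3.3: hosts whose agent missed its heartbeat get their policies re-issued."""
        failed = sorted(h for h in set(self.ports.values())
                        if now - self.last_heartbeat.get(h, float("-inf")) > self.timeout)
        for host in failed:
            for policy_id, pol in self.policies.items():
                if pol["host"] == host:
                    self._issue("create", policy_id)      # step S3.3.2 after the restart attempt
        return failed
```

Two design points worth noting: the policy is issued only to the node hosting the source port rather than to every computing node, since only that node's OVS can copy the traffic, and a policy whose source port moves to another host produces a delete for the old host before the update for the new one, so no stale mirror is left behind.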
5. The distributed virtual machine network traffic auditing method according to claim 1, wherein in step S4, after receiving the mirror policy, the DVR-net-mirror-agent performs the following steps:
Step S4.1, parse the policy data
The DVR-net-mirror-agent parses the received policy data and extracts the source port ID and the target port ID;
Step S4.2, check the port information
The validity of the port IDs is verified, ensuring that both the source port and the target port exist in the OVS of the local computing node;
Step S4.3, generate the OVS mirror rule
The corresponding OVS mirror rule is generated from the policy data;
Step S4.4, call the OVS interface
The traffic mirror rule is configured through the OVS command-line interface or API;
Step S4.5, feed back the execution result
The DVR-net-mirror-agent reports the execution result, including whether the configuration succeeded, to the Neutron server.
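The compute-node side of step S4 (claim 5), the rule clearing of claim 2 step S1.2.4, and the OVS mirroring described for the OVS traffic management module, as an added Python example that is neither the patent's code nor Neutron's. It builds the `ovs-vsctl` transaction that creates an OVS Mirror row selecting both directions of the source port and outputting to the target port, and the transaction that removes it again. Assumptions: policy messages are dicts carrying `policy_id`, `source_port_id` and `target_port_id`; the integration bridge is `br-int`; OVS port names follow the Neutron convention of `tap` plus the first 11 characters of the port ID; and the `ovs-vsctl` call goes through an injectable `run` callable so the logic can be exercised without a switch. One caveat the S4.2 check enforces: an OVS mirror can only output to a port on the same bridge, so the audit VM's port (or a local port leading to it) must exist on the node that hosts the source port.

```python
"""Compute-node side: what a DVR-net-mirror-agent does with an issued policy
(claim 1 step S4, claim 5, claim 2 step S1.2.4).

Added example; not the patent's or Neutron's code. Assumptions: policy
messages are dicts carrying policy_id, source_port_id and target_port_id;
the integration bridge is br-int; OVS port names follow the Neutron
convention "tap" + first 11 characters of the port ID; and the ovs-vsctl
invocation goes through an injectable `run` callable.
"""
import subprocess

BRIDGE = "br-int"


def ovs_port_name(port_id):
    return "tap" + port_id[:11]


def mirror_name(policy_id):
    return "mirror-" + policy_id[:8]


def create_mirror_argv(policy_id, source_port_id, target_port_id):
    """One ovs-vsctl transaction: create a Mirror that copies both directions of
    the source port's traffic to the target port and attach it to the bridge."""
    return ["ovs-vsctl",
            "--", "--id=@src", "get", "Port", ovs_port_name(source_port_id),
            "--", "--id=@dst", "get", "Port", ovs_port_name(target_port_id),
            "--", "--id=@m", "create", "Mirror", "name=" + mirror_name(policy_id),
            "select-src-port=@src", "select-dst-port=@src", "output-port=@dst",
            "--", "add", "Bridge", BRIDGE, "mirrors", "@m"]


def delete_mirror_argv(policy_id):
    """Detach the Mirror row from the bridge; OVS garbage-collects unreferenced rows."""
    return ["ovs-vsctl",
            "--", "--id=@m", "get", "Mirror", mirror_name(policy_id),
            "--", "remove", "Bridge", BRIDGE, "mirrors", "@m"]


def run_ovs_vsctl(argv):
    """Default executor: invoke ovs-vsctl for real; returns its exit code."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).returncode


def list_local_ports():
    """Default port lister: the ports attached to br-int on this node."""
    out = subprocess.run(["ovs-vsctl", "list-ports", BRIDGE],
                         capture_output=True, text=True, check=True).stdout
    return set(out.split())


def apply_policy(msg, local_ports=None, run=run_ovs_vsctl):
    """Steps S4.1 to S4.5. Returns the feedback message for the Neutron server."""
    policy_id = msg.get("policy_id")
    op = msg.get("op", "create")
    feedback = {"policy_id": policy_id, "op": op, "success": False}
    if op == "delete":                                   # claim 2, step S1.2.4
        feedback["success"] = run(delete_mirror_argv(policy_id)) == 0
        return feedback
    src, dst = msg.get("source_port_id"), msg.get("target_port_id")
    if not (policy_id and src and dst):                  # S4.1: malformed message
        feedback["reason"] = "missing policy_id/source_port_id/target_port_id"
        return feedback
    if src == dst:
        feedback["reason"] = "source and target are the same port"
        return feedback
    # S4.2: an OVS mirror can only output to a port on the same bridge, so both
    # ports must be present locally; refuse here rather than let ovs-vsctl fail.
    ports = set(local_ports) if local_ports is not None else list_local_ports()
    missing = [p for p in (src, dst) if ovs_port_name(p) not in ports]
    if missing:
        feedback["reason"] = "port(s) not on this node: " + ", ".join(missing)
        return feedback
    if op == "update":
        run(delete_mirror_argv(policy_id))               # best-effort removal of the old rule
    argv = create_mirror_argv(policy_id, src, dst)       # S4.3: generate the rule
    feedback["success"] = run(argv) == 0                 # S4.4: apply it
    return feedback                                      # S4.5: report to the server
```

The whole create is a single `ovs-vsctl` transaction, so either the Mirror row is created and attached or nothing changes; the agent never leaves a half-applied rule for the server to reconcile.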
6. The distributed virtual machine network traffic auditing method according to claim 1, wherein in step S5 the OVS mirrors the traffic of the designated source port according to the mirror rule issued by the DVR-net-mirror-agent, specifically comprising the following steps:
Step S5.1, traffic capture
The network traffic emanating from the source port is captured;
Step S5.2, traffic replication
The captured traffic is copied and sent to the target port, namely the port of the audit virtual machine;
Step S5.3, traffic forwarding
The mirrored traffic is forwarded to the audit virtual machine without affecting the normal communication of the source virtual machine.
7. The distributed virtual machine network traffic auditing method according to claim 1, wherein in step S6, after the audit virtual machine receives the mirrored traffic, it monitors and analyzes the traffic in real time, specifically comprising the following steps:
Step S6.1, traffic capture
The mirrored traffic received on the target port is captured in real time with a traffic capture tool;
Step S6.2, traffic analysis
The captured traffic is analyzed, and potential network security threats and abnormal behavior are detected according to custom rules;
Step S6.3, generate the audit report
An audit report is generated from the analysis results and provided to the administrator for subsequent processing.
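The audit-VM side of step S6 (claim 7), as an added Python example that is not the patent's code: raw Ethernet/IPv4/TCP frames, as they arrive on the mirror target port, are parsed with the standard library and run through two custom rules, then summarized into an audit report. The parser covers IPv4/TCP only, the two rules (a bare-SYN sweep across many ports, and new connections to cleartext administrative protocols) and their thresholds are assumptions chosen for illustration, and the sample frames are constructed inline rather than captured from a real mirror port.

```python
"""Audit-VM side: step S6 / claim 7, parse the mirrored frames, apply custom
detection rules, and build the audit report.

Added example; not the patent's code. The parser handles IPv4/TCP only, the
two rules and their thresholds are assumptions chosen for illustration, and
the sample frames are constructed inline rather than captured.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet"}


def parse_frame(frame):
    """Return the IPv4/TCP fields the rules need, or None for anything else."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 20 or ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport, "flags": tcp[13]}


def analyze(frames, scan_threshold=10):
    """Step S6.2: apply the rules; step S6.3: return the report as a dict."""
    syn_ports = defaultdict(set)          # (src, dst) -> distinct ports probed with a bare SYN
    findings = []
    parsed = 0
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        parsed += 1
        is_new_conn = p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK
        if not is_new_conn:
            continue
        syn_ports[(p["src"], p["dst"])].add(p["dport"])
        if p["dport"] in CLEARTEXT_ADMIN_PORTS:
            findings.append({"rule": "cleartext-admin", "src": p["src"], "dst": p["dst"],
                             "detail": f"{CLEARTEXT_ADMIN_PORTS[p['dport']]} on TCP/{p['dport']}"})
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_threshold:
            findings.append({"rule": "port-scan", "src": src, "dst": dst,
                             "detail": f"{len(ports)} distinct ports probed"})
    return {"frames": len(frames), "parsed": parsed, "findings": findings}


def render_report(report):
    """Step S6.3: human-readable audit report for the administrator."""
    lines = [f"frames received: {report['frames']}, IPv4/TCP parsed: {report['parsed']}",
             f"findings: {len(report['findings'])}"]
    for f in report["findings"]:
        lines.append(f"  [{f['rule']}] {f['src']} -> {f['dst']}: {f['detail']}")
    return "\n".join(lines)


def make_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums zeroed; constructed test input)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


# Constructed sample of mirrored traffic: a SYN sweep, a telnet login and its SYN/ACK,
# one normal HTTPS SYN, and a non-IPv4 frame that the parser must skip.
SAMPLE_FRAMES = (
    [make_tcp_frame("10.0.0.5", "10.0.0.9", 40000 + i, port, TCP_SYN)
     for i, port in enumerate(range(1, 13))]
    + [make_tcp_frame("10.0.0.7", "10.0.0.9", 51000, 23, TCP_SYN),
       make_tcp_frame("10.0.0.9", "10.0.0.7", 23, 51000, TCP_SYN | TCP_ACK),
       make_tcp_frame("10.0.0.6", "10.0.0.9", 52000, 443, TCP_SYN),
       b"\x02" * 12 + struct.pack("!H", 0x86DD) + b"\x00" * 60]
)

if __name__ == "__main__":
    print(render_report(analyze(SAMPLE_FRAMES)))
```

Only bare SYNs count towards the scan rule, so the mirrored SYN/ACK replies from the target do not inflate the count; in a real deployment the frames would come from a capture tool on the target port rather than from `SAMPLE_FRAMES`, and the rules would be the operator's own.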
8. A system based on the distributed virtual machine network traffic auditing method according to any one of claims 1 to 7, characterized by comprising:
a DVR-net-mirror-agent, deployed on each computing node, responsible for receiving and applying the mirror policy issued by the Neutron server and interacting with the OVS to provide the traffic mirror function;
a Neutron server, which communicates with the DVR-net-mirror-agent, receives the administrator's mirror policy configuration requests through the API interface, and issues the mirror policy to the DVR-net-mirror-agent of each computing node through the RPC interface;
an OVS, a virtual switch running on each computing node, responsible for forwarding network traffic between virtual machines and implementing traffic mirroring according to the configuration applied by the DVR-net-mirror-agent;
an audit virtual machine, which receives and analyzes the mirrored traffic and is responsible for monitoring and auditing network activity on that basis;
a northbound interface, responsible for providing the cloud computing management platform or a third-party platform with a RESTful interface for creating, modifying, deleting and viewing user-defined traffic mirrors;
a configuration database, used to record the information of the traffic steering chains created by users;
a traffic mirror configuration management module, responsible for creating, modifying and deleting traffic mirror rules, calling the interconnection sub-network management module to create an interconnection sub-network for each nonfunctional virtual device, and calling the virtual network traffic mirror management module;
a virtual network traffic mirror management module, responsible for creating policy-route entries by calling the relevant interfaces and issuing them to the OVS to steer traffic on the data plane;
an OVS traffic management module, a multi-layer virtual switch that supports standard management interfaces and protocols, allows the network control plane to define traffic forwarding behavior programmatically, is responsible for traffic forwarding, mirrors the traffic on ports to the IP address of the audit virtual machine by command, and allows users to capture copies of the traffic on the switch and send them to designated ports or interfaces for further analysis or processing.
9. A distributed virtual machine network traffic auditing device, characterized by comprising a memory and a processor, wherein the memory stores a computer program and the processor, when executing the computer program, implements the method according to any one of claims 1 to 7.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method according to any of claims 1-7.
CN202510066621.8A 2025-01-16 2025-01-16 Distributed virtual machine network flow auditing method and system Active CN119966903B (en)

Publications (2)

Publication Number Publication Date
CN119966903A CN119966903A (en) 2025-05-09
CN119966903B true CN119966903B (en) 2025-09-30
