
TWI520002B - Protection Method and System of Cloud Virtual Network Security - Google Patents


Info

Publication number
TWI520002B
Authority
TW
Taiwan
Prior art keywords
virtual
cloud
virtual network
packet
module
Application number
TW103136238A
Other languages
Chinese (zh)
Other versions
TW201616386A (en)
Inventor
Jhen Li Wang
Tien Hao Tsai
Yen Chung Chen
Hsiu Fen Hsieh
Tsung Yi Lin


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Description

Cloud virtual network security protection method and system

The invention relates to a cloud virtual network security protection method and system. A virtual network security module built into the cloud virtual network controller centrally monitors virtual host network traffic and blocks malicious attacks, providing network security protection for the virtual hosts on the cloud platform; because the protection module is software-based, it lowers the cost of building the cloud platform system.

In the past, protection against IP spoofing and MAC spoofing attacks relied on the management of physical Internet network devices and on operating-system-level protection; the procedures were cumbersome, could not be managed flexibly, and could not effectively identify the source of a spoofing attack. The firewall tools of ordinary physical hosts can only protect a single host, and a firewall built into the bottom layer of a cloud platform can only protect that platform's own virtual network, so the security of the virtual network as a whole cannot be effectively protected.

In view of the shortcomings of the conventional approaches described above, the inventors of the present application sought to improve and innovate upon them, and after years of painstaking research finally succeeded in developing the present cloud virtual network security protection method and system.

The object of the invention is a virtual network security module built into the cloud virtual network controller, which centrally monitors virtual host network traffic and blocks malicious attacks, providing network security protection for the virtual hosts on the cloud platform; using a software-based protection module lowers the cost of building the cloud platform system.

A cloud virtual network security protection system, comprising: a cloud virtualization resource management system, which transmits legitimate virtual host data through a protection application programming interface; the protection application programming interface, which uses a Restful API to control a cloud virtual network security module and transmits the virtual host data securely; the cloud virtual network security module, which, on the basis of the legitimate virtual host data, protects against Media Access Control (MAC) address spoofing attacks, Internet Protocol (IP) address spoofing attacks and Address Resolution Protocol (ARP) spoofing attacks between virtual hosts; and a cloud virtual platform, which includes the cloud virtual switch that receives the data delivered by the dispatch module.

The cloud virtual network security module further comprises: a virtual host data module, which stores the legitimate virtual host data permitted by the cloud virtualization resource management system; a Media Access Control (MAC) address spoofing protection analysis module, which analyses virtual network traffic on the basis of the virtual host data in the virtual host data module and protects against MAC spoofing attacks between virtual hosts; an Internet Protocol (IP) address spoofing protection analysis module, which analyses virtual network traffic on the basis of the virtual host data in the virtual host data module and protects against IP spoofing attacks between virtual hosts; an Address Resolution Protocol (ARP) spoofing protection analysis module, which analyses virtual network traffic on the basis of the virtual host data in the virtual host data module and protects against ARP spoofing attacks between virtual hosts; and a dispatch module, which delivers malicious packet blocking rules to the cloud virtual switch using the OpenFlow network protocol.

A cloud virtual network security protection method, the steps of which include: step one, receiving a network packet; step two, identifying the packet type and classifying it into one of three types: IP packets, ARP packets, and packets other than IP and ARP; step three, for IP packet processing, judging in sequence whether the virtual network interface resource is correct, whether the IP address is correct and whether the MAC address is correct; if every judgment in the sequence is correct, the judgment ends and the packet is deemed safe, but if any judgment is negative, processing proceeds directly to dispatching a malicious packet blocking rule; step four, for ARP packet processing, judging in sequence whether the virtual network interface resource is correct, whether the MAC address is correct and whether the ARP sender information is correct; if every judgment is correct, the judgment ends and the packet is deemed safe, but if any judgment is negative, processing proceeds directly to dispatching a malicious packet blocking rule; step five, for processing packets other than IP and ARP, judging in sequence whether the virtual network interface resource is correct and whether the MAC address is correct; if every judgment is correct, the judgment ends and the packet is deemed safe, but if any judgment is negative, processing proceeds directly to dispatching a malicious packet blocking rule; and step six, once the malicious packet blocking rule has been dispatched, ending the judgment.

Compared with other conventional technologies, the cloud virtual network security protection method and system provided by the invention have the following advantages:

1. The system provided by the invention adds a cloud virtual network security module to the cloud virtual network controller, centrally monitors the virtual network through OpenFlow technology, dynamically detects and blocks malicious packet attacks, and provides information security protection for virtualized hosts on the cloud platform.

2. The system provided by the invention can interface with the cloud virtualization resource management system, which provides the security protection function in a unified manner; once enabled, it dynamically inspects packets and installs security protection rules on the cloud virtual switch, preventing virtual hosts from being attacked.

3. The system provided by the invention protects against ARP spoofing attacks, IP spoofing attacks, MAC spoofing attacks and the derivative attacks that use them as an attack technique, improving the security of the cloud platform's virtual network.

4. The system provided by the invention is a software-based cloud virtual network security module built into the virtual network controller; once enabled it provides protection between virtual hosts without any additional hardware, lowering the cost of building the security mechanism.

100: Cloud virtualization resource management system
110: Protection application programming interface
120: Cloud virtual network security module
121: Virtual host data module
122: MAC spoofing protection analysis module
123: IP spoofing protection analysis module
124: ARP spoofing protection analysis module
125: Dispatch module
130: Cloud virtual network controller
140: Cloud virtual platform
141: Cloud virtual switch
150: Virtual host
S310~S360: Dynamic analysis flow for virtual network traffic

The technical content, objects and effects of the invention will be better understood from the detailed description below and the accompanying drawings, which are: FIG. 1, an architecture diagram of the cloud virtual network security protection method and system of the invention; FIG. 2, an architecture diagram of the cloud virtual network security module of the cloud virtual network security protection method and system of the invention; and FIG. 3, a dynamic analysis diagram of virtual network traffic in the cloud virtual network security protection method and system of the invention.

To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.

The invention is further described below with reference to the drawings. FIG. 1 is an architecture diagram of the cloud virtual network security protection system of the invention. The cloud virtualization resource management system 100 controls the functions of the security protection system by calling the protection application programming interface 110, and transmits the legitimate virtual machine IP addresses, MAC addresses and virtual network resources permitted by the cloud virtualization resource management system 100 to the cloud virtual network security module 120. When virtual hosts 150 communicate over the network, network packets are then dynamically analysed against the legitimate cloud virtual host 150 data and the transmission of maliciously spoofed packets is blocked, preventing Media Access Control (MAC) address spoofing attacks, Internet Protocol (IP) address spoofing attacks, Address Resolution Protocol (ARP) spoofing attacks and the harm of attacks derived from them, and protecting network security between the cloud virtual platform 140 and the cloud virtual hosts 150.

FIG. 2 is an architecture diagram of the cloud virtual network security module of the cloud virtual network security protection system of the invention, comprising the cloud virtual platform 140, the cloud virtualization resource management system 100, the cloud virtual hosts 150, the cloud virtual network controller 130, the protection application programming interface 110, the cloud virtual network security module 120 and the cloud virtual switch 141. The cloud virtual network security module 120 comprises the virtual host data module 121, the MAC spoofing protection analysis module 122, the IP spoofing protection analysis module 123, the ARP spoofing protection analysis module 124 and the dispatch module 125. The cloud virtual platform 150 may be a Xen cloud platform (XenServer) or the Xen Cloud Platform (XCP).

The cloud virtual switch 141 is built into the cloud virtual platform 140 to manage the transmission and steering of virtual network traffic; network traffic between virtual hosts is processed through the cloud virtual network controller 130 and the cloud virtual network security module 120. The cloud virtualization resource management system 100 controls the enabling and disabling of the security module functions through the protection application programming interface 110 and transmits legitimate virtual host data to the virtual host data module 121, providing network security protection for the virtual hosts.

When cloud virtual hosts 150 communicate with one another over the network, the MAC spoofing protection analysis module 122, the IP spoofing protection analysis module 123 and the ARP spoofing protection analysis module 124 within the cloud virtual network security module 120 are dynamically triggered and, on the basis of the legitimate virtual host data in the virtual host data module 121, perform dynamic analysis of the virtual network traffic to block ARP spoofing attacks, IP spoofing attacks and MAC spoofing attacks.

After processing by the MAC spoofing protection analysis module 122, the IP spoofing protection analysis module 123 and the ARP spoofing protection analysis module 124 of this mechanism, a malicious packet blocking rule is generated for the content of the malicious packet, and the dispatch module 125 pushes the rule down to the cloud virtual switch 141 over the OpenFlow network protocol, protecting the cloud virtual host 150 network.

When a hacker on the cloud platform launches an attack, the attack packets flow through the cloud virtual switch 141 and are handed to the cloud virtual network controller 130 and the cloud virtual network security module 120, which together control the packet flow. The cloud virtual network security module 120 analyses and judges the packets according to their type, performing MAC spoofing protection analysis, IP spoofing protection analysis and ARP spoofing protection analysis, and then dispatches a malicious packet blocking rule to the cloud virtual switch 141 via the dispatch module 125, blocking the hacker's malicious attack.

The cloud virtualization resource management system 100 controls the cloud virtual network security module 120 through the Representational State Transfer (Restful API) interface of the protection application programming interface 110; when the protection function is enabled, it transmits the permitted legitimate virtual machine IP addresses, MAC addresses and virtual network resources to the virtual host data module 121 of the cloud virtual network security module 120. When a virtual host 150 communicates over the network, the cloud virtual network controller 130 receives the virtual network traffic packets through the network control technology of the OpenFlow protocol and triggers the MAC spoofing protection analysis module 122, the IP spoofing protection analysis module 123 and the ARP spoofing protection analysis module 124 to perform analysis. FIG. 3 is a dynamic analysis diagram of virtual network traffic in the cloud virtual network security protection system of the invention; its steps are as follows:

1. S310: receive a network packet.
2. S320: identify the packet type, classifying it as an IP packet, an ARP packet, or a packet other than IP and ARP.
3. S330, IP packet processing: judge in sequence whether the virtual network interface resource is correct (S331), whether the IP address is correct (S332) and whether the MAC address is correct (S333). If every judgment is correct, the judgment ends and the packet is deemed safe; if any judgment is negative (incorrect), proceed directly to S360 and dispatch a malicious packet blocking rule.
4. S340, ARP packet processing: judge in sequence whether the virtual network interface resource is correct (S341), whether the MAC address is correct (S342) and whether the ARP sender information is correct (S343). If every judgment is correct, the judgment ends and the packet is deemed safe; if any judgment is negative (incorrect), proceed directly to S360 and dispatch a malicious packet blocking rule.
5. S350, processing of packets other than IP and ARP: judge in sequence whether the virtual network interface resource is correct (S351) and whether the MAC address is correct (S352). If every judgment is correct, the judgment ends and the packet is deemed safe; if any judgment is negative (incorrect), proceed directly to S360 and dispatch a malicious packet blocking rule.
6. Once S360 has dispatched the malicious packet blocking rule, end the judgment.

As the above steps show, each packet type is processed separately to determine whether the packet information has been forged. The MAC spoofing protection analysis module dynamically analyses virtual network traffic on the basis of the legitimate virtual network interface resources and MAC addresses and protects against MAC spoofing attacks between virtual hosts; the IP spoofing protection analysis module analyses and protects against IP spoofing attacks on the basis of the legitimate virtual network interface resources, IP addresses and MAC addresses; and the ARP spoofing protection analysis module analyses and protects against ARP spoofing attacks on the basis of the legitimate virtual network interface resources, the deeper ARP packet information and the MAC addresses. When a packet is judged to be maliciously forged, the malicious packet blocking rule is dispatched through the dispatch module, using OpenFlow technology, to the cloud virtual switch of the cloud virtual platform. The cloud virtual switch uses its defined flow table as the basis for deciding the forwarding path of packets, so packets regarded as harmful are dropped, preventing attacks on virtual hosts and improving the security of the cloud platform's virtual network.
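As an added example (not code from the patent), the following Python model walks a received packet through the S310 to S360 flow described above against the legitimate virtual host data of module 121 and builds the OpenFlow-style drop rule that the dispatch module 125 would push to the virtual switch. The class and field names, the use of the vSwitch ingress port as the "virtual network interface resource", the check ordering and the rule format are assumptions made for illustration.

```python
# Added example: a model of the S310-S360 verification flow.
# Names, field layout and the OpenFlow-style rule format are assumptions.
from dataclasses import dataclass
from typing import Optional

ETH_TYPE_IP = 0x0800
ETH_TYPE_ARP = 0x0806


@dataclass(frozen=True)
class VmRecord:
    """Legitimate VM data supplied by the resource-management system (module 121)."""
    vif: str              # virtual network interface resource, modelled as the vSwitch port
    mac: str
    ip: str
    protected: bool = True  # False once protection is disabled through the API


@dataclass(frozen=True)
class Packet:
    """The fields of a received packet that the analysis modules inspect."""
    in_port: str
    eth_src: str
    eth_type: int
    ip_src: Optional[str] = None    # IP packets (S332)
    arp_sha: Optional[str] = None   # ARP sender hardware address (S343)
    arp_spa: Optional[str] = None   # ARP sender protocol address (S343)


class VirtualHostData:
    """Module 121: the table of legitimate VIF / MAC / IP triples."""

    def __init__(self, records):
        self._by_vif = {r.vif: r for r in records}

    def lookup(self, vif: str) -> Optional[VmRecord]:
        return self._by_vif.get(vif)

    def set_protected(self, vif: str, protected: bool) -> None:
        r = self._by_vif[vif]
        self._by_vif[vif] = VmRecord(r.vif, r.mac, r.ip, protected)


def classify(pkt: Packet) -> str:
    """S320: IP, ARP, or everything else."""
    if pkt.eth_type == ETH_TYPE_IP:
        return "ip"
    if pkt.eth_type == ETH_TYPE_ARP:
        return "arp"
    return "other"


def analyze(pkt: Packet, data: VirtualHostData) -> Optional[str]:
    """S330/S340/S350: None if the packet is legitimate, else the name of the failed check."""
    record = data.lookup(pkt.in_port)
    if record is None:
        return "vif"                      # S331/S341/S351: unknown interface resource
    if not record.protected:
        return None                       # protection disabled for this VM
    kind = classify(pkt)
    if kind == "ip":
        if pkt.ip_src != record.ip:
            return "ip"                   # S332: source IP does not belong to this VIF
        if pkt.eth_src != record.mac:
            return "mac"                  # S333: source MAC does not belong to this VIF
        return None
    if kind == "arp":
        if pkt.eth_src != record.mac:
            return "mac"                  # S342
        if pkt.arp_sha != record.mac or pkt.arp_spa != record.ip:
            return "arp"                  # S343: forged sender fields inside the ARP payload
        return None
    if pkt.eth_src != record.mac:
        return "mac"                      # S352
    return None


def blocking_rule(pkt: Packet, reason: str) -> dict:
    """Module 125: an OpenFlow-style rule (empty action list = drop) for the offending flow."""
    match = {"in_port": pkt.in_port, "dl_src": pkt.eth_src, "dl_type": pkt.eth_type}
    if reason == "ip":
        match["nw_src"] = pkt.ip_src
    elif reason == "arp":
        match["arp_sha"] = pkt.arp_sha
        match["arp_spa"] = pkt.arp_spa
    return {"priority": 100, "match": match, "actions": [], "reason": reason}


def process(pkt: Packet, data: VirtualHostData) -> Optional[dict]:
    """S310-S360: None when the packet is safe, else the rule to dispatch to the vSwitch."""
    reason = analyze(pkt, data)
    return None if reason is None else blocking_rule(pkt, reason)


if __name__ == "__main__":
    # Constructed sample data: one VM on port vif1 sending a packet with a foreign source IP.
    table = VirtualHostData([VmRecord("vif1", "02:00:00:00:00:01", "10.0.0.1")])
    spoofed = Packet("vif1", "02:00:00:00:00:01", ETH_TYPE_IP, ip_src="10.0.0.9")
    print(process(spoofed, table))
```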

When the cloud virtualization resource management system wants to disable the protection function through the Restful API of the protection application programming interface, it transmits the virtual host data for which protection is to stop to the virtual host data module of the cloud virtual network security module; that virtual host's network communication is then no longer protected, allowing the system administrator to manage cloud virtual network security flexibly.

The detailed description above specifically describes one feasible embodiment of the invention, but that embodiment is not intended to limit the patent scope of the invention; any equivalent implementation or modification that does not depart from the spirit of the invention shall be included in the patent scope of this application.

In summary, the present application is not only genuinely innovative in its technical concept but also possesses the multiple effects described above, which conventional methods cannot achieve; it therefore fully meets the statutory requirements of novelty and inventive step for an invention patent. An application is hereby filed in accordance with the law, and the Office is respectfully requested to approve this invention patent application so as to encourage invention.


Claims (3)

1. A cloud virtual network security protection system, comprising: a cloud virtualization resource management system, which transmits legitimate virtual host data through a protection application programming interface; the protection application programming interface, which uses a Representational State Transfer (Restful API) interface to control a cloud virtual network security module and transmits the virtual host data securely; the cloud virtual network security module, which, on the basis of the virtual host data, protects against Media Access Control (MAC) address spoofing attacks, Internet Protocol (IP) address spoofing attacks and Address Resolution Protocol (ARP) spoofing attacks between virtual hosts; and a cloud virtual platform, which includes the cloud virtual switch that receives the data delivered by the dispatch module.

2. The cloud virtual network security protection system of claim 1, wherein the cloud virtual network security module further comprises: a virtual host data module, which stores the legitimate virtual host data permitted by the cloud virtualization resource management system; a Media Access Control (MAC) address spoofing protection analysis module, which analyses virtual network traffic on the basis of the virtual host data in the virtual host data module and protects against MAC spoofing attacks between virtual hosts; an Internet Protocol (IP) address spoofing protection analysis module, which analyses virtual network traffic on the basis of the virtual host data in the virtual host data module and protects against IP spoofing attacks between virtual hosts; an Address Resolution Protocol (ARP) spoofing protection analysis module, which analyses virtual network traffic on the basis of the virtual host data in the virtual host data module and protects against ARP spoofing attacks between virtual hosts; and a dispatch module, which delivers malicious packet blocking rules to the cloud virtual switch using the OpenFlow network protocol.

3. A cloud virtual network security protection method, the steps of which include: step one, receiving a network packet; step two, identifying the packet type, classifying it into one of three types: IP packets, ARP packets, and packets other than IP and ARP; step three, when processing the IP packet, judging in sequence whether the virtual network interface resource is correct, whether the IP address is correct and whether the MAC address is correct; if every judgment in the sequence is correct, the judgment ends and the packet is deemed safe, but if any judgment is negative, processing proceeds directly to dispatching a malicious packet blocking rule; step four, when processing the ARP packet, judging in sequence whether the virtual network interface resource is correct, whether the MAC address is correct and whether the ARP sender information is correct; if every judgment is correct, the judgment ends and the packet is deemed safe, but if any judgment is negative, processing proceeds directly to dispatching a malicious packet blocking rule; step five, when processing the packets other than IP and ARP, judging in sequence whether the virtual network interface resource is correct and whether the MAC address is correct; if every judgment is correct, the judgment ends and the packet is deemed safe, but if any judgment is negative, processing proceeds directly to dispatching a malicious packet blocking rule; and step six, once the malicious packet blocking rule has been dispatched, ending the judgment.

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW103136238A TWI520002B (en) 2014-10-21 2014-10-21 Protection Method and System of Cloud Virtual Network Security
CN201510094249.8A CN104717212B (en) 2014-10-21 2015-03-03 Protection method and system for cloud virtual network security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW103136238A TWI520002B (en) 2014-10-21 2014-10-21 Protection Method and System of Cloud Virtual Network Security

Publications (2)

Publication Number Publication Date
TWI520002B true TWI520002B (en) 2016-02-01
TW201616386A TW201616386A (en) 2016-05-01

Family

ID=53416175

Family Applications (1)

Application Number Title Priority Date Filing Date
TW103136238A TWI520002B (en) 2014-10-21 2014-10-21 Protection Method and System of Cloud Virtual Network Security

Country Status (2)

Country Link
CN (1) CN104717212B (en)
TW (1) TWI520002B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI644235B (en) * 2017-04-13 2018-12-11 國立政治大學 Wearable instant interaction system
CN107634953A (en) * 2017-09-22 2018-01-26 国云科技股份有限公司 A method to prevent container network ARP spoofing
US10841281B2 (en) * 2018-03-26 2020-11-17 Kuo Chiang Methods for preventing or detecting computer attacks in a cloud-based environment and apparatuses using the same
CN110932925A (en) * 2019-10-31 2020-03-27 苏州浪潮智能科技有限公司 Method and system for testing stability of server BMC (baseboard management controller) network
TWI728901B (en) * 2020-08-20 2021-05-21 台眾電腦股份有限公司 Network connection blocking method with dual-mode switching
TWI785374B (en) * 2020-09-01 2022-12-01 威聯通科技股份有限公司 Network Malicious Behavior Detection Method and Switching System Using It
CN112346823B (en) * 2021-01-07 2021-05-04 广东睿江云计算股份有限公司 Cloud host data protection method and system
CN114221928A (en) * 2021-11-05 2022-03-22 济南浪潮数据技术有限公司 Defense method, system, device and storage medium for IP conflicts on a management network

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110072487A1 (en) * 2009-09-23 2011-03-24 Computer Associates Think, Inc. System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems
TWI474189B (en) * 2012-07-31 2015-02-21 Chunghwa Telecom Co Ltd Automatic file encryption and decryption system
CN103916376A (en) * 2013-01-09 2014-07-09 台达电子工业股份有限公司 Cloud system with attack protection mechanism and its protection method
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN103595826B (en) * 2013-11-01 2016-11-02 国云科技股份有限公司 Method for preventing IP and MAC of virtual machine from being forged

Also Published As

Publication number Publication date
TW201616386A (en) 2016-05-01
CN104717212B (en) 2018-05-11
CN104717212A (en) 2015-06-17


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees