Intrusion prevention method applied to cloud virtual network, device, network device and system

A virtual network, intrusion prevention technology, applied in the field of network security, can solve the problems of traffic management, inability to mitigate intrusion, inability to provide intrusion solutions, etc., to achieve the effect of dynamic defense

Inactive Publication Date: 2016-08-17
CHINA MOBILE COMM GRP CO LTD

Problems solved by technology

[0003] However, there are some problems in the above-mentioned existing proposed solutions, such as: only focusing on traffic management, and the Snort can only perform intrusion detection, and cannot alleviate the occurrence of intrusio...

Abstract

The invention discloses an intrusion prevention method applied to a cloud virtual network. The method includes the following steps that: network flow generated by cloud resources is monitored, and network flow data obtained through monitoring are stored in a log file; when it is determined that the network flow data in the log file are matched with Snort rules, alarm information is generated; and the alarm information is analyzed, an OpenFlow rule term is generated according to data obtained through analysis, and the OpenFlow rule term is sent to an OVS, wherein the OpenFlow rule term is used for the OVS to update a flow table. The invention also discloses a network device for realizing the method and a system.

Application Domain

Networks interconnection

Technology Topic

Traffic volume; Intrusion prevention system (+4)

Example Embodiment

[0032] In the embodiment of the present invention, the network traffic generated by cloud resources is monitored, and the monitored network traffic data is stored in a log file; when it is determined that the network traffic data in the log file matches a Snort rule, alarm information is generated; the alarm information is parsed, an OpenFlow rule item is generated from the parsed data, and the OpenFlow rule item is sent to the OVS, which uses it to update its flow table.
[0033] The present invention will be further described in detail below in conjunction with the drawings and specific embodiments.
[0034] Figure 1 is a flowchart of the intrusion prevention method in the cloud virtual network according to the embodiment of the present invention. As shown in Figure 1, the method includes:
[0035] Step 101: Monitor the network traffic generated by cloud resources, and store the monitored network traffic data in a log file;
[0036] In the embodiment of the present invention, the cloud resource may be: a virtual machine and so on.
[0037] Step 102: When it is determined that the network traffic data in the log file matches the Snort rule, generate an alarm message;
[0038] Step 103: Parse the alarm information, generate an OpenFlow rule item based on the parsed data, and send the OpenFlow rule item to the OVS; the OpenFlow rule item is used for the OVS to update the flow table.
[0039] The embodiment of the present invention combines a Software Defined Network (SDN) with an intrusion detection system to implement an intrusion prevention system. OpenFlow rule items can be set flexibly according to network requirements, so that the generated flow table effectively isolates the affected flows in the network, enabling a flexible, efficient, and dynamic defense against network attacks.
[0040] In an embodiment of the present invention, after the update of the flow table, the method further includes:
[0041] When network traffic matching an entry in the updated flow table is observed, that traffic is processed at line speed on the data plane of the OVS.
[0042] In an embodiment of the present invention, before the monitoring network traffic, the method further includes:
[0043] The network traffic generated by the cloud resource is transmitted to the OVS; for example, the network traffic can be transmitted via a virtual interface (VIF) connected to the virtual bridge of the OVS.
[0044] In the embodiment of the present invention, the method for generating alarm information includes:
[0045] When it is determined that there is network traffic data in the log file that matches the Snort rule, an alarm message in JSON format corresponding to the network traffic data is generated.
[0046] In the embodiment of the present invention, the data obtained after analyzing the alarm information includes at least:
[0047] Attack type, source IP address, destination IP address, TCP port.
[0048] The embodiment of the present invention also provides an intrusion prevention device in a cloud virtual network. As shown in Figure 2, the device includes: a traffic monitoring module 201, an alarm module 202, an analysis module 203, and a rule generation module 204; among them,
[0049] The traffic monitoring module 201 is used to monitor network traffic generated by cloud resources, and store the network traffic data obtained from the monitoring in a log file;
[0050] In the embodiment of the present invention, the cloud resource may be: a virtual machine and so on.
[0051] The alarm module 202 is configured to generate alarm information when determining that the network traffic data in the log file matches the Snort rule;
[0052] The analysis module 203 is configured to analyze the alarm information;
[0053] The rule generation module 204 is configured to generate an OpenFlow rule item based on the data parsed by the analysis module 203, and send the OpenFlow rule item to the OVS; the OpenFlow rule item is used by the OVS to update the flow table.
[0054] The embodiment of the present invention combines a Software Defined Network (SDN) with an intrusion detection system to implement an intrusion prevention system. OpenFlow rule items can be set flexibly according to network requirements, so that the generated flow table effectively isolates the affected flows in the network, enabling a flexible, efficient, and dynamic defense against network attacks.
[0055] In the embodiment of the present invention, the method for the alarm module 202 to generate alarm information includes:
[0056] When it is determined that there is network traffic data in the log file that matches the Snort rule, an alarm message in JSON format corresponding to the network traffic data is generated.
[0057] In the embodiment of the present invention, the data obtained after analyzing the alarm information includes at least:
[0058] Attack type, source IP address, destination IP address, TCP port.
[0059] In an embodiment of the present invention, the device further includes: a traffic processing module 205;
[0060] The traffic monitoring module 201 is also used for notifying the traffic processing module 205 when the network traffic that matches the entry in the updated flow table is monitored; accordingly,
[0061] The traffic processing module 205 is configured to process the network traffic at the line speed on the data plane of the OVS after receiving the notification from the traffic monitoring module 201.
[0062] In an embodiment of the present invention, the device further includes: a traffic transmission module 206, configured to transmit the network traffic generated by the cloud resource to the OVS.
[0063] In the embodiment of the present invention, the traffic transmission module 206 may be a virtual bridge of the OVS and a virtual interface (VIF) connected to the virtual bridge.
[0064] The embodiment of the present invention also provides a network device, and the network device includes the intrusion prevention device in the cloud virtual network described above.
[0065] The embodiment of the present invention also provides an intrusion prevention system in a cloud virtual network. The system includes the aforementioned network device and several virtual machines.
[0066] Figure 3 is an architecture diagram of another embodiment of the intrusion prevention method in the cloud virtual network of the present invention. As shown in Figure 3, this embodiment can be implemented on the XenServer virtualization server. There are two types of domains in the XenServer cloud operating system: DOM 0 and DOM U. DOM 0 is the management domain and DOM U is a user domain. One DOM U can be dedicated to the storage controller and logs, and other DOM Us can host the user's virtual machines (VMs). All DOM U resources are managed by DOM 0, and hardware must be accessed through DOM 0.
[0067] The OVS shown in Figure 3 is a pure software switch that implements OpenFlow. OVS is usually implemented in the management (privileged) domain of the cloud computing system; in the embodiment of the present invention, OVS is implemented locally in DOM 0 of the XenServer cloud computing system. Communication between different virtual machines (VMs) on the same physical server only needs to be managed and forwarded through OVS. Each DOM 0 in XenServer runs a user-space process (traffic path) and a kernel-space module (fast path).
[0068] In user space there are two modules, the ovsdb server and OVS-SwitchD. The ovsdb server is a log-based database that maintains the switch-level configuration; the OVS-SwitchD module is the core of the OVS and supports multiple independent data channels. As shown in Figure 3, OVS-SwitchD communicates with the ovsdb server through the management protocol, with the controller through the OpenFlow protocol, and with the kernel module through the network link.
[0069] In the kernel space, the kernel performs operations such as packet switching, search and forwarding, tunnel encapsulation and decapsulation. Each virtual interface (VIF) on each virtual machine corresponds to a virtual interface or port of OVS, and different virtual interfaces connected to the same data channel are considered to be on the same switch.
[0070] On the XenServer-based virtualization architecture, the Snort agent can be implemented in DOM 0 (the privileged domain) or in DOM U (a non-privileged domain). In the embodiment of the present invention, the Snort agent is placed in DOM 0 so that it can inspect the data channel in the OVS. All log information generated by the Snort agent is output to a CSV file, so that the controller can access it in real time.
[0071] The controller provides a centralized view and control of the cloud virtual network. It consists of three main parts, not shown in Figure 3: the SDNIPS daemon, the alarm interpreter, and the rule generator. The function of the SDNIPS daemon is similar to that of the alarm module 202 in Figure 2: it collects the alarm data generated by the Snort agent in DOM 0, that is, on the controlled SDN device (the OVS). The SDNIPS daemon exchanges alarm data in JSON messages; the alarm data is stored in the JSON message, and the JSON server runs on the controller side. The function of the alarm interpreter is similar to that of the analysis module 203 in Figure 2: it parses alarms and captures suspicious traffic. The original alarm data obtained by parsing can be: attack type, source IP address, destination IP address, TCP port, etc. The parsed and filtered information is passed to the rule generator, which generates the OpenFlow rule item and injects it into the OpenFlow device (OVS) to reconfigure the network.
[0072] Figure 4 is a flowchart of an intrusion prevention method in a cloud virtual network according to another embodiment of the present invention. As shown in Figure 4, the method includes:
[0073] Step 401: Cloud resources, such as: virtual machines generate network traffic;
[0074] Step 402: Network traffic is transmitted to OVS from the VIF connected to the virtual bridge of OVS;
[0075] The virtual bridge can be regarded as a virtual switch, and all VIFs connected to the same virtual bridge belong to the same network.
[0076] Step 403: The Snort agent inspects network traffic through the virtual bridge;
[0077] This is more effective than using SPAN port mirroring technology to detect network traffic. The SPAN port mirroring technology replicates all traffic on a designated port and forwards the traffic to a dedicated port for monitoring by a traffic detection tool.
[0078] Step 404: When it is determined that the traffic that matches the Snort rule appears in the log file, an alarm message in JSON format is generated;
[0079] Step 405: Parse the alarm information;
[0080] After parsing, the following necessary information can be obtained, such as: attack type, source IP address, destination IP, TCP port, etc.
[0081] Step 406: Generate OpenFlow rule items and push them to OVS to update the flow table.
[0082] In this way, subsequent suspicious traffic matching the entries in the updated flow table is processed at line speed on the OVS data plane.
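The controller-side chain of steps 404 to 406 (JSON alarm, alarm interpreter, rule generator, push to the OVS), as an added example in Python that is not part of the patent or any product of its applicant. The alarm field names, the bridge name xenbr0 and the use of ovs-ofctl to install the entry are assumptions; the generated entry drops the flagged flow for a bounded idle time instead of permanently, so a false positive cannot cut a tenant off indefinitely.

```python
import json
import ipaddress

# Constructed sample alarm in the JSON format the SDNIPS daemon collects
# from the Snort agent (field names are assumptions, not the patent's).
SAMPLE_ALARM = json.dumps({
    "attack_type": "ET SCAN Potential SSH Scan",
    "src_ip": "10.0.0.23",
    "dst_ip": "10.0.0.7",
    "tcp_port": 22,
})


def parse_alarm(alarm_json):
    """Alarm interpreter: extract the fields the description lists (attack
    type, source IP, destination IP, TCP port) and validate them, so that a
    malformed or hostile alarm cannot become a malformed flow entry."""
    data = json.loads(alarm_json)
    src = ipaddress.ip_address(data["src_ip"])  # ValueError on junk input
    dst = ipaddress.ip_address(data["dst_ip"])
    port = int(data["tcp_port"])
    if not 0 < port < 65536:
        raise ValueError("TCP port out of range: %d" % port)
    return {"attack_type": str(data["attack_type"]),
            "src_ip": str(src), "dst_ip": str(dst), "tcp_port": port}


def generate_openflow_rule(parsed, priority=1000, idle_timeout=300):
    """Rule generator: build an OpenFlow match that drops further TCP traffic
    from the flagged source to the flagged destination port, expressed as an
    ovs-ofctl flow string. idle_timeout lets the entry age out once the
    suspicious flow stops, instead of blocking the source forever."""
    return ("priority=%d,idle_timeout=%d,tcp,nw_src=%s,nw_dst=%s,tp_dst=%d,"
            "actions=drop" % (priority, idle_timeout, parsed["src_ip"],
                              parsed["dst_ip"], parsed["tcp_port"]))


def ovs_ofctl_command(rule, bridge="xenbr0"):
    """Command line that pushes the entry into the OVS flow table (assumed
    bridge name; the patent's controller speaks OpenFlow to the OVS directly)."""
    return ["ovs-ofctl", "add-flow", bridge, rule]


def handle_alarm(alarm_json):
    """Steps 405 and 406 end to end: alarm in, install command out."""
    return ovs_ofctl_command(generate_openflow_rule(parse_alarm(alarm_json)))


if __name__ == "__main__":
    print(" ".join(handle_alarm(SAMPLE_ALARM)))
```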
[0083] Those skilled in the art should understand that the embodiments of the present invention may be provided as methods, systems, or computer program products. Therefore, the present invention may adopt the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may be in the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program codes.
[0084] The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0085] These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0086] These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing; the instructions executed on the computer or other programmable equipment thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0087] The foregoing descriptions are only preferred embodiments of the present invention, and are not used to limit the protection scope of the present invention.
