[0019] Hereinafter, exemplary embodiments disclosed in the present invention will be described in more detail with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth herein. On the contrary, these embodiments are provided to enable a thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.
[0020] As shown in Figure 1, which is the system structure diagram corresponding to the virtual machine security monitoring method of the present invention, the virtual machine network includes: an external network, a hardware layer, an operating system layer, and a virtual machine layer. The virtual machine system is composed of the hardware layer, the operating system layer, and the virtual machine layer; the virtual machine system is connected to the external network; a virtual machine monitor runs in the operating system layer, and multiple virtual machines run in the virtual machine layer.
[0021] Corresponding to the virtual machine network system, a virtual machine security monitoring method is provided, which includes the following steps:
[0022] S1. Configure operating parameters of a virtual machine network, where the virtual machine network includes a virtual machine system and an external network; the virtual machine system includes a virtual machine monitor and at least one virtual machine;
[0023] S2. Configure the security monitoring policy of the virtual machine monitor;
[0024] S3. Capture data packets communicated between virtual machines or between virtual machines and the external network;
[0025] S4. Parse the data packets, perform security control on the corresponding virtual machine according to the security monitoring policy, and display the monitoring process and results on the client page.
[0026] Because the virtual machine network system is configured with a security policy, it overcomes the limitation of the single monitoring method of the traditional virtual machine system and has higher security performance. The security policy can also be adjusted dynamically, which is more flexible. At the same time, artificial intelligence algorithms such as neural networks can be used for training and optimization. It should be noted that the above-mentioned security policies each provide different kinds of optimization methods, and one or more of them can be used in the present invention.
[0027] As an implementation manner, the security policy in step S2 is specifically: establishing an intrusion detection domain, setting up a policy module, and configuring multiple security policies in the policy module; the policy module is connected to the policy framework, and the policy framework is used to respond to requests from the operating system interface. The policy module contains a policy library, policy decision points and policy enforcement points. The policy decision point is used to respond to policy events and lock the corresponding policy rules; to complete the status and resource validity check; and to convert the policy rules stored in the policy library into a format executable by the device. The policy enforcement points are distributed on the various network nodes and are responsible for executing the corresponding policy management operations according to the policies received from the policy decision points, and at the same time for reporting the results of policy execution back to the policy decision points. Policies are handled in two modes: outsourcing and provisioning.
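The policy module of paragraph [0027] as an added illustration in Python (not the patent's own code): a policy library of stored rules, a policy decision point that locks the rules for a node, checks their validity and compiles them into an executable form, and policy enforcement points that apply them to parsed packets and report the results back. The rule keys, node names and packet fields are assumptions made for the example.

```python
# Added example: policy library, policy decision point (PDP) and policy
# enforcement points (PEPs). Rule keys, node names and packet fields are
# assumptions; the policy library below is constructed sample data.
POLICY_LIBRARY = [
    {"id": "r1", "node": "vswitch-port-vm1", "action": "allow", "proto": "tcp", "dst_port": 443},
    {"id": "r2", "node": "vswitch-port-vm1", "action": "deny", "proto": "udp"},
    {"id": "r3", "node": "vswitch-port-vm2", "action": "deny", "src_ip": "10.0.0.9"},
]
VALID_KEYS = {"id", "node", "action", "proto", "dst_port", "src_ip"}


class PolicyEnforcementPoint:
    """Runs on one network node: executes compiled rules and reports to the PDP."""
    def __init__(self, node, pdp):
        self.node, self.pdp, self.rules = node, pdp, []

    def enforce(self, packet):
        # First matching rule wins; a packet no rule covers is denied by default.
        for rule_id, action, pred in self.rules:
            if pred(packet):
                self.pdp.report(self.node, rule_id, action)
                return action
        self.pdp.report(self.node, None, "deny")
        return "deny"


class PolicyDecisionPoint:
    """Locks the rules for a node, checks validity and compiles them for its PEP."""
    def __init__(self, library):
        self.library, self.peps, self.results = library, {}, []

    def compile_rule(self, rule):
        # Validity check: only known keys and known actions are accepted.
        if not set(rule) <= VALID_KEYS or rule["action"] not in ("allow", "deny"):
            raise ValueError(f"invalid rule {rule.get('id')}")
        conds = {k: v for k, v in rule.items() if k not in ("id", "node", "action")}

        def pred(pkt, c=conds):   # executable form: predicate over parsed header fields
            return all(pkt.get(k) == v for k, v in c.items())
        return rule["id"], rule["action"], pred

    def provision(self, node):
        # Lock the rules that apply to this node and push them to its PEP.
        pep = PolicyEnforcementPoint(node, self)
        pep.rules = [self.compile_rule(r) for r in self.library if r["node"] == node]
        self.peps[node] = pep
        return pep

    def report(self, node, rule_id, action):
        self.results.append((node, rule_id, action))
```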
[0028] As an implementation manner, step S3 specifically includes: using a network counter group to monitor the data packets at the virtual switch port; and, in the virtual switch stack, inspecting and capturing the data packets communicated between virtual machines or between virtual machines and the external network.
[0029] As an implementation manner, the monitoring is specifically a monitoring method that combines internal monitoring, based on a security driver in the virtual machine kernel, with external monitoring, based on monitoring points in the virtual machine monitor. The combined internal and external monitoring method specifically includes: starting an external monitoring program, which in turn starts an automation program; the external monitoring program monitors the automation program; the automation program starts the internal monitoring program and an execution thread; and the execution thread is monitored by the internal monitoring program.
[0030] As an implementation manner, a hook mechanism is used to capture the data packets; specifically: creating a global hook, adding the global hook to a global shared data variable, and creating a hook executable program to capture the data packets. Through the hook mechanism, the monitoring unit can grab the data packets in the network stack of the monitor kernel. For example, open-source virtualization software based on the Linux kernel, such as Xen and KVM, has its own hook mechanism, namely the hook mechanism based on Netfilter. Therefore, the method can be applied to a variety of open-source virtualization software, and the process of capturing data packets can be performed in a loop.
[0031] As an implementation manner, the security control in step S4 is specifically one or more of memory protection, kernel code protection, and access control. In the above security control process, a shadow page can be established to confuse the attack code: when malicious code attacks the system, malicious operations are directed to the shadow page, which effectively avoids malicious tampering with and copying of the normally running code.
[0032] As an implementation manner, the security policy in step S2 is specifically as follows: establish a finite automaton (finite state machine) for the data of the normal processes in the system, using the system-call-related functions as the states; then monitor the data packets of the process under detection and compare its system-call-related functions with the states in the finite state machine; if they match, the current process is safe, otherwise the current process has been infected. The finite automaton has a limited number of states, and each state can transition to zero or more other states; the input string determines which transition is performed. By establishing a finite automaton for the data of the normal processes in the system, effective monitoring of data packets is realized.
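The finite-automaton check of paragraph [0032] as an added Python illustration (not the patent's own code): the states are system-call function names, the transitions are learned from traces of known-good processes, and a monitored process is accepted only while every consecutive pair of calls is a transition the automaton has seen. The traces are constructed sample data, and restricting the automaton to pairwise (first-order) transitions is an assumption made for the example.

```python
# Added example: syscall-sequence finite automaton learned from normal traces.
# States are syscall names; the constructed traces below stand in for the
# "data of the normal processes" of paragraph [0032].
from collections import defaultdict

START = "<start>"


def build_automaton(normal_traces):
    """Return a transition table: state (syscall name) -> set of allowed next states."""
    transitions = defaultdict(set)
    for trace in normal_traces:
        prev = START
        for call in trace:
            transitions[prev].add(call)
            prev = call
    return transitions


def check_process(automaton, observed_trace):
    """Walk the observed trace through the automaton.

    Returns (is_safe, position, state, call). On failure, position/state/call
    identify the first call for which the automaton has no transition; on
    success, position is the trace length and call is None.
    """
    state = START
    for pos, call in enumerate(observed_trace):
        if call not in automaton.get(state, ()):
            return False, pos, state, call   # unseen transition: process flagged
        state = call
    return True, len(observed_trace), state, None


# Constructed traces of normal processes (sample data, not real captures).
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["socket", "connect", "write", "read", "close"],
]
AUTOMATON = build_automaton(NORMAL_TRACES)

if __name__ == "__main__":
    print(check_process(AUTOMATON, ["open", "read", "write", "close"]))
    # A constructed trace whose read -> execve step was never seen in normal data.
    print(check_process(AUTOMATON, ["open", "read", "execve", "close"]))
```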
[0033] The present invention manages the virtual machine by establishing a security policy associated with the virtual machine system, which effectively solves the problem of the virtual machine occupying too much memory and causing the system to freeze; it is equipped with multiple security policies, establishes a hook mechanism to capture the data packets of the virtual machine, and adopts a monitoring method that combines internal monitoring and external monitoring, which greatly improves the efficiency of virtual machine monitoring and ensures the safe and efficient operation of the virtual machine system.
[0034] Although the embodiments of the present invention have been described above, it should be understood that they are presented by way of example only and not limitation. Therefore, the breadth and scope of the preferred embodiment should not be limited by any of the exemplary embodiments described above, but should be defined only according to the following claims and their equivalents.