[0037] In order to clearly illustrate the technical features of the solution, the present invention will be described in detail below through specific embodiments and in conjunction with the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. In order to simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in different instances. This repetition is for the purpose of simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and processes are omitted from the present invention to avoid unnecessarily limiting the present invention.
[0038] like figure 1 As shown, the method for protecting virtual machine security under virtual platform network isolation of the present invention includes the following steps:
[0039] S1, obtain a list of online threat intelligence to form a threat intelligence database;
[0040] S2, after receiving the process collection instruction issued by the QGA monitoring module, the virtual machine collects the current running process information of the virtual machine through the qemu-ga module, forms a process list, and calculates the hash of each process file in the process list. value, and return the hash value to the QGA monitor module;
[0041] S2, check whether the hash value exists in the threat intelligence database, and if so, add the process information to the virtual machine vulnerability information table;
[0042] S4, the security management center issues an alarm prompt according to the virtual machine vulnerability information table.
[0043] like figure 2 As shown, the specific implementation process of step S1 is: S11, forming an online threat intelligence list through the online threat intelligence tool of the online threat intelligence tool; S12, normalizing the captured online threat intelligence list to form unified data Format; S13, import the normalized data into the threat intelligence database for subsequent detection of whether the process in the virtual machine is a virus or a Trojan.
[0044] The data in the threat intelligence database includes threat intelligence source, threat intelligence acquisition time, threat object name, object characteristic value, and threat object description.
[0045] like image 3 As shown, in step S2, the QGA monitoring module issues a process instruction based on the monitoring strategy, and the QGA monitoring module first performs parameter analysis for the received strategy to determine whether the monitoring strategy is manually triggered collection or periodic collection. The selection parameters of the strategy are distinguished by the flag bit. If the flag bit is 0, it is periodic collection, and the detection period is S; if the flag bit is 1, it is manually triggered collection.
[0046] If the collection is triggered manually, the QGA monitoring module immediately sends an instruction to the qemu-ga module and waits for the return message from the qemu-ga module;
[0047] If it is collected periodically, the QGA module checks whether the current cycle detection time is up. If so, it sends an instruction to the qemu-ga module. If not, it waits for the next cycle time. or as per image 3 As shown, wait for the S duration first, and judge whether the cycle waiting time has expired. If not, continue to wait. If so, send an instruction to the qemu-ga module and wait for the return message from the qemu-ga module.
[0048] like Figure 4 As shown, after the qemu-ga module receives the process collection instruction, it obtains the currently running progress list, calculates the hash value of the file corresponding to the process: SHA256 value, and constructs the return message to the QGA monitoring module. The QGA monitoring module will return the hash value The value is transmitted to the virtual machine security management component, and vulnerability detection is performed in the virtualization management platform.
[0049] In step S3, the process and hash value traversal is performed in the virtualization management platform to check whether the hash value of the process file corresponding to each process is in the threat intelligence database; if the current process file hash value and all threat intelligence features in the threat intelligence database If the values are different, continue to traverse the next process; if the current process file hash value is the same as a threat intelligence feature value in the threat intelligence database, add the process information to the virtual machine vulnerability information table, and then continue to traverse the next process process until the end of the traversal. Determine whether the virtual machine vulnerability information table is empty, if not, it means that there is a process privacy virus or Trojan horse in the virtual machine, then the virtual machine vulnerability information table will be sent to the security management center, and the security management center will list the vulnerability information table. The information in is displayed, and the administrator is notified by email.
[0050] The data in the virtual machine vulnerability information table includes the name of the threat object, the source of obtaining threat intelligence, the time of obtaining threat intelligence, the process name, the hash value of the process, the IP of the virtual machine where the process is located, the UUID of the virtual machine where the process is located, the IP of the host where the virtual machine is located, and The UUID of the host where the virtual machine is located.
[0051] like Figure 5 As shown, the system for protecting virtual machine security under virtual platform network isolation according to the present invention includes a virtualization management platform, a virtual machine, a virtual machine information monitoring component, a virtual machine security management component and a security management center component.
[0052] The virtual machine information monitoring component monitors the running process list of the virtual machine on the host machine by using the QGA technology. The virtual machine information monitoring component includes a QGA monitoring module and a qemu-ga module that communicate with each other. The QGA monitoring module issues a process collection command to the qemu-ga module; the qemu-ga module collects information about the current running process of the virtual machine based on the command, forming a Process list, and calculate the hash value of each process file in the process list, and return the hash value to the QGA monitor module.
[0053] The virtual machine security management component obtains the hash value, and checks whether the hash value exists in the threat intelligence database, and if so, adds the process information to the virtual machine vulnerability information table.
[0054] The security management center component issues an alarm prompt according to the virtual machine vulnerability information table.
[0055] The virtual machine information monitoring component further includes a monitoring policy management module, where the monitoring policy management module is configured to issue the monitoring policy to the QGA monitoring module.
[0056] The virtual machine security management component further includes a threat intelligence acquisition module, a threat intelligence processing module and a policy formulation module.
[0057] The threat intelligence acquisition module captures online threat intelligence through online intelligence tools to form an online threat intelligence list; the threat intelligence processing module normalizes the online threat intelligence list to form a unified data format, and the normalized data Import threat intelligence library.
[0058] The policy formulation module is responsible for formulating policies for virtual machines to collect process information.
[0059] Although the specific embodiments of the present invention have been described above in conjunction with the accompanying drawings, they do not limit the scope of protection of the present invention. Those skilled in the art should understand that on the basis of the technical solutions of the present invention, those skilled in the art do not need to pay creative work. Various modifications or deformations that can be made are still within the protection scope of the present invention.
