Method and system for protecting safety of virtual machine under virtual platform network isolation

A network isolation and virtual platform technology, applied in the field of virtual machine security protection, can solve the problem that the virtual machine cannot be managed by the virtualization management platform, and achieve the effect of ensuring information security

Active Publication Date: 2020-06-09
SUZHOU LANGCHAO INTELLIGENT TECH CO LTD
5 Cites 0 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0004] The present invention provides a method and system for protecting the security of a virtual machine under network isolation of a virtual platform, which is used to solve the e...

Abstract

The invention provides a method and system for protecting virtual machine security under virtual platform network isolation. The method comprises the steps of: obtaining an online threat intelligence list and forming a threat intelligence database; after receiving a process collection instruction issued by the QGA monitoring module, the virtual machine collects its current running process information through the qemu-ga module to form a process list, calculates a hash value of each process file in the process list, and returns the hash value to the QGA monitoring module; checking whether the hash value exists in the threat intelligence database and, if so, adding the process information to a virtual machine vulnerability information table; and the security management center issues an alarm prompt according to the virtual machine vulnerability information table. Under network isolation, data interaction between the virtualization management platform and the virtual machine takes place through the QGA monitoring module and the qemu-ga module, so that the virtualization management platform can manage the security of the virtual machine and the information security of the virtual machine is ensured.

Application Domain

Software simulation/interpretation/emulation

Technology Topic

Virtualization; Threat intelligence

Example Embodiment

[0037] In order to clearly illustrate the technical features of the solution, the present invention will be described in detail below through specific embodiments and in conjunction with the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. In order to simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in different instances. This repetition is for the purpose of simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and processes are omitted from the present invention to avoid unnecessarily limiting the present invention.
[0038] As shown in Figure 1, the method of the present invention for protecting virtual machine security under virtual platform network isolation includes the following steps:
[0039] S1, obtain a list of online threat intelligence to form a threat intelligence database;
[0040] S2, after receiving the process collection instruction issued by the QGA monitoring module, the virtual machine collects its current running process information through the qemu-ga module, forms a process list, calculates the hash value of each process file in the process list, and returns the hash value to the QGA monitoring module;
[0041] S3, check whether the hash value exists in the threat intelligence database, and if so, add the process information to the virtual machine vulnerability information table;
[0042] S4, the security management center issues an alarm prompt according to the virtual machine vulnerability information table.
[0043] As shown in Figure 2, step S1 is implemented as follows: S11, capture online threat intelligence through an online threat intelligence tool to form an online threat intelligence list; S12, normalize the captured online threat intelligence list into a unified data format; S13, import the normalized data into the threat intelligence database for subsequent detection of whether a process in the virtual machine is a virus or a Trojan.
[0044] The data in the threat intelligence database includes threat intelligence source, threat intelligence acquisition time, threat object name, object characteristic value, and threat object description.
[0045] As shown in Figure 3, in step S2 the QGA monitoring module issues the process collection instruction based on the monitoring policy. The QGA monitoring module first parses the parameters of the received policy to determine whether it specifies manually triggered collection or periodic collection. The two are distinguished by a flag bit: if the flag bit is 0, collection is periodic and the detection period is S; if the flag bit is 1, collection is manually triggered.
[0046] If the collection is triggered manually, the QGA monitoring module immediately sends an instruction to the qemu-ga module and waits for the return message from the qemu-ga module;
[0047] If collection is periodic, the QGA monitoring module checks whether the current detection period has elapsed. If so, it sends an instruction to the qemu-ga module; if not, it waits for the next cycle. Alternatively, as shown in Figure 3, it first waits for the duration S and checks whether the waiting period has expired; if not, it continues to wait, and if so, it sends an instruction to the qemu-ga module and waits for the return message from the qemu-ga module.
[0048] As shown in Figure 4, after the qemu-ga module receives the process collection instruction, it obtains the list of currently running processes, calculates the hash value (SHA256) of the file corresponding to each process, and constructs the return message to the QGA monitoring module. The QGA monitoring module transmits the returned hash values to the virtual machine security management component, and vulnerability detection is performed in the virtualization management platform.
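The guest-side collection step described in [0048], as an added example that is not code from the patent or from the qemu-ga project. It assumes a Linux guest with the usual `/proc/<pid>/exe` links; the function names and the return-message layout are hypothetical, since the page does not define the message format.

```python
import hashlib
import os

DELETED = " (deleted)"  # suffix Linux appends to the link target of an unlinked binary

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def collect_processes(proc_root="/proc"):
    """Build the process list: one entry per PID whose executable can be read."""
    entries = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        exe = os.path.join(proc_root, pid, "exe")
        try:
            path = os.readlink(exe)
            # Open via the exe link, not the path string: on Linux the link still
            # reaches the running image after the file is deleted or replaced.
            sha256 = sha256_file(exe)
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        if path.endswith(DELETED):
            name = os.path.basename(path[:-len(DELETED)])
        else:
            name = os.path.basename(path)
        entries.append({"pid": int(pid), "name": name, "path": path, "sha256": sha256})
    return entries

def build_return_message(vm_uuid, entries):
    """Hypothetical return-message layout; the page does not define the format."""
    return {"vm_uuid": vm_uuid, "count": len(entries), "processes": entries}

if __name__ == "__main__":
    import json
    message = build_return_message("vm-uuid-placeholder", collect_processes())
    print(json.dumps(message, indent=2))
```

Processes whose executable cannot be read are skipped here, so a collector running without sufficient privilege returns a shorter list rather than an error; a deployment would want to report that gap to the management side.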
[0049] In step S3, the processes and their hash values are traversed in the virtualization management platform to check whether the hash value of the process file corresponding to each process is in the threat intelligence database. If the current process file hash value differs from all threat intelligence feature values in the threat intelligence database, the traversal continues with the next process; if the current process file hash value is the same as a threat intelligence feature value in the threat intelligence database, the process information is added to the virtual machine vulnerability information table, and the traversal then continues with the next process until all processes have been traversed. It is then determined whether the virtual machine vulnerability information table is empty. If it is not, there is a virus or Trojan horse process in the virtual machine, and the virtual machine vulnerability information table is sent to the security management center, which displays the information in the table and notifies the administrator by email.
[0050] The data in the virtual machine vulnerability information table includes the name of the threat object, the source of the threat intelligence, the time the threat intelligence was obtained, the process name, the hash value of the process, the IP of the virtual machine where the process is located, the UUID of the virtual machine where the process is located, the IP of the host where the virtual machine is located, and the UUID of the host where the virtual machine is located.
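The management-side flow of steps S12, S13 and S3, as an added example that is not code from the patent. The record fields follow [0044] and [0050]; the function names, the feed layout, and all sample values are constructed assumptions.

```python
import hashlib

def normalize(raw, source, acquired):
    """S12: map one feed record onto the unified fields listed in [0044]."""
    return {
        "source": source,
        "acquired": acquired,
        "threat_name": raw["name"].strip(),
        "feature_value": raw["sha256"].strip().lower(),  # feeds differ in case
        "description": raw.get("desc", ""),
    }

def build_intel_db(records):
    """S13: index by feature value so each process lookup is a dict hit."""
    return {r["feature_value"]: r for r in records}

def match_processes(processes, intel_db, vm, host):
    """S3: traverse the process list and build the vulnerability table of [0050]."""
    table = []
    for proc in processes:
        hit = intel_db.get(proc["sha256"].lower())
        if hit is None:
            continue  # hash differs from every feature value: next process
        table.append({
            "threat_name": hit["threat_name"],
            "intel_source": hit["source"],
            "intel_acquired": hit["acquired"],
            "process_name": proc["name"],
            "process_sha256": proc["sha256"].lower(),
            "vm_ip": vm["ip"], "vm_uuid": vm["uuid"],
            "host_ip": host["ip"], "host_uuid": host["uuid"],
        })
    return table

# Constructed sample data: hashes are derived from labelled strings, not real IoCs.
BAD = hashlib.sha256(b"constructed-sample-trojan").hexdigest()
GOOD = hashlib.sha256(b"constructed-sample-sshd").hexdigest()
FEED = [{"name": " Sample.Trojan ", "sha256": BAD.upper(), "desc": "constructed"}]
PROCS = [{"name": "sshd", "sha256": GOOD}, {"name": "updater", "sha256": BAD}]
VM = {"ip": "192.0.2.10", "uuid": "vm-uuid-placeholder"}
HOST = {"ip": "192.0.2.1", "uuid": "host-uuid-placeholder"}

def run_sample():
    db = build_intel_db(normalize(r, "feed-a", "2020-01-01T00:00:00Z") for r in FEED)
    return match_processes(PROCS, db, VM, HOST)

if __name__ == "__main__":
    for row in run_sample():
        print(row)  # a non-empty table is what goes to the security management center
```

Normalizing the feature value to lowercase at import time matters because an upper-case hash from one feed would otherwise never equal the lower-case digest the guest returns, and the match would be silently missed.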
[0051] As shown in Figure 5, the system for protecting virtual machine security under virtual platform network isolation according to the present invention includes a virtualization management platform, a virtual machine, a virtual machine information monitoring component, a virtual machine security management component and a security management center component.
[0052] The virtual machine information monitoring component monitors the running process list of the virtual machine on the host machine by using the QGA technology. The virtual machine information monitoring component includes a QGA monitoring module and a qemu-ga module that communicate with each other. The QGA monitoring module issues a process collection command to the qemu-ga module; based on the command, the qemu-ga module collects information about the currently running processes of the virtual machine to form a process list, calculates the hash value of each process file in the process list, and returns the hash value to the QGA monitoring module.
[0053] The virtual machine security management component obtains the hash value, and checks whether the hash value exists in the threat intelligence database, and if so, adds the process information to the virtual machine vulnerability information table.
[0054] The security management center component issues an alarm prompt according to the virtual machine vulnerability information table.
[0055] The virtual machine information monitoring component further includes a monitoring policy management module, where the monitoring policy management module is configured to issue the monitoring policy to the QGA monitoring module.
[0056] The virtual machine security management component further includes a threat intelligence acquisition module, a threat intelligence processing module and a policy formulation module.
[0057] The threat intelligence acquisition module captures online threat intelligence through online intelligence tools to form an online threat intelligence list; the threat intelligence processing module normalizes the online threat intelligence list into a unified data format and imports the normalized data into the threat intelligence database.
[0058] The policy formulation module is responsible for formulating policies for virtual machines to collect process information.
[0059] Although the specific embodiments of the present invention have been described above in conjunction with the accompanying drawings, they do not limit the scope of protection of the present invention. Those skilled in the art should understand that, on the basis of the technical solutions of the present invention, various modifications or variations that they can make without creative work are still within the protection scope of the present invention.
