Virtual target out-of-band data acquisition method based on virtual peripheral, medium and device
By adopting an out-of-band data acquisition method based on virtual peripherals, the problem of virtual target traffic isolation in network ranges is solved, and effective isolation between service traffic and acquisition traffic is achieved, thereby improving the simulation of network space ranges and data acquisition efficiency.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
- Filing Date: 2023-12-12
- Publication Date: 2026-06-12
AI Technical Summary
Existing technologies struggle to effectively isolate the business traffic and data collection traffic of virtual targets in network ranges, affecting the simulation of network space and failing to meet the data isolation requirements of multi-task spaces.
An out-of-band data acquisition method based on virtual peripherals is adopted, which achieves isolation between business traffic and acquisition traffic by writing data to the front-end driver in the virtual target, reading data from virtual machine interrupt events in the host system, and data isolation, aggregation and forwarding in the multi-task space of the target range.
There is no need to build a separate acquisition network for virtual targets. Data is transmitted through out-of-band channels, effectively isolating business traffic and acquisition traffic, which improves the simulation of the cyberspace range and the efficiency of data acquisition.
Figure CN117675621B_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and more specifically to a method, medium, and device for out-of-band data acquisition of virtual targets based on virtual peripherals.
Background Technology
[0002] Cyber ranges are crucial infrastructure for network attack and defense drills, cyberspace technology verification, and network risk assessment, and they are of great value for cultivating cybersecurity talent and for studying cyberspace confrontation. Data acquisition is one of the core capabilities of a cyber range and forms the basis for range business data analysis and intelligent decision-making. Current mainstream data acquisition methods use a data acquisition control center together with an agent program embedded in each virtual target. On one hand, this relies on in-band data transmission, requiring a separate acquisition network for each virtual target within the range; business traffic and acquisition traffic within the range scenario are therefore not effectively isolated, which degrades the overall simulation of cyberspace. On the other hand, it struggles to meet the range's business requirements, such as data isolation of acquisition traffic across multi-task spaces.
Summary of the Invention
[0003] The present invention aims to provide a method, medium and device for out-of-band data acquisition of virtual targets based on virtual peripherals, so as to achieve effective isolation between the service traffic and the acquisition traffic of virtual targets in the network range, improve the simulation of the network space range and meet the service-related needs of the range.
[0004] This invention provides a method for acquiring out-of-band data of a virtual target based on a virtual peripheral, comprising:
[0005] Writing data collected from a virtual target based on a front-end driver;
[0006] Data reading from backend peripherals in the host system based on virtual machine interrupt events;
[0007] Data isolation, aggregation, and forwarding based on the multi-task space of the test range.
[0008] Furthermore, the writing of the collected data based on the front-end driver into the virtual target includes:
[0009] Start the virtual target; the virtual machine monitor program will simulate a virtual peripheral for the virtual target.
[0010] The virtual target identifies virtual peripherals, loads the corresponding front-end drivers for the virtual peripherals, and creates a shared memory circular buffer for data exchange with the virtual machine monitor program.
[0011] The agent program within the virtual target opens the virtual peripheral and writes data through system calls, and the front-end driver writes the I/O data into the shared memory circular buffer;
[0012] The front-end driver triggers a virtual machine interrupt event.
[0013] Furthermore, the backend peripheral data reading based on virtual machine interrupt events in the host system includes:
[0014] The virtual machine monitor program acts as the backend for virtual peripherals, registering virtual peripheral I/O callback functions and mapping virtual peripherals to socket files named with virtual target IDs on the host machine, which are called virtual peripheral sockets.
[0015] When the virtual machine monitor detects a virtual machine interrupt event, and the interrupt event is a virtual peripheral I/O event, the virtual peripheral I/O callback function is called to obtain I/O data from the shared memory circular buffer of the virtual peripheral.
[0016] The virtual machine monitor sends data to the virtual peripheral socket buffer.
[0017] Furthermore, the data isolation, aggregation, and forwarding based on the multi-task space of the test range includes:
[0018] The data aggregation program negotiates a connection with the data acquisition and control center and receives range task groups from the data acquisition and control center.
[0019] The data aggregation program listens to virtual peripheral socket groups of all virtual machines on the host machine based on the target range task groups and virtual machine IDs.
[0020] When the data aggregation program detects a readable event of a virtual peripheral socket, it reads the data, preprocesses it, groups it according to the target range task, aggregates and forwards the data to the corresponding task's data domain in the data acquisition and control center.
[0021] The present invention also provides a computer terminal storage medium storing computer terminal executable instructions, which are used to execute the above-described method for acquiring out-of-band data of a virtual target based on a virtual peripheral.
[0022] The present invention also provides a computing device, comprising:
[0023] At least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the above-described virtual target out-of-band data acquisition method based on virtual peripherals.
[0024] In summary, due to the adoption of the above technical solution, the beneficial effects of the present invention are:
[0025] This invention designs a method for out-of-band data acquisition of virtual targets based on virtual peripherals. It eliminates the need to build a separate acquisition network for the virtual targets. The acquisition traffic is transmitted through the out-of-band channel, effectively isolating business traffic and acquisition traffic, while meeting the relevant business needs of the target range. The acquisition traffic is isolated, aggregated and forwarded in the target range multi-task space on the host machine.
Attached Figure Description
[0026] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings in the embodiments will be briefly described below. It should be understood that the following drawings only show some embodiments of the present invention and should not be regarded as a limitation on the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0027] Figure 1 is a flowchart of a virtual target out-of-band data acquisition method based on virtual peripherals in an embodiment of the present invention.
[0028] Figure 2 is a schematic diagram of out-of-band transmission based on virtual peripherals in an embodiment of the present invention.
[0029] Figure 3 is a schematic diagram of the execution of the host-side data aggregation program in an embodiment of the present invention.
Detailed Implementation
[0030] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. The components of the embodiments of the present invention described and shown in the accompanying drawings can generally be arranged and designed in various different configurations.
[0031] Therefore, the following detailed description of the embodiments of the invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely to illustrate selected embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the invention without inventive effort are within the scope of protection of the invention.
[0032] Example
[0033] As shown in Figure 1, this embodiment proposes a method for out-of-band data acquisition of virtual targets based on virtual peripherals, including:
[0034] (1) Writing data collected from the virtual target based on the front-end driver;
[0035] This invention implements the front-end driver for the virtual peripheral, which must be pre-embedded in the virtual target. As shown in Figure 2, the specific steps for writing data collected from the virtual target based on the front-end driver are as follows:
[0036] S11, Start the virtual target; the virtual machine monitor program simulates a virtual peripheral for the virtual target.
[0037] S12, the virtual target identifies the virtual peripheral, loads the front-end driver for the virtual peripheral, and creates a shared memory circular buffer for data exchange with the virtual machine monitor program.
[0038] S13, the agent program inside the virtual target opens the virtual peripheral and writes data through system calls, and the front-end driver writes the I/O data into the shared memory circular buffer;
[0039] S14, the front-end driver triggers a virtual machine interrupt event.
[0040] (2) Reading backend peripheral data based on virtual machine interrupt events in the host system;
[0041] S21, the virtual machine monitor program acts as the backend of the virtual peripheral device, registers the virtual peripheral I/O callback function, and maps the virtual peripheral device to a socket file named with the virtual target ID on the host machine, which is called a virtual peripheral socket.
[0042] S22, when the virtual machine monitor detects a virtual machine interrupt event, and the interrupt event is a virtual peripheral I/O event, the virtual peripheral I/O callback function is called to obtain I/O data from the shared memory circular buffer of the virtual peripheral;
[0043] S23, the virtual machine monitor sends data to the virtual peripheral socket buffer.
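The guest-to-host path in steps S11 to S23 above (and the matching summary steps [0009] to [0016]) is a producer/consumer ring in shared memory plus an interrupt that tells the hypervisor to drain it. The following is an added example, not the patent's code: `SharedRing`, `guest_write`, `backend_drain`, `PeripheralBackend` and `transfer` are assumed names, the "shared memory" is a `bytearray`, the interrupt is a flag the backend checks, and a `socketpair()` stands in for the host socket file named after the virtual target ID. It shows the part the steps leave implicit: what the front-end driver does when the ring is smaller than the record, and how the backend drains across the wrap-around boundary.

```python
"""Guest front-end -> shared-memory ring -> VMM backend -> per-VM socket.

Added example, not the patent's implementation; all names are assumptions.
"""
import socket
import struct

HDR = 8  # ring header: two little-endian uint32 indices, head then tail


class SharedRing:
    """Circular buffer laid out as [head][tail][data...] in one shared region.

    Only the guest moves tail (producer) and only the VMM moves head
    (consumer), so a single producer and consumer need no lock. One slot is
    always left empty so that 'full' and 'empty' are distinguishable.
    """

    def __init__(self, capacity: int):
        if capacity < 2:
            raise ValueError("ring needs at least two slots")
        self.cap = capacity
        self.mem = bytearray(HDR + capacity)  # stands in for the shared page(s)
        self.irq_pending = False  # stands in for the virtual machine interrupt

    def indices(self):
        return struct.unpack_from("<II", self.mem, 0)

    def set_indices(self, head: int, tail: int) -> None:
        struct.pack_into("<II", self.mem, 0, head, tail)

    def used(self) -> int:
        head, tail = self.indices()
        return (tail - head) % self.cap

    def free(self) -> int:
        return self.cap - 1 - self.used()


def guest_write(ring: SharedRing, data: bytes) -> int:
    """Front-end driver path (S13, S14): copy what fits, then raise the interrupt.

    Returns the number of bytes accepted; the agent retries the remainder.
    """
    head, tail = ring.indices()
    n = min(len(data), ring.free())
    first = min(n, ring.cap - tail)  # bytes that fit before the end of the region
    ring.mem[HDR + tail:HDR + tail + first] = data[:first]
    ring.mem[HDR:HDR + n - first] = data[first:n]  # wrapped remainder, if any
    ring.set_indices(head, (tail + n) % ring.cap)
    if n:
        ring.irq_pending = True  # 'kick' the hypervisor
    return n


def backend_drain(ring: SharedRing) -> bytes:
    """Backend I/O callback (S22): take everything the guest has produced."""
    head, tail = ring.indices()
    n = ring.used()
    first = min(n, ring.cap - head)
    out = bytes(ring.mem[HDR + head:HDR + head + first])
    out += bytes(ring.mem[HDR:HDR + n - first])
    ring.set_indices((head + n) % ring.cap, tail)
    ring.irq_pending = False
    return out


class PeripheralBackend:
    """VMM side (S21-S23): owns the ring and the per-VM virtual peripheral socket."""

    def __init__(self, vm_id: str, capacity: int = 64):
        self.vm_id = vm_id
        self.ring = SharedRing(capacity)
        # socketpair() stands in for the host socket file named after vm_id;
        # `peer` is the end the host aggregation program would read from.
        self.sock, self.peer = socket.socketpair()

    def on_vm_exit(self) -> int:
        """Run when the VMM sees an interrupt; returns bytes pushed to the socket."""
        if not self.ring.irq_pending:
            return 0  # some other interrupt source, not this peripheral
        data = backend_drain(self.ring)
        self.sock.sendall(data)  # S23: into the virtual peripheral socket buffer
        return len(data)


def transfer(vm_id: str, record: bytes, capacity: int = 16) -> bytes:
    """Push one agent record through a ring smaller than the record and return
    what arrives on the host side of the virtual peripheral socket."""
    be = PeripheralBackend(vm_id, capacity)
    sent = 0
    while sent < len(record):
        sent += guest_write(be.ring, record[sent:])  # agent write() loop
        be.on_vm_exit()                               # VMM services the interrupt
    be.peer.settimeout(1.0)
    out = b""
    while len(out) < len(record):
        out += be.peer.recv(4096)
    be.sock.close()
    be.peer.close()
    return out


if __name__ == "__main__":
    # constructed sample record: one line-delimited event from the guest agent
    sample = b'{"event":"login","user":"alice"}\n'
    print(transfer("vm-01", sample, capacity=8) == sample)
```

The guest never touches `head` and the host never touches `tail`, which is what lets the hypervisor read the ring without trusting any guest-controlled length field; a backend that instead trusted a length written by the guest would be reading past the shared region on the guest's say-so.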
[0044] (3) Data isolation, aggregation and forwarding based on the multi-task space of the test range;
[0045] As shown in Figure 3, this invention implements a host-side data aggregation program responsible for data isolation, aggregation, and forwarding based on the multi-task space of the test range:
[0046] S31, the data aggregation program negotiates a connection with the data acquisition and control center and receives range task groups from the data acquisition and control center;
[0047] S32, the data aggregation program listens to the virtual peripheral socket groups of all virtual machines on the host machine according to the target range task group and virtual machine ID;
[0048] S33, when the data aggregation program detects a readable event on a virtual peripheral socket, it reads the data, preprocesses it, groups it according to the target range task, and aggregates and forwards the data to the data domain of the corresponding task in the data acquisition and control center.
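Steps S31 to S33 (and summary steps [0018] to [0020]) describe the host-side aggregation program, whose isolation property is that a record can only ever reach the data domain of the task its virtual machine was assigned to. The following is an added example, not the patent's code: `HostAggregator` and its methods are assumed names, the task groups are a constructed stand-in for what the data acquisition and control center sends in S31, `socketpair()` stands in for the per-VM socket files, and the per-task `domains` dict stands in for the center's data domains. It shows the two checks a practitioner would want in S32/S33: the VM identity is taken from which socket the bytes arrived on rather than from the payload, and a VM that belongs to no task is never read at all. It also handles records split across reads and malformed records.

```python
"""Host-side data aggregation program with strict per-task data domains.

Added example, not the patent's implementation; names are assumptions.
"""
import json
import selectors
import socket


class HostAggregator:
    """S32/S33: listen on the virtual peripheral sockets of every VM the
    control center assigned to a task; route each record only to that task."""

    def __init__(self, task_groups, vm_sockets):
        # task_groups: {task_id: [vm_id, ...]} as received from the control center (S31)
        # vm_sockets:  {vm_id: socket} - host end of each VM's virtual peripheral socket
        self.vm_to_task = {}
        for task, vms in task_groups.items():
            for vm in vms:
                if vm in self.vm_to_task:  # one VM in two tasks would break isolation
                    raise ValueError(f"{vm} assigned to both {self.vm_to_task[vm]} and {task}")
                self.vm_to_task[vm] = task
        self.domains = {task: [] for task in task_groups}  # stands in for the center's data domains
        self.dropped = {}   # vm_id -> malformed records discarded during preprocessing
        self.buffers = {}   # vm_id -> bytes of an incomplete trailing line
        self.sel = selectors.DefaultSelector()
        for vm, sock in vm_sockets.items():
            if vm not in self.vm_to_task:
                continue  # in no task: never read, so it can never be forwarded anywhere
            sock.setblocking(False)
            self.sel.register(sock, selectors.EVENT_READ, data=vm)
            self.buffers[vm] = b""

    def preprocess(self, vm_id: str, line: bytes) -> dict:
        rec = json.loads(line)
        if not isinstance(rec, dict):
            raise ValueError("record is not a JSON object")
        # Identity comes from the socket the bytes arrived on, never from the
        # payload, so a guest cannot relabel its records as another VM's.
        rec["vm_id"] = vm_id
        rec["task"] = self.vm_to_task[vm_id]
        return rec

    def poll(self, timeout: float = 0.0) -> int:
        """Service every readable socket once; returns the number of records forwarded."""
        forwarded = 0
        for key, _ in self.sel.select(timeout):
            vm, sock = key.data, key.fileobj
            chunk = sock.recv(4096)
            if not chunk:  # VM shut down: stop listening on its socket
                self.sel.unregister(sock)
                continue
            *lines, self.buffers[vm] = (self.buffers[vm] + chunk).split(b"\n")
            for line in lines:
                if not line.strip():
                    continue
                try:
                    rec = self.preprocess(vm, line)
                except ValueError:
                    self.dropped[vm] = self.dropped.get(vm, 0) + 1
                    continue
                self.domains[rec["task"]].append(rec)  # S33: forward to the task's domain
                forwarded += 1
        return forwarded


def demo() -> HostAggregator:
    """Constructed scenario: three VMs in two tasks, plus one VM in no task."""
    task_groups = {"task-red": ["vm-01", "vm-02"], "task-blue": ["vm-03"]}
    host_end, guest_end = {}, {}
    for vm in ("vm-01", "vm-02", "vm-03", "vm-99"):
        host_end[vm], guest_end[vm] = socket.socketpair()
    agg = HostAggregator(task_groups, host_end)

    guest_end["vm-01"].sendall(b'{"event":"login","user":"alice"}\n{"event":"exec","cmd":"ls"}\n')
    guest_end["vm-02"].sendall(b'{"event":"part')            # incomplete line, must be buffered
    guest_end["vm-02"].sendall(b'ial","n":1}\nnot json\n')   # completes it, then a malformed line
    guest_end["vm-03"].sendall(b'{"event":"login","vm_id":"vm-01"}\n')  # guest-supplied id is ignored
    guest_end["vm-99"].sendall(b'{"event":"orphan"}\n')      # belongs to no task: never read

    while agg.poll(0.2):
        pass
    for s in list(host_end.values()) + list(guest_end.values()):
        s.close()
    return agg


if __name__ == "__main__":
    a = demo()
    for task, recs in a.domains.items():
        print(task, [(r["vm_id"], r["event"]) for r in recs])
    print("dropped:", a.dropped)
```

Rejecting a task-group assignment that lists the same VM under two tasks is deliberate: the patent's isolation guarantee rests on the VM-to-task mapping being a function, and an aggregator that silently accepted the second assignment would forward one VM's records into two data domains.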
[0049] It is evident that data acquisition is one of the core fundamental capabilities of a network range. It refers to the collection of real-time data from virtual targets within the large-scale, complex network topology environment of a network range. This data supports range operations and attack / defense data analysis, enabling intelligent decision-making and providing crucial information for range network security. This invention designs an out-of-band data acquisition method for virtual targets based on virtual peripherals. It eliminates the need to build a separate acquisition network for virtual targets. Acquisition traffic is transmitted through out-of-band channels, effectively isolating service traffic from acquisition traffic while simultaneously meeting the range's relevant business needs. At the host machine, acquisition traffic is isolated, aggregated, and forwarded within the range's multi-task space.
[0050] Furthermore, in some embodiments, a computer terminal storage medium is proposed, storing computer terminal executable instructions for executing the virtual target out-of-band data acquisition method based on virtual peripherals as described in the preceding embodiments. Examples of computer storage media include magnetic storage media (e.g., floppy disks, hard disks, etc.), optical recording media (e.g., CD-ROMs, DVDs, etc.) or memory such as memory cards, ROMs, or RAMs. The computer storage medium can also be distributed across a network-connected computer system, for example, as an application store.
[0051] Furthermore, in some embodiments, a computing device is proposed, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the virtual target out-of-band data acquisition method based on virtual peripherals as described in the foregoing embodiments. Examples of computing devices include PCs, tablet computers, smartphones, or PDAs.
[0052] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A method for out-of-band data acquisition of a virtual target based on virtual peripherals, characterized in that it comprises: writing data collected from a virtual target based on a front-end driver; reading data from backend peripherals in the host system based on virtual machine interrupt events; and data isolation, aggregation, and forwarding based on the multi-task space of the test range, wherein: the data aggregation program negotiates a connection with the data acquisition and control center and receives the test range task groups from the data acquisition and control center; the data aggregation program listens for the virtual peripheral socket groups of all virtual machines on the host machine according to the test range task groups and virtual machine IDs; and when the data aggregation program detects a readable event on a virtual peripheral socket, it reads the data, preprocesses it, and aggregates and forwards the data, grouped according to the test range task groups, to the data domain of the corresponding task in the data acquisition and control center.
2. The method for acquiring out-of-band data of a virtual target based on a virtual peripheral according to claim 1, characterized in that the writing of the collected data based on the front-end driver in the virtual target comprises: starting the virtual target, whereupon the virtual machine monitor program simulates a virtual peripheral for the virtual target; the virtual target identifies the virtual peripheral, loads the corresponding front-end driver for the virtual peripheral, and creates a shared memory circular buffer for data exchange with the virtual machine monitor program; the agent program within the virtual target opens the virtual peripheral and writes data through system calls, and the front-end driver writes the I/O data into the shared memory circular buffer; and the front-end driver triggers a virtual machine interrupt event.
3. The method for acquiring out-of-band data of a virtual target based on a virtual peripheral according to claim 2, characterized in that the backend peripheral data reading based on virtual machine interrupt events in the host system comprises: the virtual machine monitor program acts as the backend for the virtual peripheral, registering a virtual peripheral I/O callback function and mapping the virtual peripheral to a socket file named with the virtual target ID on the host machine, which is called a virtual peripheral socket; when the virtual machine monitor detects a virtual machine interrupt event, and the interrupt event is a virtual peripheral I/O event, the virtual peripheral I/O callback function is called to obtain I/O data from the shared memory circular buffer of the virtual peripheral; and the virtual machine monitor sends the data to the virtual peripheral socket buffer.
4. A computer terminal storage medium storing computer terminal executable instructions, characterized in that the computer terminal executable instructions are used to perform the out-of-band data acquisition method for virtual targets based on virtual peripherals according to any one of claims 1-3.
5. A computing device, characterized in that it comprises: at least one processor; and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the virtual target out-of-band data acquisition method based on a virtual peripheral according to any one of claims 1-3.