CN103178988B - Performance-optimized monitoring method and system for virtualized resources - Google Patents
Publication number: CN103178988B (authority: CN, China)
Legal status: Withdrawn - After Issue
Description
Technical field
The invention relates to the fields of virtualization technology and information security, and in particular to a performance-optimized method and system for monitoring virtualized resources.
Background
Virtualization is a technology in wide use across the IT industry. Driven by the large-scale adoption of cloud computing, virtualization, and server virtualization in particular, is developing rapidly, quickly changing the face of IT and fundamentally changing the way people compute. By virtualizing physical resources, server resources can be allocated among multiple virtual machines; virtualization allows different applications, and even different operating systems, to run on the same server. Combined with cloud computing, it provides flexible configuration, fast deployment and savings in computing resources.
However, along with these great advantages, virtualization also introduces significant security risks that differ from those of traditional security models. Once physical resources are virtualized, several virtual machines may run on a single physical server. The actual computing resources (CPU, memory, disk, network and so on) are turned into virtualized resources and shared by the different virtual machines. In practice, therefore, the virtual machines are sharing the same physical server resources even though each believes it has exclusive use of them, and the whole process of sharing is scheduled by the virtualization module (a virtual machine monitor such as Xen). Once an attacker exploits its vulnerabilities to intrude into the system, the virtualization module can affect every virtual machine running on it, and thereby threaten every application and all user data running in those virtual machines, so security protection for virtual machines is critical.
The main new security threats introduced by virtualization are the following. Isolation of virtualized resources: in a multi-tenant environment, different business systems belonging to different tenants may run on the same cloud platform, so a tenant's resources face the threat of illegal access by other tenants, and a security incident in one tenant, whether malicious or a mistaken operation, may spread to other tenants' business systems on the same platform and threaten them. Security of the virtual machine management layer (VMM): because the VMM runs at a higher privilege level than the virtual machines, an attack on it threatens every virtual machine on the same physical server. Virtual machine escape: if a malicious program running inside a virtual machine bypasses the virtual machine's own security mechanisms and obtains some privilege over the VMM or the physical server, it threatens every virtual machine on that server. Virtual network security risks: in a cloud computing environment the wide use of virtual network resources blurs the traditional network perimeter. Traditional security devices such as firewalls, IDS and IPS can only be deployed at physical boundaries and cannot apply fine-grained access control to traffic between virtual machines on the same physical host; an attack launched from a virtual machine inside the cloud platform bypasses all perimeter protections and strikes the other virtual machines from within, and in severe cases can threaten the safe operation of the entire virtual network or even the whole cloud platform.
The isolation mechanisms built into existing virtualization technology only provide basic isolation of application runtime environments; they cannot prevent out-of-bounds or illegal access by programs. Sharing the actual physical resources in this way often makes data easier to access illegally: for example, when programs in different virtual machines share the same cache, once the program in one virtual machine is exploited by malicious code, the data of the other virtual machine can easily be illegally accessed or leaked.
The current approach is to deploy a security application at the virtual machine monitor layer that monitors the security behaviour of the guest virtual machines above it and intercepts their system calls, while a security virtual machine deployed in the system analyses the intercepted system calls, responds in real time according to the security policy, and decides whether to release or block each call. This approach solves most virtual machine security problems, but its main drawback is that the security virtual machine and the guest virtual machines request system resources at the same time, and their demands on the virtualized resources are directly proportional to each other. If a guest virtual machine is busy and issues a large number of system calls, the security virtual machine must carry out an equally large number of real-time security processing tasks, so the two compete for system resources, multiplying the overall resource pressure, causing a sharp drop in the physical server's overall performance and a poor customer experience. The only way to free resources is to forcibly reduce or switch off some of the security virtual machine's security functions, at a cost in security.
Summary of the invention
In view of the problem that, in existing techniques for monitoring guest virtual machine security, the security virtual machine and the guest virtual machines compete for resources, degrading system performance, harming the customer experience and losing security, the present invention provides a performance-optimized method for monitoring virtualized resources that can effectively monitor the overall running and security state of the system while achieving a good user experience. The invention also relates to a performance-optimized system for monitoring virtualized resources.
The technical scheme of the present invention is as follows:
A performance-optimized method for monitoring virtualized resources, characterized in that the running performance of the physical server and the guest virtual machines, together with the system call events of the guest virtual machines, are first monitored at the virtual machine monitor layer; then, based on the monitored running performance of the physical server and guest virtual machines, the security virtual machine processes the monitored system call events according to priority and security policy and, after processing, issues control instructions that control the operations of those system call events on the virtualized resources.
Monitoring the system call events of the guest virtual machines at the virtual machine monitor layer yields event data, and monitoring the running performance of the physical server and guest virtual machines yields performance monitoring data; the performance monitoring data serves as one of the security policies applied when processing the system call events.
After the event data has been obtained by monitoring, it first undergoes semantic conversion, which translates it from low-level semantics into high-level semantics; data processing of the event data takes place after this semantic conversion.
Processing of the monitored system call events comprises scheduling, real-time data processing, and log and alarm processing. Scheduling judges the priority of the event data and dispatches it: low-priority event data goes to log and alarm processing, and high-priority event data goes to real-time data processing.
The high-priority event data is analysed by a security monitoring module and processed in real time according to the security policy, and after real-time processing a control instruction is issued that controls the operation of the system call event on the virtualized resources;
and/or, log and alarm processing first records the low-priority event data in a log, then submits it to the security monitoring module for post-hoc review and performs alarm handling according to the security policy.
A performance-optimized system for monitoring virtualized resources, characterized in that it comprises an interconnected security event monitoring and response module and a data processing module. The security event monitoring and response module is located at the virtual machine monitor layer; it monitors the running performance of the physical server and the guest virtual machines together with the system call events of the guest virtual machines, and sends the monitoring information to the data processing module. The data processing module is located in the security virtual machine; based on the monitored running performance of the physical server and guest virtual machines, it processes the system call events according to priority and security policy and, after processing, issues control instructions to the security event monitoring and response module that control the operations of the system call events on the virtualized resources.
The security event monitoring and response module comprises a security event monitoring module, a security event response module and a performance monitoring module. The security event monitoring module monitors the system call events of the guest virtual machines to obtain event data and sends the event data to the data processing module; the performance monitoring module monitors the running performance of the physical server and the guest virtual machines to obtain performance monitoring data, which is supplied to the data processing module as one of the security policies for its data processing; the security event response module receives the control instructions issued by the data processing module and acts on them.
The data processing module comprises a semantic processing module, a core processing module and a security policy module connected in sequence; the core processing module is connected to the security policy module, the performance monitoring module and the security event response module. The semantic processing module is connected to the security event monitoring module and performs semantic conversion on the event data, translating it from low-level semantics into high-level semantics, and after conversion passes it to the core processing module. The core processing module processes the event data according to the security policy held in the security policy module and the performance monitoring data obtained by the performance monitoring module, and after processing issues control instructions to the security event response module.
The core processing module comprises a scheduling module, a real-time data processing module, and a log and alarm processing module. The real-time data processing module and the log and alarm processing module are each connected to the scheduling module; the scheduling module is connected to the performance monitoring module and the semantic processing module; the real-time data processing module and the log and alarm processing module are both connected to the security policy module; and the real-time data processing module is connected to the security event response module. The scheduling module judges the priority of the event data and dispatches it; the real-time data processing module processes high-priority event data in real time and then issues control instructions to the security event response module; the log and alarm processing module performs log and alarm processing on low-priority event data.
The real-time data processing module and the log and alarm processing module are each connected to the security policy module through one or more security monitoring modules; the real-time data processing module has high-priority event data analysed by the security monitoring module and processes it in real time according to the security policy;
and/or, the log and alarm processing module first records low-priority event data in a log, then submits it to the security monitoring module for post-hoc review and performs alarm handling according to the security policy;
and/or, the security monitoring module is an intrusion detection module and/or an intrusion prevention module and/or a file access control module.
The technical effects of the present invention are as follows:
The present invention relates to a performance-optimized method for monitoring virtualized resources. The running performance of the physical server and the guest virtual machines and the system call events of the guest virtual machines are first monitored at the virtual machine monitor layer, which effectively tracks the running and security state of the physical server and guest virtual machines; at the same time, based on the monitored running performance of the physical server and guest virtual machines, the security virtual machine processes the monitored system call events according to priority and security policy and then issues control instructions that control the operations of those events on the virtualized resources. Monitoring the running performance of the physical server and guest virtual machines reveals their running state, that is, whether the system is busy or idle; the system call events of the guest virtual machines, which are the security events, are then scheduled according to priority and security policy, and control instructions are issued to govern the operations on the virtualized resources (that is, the hardware resources). For example, security events can be processed differently when the system is busy and when it is idle: when the system is busy, only security events of relatively high priority receive real-time processing, while security events of lower priority are recorded first and reviewed afterwards when the system is idle. This effectively avoids contention for system resources between the security virtual machine and the guest virtual machines, and also avoids the loss of security that results when large numbers of security events are dropped because resources are scarce. The performance-optimized monitoring method of the invention therefore brings the overall virtualized resources into a reasonable allocation, avoids the drop in the overall performance of the physical server and achieves a good user experience; and since no security function of the security virtual machine need be reduced or switched off, there is no loss of security, and the security of the security virtual machine is improved.
In the performance-optimized monitoring method of the invention, the security virtual machine processes the monitored system call events according to priority and security policy, specifically through scheduling, real-time data processing, and log and alarm processing. Scheduling judges the priority of the event data and dispatches it, taking into account the security policy together with the monitored running performance of the physical server and of the guest virtual machines (the running performance of the physical server and guest virtual machines can itself serve as one of the security policies); after scheduling, low-priority event data receives log and alarm processing, high-priority event data receives real-time data processing, and after real-time processing control instructions are issued that control the operations of the system call events on the virtualized resources. Security events can thus be scheduled and processed more explicitly according to the running state of the physical server and guest virtual machines, strictly avoiding the resource shortage caused when the security virtual machine and the guest virtual machines request the system's virtualized resources at the same time, which strengthens the security of the security virtual machine and further improves the customer experience.
In the performance-optimized system for monitoring virtualized resources of the invention, a security event monitoring and response module at the virtual machine monitor layer monitors the running performance of the physical server and the running performance and system call events of the guest virtual machines, effectively tracking their running and security state; at the same time a data processing module inside the security virtual machine processes the system call events of the guest virtual machines (also called security events) according to priority and security policy, based on the running performance of the physical server and guest virtual machines reported by the security event monitoring and response module, and after processing issues control instructions to the security event monitoring and response module that control the operations of the system call events on the virtualized resources. This effectively avoids contention for system resources between the security virtual machine and the guest virtual machines without missing any security event: high-level security events are monitored and handled in real time with priority, and low-level security events are handled afterwards.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the performance-optimized system for monitoring virtualized resources of the present invention.
Fig. 2 is a schematic diagram of a preferred structure of the security event monitoring and response module in Fig. 1.
Fig. 3 is a schematic diagram of a preferred structure of the data processing module in Fig. 1.
Fig. 4 is a schematic diagram of a preferred structure of the performance-optimized system for monitoring virtualized resources of the present invention.
Fig. 5 is a working flowchart of the performance-optimized system for monitoring virtualized resources shown in Fig. 4.
Fig. 6 is a flowchart of the performance-optimized method for monitoring virtualized resources of the present invention.
Fig. 7 is a preferred flowchart of the performance-optimized method for monitoring virtualized resources of the present invention.
Detailed description
The present invention is described below with reference to the accompanying drawings.
The present invention relates to a performance-optimized system for monitoring virtualized resources whose structure is shown schematically in Fig. 1. Logically it comprises two components: a security event monitoring and response module and a data processing module, connected to each other. The security event monitoring and response module is located at the virtual machine monitor layer; it monitors the running performance of the physical server and the guest virtual machines and the system call events of the guest virtual machines, and sends the monitoring information, comprising both the performance monitoring information for the physical server and guest virtual machines and the monitoring information for the guest virtual machines' system call events, to the data processing module. More specifically, the guest virtual machines may run the same or different operating systems, and in each guest virtual machine many applications will invoke the guest's hardware resources (CPU, memory, disk, network and so on). The security event monitoring and response module deployed at the virtual machine monitor layer provides performance monitoring of the system (made up of the physical server and its guest virtual machines) together with interception, monitoring and response handling for the various system calls of the guest virtual machines. It collects the running performance of the physical server and of the guest virtual machines, that is, the overall running performance of the system, and can send the performance monitoring data to the data processing module as one of the policies for its scheduling, shown in the figure as performance monitoring data flow ③. When it detects a system call event in which a guest virtual machine accesses a virtualized resource, it sends the monitoring information to the data processing module and responds to the system call event under the control of the data processing module, shown as event data flow ①. The data processing module is located in the security virtual machine; it processes the system call events according to priority and security policy and, after processing, issues control instructions to the security event monitoring and response module that control the operations of the system call events on the virtualized resources. More specifically, the data processing module deployed on the security virtual machine provides the security event processing and security control functions: on receiving the event data flow from the security event monitoring and response module it processes the events and, according to the security policy and the processing result, issues control instructions to the security event monitoring and response module, shown as control flow ②.
For the performance-optimized monitoring system shown in Fig. 1, a preferred structure of the security event monitoring and response module deployed at the virtual machine monitor layer is shown in Fig. 2. The security event monitoring and response module comprises a security event monitoring module, a security event response module and a performance monitoring module. The performance monitoring module monitors the overall running performance of the physical server and guest virtual machines to obtain performance monitoring data, which can be supplied to the data processing module as one of the security policies for event scheduling; it sends the performance monitoring data to the data processing module, shown as performance monitoring data flow ③. The security event monitoring module monitors the system call events of the guest virtual machines to obtain event data and sends it to the data processing module located on the security virtual machine, shown as event data flow ①; then, under the control of control flow ② issued by the data processing module, it either hands the event to the security event response module for handling or releases it directly. The security event response module receives the control instructions issued by the data processing module and acts on them: according to the control instruction in control flow ②, it handles the received system call event, or rejects or releases the system call's access to the virtualized resource. Handling a received system call event according to the control instruction may mean applying fuzzy control to it; for example, when the system call event is a file access and the control instruction from the data processing module is "handle", the security event response module may read the file content through fuzzy processing, among other measures.
For the performance-optimized virtualized resource monitoring system shown in FIG. 1, a preferred structure of the data processing module, which is deployed on the security virtual machine, is shown in FIG. 3. The data processing module processes security events and adopts a priority scheduling method, which reduces the performance loss caused by the resource consumption of the security function itself. The data processing module comprises a semantic processing module, a core processing module, a security policy module and one or more security monitoring modules. Both the core processing module and the semantic processing module are connected to the security event monitoring and response module. The core processing module comprises a scheduling processing module, a real-time data processing module, and a log and alarm processing module; the real-time data processing module and the log and alarm processing module are each connected to the scheduling processing module, the scheduling processing module is connected to the semantic processing module, and both the scheduling processing module and the real-time data processing module are connected to the security event monitoring and response module. The real-time data processing module and the log and alarm processing module are both connected to the security policy module through the one or more security monitoring modules.
In FIG. 3, the semantic processing module performs semantic conversion on the event data monitored by the security event monitoring and response module, converting it from low-level semantics to high-level semantics, that is, identifying the parties associated with the security event and bringing in the attributes of the virtualized resource involved and the context of the access environment; after conversion, the event data is fed to the scheduling processing module of the core processing module. The core processing module processes the event data according to the security policies pre-configured in the security policy module and the performance monitoring data obtained by the security event monitoring and response module, and after this processing issues control instructions to the security event monitoring and response module. Within the core processing module, the scheduling processing module performs priority judgement and scheduling on the event data according to the security policy and the performance monitoring data; the performance monitoring data obtained by monitoring the running performance of the physical server and of the guest virtual machines can jointly serve as the basis for the core processing module's policy processing. Low-priority security events are handed to the log and alarm processing module for logging and alarm handling. Specifically, the log and alarm processing module first logs the low-priority event data, which the security monitoring modules later review after the fact when the physical server is idle (log processing data flow ⑤ in the figure), and it raises message alarms according to the security policy. High-priority security events are handed to the real-time data processing module for real-time processing: the real-time data processing module pushes them in real time to the security monitoring modules for analysis, the analysis results are returned to the real-time data processing module (real-time processing data flow ④ in the figure), and the real-time data processing module then issues control instructions to the security event monitoring and response module based on those results. Besides determining priority from the security policy and the semantic conversion results, the scheduling processing module can also evaluate the current running performance reported by the security event monitoring and response module at the virtual machine monitor layer and dynamically adjust the security policies in the security policy module: if the physical server is busy, most security events go only through the log and alarm processing module for logging and message alarms, and only a small number of events with a high security level are processed in real time by the real-time data processing module; if the physical server is relatively idle, more security events can be processed in real time by the real-time data processing module.
Security monitoring modules: these may consist of several modules, such as an intrusion detection module (IDS module), an intrusion prevention module (IPS module), a file access control module and so on, each focusing on a different security monitoring function. Depending on the monitoring function, the guest virtual machine input events corresponding to real-time processing data flow ④ may be some or all of the events. Different modules can analyse and process security events in parallel and submit their results to the security policy module. Security policy module: configures the security policies, serves as input to the various security monitoring modules, and is also the input for the priority determination performed by the scheduling processing module of the core processing module.
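The scheduling behaviour described for FIG. 3 (priority judgement from the security policy plus performance monitoring data, logging of low-priority events, and review by the security monitoring modules only once the physical server is idle) can be made concrete with the following added Python example. It is not the patent's code: the load cut-offs, the priority table, the per-load-band thresholds, the toy monitor and the sample events are all constructed assumptions.

```python
# Added example: load-aware priority scheduling with deferred review.
# Not the patent's code; thresholds, policy values and sample data are assumptions.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PerfSample:
    """Performance monitoring data (data flow ③): utilisation fractions 0..1."""
    host_cpu: float
    guest_cpu: float


def load_band(perf: PerfSample) -> str:
    """Classify the physical server as idle / normal / busy. Cut-offs are assumed."""
    worst = max(perf.host_cpu, perf.guest_cpu)
    if worst >= 0.85:
        return "busy"
    if worst >= 0.50:
        return "normal"
    return "idle"


# Constructed security policy: base priority per high-level event type and, per load
# band, the minimum priority that still gets real-time handling. When the host is busy
# only priority-4 events are analysed immediately; when it is idle, everything is.
BASE_PRIORITY = {"file_read": 1, "file_write": 2, "net_connect": 2,
                 "process_exec": 3, "kernel_module_load": 4}
REALTIME_MIN = {"idle": 1, "normal": 2, "busy": 4}


@dataclass
class SchedulingModule:
    realtime: deque = field(default_factory=deque)   # real-time processing data flow ④
    log: list = field(default_factory=list)          # log processing data flow ⑤

    def priority(self, event: dict) -> int:
        prio = BASE_PRIORITY.get(event["op"], 0)
        if not event.get("actor_trusted", True):     # policy escalation for untrusted actors
            prio += 1
        return prio

    def schedule(self, event: dict, perf: PerfSample) -> str:
        """Priority judgement under the current load: returns 'realtime' or 'logged'."""
        if self.priority(event) >= REALTIME_MIN[load_band(perf)]:
            self.realtime.append(event)
            return "realtime"
        self.log.append({**event, "reviewed": False})
        return "logged"

    def review_when_idle(self, perf: PerfSample, monitors) -> list:
        """Post-hoc review of logged events by the monitoring modules.
        Runs only when the host is idle; returns (event id, finding) pairs."""
        if load_band(perf) != "idle":
            return []
        findings = []
        for rec in self.log:
            if rec["reviewed"]:
                continue
            rec["reviewed"] = True
            findings.extend((rec["id"], f) for f in (m(rec) for m in monitors) if f)
        return findings


def sensitive_path_monitor(rec: dict):
    """Toy file access control monitor used during review (constructed)."""
    if rec["op"] == "file_read" and rec["path"].startswith("/etc/"):
        return "sensitive file read"
    return None


# Constructed events (already semantically converted) and load samples.
EVENTS = [
    {"id": 1, "op": "file_read", "path": "/etc/shadow", "actor_trusted": True},
    {"id": 2, "op": "kernel_module_load", "path": "", "actor_trusted": True},
    {"id": 3, "op": "process_exec", "path": "/usr/local/bin/deploy", "actor_trusted": False},
    {"id": 4, "op": "file_read", "path": "/home/u/notes.txt", "actor_trusted": True},
]
BUSY = PerfSample(host_cpu=0.93, guest_cpu=0.70)
IDLE = PerfSample(host_cpu=0.10, guest_cpu=0.05)


def demo(perf: PerfSample) -> dict:
    """Schedules EVENTS under one load sample, then attempts review busy and idle."""
    sched = SchedulingModule()
    decisions = {e["id"]: sched.schedule(e, perf) for e in EVENTS}
    return {"decisions": decisions,
            "review_busy": sched.review_when_idle(BUSY, [sensitive_path_monitor]),
            "review_idle": sched.review_when_idle(IDLE, [sensitive_path_monitor])}


if __name__ == "__main__":
    print(demo(BUSY))
    print(demo(IDLE))
```

Under the busy sample only the kernel-module load and the escalated untrusted exec reach the real-time queue; the two file reads are logged, and the review pass returns nothing until it is invoked with an idle sample, at which point the `/etc/shadow` read is flagged after the fact. Under the idle sample every event is analysed immediately, which is the "relatively idle" branch the description gives.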
FIG. 4 is a schematic diagram of a preferred structure of the performance-optimized virtualized resource monitoring system of the present invention; the system uses the preferred security event monitoring and response module shown in FIG. 2 and the preferred data processing module shown in FIG. 3. The specific connections between the components of the security event monitoring and response module and those of the data processing module are as follows. The semantic processing module is connected to the security event monitoring module and performs semantic conversion on the event data obtained by the security event monitoring module (event data flow ① in the figure). The performance monitoring module is connected to the scheduling processing module and delivers the performance monitoring data it collects to the scheduling processing module as a reference for scheduling (performance monitoring data flow ③ in the figure). The real-time data processing module is connected to both the security event monitoring module and the security event response module (control flow ② in the figure): the security event monitoring module can, according to the control instruction it receives, release the system call event directly or hand it to the security event response module for handling, and the security event response module can, according to the control instruction it receives, intercept the system call event or process it and then release it. Arranging for both the security event monitoring module and the security event response module to receive control instructions from the real-time data processing module improves the system's operating efficiency. Of course, the control-instruction receiving functions of the two modules can also be merged and placed in either one of them.
The workflow of the performance-optimized virtualized resource monitoring system of the present invention described in FIG. 4 is shown in FIG. 5:
1) The guest virtual machine issues a system call event request, such as an I/O request; such a system call event may also be called a security event;
2) The security event monitoring module intercepts this system call and hands the event data to the semantic processing module;
3) The semantic processing module performs semantic conversion of the security event and hands the converted event data to the scheduling processing module;
4) The scheduling processing module obtains the current system performance monitoring data from the performance monitoring module and, together with the security policy, performs scheduling:
a) if the security event is low priority, it is handed to the log and alarm processing module for logging, and the security monitoring modules later read the log for post-hoc review when the physical server is idle;
b) if the security event is high priority, it is handed to the real-time data processing module;
5) The real-time data processing module pushes the event to each security monitoring module that needs it for real-time processing;
6) The security monitoring modules analyse the security event according to the security policy in the security policy module and return the analysis results to the real-time data processing module; the security monitoring modules may comprise several modules working in parallel, such as IDS, IPS and file access control modules;
7) The real-time data processing module forms a control instruction from the current security policy and the analysis results of the security monitoring modules and issues it to the security event monitoring module and the security event response module;
8) The security event monitoring module acts on the control instruction:
a) if the control instruction is "release", the system call event is released directly;
b) if the control instruction is "process", the system call event is handed to the security event response module for processing;
9) The security event response module acts on the control instruction:
a) if the control instruction is "intercept", the call is intercepted and an error is returned;
b) if the control instruction is "process", the system call event is processed according to the processing instruction and then released.
Compared with existing virtualization security monitoring technology, the performance-optimized virtualized resource monitoring system of the present invention has the following advantages. No agent needs to be installed in the guest virtual machines, because the components of the system are installed at the virtual machine monitor layer and on the security virtual machine. It is compatible with different security monitoring modules and supports third-party security extensions. It schedules security processing dynamically according to the usage of the system's virtualized (that is, hardware) resources, choosing real-time processing or logging for each security event according to its priority; this avoids the sharp drop in system performance that occurs when the security virtual machine and the guest virtual machines compete for virtualized resources, and security review can be deferred until the physical server is idle. High-level security events are monitored and handled in real time with priority while low-level security events are reviewed after the fact, which avoids the loss of security that results from discarding large numbers of security events when the system is busy. The system also uses virtualized resources more efficiently, strikes a good balance between performance and security, adjusts the monitoring policy dynamically, and improves the user experience while maintaining security.
The present invention also relates to a performance-optimized method for monitoring virtualized resources, whose flow chart is shown in FIG. 6. First, at the virtual machine monitor layer, the running performance of the physical server and of the guest virtual machines and the system call events of the guest virtual machines are monitored; monitoring the running performance of the physical server and the guest virtual machines amounts to monitoring the overall performance of the system. Then, according to the monitored overall running performance, the monitored system call events are processed on the security virtual machine according to priority and the security policy, and after this processing control instructions are issued that control the operations these system call events perform on virtualized resources.
The performance-optimized virtualized resource monitoring method of the present invention corresponds to the performance-optimized virtualized resource monitoring system of the present invention described above. At the virtual machine monitor layer, the system call events of the guest virtual machines are monitored to obtain event data, and the running performance of the physical server and of the guest virtual machines is monitored to obtain performance monitoring data; this performance monitoring data can serve as one security-policy input for processing the system call events. Preferably, after the event data has been obtained, it is first subjected to semantic conversion from low-level semantics to high-level semantics, and the data processing is then performed on the converted event data.
Monitoring, at the virtual machine monitor layer, the running performance of the physical server and the guest virtual machines together with the system call events of the guest virtual machines makes it possible to supervise effectively the running and security state of the physical server and the guest virtual machines. The monitored security events are then processed according to priority and the security policy. This processing may include scheduling processing, real-time data processing, and log and alarm processing. Scheduling processing performs priority judgement and scheduling on the event data according to the security policy and the performance monitoring data. Low-priority event data is given log and alarm processing: for example, it is logged first, reviewed afterwards by the security monitoring modules, and alarms are raised according to the security policy. High-priority event data is given real-time data processing: for example, it is analysed by the security monitoring modules and processed in real time according to the security policy, after which control instructions are issued to control the operations the system call events perform on virtualized resources. Taking into account the performance monitoring data obtained by monitoring the physical server and the guest virtual machines yields the running state of the physical server (busy or idle, for instance) and the running and security state of the guest virtual machines, and the scheduling of system security events is based on that: if the physical server is busy, only high-priority security events are monitored in real time and pushed to the security monitoring modules for processing, while low-priority security events are written to the log and read by the security monitoring modules for security review once the physical server is idle. The monitoring method of the present invention therefore effectively avoids contention for system resources between the security virtual machine and the guest virtual machines, and also avoids the loss of security that results when large numbers of security events are discarded because resources are scarce, achieving real-time monitoring and handling of high-level security events and post-hoc review of low-level security events.
FIG. 7 is a preferred flow chart of the performance-optimized virtualized resource monitoring method of the present invention.
1) The guest virtual machine issues a system call event request, such as an I/O request; such a system call event may also be called a security event;
2) The system call is intercepted by the security event monitoring, and the security event data is subjected to semantic conversion;
3) The semantically converted event data enters scheduling processing;
4) Scheduling processing obtains the current system performance monitoring data from the monitoring of the running performance of the physical server and the guest virtual machines and, together with the security policy, performs scheduling:
a) if the security event is low priority, it is given log and alarm processing, that is, it is logged first and the security monitoring modules later read the log for post-hoc review when the physical server is idle;
b) if the security event is high priority, it is given real-time data processing;
5) Real-time data processing pushes the event to each security monitoring module that needs it for real-time processing;
6) The security monitoring modules analyse the security event according to the security policy; the security monitoring modules may comprise several modules working in parallel, such as IDS, IPS and file access control modules;
7) A control instruction is formed and issued from the current security policy and the analysis results of the security monitoring modules;
8) The control instruction controls the operation that the system call event performs on virtualized resources:
a) if the control instruction is "release", the system call event is released directly;
b) if the control instruction is "intercept", the call is intercepted and an error is returned;
c) if the control instruction is "process", the system call event is processed according to the processing instruction and then released.
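The nine-step workflows of FIG. 5 and FIG. 7 are the same procedure seen from the system side and the method side. The following added Python example (not the patent's code; the raw record layout, the syscall numbers covered, the policy values, the guest file contents and the monitor names are constructed assumptions) walks constructed guest events through semantic conversion, a fixed-threshold priority scheduling step, parallel IDS and file-access-control monitoring, the folding of their verdicts into a release/intercept/process control instruction, and the enforcement carried out by the monitoring and response modules, including the obfuscated file read that the description gives as an example of "process" handling.

```python
# Added walk-through of the FIG. 5 / FIG. 7 workflow. Not the patent's code: record
# layout, syscall coverage, policy values and file contents are constructed assumptions.
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from enum import Enum

Control = Enum("Control", "RELEASE INTERCEPT PROCESS")   # instructions on control flow ②

# Step 1: raw trapped syscalls (low-level semantics): VM id, x86-64 syscall number, args.
RAW_EVENTS = [
    {"id": 1, "vm": "guest-7", "nr": 257, "args": ["/etc/shadow", 0]},
    {"id": 2, "vm": "guest-7", "nr": 257, "args": ["/etc/passwd", 1]},
    {"id": 3, "vm": "guest-3", "nr": 42, "args": ["192.0.2.10", 25]},
    {"id": 4, "vm": "guest-3", "nr": 257, "args": ["/tmp/cache.bin", 0]},
]
SYSCALL_NAMES = {257: "openat", 42: "connect"}

# Security policy module (constructed values).
POLICY = {
    "priority": {"file_read": 1, "file_write": 3, "net_connect": 2},
    "sensitive_files": {"/etc/shadow"},   # reads go real-time (priority 3) and are masked
    "protected_dirs": ("/etc/",),         # writes are intercepted
    "blocked_ports": {25},                # outbound connections are intercepted
    "realtime_min_priority": 2,           # anything lower is only logged
}
GUEST_FILES = {"/etc/shadow": "root:$6$saltsalt$hashhash:19000:0:99999:7:::\n"
                              "alice:$6$xyz$abc:19001:0:99999:7:::\n"}  # constructed


@dataclass
class SecurityEvent:      # high-level semantics: which VM, which operation, which resource
    id: int
    vm: str
    operation: str
    resource: str


def semantic_convert(raw: dict) -> SecurityEvent:
    """Steps 2-3: syscall number + raw arguments -> operation + resource."""
    name = SYSCALL_NAMES.get(raw["nr"], f"syscall_{raw['nr']}")
    if name == "openat":
        mode = "write" if raw["args"][1] & 3 else "read"   # O_WRONLY=1, O_RDWR=2
        return SecurityEvent(raw["id"], raw["vm"], f"file_{mode}", raw["args"][0])
    if name == "connect":
        host, port = raw["args"]
        return SecurityEvent(raw["id"], raw["vm"], "net_connect", f"{host}:{port}")
    return SecurityEvent(raw["id"], raw["vm"], name, "")


def schedule(ev: SecurityEvent, log_store: list) -> bool:
    """Step 4: True = real-time path, False = logged for post-hoc review."""
    prio = 3 if ev.resource in POLICY["sensitive_files"] else POLICY["priority"].get(ev.operation, 0)
    if prio >= POLICY["realtime_min_priority"]:
        return True
    log_store.append(ev)
    return False


# Step 6: security monitoring modules; each returns a verdict string or None.
def ids_module(ev: SecurityEvent):
    if ev.operation == "net_connect":
        port = int(ev.resource.rsplit(":", 1)[1])
        return "deny" if port in POLICY["blocked_ports"] else None
    return None


def file_access_control(ev: SecurityEvent):
    if ev.operation == "file_write" and ev.resource.startswith(POLICY["protected_dirs"]):
        return "deny"
    if ev.operation == "file_read" and ev.resource in POLICY["sensitive_files"]:
        return "mask"
    return None


def analyse(ev: SecurityEvent) -> list:
    """Step 5: push the event to the monitoring modules, which run in parallel."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        return [v for v in pool.map(lambda m: m(ev), (ids_module, file_access_control)) if v]


def decide(verdicts: list) -> Control:
    """Step 7: fold the analysis results into a single control instruction."""
    if "deny" in verdicts:
        return Control.INTERCEPT
    return Control.PROCESS if "mask" in verdicts else Control.RELEASE


def mask_secrets(content: str) -> str:
    """'Process' handling of a sensitive read: blank the hash field of each line."""
    rows = (line.split(":") for line in content.splitlines())
    return "".join(":".join(["***" if i == 1 else f for i, f in enumerate(r)]) + "\n" for r in rows)


def enforce(ev: SecurityEvent, ctrl: Control) -> tuple:
    """Steps 8-9: release directly, intercept with an error, or process then release."""
    if ctrl is Control.RELEASE:
        return ("released", None)
    if ctrl is Control.INTERCEPT:
        return ("error", "EACCES")
    return ("released", mask_secrets(GUEST_FILES.get(ev.resource, "")))


def run_pipeline(raw_events=RAW_EVENTS) -> dict:
    """Runs each constructed event through steps 1-9; returns {event id: outcome}."""
    log_store, outcomes = [], {}
    for raw in raw_events:
        ev = semantic_convert(raw)
        outcomes[ev.id] = enforce(ev, decide(analyse(ev))) if schedule(ev, log_store) else ("logged", None)
    return outcomes
```

Running `run_pipeline()` gives the four outcomes the description implies: the `/etc/shadow` read is escalated, analysed and released with the hash field masked; the write under `/etc/` and the connection to a blocked port are intercepted with an error; the `/tmp` read never reaches the monitors in real time and is only logged. Because an intercept verdict wins over a mask verdict in `decide`, a single denying module is enough to stop an event even when another module would have allowed a processed form of it.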
It should be pointed out that the specific embodiments described above enable those skilled in the art to understand the invention more fully, but do not limit the invention in any way. Therefore, although this specification has described the invention in detail with reference to the accompanying drawings and embodiments, those skilled in the art should understand that the invention may still be modified or replaced by equivalents; in short, all technical solutions and improvements that do not depart from the spirit and scope of the invention shall fall within the protection scope of the invention patent.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310048933.3A CN103178988B (en) | 2013-02-06 | 2013-02-06 | The monitoring method and system of the virtual resources that a kind of performance optimizes |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103178988A CN103178988A (en) | 2013-06-26 |
| CN103178988B true CN103178988B (en) | 2016-08-03 |
Family
ID=48638620
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | AV01 | Patent right actively abandoned | Granted publication date: 20160803; effective date of abandoning: 20250205 |