Cloud computing network security service

Document No.: 1711826    Publication date: 2019-12-13

Reading note: This technology, Cloud computing network security service (云计算网络安全服务), was designed and created by 帅仁俊 (Shuai Renjun), 马力 (Ma Li) and 郭汉 (Guo Han) on 2018-06-05. Its main content is as follows: The invention discloses a cloud computing network security service in the technical field of computers. The health cloud-oriented network security service method provides an automatic and efficient customized network security service for the network security requirements of health cloud users; it provides a unified log management format, which facilitates network situation analysis and improves system performance; it gives the access control of the health cloud better scalability and robustness; it reduces the cost of the health cloud system and the complexity of its maintenance and management; and it improves the network security service performance of the health cloud system in terms of delay, throughput and packet loss rate.

1. A cloud computing network security service, characterized in that: the cloud computing network security service comprises a health cloud platform; the health cloud platform acquires resident health data from mobile terminals to establish a health file management system and provides a health file query service, an appointment registration service, a health knowledge push service, a home health service, a health consultation service and intelligent big data analysis; a health cloud user only needs to fill in a security template according to his or her own network security requirements, the security template comprising an IP address, a port number and whether network layer detection, anti-virus detection, anti-spam detection and the like are needed; the security requirements to be provided are refined according to the needed detection types; the health cloud user normalizes the security requirements into the security template, encrypts it and submits it to the system; a SPEC analyzer analyzes the cloud user's SPEC together with the Mbox state information, Mbox topology and vSwitch information to generate an FMC security path and security filtering rules; the RouteGen converter converts the FMC security path into forwarding rules, so that traffic forwarded along the FMC chain undergoes security detection and filtering; the MD then issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mbox; apart from later adjustment of special rules, the whole process needs no manual intervention and is completed automatically by the system; the health cloud-oriented customized network security service mainly comprises five components: SMG, SMD, Dom0, service domains and vSwitch (virtual switch); whenever a service domain is accessed, external or internal traffic needs to pass through the required filtering domains; and if the network is attacked, the attack log is stored in the ELMD (log management domain).

2. The cloud computing network security service of claim 1, wherein: the functions of each part of the health cloud-oriented network security customized service are as follows:

(1) The SMG mainly comprises security groups such as an AS (anti-spam) group, a FW (firewall) group and an AV (anti-virus) group, and is responsible for storing the attack logs, statistical information and the like generated by detection and filtering as events in the ELMD of the SMD;

(2) The SMD consists of the MD (management domain) and the ELMD, where the ELMD stores and manages the events and logs originating from the SMG. The main functions of the MD are: creating/deleting any domain in the SMG; issuing forwarding rules to the vSwitch so that traffic accessing a service domain passes through the corresponding FMC (security detection chain) for security detection and filtering; and collecting state information (e.g. load, failure) for each group in the SMG and accepting forwarding information (e.g. traffic) from the vSwitch;

(3) Dom0 has reduced rights: it cannot create/start, stop or delete any domain in the SMG, but still retains the rights to handle and manage any virtual machine in the service domains, including time-slice scheduling, I/O allocation, etc.;

(4) The service domains carry the various types of network-based health cloud user services, such as FTP (file transfer protocol) services, Web services and the like;

(5) The vSwitch is responsible for receiving the forwarding rules issued by the MD and forwarding internal and external traffic through the security domains for detection and filtering.

3. The cloud computing network security service of claim 2, wherein: the MD mainly comprises a SPEC analyzer and a RouteGen converter; the SPEC analyzer analyzes the cloud user's SPEC together with the state information of the Mboxes (network devices), the Mbox topology and the vSwitch information to generate an FMC security path and security filtering rules; the RouteGen converter converts the FMC security path into forwarding rules, so that traffic forwarded along the FMC chain undergoes security detection and filtering; finally the MD issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mbox.

4. The cloud computing network security service of claim 1, wherein: the virtual Mboxes should have a unified log format; after the ELMD receives the logs, the log classifier of the ELMD classifies and stores them so as to facilitate subsequent access based on user permissions.

Technical Field

The invention relates to the technical field of computers, in particular to cloud computing network security service.

Background

In the field of cloud computing, network security is regarded as one of the most important security issues; its threats can be as fatal as those of data security breaches and privacy disclosure. If cloud computing security adopts a customized security service strategy, the security level can be adapted to the service type and security requirements, so that the security requirements of cloud user services are met while the consumption of cloud computing resources is reduced.

CloudWatcher proposes a customized cloud computing network security service: security requirements are filled in according to the cloud user's services and submitted to CloudWatcher, which parses the requirements and forms a customized security service. However, CloudWatcher only proposes the concept; it gives no specific, feasible implementation of the templates and of the requirement analysis, does not generate security check chains, and does not consider Mbox load balancing, availability or scalability. Chen, Jianyong et al. attempt to provide on-demand cloud computing security services, but because stricter security requirements need more resources such as security detection time, memory and bandwidth, it is impractical to apply the strictest security measures to all cloud computing services; doing so can seriously impair cloud computing availability or even render it unusable.

The health cloud carries complex network services. The traditional approach protects network security by integrating a large number of Mboxes; so much equipment brings high cost, high complexity, poor scalability and serious performance bottlenecks, and cannot prevent network attacks between virtual machines. The health cloud involves many user types and stores their important information, so user privacy must not be disclosed; yet a cloud service provider cannot know the network security requirements of health cloud users and therefore cannot provide customized network security services. Moreover, different types of Mbox differ greatly in configuration and management, so providing customized network security services manually would be almost impossible to accomplish, and the high cost of Mboxes is not conducive to large-scale deployment.

Disclosure of Invention

The technical problem to be solved by the invention is to provide a cloud computing network security service, together with a scheme for configuring, managing and maintaining Mboxes automatically and efficiently, so as to provide customized network security services for health cloud users; at the same time, virtual Mboxes are fully used in place of hardware Mboxes, so that hardware expenditure and cost are reduced and system performance is improved.

In order to achieve the above purpose, the present invention provides the following technical solutions:

The cloud computing network security service comprises a health cloud platform. The health cloud platform acquires resident health data from mobile terminals to establish a health file management system and provides a health file query service, an appointment registration service, a health knowledge push service, a home health service, a health consultation service and intelligent big data analysis. A health cloud user only needs to fill in a security template according to his or her own network security requirements; the security template comprises an IP address, a port number and whether network layer detection, anti-virus detection, anti-spam detection and the like are needed, and the security requirements to be provided are then refined according to the needed detection types. The health cloud user normalizes the security requirements into the security template, encrypts it and submits it to the system; a SPEC analyzer analyzes the cloud user's SPEC together with the Mbox state information, Mbox topology and vSwitch information to generate an FMC security path and security filtering rules; the RouteGen converter converts the FMC security path into forwarding rules, so that traffic forwarded along the FMC chain undergoes security detection and filtering; the MD then issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mbox. Apart from later adjustment of special rules, the whole process needs no manual intervention and is completed automatically by the system. The health cloud-oriented customized network security service mainly comprises five components: SMG, SMD, Dom0, service domains and vSwitch (virtual switch); whenever a service domain is accessed, external or internal traffic needs to pass through the required filtering domains, and if the network is attacked, the attack log is stored in the ELMD (log management domain).

Preferably, the functions of each part of the health cloud-oriented network security customization service are as follows:

(1) The SMG mainly comprises security groups such as an AS (anti-spam) group, a FW (firewall) group and an AV (anti-virus) group, and is responsible for storing the attack logs, statistical information and the like generated by detection and filtering as events in the ELMD of the SMD;

(2) The SMD consists of the MD (management domain) and the ELMD, where the ELMD stores and manages the events and logs originating from the SMG. The main functions of the MD are: creating/deleting any domain in the SMG; issuing forwarding rules to the vSwitch so that traffic accessing a service domain passes through the corresponding FMC (security detection chain) for security detection and filtering; and collecting state information (e.g. load, failure) for each group in the SMG and accepting forwarding information (e.g. traffic) from the vSwitch;

(3) Dom0 has reduced rights: it cannot create/start, stop or delete any domain in the SMG, but still retains the rights to handle and manage any virtual machine in the service domains, including time-slice scheduling, I/O allocation, etc.;

(4) The service domains carry the various types of network-based health cloud user services, such as FTP (file transfer protocol) services, Web services and the like;

(5) The vSwitch is responsible for receiving the forwarding rules issued by the MD and forwarding internal and external traffic through the security domains for detection and filtering.

Preferably, the MD mainly comprises a SPEC analyzer and a RouteGen converter: the SPEC analyzer generates an FMC security path and security filtering rules by analyzing the cloud user's SPEC, the state information of the Mboxes (network devices), the Mbox topology and the vSwitch information; the RouteGen converter converts the FMC security path into forwarding rules, so that traffic forwarded along the FMC chain undergoes security detection and filtering; finally the MD issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mbox.

Preferably, the virtual Mboxes should have a unified log format; after the ELMD receives the logs, the log classifier of the ELMD classifies and stores them so as to facilitate subsequent access based on user permissions.

The beneficial effects of adopting the above technical scheme are:

1. The method provides an automatic and efficient customized network security service for the network security requirements of health cloud users;

2. A unified log management format is provided, which facilitates network situation analysis and improves system performance;

3. The method gives the access control of the health cloud better scalability and robustness;

4. The cost of the health cloud system and the complexity of its maintenance and management are reduced;

5. The network security service performance of the health cloud system, such as delay, throughput and packet loss rate, is improved.

Drawings

The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of a health cloud oriented customized network security service application;

FIG. 2 is a schematic diagram of the overall design of a health cloud-oriented customized network security service;

Fig. 3 is a schematic diagram of a health cloud-oriented customized network security service application.

In the figure, IDS-intrusion detection system, WAF-Web application firewall, UMT-unified threat management, FW-firewall, EDS-encryption and decryption software, AV-antivirus, AS-anti-spam.

Detailed Description

The following describes a preferred embodiment of the cloud computing network security service according to the present invention in detail with reference to the accompanying drawings.

Fig. 1 to 3 show a specific embodiment of the cloud computing network security service:

The user types of the health cloud are broadly divided into residents, hospitals and medical institutions, government health institutions and third-party institutions, each with a different role type. The health cloud platform acquires resident health data from mobile terminals (such as a sphygmomanometer, a blood glucose meter and the like) to establish a health file management system, and provides a health file query service, an appointment registration service, a health knowledge push service, a home health service, a health consultation service, intelligent big data analysis and the like, as shown in Fig. 1. The health cloud-oriented network security customization service provides customized network security services for the different services of the different roles.

The health cloud user only needs to fill in a security template according to his or her own network security requirements; the template comprises an IP address, a port number and whether network layer detection, anti-virus detection, anti-spam detection and the like are needed, and the security requirements to be provided are then refined according to the required detection types. The health cloud user normalizes the security requirements into the security template, encrypts it and submits it to the system; the SPEC analyzer analyzes the cloud user's SPEC together with the Mbox state information, Mbox topology and vSwitch information to generate an FMC security path and security filtering rules; the RouteGen converter converts the FMC security path into forwarding rules, so that traffic forwarded along the FMC chain undergoes security detection and filtering; the MD then issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mbox. The overall system structure is shown in Fig. 2. Apart from later adjustment of special rules, the whole process needs no manual intervention and is completed automatically by the system.

The health cloud-oriented network security customization service mainly comprises five components: SMG, SMD, Dom0, service domains and vSwitch (virtual switch). To guarantee the network security of the service domains, whenever a service domain is accessed, external or internal traffic needs to pass through the required filtering domains; if the network is attacked, the attack log is stored in the ELMD (log management domain), as shown in Fig. 3.

The functions of the various parts are as follows:

(1) The SMG is mainly composed of security groups such as an AS (anti-spam) group, a FW (firewall) group and an AV (anti-virus) group, and is responsible for storing the attack logs, statistical information and the like generated by detection and filtering as events in the ELMD of the SMD.

(2) The SMD consists of the MD (management domain) and the ELMD, where the ELMD stores and manages the events and logs originating from the SMG. The main functions of the MD are: creating/deleting any domain in the SMG; issuing forwarding rules to the vSwitch so that traffic accessing a service domain passes through the corresponding FMC (security detection chain) for security detection and filtering; and collecting state information (e.g. load, failure) for each group in the SMG and accepting forwarding information (e.g. traffic) from the vSwitch.

(3) Dom0 has reduced rights: it cannot create/start, stop or delete any domain in the SMG, but still retains the rights to handle and manage any virtual machine in the service domains, including time-slice scheduling, I/O allocation, etc.

(4) The service domains carry the various types of network-based health cloud user services, such as FTP (file transfer protocol) services, Web services and the like.

(5) The vSwitch is responsible for receiving the forwarding rules issued by the MD and forwarding internal and external traffic through the security domains for detection and filtering.

The MD consists primarily of a SPEC analyzer and a RouteGen converter. The SPEC analyzer analyzes the cloud user's SPEC, the state information of the Mboxes (network devices), the Mbox topology and the vSwitch information to generate FMC security paths and security filtering rules. The RouteGen converter converts the FMC security path into forwarding rules, and security detection and filtering are performed by forwarding the traffic along the FMC chain. Finally, the MD issues the forwarding rules to the vSwitch and forwards the security filtering rules to the corresponding Mbox.
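As an added illustration of the SPEC analyzer and RouteGen steps just described (example code written for this page, not the patent's own implementation), the following Python models the security template, the Mbox state information collected by the MD, the generated FMC path and filtering rules, and the forwarding rules issued to the vSwitch. The fixed chain order, the class and field names, the load-based choice of Mbox and the shape of the rule dictionaries are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed fixed chain order: firewall first, then anti-virus, then anti-spam.
CHAIN_ORDER = ("FW", "AV", "AS")
# Maps each SMG security group to the yes/no field of the security template that requests it.
GROUP_TO_TEMPLATE_FIELD = {"FW": "network_layer", "AV": "anti_virus", "AS": "anti_spam"}


@dataclass
class Mbox:
    """One virtual Mbox as seen by the MD: its group plus the collected state information."""
    name: str
    group: str
    load: float          # assumed 0.0 .. 1.0, reported to the MD
    failed: bool = False


@dataclass
class SecurityTemplate:
    """The template fields the page names: service IP, port, and which detections are wanted."""
    ip: str
    port: int
    detections: dict     # e.g. {"network_layer": True, "anti_virus": True, "anti_spam": False}


def spec_analyze(tmpl, mboxes):
    """Toy SPEC analyzer: returns (FMC security path, security filtering rules).

    The path is the ordered list of Mbox names the service's traffic must traverse,
    one Mbox per requested group; the least-loaded healthy Mbox of each group is chosen.
    """
    ip_address(tmpl.ip)                       # reject a malformed template before acting on it
    if not 0 < tmpl.port < 65536:
        raise ValueError("port out of range")
    path = []
    for group in CHAIN_ORDER:
        if not tmpl.detections.get(GROUP_TO_TEMPLATE_FIELD[group]):
            continue                          # this detection type was not requested
        healthy = [m for m in mboxes if m.group == group and not m.failed]
        if not healthy:
            raise RuntimeError(f"no healthy Mbox available in group {group}")
        path.append(min(healthy, key=lambda m: m.load).name)
    # One filtering rule per Mbox on the path: inspect traffic for this service only.
    filter_rules = [{"mbox": name, "dst_ip": tmpl.ip, "dst_port": tmpl.port} for name in path]
    return path, filter_rules


def routegen(tmpl, path):
    """Toy RouteGen: turn the FMC path into vSwitch forwarding rules.

    Traffic for the service's ip:port is steered hop by hop through the chain and
    only then delivered to the service domain, so no packet bypasses an Mbox.
    """
    rules, prev_hop = [], "ingress"
    for hop in path + ["service"]:
        rules.append({"match": {"dst_ip": tmpl.ip, "dst_port": tmpl.port, "in_from": prev_hop},
                      "forward_to": hop})
        prev_hop = hop
    return rules
```

A failed or missing Mbox in a requested group is reported instead of silently shortening the chain, which is the case a practitioner would want surfaced to the MD.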

To facilitate identification and standardized management of the virtual Mbox logs, the virtual Mboxes should have a unified log format comprising the following fields: log type, Mbox unique identifier, event indication, unique indication of the particular service, source IP, source port, destination IP, destination port, protocol, and a detailed description of the log event. After the ELMD receives the logs, the log classifier of the ELMD classifies and stores them so as to facilitate later access based on user authority. For example, a health cloud user can only view the logs, and the statistics derived from them, generated when his or her own services are attacked, while the cloud service provider can view system logs, audit logs and the like.
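An added example (not the patent's own code) of the unified log format, the ELMD log classifier and permission-based access described above, in Python. The "|" delimiter, the sample log lines, the role names and the permission model are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# The ten fields of the unified log format, in the order the page lists them.
FIELDS = ("log_type", "mbox_id", "event", "service_id", "src_ip", "src_port",
          "dst_ip", "dst_port", "protocol", "description")


@dataclass(frozen=True)
class LogEntry:
    log_type: str
    mbox_id: str
    event: str
    service_id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    description: str


def parse_log_line(line):
    """Parse one '|'-delimited unified log line; the free-text description may itself contain '|'."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    d = dict(zip(FIELDS, parts))
    ip_address(d["src_ip"]); ip_address(d["dst_ip"])   # reject garbage before it is stored
    d["src_port"] = int(d["src_port"]); d["dst_port"] = int(d["dst_port"])
    return LogEntry(**d)


def classify(entries):
    """ELMD log classifier: bucket entries by log type, then by the service they belong to."""
    buckets = {}
    for e in entries:
        buckets.setdefault(e.log_type, {}).setdefault(e.service_id, []).append(e)
    return buckets


def visible_to(entries, role, owned_services=()):
    """Permission-based access (assumed model): a health cloud user sees only attack logs for
    the services it owns; the cloud service provider sees system and audit logs."""
    if role == "provider":
        return [e for e in entries if e.log_type in ("system", "audit")]
    if role == "user":
        return [e for e in entries if e.log_type == "attack" and e.service_id in owned_services]
    return []


# Constructed sample lines in the assumed format; not real data.
SAMPLE_LOGS = [
    "attack|fw-01|blocked|svc-ehr-web|203.0.113.9|51234|10.0.0.5|443|TCP|SYN flood threshold exceeded",
    "attack|av-02|dropped|svc-hosp-ftp|198.51.100.4|40001|10.0.0.8|21|TCP|malware signature match",
    "audit|md-01|rule_push|-|10.0.0.1|0|10.0.0.2|0|-|forwarding rule issued to vSwitch",
    "system|av-02|load|-|10.0.0.8|0|10.0.0.8|0|-|load=0.82",
]
```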

The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make many variations and modifications without departing from the inventive concept of the present invention, and these fall within the protection scope of the present invention.
