
CN105592088A - Virtual machine flow monitoring method and device, and terminal - Google Patents


Info

Publication number: CN105592088A
Authority: CN (China)
Prior art keywords: virtual machine, traffic, access, policy, monitoring
Legal status: Pending
Application number: CN201510992379.3A
Other languages: Chinese (zh)
Inventors: 汤迪斌, 杨晓东
Current assignees: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Priority to CN201510992379.3A
Publication of CN105592088A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention provides a method and device for monitoring virtual machine traffic. An agent client connected to a control center is arranged inside the virtual machine. The method comprises: the agent client acquiring the access traffic of the virtual machine and monitoring it according to a preset policy; and the agent client determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine, wherein the preset policy is a policy issued by the control center according to the identifier of the virtual machine and corresponding to that virtual machine. The method monitors the access traffic of each virtual machine through the agent client inside it, makes it possible to monitor interactions between virtual machines or between virtual machines on different physical terminals, and improves the security of data inside the virtual machines.

Description

Method, device and terminal for monitoring virtual machine traffic

Technical field

The present invention relates to the field of Internet technology, and in particular to a method, device and terminal for monitoring virtual machine traffic.

Background

An enterprise generally has many physical terminals but only a single entry or exit point to the outside world, and perimeter defence is performed by placing a firewall at that entry or exit point. With the ever wider use of computers and networks and the growing variety of business types across different fields, virtual machines in distributed environments have emerged (a virtual machine is a computer system that runs on a physical machine by software emulation, has a complete set of hardware system functions, and runs in a fully isolated environment).

Because virtualised services for many groups have no traditional boundary, the interactions between virtual machines, or between virtual machines on different physical terminals, cannot be monitored, so there is a risk that data belonging to the various departments within the enterprise is stolen.

Summary of the invention

In view of the above-mentioned defects of the prior art, a method, device and terminal for monitoring virtual machine traffic are proposed to solve the above technical problems.

In a first aspect, the present invention provides a device for monitoring virtual machine traffic, the device being arranged inside the virtual machine and connected to a control center, the device comprising:

an acquisition module, configured to acquire the access traffic of the virtual machine;

a monitoring module, configured to monitor the access traffic according to a preset policy;

a determining module, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is a policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.

Optionally, the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;

correspondingly, the monitoring module is configured to:

perform monitoring according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.

Optionally, the device further includes a receiving module, configured to receive the preset policy issued by the control center.

Optionally, the monitoring module is configured to:

acquire the source address, destination address and access information of the access traffic;

monitor the source address, destination address and access information of the access traffic according to the preset policy.

Optionally, the determining module is configured to:

intercept the access traffic when the access traffic of the virtual machine does not comply with the preset policy.

In a second aspect, the present invention further provides a device for monitoring virtual machine traffic, the device being connected to an agent client arranged inside the virtual machine, the device comprising:

an acquisition module, configured to acquire the access rights of multiple virtual machines;

a policy configuration module, configured to configure policies corresponding to the access rights of the multiple virtual machines, the policies including the identifiers of the virtual machines;

a sending module, configured to send, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client inside the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.

Optionally, the device further includes an update module, configured to update the configured policies.

In a third aspect, the present invention further provides a method for monitoring virtual machine traffic, wherein an agent client is arranged inside the virtual machine and is connected to a control center, the method comprising:

the agent client acquiring the access traffic of the virtual machine and monitoring the access traffic according to a preset policy;

the agent client determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is a policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.

Optionally, the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine;

correspondingly, monitoring the access traffic according to the preset policy includes:

the agent client performing monitoring according to the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.

Optionally, before acquiring the access traffic of the virtual machine, the method further includes:

receiving the preset policy issued by the control center.

Optionally, monitoring the access traffic according to the preset policy includes:

acquiring the source address, destination address and access information of the access traffic;

monitoring the source address, destination address and access information of the access traffic according to the preset policy.

Optionally, determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine includes:

intercepting the access traffic if the access traffic of the virtual machine does not comply with the preset policy.

In a fourth aspect, the present invention further provides a method for monitoring virtual machine traffic, wherein an agent client is arranged inside the virtual machine and is connected to a control center, the method comprising:

the control center acquiring the access rights of multiple virtual machines and configuring policies corresponding to those access rights, the policies including the identifiers of the virtual machines;

the control center sending, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client inside the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.

Optionally, after the control center acquires the access rights of the multiple virtual machines, the method further includes:

updating the configured policies.

In a fifth aspect, the present invention further provides a terminal, including a virtual machine and the device described above, the device being arranged inside the virtual machine.

As can be seen from the above technical solution, the present invention provides a method, device and terminal for monitoring virtual machine traffic: an agent client is arranged inside each virtual machine, and the agent client in each virtual machine monitors the access traffic of the virtual machine it resides in. This makes it possible to monitor interactions between virtual machines, or between virtual machines on different physical terminals, and improves the security of data inside the virtual machines.

Description of the drawings

To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a method for monitoring virtual machine traffic according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a method for monitoring virtual machine traffic according to another embodiment of the present invention;

FIG. 3 is a schematic flowchart of a method for monitoring virtual machine traffic according to another embodiment of the present invention;

FIG. 4 is a schematic structural diagram of a device for monitoring virtual machine traffic according to an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of a device for monitoring virtual machine traffic according to another embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of those embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

FIG. 1 shows a schematic flowchart of a method for monitoring virtual machine traffic according to an embodiment of the present invention. As shown in FIG. 1, in this method an agent client is arranged inside the virtual machine and is connected to a control center, and the method includes:

101. The agent client acquires the access traffic of the virtual machine and monitors the access traffic according to a preset policy.

It should be understood that an agent client is arranged inside every virtual machine and is connected to the control center. The control center pushes a different policy to each agent client according to the virtual machine in which that agent client resides, so that the agent client monitors the access traffic of its own virtual machine.

The preset policy may be sent by the control center to the agent client. Specifically, the agent client may monitor both the traffic of accesses made to its virtual machine and the traffic of accesses initiated by it.

102. The agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine.

Here, the preset policy is a policy corresponding to the identifier of the virtual machine, issued by the control center according to that identifier.

It should be noted that in this embodiment an agent client is arranged inside every virtual machine, and the multiple agent clients together form a firewall monitoring system; in effect, a firewall monitoring system is deployed in a distributed manner, as an agent client inside each virtual machine, to monitor traffic between virtual machines. Compared with the prior art, in which a single firewall monitors the traffic of all virtual machines as a whole, this makes it possible to monitor interactions between virtual machines, or between virtual machines on different physical terminals, and improves the security of data inside the virtual machines.

For example, for the administrative department of a company, the prior art uses one firewall to monitor the access traffic of all virtual machines between other departments and the administrative department, but that firewall cannot monitor traffic between the individual virtual machines within the administrative department. In this embodiment, by contrast, an agent client is arranged in every virtual machine in a distributed manner, so that, unlike the monolithic monitoring of the existing approach, traffic between virtual machines within a department can also be monitored, which improves the user experience.

Every virtual machine has a virtual machine identifier. Because the agent client is arranged inside each virtual machine, the control center must issue policies to agent clients according to the virtual machine identifier. In this way, when a virtual machine is migrated, for example when a physical machine needs maintenance and another physical machine takes its place, it is only necessary to send the corresponding policy to the agent client inside the virtual machine on the replacement physical machine; the virtual machine itself does not need to be replaced, and the policy and the virtual machine are kept in sync.

The above method monitors the access traffic of each virtual machine through the agent client inside that virtual machine, thereby making it possible to monitor interactions between virtual machines, or between virtual machines on different physical terminals, and improving the security of data inside the virtual machines.

The above method is described in detail below by means of specific embodiments.

201. Receive the preset policy issued by the control center.

To meet the business needs of the different departments of an enterprise, different numbers of virtual machines are often allocated to different departments for their use. These virtual machines each have their own independent IP address and their own identifier. The identifier may be a group identifier within a department, which corresponds to several virtual machines; in that case the same preset policy is issued directly, according to the group identifier, to all virtual machines with that identifier, which is simpler and more efficient to execute. If, however, a fine distinction must be drawn between managers and their subordinates within a department, or the policy for each individual virtual machine must be strictly controlled, the identifier may be understood as the identifier of a single virtual machine, that is, identifiers and virtual machines correspond one to one. A preset policy is then issued for every identifier, with a different preset policy for each, which makes it possible to monitor traffic between every pair of virtual machines; execution is not as fast as with group identifiers, but the traffic between every virtual machine can be strictly controlled, which secures the traffic between virtual machines. This embodiment does not limit the meaning of the issued preset policies or identifiers described above; the appropriate scheme may be applied according to the specific situation.

For example, grouping may be used between the virtual machines on the physical machines of the staff of the administration and human resources department, while a one-to-one correspondence between identifiers and virtual machines may be used between the virtual machines on the physical machines of the finance department.

202. The agent client acquires the access traffic of the virtual machine.

Here, the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.

203. Monitor the access traffic according to the preset policy.

The access traffic described above may include the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine, and the agent client performs monitoring according to both.

Specifically, the access traffic may be monitored in the following way, which includes the following sub-steps:

2031. Acquire the source address, destination address and access information of the access traffic.

Taking the administration and human resources department as an example: the agent client in the virtual machine on the administration manager's physical machine monitors every access flow it acquires and obtains the source address, destination address and access information of the access traffic. Specifically, obtaining the source address of the access request can be understood as obtaining the origin of the request, for example the IP address of a physical host in the technical department or the identifier of a virtual machine on some physical machine; the destination address is the path of the folder being accessed; and the access information is the specific file being accessed.

2032. Monitor the source address, destination address and access information of the access traffic according to the preset policy.

The preset policy includes a virtual machine identifier and the policy corresponding to that identifier, and the policy may include access rights information associated with the identifier, for example: which identified virtual machines or which physical-machine IP addresses may access this virtual machine; which identified virtual machines or physical-machine IP addresses this virtual machine may access; which files on which identified virtual machines or physical-machine IP addresses this virtual machine may access; and which files on this virtual machine which identified virtual machines or physical-machine IP addresses are allowed to access.

For example, on the virtual machines of the administration and human resources department, the identified virtual machines and physical-machine IP addresses of other departments may be denied access to any file, or allowed to access only files related to the requester's own information, such as the requester's personnel records, for example housing fund, social insurance and salary information. Files on the virtual machine of the administration and human resources manager may be closed to any access from the identified virtual machines or physical-machine IP addresses of the department's staff. The same applies to the finance department or the technical department, to prevent the company's financial information or core technology from being stolen.

204. Determine, according to the monitoring result, whether the access traffic of the virtual machine complies with the preset policy: if it does not, perform step 205; if it does, do not intercept the access traffic of the virtual machine.

205. If the access traffic of the virtual machine does not comply with the preset policy, intercept the access traffic.

In the above method, the agent client monitors the traffic of its own virtual machine according to the policy issued by the control center. The method does not depend on any particular platform, such as KVM or Xen; it only requires that an agent client can be installed in the virtual machine, or in the virtual machines on a physical machine. Monitoring virtual machines in this way is convenient, since the control center only needs to issue the corresponding preset policy according to the virtual machine identifier. Moreover, during virtual machine migration, because the policy is issued to the agent client rather than to the virtual machine, the policy no longer needs to be synchronised with the virtual machine; it is enough to re-issue the preset policy to the agent client corresponding to that virtual machine.

FIG. 3 shows a schematic flowchart of a method for monitoring virtual machine traffic according to an embodiment of the present invention. As shown in FIG. 3, an agent client is arranged inside the virtual machine and is connected to a control center, and the method includes the following steps:

301. The control center acquires the access rights of multiple virtual machines and configures policies corresponding to those access rights, the policies including the identifiers of the virtual machines;

The access rights can be understood as the rights, obtained for the identifier of a virtual machine, of the virtual machine corresponding to that identifier to receive access requests and to send access requests.

302. The control center sends, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client inside the virtual machine corresponding to that identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

Here, the access traffic of the virtual machine includes the traffic of access requests received by the virtual machine and the traffic of access requests sent by the virtual machine.

In the above method, the control center sends the policy corresponding to the identifier of a virtual machine to the agent client in that virtual machine according to the identifier, so that the agent client monitors the access traffic of its own virtual machine according to the preset policy. This secures the access traffic between virtual machines and contributes to the monitoring of data inside the enterprise.

In addition, because the access traffic policies of different virtual machines may change, after the control center has acquired the access rights of the multiple virtual machines the method further includes updating the configured policies. This ensures that the preset policy held by the agent client in every virtual machine is the latest policy, and improves monitoring efficiency.
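As an added example (not code from the patent or its assignees), the following Python model shows the control-center side of steps 301 and 302 and the policy-update step above together with the in-VM agent side of steps 201 to 205: policies are keyed by virtual machine identifier, the agent checks inbound flows by requester and accessed file and outbound flows by target, and intercepts whatever the policy does not permit. The policy format, glob-pattern matching, the version check, the fail-closed default and all names and sample flows are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

INBOUND, OUTBOUND = "inbound", "outbound"  # VM receives / VM sends a request

@dataclass(frozen=True)
class Flow:
    """One access request as the agent sees it (constructed sample data)."""
    direction: str  # INBOUND or OUTBOUND
    src: str        # requester: physical-host IP or VM identifier
    dst: str        # target: physical-host IP or VM identifier
    path: str       # folder path on the target (step 2031 "destination address")
    resource: str   # file accessed (step 2031 "access information")

@dataclass
class Policy:  # issued per VM identifier, never per physical host
    vm_id: str
    version: int
    inbound_allow: Dict[str, List[str]] = field(default_factory=dict)  # requester glob -> path/file globs
    outbound_allow: List[str] = field(default_factory=list)            # target globs this VM may contact

class Agent:
    """Agent client inside one VM; it enforces only the policy for its own id."""
    def __init__(self, vm_id: str) -> None:
        self.vm_id = vm_id
        self.policy: Optional[Policy] = None

    def receive_policy(self, policy: Policy) -> bool:
        # Step 201: accept only a policy addressed to this VM id (rejecting older versions is an assumption)
        if policy.vm_id != self.vm_id:
            return False
        if self.policy is not None and policy.version < self.policy.version:
            return False
        self.policy = policy
        return True

    def inspect(self, flow: Flow) -> Tuple[bool, str]:
        """Steps 2031-2032 and 204-205: return (intercept, reason)."""
        if self.policy is None:
            return True, "no policy installed"  # assumption: fail closed
        if flow.direction == OUTBOUND:
            if flow.src != self.vm_id:
                return True, "outbound flow not from this VM"
            if any(fnmatchcase(flow.dst, p) for p in self.policy.outbound_allow):
                return False, "outbound target allowed"
            return True, f"outbound target {flow.dst} not in policy"
        if flow.direction == INBOUND:
            if flow.dst != self.vm_id:
                return True, "inbound flow not addressed to this VM"
            target = f"{flow.path}/{flow.resource}"
            for requester, globs in self.policy.inbound_allow.items():
                if fnmatchcase(flow.src, requester):
                    if any(fnmatchcase(target, g) for g in globs):
                        return False, f"{flow.src} may access {target}"
                    return True, f"{flow.src} may not access {target}"
            return True, f"requester {flow.src} not in policy"
        return True, f"unknown direction {flow.direction!r}"

class ControlCenter:
    """Steps 301-302: configure policies per VM id and push them to agents."""
    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}
        self.agents: Dict[str, Agent] = {}  # vm_id -> agent client in that VM

    def configure(self, vm_id: str, inbound_allow: Dict[str, List[str]],
                  outbound_allow: List[str]) -> Policy:
        # Re-configuring an existing id is the "update" step: bump the version.
        prev = self.policies.get(vm_id)
        pol = Policy(vm_id, prev.version + 1 if prev else 1,
                     dict(inbound_allow), list(outbound_allow))
        self.policies[vm_id] = pol
        return pol

    def push(self, vm_id: str) -> bool:
        # Delivery is keyed by VM id, so after a migration the same call re-issues the policy wherever the VM now runs.
        agent, pol = self.agents.get(vm_id), self.policies.get(vm_id)
        return agent is not None and pol is not None and agent.receive_policy(pol)

SAMPLE_FLOWS = {  # constructed scenario: HR manager's VM, an HR staff VM and a tech-department host
    "staff-own-record": Flow(INBOUND, "vm-hr-017", "vm-hr-mgr", "/hr/self", "payroll.xlsx"),
    "staff-mgr-file":   Flow(INBOUND, "vm-hr-017", "vm-hr-mgr", "/hr/mgr", "reviews.docx"),
    "tech-host":        Flow(INBOUND, "10.1.4.9", "vm-hr-mgr", "/hr/self", "payroll.xlsx"),
    "out-to-finance":   Flow(OUTBOUND, "vm-hr-mgr", "vm-fin-002", "/", "ledger.csv"),
    "out-to-hr":        Flow(OUTBOUND, "vm-hr-mgr", "vm-hr-017", "/", "memo.txt"),
}

def build_scenario() -> Tuple[ControlCenter, Agent]:
    # HR staff VMs may read only their own records; tech-department hosts may read nothing.
    cc, agent = ControlCenter(), Agent("vm-hr-mgr")
    cc.agents[agent.vm_id] = agent
    cc.configure("vm-hr-mgr", inbound_allow={"vm-hr-*": ["/hr/self/*"], "10.1.*": []},
                 outbound_allow=["vm-hr-*", "10.0.0.5"])
    cc.push("vm-hr-mgr")
    return cc, agent

def verdicts(agent: Agent) -> Dict[str, bool]:
    """Intercept decision for each sample flow (True = intercepted)."""
    return {name: agent.inspect(f)[0] for name, f in SAMPLE_FLOWS.items()}
```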

Fig. 4 is a schematic structural diagram of a virtual machine traffic monitoring device provided by an embodiment of the present invention. As shown in Fig. 4, the device is arranged in the virtual machine and connected to a control center, and the device includes:

an acquisition module 41, configured to acquire the access traffic of the virtual machine;

a monitoring module 42, configured to monitor the access traffic according to a preset policy;

a determination module 43, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to the identifier of the virtual machine.

In a preferred implementation of this embodiment, the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests;

correspondingly, the monitoring module is configured to:

monitor according to the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

In a preferred implementation of this embodiment, the device further includes a receiving module configured to receive the preset policy issued by the control center.

In a preferred implementation of this embodiment, the detection module is configured to:

acquire the source address, destination address and access information of the access traffic;

monitor the source address, destination address and access information of the access traffic according to the preset policy.

In a preferred implementation of this embodiment, the determination module is configured to:

intercept the access traffic when the access traffic of the virtual machine does not comply with the preset policy.

This embodiment also provides a terminal, including a virtual machine and the above device, the device being arranged in the virtual machine.

Fig. 5 is a schematic structural diagram of a virtual machine traffic monitoring device provided by an embodiment of the present invention. The device is connected to an agent client arranged in the virtual machine, and the device includes:

an acquisition module 51, configured to acquire the access rights of multiple virtual machines;

a policy configuration module 52, configured to configure policies corresponding to the access rights of the multiple virtual machines, the policies including the identifiers of the virtual machines;

a sending module 53, configured to send, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

In a preferred implementation of this embodiment, the device further includes an update module configured to update the configured policies.

It should be noted that the above devices correspond one-to-one with the above methods; the specific implementation details given for the methods apply equally to the devices, and this embodiment does not describe the implementation details of the devices again.
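The following is an added illustration, not code from the patent: a minimal Python model of the two roles described above, a control center that configures a versioned policy per virtual machine identifier and issues it, and an in-VM agent client that monitors inbound and outbound access traffic (source address, destination address, access information) against that policy and intercepts whatever does not comply, then applies a policy update. The VM identifier, the rule format (direction, source CIDR, destination CIDR, "proto/port" as the access information) and the sample flows are all constructed here.

```python
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One unit of access traffic seen by the agent (constructed record format)."""
    direction: str  # "inbound": the VM receives a request; "outbound": it sends one
    src: str        # source address
    dst: str        # destination address
    access: str     # access information, modelled here as "proto/port", e.g. "tcp/443"


@dataclass(frozen=True)
class Rule:
    """One permitted pattern: addresses are CIDRs, access may use "*" wildcards."""
    direction: str
    src: str
    dst: str
    access: str

    def matches(self, flow: Flow) -> bool:
        if self.direction != flow.direction:
            return False
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        proto, port = self.access.split("/")
        fproto, fport = flow.access.split("/")
        return proto in ("*", fproto) and port in ("*", fport)


@dataclass(frozen=True)
class Policy:
    vm_id: str            # the policy carries the identifier of the VM it is meant for
    version: int          # bumped on every update so an agent can reject stale copies
    rules: Tuple[Rule, ...]


class ControlCenter:
    """Configures a policy per VM identifier and issues it to that VM's agent."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}

    def configure(self, vm_id: str, rules: List[Rule]) -> Policy:
        old = self._policies.get(vm_id)
        policy = Policy(vm_id, (old.version + 1) if old else 1, tuple(rules))
        self._policies[vm_id] = policy
        return policy

    # Updating an already configured policy is the same operation with a new version.
    update = configure

    def issue(self, vm_id: str) -> Policy:
        return self._policies[vm_id]


class AgentClient:
    """Runs inside the VM; monitors its access traffic against the issued policy."""

    def __init__(self, vm_id: str) -> None:
        self.vm_id = vm_id
        self.policy: Optional[Policy] = None
        self.log: List[Tuple[Flow, str]] = []

    def receive_policy(self, policy: Policy) -> bool:
        # Accept only a policy addressed to this VM's identifier, and only a newer version.
        if policy.vm_id != self.vm_id:
            raise ValueError(f"policy for {policy.vm_id} delivered to {self.vm_id}")
        if self.policy is not None and policy.version <= self.policy.version:
            return False
        self.policy = policy
        return True

    def monitor(self, flow: Flow) -> str:
        # Traffic that does not comply with the preset policy is intercepted; with no
        # policy installed yet the agent fails closed rather than passing traffic.
        if self.policy is not None and any(r.matches(flow) for r in self.policy.rules):
            decision = "allow"
        else:
            decision = "intercept"
        self.log.append((flow, decision))
        return decision


def demo() -> Tuple[List[str], List[str]]:
    """Issue a policy, monitor four constructed flows, then push a policy update."""
    cc = ControlCenter()
    vm = "vm-web-01"  # constructed VM identifier
    cc.configure(vm, [
        Rule("inbound", "10.0.0.0/8", "10.1.2.3/32", "tcp/443"),     # intranet -> VM HTTPS
        Rule("outbound", "10.1.2.3/32", "10.2.0.0/16", "tcp/3306"),  # VM -> database segment
    ])
    agent = AgentClient(vm)
    agent.receive_policy(cc.issue(vm))
    flows = [  # constructed sample traffic
        Flow("inbound", "10.5.5.5", "10.1.2.3", "tcp/443"),      # compliant
        Flow("inbound", "10.5.5.5", "10.1.2.3", "tcp/22"),       # port not in policy
        Flow("outbound", "10.1.2.3", "10.2.9.9", "tcp/3306"),    # compliant
        Flow("outbound", "10.1.2.3", "203.0.113.7", "tcp/443"),  # destination not in policy
    ]
    before = [agent.monitor(f) for f in flows]
    # The control center updates the configured policy; the agent applies the newer version.
    extra = Rule("outbound", "10.1.2.3/32", "203.0.113.0/24", "tcp/443")
    cc.update(vm, list(cc.issue(vm).rules) + [extra])
    agent.receive_policy(cc.issue(vm))
    after = [agent.monitor(f) for f in flows]
    return before, after


if __name__ == "__main__":
    print(demo())
```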

Embodiments of the present invention disclose:

A1. A virtual machine traffic monitoring device, characterized in that the device is arranged in the virtual machine and connected to a control center, the device including:

an acquisition module, configured to acquire the access traffic of the virtual machine;

a monitoring module, configured to monitor the access traffic according to a preset policy;

a determination module, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to the identifier of the virtual machine.

A2. The device according to A1, characterized in that the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests;

correspondingly, the monitoring module is configured to:

monitor according to the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

A3. The device according to A1, characterized in that the device further includes a receiving module configured to receive the preset policy issued by the control center.

A4. The device according to A1, characterized in that the detection module is configured to:

acquire the source address, destination address and access information of the access traffic;

monitor the source address, destination address and access information of the access traffic according to the preset policy.

A5. The device according to A1 or A4, characterized in that the determination module is configured to:

intercept the access traffic when the access traffic of the virtual machine does not comply with the preset policy.

B6. A virtual machine traffic monitoring device, characterized in that the device is connected to an agent client arranged in the virtual machine, the device including:

an acquisition module, configured to acquire the access rights of multiple virtual machines;

a policy configuration module, configured to configure policies corresponding to the access rights of the multiple virtual machines, the policies including the identifiers of the virtual machines;

a sending module, configured to send, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

B7. The device according to B6, characterized in that the device further includes an update module configured to update the configured policies.

C8. A virtual machine traffic monitoring method, characterized in that an agent client is arranged in the virtual machine and connected to a control center, the method including:

the agent client acquires the access traffic of the virtual machine and monitors the access traffic according to a preset policy;

the agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to the identifier of the virtual machine.

C9. The method according to C8, characterized in that the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests;

correspondingly, monitoring the access traffic according to the preset policy includes:

the agent client monitors according to the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

C10. The method according to C8, characterized in that, before acquiring the access traffic of the virtual machine, the method further includes:

receiving the preset policy issued by the control center.

C11. The method according to C8, characterized in that monitoring the access traffic according to the preset policy includes:

acquiring the source address, destination address and access information of the access traffic;

monitoring the source address, destination address and access information of the access traffic according to the preset policy.

C12. The method according to C8 or C11, characterized in that determining, according to the monitoring result, whether to intercept the access traffic of the virtual machine includes:

intercepting the access traffic if the access traffic of the virtual machine does not comply with the preset policy.

D13. A virtual machine traffic monitoring method, characterized in that an agent client is arranged in the virtual machine and connected to a control center, the method including:

the control center acquires the access rights of multiple virtual machines and configures policies corresponding to the access rights of the multiple virtual machines, the policies including the identifiers of the virtual machines;

the control center sends, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

D14. The method according to D13, characterized in that, after the control center acquires the access rights of the multiple virtual machines, the method further includes:

updating the configured policies.

E15. A terminal, characterized by including a virtual machine and the device according to any one of A1 to A5, the device being arranged in the virtual machine.

Numerous specific details are set forth in the description of the present invention. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art will understand that the modules of the devices in the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components in the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features from different embodiments are meant to fall within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a browser terminal device according to an embodiment of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention; all of them fall within the scope of the claims and description of the present invention.

Claims (10)

1. A virtual machine traffic monitoring device, characterized in that the device is arranged in the virtual machine and connected to a control center, the device including:

an acquisition module, configured to acquire the access traffic of the virtual machine;

a monitoring module, configured to monitor the access traffic according to a preset policy;

a determination module, configured to determine, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to the identifier of the virtual machine.

2. The device according to claim 1, characterized in that the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests;

correspondingly, the monitoring module is configured to:

monitor according to the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

3. The device according to claim 1, characterized in that the device further includes a receiving module configured to receive the preset policy issued by the control center.

4. The device according to claim 1, characterized in that the detection module is configured to:

acquire the source address, destination address and access information of the access traffic;

monitor the source address, destination address and access information of the access traffic according to the preset policy.

5. The device according to claim 1 or 4, characterized in that the determination module is configured to:

intercept the access traffic when the access traffic of the virtual machine does not comply with the preset policy.

6. A virtual machine traffic monitoring device, characterized in that the device is connected to an agent client arranged in the virtual machine, the device including:

an acquisition module, configured to acquire the access rights of multiple virtual machines;

a policy configuration module, configured to configure policies corresponding to the access rights of the multiple virtual machines, the policies including the identifiers of the virtual machines;

a sending module, configured to send, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

7. The device according to claim 6, characterized in that the device further includes an update module configured to update the configured policies.

8. A virtual machine traffic monitoring method, characterized in that an agent client is arranged in the virtual machine and connected to a control center, the method including:

the agent client acquires the access traffic of the virtual machine and monitors the access traffic according to a preset policy;

the agent client determines, according to the monitoring result, whether to intercept the access traffic of the virtual machine;

wherein the preset policy is the policy corresponding to the identifier of the virtual machine, issued by the control center according to the identifier of the virtual machine.

9. A virtual machine traffic monitoring method, characterized in that an agent client is arranged in the virtual machine and connected to a control center, the method including:

the control center acquires the access rights of multiple virtual machines and configures policies corresponding to the access rights of the multiple virtual machines, the policies including the identifiers of the virtual machines;

the control center sends, according to the identifier of a virtual machine, the policy corresponding to that identifier to the agent client in the virtual machine corresponding to the identifier, so that the agent client monitors the access traffic of the virtual machine according to the policy;

wherein the access traffic of the virtual machine includes the traffic in which the virtual machine receives access requests and the traffic in which the virtual machine sends access requests.

10. A terminal, characterized by including a virtual machine and the device according to any one of claims 1 to 5, the device being arranged in the virtual machine.
CN201510992379.3A 2015-12-24 2015-12-24 Virtual machine flow monitoring method and device, and terminal Pending CN105592088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510992379.3A CN105592088A (en) 2015-12-24 2015-12-24 Virtual machine flow monitoring method and device, and terminal


Publications (1)

Publication Number Publication Date
CN105592088A true CN105592088A (en) 2016-05-18

Family

ID=55931302



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160518