Disclosure of Invention
In order to overcome the defects or shortcomings described above, the present application provides a traffic detection method and apparatus, a computer device and a storage medium for a hybrid cloud environment.
According to a first aspect, the present application provides a method for traffic detection in a hybrid cloud environment which, in one embodiment, comprises:
deploying a traffic collection node for each service site in a first cloud environment, and sending the traffic of each service site to a security detection machine through each traffic collection node;
mirroring the traffic of a second cloud environment to a specified service site through a traffic mirroring function, and sending the traffic of the specified service site to the security detection machine;
sending the traffic of a third cloud environment to the security detection machine through a traffic mirroring function;
and performing security detection on the received traffic through the security detection machine.
In one embodiment, sending the traffic of each service site to the security detection machine through each traffic collection node includes:
collecting the network interface card (NIC) traffic of each service site through each traffic collection node, encapsulating the collected NIC traffic into traffic of a first format, and sending it to the security detection machine.
In one embodiment, sending traffic specifying a service site to a security detection machine includes:
encapsulating the traffic of the specified service site into traffic of a second format;
and sending the traffic in the second format to the security detection machine.
In one embodiment, sending the traffic of the third cloud environment to the security detection machine through a traffic mirroring function includes:
enabling a traffic mirroring function on an egress switch of the third cloud environment;
and sending the traffic of the third cloud environment to the security detection machine through the traffic mirroring function.
In one embodiment, after the security detection of the received traffic by the security detection machine, the method further comprises:
when an intrusion is detected, generating alarm information through an alarm system and pushing the alarm information.
In one embodiment, the method further comprises:
when the intrusion is a high-risk attack, feeding the alarm information into a business process management system through the alarm system, and blocking the intrusion by a linked firewall.
In one embodiment, after the security detection of the received traffic by the security detection machine, the method further comprises:
generating a subscription log according to subscription configuration information, and pushing the subscription log to message middleware for consumption by a subscriber.
According to a second aspect, the present application provides a traffic detection apparatus for use in a hybrid cloud environment, the apparatus comprising, in one embodiment:
a first traffic access module, configured to deploy a traffic collection node for each service site in a first cloud environment and to send the traffic of each service site to a security detection machine through each traffic collection node;
a second traffic access module, configured to mirror the traffic of a second cloud environment to a specified service site through a traffic mirroring function and to send the traffic of the specified service site to the security detection machine;
a third traffic access module, configured to send the traffic of a third cloud environment to the security detection machine through a traffic mirroring function;
and a traffic detection module, configured to perform security detection on the received traffic through the security detection machine.
According to a third aspect, the present application provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of an embodiment of any of the methods described above when executing the computer program.
The present application provides according to a fourth aspect a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the embodiments of the method of any of the above.
In the embodiments of the present application, a traffic collection node is deployed for each service site in the first cloud environment, and the traffic of each service site is sent to the security detection machine through its traffic collection node; the traffic of the second cloud environment is mirrored to a specified service site through a traffic mirroring function, and the traffic of the specified service site is sent to the security detection machine; the traffic of the third cloud environment is sent to the security detection machine through a traffic mirroring function; and the security detection machine performs security detection on the received traffic. The embodiments can thus integrate monitoring of the whole hybrid cloud and perform security detection on traffic on the cloud and on private traffic off the cloud at the same time.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The present application provides a method for traffic detection in a hybrid cloud environment, which in one embodiment includes the steps shown in fig. 2, which is described below.
S110: deploying a traffic collection node for each service site in the first cloud environment, and sending the traffic of each service site to a security detection machine through each traffic collection node.
What the first cloud environment is may be adjusted according to the application scenario. Illustratively, the first cloud environment may be Alibaba Cloud (Aliyun). Each service site may be an EC2 (Elastic Compute Cloud, also referred to as an EC2 instance) host in Alibaba Cloud.
The security detection machine may be a machine on which the detection software Suricata is deployed. Suricata is a free, open-source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata uses a powerful and extensive rules and signature language to inspect network traffic, and provides Lua scripting support for detecting complex threats. Because it uses standard input and output formats (e.g., YAML and JSON), integration with existing tools such as SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases is straightforward.
S120: mirroring the traffic of the second cloud environment to a specified service site through a traffic mirroring function, and sending the traffic of the specified service site to the security detection machine.
What the second cloud environment is may be adjusted according to the application scenario. Illustratively, the second cloud environment may be Amazon Web Services (AWS). The specified service site refers to a designated EC2 host.
S130: sending the traffic of the third cloud environment to the security detection machine through a traffic mirroring function.
What the third cloud environment is may be adjusted according to the application scenario. Illustratively, the third cloud environment may be an office network, such as an office environment deployed by the enterprise itself.
S140: performing security detection on the received traffic through the security detection machine.
Security detection can be divided into two types: frequency-based detection and keyword-based detection. Frequency-based detection is mainly used to detect brute-force login and resource exhaustion attacks. Keyword-based detection is mainly used to detect whether the content carries an attack: regular-expression matching is performed first, and the matched content is then compared exactly against the keywords.
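The two detection types described in S140, as an added example in Python that is not part of the application and not Suricata's own code. The event tuple layout, the thresholds (5 failed logins in 60 s), the keyword list and the sample events are constructed assumptions for illustration; the frequency detector is a sliding-window counter per source, and the keyword detector runs a regular expression first to extract candidate fields from an HTTP request line and then compares each URL-decoded candidate exactly against the keyword set.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote

# Assumed (hypothetical) parameters for this illustration.
FREQ_LIMIT = 5      # failed logins from one source ...
FREQ_WINDOW = 60    # ... within this many seconds -> brute-force alert
KEYWORDS = ["/etc/passwd", "../../../../etc/passwd", "/.git/config"]


class FrequencyDetector:
    """Sliding-window counter per (source, event kind).

    Alerts once when `limit` events fall inside `window` seconds, then resets
    that source so a long brute-force run yields one alert per burst rather
    than one alert per packet.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # (src, kind) -> timestamps in window

    def observe(self, src, kind, ts):
        q = self._seen[(src, kind)]
        q.append(ts)
        while q and ts - q[0] > self.window:  # evict timestamps that fell out
            q.popleft()
        if len(q) >= self.limit:
            q.clear()
            return True
        return False


# Regex stage: pull the path and query string out of an HTTP request line.
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>[^ ?]+)(?:\?(?P<query>[^ ]*))? HTTP/1\.[01]$"
)


class KeywordDetector:
    """Two-stage keyword check: the regex locates candidate fields, then each
    candidate (URL-decoded) must equal a keyword exactly; a loose regex hit
    alone never raises the alert."""

    def __init__(self, keywords):
        self.keywords = {k.lower() for k in keywords}

    def match(self, request_line):
        m = REQUEST_LINE.match(request_line)
        if not m:
            return []
        candidates = [m.group("path")]
        if m.group("query"):
            for param in m.group("query").split("&"):
                candidates.append(unquote(param.partition("=")[2]))
        return [c for c in candidates if c.lower() in self.keywords]


def run_detection(events, limit=FREQ_LIMIT, window=FREQ_WINDOW, keywords=KEYWORDS):
    """events: iterable of (ts_seconds, src_ip, kind, payload). Returns a list
    of (detector, src_ip, ts, detail) alerts in event order."""
    freq = FrequencyDetector(limit, window)
    kw = KeywordDetector(keywords)
    alerts = []
    for ts, src, kind, payload in events:
        if kind == "ssh_login_failed" and freq.observe(src, kind, ts):
            alerts.append(("frequency", src, ts, f"{limit} failed logins within {window}s"))
        elif kind == "http_request":
            for hit in kw.match(payload):
                alerts.append(("keyword", src, ts, hit))
    return alerts


# Constructed sample events (not captured traffic), ordered by time.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "ssh_login_failed", ""),
    (3, "198.51.100.9", "http_request", "GET /index.html HTTP/1.1"),
    (4, "198.51.100.9", "http_request",
     "GET /download?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1"),
    (6, "198.51.100.9", "http_request", "GET /.git/config HTTP/1.1"),
    (10, "203.0.113.7", "ssh_login_failed", ""),
    (20, "203.0.113.7", "ssh_login_failed", ""),
    (30, "203.0.113.7", "ssh_login_failed", ""),
    (40, "203.0.113.7", "ssh_login_failed", ""),   # fifth failure inside 60 s
    (100, "203.0.113.7", "ssh_login_failed", ""),  # new window, no alert
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

On the sample events this yields two keyword alerts (the URL-encoded traversal is only caught because decoding happens before the exact comparison) and one frequency alert at the fifth failure; the sixth failure at t=100 starts a fresh window and is not alerted on.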
In the traffic detection method for a hybrid cloud environment provided by this embodiment, a traffic collection node is deployed for each service site in the first cloud environment, and the traffic of each service site is sent to the security detection machine through its traffic collection node; the traffic of the second cloud environment is mirrored to a specified service site through a traffic mirroring function, and the traffic of the specified service site is sent to the security detection machine; the traffic of the third cloud environment is sent to the security detection machine through a traffic mirroring function; and the security detection machine performs security detection on the received traffic. The method can integrate monitoring of the whole hybrid cloud, perform security detection on traffic on the cloud and on private traffic off the cloud at the same time, and addresses the problem that existing Alibaba Cloud host traffic detection and monitoring supports only some instance types.
In one embodiment, sending the traffic of each service site to the security detection machine through each traffic collection node includes:
collecting the NIC traffic of each service site through each traffic collection node, encapsulating the collected NIC traffic into traffic of a first format, and sending it to the security detection machine.
In this embodiment, a traffic collection node is deployed for each service site of the first cloud environment, for example each service site of Alibaba Cloud; that is, a traffic collection node is installed on each EC2 host, and the traffic collection node is used to collect the NIC traffic of that EC2 host.
For the collected NIC traffic, the traffic collection node encapsulates it in GRE (Generic Routing Encapsulation) format and sends it to the security detection machine for security detection.
In one embodiment, sending the traffic of the specified service site to the security detection machine includes: encapsulating the traffic of the specified service site into traffic of a second format; and sending the traffic in the second format to the security detection machine.
In this embodiment, a traffic mirroring function is enabled for the second cloud environment, such as AWS, where traffic is mirrored directly to a designated EC2 host; the traffic arriving at that EC2 host is then encapsulated in VXLAN (Virtual eXtensible Local Area Network) format and sent to the security detection machine for security detection.
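The two encapsulations used on the access paths above (GRE from the first cloud environment, VXLAN from the second), as an added Python example that is not part of the application, the packet-agent or any cloud provider's mirroring service. It shows the collector side building an IPv4/GRE packet (protocol type 0x6558, Transparent Ethernet Bridging, which is how an Ethernet frame is carried in GRE) and an IPv4/UDP/VXLAN packet (IANA port 4789, 24-bit VNI), and the security detection machine side stripping either encapsulation while validating the outer headers so that truncated or corrupted mirror packets are rejected before they reach the engine. The addresses, the VNI and the inner frame are constructed; no raw sockets are used, so it runs offline.

```python
import socket
import struct

IPPROTO_GRE, IPPROTO_UDP = 47, 17
GRE_PROTO_TEB = 0x6558   # GRE protocol type: Transparent Ethernet Bridging (Ethernet-in-GRE)
VXLAN_UDP_PORT = 4789    # IANA-assigned VXLAN port


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src_ip, dst_ip, proto, payload_len):
    """Minimal 20-byte IPv4 header: version 4, IHL 5, TTL 64, no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(frame, src_ip, dst_ip):
    """Collector side (first cloud): Ethernet frame -> IP/GRE packet."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_TEB)   # no C/K/S flags, version 0
    return ipv4_header(src_ip, dst_ip, IPPROTO_GRE, len(gre) + len(frame)) + gre + frame


def vxlan_encapsulate(frame, src_ip, dst_ip, vni, src_port=49152):
    """Mirror-target side (second cloud): Ethernet frame -> IP/UDP/VXLAN packet."""
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)   # I flag set, 24-bit VNI, reserved byte
    udp_len = 8 + len(vxlan) + len(frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 = absent
    return ipv4_header(src_ip, dst_ip, IPPROTO_UDP, udp_len) + udp + vxlan + frame


def decapsulate(packet):
    """Detection-machine side: validate the outer headers and return
    (encapsulation, vni, inner_frame). Raises ValueError instead of handing a
    malformed or unexpected packet to the detection engine."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad IPv4 length fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto, body = packet[9], packet[ihl:total_len]
    if proto == IPPROTO_GRE:
        if len(body) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x0007:
            raise ValueError("unsupported GRE version")
        if ptype != GRE_PROTO_TEB:
            raise ValueError("GRE payload is not an Ethernet frame")
        # Optional C (checksum), K (key) and S (sequence) fields are 4 bytes each.
        hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        if len(body) < hdr_len:
            raise ValueError("truncated GRE options")
        return "gre", None, body[hdr_len:]
    if proto == IPPROTO_UDP:
        if len(body) < 16:
            raise ValueError("truncated UDP/VXLAN header")
        _, dport, udp_len, _ = struct.unpack("!HHHH", body[:8])
        if dport != VXLAN_UDP_PORT:
            raise ValueError("UDP but not VXLAN")
        if udp_len < 16 or udp_len > len(body):
            raise ValueError("bad UDP length")
        if not body[8] & 0x08:
            raise ValueError("VXLAN I flag not set")
        vni = struct.unpack("!I", body[12:16])[0] >> 8
        return "vxlan", vni, body[16:udp_len]
    raise ValueError("unsupported outer protocol %d" % proto)


def is_valid_mirror_packet(packet):
    try:
        decapsulate(packet)
        return True
    except ValueError:
        return False


# Constructed inner Ethernet frame (made-up MACs and payload, not a capture).
INNER_FRAME = (bytes.fromhex("0242ac110002") + bytes.fromhex("0242ac110003")
               + struct.pack("!H", 0x0800) + b"constructed IPv4 payload")

if __name__ == "__main__":
    gre_pkt = gre_encapsulate(INNER_FRAME, "192.0.2.10", "192.0.2.100")
    vx_pkt = vxlan_encapsulate(INNER_FRAME, "198.51.100.10", "192.0.2.100", vni=0x1234)
    print(decapsulate(gre_pkt)[0], decapsulate(vx_pkt)[:2])
```

The design point for the detection machine is that both tunnels are unauthenticated: anything that can reach the machine's IP can inject GRE or VXLAN packets whose inner frames will be inspected as if they came from a monitored host, so the listening interface should accept tunnel traffic only from the collectors' and mirror targets' addresses, and the header checks above are a minimum, not a substitute for that filtering.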
In one embodiment, sending the traffic of the third cloud environment to the security detection machine through a traffic mirroring function includes: enabling a traffic mirroring function on an egress switch of the third cloud environment; and sending the traffic of the third cloud environment to the security detection machine through the traffic mirroring function.
In this embodiment, a traffic mirroring function is enabled on the egress switch of the third cloud environment, for example an office network, and the traffic of the third cloud environment is led into the security detection machine through the traffic mirroring function, so that the security detection machine can detect traffic from the office network.
Further, in one embodiment, after the security detection of the received traffic by the security detection machine, the method further includes: when an intrusion is detected, generating alarm information through an alarm system and pushing the alarm information.
In this embodiment, when the security detection machine detects the received traffic and finds an intrusion, the alarm system generates alarm information and pushes it.
The alarm system may be an ELK (Elasticsearch, Logstash, Kibana) based system. The alarm information may be pushed directly to the relevant users, or pushed to them through a third-party service (for example Feishu, a collaboration and management platform).
Still further, in one embodiment, the method further comprises: when the intrusion is a high-risk attack, feeding the alarm information into a business process management system through the alarm system, and blocking the intrusion by a linked firewall.
In this embodiment, if the attack level of the detected intrusion is determined to be a high-risk attack, the alarm information may further be fed into a Business Process Management (BPM) system; the BPM workflow is followed, the intrusion is dispatched according to its attack level, and the firewall is linked to block the intrusion. In addition, an ELK-based log display system can provide log retrieval and customised display services for users, further meeting user requirements.
In another embodiment, after the security detection of the received traffic by the security detection machine, the method further comprises: generating a subscription log according to subscription configuration information, and pushing the subscription log to message middleware for consumption by a subscriber.
In this embodiment, a subscriber may be another department or user. For example, other departments may subscribe to logs according to their own needs, and the relevant logs generated after detection by the security detection machine are pushed to message middleware, such as Kafka, for consumption by those departments.
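The post-detection handling of the three embodiments above (alarm push, high-risk hand-off to the BPM system with firewall blocking, and subscription logs to message middleware), as an added Python example that is not part of the application. The input lines follow the field layout of Suricata's eve.json alert records but are constructed, with made-up signature names and IDs; the rule that Suricata severity 1 counts as "high-risk", the 10.0.0.0/8 never-block range and the subscription configuration are assumptions. In-memory lists stand in for the chat-group push, the BPM hand-off, the firewall API and the Kafka topics, so it runs offline.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed alert lines in the layout of Suricata's eve.json (signature
# names, IDs and addresses are made up for this example).
SAMPLE_EVE = """\
{"timestamp":"2023-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.1.20","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"DEMO SSH login burst","category":"Attempted Administrator Privilege Gain","severity":2}}
{"timestamp":"2023-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.1.30","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"DEMO WEB /etc/passwd in URI","category":"Web Application Attack","severity":1}}
{"timestamp":"2023-05-01T10:00:06.000000+0000","event_type":"flow","src_ip":"10.0.1.5","dest_ip":"10.0.1.30","dest_port":443,"proto":"TCP"}
{"timestamp":"2023-05-01T10:00:09.000000+0000","event_type":"alert","src_ip":"10.0.1.50","dest_ip":"10.0.1.30","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"DEMO WEB /etc/passwd in URI","category":"Web Application Attack","severity":1}}
{"timestamp":"2023-05-01T10:00:12.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.1.31","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"DEMO WEB /etc/passwd in URI","category":"Web Application Attack","severity":1}}
"""

# Assumptions for this illustration.
HIGH_RISK_SEVERITY = 1                               # Suricata severity 1 is the highest
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]   # internal ranges are never auto-blocked
SUBSCRIPTIONS = [                                    # per-department subscription configuration
    {"subscriber": "web-team", "topic": "sec.web", "event_type": "alert",
     "category": "Web Application Attack"},
    {"subscriber": "netops", "topic": "sec.flow", "event_type": "flow"},
]


class AlertRouter:
    """Fans one detection event out to notifications, the BPM/firewall path
    and subscriber topics. The lists stand in for the chat-group push, the
    BPM hand-off, the firewall API and Kafka topics respectively."""

    def __init__(self, subscriptions, never_block):
        self.subscriptions = subscriptions
        self.never_block = never_block
        self.notifications = []
        self.bpm_tickets = []
        self.firewall_blocks = []
        self.topics = defaultdict(list)

    def _blockable(self, ip):
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in self.never_block)

    def _subscribed(self, sub, ev):
        if ev.get("event_type") != sub["event_type"]:
            return False
        if "category" in sub and ev.get("alert", {}).get("category") != sub["category"]:
            return False
        return True

    def handle(self, line):
        ev = json.loads(line)
        # Subscription logs: every subscriber whose filter matches gets the event on its topic.
        for sub in self.subscriptions:
            if self._subscribed(sub, ev):
                self.topics[sub["topic"]].append(ev)
        if ev.get("event_type") != "alert":
            return None
        alert = ev["alert"]
        note = "sev%d %s -> %s:%s %s" % (alert["severity"], ev["src_ip"], ev["dest_ip"],
                                         ev["dest_port"], alert["signature"])
        self.notifications.append(note)
        # High-risk path: open a BPM ticket and block the source, deduplicated and
        # guarded by an allow-list so an alert can never block an internal host.
        if alert["severity"] == HIGH_RISK_SEVERITY:
            self.bpm_tickets.append({"src_ip": ev["src_ip"], "sid": alert["signature_id"],
                                     "ts": ev["timestamp"]})
            src = ev["src_ip"]
            if self._blockable(src) and src not in self.firewall_blocks:
                self.firewall_blocks.append(src)
        return note


def route_sample(text=SAMPLE_EVE):
    router = AlertRouter(SUBSCRIPTIONS, NEVER_BLOCK)
    for line in text.splitlines():
        if line.strip():
            router.handle(line)
    return router


if __name__ == "__main__":
    r = route_sample()
    print(r.notifications, r.firewall_blocks, {k: len(v) for k, v in r.topics.items()})
```

The never-block list is the check a practitioner wants on any IDS-to-firewall linkage: an attacker who can make the engine alert on a spoofed or reflected source address can otherwise turn the automatic block into a denial of service against the organisation's own hosts, so the blocking path should only ever act on addresses the organisation is prepared to lose.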
The following describes the traffic detection method for a hybrid cloud environment provided in the above embodiments by way of an application example.
Referring to fig. 3, the traffic access layer in the figure mainly collects the traffic of the hybrid cloud (cloud environments and office environment) and sends it to a designated security detection machine; the traffic analysis layer mainly uses a Suricata-based security detection machine; the security log analysis layer uses an ELK-based log display system and an ELK-based log analysis system, and at the same time pushes log information to a Feishu group for notification and raises security event alarms. Specifically:
1. Alibaba Cloud traffic access: an agent, packet-agent, is deployed on each Alibaba Cloud EC2 host to collect NIC traffic, and the collected traffic is encapsulated and sent to the security detection machine;
2. AWS traffic access: the AWS traffic mirroring function is enabled to mirror traffic directly to a designated EC2 host, and the collected traffic is encapsulated and sent to the security detection machine;
3. office network traffic access: a traffic mirroring function is configured on the switches at the ingress and egress of the office network, so that the traffic is led into the security detection machine;
4. a security detection machine running the detection software Suricata is deployed to perform security detection on the received traffic, and logs subscribed to by other departments are fed into the message middleware Kafka; the logs are stored as text logs with log compression enabled;
5. an ELK environment is deployed to collect and present logs, to alarm on security events (such as an intrusion), and to push alarm information such as the security event log to the corresponding Feishu group and to the BPM system (the BPM system in the figure);
6. the BPM system dispatches the event (the intrusion) according to the alarm event level (the attack level).
FIG. 2 is a flowchart illustrating a method for traffic detection in a hybrid cloud environment according to an embodiment. It should be understood that, although the steps in the flowchart of fig. 2 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, there is no strict ordering restriction on these steps, and they may be performed in other orders. Moreover, at least some of the steps in fig. 2 may include multiple sub-steps or stages that are not necessarily performed at the same moment but may be performed at different times, and the order of those sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Based on the same inventive concept, the present application also provides a traffic detection apparatus for use in a hybrid cloud environment. In this embodiment, as shown in fig. 4, the traffic detection apparatus for use in a hybrid cloud environment includes the following modules:
a first traffic access module 110, configured to deploy a traffic collection node for each service site in the first cloud environment, and to send the traffic of each service site to the security detection machine through each traffic collection node;
a second traffic access module 120, configured to mirror the traffic of the second cloud environment to a specified service site through a traffic mirroring function, and to send the traffic of the specified service site to the security detection machine;
a third traffic access module 130, configured to send the traffic of the third cloud environment to the security detection machine through a traffic mirroring function;
and a traffic detection module 140, configured to perform security detection on the received traffic through the security detection machine.
In the traffic detection apparatus for a hybrid cloud environment provided by this embodiment, a traffic collection node is deployed for each service site in the first cloud environment, and the traffic of each service site is sent to the security detection machine through its traffic collection node; the traffic of the second cloud environment is mirrored to a specified service site through a traffic mirroring function, and the traffic of the specified service site is sent to the security detection machine; the traffic of the third cloud environment is sent to the security detection machine through a traffic mirroring function; and the security detection machine performs security detection on the received traffic. The apparatus can integrate monitoring of the whole hybrid cloud, perform security detection on traffic on the cloud and on private traffic off the cloud at the same time, and addresses the problem that existing Alibaba Cloud host traffic detection and monitoring supports only some instance types.
In an embodiment, the first traffic access module, when configured to send the traffic of each service site to the security detection machine through each traffic collection node, is specifically configured to collect the NIC traffic of each service site through each traffic collection node, encapsulate the collected NIC traffic into traffic of a first format, and send it to the security detection machine.
In an embodiment, the second traffic access module, when configured to send the traffic of the specified service site to the security detection machine, is specifically configured to encapsulate the traffic of the specified service site into traffic of a second format and send the traffic in the second format to the security detection machine.
In an embodiment, the third traffic access module, when configured to send the traffic of the third cloud environment to the security detection machine through a traffic mirroring function, is specifically configured to enable the traffic mirroring function on an egress switch of the third cloud environment and send the traffic of the third cloud environment to the security detection machine through the traffic mirroring function.
In one embodiment, the traffic detection apparatus further comprises an alarm module.
The alarm module is configured to generate alarm information through an alarm system and push the alarm information when an intrusion is detected.
Further, in one embodiment, the traffic detection apparatus further comprises a blocking module.
The blocking module is configured to feed the alarm information into the business process management system through the alarm system when the intrusion is a high-risk attack, and to block the intrusion by a linked firewall.
In one embodiment, the traffic detection apparatus further comprises a subscription log pushing module.
The subscription log pushing module is configured to generate a subscription log according to subscription configuration information and push the subscription log to message middleware for consumption by a subscriber.
For specific limitations of the traffic detection apparatus used in a hybrid cloud environment, reference may be made to the limitations of the traffic detection method used in a hybrid cloud environment above, which are not repeated here. The modules in the traffic detection apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or independent of, a processor of the computer device, or stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, whose internal structure may be as shown in FIG. 5. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used to store data such as traffic; the specific data stored may also be as defined in the method embodiments above. The network interface of the computer device is used to communicate with an external terminal through a network connection. When executed by the processor, the computer program implements a method for traffic detection in a hybrid cloud environment.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
The present embodiment also provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the steps provided in any of the above method embodiments are implemented.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps provided in any of the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the method embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described, but any combination that involves no contradiction should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application, and although they are described specifically and in detail, they should not be construed as limiting the scope of the patent. It should be noted that a person skilled in the art can make several variations and improvements without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the scope of protection of this patent shall be subject to the appended claims.