System and method for controlling virtual network including security function
First Claim
1. A method for controlling a virtual network with a security function comprising the steps of:
- receiving an attack detection-related security alert (expressed in a common event format) from vIPSs in a virtual network controlling system including a cloud ESM (Enterprise Security Management) system;
- analyzing traffic or an attack pattern detected in the vIPS through a correlation analysis by the cloud ESM system when the attack detection-related security alert is received;
- determining a real time blocking reaction against the detected traffic or attack in the cloud ESM system on the basis of the analyzed results and sending the blocking reaction command to the vIPS;
- creating real time blocking rules by the vIPS according to the blocking reaction command;
- sending the real time blocking rules to the vSwitch and blocking the intruder's attacking traffic by the vSwitch according to the received blocking rules;
- checking whether or not traffic blocking was actually carried out during a blocking time when the blocking time has lapsed according to the blocking rules;
- deleting the created blocking rules and terminating the corresponding traffic blocking by the vIPS if the traffic blocking was not actually carried out during the blocking time; and
- extending the blocking time based on the present state to which the blocking rules were applied and terminating blocking of the corresponding traffic by the vIPS if the traffic blocking was actually carried out during the blocking time, wherein the cloud ESM system comprises:
- a cloud collection information management module which stores and manages virtualization resource information and security events collected in the vIPS;
- a cloud security event analysis and security state monitoring module which carries out attack correlation analysis in reference to information received from the vIPS; and
- a cloud security control management module which forcibly migrates the malicious virtual machine in a logical/physical manner, recognizes a change in information of the virtual machine, and sends a security control command according to a policy change to the vIPS through a cloud agent.
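The blocking-rule lifecycle claimed above, as an added Python illustration (not the patent's or any vendor's code): a vIPS raises CEF alerts, a toy cloud ESM correlates them by source address, the vIPS installs timed rules on a simulated vSwitch, and when a rule lapses it is deleted if it never dropped traffic or extended if it did. The class names, the correlation threshold, the 60-second block time and the sample alerts are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

ALERTS = [  # constructed sample vIPS alerts in CEF, not taken from the patent
    "CEF:0|ExampleVendor|vIPS|1.0|1001|SQLi attempt|8|src=10.0.0.5 dst=10.0.1.9 spt=4444",
    "CEF:0|ExampleVendor|vIPS|1.0|1002|Port scan|5|src=10.0.0.5 dst=10.0.1.20 spt=4445",
]

def parse_cef(line):
    """Split a CEF line into its 7 header fields plus key=value extensions."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF alert: %r" % line)
    return {"sig": parts[4], "name": parts[5], "severity": int(parts[6]),
            **dict(re.findall(r"(\w+)=(\S+)", parts[7]))}
class CloudESM:
    """Toy correlation: order a block once `threshold` alerts name the same source."""
    def __init__(self, threshold=2):
        self.threshold, self.seen = threshold, Counter()
    def correlate(self, alert):
        self.seen[alert["src"]] += 1
        if self.seen[alert["src"]] >= self.threshold:
            return {"action": "block", "src": alert["src"], "seconds": 60.0}
        return None
@dataclass
class BlockRule:
    expires_at: float
    block_time: float
    hits: int = 0           # packets the vSwitch actually dropped under this rule

class VIPS:
    def __init__(self):
        self.rules = {}     # vSwitch blocking rules keyed by attacker source address
    def apply(self, cmd, now):
        self.rules[cmd["src"]] = BlockRule(now + cmd["seconds"], cmd["seconds"])
    def vswitch_forward(self, src, now):
        rule = self.rules.get(src)
        if not rule or rule.expires_at <= now:
            return True     # no live rule: packet goes on to the DPI engine
        rule.hits += 1
        return False        # dropped at network level, never reaches DPI
    def on_timer(self, now):
        for src, rule in list(self.rules.items()):
            if rule.expires_at > now:
                continue
            if rule.hits == 0:        # nothing was blocked: rule is stale, delete it
                del self.rules[src]
            else:                     # attacker kept sending: extend, restart the count
                rule.expires_at, rule.hits = now + rule.block_time, 0
```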
Abstract
Disclosed herein are a system and method for controlling a virtual network with a security function which can manage the security states of virtual machines in a cloud datacenter, analyze the security states of malicious virtual machines, and isolate and treat the malicious virtual machines in order to cope with intrusion into a virtual network in a cloud computing environment. The system and method reduce the number of packets on which the IPS must perform signature-matching inspection (DPI) by pushing blocking of a previously detected intruder down to the network level, thereby improving the performance of the virtualized network IPS.