Mobile Internet security monitoring and protection system in cloud computing mode

Keywords: security, mobile Internet, cloud computing

Security is key to the healthy development of the mobile Internet in the cloud computing mode. Now that 3G networks have matured and mobile Internet services are widely used, more and more network and mobile security problems are appearing.

In particular, with the development of 3G/LTE and the introduction of the cloud computing application model, the security problems of the broadband mobile Internet have become more complicated, posing unprecedented challenges to mobile Internet security. Virtualization, multi-tenancy and the dynamic nature of cloud computing introduce a number of new security issues, mainly in data security, privacy protection, content security, runtime environment security, risk assessment and security supervision. At the same time, many traditional security problems are becoming more prominent in cloud computing and the mobile Internet: intrusions, attacks and viruses are growing in scale, are increasingly profit-driven, and are becoming more complex and intertwined. It is difficult to solve network and information security by relying on a single, isolated security product or technology. The protection of mobile Internet users' information, the security of the virtualized environment and dynamic security protection services in the cloud computing environment all need attention.

Wave Communication Information System Co., Ltd. developed the "Mobile Internet Security Monitoring and Protection System in Cloud Computing Mode" to carry out dedicated research on the security issues and key security technologies of the mobile Internet under the cloud computing application model, and to build a complete mobile Internet security technology system that achieves large-scale network security monitoring and protects the mobile Internet, business applications and users.

The system holds national independent intellectual property rights and several invention patents. It has been deployed at Shandong Mobile, Jiangsu Mobile and operators in other provinces and cities, where it has run stably with good results, and it addresses a series of major security issues of the cloud computing architecture and mobile Internet services.

Overall technical solution of the system

The system uses an innovative global deep-protection security architecture for the cloud computing mode. It consists mainly of an external cloud computing/Internet security monitoring gateway, internal cloud computing/cloud storage security protection, access security monitoring and authentication, a security monitoring center and other components. It provides a risk model of the mobile Internet in the cloud computing application mode, data security and privacy protection in the multi-tenant cloud application mode, security of the virtual runtime environment, evaluation of cloud computing and terminal security, an overall security system for the mobile Internet and a service security system.

The internal cloud computing/cloud storage business system, the mobile Internet and its terminal access system, and the mobile Internet security monitoring center together form a deep, active security defense system based on global authentication, connected to the external cloud computing/Internet through a security gateway.

Figure 1. Global deep-protection security system in the cloud computing application mode

Two-way terminal access authentication, inline authorization and access control: because a terminal may connect directly to the external Internet through a bypass path (WiFi and so on) and create complex security problems, the security monitoring center and a security middleware client embedded in the terminal apply global authentication technology, so that the terminal is isolated and its operations against the external cloud pose no direct threat to the internal network.

Global monitoring, deep security defense: at the same time, the internal business/data cloud applies multi-level deep security measures based on global authentication to ensure the security of internal business systems.

Tiered protection of sensitive data, secret-room isolation, authorized access, automatic repair: the internal business/data cloud uses layered isolation, authorized access and dynamic encryption built on security reinforcement. Key data and sensitive information are stored in a security-isolated "secret room", and access to this data must be authorized and authenticated and uses temporary keys, ensuring the high security of critical sensitive data and private information in a multi-tenant, virtual storage environment.

Key technical innovations

Feature one: Security threat model of the mobile Internet in the cloud computing application model

Based on research into the full range of security threats to the broadband mobile Internet, cloud computing platforms and applications, and the traditional Internet, this paper constructs a risk system model for the mobile Internet in the cloud computing application mode.

Figure 2. Security threat model of the mobile Internet in the cloud computing application model

On this basis, using innovative research results in cloud computing, cloud security and mobile Internet security, we plan and design a security system for the mobile Internet based on global security authentication.

Feature two: Data security isolation and transparent storage based on the cloud operating system

Supported by the Wave cloud operating system lc-os, a new intelligent virtual storage engine, ic-svc, uses partitioned security "secret room" technology to realize data isolation, hierarchical block storage and secure, transparent data migration. Security isolation of virtual machines and their data: a dedicated security zone (a safe "vault") is set up for virtual machines, and data migration between isolation zones must pass strong security authentication and authorization, blocking data leakage between different virtual machines and their isolation zones and ensuring the high security of critical and sensitive data placed in a secure isolation zone.

Figure 3. Secure data storage architecture based on the cloud operating system

Secure storage by data domain location: critical data with high security and high performance requirements can be placed inside the isolated storage array; secondary key data and general data can be placed on external storage; and disaster-tolerance software can provide disaster tolerance for all of the above.

Dynamic and flexible storage management: powerful and flexible resource scheduling and combined application configuration can dynamically schedule business and resources according to load and configure hardware and software resource blocks based on topology, quickly meeting customers' dynamic and diverse application needs.

Support for a large-scale management architecture: a multi-level joint management system integrates resources through cascaded management and effectively supports very large-scale storage. A combined mode of shared storage and distributed cloud storage overcomes the problem of the pure shared storage mode, in which a single outage crashes the business of all virtual machines.

Feature three: Deep security defense technology for the virtual storage environment

The virtual storage deep automatic defense system is built from global access authentication, security policy matching, data isolation, encryption of key data and intelligent data repair. In the face of complex network security behavior, the most effective defense strategy is to apply network security defense technology across the whole network rather than deploying protection at a single point.

Figure 4. Authentication and automatic defense system based on global secure access

Layered security access control: access behavior is identified and authenticated, targeted security policies are applied, and mandatory security controls are enforced on users, to prevent problems before they occur. To protect data in key network regions, global security integration combines the security client with security linkage devices to effectively control end users' network access behavior.

Isolation and encryption of sensitive data: in the cloud storage system, the virtual storage management engine (ISVC), based on a unified resource storage image and secret-compartment isolation technology, stores data in separate regions of different levels and domains, and further encrypts sensitive data. Only users who pass cross-authorization and two-way authentication can access their own data, ensuring the high security of sensitive data. ISVC creates a dedicated topology retrieval view for encrypted data to ensure that retrieval of encrypted data is authorized.

Multidimensional isolated virtual storage engine (ISVC): ISVC has a modular structure consisting of multiple cluster nodes that form a large storage pool, in which several storage devices appear as a single unified logical device accessible to all servers in the system, preventing islands of information on individual storage devices. A host can also have multiple data paths to the virtual engine, working concurrently.

Resource storage management based on a unified image: ISVC uses global resource management technology based on a unified topology image. Every device is presented as a logical image of its physical device; even if the physical storage changes, the logical image does not, so storage becomes transparent to users, who do not see the underlying details. This truly realizes isolated storage, or sharing, at the file, block and object level between different storage systems.

Secure and transparent data migration: under the unified topology image of ISVC, the data storage location can be transparently isolated and protected. Data location control based on user needs is supported, critical data and sensitive information are isolated with multiple layers of reinforcement, and a user's data can be physically isolated from other customers' data in the multi-tenant architecture of the cloud computing environment.

When ISVC is added to an existing SAN environment, no data migration is required: ISVC inherits the existing disk configuration intact, so that it is completely transparent to the applications on the servers. Once ISVC is fully configured, it can transparently migrate volumes and data from the original disks to other virtual volumes. All migration processes are transparent to the servers, so applications need not be stopped.

Dynamic encryption and cross-validation: for key data, sensitive data and private information stored in the "secret room" of the secure isolation zone, data encryption and two-factor authentication protect the data from unintentional or malicious disclosure by the cloud server while it is transmitted to the end user, ensuring that only users who are authorized to access the data can see it.

Automatic data repair and continuous disaster recovery: the automatic repair (self-healing) function provided by the global secure access authentication and automatic defense system can automatically restore damaged systems and ensure that most resources remain usable even when the system is under constant attack.

Continuous topology monitoring and disaster recovery are implemented for sensitive data, private data and critical services, ensuring the confidentiality of data and private information in the cloud environment.

Feature four: Cross-authorization dynamic encryption technology based on the SSR security reinforcement system

Using cross-authorization, two-way authentication, real-time dynamic key distribution and timely key destruction based on the security reinforcement server, end-to-end encryption protects the entire access process. This not only protects the whole data access operation effectively, but also effectively monitors and defends against hackers, Trojans and even illegal access to and peeping at sensitive data by the cloud computing center's own administrators, thus effectively ensuring the high security of critical data and sensitive information.

The innovative SSR security reinforcement system developed by our unit is based on advanced Rost technology. Completely different from external security technologies such as firewalls and IDS, it goes deep into the operating system and database to apply mandatory access control and integrity checking to the underlying files, data, processes, registry entries and services. At the same time, using a solidified out-of-band authorization key, it performs dynamic keying and cross-authentication for all kinds of loaded and running applications, preventing illegal attacks such as viruses, Trojans and hackers.

Figure 5. Key content of the SSR dynamic encryption technology

These key supporting technologies include: encryption control and dynamic cross-authentication based on the solidified SSR, strict out-of-band key authorization control, solidified multi-point reliable key management, end-to-end multi-dimensional security monitoring, automatic control and traceability tracking, and intelligent fault-tolerant operation and exception handling.

Application effect of the system

The system builds a global deep-protection system with global secure access authentication, cloud security isolated storage, isolation of internal and external cloud applications, network security monitoring, terminal access control, authorization for key data and other functions, providing personalized management of security services according to customer demand and giving customers differentiated, multi-dimensional, end-to-end security monitoring and protection.

The global deep-protection system includes an overall monitoring framework covering terminal, network and cloud; key security management; identity authentication; access security control; a trust mechanism; security monitoring of application software access and of application operation; identification and filtering of information content; control-and-traceability technology and exception handling; and integration of third-party security tools. It focuses on operational security monitoring, security deployment, information security management and protection, and security services for the mobile Internet and cloud applications.

Compared with the traditional Internet, the mobile Internet faces more serious security threats and attacks, such as identity spoofing, denial-of-service attacks, illegal intrusion, data theft, and virus or malicious code attacks. Various security technologies must therefore be used to provide users with telecom-grade security services, so that the mobile Internet becomes a controllable and trustworthy network. The main implemented features are as follows.

Feature one: Key security management

Key management covers every stage from key creation to key destruction. It is mainly reflected in the management system, the protocols, and key generation, distribution, replacement and injection. The key management of this project adopts a PKI scheme based on X.509 certificates.

Feature two: Access security control based on role authorization and two-way authentication

In the mobile Internet, a cloud authentication mechanism guarantees the security of user identity, provides users with single sign-on, realizes mutual authentication between entities, supports the collaborative work of all participants, and supports security management in dynamic regions. A two-factor identification mechanism is supported, and two-way authentication is used for web connections, so that both the web application client side and the server side are authenticated; the SSL protocol encrypts the communication channel, ensuring the confidentiality and integrity of the session, preventing third parties from breaking into the session, and eliminating the possibility of being deceived into introducing Trojans.
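The mutual authentication described here, together with the temporary keys for secret-room access (tiered protection section), the real-time key distribution and timely key destruction of the SSR cross-authorization technology (Feature four above) and the creation-to-destruction lifecycle of key management (Feature one), can be shown in one exchange. The following is an added example, not the vendor's code: it assumes that both endpoints already hold a long-term secret provisioned out of band (standing in for the solidified out-of-band authorization key), uses HMAC-SHA256 for the proofs and HKDF-SHA256 (RFC 5869) to derive a per-session key, and overwrites that key when the session ends. The party names and demo secret are constructed.

```python
"""Two-way (mutual) challenge-response authentication ending in a temporary
session key that is destroyed after use.

Added example, not the vendor's code.  Assumption: both endpoints already hold
a long-term secret provisioned out of band.  HMAC-SHA256 provides the proofs,
HKDF-SHA256 (RFC 5869) derives the session key.
"""
import hashlib
import hmac
import secrets

# Constructed demo secret; in practice it comes from the out-of-band provisioning step.
LONG_TERM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One endpoint of the handshake: the terminal client or the cloud server."""

    def __init__(self, name: str, long_term_key: bytes):
        self.name = name
        self._ltk = long_term_key
        self.nonce = None
        self.session_key = None  # kept in a bytearray so it can be overwritten

    def challenge(self) -> bytes:
        """Fresh random nonce; a new one per handshake defeats replay."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def prove(self, peer_nonce: bytes, peer_name: str) -> bytes:
        """The proof binds both identities and both nonces, so a proof made in
        one role cannot be reflected back as the other role's proof."""
        msg = self.name.encode() + b"|" + peer_name.encode() + self.nonce + peer_nonce
        return hmac.new(self._ltk, msg, hashlib.sha256).digest()

    def verify(self, proof: bytes, peer_nonce: bytes, peer_name: str) -> bool:
        msg = peer_name.encode() + b"|" + self.name.encode() + peer_nonce + self.nonce
        expected = hmac.new(self._ltk, msg, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)  # constant-time comparison

    def derive_session_key(self, peer_nonce: bytes, peer_name: str) -> None:
        """Temporary key for this session only; identical on both sides because
        names and nonces are combined in a canonical order."""
        names = b"|".join(sorted([self.name.encode(), peer_name.encode()]))
        salt = b"".join(sorted([self.nonce, peer_nonce]))
        self.session_key = bytearray(hkdf_sha256(self._ltk, salt, b"session|" + names))

    def destroy_session_key(self) -> None:
        """Timely key destruction: overwrite in place, then drop the reference."""
        if self.session_key is not None:
            for i in range(len(self.session_key)):
                self.session_key[i] = 0
            self.session_key = None


def handshake(client: Party, server: Party) -> bool:
    """Run the exchange; True only if each side has verified the other."""
    n_c = client.challenge()                      # 1. client -> server: n_c
    n_s = server.challenge()                      # 2. server -> client: n_s, proof_s
    proof_s = server.prove(n_c, client.name)
    if not client.verify(proof_s, n_s, server.name):
        return False                              # server failed to prove itself
    proof_c = client.prove(n_s, server.name)      # 3. client -> server: proof_c
    if not server.verify(proof_c, n_c, client.name):
        return False                              # client failed to prove itself
    client.derive_session_key(n_s, server.name)   # 4. both derive the same key
    server.derive_session_key(n_c, client.name)
    return True


if __name__ == "__main__":
    terminal, cloud = Party("terminal", LONG_TERM_KEY), Party("cloud", LONG_TERM_KEY)
    print("mutual auth ok:", handshake(terminal, cloud))
    print("keys match:", terminal.session_key == cloud.session_key)
    terminal.destroy_session_key()
    cloud.destroy_session_key()
```

Two points worth noting for practitioners. The server proves itself before the client does, so a terminal never releases a proof to an unauthenticated endpoint, and the role and peer name inside the MAC input stop a server's proof from being replayed to the server as a client proof. Zeroising a `bytearray` is best effort in Python (copies may survive in the interpreter); in a production SSR-style agent the session key would live in native memory or a hardware keystore.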

Feature three: Control of network intrusion and abnormal traffic

For network intrusions and anomalies, the source of the intrusion or the intruded system can be identified through packet analysis and behavior pattern analysis, and the problem is then resolved through technical or management measures, preventing the intrusion and anomaly from recurring.
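The two analyses named here, packet analysis and behavior pattern analysis, can be illustrated with the following added example (not the vendor's code; the flow records, addresses and thresholds are constructed for illustration). It reads a simplified flow log, flags a source that sweeps many ports on one host within a short window, flags a source whose per-minute byte volume is far above the median of all sources in that window, and reports the source address in each finding so it can be blocked or investigated.

```python
"""Packet/flow analysis for intrusion and abnormal-traffic detection.

Added example, not the vendor's code.  Input is a constructed, simplified flow
log, one flow per line: 'epoch src_ip dst_ip dst_port proto bytes'.  Two rules:
a behaviour-pattern rule for port scans and a volume rule for abnormal traffic,
each reporting the source so it can be blocked or investigated.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.1.20 21 tcp 60
1000 10.0.0.5 10.0.1.20 22 tcp 60
1000 10.0.0.5 10.0.1.20 23 tcp 60
1001 10.0.0.5 10.0.1.20 25 tcp 60
1001 10.0.0.5 10.0.1.20 53 tcp 60
1001 10.0.0.5 10.0.1.20 80 tcp 60
1002 10.0.0.5 10.0.1.20 110 tcp 60
1002 10.0.0.5 10.0.1.20 135 tcp 60
1002 10.0.0.5 10.0.1.20 139 tcp 60
1003 10.0.0.5 10.0.1.20 143 tcp 60
1003 10.0.0.5 10.0.1.20 443 tcp 60
1003 10.0.0.5 10.0.1.20 445 tcp 60
1000 10.0.0.9 10.0.1.30 443 tcp 1800
1004 10.0.0.9 10.0.1.30 443 tcp 2200
1005 10.0.0.11 10.0.1.30 443 tcp 1500
1006 10.0.0.12 10.0.1.30 443 tcp 2000
1007 10.0.0.13 10.0.1.31 80 tcp 1700
1008 10.0.0.77 10.0.1.40 80 tcp 400000
1009 10.0.0.77 10.0.1.40 80 tcp 450000
1010 10.0.0.77 10.0.1.40 80 tcp 420000
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # tolerate malformed lines instead of crashing the detector
        ts, src, dst, dport, proto, nbytes = parts
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def detect_port_scans(flows, window: int = 10, min_ports: int = 10) -> list:
    """Behaviour pattern: one source touching >= min_ports distinct ports on one
    host within `window` seconds.  Returns (src, dst, distinct_ports) tuples."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        start, peak = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:  # slide the window forward
                start += 1
            peak = max(peak, len({f.dport for f in fl[start:end + 1]}))
        if peak >= min_ports:
            findings.append((src, dst, peak))
    return findings


def detect_volume_anomalies(flows, window: int = 60, factor: float = 5.0,
                            min_bytes: int = 100_000) -> list:
    """Per-source bytes per window compared against the median of all
    (source, window) totals; the median is not dragged up by one attacker."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.ts // window)] += f.nbytes
    baseline = median(totals.values())
    return sorted((src, bucket, total) for (src, bucket), total in totals.items()
                  if total >= min_bytes and total > factor * baseline)


def analyze(text: str) -> dict:
    flows = parse_flows(text)
    return {"port_scans": detect_port_scans(flows),
            "volume_anomalies": detect_volume_anomalies(flows)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_FLOWS).items():
        print(kind, items)
```

The median baseline holds up against a single noisy source but not against a distributed flood, where many sources shift the median together; for that case a fixed capacity limit per link or a baseline learned from earlier, clean windows is the usual complement.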

Feature four: Information content identification and filtering technology scheme

Information content identification and filtering is the core technology of mobile Internet content security. Information is collected using traditional network collectors and packet capture and filtered by a combination of feature matching and keyword filtering; information extraction is based on document structure and document features. Text is classified into categories according to descriptions of its content and characteristics, the heat of a topic is judged by a power-spectrum-based calculation, the sensitivity of a topic is judged by keyword matching, and short-term trends are forecast from the correlation of the data.
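The keyword-matching step that judges sensitivity is the part most often defeated in practice, by full-width characters, zero-width joiners or case changes that keep the text readable while breaking a naive substring match. The following added example (not the vendor's code; the rule set, weights, threshold and sample messages are constructed) shows the classifier with normalization applied before matching and a score-based block/allow decision.

```python
"""Keyword-based content identification and filtering with text normalisation.

Added example, not the vendor's code.  Rules, categories, weights, threshold and
sample messages are constructed for illustration.  Matching on raw text is
trivially bypassed with full-width characters, zero-width joiners or case
changes, so the text is normalised first.
"""
import re
import unicodedata

# category -> (weight, keywords); weights feed the sensitivity score
RULES = {
    "sensitive": (5, ["secret room", "internal only", "master key"]),
    "malware":   (8, ["install this apk", "free root tool"]),
    "fraud":     (3, ["verify your account", "claim your prize"]),
}
BLOCK_THRESHOLD = 5

# zero-width space/non-joiner/joiner/word-joiner/BOM: invisible, break substring matches
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)


def normalize(text: str) -> str:
    """NFKC folds full-width and other compatibility forms to their base
    characters, casefold handles case (including non-ASCII), zero-width
    characters are dropped and whitespace runs are collapsed."""
    text = unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH).casefold()
    return re.sub(r"\s+", " ", text).strip()


def classify(text: str) -> dict:
    """Return matched categories, the keywords that hit, a score and a decision."""
    norm = normalize(text)
    hits, score = {}, 0
    for category, (weight, keywords) in RULES.items():
        matched = [kw for kw in keywords if kw in norm]
        if matched:
            hits[category] = matched
            score += weight * len(matched)
    return {"categories": sorted(hits), "hits": hits, "score": score,
            "action": "block" if score >= BLOCK_THRESHOLD else "allow"}


def filter_messages(messages) -> list:
    """Apply classify() to a stream and keep only the messages that pass."""
    return [m for m in messages if classify(m)["action"] == "allow"]


SAMPLE_MESSAGES = [                                   # constructed inputs
    "Please forward the \uff33\uff25\uff23\uff32\uff25\uff34\u200b ROOM key list",  # full-width + zero-width
    "\uff29\uff4e\uff53\uff54\uff41\uff4c\uff4c \uff54\uff48\uff49\uff53 \uff21\uff30\uff2b for free data",
    "verify your account today",                        # low weight: logged, not blocked
    "Meeting at 10, bring the slides",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m)["action"], classify(m)["hits"], repr(m))
```

Normalization covers the cheap evasions; spaced-out letters ("s e c r e t") or homoglyphs from other scripts need a further step (removing separators between single letters, or a confusables table) that is deliberately not shown here.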

Feature five: Application runtime security monitoring

An inspection, audit, authorization and authentication system for application security and legality, including application interface standards, operation standards, the inspection and audit process, the authorization process and authentication methods.

The security monitoring module combines several forms of monitoring, including system-level process monitoring, monitoring of the application's running state, monitoring of application network traffic and application anomaly detection.

The monitored content includes the system resources and network resources used by the application while it runs, the degree of user activity and so on; corresponding measures are taken against abnormal applications to guarantee the security of the platform.
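As an added example of the anomaly detection and the "corresponding measures" described above (not the vendor's code; the telemetry, metric names and thresholds are constructed), the following keeps an adaptive baseline per application and metric and quarantines an application whose resource use jumps far outside its own history, which is the pattern of an exfiltration burst or a mining payload in an otherwise quiet app.

```python
"""Application runtime monitoring with a per-application adaptive baseline.

Added example, not the vendor's code.  Each (application, metric) stream keeps
an exponentially weighted mean and variance; a sample far outside that baseline
raises an alert and the application is quarantined.  Telemetry, metric names
and thresholds are constructed assumptions.
"""
import math
from collections import defaultdict

# metric -> minimum absolute deviation before a sample can count as anomalous,
# so a near-constant stream (variance ~0) does not alert on tiny jitter
MIN_DELTA = {"cpu_pct": 10.0, "net_bytes": 100.0}


class Baseline:
    """EWMA mean/variance; alerts when |x - mean| > k*sigma + min_delta."""

    def __init__(self, min_delta: float, alpha: float = 0.2, k: float = 4.0, warmup: int = 5):
        self.min_delta, self.alpha, self.k, self.warmup = min_delta, alpha, k, warmup
        self.mean, self.var, self.n = None, 0.0, 0

    def observe(self, x: float) -> bool:
        if self.mean is None:
            self.mean, self.n = x, 1
            return False
        diff = x - self.mean
        anomalous = (self.n >= self.warmup
                     and abs(diff) > self.k * math.sqrt(self.var) + self.min_delta)
        if not anomalous:  # an outlier must not be absorbed into the baseline
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.n += 1
        return anomalous


class AppMonitor:
    """Holds one Baseline per (app, metric), records alerts, quarantines apps."""

    def __init__(self):
        self.baselines = {}
        self.alerts = []
        self.quarantined = set()

    def ingest(self, app: str, metric: str, value: float) -> bool:
        key = (app, metric)
        if key not in self.baselines:
            self.baselines[key] = Baseline(MIN_DELTA[metric])
        if self.baselines[key].observe(value):
            self.alerts.append((app, metric, value))
            self.quarantined.add(app)  # response measure: suspend the app's network/process
            return True
        return False

    def run(self, samples) -> list:
        for app, metric, value in samples:
            self.ingest(app, metric, value)
        return self.alerts


SAMPLE_TELEMETRY = [  # constructed (app, metric, value) samples in arrival order
    ("mail", "net_bytes", 1000), ("photo", "cpu_pct", 3),
    ("mail", "net_bytes", 1100), ("photo", "cpu_pct", 4),
    ("mail", "net_bytes", 900),  ("photo", "cpu_pct", 3),
    ("mail", "net_bytes", 1050), ("photo", "cpu_pct", 5),
    ("mail", "net_bytes", 1000), ("photo", "cpu_pct", 4),
    ("mail", "net_bytes", 950),  ("photo", "cpu_pct", 3),
    ("mail", "net_bytes", 1020), ("photo", "cpu_pct", 4),
    ("mail", "net_bytes", 250000),  # exfiltration-sized burst
    ("photo", "cpu_pct", 95),       # sudden CPU spike
]

if __name__ == "__main__":
    mon = AppMonitor()
    print("alerts:", mon.run(SAMPLE_TELEMETRY))
    print("quarantined:", sorted(mon.quarantined))
```

The warm-up period and the per-metric floor are the two knobs that decide the false-positive rate; without the floor a constant stream has zero variance and any change at all would alert.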

Feature six: Trust mechanism

Unlike traditional passive security defenses, a trust mechanism is an active network security defense method. Trust is established between users and the network, between the network and third-party application providers, and between third-party applications and users, in order to perceive and evaluate the trust status and security posture among users, third-party applications and the network. A credit integration system is built by means of trust metrics: trust is calculated for each user and application to establish a reputation file, and a reasonable trust assessment model is used to assess the credibility of users and third-party applications, establishing the mobile Internet as a trusted network.
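One concrete trust assessment model that fits the "reputation file" described above is the beta reputation model (Jøsang and Ismail, 2002). The following added example (not the vendor's code; the thresholds, half-life and event types are assumptions) keeps positive and negative evidence per subject, lets old behavior fade with an exponential half-life, and maps the resulting score to a trusted/probation/untrusted decision.

```python
"""Trust metrics and reputation for users and third-party applications.

Added example, not the vendor's code.  Beta reputation model: positive evidence
r, negative evidence s, score = expected value (r + 1) / (r + s + 2) of
Beta(r + 1, s + 1), with exponential forgetting of old evidence.  Thresholds,
half-life and the kinds of events counted are assumptions for the illustration.
"""


class Reputation:
    """Reputation file for one subject (a user or a third-party application)."""

    def __init__(self, half_life: float):
        self.half_life = half_life
        self.r = 0.0      # positive evidence, e.g. passed integrity checks
        self.s = 0.0      # negative evidence, e.g. policy violations
        self.last = None  # timestamp of the last update

    def decay(self, now: float) -> None:
        """Forget old behaviour: both counters halve every half_life seconds."""
        if self.last is not None and now > self.last:
            factor = 0.5 ** ((now - self.last) / self.half_life)
            self.r *= factor
            self.s *= factor
        self.last = now

    def update(self, positive: bool, now: float, weight: float = 1.0) -> None:
        self.decay(now)
        if positive:
            self.r += weight
        else:
            self.s += weight

    def score(self) -> float:
        return (self.r + 1.0) / (self.r + self.s + 2.0)

    def evidence(self) -> float:
        return self.r + self.s


class TrustRegistry:
    """Reputation files for all subjects plus the decision policy."""

    def __init__(self, half_life: float = 30 * 86400, trusted_at: float = 0.9,
                 untrusted_at: float = 0.5, min_evidence: float = 10):
        self.reps = {}
        self.half_life = half_life
        self.trusted_at, self.untrusted_at, self.min_evidence = trusted_at, untrusted_at, min_evidence

    def record(self, subject: str, positive: bool, now: float, weight: float = 1.0) -> None:
        self.reps.setdefault(subject, Reputation(self.half_life)).update(positive, now, weight)

    def decide(self, subject: str) -> str:
        """Unknown subjects start on probation; a low score is untrusted at once,
        but 'trusted' additionally requires enough accumulated evidence."""
        rep = self.reps.get(subject)
        if rep is None:
            return "probation"
        if rep.score() < self.untrusted_at:
            return "untrusted"
        if rep.score() >= self.trusted_at and rep.evidence() >= self.min_evidence:
            return "trusted"
        return "probation"


if __name__ == "__main__":
    reg = TrustRegistry(half_life=100.0)
    for _ in range(20):
        reg.record("app-A", True, now=0.0)
    print("after 20 good events:", reg.decide("app-A"), round(reg.reps["app-A"].score(), 3))
    for _ in range(10):
        reg.record("app-A", False, now=0.0)
    print("after 10 violations:", reg.decide("app-A"), round(reg.reps["app-A"].score(), 3))
```

The asymmetry practitioners usually add is a larger `weight` for negative evidence (a detected Trojan should cost more than a clean attestation earns), which keeps a long-lived good reputation from masking a recent compromise; the half-life in turn stops an old incident from penalizing a subject forever.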
