CN114036505A - Safety operation and maintenance analysis server, safety operation and maintenance analysis method and computer equipment - Google Patents


Info

Publication number
CN114036505A
Authority
CN
China
Prior art keywords
data
security
risk
module
analysis
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111303114.XA
Other languages
Chinese (zh)
Inventor
艾文
吴大宝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qichacha Technology Co ltd
Original Assignee
Qichacha Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qichacha Technology Co ltd
Priority to CN202111303114.XA
Publication of CN114036505A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The disclosure relates to a security operation and maintenance analysis server, a security operation and maintenance analysis method and computer equipment. The server comprises a situation awareness module, a central analysis module and a security processing module. The situation awareness module connects to at least one security system through an application program interface to acquire analysis data from that system; the security system comprises a situation awareness system, a log analysis system and a code hosting system. The central analysis module compares pre-stored risk-free data with the analysis data to obtain a comparison result. The security processing module outputs alarm information and executes a risk processing operation when the comparison result is a difference state. In this way, a plurality of different security products and information platforms can be integrated and aggregated, security risks can be resolved quickly, and a final security event processing result is obtained.

Description

Safety operation and maintenance analysis server, safety operation and maintenance analysis method and computer equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a security operation and maintenance analysis server, a security operation and maintenance analysis method, and a computer device.
Background
With the development of internet technology, more and more enterprises have begun to pay attention to their security operations, giving rise to enterprise security construction. Current enterprise security construction is "static": for example, quarterly vulnerability scanning, asset information changes, and the creation of scheduled scanning tasks whose scan targets seldom change. To address this static limitation, security teams deploy security products of different brands, use those products to handle malicious behaviors and attack events, and adjust which malicious behaviors and attack events need handling by analysing the results the products produce, so that enterprise security is built in a sustainable and dynamic manner.
However, in current enterprise security construction the deployed security products come from many manufacturer brands, centralized management is difficult, the enterprise's devices are difficult to associate and aggregate, and the information from multiple manufacturer brands cannot be integrated to obtain a final security event processing result.
Disclosure of Invention
In view of the above, it is necessary to provide a security operation and maintenance analysis server, a security operation and maintenance analysis method, and a computer device that can integrate information of multiple manufacturer brands to obtain a final security event processing result.
In a first aspect, the present disclosure provides a security operation and maintenance analysis server, comprising: a situation awareness module, a central analysis module and a security processing module;
the situation awareness module is configured to connect to at least one security system through an application program interface to acquire analysis data in the security system, the security system comprising: a situation awareness system, a log analysis system and a code hosting system;
the central analysis module is configured to compare pre-stored risk-free data with the analysis data to obtain a comparison result;
and the security processing module is configured to output alarm information and execute a risk processing operation when the comparison result is a difference state.
In one embodiment, the analysis data comprises: security risk data, security log data and code information data;
the situation awareness module comprises: a situation awareness system connection module, a log analysis system connection module and a code hosting system connection module;
the situation awareness system connection module is configured to connect to the situation awareness system through a situation awareness threat data source interface and acquire at least one item of security risk data in the situation awareness system, the security risk data comprising: risk terminal data, risk service data, security event data, security vulnerability data and weak password data;
the log analysis system connection module is configured to connect to the log analysis system through a log analysis system interface to acquire security log data in the log analysis system;
and the code hosting system connection module is configured to connect to the code hosting system through a code hosting system interface and acquire code information data in the code hosting system through a search statement command.
In one embodiment, the situation awareness module further comprises:
a security event filtering module configured to filter the security events through a preset security event filtering rule to obtain the security events of high security risk.
In one embodiment, the server further comprises: a domain name scanning module, a fingerprint identification module and an internal risk identification module;
the domain name scanning module is configured to acquire the external resources connected to a host managed by the security operation and maintenance analysis platform and to identify, through a preset internal address library, the IP address and CDN (content delivery network) attribute corresponding to those external resources;
the fingerprint identification module is configured to determine, through fingerprint identification, the security risk information present in a system or service of the host;
and the internal risk identification module is configured to acquire the port information and services of the IP address corresponding to the host managed by the security operation and maintenance analysis platform, to identify weak password security risks, and to identify security vulnerabilities in the host with a scanning tool.
In one embodiment, the internal risk identification module comprises: a vulnerability scanning module, an emergency scanning module, a weak password identification module and a notification module;
the vulnerability scanning module is configured to call a scanning tool and scan for security vulnerabilities in the host with the scanning tool;
the emergency scanning module is configured to detect, through code or scripts, security vulnerabilities that the scanning tool does not identify;
the weak password identification module is configured to identify, according to a preset weak password dictionary library, weak password security risks in intranet systems accessed through the transmission control protocol;
and the notification module is configured to output first notification information when a security vulnerability in the host is scanned, to output second notification information when a security vulnerability not identified by the scanning tool is detected through code or scripts, and to output third notification information when a weak password security risk exists.
In one embodiment, the internal risk identification module further comprises:
a weak password risk processing module configured to automatically modify the password corresponding to the weak password risk if the weak password security risk still exists in the intranet system after a first time.
In one embodiment, the difference state comprises: a first difference state, a second difference state and a third difference state;
the pre-stored risk-free data comprises: risk-free security risk data, risk-free key field data and key information data;
the central analysis module comprises: a risk information storage module, a security risk data analysis module, a security log data analysis module and a code information analysis module;
the risk information storage module is configured to store the risk-free security risk data and the risk-free key field data, the known at-risk security risk data and at-risk key field data, and the key information data;
the security risk data analysis module is configured to perform a first comparison between the at least one item of security risk data and the risk-free security risk data, and to output the first difference state when the at least one item of security risk data differs from the risk-free security risk data;
the security log data analysis module is configured to acquire the key field data in the security log data and the at-risk security log data analysed by the log analysis system, to perform a second comparison between the key field data and the risk-free key field data, and to output the second difference state when the key field data differs from the risk-free key field data and/or at-risk security log data is acquired;
and the code information analysis module is configured to acquire the code information data, to perform a third comparison between the code information data and the key information data, and to output the third difference state when the key information data exists in the code information data.
In one embodiment, the security processing module comprises a first alarm notification module, a second alarm notification module and a risk processing module;
the first alarm notification module is configured to output vulnerability repair information when the first notification information and/or the second notification information is detected, and to output weak password repair information when the third notification information is detected;
the second alarm notification module is configured to output risk notification information when the first difference state and/or the second difference state and/or the third difference state is detected;
the risk processing module is configured, when the first difference state is detected, to analyse a first protocol address of the security risk data corresponding to the first difference state and to block the connection with the first protocol address;
and, when the second difference state is detected, to analyse a second protocol address in the key field data corresponding to the second difference state and to block the connection with the second protocol address.
In one embodiment, the security processing module further comprises:
a third alarm notification module configured to output new risk notification information when the first difference state is detected and the at least one item of security risk data differs from the at-risk security risk data, and/or when the second difference state is detected and the key field data differs from the at-risk key field data.
In a second aspect, the present disclosure further provides a security operation and maintenance analysis method, comprising:
connecting to at least one security system through an application program interface to acquire analysis data in the security system, the security system comprising: a situation awareness system, a log analysis system and a code hosting system;
comparing pre-stored risk-free data with the analysis data to obtain a comparison result;
and outputting alarm information and executing a risk processing operation when the comparison result is a difference state.
In a third aspect, the present disclosure also provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the above method when executing the computer program.
In a fourth aspect, the present disclosure also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method.
In a fifth aspect, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the above method.
The security operation and maintenance analysis server, security operation and maintenance analysis method and computer equipment connect to at least one security system through the application program interface and can therefore integrate a plurality of different security products and information platforms to obtain various kinds of information, namely the analysis data. By comparing pre-stored risk-free data with the analysis data, these kinds of information can be associated, realising aggregation across the security products and information platforms and quickly revealing potential security hazards in different scenarios. The specific scenario from which a potential hazard originates can be identified from the comparison result and its difference state, the kind of security risk it poses can be learned from the alarm information, and the risk processing operation is then executed by operation and maintenance personnel and security personnel, so that the security risk is resolved quickly and the final security event processing result is obtained.
Drawings
FIG. 1 is a diagram illustrating an application environment of a security operation and maintenance analysis server in one embodiment;
FIG. 2 is a block diagram illustrating the architecture of a secure operation and maintenance analysis server in one embodiment;
FIG. 3 is a block diagram that schematically illustrates the structure of a situational awareness module in one embodiment;
FIG. 4 is a block diagram illustrating another portion of a secure operation and maintenance analysis server in one embodiment;
FIG. 5 is a flow diagram illustrating a security scan in the security operation and maintenance analysis server in one embodiment;
FIG. 6 is a block diagram that schematically illustrates the structure of an internal risk identification module, in accordance with an embodiment;
FIG. 7 is a block diagram that schematically illustrates the structure of a central analysis module, in accordance with an embodiment;
FIG. 8 is a block diagram that schematically illustrates the architecture of a security processing module, in accordance with an embodiment;
FIG. 9 is a block diagram illustrating an architecture of a security operation and maintenance analysis server according to an embodiment;
FIG. 10 is a schematic flow chart diagram illustrating a security operation and maintenance analysis method according to an embodiment;
FIG. 11 is a flowchart illustrating the step S1002 according to an embodiment;
FIG. 12 is a flowchart illustrating the steps of identifying weak password security risks and security breaches in one embodiment;
FIG. 13 is a flowchart illustrating the step S1004 according to an embodiment;
FIG. 14 is a flowchart illustrating the step S1006 in one embodiment;
FIG. 15 is a diagram showing an internal configuration of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure more clearly understood, the present disclosure is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the disclosure and are not intended to limit the disclosure.
In the embodiments herein, the term "and/or" merely describes an association relation between associated objects and means that three kinds of relation may exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be noted that the terms "first," "second," "third," and the like in the description and in the claims, and in the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments herein described are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or device.
At present, with the development of network technology, many security products for security prevention and control have appeared. The deployed security products come from relatively many manufacturer brands, they are difficult to manage centrally, the devices are difficult to associate and aggregate, and they cannot jointly discover and jointly resist hidden malicious behaviors and attack events. Moreover, with the rapid rise of new architectures such as microservices, threat behaviors on the host side and container side in particular lack effective control points: first, traffic cannot be effectively controlled; second, a process-level linkage and isolation blocking mechanism is lacking, so entities such as malicious processes, malicious files and high-risk accounts in hosts and containers cannot be handled, and the security problems within hosts and containers cannot be resolved. Security work is also urgent, which requires the security team to be able at any time to correlate and analyse basic information (such as the asset information and network device information stored in the CMDB), service requests, security device events, external threat intelligence and other data, and to draw a conclusion quickly according to a given security analysis logic.
Therefore, a security management center is urgently needed to link the related security products, so that the security control points form a control plane, an automatic unified security operation and maintenance management system is formed, and potential security hazards can be analysed rapidly.
To solve the above problem, the present disclosure provides a security operation and maintenance analysis server 104, which can be applied in the application environment shown in fig. 1. The security operation and maintenance analysis server 104 communicates with the security system 102 via a network. A data storage system may store the data that the security operation and maintenance analysis server 104 needs to process or invoke; it may be integrated on the security operation and maintenance analysis server 104, or placed in the cloud or on another network server. The security operation and maintenance analysis server 104 comprises a situation awareness module, a central analysis module and a security processing module. The situation awareness module connects through an application program interface to at least one server corresponding to the security system 102 so as to obtain analysis data from that server. The security system 102 may comprise: a situation awareness system, a log analysis system and a code hosting system. The central analysis module compares the risk-free data stored in advance in the data storage system with the analysis data acquired by the situation awareness module to obtain a comparison result, which is sent to the security processing module; the security processing module identifies the comparison result and, when the comparison result is a difference state, outputs alarm information and executes a risk processing operation. The security system 102 and the security operation and maintenance analysis server 104 may be implemented by separate servers or by a server cluster composed of a plurality of servers, where the servers may include Linux servers, Windows servers and the like.
In one embodiment, as shown in fig. 2, a security operation and maintenance analysis server 104 is provided, described by taking the application environment in fig. 1 as an example, and comprising: a situation awareness module 202, a central analysis module 204 and a security processing module 206, wherein:
the situation awareness module 202 is configured to connect to at least one security system through an application program interface and acquire analysis data in the security system, the security system comprising: a situation awareness system, a log analysis system and a code hosting system.
The application program interface may generally be an API (Application Programming Interface): a set of predefined interfaces (such as functions and HTTP interfaces) or a convention for linking the different components of a software system. It is a set of routines that gives applications and developers access to a piece of software or hardware without accessing its source code or understanding the details of its internal workings. The security system may typically be a security product of a different vendor brand or a website storing data, and may include a situation awareness system, a log analysis system and a code hosting system. The situation awareness system may be a big data security analysis system capable of detection, early warning and response handling. The log analysis system may be an ELK (Elasticsearch, Logstash, Kibana) platform; the logs mainly include system logs, application logs and security logs. The ELK platform can analyse the logs to understand the load, performance and security of a server or host so that measures can be taken in time to correct errors; it collects the logs from all servers so that they can be retrieved and counted, and at-risk security log data can be tallied. The code hosting system may typically be a code hosting platform such as GitHub or Gitee.
Specifically, the situation awareness module 202 accesses the API interface provided by the situation awareness system (authentication is required before the API interface can be accessed) over the HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol to connect with the situation awareness system and obtain its analysis data, which may include various kinds of security risk data. The situation awareness module 202 accesses the API interface provided by the ELK platform over HTTPS to obtain the analysis data in the ELK platform, which may include various kinds of security log data carrying security risks. The situation awareness module 202 accesses the API interfaces provided by code hosting systems such as GitHub and Gitee over HTTPS to obtain the analysis data in those platforms, which may include various kinds of code information data.
HTTPS is an HTTP channel designed for security: on the basis of HTTP, transport encryption and identity authentication ensure the security of the transmission process.
It should be noted that only three security systems are taken as an example here; the situation awareness module 202 may also be connected to other security systems or devices, such as behavior management devices, firewalls, switches, bastion hosts and the like, as long as they expose an API interface, so that the data in those devices can also be acquired.
The central analysis module 204 is configured to compare the pre-stored risk-free data with the analysis data to obtain a comparison result.
The risk-free data may in general be various kinds of secure data, which may include security risk data without security risk, security log data without security risk, and key information data.
Specifically, the risk-free data is set, and a first comparison is performed between the acquired security risk data and the security risk data without security risk to obtain a first comparison result. A second comparison is performed between the risk-free security log data and the acquired security log data to obtain a second comparison result. A third comparison is performed between the key information data and the acquired code information data to obtain a third comparison result. Each of the first, second and third comparison results may be a difference state or a non-difference state.
The security processing module 206 is configured to output alarm information and execute a risk processing operation when the comparison result is a difference state.
The alarm information may be the different alarms sent to operation and maintenance personnel and security personnel according to the comparison results of the different difference states. The risk processing operation may be the operation performed by operation and maintenance personnel and security personnel to handle the risk according to the alarm information.
Specifically, when the first, second or third comparison result is a difference state, different alarm information is output, and the operation and maintenance personnel are notified to perform different risk-handling operations according to that alarm information.
The security operation and maintenance analysis server described above connects to at least one security system through the application program interface and can thus integrate a plurality of different security products and information platforms to obtain various kinds of information, namely the analysis data. By comparing the pre-stored risk-free data with the analysis data, these kinds of information can be associated, realising aggregation across the security products and information platforms and quickly revealing the potential security hazards that exist in different scenarios. The specific scenario from which a hazard originates can be identified from the comparison result and difference state, the kind of security risk it poses can be learned from the alarm information, and the risk processing operation is then carried out by operation and maintenance personnel and security personnel, so the security risk is resolved faster and the final security event processing result is obtained.
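As an added example that is not code from the patent or from the applicant, the following Python models the central analysis module's three comparisons and the security processing module's alarm and blocking decisions described above. It assumes data shapes of its own choosing (dict items for security risk data, a five-field log line layout, regex patterns as the stored key information data) and models blocking as returning the list of addresses to block; all sample values are constructed.

```python
import re
from dataclasses import dataclass, field

# Difference states named in the disclosure
FIRST_DIFFERENCE = "first_difference_state"
SECOND_DIFFERENCE = "second_difference_state"
THIRD_DIFFERENCE = "third_difference_state"

# Assumed security log line layout: "date time user action source_address"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class RiskInformationStore:
    """Risk information storage module: the pre-stored baselines (assumed shapes)."""
    risk_free_security_risk: set      # (type, value) items considered benign
    known_at_risk_security_risk: set  # (type, value) items already known to be bad
    risk_free_key_fields: set         # (user, action) pairs considered normal
    known_at_risk_key_fields: set     # (user, action) pairs already known to be bad
    key_information_patterns: list = field(default_factory=list)  # secret regexes


def first_comparison(store, security_risk_items):
    """Security risk data analysis module: items outside the risk-free baseline."""
    findings = []
    for item in security_risk_items:
        key = (item["type"], item["value"])
        if key in store.risk_free_security_risk:
            continue
        findings.append({"state": FIRST_DIFFERENCE, "address": item["address"],
                         "new": key not in store.known_at_risk_security_risk})
    return findings


def second_comparison(store, log_lines, risky_log_lines):
    """Security log data analysis module: compare (user, action) key fields with
    the risk-free key fields; lines the log analysis system flagged always differ."""
    findings, flagged = [], set(risky_log_lines)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: no key fields to compare
        _date, _time, user, action, source = m.groups()
        key = (user, action)
        if key in store.risk_free_key_fields and line not in flagged:
            continue
        findings.append({"state": SECOND_DIFFERENCE, "address": source,
                         "new": key not in store.known_at_risk_key_fields})
    return findings


def third_comparison(store, code_snippets):
    """Code information analysis module: key information present in hosted code."""
    findings = []
    for location, text in code_snippets.items():
        if any(re.search(p, text) for p in store.key_information_patterns):
            findings.append({"state": THIRD_DIFFERENCE, "location": location})
    return findings


def security_processing(findings):
    """Security processing module: risk notification per difference, new-risk
    notification when not already known, and the addresses to block (returned)."""
    notifications, block = [], set()
    for f in findings:
        notifications.append(("risk_notification", f["state"]))
        if f["state"] in (FIRST_DIFFERENCE, SECOND_DIFFERENCE):
            if f["new"]:
                notifications.append(("new_risk_notification", f["state"]))
            block.add(f["address"])
    return notifications, sorted(block)


def run_demo():
    """Run the three comparisons on constructed sample data (all values invented)."""
    store = RiskInformationStore(
        risk_free_security_risk={("terminal", "host-01"), ("service", "nginx")},
        known_at_risk_security_risk={("weak_password", "admin")},
        risk_free_key_fields={("alice", "login"), ("bob", "logout")},
        known_at_risk_key_fields={("root", "login")},
        key_information_patterns=[r"AKIA[0-9A-Z]{16}", r"password\s*=\s*['\"]\S+['\"]"],
    )
    situation_items = [  # as if returned by the situation awareness system
        {"type": "terminal", "value": "host-01", "address": "10.0.0.5"},
        {"type": "weak_password", "value": "admin", "address": "10.0.0.9"},
        {"type": "event", "value": "port-scan", "address": "203.0.113.7"},
    ]
    logs = [  # as if returned by the log analysis system
        "2021-11-05 10:00:01 alice login 10.0.0.5",
        "2021-11-05 10:00:02 root login 198.51.100.4",
        "2021-11-05 10:00:03 mallory login 198.51.100.8",
        "garbled line",
    ]
    risky_from_elk = ["2021-11-05 10:00:03 mallory login 198.51.100.8"]
    code = {  # as if returned by a code hosting system search
        "repo/config.py": "password = 'hunter2'  # constructed placeholder",
        "repo/main.py": "print('hello')",
    }
    findings = (first_comparison(store, situation_items)
                + second_comparison(store, logs, risky_from_elk)
                + third_comparison(store, code))
    return findings, security_processing(findings)
```

On the sample data, run_demo() yields two first, two second and one third difference state, one new-risk notification each for the unknown event and the unknown user, and four addresses to block.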
In one embodiment, the analysis data may include security risk data, security log data and code information data. As shown in fig. 3, the situation awareness module 202 includes a situation awareness system connection module 302, a log analysis system connection module 304 and a code hosting system connection module 306.
The situation awareness system connection module 302 is configured to connect to the situation awareness system through a situation awareness threat data source interface and acquire at least one item of security risk data from the situation awareness system, where the security risk data includes risk terminal data, risk service data, security event data, security vulnerability data, weak password data and the like.
The situation awareness threat data source interface may be an API provided by the situation awareness system.
Specifically, the situation awareness system connection module 302 accesses the situation awareness threat data source interface over HTTPS and thereby obtains at least one item of security risk data from the situation awareness system.
The log analysis system connection module 304 is configured to connect to the log analysis system through a log analysis system interface and obtain the security log data from the log analysis system.
The log analysis system interface may be an API provided by the log analysis system. Network devices, operating systems, service programs and the like generate event records, called logs, while running; these records are the security log data, and each line of a security log records the date, time, user, action and a description of the related operation.
Specifically, the log analysis system connection module 304 accesses the log analysis system interface over HTTPS to obtain the security log data from the log analysis system. The security log data may include application logs, security logs, system logs, scheduler service logs, FTP (File Transfer Protocol) logs, WWW logs, DNS server logs and the like.
The code hosting system connection module 306 is configured to connect to the code hosting system through a code hosting system interface and obtain code information data from the code hosting system through a search statement command.
The search statement command may generally be a dork statement, that is, a search query built from the search operators of the code hosting platform; the search function is implemented by the dork statement. The code hosting system interface may be an API provided by a code hosting platform such as github or gitee, and the code information data may be code stored on such a platform.
Specifically, the code hosting system connection module 306 accesses the code hosting system interfaces of code hosting platforms such as github and gitee over HTTPS, and searches for and acquires code information data in the code hosting system through dork statements.
In this embodiment, information in different security systems is acquired through different connection modules over HTTPS, which protects the information in transit; information data from multiple scenarios is acquired, and since the security log data can contain different kinds of logs, security risks can be judged from multiple angles and identified comprehensively.
In one embodiment, the situation awareness module 202 further comprises a security event filtering module, configured to filter the security events through a preset security event filtering rule to obtain the security events with high security risk.
Specifically, since the volume of security event data is large, the security event filtering rule needs to be set in advance. The preset security event filtering rule may include: retaining security events whose fields are identified as serious or high-risk, events whose fields indicate ransomware attacks or mining viruses, successful host logins and the like; and filtering out security events corresponding to common information such as daily IP scanning, password cracking attempts and directory traversal attacks. After the security events are filtered by the security event filtering rule, the security events with high security risk are obtained.
In some embodiments, for example, the rule is set to acquire only security events in a compromised state, or only security events containing specified keywords, and the acquired security event records are retained. The keywords may be chosen by those skilled in the art according to specific needs and are not limited in this embodiment.
In this embodiment, the preset security event filtering rule focuses attention on the events with a large security risk and reduces factors such as the slowdown of security risk identification caused by the large volume of security event data.
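The following is an added example of such a preset filtering rule applied to situation-awareness events; it is not code from the patent. The event schema (severity, category, status, name), the retain and drop lists and the sample events are constructed for illustration.

```python
"""Security event filtering with a preset rule, in the manner described for
the security event filtering module. Added example, not code from the patent:
the event schema (severity, category, status, name), the rule lists and the
sample events are constructed for illustration."""
from typing import Dict, Iterable, List

# Constructed sample events standing in for situation-awareness output.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "severity": "high", "category": "ransomware", "status": "compromised",
     "name": "Ransomware beacon to known C2"},
    {"id": 2, "severity": "low", "category": "scan", "status": "attempt",
     "name": "Daily IP scanning"},
    {"id": 3, "severity": "medium", "category": "bruteforce", "status": "attempt",
     "name": "Password cracking against SSH"},
    {"id": 4, "severity": "critical", "category": "mining", "status": "compromised",
     "name": "Mining virus process started"},
    {"id": 5, "severity": "info", "category": "login", "status": "success",
     "name": "Successful host login from new source"},
    {"id": 6, "severity": "low", "category": "web", "status": "attempt",
     "name": "Directory traversal attack"},
]

# Preset filtering rule (assumed values). Retain rules are checked before drop
# rules so that a "critical" event is never discarded because of its category.
RETAIN_SEVERITIES = {"critical", "high"}            # "serious" and "high-risk" field identifiers
RETAIN_CATEGORIES = {"ransomware", "mining"}       # ransomware and mining virus fields
RETAIN_STATUSES = {"compromised"}                  # events in a compromised state
RETAIN_NAME_KEYWORDS = ("successful host login",)  # configurable keyword list
DROP_CATEGORIES = {"scan", "bruteforce", "web"}    # daily scanning, password cracking, traversal noise


def is_high_risk(event: Dict[str, object]) -> bool:
    """Apply the preset rule to one event; True means the event is retained."""
    name = str(event.get("name", "")).lower()
    if event.get("status") in RETAIN_STATUSES:
        return True
    if event.get("severity") in RETAIN_SEVERITIES:
        return True
    if event.get("category") in RETAIN_CATEGORIES:
        return True
    if any(keyword in name for keyword in RETAIN_NAME_KEYWORDS):
        return True
    if event.get("category") in DROP_CATEGORIES:
        return False
    # Anything else is low-value noise for this rule set.
    return False


def filter_security_events(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return only the events with high security risk, preserving input order."""
    return [event for event in events if is_high_risk(event)]


def retained_ids(events: Iterable[Dict[str, object]]) -> List[int]:
    """Convenience view of the filter result, used for checking the rule."""
    return [int(event["id"]) for event in filter_security_events(events)]


if __name__ == "__main__":
    for event in filter_security_events(SAMPLE_EVENTS):
        print(event["id"], event["severity"], event["name"])
```

The order of the checks is the point: retain rules run before drop rules, so a scan event that the upstream system rated critical is still kept, while the routine scanning, cracking attempts and traversal probes are dropped regardless of volume.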
In one embodiment, as shown in fig. 4, the security operation and maintenance analysis server further includes a domain name scanning module 208, a fingerprint identification module 210 and an internal risk identification module 212.
The domain name scanning module 208 is configured to acquire the external resources connected to a host managed by the security operation and maintenance analysis platform, identify the IP address and CDN attribute corresponding to each external resource through a preset internal address library, and access the port information and services of the host through the IP address.
The external resources may include external servers, external websites and the like. The internal address library stores domain names together with their corresponding IP (Internet Protocol) addresses and CDN (Content Delivery Network) attributes.
Specifically, the security operation and maintenance analysis platform may be connected to a plurality of hosts or servers in order to manage them. The domain name scanning module 208 acquires the hosts or servers managed by the platform, then acquires the domain name data of the external resources connected to them, and identifies the IP address and CDN attribute corresponding to that domain name data through the preset internal address library.
The fingerprint identification module 210 is configured to determine the security risk information existing in a system or service of the host through fingerprint identification.
Fingerprint identification serves asset inventory: it mainly determines which application software, and which version of it, is currently running on the host or server.
Specifically, the fingerprint identification module 210 maintains a local fingerprint library and, by scanning and identification, confirms the component version information of the system or service running on the host or server and the security risks that version may carry.
The internal risk identification module 212 is configured to acquire the port information and services of the IP corresponding to a host managed by the security operation and maintenance analysis platform, identify weak password security risks, and identify security vulnerabilities in the host through a scanning tool.
The scanning tool is a tool that can discover host vulnerabilities, probe the service ports on which a host is listening, and return the response packets.
Specifically, whether a host or server exists at an IP address is first detected with ICMP (Internet Control Message Protocol). If it does, a TCP (Transmission Control Protocol) SYN request is sent to each port at the transport layer and the response is used to confirm which ports are open on that IP and which services they correspond to. If no host or server exists at the IP, the next IP address is detected (for example, if 192.168.1.10 does not exist, 192.168.1.11 is detected). SYN (Synchronize Sequence Numbers) is the handshake signal used when TCP/IP establishes a connection: when a normal TCP connection is established between a client and a server, the client first sends a SYN segment, the server replies with SYN+ACK to indicate that it received it, and finally the client responds with an ACK. A reliable TCP connection is thus established and data can be transferred between client and server. The internal risk identification module 212 identifies weak password security risks in the connected intranet and identifies security vulnerabilities in the host or server through the scanning tool.
In some embodiments, as shown in fig. 5, the domain name scanning module 208 traverses a set of commonly used ports on the internal network segments taken from the user data and obtains the ports that may be open on a single IP or IP segment in the intranet, and likewise traverses the set of commonly used ports on the external network segments and obtains the ports that may be open on a single IP or IP segment in the extranet. The internal risk identification module 212 then judges whether the ports of the single IP or IP segment in the intranet and extranet are accessible; if they are, it identifies the weak password security risk of the corresponding IP or IP segment and identifies security vulnerabilities in it through the scanning tool, and the fingerprint identification module 210 identifies security risks from the fingerprints. If a security risk exists, the system alarms in time and notifies the personnel responsible for the asset to handle it; if no security risk exists, the process ends.
In this embodiment, the domain name scanning module 208 scans the IP addresses and CDN attributes corresponding to the external resources connected to the host, so that when the host or server has a security risk or vulnerability, the IP addresses of the external resources connected to it can be found. The fingerprint identification module 210 maintains a complete local fingerprint library, so that when a 0day vulnerability appears, the assets that may be affected can be checked quickly and a rapid response made. The internal risk identification module 212 identifies potential security hazards in the intranet system, making it easier to search for security risks in the intranet.
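The following added example (not the patent's code) shows the port probe, the banner fingerprint against a local fingerprint library, and the "which assets are affected" check used for 0day response. It departs from the text in one assumed way: the probe is a full TCP connect() rather than the ICMP liveness check followed by a SYN half-open probe, because raw SYN and ICMP need privileges; the fingerprint library, product names and the "affected below version" rule are illustrative assumptions rather than real advisories, and the target is a banner server the example starts on 127.0.0.1.

```python
"""Port probing plus fingerprint matching against a local fingerprint library,
in the manner described for the domain name scanning, internal risk
identification and fingerprint identification modules. Added example, not the
patent's code. Assumptions: the probe is a full TCP connect() rather than the
ICMP-then-SYN sequence in the text (raw SYN and ICMP need privileges); the
fingerprint library, product names and the "affected below version" rule are
illustrative and not real advisories; the target is a banner server started
on 127.0.0.1 inside this example."""
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Assumed local fingerprint library: banner regex -> product name; group 1 is the version.
FINGERPRINT_LIBRARY: List[Tuple[re.Pattern, str]] = [
    (re.compile(rb"^SSH-2\.0-OpenSSH_([0-9.]+)"), "openssh"),
    (re.compile(rb"^220 .*ProFTPD ([0-9.]+)"), "proftpd"),
    (re.compile(rb"^220 .*\(vsFTPd ([0-9.]+)\)"), "vsftpd"),
]


def probe_port(host: str, port: int, timeout: float = 1.0) -> Tuple[bool, bytes]:
    """TCP connect probe. Returns (is_open, banner); banner is empty if none is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return True, sock.recv(256)
            except socket.timeout:
                return True, b""
    except OSError:  # ECONNREFUSED, timeout, unreachable
        return False, b""


def fingerprint(banner: bytes) -> Optional[Tuple[str, str]]:
    """Match a banner against the library; returns (product, version) or None."""
    for pattern, product in FINGERPRINT_LIBRARY:
        match = pattern.search(banner)
        if match:
            return product, match.group(1).decode("ascii")
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def is_affected(product: str, version: str, rule: Dict[str, str]) -> bool:
    """rule = {"product": ..., "below": "X.Y"}: affected when version < X.Y."""
    return product == rule["product"] and version_tuple(version) < version_tuple(rule["below"])


def scan_host(host: str, ports: List[int], rule: Dict[str, str]) -> List[Dict[str, object]]:
    """Probe each port; fingerprint the open ones; flag assets matching the rule."""
    findings = []
    for port in ports:
        is_open, banner = probe_port(host, port)
        if not is_open:
            continue
        fp = fingerprint(banner)
        findings.append({"port": port, "fingerprint": fp,
                         "affected": bool(fp and is_affected(fp[0], fp[1], rule))})
    return findings


def start_banner_server(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed target: accept one connection on 127.0.0.1 and send the banner."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve_once() -> None:
        try:
            conn, _ = server.accept()
        except OSError:
            return
        with conn:
            conn.sendall(banner)

    threading.Thread(target=serve_once, daemon=True).start()
    return server, server.getsockname()[1]


def demo() -> Tuple[List[Dict[str, object]], int, int]:
    """Scan one open (banner) port and one closed port on localhost."""
    server, open_port = start_banner_server(b"SSH-2.0-OpenSSH_7.4\r\n")
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))          # bound but not listening: connect is refused
    closed_port = closed.getsockname()[1]
    rule = {"product": "openssh", "below": "7.5"}   # assumed advisory, not a real CVE
    try:
        findings = scan_host("127.0.0.1", [open_port, closed_port], rule)
    finally:
        server.close()
        closed.close()
    return findings, open_port, closed_port


if __name__ == "__main__":
    print(demo())
```

A connect() probe completes the three-way handshake and so appears in the target's connection logs, unlike the half-open SYN probe the text describes; in an intranet sweep that is usually acceptable, but it is the reason production scanners prefer raw SYN when they have the privileges.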
In one embodiment, as shown in FIG. 6, the internal risk identification module 212 includes a vulnerability scanning module 602, an emergency scanning module 604, a weak password identification module 606 and a notification module 608, wherein:
the vulnerability scanning module 602 is configured to invoke the scanning tool and scan for security vulnerabilities in the host through it.
Specifically, the vulnerability scanning module 602 calls the scanning function of the scanning tool to scan for security vulnerabilities in the host, and when a security vulnerability is found, a notification is issued.
The emergency scanning module 604 is configured to detect, through code or scripts, security vulnerabilities that the scanning tool does not identify.
Specifically, the purpose of the emergency scanning module 604 is to verify in batch whether the internal hosts are affected by a newly published vulnerability. For example, an external security vendor has just announced a serious vulnerability and the vulnerability scanning tools do not yet have a check for it; through the emergency scanning module 604, a simple piece of code or script can detect, in the current network devices or systems, the security vulnerability that the scanning tool does not identify.
The weak password identification module 606 is configured to identify weak password security risks in the intranet system accessed through the Transmission Control Protocol, according to a preset weak password dictionary library.
The weak password dictionary library is the dictionary of frequently used weak passwords employed in a password dictionary attack. For example, starting from passwords leaked from various large websites, the most frequently used passwords are counted and the 100 or 1000 most frequent ones are taken as the weak password dictionary library. The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream based transport layer communication protocol.
Specifically, the weak password identification module 606 accesses the intranet over TCP through each port of the host or server, obtains the user names and corresponding passwords in the intranet, and matches each password against the preset weak password dictionary library. If a password from the intranet is found in the weak password dictionary library, a weak password security risk exists, and the password and its user name are extracted.
The notification module 608 is configured to output first notification information when a security vulnerability in the host is scanned, output second notification information when a security vulnerability that the scanning tool did not identify is detected by the code or script, and output third notification information when a weak password security risk is identified.
Specifically, the notification information may include the first, second and third notification information. The vulnerability scanning module 602 notifies the notification module 608 when it scans a security vulnerability in the host, and the notification module 608 outputs the first notification information. The emergency scanning module 604 notifies the notification module 608 when it detects, by code or script, a security vulnerability not identified by the scanning tool, and the notification module 608 outputs the second notification information. The weak password identification module 606 notifies the notification module 608 when it identifies a weak password security risk, and the notification module 608 outputs the third notification information.
In this embodiment, the vulnerability scanning module 602 scans security vulnerabilities in a host or server and thereby identifies its potential security hazards; when a newly disclosed vulnerability appears that the vulnerability scanning module 602 cannot identify, the emergency scanning module 604 can scan for it, which further ensures the security of the host or server. Vendor products and the enterprise vulnerability management process can also be docked, so that the vulnerability scanning module can be adapted to various products. The weak password identification module 606 identifies the weak password security risks existing in the intranet system, ensuring the security of passwords in the intranet. When different security risks are identified, the notification module outputs different notification information for each, so that operation and maintenance personnel or security personnel can perform different risk handling operations according to the different notifications and resolve the risks quickly.
In one embodiment, the internal risk identification module 212 further includes a weak password risk processing module, configured to automatically change the password corresponding to a weak password risk if that weak password security risk still exists in the intranet system after a first time period.
Specifically, if after the first time period the notification module has output the third notification information and the weak password identification module 606 still identifies the same weak password security risk, the weak password risk processing module may automatically change the password corresponding to that risk and output the changed password.
The first time period may be set by those skilled in the art according to different scenarios and is not limited in this embodiment.
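The following added example (not the patent's code) shows the weak password dictionary built from the most frequent leaked passwords, the match against intranet credentials that raises the third notification, and the automatic rotation once the first time period has elapsed. The leaked-password sample, the credential table, the hosts and the grace period are constructed for illustration; a real deployment would build the dictionary from actual breach corpora and change the password through the host's account management interface rather than in a Python dict.

```python
"""Weak-password dictionary construction, weak-credential identification and
automatic rotation after a first time period, in the manner described for the
weak password identification and weak password risk processing modules. Added
example, not the patent's code. The leaked-password sample, the credential
table, the grace period and the hosts are constructed for illustration; a real
deployment would build the dictionary from actual breach corpora and change
the password through the host's account management interface."""
import secrets
import string
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed corpus standing in for passwords leaked from large websites.
LEAKED_SAMPLE: List[str] = (["123456"] * 50 + ["password"] * 40 + ["admin123"] * 20
                            + ["qwerty"] * 15 + ["letmein"] * 5 + ["Tr0ub4dor&3"] * 1)

SYMBOLS = "!@#$%^&*-_"


def build_weak_dictionary(leaked: Iterable[str], top_n: int = 1000) -> Set[str]:
    """Take the top_n most frequent leaked passwords as the weak password dictionary."""
    return {password for password, _ in Counter(leaked).most_common(top_n)}


def find_weak_credentials(credentials: List[Dict[str, str]], weak: Set[str]) -> List[Dict[str, str]]:
    """credentials: [{"host", "user", "password"}]; return those whose password is in the dictionary."""
    return [cred for cred in credentials if cred["password"] in weak]


def generate_strong_password(length: int = 20) -> str:
    """CSPRNG-generated replacement with at least one character from each class."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def process_weak_passwords(credentials: List[Dict[str, str]], weak: Set[str],
                           first_seen: Dict[Tuple[str, str], datetime],
                           now: datetime, grace: timedelta):
    """Third-notification and auto-rotation logic.

    first_seen maps (host, user) -> time of the first weak-password alarm.
    A credential still weak once `grace` has elapsed since that alarm is
    rotated; otherwise a notification is (re)issued. Returns (notifications, rotations)."""
    notifications: List[Dict[str, str]] = []
    rotations: List[Dict[str, str]] = []
    for cred in find_weak_credentials(credentials, weak):
        key = (cred["host"], cred["user"])
        first = first_seen.setdefault(key, now)
        if now - first >= grace:
            new_password = generate_strong_password()
            cred["password"] = new_password   # in practice: call the host's password-change API
            rotations.append({"host": cred["host"], "user": cred["user"], "new_password": new_password})
            del first_seen[key]
        else:
            notifications.append({"host": cred["host"], "user": cred["user"], "reason": "weak password"})
    return notifications, rotations


def demo():
    weak = build_weak_dictionary(LEAKED_SAMPLE, top_n=5)   # the rarest one, "Tr0ub4dor&3", is excluded
    credentials = [
        {"host": "10.0.0.5", "user": "root", "password": "123456"},
        {"host": "10.0.0.6", "user": "ops", "password": "qwerty"},
        {"host": "10.0.0.7", "user": "dba", "password": "Tr0ub4dor&3"},
        {"host": "10.0.0.8", "user": "svc", "password": "Xk9#qLm2vP"},
    ]
    now = datetime(2021, 11, 5, 9, 0)
    grace = timedelta(days=7)
    first_seen = {("10.0.0.5", "root"): now - timedelta(days=8)}   # root was alarmed 8 days ago
    notifications, rotations = process_weak_passwords(credentials, weak, first_seen, now, grace)
    return weak, notifications, rotations, credentials, first_seen
```

Two details matter in practice: the first-alarm timestamp must be persisted per (host, user) so that the grace period survives restarts of the server, and the rotated password must be delivered to the asset owner out of band (the text says it is "output"), never written to the same log that the ELK cluster stores.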
In one embodiment, the difference states may include a first difference state, a second difference state and a third difference state, and the pre-stored non-risky data may include non-risky security risk data and non-risky key field data. As shown in fig. 7, the central analysis module 204 includes a risk information storage module 702, a security risk data analysis module 704, a security log data analysis module 706 and a code information analysis module 708, wherein:
the risk information storage module 702 is configured to store the non-risky security risk data, the non-risky key field data, the known risky security risk data, the known risky key field data, and the key information data.
The non-risky security risk data and key field data, and the known risky security risk data and key field data, can be checked and judged against historical risk conditions so that the data is assessed comprehensively.
The security risk data analysis module 704 is configured to perform a first comparison between the at least one item of security risk data and the non-risky security risk data, and to output a first difference state when the at least one item of security risk data differs from the non-risky security risk data.
Specifically, the security risk data analysis module 704 compares the at least one item of security risk data with the non-risky security risk data of the same kind. For example, if the acquired security risk data is risk terminal data and risk service data, the non-risky security risk data used should also be terminal data and service data, and the risk terminal data is compared with the non-risky terminal data and the risk service data with the non-risky service data. If the risk terminal data differs from the non-risky terminal data and/or the risk service data differs from the non-risky service data, the first comparison result is that they differ, the security risk data carries a security risk, and the first difference state is output. Only risk terminal data and risk service data are taken as an example here; in practice, the first difference state may be output whenever any one item of security risk data differs from the corresponding non-risky security risk data.
The security log data analysis module 706 is configured to obtain the key field data in the security log data, as well as any security log data that the log analysis system has analyzed as risky, perform a second comparison between the key field data and the non-risky key field data, and output a second difference state when the key field data differs from the non-risky key field data and/or risky security log data is obtained.
Specifically, the security log data analysis module 706 may obtain key field data from the security log, such as IP, user name, protocol, process and record time, and compare each key field with the non-risky key field data of the same field. When any key field differs from the non-risky key field data, the second comparison result is that the key field data differs from the non-risky key field data and/or risky security log data has been obtained, and the second difference state is output. The security log data analysis module 706 may also directly obtain security log data already analyzed as risky by the log analysis system, and outputs the second difference state when such data is obtained.
The code information analysis module 708 is configured to obtain the code information data, perform a third comparison between the code information data and the key information data, and output a third difference state when key information data is present in the code information data.
Specifically, the code information analysis module 708 obtains the code information data and performs the third comparison between it and the key information data, where the key information data may include secret, apikey, token, user names and passwords, core data, staff list information and the like. When data corresponding to the key information data is found in the code information data, the third comparison result is that key information data is present in the code information data, which indicates that key information may have been leaked; whether it has actually been leaked is then confirmed by manual review of the key information, and the third difference state is output once leakage is confirmed.
In this embodiment, different data are analyzed by different analysis modules. Because the data originate from products or information platforms of a plurality of vendors, data from multiple platforms can be analyzed together and different difference states output; from the difference state it can be learned which data gave rise to the security risk, so the cause of the risk can be located faster, and entities such as malicious processes, malicious files and high-risk accounts in hosts and containers can then be handled, resolving the security problems existing in hosts and containers.
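The following added example (not the patent's code) shows the third comparison over fetched code content: pattern matching for the kinds of key information listed above, a placeholder and entropy filter to cut the false positives that make manual review expensive, and a state that only becomes the third difference state once review confirms a finding. The patterns, the entropy threshold, the placeholder list and the sample repositories and files are constructed assumptions; the dork search against the hosting platform is not issued, the content is embedded so the example runs offline.

```python
"""Third comparison: detecting key information (secrets, API keys, tokens,
credentials, private keys) in code information data, in the manner described
for the code information analysis module. Added example, not the patent's
code. The patterns, the entropy threshold, the placeholder list and the
sample repositories/files are constructed assumptions; the dork search
against the hosting platform is not issued here, the content is embedded."""
import math
import re
from typing import Dict, List, Optional, Tuple

KEY_INFO_PATTERNS: Dict[str, re.Pattern] = {
    # kind -> pattern; the last group (when present) is the candidate value
    "apikey": re.compile(r"(?i)\b(api[_-]?key)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
    "token": re.compile(r"(?i)\b(token|secret)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"),
    "password": re.compile(r"(?i)\bpassword\b\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxx"}
ENTROPY_KINDS = {"apikey", "token"}   # kinds where a low-entropy value is almost always filler


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score high, filler scores low."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def is_placeholder(value: str) -> bool:
    """Template references like ${VAR} and well-known dummy values are not leaks."""
    return value.startswith("${") or value.lower() in PLACEHOLDERS


def scan_code(repo: str, path: str, text: str, min_entropy: float = 3.0) -> List[Dict[str, object]]:
    """Compare one file's content against the key information patterns."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KEY_INFO_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if is_placeholder(value):
                continue
            if kind in ENTROPY_KINDS and shannon_entropy(value) < min_entropy:
                continue
            findings.append({"repo": repo, "path": path, "line": lineno, "kind": kind,
                             "needs_manual_review": True})
    return findings


def third_comparison(items, confirmed_by_review=None) -> Tuple[Optional[str], List[Dict[str, object]]]:
    """Return (state, findings): 'third_difference' only once review confirms a leak.

    items: [(repo, path, text)]; confirmed_by_review: set of (repo, path, line) an
    analyst confirmed, or None to treat every finding as unconfirmed."""
    findings = [f for repo, path, text in items for f in scan_code(repo, path, text)]
    confirmed = [f for f in findings
                 if confirmed_by_review and (f["repo"], f["path"], f["line"]) in confirmed_by_review]
    return ("third_difference" if confirmed else None), findings


# Constructed sample code standing in for content fetched by the dork search (not real repositories).
SAMPLE_CODE = [
    ("acme/billing", "config/settings.py", 'API_KEY = "sk_live_9f8e7d6c5b4a3f2e1d0c"\nDEBUG = True\n'),
    ("acme/billing", "deploy/db.env", 'password = "${DB_PASSWORD}"\n'),
    ("acme/tools", "scripts/s3sync.sh", 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n'),
    ("acme/tools", "keys/id_rsa", '-----BEGIN RSA PRIVATE KEY-----\n(key body omitted in this sample)\n'),
    ("acme/web", "app/config.py", 'secret = "aaaaaaaaaaaaaaaaaaaa"\npassword = "changeme"\n'),
]
```

Keeping the state at "unconfirmed" until an analyst marks the finding mirrors the manual-review step in the text; the finding record deliberately carries the location but not the matched value, so the leaked secret is not copied into the alert pipeline.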
In one embodiment, as shown in FIG. 8, the security processing module 206 may include a first alert notification module 802, a second alert notification module 804, and a risk processing module 806, wherein:
the first alarm notification module 802 is configured to output vulnerability repair information when the first notification information and/or the second notification information is detected, and output weak password repair information when the third notification information is detected.
The vulnerability repair information is information prompting that a security vulnerability has occurred and needs to be repaired; the weak password repair information is information prompting that a weak password security risk has occurred and needs to be remediated.
Specifically, when the first alarm notification module 802 detects the first and/or second notification information, a security vulnerability has been identified by the vulnerability scanning module 602 and/or the emergency scanning module 604 and needs to be repaired, so the vulnerability repair information is output. When the first alarm notification module 802 detects the third notification information, a weak password security risk has occurred and needs to be remediated, so the weak password repair information is output.
The second alarm notification module 804 is configured to output the risk notification information when the first difference state, and/or the second difference state, and/or the third difference state is detected.
Specifically, the second alarm notification module 804 outputs the risk notification information when it detects any one of the first, second or third difference states, and likewise when it detects any combination of them: the first and second, the first and third, or the second and third difference states.
The risk notification information may be delivered by notifying security personnel of the security risk by e-mail or DingTalk, or by SMS, voice call or the like, which is not limited in this embodiment.
The risk processing module 806 is configured to, when the first difference state is detected, analyze a first protocol address of the security risk data corresponding to the first difference state and block connections with the first protocol address;
and, when the second difference state is detected, analyze a second protocol address in the key field data corresponding to the second difference state and block connections with the second protocol address.
The first protocol address and the second protocol address are typically IP addresses.
Specifically, if the risk processing module 806 detects the first difference state, the security risk data carries a security risk; the module analyzes the security risk data corresponding to the first difference state, obtains the source of the security risk and a first IP address, adds the first IP address to a blacklist and blocks connections with it.
If the risk processing module 806 detects the second difference state, the security log data carries a security risk; the module analyzes the source of the security risk in the security log and the corresponding second IP address, adds the second IP address to the blacklist and blocks connections with it.
In some embodiments, if a service on a host or server, such as a web service, has a security risk, the source of the security risk and its IP address are obtained and the IP address is added through the WAF (Web Application Firewall) interface; if the host or server has a security risk on an external-facing IP port, the IP address is submitted to a hardware firewall for blocking. In this way a process-level linkage and isolation blocking mechanism can be implemented, entities such as malicious processes, malicious files and high-risk accounts in the host and container can be handled, and the security problems in the host/server and in the container resolved.
A Web Application Firewall (WAF) is a product that protects Web applications by enforcing a series of security policies on HTTP/HTTPS traffic.
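The following added example (not the patent's code) carries the second comparison and the risk processing step through end to end: key fields are extracted from security log lines, compared with a baseline of non-risky key field data, a second difference state is produced, and the offending source addresses are added to a blacklist with a WAF or firewall hand-off. The log format (sshd-style lines), the baseline, the "flagged by the log analysis system" stand-in and the blocklist sinks are constructed assumptions; the same compare-against-baseline pattern is what the first comparison applies to risk terminal and risk service data.

```python
"""Second comparison over security log lines, then the risk-processing step
(blacklist the source address). Added example, not the patent's code: the log
format, the baseline of non-risky key fields, the 'flagged by the log analysis
system' stand-in and the blocklist back-ends are constructed assumptions."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sshd-style log lines (not from a real system).
SAMPLE_LOG = """\
Nov 05 09:12:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.1.20 port 51122 ssh2
Nov 05 09:13:44 web01 sshd[2231]: Accepted password for root from 203.0.113.77 port 40012 ssh2
Nov 05 09:14:02 web01 sshd[2240]: Failed password for admin from 198.51.100.9 port 40100 ssh2
Nov 05 09:15:10 web01 sshd[2252]: Accepted publickey for deploy from 10.0.1.21 port 51130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<time>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<process>[a-z]+)\[\d+\]: "
    r"(?P<action>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) "
    r"port \d+ (?P<protocol>\w+)$")

# Assumed baseline of non-risky key field values (would live in the risk information store).
BASELINE: Dict[str, Set[str]] = {
    "user": {"deploy"},
    "ip": {"10.0.1.20", "10.0.1.21"},
    "process": {"sshd"},
    "protocol": {"ssh2"},
}


def extract_key_fields(log_text: str) -> List[Dict[str, str]]:
    """Key field data per line: time, host, process, user, ip, protocol, action, method."""
    records = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def second_comparison(records: List[Dict[str, str]],
                      baseline: Dict[str, Set[str]]) -> Tuple[Optional[str], List[Dict[str, object]]]:
    """Return (state, risky_records). state is 'second_difference' when any key
    field deviates from the baseline or the log system itself flagged the record."""
    risky: List[Dict[str, object]] = []
    for record in records:
        deviations = [field for field in baseline if record.get(field) not in baseline[field]]
        flagged = record["action"] == "Failed"   # stands in for 'log analysis system marked it risky'
        if deviations or flagged:
            risky.append({**record, "deviations": deviations, "flagged": flagged})
    return ("second_difference" if risky else None), risky


class Blocklist:
    """Risk-processing sink: IP blacklist plus WAF / hardware-firewall hand-off lists."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()
        self.waf: List[str] = []        # would be pushed through the WAF interface
        self.firewall: List[str] = []   # would be submitted to the hardware firewall

    def block(self, ip: str, service: str) -> None:
        self.blocked.add(ip)
        (self.waf if service == "web" else self.firewall).append(ip)


def process_second_difference(risky: List[Dict[str, object]], blocklist: Blocklist,
                              service: str = "ssh",
                              trusted_prefixes: Tuple[str, ...] = ("10.",)) -> Blocklist:
    """Block each second IP address, never auto-blocking trusted internal ranges."""
    for record in risky:
        ip = str(record["ip"])
        if ip.startswith(trusted_prefixes):
            continue
        blocklist.block(ip, service)
    return blocklist


def demo() -> Tuple[Optional[str], List[Dict[str, object]], List[str]]:
    records = extract_key_fields(SAMPLE_LOG)
    state, risky = second_comparison(records, BASELINE)
    blocklist = process_second_difference(risky, Blocklist())
    return state, risky, sorted(blocklist.blocked)
```

The trusted-prefix guard is the caveat a practitioner adds before wiring this to a firewall: a baseline that is stale (a new bastion host, a renamed service account) will otherwise produce a second difference state that blocks internal infrastructure, so deviations inside trusted ranges should go to the alarm path rather than the blocklist.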
In one embodiment, the security processing module 206 further comprises a third alarm notification module 808, configured to output new risk notification information when the first difference state is detected and the at least one item of security risk data is not identical to the known risky security risk data,
and/or when the second difference state is detected and the key field data is not identical to the known risky key field data.
Specifically, when the third alarm notification module 808 detects the first difference state and the at least one item of security risk data differs from the known risky security risk data, a risk exists that is not yet stored among the risky security risk data pre-stored in the local library; the module adds the security risk data to the database and outputs the new risk notification information.
And/or, when the third alarm notification module 808 detects the second difference state and the key field data differs from the known risky key field data, a risk exists that is not yet stored among the risky key field data pre-stored in the local library; the module adds the key field data to the database and outputs the new risk notification information.
The modules in the security operation and maintenance analysis server may be implemented wholly or partially in software, hardware or a combination thereof. The modules may be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a component architecture of the security operation and maintenance server is provided, as shown in figure 9. After comparative testing, Airflow was chosen as the orchestration engine.
Airflow is an open-source distributed task scheduling framework that assembles a workflow of tasks with upstream and downstream dependencies into a directed acyclic graph (DAG).
The required tasks can be orchestrated using Airflow DAGs: the tasks corresponding to the various security risks are designed and finally orchestrated into a playbook, and Airflow brings natural advantages such as retrying failed playbook tasks and backfilling (catching up on) data. To accommodate subsequent Airflow updates, our secondary development incorporates Airflow as a plug-in.
A DAG represents a scheduled workflow and comprises one or more tasks with dependency relationships. The playbook is a simple configuration management and multi-host deployment system that, unlike existing schemes, can serve as a basis for deploying complex applications. The playbook can be customized, executes the specified operation steps in order, and supports both synchronous and asynchronous modes.
In the Airflow engine component, NSQ is used as the worker; when the playbook tasks are heavy, that is, when many security events are being processed, NSQ can be scaled out horizontally and quickly to relieve the task pressure.
NSQ is an open-source real-time distributed in-memory message queue written in Go.
The playbook runs the required API functions, playbook function management, playbook event handling and the like through an API module, which mainly uses GoFrame as its development framework.
The GoFrame is a modular, high-performance and enterprise-level Go basic development framework.
The MySQL database mainly provides the data required for the security operation and maintenance server to run, such as the non-risky security risk data and key field data, and stores the known risky security risk data and key field data, the key information data and the like.
The data source interface is mainly used to connect to the different security systems and acquire the various data in them.
The ELK cluster mainly stores the logs of the security operation and maintenance server, including service logs, logs of security devices and the like.
The security operation and maintenance server mainly uses Airflow as the orchestration engine, and the playbooks execute on Airflow. The API module manages the playbook interfaces, the API interfaces and related functions, and the ELK cluster stores the server's log data. When a playbook outputs a security alarm and calls the API of the API module to create a security risk, the security team handles the security risk on the security operation and maintenance server, and finally the handling result of the security risk is obtained. The process data analyzed by the playbook is retained, and by adjusting the analysis strategy of the playbook and the MySQL database, security risk determination becomes more accurate, there are fewer false alarms, and the accuracy of determining abnormal security risk conditions is high.
In one embodiment, a method for analyzing security operation and maintenance is provided, as shown in fig. 10, the method includes:
S1002, connecting with at least one security system through an application program interface to acquire analysis data in the security system, wherein the security system comprises: a situation awareness system, a log analysis system and a code hosting system.
S1004, comparing the pre-stored risk-free data with the analysis data to obtain a comparison result.
S1006, outputting alarm information and executing a risk processing operation when the comparison result is a difference state.
In one embodiment, the analysis data includes: security risk data, security log data and code information data. As shown in fig. 11, connecting with at least one security system through the application program interface to acquire the analysis data in the security system includes:
S1102, connecting the situation awareness threat data source interface with the situation awareness system to acquire at least one item of security risk data in the situation awareness system, wherein the security risk data comprises: risk terminal data, risk service data, security event data, security vulnerability data and weak password data.
S1104, connecting with the log analysis system through the log analysis system interface to acquire the security log data in the log analysis system.
S1106, connecting with the code hosting system through the code hosting system interface, and acquiring code information data from the code hosting system through a search statement command.
In one embodiment, acquiring at least one item of security risk data in the situation awareness system by connecting the situation awareness threat data source interface with the situation awareness system includes: filtering security events through a preset security event filtering rule to obtain the security events with high security risk.
In one embodiment, the method further comprises: acquiring the external resources connected with a host managed by the security operation and maintenance analysis platform, and identifying the IP address and CDN attribute corresponding to the external resources through a preset internal address library.
Security risk information present in the system or services of the host is determined by fingerprint identification.
Port information and services of the host managed by the security operation and maintenance analysis platform are acquired for the corresponding IP, weak password security risks are identified, and security vulnerabilities in the host are identified through a scanning tool.
In one embodiment, as shown in fig. 12, acquiring port information and services of the host managed by the security operation and maintenance analysis platform for the corresponding IP, identifying weak password security risks and identifying security vulnerabilities in the host through a scanning tool includes:
S1202, calling a scanning tool, and scanning for security vulnerabilities in the host through the scanning tool.
S1204, identifying weak password security risks in the intranet systems accessed through the transmission control protocol according to a preset weak password dictionary library.
S1206, outputting first notification information when a security vulnerability in the host is found by the scan.
S1208, outputting second notification information when a security vulnerability that the scanning tool did not identify is detected through code or scripts.
S1210, outputting third notification information when a weak password security risk is identified.
In one embodiment, acquiring port information and services of the host managed by the security operation and maintenance analysis platform for the corresponding IP, identifying weak password security risks and identifying security vulnerabilities in the host through a scanning tool further includes:
if, after the first time, the weak password security risk still exists in the intranet system, automatically modifying the password corresponding to the weak password risk.
In one embodiment, the difference state includes: a first difference state, a second difference state and a third difference state.
The pre-stored risk-free data includes: risk-free security risk data and risk-free key field data.
In one embodiment, as shown in fig. 13, comparing the pre-stored risk-free data with the analysis data to obtain a comparison result includes:
S1302, performing a first comparison between the at least one item of security risk data and the risk-free security risk data, and outputting a first difference state when the at least one item of security risk data differs from the risk-free security risk data.
S1304, acquiring the key field data in the security log data and the risky security log data identified by the log analysis system, performing a second comparison between the key field data and the risk-free key field data, and outputting a second difference state when the key field data differs from the risk-free key field data and/or risky security log data is acquired.
S1306, acquiring the code information data, performing a third comparison between the code information data and the key information data, and outputting a third difference state when the key information data is present in the code information data.
In one embodiment, as shown in fig. 14, outputting the alarm information and performing the risk processing operation when the comparison result is a difference state includes:
S1402, outputting vulnerability repair information when the first notification information and/or the second notification information is detected.
S1404, outputting weak password repair information when the third notification information is detected.
S1406, outputting risk notification information when the first difference state, the second difference state and/or the third difference state is detected.
S1408, when the first difference state is detected, analyzing a first protocol address in the security risk data corresponding to the first difference state, and blocking the connection with the first protocol address.
S1410, when the second difference state is detected, analyzing a second protocol address in the key field data corresponding to the first difference state, and blocking the connection with the second protocol address.
In one embodiment, outputting the alarm information and performing the risk processing operation when the comparison result is a difference state further includes: outputting new risk notification information when the first difference state is detected and the at least one item of security risk data is not identical to the known risky security risk data, and/or when the second difference state is detected and the key field data is not identical to the known risky key field data.
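The three comparisons of S1302 to S1306 and the alarm, blocking and new-risk rules of S1402 to S1410, as an added example that is not code from the patent or its applicant. The record layout, the key field names (`src_ip` standing in for the "second protocol address") and all sample values are assumptions constructed for the example; the blocking step validates the address before acting on it.

```python
# Added example (not code from the patent or its applicant): a compact model of the
# central analysis module's three comparisons and of the security processing
# module's responses. Every record, field name and address below is constructed.
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class DiffState(Enum):
    FIRST = "first difference state"    # security risk data not in the risk-free set
    SECOND = "second difference state"  # key field differs, or log analysis flagged risk
    THIRD = "third difference state"    # key information found inside hosted code


@dataclass(frozen=True)
class RiskRecord:
    kind: str      # e.g. "risk_terminal", "security_event", "weak_password"
    subject: str   # host, service or account the record concerns
    address: str   # protocol address tied to the record (the "first protocol address")


@dataclass
class RiskStore:
    risk_free_records: set            # known risk-free security risk data
    known_risky_records: set          # known risky security risk data
    risk_free_fields: dict            # key field name -> value considered safe
    known_risky_fields: dict          # key field name -> value already known risky
    key_information: set              # tokens that must never appear in hosted code


@dataclass
class Outcome:
    states: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    blocked: list = field(default_factory=list)


def _block(address, out):
    """Blocking step: act only on a syntactically valid address, never on garbage."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        out.alerts.append(f"unparseable address skipped: {address!r}")
        return
    if address not in out.blocked:
        out.blocked.append(address)


def analyse(records, log_fields, log_flagged_risky, code_text, store):
    """Run the three comparisons, then apply the alarm and blocking rules."""
    out = Outcome()
    # First comparison: each security risk record against the risk-free records.
    for rec in records:
        if rec in store.risk_free_records:
            continue
        out.states.add(DiffState.FIRST)
        _block(rec.address, out)            # block the first protocol address
        if rec not in store.known_risky_records:
            out.alerts.append(f"new risk: {rec.kind} on {rec.subject}")
    # Second comparison: log key fields against risk-free key fields, plus any log
    # the log analysis system itself already marked as risky.
    for name, value in log_fields.items():
        if store.risk_free_fields.get(name) == value:
            continue
        out.states.add(DiffState.SECOND)
        if name == "src_ip":                # the "second protocol address" key field
            _block(value, out)
        if store.known_risky_fields.get(name) != value:
            out.alerts.append(f"new risk: key field {name}={value}")
    if log_flagged_risky:
        out.states.add(DiffState.SECOND)
    # Third comparison: key information leaked into code hosting data.
    if any(token in code_text for token in store.key_information):
        out.states.add(DiffState.THIRD)
    if out.states:                          # risk notification for any difference state
        out.alerts.append("risk notification: " + "; ".join(sorted(s.value for s in out.states)))
    return out


def run_sample():
    # Constructed input: a clean record, a known risk, a new risk, a changed key field, a leaked token.
    store = RiskStore({RiskRecord("risk_terminal", "host-a", "10.0.0.5")},
                      {RiskRecord("security_event", "host-b", "10.0.0.9")},
                      {"src_ip": "10.0.0.5", "login_user": "svc-backup"}, {},
                      {"EXAMPLE_SECRET_TOKEN"})
    records = [RiskRecord("risk_terminal", "host-a", "10.0.0.5"),
               RiskRecord("security_event", "host-b", "10.0.0.9"),
               RiskRecord("weak_password", "host-c", "not-an-ip")]
    return analyse(records, {"src_ip": "198.51.100.7", "login_user": "svc-backup"},
                   False, "token = 'EXAMPLE_SECRET_TOKEN'", store)
```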
For a specific implementation of the security operation and maintenance analysis method, reference may be made to the above embodiment of the security operation and maintenance analysis server, which is not described again here.
It should be understood that, although the steps in the flowcharts in the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of performing these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 15. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing the non-risky security risk data and the key field data, and storing the known risky security risk data and the key field data, the key information data and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a secure operation and maintenance analysis method.
Those skilled in the art will appreciate that the architecture shown in fig. 15 is merely a block diagram of some of the structures associated with the disclosed aspects and does not limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or fewer components than those shown, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the above-described method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It should be noted that, the data (including but not limited to security risk data, security log data, code information data, key field data, etc.) referred to in the present disclosure are all information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, databases, or other media used in the embodiments provided by the present disclosure may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others. The databases involved in the embodiments provided by the present disclosure may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided in this disclosure may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic, quantum computing based data processing logic, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present disclosure, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for those skilled in the art, various changes and modifications can be made without departing from the concept of the present disclosure, and these changes and modifications are all within the scope of the present disclosure. Therefore, the protection scope of the present disclosure should be subject to the appended claims.

Claims (13)

1. A secure operation and maintenance analysis server, comprising: the situation perception module, the central analysis module and the safety processing module;
the situation awareness module is used for connecting with at least one security system through an application program interface to acquire analysis data in the security system, and the security system comprises: the system comprises a situation awareness system, a log analysis system and a code hosting system;
the central analysis module is used for comparing the prestored data without risks with the analysis data to obtain a comparison result;
and the safety processing module is used for outputting alarm information and executing risk processing operation under the condition that the comparison result is in a difference state.
2. The secure operation and maintenance analysis server of claim 1, wherein the analysis data comprises: security risk data, security log data, code information data;
the situation awareness module comprises: the system comprises a situation awareness system connecting module, a log analysis system connecting module and a code hosting system connecting module;
the situation awareness system connection module is used for being connected with the situation awareness system through a situation awareness threat data source interface to acquire at least one item of security risk data in the situation awareness system, and the security risk data include: risk terminal data, risk service data, security event data, security vulnerability data and weak password data;
the log analysis system connection module is used for connecting with the log analysis system through the log analysis system interface to acquire the safety log data in the log analysis system;
the code hosting system connecting module is used for connecting with the code hosting system through a code hosting system interface and acquiring code information data in the code hosting system through a search statement command.
3. The security operation and maintenance analysis server according to claim 2, wherein the situation awareness module further comprises:
and the security event filtering module is used for filtering the security event through a preset security event filtering rule to obtain the security event with high security risk.
4. The secure operation and maintenance analysis server according to claim 2, further comprising: the system comprises a domain name scanning module, a fingerprint identification module and an internal risk identification module;
the domain name scanning module is used for acquiring external resources connected with a host managed by the safety operation and maintenance analysis platform and identifying an IP address and CDN (content delivery network) attribute corresponding to the external resources through a preset internal address library;
the fingerprint identification module is used for determining security risk information existing in a system or service of the host through fingerprint identification;
the internal risk identification module is used for acquiring port information and services of the corresponding IP of the host managed by the security operation and maintenance analysis platform, identifying security risks of weak passwords and identifying security holes in the host through a scanning tool.
5. The security operation and maintenance analysis server according to claim 4, wherein the internal risk identification module comprises: the system comprises a vulnerability scanning module, an emergency scanning module, a weak password identification module and a notification module;
the vulnerability scanning module is used for calling the scanning tool and scanning the security vulnerability in the host through the scanning tool;
the emergency scanning module is used for detecting security vulnerabilities which are not identified by the scanning tool through codes or scripts;
the weak password identification module is used for identifying the weak password security risk in the intranet system accessed through the transmission control protocol according to a preset weak password dictionary library;
the notification module is used for outputting first notification information under the condition that the security vulnerability in the host is scanned, outputting second notification information under the condition that the security vulnerability which is not identified by the scanning tool is detected through the code or the script, and outputting third notification information under the condition that the security risk of the weak password exists.
6. The security operation and maintenance analysis server according to claim 5, wherein the internal risk identification module further comprises:
and the weak password risk processing module is used for automatically modifying the password corresponding to the weak password risk if the weak password security risk still exists in the intranet system after the first time.
7. The secure operation and maintenance analysis server of claim 5, wherein the difference state comprises: a first difference state, a second difference state, and a third difference state;
the pre-stored non-risky data includes: security risk data without risk, key field data without risk, and key field data;
the central analysis module comprises: the system comprises a risk information storage module, a safety risk data analysis module, a safety log data analysis module and a code information analysis module;
the risk information storage module is used for storing the security risk data and the key field data which have no risk, and storing the known security risk data and the key field data which have the risk, and the key information data;
the safety risk data analysis module is used for carrying out first comparison on the at least one item of safety risk data and the safety risk data without risks, and outputting a first difference state under the condition that the at least one item of safety risk data is different from the safety risk data without risks;
the safety log data analysis module is used for acquiring key field data in the safety log data and safety log data with risks analyzed by the log analysis system, performing second comparison on the key field data and the key field data without risks, and outputting a second difference state under the condition that the key field data are different from the key field data without risks and/or the safety log data with risks are acquired;
the code information analysis module is used for acquiring the code information data, performing third comparison on the code information data and the key information data, and outputting a third difference state under the condition that the key information data exists in the code information data.
8. The security operation and maintenance analysis server according to claim 7, wherein the security processing module comprises a first alarm notification module, a second alarm notification module and a risk processing module;
the first alarm notification module is used for outputting vulnerability repair information under the condition that the first notification information and/or the second notification information is detected, and is used for outputting weak password repair information under the condition that the third notification information is detected;
the second alarm notification module is used for outputting risk notification information under the condition that the first difference state and/or the second difference state and/or the third difference state are/is detected;
the risk processing module is used for analyzing a first protocol address of the safety risk data corresponding to a first difference state and blocking connection with the first protocol address under the condition that the first difference state is detected;
and is used for analyzing a second protocol address in the key field data corresponding to the first difference state and blocking the connection with the second protocol address under the condition that the second difference state is detected.
9. The secure operation and maintenance analysis server according to claim 7, wherein the secure processing module further comprises:
a third alarm notification module for outputting new risk notification information in case a first difference state is detected and the at least one item of security risk data is not identical to the known risky security risk data, and/or in case a second difference state is detected and the key field data is not identical to the known risky key field data.
10. A safety operation and maintenance analysis method is characterized by comprising the following steps:
obtaining analysis data in at least one security system connected via an application program interface, the security system comprising: the system comprises a situation awareness system, a log analysis system and a code hosting system;
comparing the pre-stored data without risks with the analysis data to obtain a comparison result;
and outputting alarm information and executing a risk processing operation under the condition that the comparison result is in a difference state.
11. A computer device comprising a memory storing a computer program and a processor implementing the steps of the method of claim 10 when the processor executes the computer program.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as claimed in claim 10.
13. A computer program product comprising a computer program which, when being executed by a processor, carries out the steps of the method as claimed in claim 10.
CN202111303114.XA 2021-11-05 2021-11-05 Safety operation and maintenance analysis server, safety operation and maintenance analysis method and computer equipment Pending CN114036505A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111303114.XA CN114036505A (en) 2021-11-05 2021-11-05 Safety operation and maintenance analysis server, safety operation and maintenance analysis method and computer equipment

Publications (1)

Publication Number Publication Date
CN114036505A true CN114036505A (en) 2022-02-11

Family

ID=80136435

Country Status (1)

Country Link
CN (1) CN114036505A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114548820A (en) * 2022-03-07 2022-05-27 济南数聚计算机科技有限公司 Big data wind control method and server for distance education service

Similar Documents

Publication Publication Date Title
US11627054B1 (en) Methods and systems to manage data objects in a cloud computing environment
US11729193B2 (en) Intrusion detection system enrichment based on system lifecycle
JP6559694B2 (en) Automatic SDK acceptance
US11979422B1 (en) Elastic privileges in a secure access service edge
CA2803241C (en) Automated security assessment of business-critical systems and applications
US9516041B2 (en) Cyber security analytics architecture
EP1805641B1 (en) A method and device for questioning a plurality of computerized devices
US10671723B2 (en) Intrusion detection system enrichment based on system lifecycle
EP3449375B1 (en) Monitoring of interactions between services
US20180211032A1 (en) Log information generation apparatus and recording medium, and log information extraction apparatus and recording medium
US11748487B2 (en) Detecting a potential security leak by a microservice
CN112534432A (en) Real-time mitigation of unfamiliar threat scenarios
US10491621B2 (en) Website security tracking across a network
US10248797B1 (en) Systems and methods for zero-day DLP protection having enhanced file upload processing
CN113614718A (en) Abnormal user session detector
US11399036B2 (en) Systems and methods for correlating events to detect an information security incident
EP3767913B1 (en) Systems and methods for correlating events to detect an information security incident
US10169593B2 (en) Security systems GUI application framework
CN116915516B (en) Software cross-cloud delivery method, transfer server, target cloud and storage medium
CN114036505A (en) Safety operation and maintenance analysis server, safety operation and maintenance analysis method and computer equipment
US10685115B1 (en) Method and system for implementing cloud native application threat detection
Xu et al. Identification of ICS security risks toward the analysis of packet interaction characteristics using state sequence matching based on SF-FSM
US20240073238A1 (en) Method and system for ensuring compliance of computing systems
US11588843B1 (en) Multi-level log analysis to detect software use anomalies
CN117648100B (en) Application deployment method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination