Virtualization security detection method and system
Technical field
The present invention relates to the field of computer technology, and more particularly to a virtualization security detection method and system.
Background technology
Virtualization refers to using virtualization technology to turn one computer into multiple logical computers. Multiple logical computers run simultaneously on one computer, each logical computer can run a different operating system, and application programs can run in separate spaces without affecting each other, which significantly improves the operating efficiency of the computer.
In existing virtualization security detection schemes, if multiple virtual logical computers (virtual machines) exist on the same physical machine, then to perform security detection on the information in those virtual machines a killing server must be set up in every virtual machine, and the information in each virtual machine undergoes security detection in its own killing server.
Because the virtual machines contain the same or similar information and their killing servers are also identical to each other, having multiple virtual machines perform security detection on the same information at the same time inevitably increases the resource occupancy of the physical machine hosting them.
Summary of the invention
In view of the problem that existing virtualization security detection methods, when performing security detection on the information in multiple virtual machines, easily cause high resource occupancy on the physical machine, the present invention is proposed in order to provide a virtualization security detection method and system that overcome the above problem or at least partially solve it.
According to one aspect of the present invention, a virtualization security detection method is provided, including:
A light agent client obtains information to be detected and sends the information to be detected to a caching server over a network;
The caching server judges whether it has cached a correspondence between the information to be detected and the security level corresponding to the information to be detected;
If the correspondence does not exist, the caching server sends the information to be detected over the network to a killing server, which performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server;
If the correspondence exists, the security level of the information to be detected is determined according to the correspondence;
Wherein the light agent client is arranged in a virtual machine.
Optionally, the light agent client obtaining the information to be detected includes:
The light agent client obtains the information to be detected from at least one virtual machine on the physical machine where the light agent client is located, wherein multiple virtual machines are provided on the physical machine;
And/or
The light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
Optionally, the information to be detected includes at least one of file information, website information, access path information, and registry read/write information.
Optionally, the step in which the killing server performs security detection on the information to be detected includes:
The killing server obtains the characteristic value of the information to be detected;
The killing server performs security detection on the information to be detected by scanning the characteristic value with a killing engine.
Optionally, the method further includes:
If the killing server, scanning the characteristic value with the killing engine to perform security detection on the information to be detected, does not obtain a detection result, the killing server sends the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection; a detection result is obtained and returned to the killing server.
Optionally, the method further includes:
If the private cloud server performs security detection on the information to be detected and does not obtain a detection result, the characteristic value is sent to the public cloud server of the cluster for security detection; a detection result is obtained and returned to the private cloud server, and the private cloud server returns the detection result to the killing server.
Optionally, the killing server sending the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection includes:
The killing server sends the characteristic value, according to a preset scanning order, to the private cloud server of the cluster where the light agent client is located for security detection.
Optionally, after the detection result is obtained and returned to the killing server, the method further includes:
The killing server sends the security detection result to the caching server for storage.
Optionally, the method further includes:
The private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information includes the correspondence between characteristic values and security levels that the public cloud server regularly updates;
The private cloud server updates, according to the update information, the correspondence between characteristic values and security levels stored in the private cloud server.
According to another aspect of the present invention, a virtualization security detection system is provided, including: a caching server, a killing server, and a light agent client arranged in a virtual machine; wherein
The light agent client is configured to obtain information to be detected and send the information to be detected to the caching server over a network;
The caching server is configured to judge whether it has cached a correspondence between the information to be detected and the security level corresponding to the information to be detected; if the correspondence does not exist, to send the information to be detected to the killing server over the network; if the correspondence exists, to determine the security level of the information to be detected according to the correspondence;
The killing server is configured to receive the information to be detected sent by the caching server and to perform security detection on the information to be detected to obtain a detection result;
The caching server is further configured to determine the security level of the information to be detected according to the detection result of the killing server.
Optionally, the light agent client obtains the information to be detected from at least one virtual machine on the physical machine where the light agent client is located, wherein multiple virtual machines are provided on the physical machine;
And/or
The light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
Optionally, the information to be detected includes at least one of file information, website information, access path information, and registry read/write information.
Optionally, the killing server includes:
A characteristic value acquisition module, configured to obtain the characteristic value of the information to be detected;
A security detection module, configured to perform security detection on the information to be detected by scanning the characteristic value with a killing engine.
Optionally, the killing server further includes:
A private cloud detection module, configured to, if the security detection module scanning the characteristic value with the killing engine to perform security detection on the information to be detected does not obtain a detection result, send the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection, obtain a detection result, and return the detection result to the killing server.
Optionally, the killing server further includes:
A public cloud detection module, configured to, if the private cloud server performs security detection on the information to be detected and does not obtain a detection result, send the characteristic value to the public cloud server of the cluster for security detection, obtain a detection result, return the detection result to the private cloud server, and have the private cloud server return the detection result to the killing server.
Optionally, the private cloud detection module sends the characteristic value, according to a preset scanning order, to the private cloud server of the cluster where the light agent client is located for security detection.
Optionally, the killing server further includes:
A cache storage module, configured to send the security detection result to the caching server for storage after the private cloud detection module has obtained the detection result and returned it to the killing server.
Optionally, the private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information includes the correspondence between characteristic values and security levels that the public cloud server regularly updates;
The private cloud server updates, according to the update information, the correspondence between characteristic values and security levels stored in the private cloud server.
In existing virtualization security detection schemes, when security detection is performed on the information in multiple virtual machines at the same time, the killing server in every virtual machine starts and performs security detection on the information, which increases the resource occupancy of the physical machine. In the virtual machine security detection scheme of the present invention, a light agent client is arranged in a virtual machine; the light agent client obtains the information to be detected in the virtual machine and sends it to the caching server for a security level judgment. The caching server judges whether it has cached a correspondence between the information to be detected and its corresponding security level. If the correspondence exists, the security level of the information to be detected is determined according to the correspondence; if it does not exist, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.
By providing a caching server that caches the correspondence between information to be detected and its security level, the judgment is made by the caching server first, without security detection by the killing server, which improves the efficiency of security detection.
The light agent client is arranged in one virtual machine among multiple virtual machines and occupies system resources in only that one virtual machine, which reduces the resource occupancy of the physical machine.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flow chart of the steps of a virtualization security detection method according to Embodiment one of the present invention;
Fig. 2 is a flow chart of the steps of a virtualization security detection method according to Embodiment two of the present invention;
Fig. 3 is a structural block diagram of a virtualization security detection system according to Embodiment three of the present invention;
Fig. 4 is a structural block diagram of a virtualization security detection system according to Embodiment four of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention can be understood more thoroughly and so that the scope of the present disclosure can be fully conveyed to those skilled in the art.
Embodiment one
A virtualization security detection method provided by an embodiment of the present invention is described in detail.
Referring to Fig. 1, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
The virtualization security detection method in the embodiment of the present invention can be applied to a system that includes a light agent client, a caching server and a killing server.
The light agent client may be arranged in a virtual machine, and the caching server and the killing server may be arranged in a virtual machine or in a physical machine. For example, the light agent client may be arranged in one virtual machine among multiple virtual machines, and the caching server and the killing server may be arranged in just one physical machine or, alternatively, in one virtual machine. Optionally, the light agent client, the caching server and the killing server may be arranged in the same virtual machine among the multiple virtual machines, so that nothing needs to be set up in the other virtual machines.
The virtualization security detection method of this embodiment includes the following steps:
Step 100, the light agent client obtains information to be detected and sends the information to be detected to the caching server over the network.
The information to be detected may come from a single virtual machine or from multiple virtual machines; that is, the light agent client in one virtual machine can obtain the information to be detected in other virtual machines. Transmission through the underlying physical layer can, because of the limitations of that layer itself, carry only file information. By comparison, information to be detected that is transmitted over the network may include, besides file information, but is not limited to, website information, access path information, registry read/write information, and so on.
Step 102, the caching server judges whether it has cached a correspondence between the information to be detected and the security level corresponding to the information to be detected; if the correspondence does not exist, step 104 is performed; if it exists, step 106 is performed.
The caching server can cache correspondences between information to be detected and the corresponding security levels. For example, the caching server caches a correspondence between information to be detected A and its security level "danger", and a correspondence between information to be detected B and its security level "safety".
Step 104, the caching server sends the information to be detected over the network to the killing server, which performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server.
For example, the caching server receives information to be detected C from the light agent client, and no correspondence between information to be detected C and a security level exists in the caching server. The caching server then sends information to be detected C to the killing server for security detection, the killing server obtains the detection result for information to be detected C, and the caching server can determine the security level of information to be detected C according to the detection result.
That is, when no correspondence between a given piece of information to be detected and a security level exists in the caching server, the caching server sends that information to the killing server for security detection, and the security level of the information is judged from the detection result obtained by the killing server.
Step 106, the security level of the information to be detected is determined according to the correspondence.
If a correspondence between a given piece of information to be detected and a security level exists in the caching server, the security level corresponding to that information is determined directly.
In summary, the embodiment of the present invention arranges a light agent client in a virtual machine; the light agent client obtains the information to be detected in the virtual machine and sends it to the caching server for a security level judgment. The caching server judges whether it has cached a correspondence between the information to be detected and its corresponding security level. If the correspondence exists, the security level of the information to be detected is determined according to the correspondence; if it does not exist, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.
By providing a caching server that caches the correspondence between information to be detected and its security level, the judgment is made by the caching server first, without security detection by the killing server, which improves the efficiency of security detection.
The light agent client is arranged in one virtual machine among multiple virtual machines and occupies system resources in only that one virtual machine, which reduces the resource occupancy of the physical machine.
Embodiment two
A virtualization security detection method provided by an embodiment of the present invention is described in detail.
Referring to Fig. 2, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
The virtualization security detection method in the embodiment of the present invention can be applied to a system that includes a light agent client, a caching server and a killing server.
The light agent client may be arranged in a virtual machine, and the caching server and the killing server may be arranged in a virtual machine or in a physical machine. For example, the light agent client may be arranged in one virtual machine among multiple virtual machines, and the caching server and the killing server may be arranged in just one physical machine or, alternatively, in one virtual machine. Optionally, the light agent client, the caching server and the killing server may be arranged in the same virtual machine among the multiple virtual machines, so that nothing needs to be set up in the other virtual machines.
The virtualization security detection method of this embodiment includes the following steps:
Step 200, the light agent client obtains information to be detected and sends the information to be detected to the caching server over the network.
The information to be detected may come from a single virtual machine or from multiple virtual machines; that is, the light agent client in one virtual machine can obtain the information to be detected in other virtual machines.
Preferably, depending on the source of the information to be detected, the process by which the light agent client obtains the information to be detected in step 200 may be:
1) The light agent client obtains the information to be detected from at least one virtual machine on the physical machine where the light agent client is located, wherein multiple virtual machines are provided on the physical machine.
For example, if the physical machine W1 where light agent client Q1 is located includes virtual machines X1 and X2, then light agent client Q1 can obtain information to be detected from virtual machines X1 and X2; it can obtain information to be detected from virtual machine X1 alone, or from virtual machine X2 alone.
And/or
2) The light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
For example, the physical machine W1 where light agent client Q1 is located is in cluster J1, and cluster J1 also includes physical machine W2. Physical machine W1 includes virtual machines X1 and X2, and physical machine W2 includes virtual machines X3 and X4. Light agent client Q1 can then obtain information to be detected from virtual machines X1, X2, X3 and X4; it can obtain information to be detected from virtual machine X1 alone, from virtual machine X2 alone, from virtual machine X3 alone, or from virtual machine X4 alone.
To obtain the information to be detected, the light agent client may use mode 1) alone, mode 2) alone, or modes 1) and 2) together.
Preferably, the information to be detected may include at least one of file information, website information, access path information, and registry read/write information; the embodiment of the present invention does not restrict the specific content of the information to be detected.
Step 202, the caching server judges whether it has cached a correspondence between the information to be detected and the security level corresponding to the information to be detected; if the correspondence does not exist, step 204 is performed; if it exists, step 206 is performed.
The caching server can cache correspondences between information to be detected and the corresponding security levels. For example, the caching server caches a correspondence between information to be detected A and its security level "danger", and a correspondence between information to be detected B and its security level "safety".
Step 204, the caching server sends the information to be detected over the network to the killing server, which performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server.
For example, the caching server receives information to be detected C from the light agent client, and no correspondence between information to be detected C and a security level exists in the caching server. The caching server then sends information to be detected C to the killing server for security detection, the killing server obtains the detection result for information to be detected C, and the caching server can determine the security level of information to be detected C according to the detection result.
That is, when no correspondence between a given piece of information to be detected and a security level exists in the caching server, the caching server sends that information to the killing server for security detection, and the security level of the information is judged from the detection result obtained by the killing server.
Preferably, the step in which the killing server performs security detection on the information to be detected in step 204 above may include:
Step 041, the killing server obtains the characteristic value of the information to be detected.
The characteristic value of the information to be detected is unique attribute information used to identify the information to be detected. The killing server may obtain the characteristic value by performing operations such as calculation on the information to be detected; the embodiment of the present invention does not restrict the technical means by which the killing server obtains the characteristic value of the information to be detected.
Step 042, the killing server performs security detection on the information to be detected by scanning the characteristic value with the killing engine.
The killing engine is the core component of the killing server. The killing engine can scan and identify the characteristic value, thereby implementing security detection of the information to be detected.
Preferably, if in step 042 above the killing server, scanning the characteristic value with the killing engine to perform security detection on the information to be detected, does not obtain a detection result, step 043 is performed.
Step 043, the killing server sends the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection; a detection result is obtained and returned to the killing server.
The cluster where the light agent client is located is provided with a private cloud server. The private cloud server is usually configured to allow the physical machines and virtual machines in the cluster to connect to and access it, and it stores relevant information for a large amount of information to be detected in the cluster, including the characteristic value of the information to be detected, the corresponding security level, and so on.
Preferably, in step 043 above, the process by which the killing server sends the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection may be:
The killing server sends the characteristic value, according to a preset scanning order, to the private cloud server of the cluster where the light agent client is located for security detection.
If there are multiple characteristic values that need to be sent to the private cloud server for security detection, the killing server can send them to the private cloud server for security detection according to the preset scanning order.
Preferably, in step 043 above, after the detection result is obtained and returned to the killing server, the killing server may also send the security detection result to the caching server for storage.
The purpose of the killing server sending the security detection result to the caching server for storage is to enlarge the library of correspondences between information to be detected and security levels on the caching server, which can improve the efficiency of the caching server's judgment in step 202 above.
Preferably, if in step 043 above the private cloud server performs security detection on the information to be detected and does not obtain a detection result, step 044 is performed.
Step 044, the characteristic value is sent to the public cloud server of the cluster for security detection; a detection result is obtained and returned to the private cloud server, and the private cloud server returns the detection result to the killing server.
Generally, the security detection capability of the private cloud server is weaker than that of the public cloud server. When the private cloud server does not obtain a detection result, sending the characteristic value to the public cloud server for security detection can obtain one; returning that detection result to the private cloud server and the killing server can then increase the subsequent detection success rate of the private cloud server and the killing server.
Preferably, the private cloud server may obtain update information from the public cloud server according to a set rule, wherein the update information may include the correspondence between characteristic values and security levels that the public cloud server regularly updates.
Preferably, the private cloud server may update, according to the update information, the correspondence between characteristic values and security levels stored in the private cloud server.
Step 206: the security level of the information to be detected is determined according to the correspondence.
If the correspondence between a given piece of information to be detected and its security level exists in the caching server, the security level corresponding to that information to be detected is determined directly.
In summary, in this embodiment of the present invention the light agent client, the caching server and the killing server are set in one virtual machine among multiple virtual machines. The information to be detected in the virtual machines is obtained by the light agent client and sent to the caching server for judgement of its security level. The caching server judges whether it has cached the correspondence between the information to be detected and the security level corresponding to that information. If the correspondence exists, the security level of the information to be detected is determined according to the correspondence; if it does not exist, the information to be detected is sent to the killing server for safety detection, and the security level is determined according to the safety detection result.
By setting a caching server that caches the correspondence between information to be detected and its security level, the judgement is made first by the caching server, without safety detection by the killing server, which improves the efficiency of safety detection.
Because the light agent client, the caching server and the killing server are set in one virtual machine among multiple virtual machines, only the system resources of one virtual machine are occupied, which reduces the resource occupancy of the physical machine.
Embodiment three
A virtualization safety detection system provided by an embodiment of the present invention is described in detail.
Referring to Fig. 3, a structural block diagram of a virtualization safety detection system in an embodiment of the present invention is shown.
The system can include: a light agent client 300 set in a virtual machine, a caching server 302 and a killing server 304.
The caching server 302 and the killing server 304 can be set in a physical machine or in a virtual machine. For example, the light agent client 300 can be set in one virtual machine among multiple virtual machines, and the caching server 302 and the killing server 304 can be set in only one physical machine, or can also be set in one virtual machine. Alternatively, the light agent client 300, the caching server 302 and the killing server 304 can be set in the same virtual machine among the multiple virtual machines, so that they need not be set in the other virtual machines.
The light agent client 300 is configured to obtain information to be detected and send the information to be detected to the caching server 302 through a network.
The caching server 302 is configured to judge whether it has cached the correspondence between the information to be detected and the security level corresponding to that information; if the correspondence does not exist, to send the information to be detected to the killing server 304 through the network; and if it exists, to determine the security level of the information to be detected according to the correspondence.
The killing server 304 is configured to receive the information to be detected sent by the caching server 302 and to perform safety detection on the information to be detected to obtain a detection result.
The caching server 302 is further configured to determine the security level of the information to be detected according to the detection result of the killing server 304.
In summary, this embodiment of the present invention sets a light agent client in a virtual machine. The information to be detected in the virtual machine is obtained by the light agent client and sent to the caching server for judgement of its security level. The caching server judges whether it has cached the correspondence between the information to be detected and the security level corresponding to that information. If the correspondence exists, the security level of the information to be detected is determined according to the correspondence; if it does not exist, the information to be detected is sent to the killing server for safety detection, and the security level is determined according to the safety detection result.
By setting a caching server that caches the correspondence between information to be detected and its security level, the judgement is made first by the caching server, without safety detection by the killing server, which improves the efficiency of safety detection.
The light agent client is set in one virtual machine among multiple virtual machines and occupies only the system resources of one virtual machine, which reduces the resource occupancy of the physical machine.
Embodiment four
A virtualization safety detection system provided by an embodiment of the present invention is described in detail.
Referring to Fig. 4, a structural block diagram of a virtualization safety detection system in an embodiment of the present invention is shown.
The system can include: a light agent client 400 set in a virtual machine, a caching server 402 and a killing server 404. The caching server 402 and the killing server 404 can be set in a physical machine or in a virtual machine. For example, the light agent client 400 can be set in one virtual machine among multiple virtual machines, and the caching server 402 and the killing server 404 can be set in only one physical machine, or can also be set in one virtual machine. Alternatively, the light agent client 400, the caching server 402 and the killing server 404 can be set in the same virtual machine among the multiple virtual machines, so that they need not be set in the other virtual machines.
The killing server 404 can include: a characteristic value acquisition module 4041, a safety detection module 4042, a private cloud detection module 4043, a public cloud detection module 4044 and a cache storage module 4045.
The light agent client 400 is configured to obtain information to be detected and send the information to be detected to the caching server 402 through a network.
The information to be detected can include at least one of file information, website information, access path information and registry read/write information.
Preferably, the light agent client 400 obtains information to be detected from at least one virtual machine in the physical machine where the light agent client 400 is located, wherein multiple virtual machines are set in that physical machine.
And/or
The light agent client 400 obtains information to be detected from at least one virtual machine in at least one physical machine that is in the same cluster as the physical machine where the light agent client 400 is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
The caching server 402 is configured to judge whether it has cached the correspondence between the information to be detected and the security level corresponding to that information; if the correspondence does not exist, to send the information to be detected to the killing server 404 through the network; and if it exists, to determine the security level of the information to be detected according to the correspondence.
The killing server 404 is configured to receive the information to be detected sent by the caching server 402 and to perform safety detection on the information to be detected to obtain a detection result.
Preferably, the killing server 404 can include:
A characteristic value acquisition module 4041, configured to obtain the characteristic value of the information to be detected.
A safety detection module 4042, configured to perform safety detection on the information to be detected by scanning the characteristic value with a killing engine.
A private cloud detection module 4043, configured to, if the safety detection module 4042 does not obtain a detection result when it scans the characteristic value with the killing engine to perform safety detection on the information to be detected, send the characteristic value to the private cloud server of the cluster where the light agent client 400 is located for safety detection, obtain a detection result, and return the detection result to the killing server 404.
Preferably, the private cloud detection module 4043 sends the characteristic value, according to a preset scanning order, to the private cloud server of the cluster where the light agent client 400 is located for safety detection.
A public cloud detection module 4044, configured to, if the private cloud server does not obtain a detection result when it performs safety detection on the information to be detected, send the characteristic value to the public cloud server of the cluster for safety detection, obtain a detection result, return the detection result to the private cloud server, and return the detection result to the killing server 404 through the private cloud server.
A cache storage module 4045, configured to send the safety detection result to the caching server for storage after the private cloud detection module 4043 obtains the detection result and returns the detection result to the killing server 404.
Preferably, the private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information includes the correspondence between characteristic values and security levels that the public cloud server regularly updates.
Preferably, the private cloud server updates, according to the update information, the correspondence between characteristic values and security levels stored in the private cloud server.
The caching server 402 is further configured to determine the security level of the information to be detected according to the detection result of the killing server 404.
In summary, this embodiment of the present invention sets a light agent client in a virtual machine. The information to be detected in the virtual machine is obtained by the light agent client and sent to the caching server for judgement of its security level. The caching server judges whether it has cached the correspondence between the information to be detected and the security level corresponding to that information. If the correspondence exists, the security level of the information to be detected is determined according to the correspondence; if it does not exist, the information to be detected is sent to the killing server for safety detection, and the security level is determined according to the safety detection result.
By setting a caching server that caches the correspondence between information to be detected and its security level, the judgement is made first by the caching server, without safety detection by the killing server, which improves the efficiency of safety detection.
Because the light agent client, the caching server and the killing server are set in one virtual machine among multiple virtual machines, only the system resources of one virtual machine are occupied, which reduces the resource occupancy of the physical machine.
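The lookup chain described in steps 044 and 206 and in modules 4041 to 4045 can be sketched as follows. This is an added example, not code from the patent: the class names, the use of SHA-256 as the characteristic value, the level strings and the rule that a missing result is not cached are all assumptions made for illustration.

```python
import hashlib

def characteristic_value(data: bytes) -> str:
    # Assumption: the page does not say how the characteristic value is computed.
    return hashlib.sha256(data).hexdigest()

class PublicCloud:
    def __init__(self, verdicts):
        self.verdicts = dict(verdicts)       # characteristic value -> security level
    def detect(self, value):
        return self.verdicts.get(value)      # None means "no detection result"

class PrivateCloud:
    def __init__(self, verdicts, public):
        self.verdicts, self.public = dict(verdicts), public
    def detect(self, value):
        level = self.verdicts.get(value)
        if level is None:                    # step 044: escalate to the public cloud
            level = self.public.detect(value)
            if level is not None:            # assumption: keep what passes back through
                self.verdicts[value] = level
        return level
    def update_from_public(self):            # update of the stored correspondences
        self.verdicts.update(self.public.verdicts)

class KillingServer:
    def __init__(self, engine_signatures, private):
        self.engine, self.private = dict(engine_signatures), private
        self.scans = 0                       # requests that reached this server
    def detect(self, data):
        self.scans += 1
        value = characteristic_value(data)   # module 4041
        level = self.engine.get(value)       # module 4042: local killing-engine scan
        if level is None:
            level = self.private.detect(value)   # modules 4043 and 4044
        return level

class CachingServer:
    def __init__(self, killing):
        self.cache, self.killing = {}, killing
    def security_level(self, data):
        key = characteristic_value(data)     # assumption: cache keyed by the same value
        if key in self.cache:                # step 206: answer from the correspondence
            return self.cache[key]
        level = self.killing.detect(data)
        if level is None:
            # Assumption: a miss is not cached, so a later cloud update is still seen.
            return "unknown"
        self.cache[key] = level              # module 4045: store the result
        return level

def build_demo():
    # Constructed sample data: byte strings standing in for file contents.
    public = PublicCloud({characteristic_value(b"dropper-sample"): "malicious"})
    private = PrivateCloud({}, public)
    killing = KillingServer({characteristic_value(b"notepad-sample"): "safe"}, private)
    return CachingServer(killing), killing, private

if __name__ == "__main__":
    cache, killing, _ = build_demo()
    for s in (b"notepad-sample", b"notepad-sample", b"dropper-sample", b"new-sample"):
        print(s, cache.security_level(s), "scans so far:", killing.scans)
```

The scan counter shows the saving the summary claims: a repeated item is answered by the caching server and never reaches the killing server again.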
The virtualization safety detection scheme provided herein is not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct a system having the scheme of the present invention is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description given above for a specific language is intended to disclose the best mode of the present invention.
In the specification provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help the understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, the method of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. More precisely, as the claims reflect, the inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment can be combined into one module or unit or component, and can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described herein include some features included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components in the virtualization safety detection scheme according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.