CN104504330B - Virtualization security detection method and system - Google Patents

Virtualization security detection method and system

Info

Publication number: CN104504330B
Application number: CN201410773774.8A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN104504330A (en)
Inventors: 汪圣平, 杨晓东, 徐锐波, 王院生
Original assignee: 北京奇安信科技有限公司
Prior art keywords: checked, server, measurement information, killing, safety detection

Application filed by 北京奇安信科技有限公司
Priority to CN201410773774.8A
Publication of CN104504330A
Application granted
Publication of CN104504330B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention provides a virtualization security detection method and system. The method includes: a light agent client obtains information to be detected and sends it to a caching server over a network; the caching server judges whether a correspondence between the information to be detected and its corresponding security level is cached; if not, the caching server sends the information to be detected over the network to a killing server, which performs security detection on it, and the security level of the information to be detected is determined according to the detection result of the killing server; if so, the security level of the information to be detected is determined according to the correspondence. The light agent client is arranged in a virtual machine. The invention improves the efficiency of security detection and reduces the resource occupancy rate of the physical machine.

Description

Virtualization security detection method and system

Technical field

The present invention relates to the field of computer technology, and in particular to a virtualization security detection method and system.

Background

Virtualization refers to using virtualization technology to turn one computer into multiple logical computers. Multiple logical computers run simultaneously on one computer, each logical computer can run a different operating system, and application programs run in mutually independent spaces without affecting one another, which significantly improves the working efficiency of the computer.

In existing virtualization security detection schemes, if multiple virtual logical computers (virtual machines) exist on the same physical machine, a killing server must be set up in every virtual machine when security detection is performed on the information in the multiple virtual machines, and the information in each virtual machine undergoes security detection in its own killing server.

Because every virtual machine contains the same or similar information, and the killing servers are also identical to one another, if multiple virtual machines perform security detection on the same information at the same time, the resource occupation of the physical machine hosting those virtual machines inevitably increases.

Summary of the invention

In view of the problem that the existing virtualization security detection method, when performing security detection on the information in multiple virtual machines, easily causes high resource occupation on the physical machine, the present invention is proposed to provide a virtualization security detection method and system that overcome the above problem or at least partially solve it.

According to one aspect of the present invention, a virtualization security detection method is provided, comprising:

A light agent client obtains information to be detected and sends the information to be detected to a caching server over a network;

The caching server judges whether a correspondence between the information to be detected and the security level corresponding to the information to be detected is cached;

If not, the caching server sends the information to be detected over the network to a killing server, which performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server;

If so, the security level of the information to be detected is determined according to the correspondence;

Wherein the light agent client is arranged in a virtual machine.

Optionally, the light agent client obtaining the information to be detected comprises:

The light agent client obtains the information to be detected from at least one virtual machine in the physical machine where the light agent client is located, wherein multiple virtual machines are provided in the physical machine;

And/or

The light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine, and every physical machine includes at least one virtual machine.

Optionally, the information to be detected includes at least one of file information, website information, access path information and registry read/write information.

Optionally, the step of the killing server performing security detection on the information to be detected comprises:

The killing server obtains the characteristic value of the information to be detected;

The killing server scans the characteristic value with a killing engine to perform security detection on the information to be detected.

Optionally, the method further comprises:

If the killing server, scanning the characteristic value with the killing engine to perform security detection on the information to be detected, does not obtain a detection result, the killing server sends the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection, a detection result is obtained, and the detection result is returned to the killing server.

Optionally, the method further comprises:

If the private cloud server performs security detection on the information to be detected and does not obtain a detection result, the characteristic value is sent to the public cloud server of the cluster for security detection, a detection result is obtained, the detection result is returned to the private cloud server, and the private cloud server returns the detection result to the killing server.

Optionally, the killing server sending the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection comprises:

The killing server sends the characteristic value, according to a preset scanning order, to the private cloud server of the cluster where the light agent client is located for security detection.

Optionally, after the detection result is obtained and returned to the killing server, the method further comprises:

The killing server sends the security detection result to the caching server for storage.

Optionally, the method further comprises:

The private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information includes the correspondence between characteristic values and security levels that the public cloud server updates regularly;

The private cloud server updates the correspondence between characteristic values and security levels stored in the private cloud server according to the update information.

According to another aspect of the present invention, a virtualization security detection system is provided, comprising: a caching server, a killing server, and a light agent client arranged in a virtual machine; wherein

The light agent client is used to obtain information to be detected and send the information to be detected to the caching server over a network;

The caching server is used to judge whether a correspondence between the information to be detected and the security level corresponding to the information to be detected is cached; if not, to send the information to be detected to the killing server over the network; if so, to determine the security level of the information to be detected according to the correspondence;

The killing server is used to receive the information to be detected sent by the caching server and to perform security detection on the information to be detected to obtain a detection result;

The caching server is also used to determine the security level of the information to be detected according to the detection result of the killing server.

Optionally, the light agent client obtains the information to be detected from at least one virtual machine in the physical machine where the light agent client is located, wherein multiple virtual machines are provided in the physical machine;

And/or

The light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine, and every physical machine includes at least one virtual machine.

Optionally, the information to be detected includes at least one of file information, website information, access path information and registry read/write information.

Optionally, the killing server includes:

A characteristic value acquisition module, for obtaining the characteristic value of the information to be detected;

A security detection module, for scanning the characteristic value with a killing engine to perform security detection on the information to be detected.

Optionally, the killing server further includes:

A private cloud detection module, for sending the characteristic value to the private cloud server of the cluster where the light agent client is located for security detection if the security detection module, scanning the characteristic value with the killing engine to perform security detection on the information to be detected, does not obtain a detection result, obtaining a detection result, and returning the detection result to the killing server.

Optionally, the killing server further includes:

A public cloud detection module, for sending the characteristic value to the public cloud server of the cluster for security detection if the private cloud server performs security detection on the information to be detected and does not obtain a detection result, obtaining a detection result, returning the detection result to the private cloud server, and returning the detection result to the killing server through the private cloud server.

Optionally, the private cloud detection module sends the characteristic value, according to a preset scanning order, to the private cloud server of the cluster where the light agent client is located for security detection.

Optionally, the killing server further includes:

A cache storage module, for sending the security detection result to the caching server for storage after the private cloud detection module obtains the detection result and returns it to the killing server.

Optionally, the private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information includes the correspondence between characteristic values and security levels that the public cloud server updates regularly;

The private cloud server updates the correspondence between characteristic values and security levels stored in the private cloud server according to the update information.

In existing virtualization security detection schemes, when security detection is performed on the information in multiple virtual machines at the same time, the killing server in every virtual machine starts up and performs security detection on the information, which increases the resource occupancy rate of the physical machine. In the virtual machine security detection scheme of the present invention, a light agent client is set up in a virtual machine; the light agent client obtains the information to be detected in the virtual machine and sends it to a caching server for judgment of the security level. The caching server judges whether a correspondence between the information to be detected and its corresponding security level is cached. If so, the security level of the information to be detected is determined according to the correspondence; if not, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.

By providing a caching server that caches the correspondence between information to be detected and its security level, the judgment is made first by the caching server, without security detection by the killing server, which improves the efficiency of security detection.

The light agent client is arranged in one of the multiple virtual machines and occupies the system resources of only that one virtual machine, which reduces the resource occupancy rate of the physical machine.

The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and practiced according to the content of the specification, and in order that the above and other objects, features and advantages of the present invention may be more apparent, specific embodiments of the present invention are set out below.

Brief description of the drawings

Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:

Fig. 1 is a flow chart of the steps of a virtualization security detection method according to Embodiment One of the present invention;

Fig. 2 is a flow chart of the steps of a virtualization security detection method according to Embodiment Two of the present invention;

Fig. 3 is a structural block diagram of a virtualization security detection system according to Embodiment Three of the present invention;

Fig. 4 is a structural block diagram of a virtualization security detection system according to Embodiment Four of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that the scope of the present disclosure can be fully conveyed to those skilled in the art.

Embodiment one

A virtualization security detection method provided by an embodiment of the present invention is described in detail.

Referring to Fig. 1, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.

The virtualization security detection method in the embodiment of the present invention can be applied to a system that includes a light agent client, a caching server and a killing server.

The light agent client can be arranged in a virtual machine, and the caching server and the killing server can be arranged in a virtual machine or in a physical machine. For example, the light agent client can be arranged in one of multiple virtual machines, and the caching server and the killing server can be arranged only in one physical machine or, alternatively, in one virtual machine. As a further option, the light agent client, the caching server and the killing server can be arranged in the same one of the multiple virtual machines, so that nothing needs to be set up in the other virtual machines.

The virtualization safety detection method of the present embodiment comprises the following steps:

Step 100, the light agent client obtains information to be detected and sends the information to be detected to the caching server over a network.

The information to be detected can come from a single virtual machine or from multiple virtual machines; that is, the light agent client in one virtual machine can obtain the information to be detected in other virtual machines. Compared with transmitting the information to be detected through the underlying physical layer, which because of its own limitations can only transmit file information, the information to be detected transmitted over the network may, besides file information, also include but is not limited to website information, access path information, registry read/write information, and so on.

Step 102, the caching server judges whether a correspondence between the information to be detected and the security level corresponding to the information to be detected is cached; if not, step 104 is performed; if so, step 106 is performed.

The caching server can cache correspondences between information to be detected and security levels. For example, the caching server caches the correspondence between information to be detected A and the security level "dangerous", and the correspondence between information to be detected B and the security level "safe".

Step 104, the caching server sends the information to be detected over the network to the killing server, which performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server.

For example, the caching server receives information to be detected C from the light agent client, and no correspondence between information to be detected C and a security level exists in the caching server. The caching server then sends information to be detected C to the killing server for security detection, the killing server obtains the detection result for information to be detected C, and the caching server can determine the security level of information to be detected C according to the detection result.

That is, when no correspondence between a given piece of information to be detected and a security level exists in the caching server, the caching server sends the information to be detected to the killing server for security detection, and the security level of the information to be detected is judged from the detection result obtained by the killing server.

Step 106, the security level of the information to be detected is determined according to the correspondence.

If a correspondence between a given piece of information to be detected and a security level exists in the caching server, the security level corresponding to the information to be detected is determined directly.

In summary, the embodiment of the present invention sets up a light agent client in a virtual machine; the light agent client obtains the information to be detected in the virtual machine and sends it to a caching server for judgment of the security level. The caching server judges whether a correspondence between the information to be detected and its corresponding security level is cached. If so, the security level of the information to be detected is determined according to the correspondence; if not, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.

By providing a caching server that caches the correspondence between information to be detected and its security level, the judgment is made first by the caching server, without security detection by the killing server, which improves the efficiency of security detection.

The light agent client is arranged in one of the multiple virtual machines and occupies the system resources of only that one virtual machine, which reduces the resource occupancy rate of the physical machine.

Embodiment two

A virtualization security detection method provided by an embodiment of the present invention is described in detail.

Referring to Fig. 2, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.

The virtualization security detection method in the embodiment of the present invention can be applied to a system that includes a light agent client, a caching server and a killing server.

The light agent client can be arranged in a virtual machine, and the caching server and the killing server can be arranged in a virtual machine or in a physical machine. For example, the light agent client can be arranged in one of multiple virtual machines, and the caching server and the killing server can be arranged only in one physical machine or, alternatively, in one virtual machine. As a further option, the light agent client, the caching server and the killing server can be arranged in the same one of the multiple virtual machines, so that nothing needs to be set up in the other virtual machines.

The virtualization safety detection method of the present embodiment comprises the following steps:

Step 200, the light agent client obtains information to be detected and sends the information to be detected to the caching server over a network.

The information to be detected can come from a single virtual machine or from multiple virtual machines; that is, the light agent client in one virtual machine can obtain the information to be detected in other virtual machines.

Preferably, depending on the source of the information to be detected, the process by which the light agent client obtains the information to be detected in step 200 can be:

1), the light agent client obtains the information to be detected from at least one virtual machine in the physical machine where the light agent client is located, wherein multiple virtual machines are provided in the physical machine.

For example, if the physical machine W1 where light agent client Q1 is located includes virtual machines X1 and X2, light agent client Q1 can obtain information to be detected from virtual machines X1 and X2; it can obtain information to be detected from virtual machine X1 alone, or from virtual machine X2 alone.

And/or

2), the light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine, and every physical machine includes at least one virtual machine.

For example, the physical machine W1 where light agent client Q1 is located is in cluster J1, and cluster J1 also includes physical machine W2. Physical machine W1 includes virtual machines X1 and X2, and physical machine W2 includes virtual machines X3 and X4. Light agent client Q1 can then obtain information to be detected from virtual machines X1, X2, X3 and X4; it can obtain information to be detected from virtual machine X1 alone, from virtual machine X2 alone, from virtual machine X3 alone, or from virtual machine X4 alone.

The light agent client can obtain the information to be detected using mode 1) alone, mode 2) alone, or modes 1) and 2) together.

Preferably, the information to be detected can include at least one of file information, website information, access path information and registry read/write information; the embodiment of the present invention does not restrict the specific content of the information to be detected.

Step 202, the caching server judges whether a correspondence between the information to be detected and the security level corresponding to the information to be detected is cached; if not, step 204 is performed; if so, step 206 is performed.

The caching server can cache correspondences between information to be detected and security levels. For example, the caching server caches the correspondence between information to be detected A and the security level "dangerous", and the correspondence between information to be detected B and the security level "safe".

Step 204, the caching server sends the information to be detected over the network to the killing server, which performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server.

For example, the caching server receives information to be detected C from the light agent client, and no correspondence between information to be detected C and a security level exists in the caching server. The caching server then sends information to be detected C to the killing server for security detection, the killing server obtains the detection result for information to be detected C, and the caching server can determine the security level of information to be detected C according to the detection result.

That is, when no correspondence between a given piece of information to be detected and a security level exists in the caching server, the caching server sends the information to be detected to the killing server for security detection, and the security level of the information to be detected is judged from the detection result obtained by the killing server.

Preferably, the step of killing server carries out the safety detection of the measurement information to be checked in above-mentioned steps 204 can be with Including:

Step 041, the killing server obtains the characteristic value of the measurement information to be checked.

The characteristic value of the measurement information to be checked is to have the attribute information of uniqueness, killing clothes for identifying measurement information to be checked Business device, which can treat detection information, calculate etc. operation and obtains characteristic value, and the embodiment of the present invention obtains to be checked to killing server The technological means of the characteristic value of measurement information is not restricted.

Step 042, the killing server scans the characteristic value by killing engine and the measurement information to be checked is carried out Safety detection.

The killing engine is the core component of killing server, characteristic value can be scanned using killing engine and Identification, realize the safety detection for treating detection information.

Preferably, if in above-mentioned steps 042, the killing server scans the characteristic value to described by killing engine Measurement information to be checked carries out safety detection and does not obtain testing result, then performs step 043.

Step 043, the private of cluster where the killing server sends the characteristic value to the light agent client There is cloud server to carry out safety detection, obtain testing result, and the testing result is returned into the killing server.

Cluster where the light agent client is provided with privately owned cloud server, and the privately owned cloud server is usual The physical machine being configured to allow in the cluster and virtual machine connected reference, are stored with privately owned cloud server in the cluster A large amount of measurement informations to be checked relevant information, including the characteristic value of measurement information to be checked, corresponding level of security etc..

Preferably, in step 043 above, the process in which the killing server sends the characteristic value to the privately owned cloud server of the cluster where the light agent client is located for safety detection may be:

The killing server sends the characteristic value, according to a preset scanning sequence, to the privately owned cloud server of the cluster where the light agent client is located for safety detection.

If there are multiple characteristic values that need to be sent to the privately owned cloud server for safety detection, the killing server can send the multiple characteristic values to the privately owned cloud server for safety detection according to the preset scanning sequence.

Preferably, in step 043 above, after the testing result is obtained and returned to the killing server, the killing server can also send the safety detection result to the caching server for storage.

The purpose of the killing server sending the safety detection result to the caching server for storage is to enlarge the store, on the caching server, of corresponding relations between measurement information to be checked and its level of security, which can improve the efficiency of the judgment made by the caching server in step 202 above.

Preferably, if in step 043 above the privately owned cloud server carries out safety detection on the measurement information to be checked and does not obtain a testing result, step 044 is performed.

Step 044, the characteristic value is sent to the publicly-owned cloud server of the cluster for safety detection, a testing result is obtained, the testing result is returned to the privately owned cloud server, and the privately owned cloud server returns the testing result to the killing server.

Generally, the safety detection capability of the privately owned cloud server is weaker than that of the publicly-owned cloud server. When the privately owned cloud server does not obtain a testing result, the characteristic value is sent to the publicly-owned cloud server for safety detection so that a testing result can be obtained; returning that testing result to the privately owned cloud server and the killing server can increase the subsequent detection success rate of the privately owned cloud server and the killing server.

Preferably, the privately owned cloud server can obtain update information from the publicly-owned cloud server according to a set rule, wherein the update information can include the corresponding relations between characteristic values and levels of security that the publicly-owned cloud server regularly updates.

Preferably, the privately owned cloud server can update, according to the update information, the corresponding relations between characteristic values and levels of security stored in the privately owned cloud server.

Step 206, the level of security of the measurement information to be checked is determined according to the corresponding relation.

If the corresponding relation between a certain piece of measurement information to be checked and its level of security exists in the caching server, the level of security corresponding to that measurement information to be checked is determined directly.

In summary, the embodiment of the present invention sets the light agent client, the caching server and the killing server in one virtual machine among multiple virtual machines. The light agent client obtains the measurement information to be checked in the virtual machine and sends it to the caching server for judgment of the level of security. The caching server judges whether a corresponding relation between the measurement information to be checked and its level of security is cached: if it exists, the level of security of the measurement information to be checked is determined according to the corresponding relation; if it does not exist, the measurement information to be checked is sent to the killing server for safety detection, and the level of security is determined according to the safety detection result.

By setting up a caching server that caches the corresponding relations between measurement information to be checked and its level of security, the judgment is made by the caching server first, without going through safety detection by the killing server, which improves the efficiency of safety detection.

The light agent client, the caching server and the killing server are arranged in one virtual machine among multiple virtual machines, so that only the system resources of one virtual machine are occupied, which reduces the resource occupancy of the physical machine.
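The lookup chain of steps 041 to 044 and step 206 can be traced in code. The following Python sketch is an added example, not code from the patent; it assumes a SHA-256 digest as the characteristic value, in-memory tables standing in for the killing engine and the two cloud servers, the level labels shown, a cache keyed by the same digest, and that a sample with no testing result is reported as unknown and not cached.

```python
"""Tiered verdict lookup: cache -> killing engine -> private cloud -> public cloud."""
import hashlib
from typing import Dict, Optional, Tuple

UNKNOWN = "unknown"  # assumed label for "no tier produced a testing result"


def characteristic_value(info: bytes) -> str:
    # Assumption: a SHA-256 digest; the text leaves the method open.
    return hashlib.sha256(info).hexdigest()


class VerdictTable:
    """Characteristic value -> level of security, with a query counter."""

    def __init__(self, entries: Optional[Dict[str, str]] = None):
        self.entries = dict(entries or {})
        self.queries = 0

    def lookup(self, value: str) -> Optional[str]:
        self.queries += 1
        return self.entries.get(value)


class PrivateCloud(VerdictTable):
    """Privately owned cloud server that falls back to the public one."""

    def __init__(self, entries: Dict[str, str], public: VerdictTable):
        super().__init__(entries)
        self.public = public

    def detect(self, value: str) -> Tuple[Optional[str], str]:
        level = self.lookup(value)
        if level is not None:
            return level, "private-cloud"
        level = self.public.lookup(value)           # step 044
        if level is None:
            return None, "none"
        self.entries[value] = level                 # result passes back through this tier
        return level, "public-cloud"

    def sync(self) -> None:
        # Pull the public cloud's updated relations (the "update information").
        self.entries.update(self.public.entries)


class KillingServer:
    def __init__(self, engine: VerdictTable, private: PrivateCloud):
        self.engine = engine
        self.private = private

    def detect(self, info: bytes) -> Tuple[Optional[str], str]:
        value = characteristic_value(info)          # step 041
        level = self.engine.lookup(value)           # step 042
        if level is not None:
            return level, "killing-engine"
        return self.private.detect(value)           # step 043


class CachingServer:
    def __init__(self, killing: KillingServer):
        self.killing = killing
        self.cache: Dict[str, str] = {}

    def classify(self, info: bytes) -> Tuple[str, str]:
        key = characteristic_value(info)            # assumption: cache keyed by digest
        if key in self.cache:                       # step 206: relation already cached
            return self.cache[key], "cache"
        level, source = self.killing.detect(info)
        if level is None:
            # Assumption: an unknown result is not cached, so that a later
            # update of the private cloud can still change the answer.
            return UNKNOWN, source
        self.cache[key] = level                     # stored for later requests
        return level, source


def build_demo():
    """Constructed samples: A known to the engine, B to the private cloud,
    C only to the public cloud, D to no tier."""
    samples = {n: f"constructed sample {n}".encode() for n in "ABCD"}
    cv = {n: characteristic_value(b) for n, b in samples.items()}
    public = VerdictTable({cv["C"]: "malicious"})
    private = PrivateCloud({cv["B"]: "safe"}, public)
    engine = VerdictTable({cv["A"]: "malicious"})
    cache = CachingServer(KillingServer(engine, private))
    return samples, cv, public, private, cache


if __name__ == "__main__":
    samples, cv, public, private, cache = build_demo()
    for name in "ABCDC":
        print(name, cache.classify(samples[name]))
```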

Embodiment three

A virtualization safety detection system provided by an embodiment of the present invention is described in detail.

Referring to Fig. 3, a structural block diagram of a virtualization safety detection system in an embodiment of the present invention is shown.

The system can include: a light agent client 300 arranged in a virtual machine, a caching server 302 and a killing server 304;

Wherein, the caching server 302 and the killing server 304 can be arranged in a physical machine or a virtual machine. For example, the light agent client 300 can be arranged in one virtual machine among multiple virtual machines, and the caching server 302 and the killing server 304 can be arranged only in one physical machine or, alternatively, in one virtual machine. Optionally, the light agent client 300, the caching server 302 and the killing server 304 can be arranged in the same virtual machine among multiple virtual machines, so that nothing needs to be set up in the other virtual machines.

The light agent client 300 is used for obtaining measurement information to be checked and sending the measurement information to be checked to the caching server 302 through a network.

The caching server 302 is used for judging whether a corresponding relation between the measurement information to be checked and the level of security corresponding to the measurement information to be checked is cached; if it does not exist, sending the measurement information to be checked to the killing server 304 through the network; if it exists, determining the level of security of the measurement information to be checked according to the corresponding relation.

The killing server 304 is used for receiving the measurement information to be checked sent by the caching server 302, and carrying out safety detection on the measurement information to be checked to obtain a testing result.

The caching server 302 is also used for determining the level of security of the measurement information to be checked according to the testing result of the killing server 304.

In summary, the embodiment of the present invention sets a light agent client in a virtual machine. The light agent client obtains the measurement information to be checked in the virtual machine and sends it to the caching server for judgment of the level of security. The caching server judges whether a corresponding relation between the measurement information to be checked and its level of security is cached: if it exists, the level of security of the measurement information to be checked is determined according to the corresponding relation; if it does not exist, the measurement information to be checked is sent to the killing server for safety detection, and the level of security is determined according to the safety detection result.

By setting up a caching server that caches the corresponding relations between measurement information to be checked and its level of security, the judgment is made by the caching server first, without going through safety detection by the killing server, which improves the efficiency of safety detection.

The light agent client is arranged in one virtual machine among multiple virtual machines, so that only the system resources of one virtual machine are occupied, which reduces the resource occupancy of the physical machine.

Embodiment four

A virtualization safety detection system provided by an embodiment of the present invention is described in detail.

Referring to Fig. 4, a structural block diagram of a virtualization safety detection system in an embodiment of the present invention is shown.

The system can include: a light agent client 400 arranged in a virtual machine, a caching server 402 and a killing server 404. The caching server 402 and the killing server 404 can be arranged in a physical machine or a virtual machine. For example, the light agent client 400 can be arranged in one virtual machine among multiple virtual machines, and the caching server 402 and the killing server 404 can be arranged only in one physical machine or, alternatively, in one virtual machine. Optionally, the light agent client 400, the caching server 402 and the killing server 404 can be arranged in the same virtual machine among multiple virtual machines, so that nothing needs to be set up in the other virtual machines.

Wherein, the killing server 404 can include: a characteristic value acquisition module 4041, a safety detection module 4042, a privately owned cloud detection module 4043, a publicly-owned cloud detection module 4044 and a cache memory module 4045.

The light agent client 400 is used for obtaining measurement information to be checked and sending the measurement information to be checked to the caching server 402 through a network.

Wherein, the measurement information to be checked can include at least one of file information, website information, access path information and registry read-write information.

Preferably, the light agent client 400 obtains measurement information to be checked from at least one virtual machine in the physical machine where the light agent client 400 is located, wherein multiple virtual machines are provided in the physical machine.

And/or

The light agent client 400 obtains measurement information to be checked from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client 400 is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.

The caching server 402 is used for judging whether a corresponding relation between the measurement information to be checked and the level of security corresponding to the measurement information to be checked is cached; if it does not exist, sending the measurement information to be checked to the killing server 404 through the network; if it exists, determining the level of security of the measurement information to be checked according to the corresponding relation.

The killing server 404 is used for receiving the measurement information to be checked sent by the caching server 402, and carrying out safety detection on the measurement information to be checked to obtain a testing result.

Preferably, the killing server 404 can include:

Characteristic value acquisition module 4041, for obtaining the characteristic value of the measurement information to be checked.

Safety detection module 4042, for scanning the characteristic value by means of the killing engine to carry out safety detection on the measurement information to be checked.

Privately owned cloud detection module 4043, for, if the safety detection module 4042 scans the characteristic value by means of the killing engine to carry out safety detection on the measurement information to be checked and does not obtain a testing result, sending the characteristic value to the privately owned cloud server of the cluster where the light agent client 400 is located for safety detection, obtaining a testing result, and returning the testing result to the killing server 404.

Preferably, the privately owned cloud detection module 4043 sends the characteristic value, according to a preset scanning sequence, to the privately owned cloud server of the cluster where the light agent client 400 is located for safety detection.

Publicly-owned cloud detection module 4044, for, if the privately owned cloud server carries out safety detection on the measurement information to be checked and does not obtain a testing result, sending the characteristic value to the publicly-owned cloud server of the cluster for safety detection, obtaining a testing result, returning the testing result to the privately owned cloud server, and returning the testing result to the killing server 404 through the privately owned cloud server.

Cache memory module 4045, for sending the safety detection result to the caching server for storage after the privately owned cloud detection module 4043 obtains the testing result and returns the testing result to the killing server 404.

Preferably, the privately owned cloud server obtains update information from the publicly-owned cloud server according to a set rule, wherein the update information includes the corresponding relations between characteristic values and levels of security that the publicly-owned cloud server regularly updates.

Preferably, the privately owned cloud server updates, according to the update information, the corresponding relations between characteristic values and levels of security stored in the privately owned cloud server.

The caching server 402 is also used for determining the level of security of the measurement information to be checked according to the testing result of the killing server 404.

In summary, the embodiment of the present invention sets a light agent client in a virtual machine. The light agent client obtains the measurement information to be checked in the virtual machine and sends it to the caching server for judgment of the level of security. The caching server judges whether a corresponding relation between the measurement information to be checked and its level of security is cached: if it exists, the level of security of the measurement information to be checked is determined according to the corresponding relation; if it does not exist, the measurement information to be checked is sent to the killing server for safety detection, and the level of security is determined according to the safety detection result.

By setting up a caching server that caches the corresponding relations between measurement information to be checked and its level of security, the judgment is made by the caching server first, without going through safety detection by the killing server, which improves the efficiency of safety detection.

The light agent client, the caching server and the killing server are arranged in one virtual machine among multiple virtual machines, so that only the system resources of one virtual machine are occupied, which reduces the resource occupancy of the physical machine.

The virtualization safety detection scheme provided herein is not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct a system having the scheme of the present invention is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented using various programming languages, and that the description above of a specific language is given to disclose the best mode of the present invention.

In the specification provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, the method of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than those expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.

Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments can be combined into one module or unit or component, and can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

In addition, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the claims, any one of the claimed embodiments can be used in any combination.

The various component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components in the virtualization safety detection scheme according to embodiments of the present invention. The present invention can also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words can be interpreted as names.

Claims (18)

1. A virtualization safety detection method, including:
A light agent client obtains measurement information to be checked and sends the measurement information to be checked to a caching server through a network;
The caching server judges whether a corresponding relation between the measurement information to be checked and the level of security corresponding to the measurement information to be checked is cached;
If it does not exist, the caching server sends the measurement information to be checked to a killing server through the network for safety detection of the measurement information to be checked, and the level of security of the measurement information to be checked is determined according to the testing result of the killing server;
If it exists, the level of security of the measurement information to be checked is determined according to the corresponding relation;
Wherein, the light agent client is arranged in a virtual machine.
2. The method according to claim 1, wherein the light agent client obtaining measurement information to be checked includes:
The light agent client obtains measurement information to be checked from at least one virtual machine in the physical machine where the light agent client is located, wherein multiple virtual machines are provided in the physical machine;
And/or
The light agent client obtains measurement information to be checked from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
3. The method according to claim 1 or 2, wherein the measurement information to be checked includes at least one of file information, website information, access path information and registry read-write information.
4. The method according to claim 3, wherein the step in which the killing server carries out the safety detection of the measurement information to be checked includes:
The killing server obtains the characteristic value of the measurement information to be checked;
The killing server scans the characteristic value by means of a killing engine to carry out safety detection on the measurement information to be checked.
5. The method according to claim 4, wherein the method also includes:
If the killing server scans the characteristic value by means of the killing engine to carry out safety detection on the measurement information to be checked and does not obtain a testing result, the killing server sends the characteristic value to the privately owned cloud server of the cluster where the light agent client is located for safety detection, a testing result is obtained, and the testing result is returned to the killing server.
6. The method according to claim 5, wherein the method also includes:
If the privately owned cloud server carries out safety detection on the measurement information to be checked and does not obtain a testing result, the characteristic value is sent to the publicly-owned cloud server of the cluster for safety detection, a testing result is obtained, the testing result is returned to the privately owned cloud server, and the privately owned cloud server returns the testing result to the killing server.
7. The method according to claim 5, wherein the killing server sending the characteristic value to the privately owned cloud server of the cluster where the light agent client is located for safety detection includes:
The killing server sends the characteristic value, according to a preset scanning sequence, to the privately owned cloud server of the cluster where the light agent client is located for safety detection.
8. The method according to claim 5, wherein after the testing result is obtained and returned to the killing server, the method also includes:
The killing server sends the safety detection result to the caching server for storage.
9. The method according to claim 6, wherein the method also includes:
The privately owned cloud server obtains update information from the publicly-owned cloud server according to a set rule, wherein the update information includes the corresponding relations between characteristic values and levels of security that the publicly-owned cloud server regularly updates;
The privately owned cloud server updates, according to the update information, the corresponding relations between characteristic values and levels of security stored in the privately owned cloud server.
10. A virtualization safety detection system, including: a caching server, a killing server and a light agent client arranged in a virtual machine; wherein
The light agent client is used for obtaining measurement information to be checked and sending the measurement information to be checked to the caching server through a network;
The caching server is used for judging whether a corresponding relation between the measurement information to be checked and the level of security corresponding to the measurement information to be checked is cached; if it does not exist, sending the measurement information to be checked to the killing server through the network; if it exists, determining the level of security of the measurement information to be checked according to the corresponding relation;
The killing server is used for receiving the measurement information to be checked sent by the caching server, and carrying out safety detection on the measurement information to be checked to obtain a testing result;
The caching server is also used for determining the level of security of the measurement information to be checked according to the testing result of the killing server.
11. The system according to claim 10, wherein the light agent client obtains measurement information to be checked from at least one virtual machine in the physical machine where the light agent client is located, wherein multiple virtual machines are provided in the physical machine;
And/or
The light agent client obtains measurement information to be checked from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the light agent client is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
12. The system according to claim 10 or 11, wherein
The measurement information to be checked includes at least one of file information, website information, access path information and registry read-write information.
13. The system according to claim 12, wherein the killing server includes:
A characteristic value acquisition module, for obtaining the characteristic value of the measurement information to be checked;
A safety detection module, for scanning the characteristic value by means of a killing engine to carry out safety detection on the measurement information to be checked.
14. The system according to claim 13, wherein the killing server also includes:
A privately owned cloud detection module, for, if the safety detection module scans the characteristic value by means of the killing engine to carry out safety detection on the measurement information to be checked and does not obtain a testing result, sending the characteristic value to the privately owned cloud server of the cluster where the light agent client is located for safety detection, obtaining a testing result, and returning the testing result to the killing server.
15. The system according to claim 14, wherein the killing server also includes:
A publicly-owned cloud detection module, for, if the privately owned cloud server carries out safety detection on the measurement information to be checked and does not obtain a testing result, sending the characteristic value to the publicly-owned cloud server of the cluster for safety detection, obtaining a testing result, returning the testing result to the privately owned cloud server, and returning the testing result to the killing server through the privately owned cloud server.
16. The system according to claim 14, wherein the privately owned cloud detection module sends the characteristic value, according to a preset scanning sequence, to the privately owned cloud server of the cluster where the light agent client is located for safety detection.
17. The system according to claim 14, wherein the killing server also includes:
A cache memory module, for sending the safety detection result to the caching server for storage after the privately owned cloud detection module obtains the testing result and returns the testing result to the killing server.
18. The system according to claim 15, wherein
The privately owned cloud server obtains update information from the publicly-owned cloud server according to a set rule, wherein the update information includes the corresponding relations between characteristic values and levels of security that the publicly-owned cloud server regularly updates;
The privately owned cloud server updates, according to the update information, the corresponding relations between characteristic values and levels of security stored in the privately owned cloud server.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410773774.8A CN104504330B (en) 2014-12-12 2014-12-12 Virtualize safety detection method and system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410773774.8A CN104504330B (en) 2014-12-12 2014-12-12 Virtualize safety detection method and system
PCT/CN2015/095821 WO2016091086A1 (en) 2014-12-12 2015-11-27 Virtualization security detection method and system

Publications (2)

Publication Number Publication Date
CN104504330A CN104504330A (en) 2015-04-08
CN104504330B true CN104504330B (en) 2017-12-08

Family

ID=52945726

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410773774.8A CN104504330B (en) 2014-12-12 2014-12-12 Virtualize safety detection method and system

Country Status (2)

Country Link
CN (1) CN104504330B (en)
WO (1) WO2016091086A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104504330B (en) * 2014-12-12 2017-12-08 北京奇安信科技有限公司 Virtualize safety detection method and system
CN107682333A (en) * 2017-09-30 2018-02-09 北京奇虎科技有限公司 Virtualization safety defense system and method based on cloud computing environment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8176311B1 (en) * 2009-01-23 2012-05-08 Juniper Networks, Inc. Initializing platform-specific features of a platform during early stages of booting the kernel
CN103761480A (en) * 2014-01-13 2014-04-30 北京奇虎科技有限公司 Method and device for detecting file security
CN103812894A (en) * 2012-11-12 2014-05-21 中国石油天然气集团公司 Web release file version management method in real-time monitoring system
CN103902910A (en) * 2013-12-30 2014-07-02 北京奇虎科技有限公司 Method and device for detecting malicious codes in intelligent terminal
CN104077532A (en) * 2014-06-20 2014-10-01 中标软件有限公司 Linux virtualization platform safety detection method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090178131A1 (en) * 2008-01-08 2009-07-09 Microsoft Corporation Globally distributed infrastructure for secure content management
FR2977050A1 (en) * 2011-06-24 2012-12-28 France Telecom Method of detecting attacks and protection
CN104504330B (en) * 2014-12-12 2017-12-08 北京奇安信科技有限公司 Virtualize safety detection method and system

Also Published As

Publication number Publication date
CN104504330A (en) 2015-04-08
WO2016091086A1 (en) 2016-06-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161212

Address after: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihoo Technology Co., Ltd.

Applicant before: Qizhi Software (Beijing) Co., Ltd.

GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.