CN106534174A - Cloud protection method, apparatus and system of sensitive data - Google Patents


Info

Publication number
CN106534174A
Authority
CN
China
Prior art keywords
local device
access
cloud server
data
log information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611117649.7A
Other languages
Chinese (zh)
Inventor
李洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Beijing Qianxin Technology Co Ltd
Priority to CN201611117649.7A
Publication of CN106534174A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a cloud protection method, apparatus and system for sensitive data, and relates to the technical field of network security. Its main purpose is to strengthen the targeting of cloud protection while preserving the security of the sensitive data, and thereby improve the protection effect of cloud protection. The main technical scheme of the invention is as follows: a cloud server receives log information sent by a local device, the log information being obtained on the basis of the sensitive data; the cloud server configures a protection policy for the local device according to the log information; and the cloud server sends the protection policy to the local device, so that the local device executes a security protection operation according to the protection policy. The cloud protection method, apparatus and system disclosed by the invention are mainly applied to the security protection of sensitive data.

Description

A cloud protection method, apparatus and system for sensitive data
Technical field
The present invention relates to the technical field of network security, and in particular to a cloud protection method, apparatus and system for sensitive data.
Background technology
With the continued spread of the Internet and the growth of network bandwidth, widely connected high-speed networks have brought convenience to everyone, but have also created extremely favourable conditions for network attacks. Malicious competition, extortion and blackmail carried out by means of network attacks have formed a complete hacker industry chain. Moreover, the cost of launching a network attack is extremely low: many network attack tools can easily be found online, and the technical requirements keep falling. Conversely, professional protection against network attacks is very expensive, and tracing the source of an attack is very difficult, so that the cost of protection far exceeds the cost of attack. As a result, network attack incidents occur frequently, DDoS attacks in particular, and existing stand-alone security protection systems and passive strategies struggle to cope with them. Cloud protection addresses this by integrating existing DDoS protection resources into a powerful cloud protection system that can protect effectively against the characteristics of DDoS attacks.
However, the protection operations carried out by an existing cloud protection system are based on local network data: specific protection operations are performed only after data analysis, so the local network data, or part of it, has to be uploaded to the cloud for analysis. For some users, however, the local data is sensitive data, such as data relating to security or finance, and it is not convenient to upload it to the cloud for analysis. For such users the protection policy of an existing cloud protection system can only follow a standard protection scheme, lacks targeted protection, and therefore gives a poor protection effect.
Summary of the invention
In view of this, the present invention provides a cloud protection method, apparatus and system for sensitive data, the main purpose of which is to strengthen the targeting of cloud protection while preserving the security of sensitive data, and thereby improve the protection effect of cloud protection.
According to a first aspect of the invention, a cloud protection method for sensitive data is proposed, the method comprising:
a cloud server receiving log information sent by a local device, the log information being log information obtained on the basis of sensitive data;
configuring a protection policy for the local device according to the log information;
sending the protection policy to the local device, so that the local device performs a security protection operation according to the protection policy.
According to a second aspect of the invention, a cloud protection method for sensitive data is proposed, the method comprising:
a local device reporting local log information to a cloud server, so that the cloud server configures a protection policy according to the log information;
detecting local access data according to the received protection policy;
if the access data hits the protection policy, intercepting the access operation corresponding to the access data.
According to a third aspect of the invention, a cloud protection apparatus for sensitive data is proposed, the apparatus comprising:
a receiving unit, for receiving log information sent by a local device, the log information being log information obtained on the basis of sensitive data;
a configuration unit, for configuring a protection policy for the local device according to the log information received by the receiving unit;
a sending unit, for sending the protection policy configured by the configuration unit to the local device, so that the local device performs a security protection operation according to the protection policy.
According to a fourth aspect of the invention, a cloud protection apparatus for sensitive data is proposed, the apparatus comprising:
a sending unit, for reporting local log information to a cloud server, so that the cloud server configures a protection policy according to the log information;
a receiving unit, for detecting local access data according to the received protection policy;
an execution unit, for intercepting the access operation corresponding to the access data when the access data hits the protection policy received by the receiving unit.
According to a fifth aspect of the invention, a cloud protection system for sensitive data is proposed, the system consisting of a cloud server containing the cloud protection apparatus for sensitive data proposed in the third aspect above and a local device containing the cloud protection apparatus for sensitive data proposed in the fourth aspect above;
wherein the cloud server is used to receive the log information sent by the local device, the log information being log information obtained on the basis of sensitive data, to configure a protection policy for the local device according to the log information, and to send the protection policy to the local device;
and the local device is used to report local log information to the cloud server, to detect local access data according to the received protection policy, and, if the access data hits the protection policy, to intercept the access operation corresponding to the access data.
In the cloud protection method, apparatus and system for sensitive data of the present invention, the cloud server formulates the protection policy and the local device carries out the specific protection operation. Because configuring the protection policy only requires the local device to provide related log statistics, and not the specific local data, the security of the sensitive data on the local device is assured; and because the cloud server can update the protection policy on the local device in real time, the local device can protect against network attacks in a more targeted way, improving the protection effect.
The above is merely an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practised according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to a person of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The accompanying drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a first cloud protection method for sensitive data proposed by an embodiment of the present invention;
Fig. 2 shows a flow chart of a second cloud protection method for sensitive data proposed by an embodiment of the present invention;
Fig. 3 shows a flow chart of a third cloud protection method for sensitive data proposed by an embodiment of the present invention;
Fig. 4 shows a block diagram of a first cloud protection apparatus for sensitive data proposed by an embodiment of the present invention;
Fig. 5 shows a block diagram of a second cloud protection apparatus for sensitive data proposed by an embodiment of the present invention;
Fig. 6 shows a block diagram of a third cloud protection apparatus for sensitive data proposed by an embodiment of the present invention;
Fig. 7 shows a block diagram of a fourth cloud protection apparatus for sensitive data proposed by an embodiment of the present invention;
Fig. 8 shows a block diagram of a cloud protection apparatus for sensitive data proposed by an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present invention are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present invention, it should be understood that the present invention may be realised in various forms and is not limited to the embodiments set out here. Rather, these embodiments are provided so that the present invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
An embodiment of the present invention provides a cloud protection method for sensitive data. The method is applied in the cloud server of a cloud protection system and, as shown in Fig. 1, comprises the following steps:
101. Receive the log information sent by the local device.
In the embodiment of the present invention, the cloud server is mainly responsible for the statistical analysis of log information, while the local device is a terminal device storing sensitive data. Sensitive data includes confidential data, public-safety data and the like; because such data may only be propagated confidentially within a limited scope, its networked use requires particular attention. The cloud server in the embodiment can generally serve multiple local devices in the same network; private data may be transmitted between these local devices, while the cloud server receives only the log information sent by each local device.
Because there are usually several local devices, the cloud server stores the received log information separately according to the local device it came from. This ensures that, when the log information is subsequently used, a matching protection policy can be configured for each local device on the basis of its own log information.
102. Configure a protection policy for the local device according to the log information.
When configuring the protection policy, the cloud server optimises the existing protection policy according to its analysis of the log information, so as to generate a new protection policy. The protection covered by the policy is mainly against DDoS attacks (Distributed Denial of Service), CC attacks (Challenge Collapsar, a type of DDoS attack), web application attacks and the like.
When configuring the protection policy, the cloud server can configure differently according to the log information provided by different local devices, so that the protection effect for each local device is optimal.
103. Send the protection policy to the local device.
After the protection policy is obtained, the cloud server sends each protection policy to the local device corresponding to the log from which it was derived.
From the cloud protection method for sensitive data applied in the cloud server provided by this embodiment of the present invention, it can be seen that the cloud server performs only the analysis of log information and the setting of the protection policy, and is not involved in the specific execution of protection operations. The role of the cloud server is therefore much lighter than that of an existing cloud server; accordingly, the cloud server in the embodiment can serve a larger number of local devices, and the configuration requirements of the cloud server itself are reduced, lowering the cost of configuring cloud protection.
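As an added example that is not code from the patent or from the applicants, the following Python sketch shows the cloud-server side of steps 101 to 103: log information is stored separately per device label, a protection policy covering DDoS and CC protection is configured from the merged statistics, and a policy is sent only when it differs from the one last sent, which is the incremental feedback behaviour the IDC embodiment later describes. The log format (per-source and per-path request counters), the policy format and the thresholds are assumptions chosen for the illustration; the reported log carries only counts, never the sensitive data itself.

```python
"""Cloud-side policy configuration (added illustration, not the patent's code)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogReport:
    """Aggregate log statistics reported by one local device (assumed format)."""
    device_id: str                        # label the device attaches so the cloud can tell devices apart
    requests_by_source: Dict[str, int]    # request counts per client address
    requests_by_path: Dict[str, int]      # request counts per requested path


@dataclass(frozen=True)
class ProtectionPolicy:
    """Policy the cloud configures for one device (assumed format)."""
    blocked_sources: frozenset            # sources to refuse outright (DDoS protection)
    per_source_rate_limit: int            # requests allowed per source per reporting window
    challenged_paths: frozenset           # paths put behind a challenge (CC protection)


class CloudServer:
    """Receives log reports (101), configures policies (102) and sends them (103)."""

    def __init__(self, block_share: float = 0.5, cc_share: float = 0.3, floor: int = 100):
        self._logs: Dict[str, List[LogReport]] = {}      # logs kept separately per device
        self._sent: Dict[str, ProtectionPolicy] = {}     # last policy sent to each device
        self.block_share, self.cc_share, self.floor = block_share, cc_share, floor

    def receive_log(self, report: LogReport) -> None:
        """Step 101: store the report under the label of the device that sent it."""
        self._logs.setdefault(report.device_id, []).append(report)

    @staticmethod
    def _merge(reports: List[LogReport], attr: str) -> Dict[str, int]:
        """Sum one counter family across all reports (incremental analysis)."""
        totals: Dict[str, int] = {}
        for r in reports:
            for key, n in getattr(r, attr).items():
                totals[key] = totals.get(key, 0) + n
        return totals

    def configure_policy(self, device_id: str) -> ProtectionPolicy:
        """Step 102: derive thresholds from the merged statistics of this device."""
        reports = self._logs.get(device_id, [])
        by_source = self._merge(reports, "requests_by_source")
        by_path = self._merge(reports, "requests_by_path")
        total = sum(by_source.values()) or 1
        # a source producing most of the traffic above the floor is treated as a DDoS source
        blocked = frozenset(s for s, n in by_source.items()
                            if n >= self.floor and n / total >= self.block_share)
        normal = [n for s, n in by_source.items() if s not in blocked]
        baseline = sum(normal) / len(normal) if normal else 0
        limit = max(self.floor, math.ceil(2 * baseline))
        path_total = sum(by_path.values()) or 1
        # a path drawing a large share of requests is put under CC (challenge) protection
        challenged = frozenset(p for p, n in by_path.items()
                               if n >= self.floor and n / path_total >= self.cc_share)
        return ProtectionPolicy(blocked, limit, challenged)

    def send_policy(self, device_id: str) -> Optional[ProtectionPolicy]:
        """Step 103: return the policy to push, or None when it has not changed."""
        policy = self.configure_policy(device_id)
        if self._sent.get(device_id) == policy:
            return None
        self._sent[device_id] = policy
        return policy


if __name__ == "__main__":
    cloud = CloudServer()
    # constructed sample reports from one device; 203.0.113.9 floods the device in the second one
    cloud.receive_log(LogReport("idc-a", {"10.0.0.1": 50, "10.0.0.2": 40, "203.0.113.9": 30},
                                {"/": 80, "/login": 40}))
    print(cloud.send_policy("idc-a"))
    cloud.receive_log(LogReport("idc-a", {"203.0.113.9": 900, "10.0.0.1": 10},
                                {"/login": 900, "/": 10}))
    print(cloud.send_policy("idc-a"))
```

The `_sent` comparison is what keeps real-time reporting cheap for the device: every incremental report is folded into the statistics, but a policy message goes out only when the computed thresholds actually move.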
The cloud protection method realised in the cloud server mainly completes the configuration of the protection policy, while the main operation of cloud protection has to be performed by the local device. For the specific protection operation of the local device, the embodiment of the present invention therefore also provides a cloud protection method for sensitive data. The local device in this method may be a data server, such as a website server or a server cluster in a data centre. In the embodiment of the present invention the local device stores sensitive data, and for security reasons this sensitive data usually cannot be uploaded to the cloud server; the local device therefore needs to carry out the security protection operation locally while receiving real-time protection policy updates from the cloud. As shown in Fig. 2, the method comprises:
201. Report local log information to the cloud server.
The local device records its local operations, including regular operations and security protection operations, in the form of logs. Because the security protection policy in a local device is essentially fixed unless a user changes it manually, it cannot be adjusted effectively as attack methods change. In the embodiment of the present invention the local device therefore works together with the cloud server and uses the cloud server's data-updating capability to update the security protection policy in the local device in real time.
Because the cloud server serves many devices, the local device needs to mark the reported log with a label identifying the local device, so that the cloud server can identify it when the log information is reported.
In addition, the embodiment of the present invention does not limit the timing of reporting log information: it may be reported in real time or at predetermined time intervals.
202. Detect local access data according to the received protection policy.
After reporting the log information, the local device receives the corresponding security protection policy that the cloud server configured from the reported log information, replaces the original security protection policy in the local device with it, and enables it for real-time detection of local access data, in order to judge whether the access data contains attack behaviour. Access data primarily means network access requests to the local device; whether an access request carries the features of a network attack recorded in the protection policy is judged by inspecting the request. Access data also includes the specific data transmitted during a user's access.
In the embodiment of the present invention, the protection policy can generally include policies against multiple network attacks; because the detection method differs for different network attacks, the specific detection method is not limited here.
203. When the access data hits the protection policy, intercept the access operation corresponding to the access data.
The access data is detected according to the updated protection policy. When the access data hits the protection policy, that is, the features of a network attack are detected in the access data and the access data is determined to be a network attack according to the protection policy, the local device intercepts the access operation corresponding to the access data. Specifically, for an access request the local device refuses the access; for a data transfer operation the local device interrupts the operation and deletes the data received.
While intercepting the access operation, the local device records the interception operation in the corresponding log information.
From the cloud protection method for sensitive data applied in the local device provided by the embodiment of the present invention, it can be seen that the local device completes the security protection operation on access data locally, and that its interaction with the cloud server is limited to the reporting of logs and the corresponding reception of protection policies, without reporting local sensitive data to the cloud server. The local device therefore avoids the risk of leaking sensitive data and improves the security of sensitive data when handling network access.
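As an added example that is not code from the patent or from the applicants, the following Python sketch shows the local-device side of steps 201 to 203: access requests are checked against the policy currently in force, hits are intercepted, both regular and interception operations are written to the local log, and the report sent to the cloud is built from that log with the device label attached and the request payload left out. The policy layout (a blocked-source set, a per-source request limit and a set of challenged paths) and the decision names are assumptions for the illustration.

```python
"""Local-device side of steps 201-203 (added illustration, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AccessRequest:
    """One access to the local device (assumed shape)."""
    source: str      # client address
    path: str        # requested path
    payload: bytes   # transmitted data; may be sensitive and must never leave the device


class LocalDevice:
    """Applies the cloud's policy locally and reports only log statistics."""

    def __init__(self, device_id: str, policy: dict):
        self.device_id = device_id         # label attached to every report (201)
        self.policy = policy               # assumed keys: blocked_sources, per_source_rate_limit, challenged_paths
        self.log: List[dict] = []          # regular and protection operations alike
        self._count: Dict[str, int] = {}   # requests per source in the current window

    def update_policy(self, policy: dict) -> None:
        """Replace the policy in force with the one the cloud sent (202 / 303)."""
        self.policy = policy
        self._count.clear()

    def handle(self, req: AccessRequest) -> str:
        """Detect one request against the policy; returns "allow", "reject" or "challenge"."""
        n = self._count[req.source] = self._count.get(req.source, 0) + 1
        if req.source in self.policy["blocked_sources"]:
            decision, reason = "reject", "blocked_source"      # DDoS source: refuse outright
        elif n > self.policy["per_source_rate_limit"]:
            decision, reason = "reject", "rate_limit"          # flood from one source
        elif req.path in self.policy["challenged_paths"]:
            decision, reason = "challenge", "cc_protection"    # CC protection on a hot path
        else:
            decision, reason = "allow", ""
        # 203: the interception is recorded in the log; only the payload length is kept, not the payload
        self.log.append({"source": req.source, "path": req.path, "decision": decision,
                         "reason": reason, "payload_len": len(req.payload)})
        return decision

    def build_report(self) -> dict:
        """Aggregate the log into the counters reported to the cloud (201)."""
        by_source: Dict[str, int] = {}
        by_path: Dict[str, int] = {}
        intercepted = 0
        for entry in self.log:
            by_source[entry["source"]] = by_source.get(entry["source"], 0) + 1
            by_path[entry["path"]] = by_path.get(entry["path"], 0) + 1
            intercepted += entry["decision"] == "reject"
        return {"device_id": self.device_id, "requests_by_source": by_source,
                "requests_by_path": by_path, "intercepted": intercepted}


if __name__ == "__main__":
    # constructed policy and traffic; the limit of 2 is deliberately tiny to show the rate check
    dev = LocalDevice("idc-a", {"blocked_sources": {"203.0.113.9"},
                                "per_source_rate_limit": 2,
                                "challenged_paths": {"/login"}})
    for req in [AccessRequest("203.0.113.9", "/", b"GET"),
                AccessRequest("10.0.0.1", "/", b"GET"),
                AccessRequest("10.0.0.1", "/", b"GET"),
                AccessRequest("10.0.0.1", "/", b"GET"),
                AccessRequest("10.0.0.2", "/login", b"account=secret")]:
        print(req.source, req.path, dev.handle(req))
    print(dev.build_report())
```

Keeping `payload_len` rather than the payload in the log is the concrete form of the separation the method relies on: the report the cloud receives is derived entirely from that log, so nothing sensitive can reach the cloud by way of the statistics.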
The two embodiments above illustrate, from the cloud server and the local device respectively, how to increase the security protection capability of the local device while guaranteeing the network security of sensitive data in a scenario where sensitive data is used over the network. The cloud server performs the data analysis and statistics on the log information and generates the corresponding protection policy, while the local device reports log information to the cloud server and detects access data in real time according to the protection policy; the two ends cooperate to realise cloud-based protection of sensitive data. In order to explain in more detail how the cloud protection method for sensitive data provided above is implemented in practice, in particular the interaction between the cloud server and the local device and specific application scenarios, the embodiment of the present invention additionally provides a cloud protection method for sensitive data. The scenario of this method is a cloud protection system built on multiple IDC (Internet Data Center) machine rooms, where the server in each IDC machine room corresponds to a local device and the cloud server is a control centre set up in the cloud. The cloud server configures a corresponding protection policy for each IDC machine room, and can also determine a specific policy for the data flow in the multiple IDC machine rooms through detection, so as to optimise user access to the data in the IDC machine rooms. As shown in Fig. 3, the specific steps comprise:
301. The local device reports local log information to the cloud server.
Here the local device corresponds to a server in an IDC machine room, referred to below as the machine-room server. The machine-room server records all local operations in the form of logs and reports the log information at regular intervals. The purpose of timed reporting is mainly to accumulate a certain amount of log data: when the cloud server analyses log information, the size of the data volume determines the accuracy of the analysis. The larger the data volume, the clearer the description of the machine-room server's access data, and the more targeted the protection policy that can be configured during analysis. The embodiment of the present invention therefore preferably reports log information at regular intervals, and the specific time interval can be set freely according to the actual application scenario.
The alternative to timed reporting is real-time reporting, in which log information is not stored locally but is reported to the cloud server as soon as it is generated. The benefit of this approach is that it saves local storage space, but the corresponding problem is that the frequent reporting operations occupy a certain amount of bandwidth and processing resources. For the cloud server, log information received in real time can only be analysed incrementally, that is, the added log is analysed together with the original logs to obtain the protection policy. Because each addition of logs is small, it has little effect on the resulting protection policy; only after a certain quantity has arrived does the resulting protection policy usually change. Therefore, when log information is reported in real time, the machine-room server reports in real time, but the cloud server feeds back to the machine-room server only when the computed protection policy changes.
302. The cloud server configures a protection policy for the local device according to the log information and sends it to the local device.
When analysing the log information, the cloud server focuses on the user access log of the machine-room server and the log of intercepted attacks. Combining these with the content of its network big-data information, the cloud server computes a protection policy for the access data in the log and sends it to the machine-room server to be applied.
In addition, besides configuring the protection policy, the cloud server can also configure an access policy for the machine-room servers in multiple IDC machine rooms in the same network. That is, while reporting log information, the machine-room server also reports its own resource information to the cloud, where resource information means the processing resource information of the server itself and the corresponding network resource information, not the stored sensitive data. The cloud server configures a network access policy for the machine-room server according to the resource information; the access policy determines whether the machine-room server allows user access, or plans an access path for an access request. Taking path planning as an example, suppose IDC machine rooms A and B are in two different locations. When the cloud server's analysis of the resource information reported by A shows that A's network entrance has failed and cannot be accessed, the cloud server changes the access path to A so that access requests are received by B and forwarded indirectly to A. As another example, A and B are IDC machine-room servers holding the same sensitive data and backing each other up; when the cloud server's analysis of the resource information of A and B shows that B's processing resources are currently saturated, the cloud server adjusts the access policy so that requests to B are transferred to A and answered by A. Therefore, when sending the protection policy to the machine-room server, the cloud server can first judge whether an access policy needs to be updated, and if so send it together with the protection policy, and vice versa.
303. The local device updates the protection policy and detects local access data.
After receiving the protection policy fed back by the cloud server, the machine-room server needs to replace the existing protection policy with it. The embodiment of the present invention does not limit whether this update is automatic or performed according to a user's instruction.
The detection of access data can refer to the content of step 202 in the embodiment above and is not repeated here.
304. The cloud server produces a protection operation report.
In this step, after the machine-room server performs protection operations according to the updated protection policy, the results are collected and summarised and presented in the form of a protection operation report. To produce the report the cloud server needs the corresponding operation data. The operation data of the machine-room server can likewise be reported to the cloud in real time, or first recorded in a local log and reported at regular intervals. In the real-time mode, the machine-room server does not keep the operation data or the corresponding log; these are handled entirely by the cloud server on its behalf, so when an interception operation is completed the machine-room server reports the execution result and related information directly to the cloud server and deletes the locally stored execution result. The timed log reporting mode is the same as described in step 301 of the embodiment of the present invention and is not repeated here.
From the description of the cloud server and the machine-room server in the embodiment of the present invention it can be understood that the cloud server is responsible for the logical control of security protection, while the machine-room server is the actual executor of security protection. However, for some special situations, such as when a machine-room server suffers a large number of attacks and is locally insufficient to cope with them, the embodiment of the present invention provides a one-key mode switching function in which the cloud server performs the specific protection operations. Specifically, the cloud server detects the machine-room server in real time and judges the machine-room server's current ability to cope with network attacks, which can be judged from the speed at which the machine-room server intercepts network attacks and from its own processing resources. When it is determined that the machine-room server's own protection capability is insufficient, the cloud server obtains the protection operation authority of the machine-room server and performs the corresponding protection operations in its place. Alternatively, the machine-room server can actively send a mode switching request; when the cloud server receives the request, it directly obtains the operating authority and performs the corresponding protection operations.
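As an added example that is not code from the patent or from the applicants, the following Python sketch covers the two resource-driven decisions of the IDC embodiment: the access policy of step 302 (route via the backup room when a room's entrance has failed, let the backup respond when a room is saturated, refuse access when neither room is reachable) and the mode-switch judgement described above (the cloud takes over protection when a room's interception rate or processing resources show it cannot cope, or when the room asks for the switch). The resource fields (reachability, load, interception rate), the backup pairing and the thresholds are assumptions constructed for the illustration.

```python
"""Cloud control decisions from resource information (added illustration, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class RoomResources:
    """Resource information a machine room reports alongside its logs (assumed fields)."""
    reachable: bool        # the room's network entrance can be accessed
    load: float            # processing resource utilisation, 0..1
    intercept_rate: float  # share of detected attacks intercepted in time, 0..1


class CloudControl:
    """Configures access policies (302) and decides on protection mode switching."""

    def __init__(self, backups: Dict[str, str], saturation: float = 0.9,
                 overload: float = 0.95, min_intercept: float = 0.8):
        self.backups = backups                          # room -> peer room holding the same data
        self.resources: Dict[str, RoomResources] = {}   # latest resource report per room
        self.switch_requests: Set[str] = set()          # rooms that asked for a mode switch
        self.saturation, self.overload, self.min_intercept = saturation, overload, min_intercept

    def report_resources(self, room: str, res: RoomResources) -> None:
        self.resources[room] = res

    def access_strategy(self, room: str) -> Optional[dict]:
        """Access policy for requests addressed to `room`; None when nothing needs to change."""
        res = self.resources[room]
        peer = self.backups.get(room)
        peer_res = self.resources.get(peer) if peer else None
        if not res.reachable:
            if peer_res is None or not peer_res.reachable:
                return {"allow": False, "path": [], "responder": None}
            # entrance of the room failed: receive at the peer and reach the room indirectly
            return {"allow": True, "path": [peer, room], "responder": room}
        if (res.load >= self.saturation and peer_res is not None
                and peer_res.reachable and peer_res.load < self.saturation):
            # room saturated and the peer holds the same data: transfer the request to the peer
            return {"allow": True, "path": [peer], "responder": peer}
        return None

    def request_switch(self, room: str) -> None:
        """A room actively asks the cloud to take over its protection operations."""
        self.switch_requests.add(room)

    def should_take_over(self, room: str) -> bool:
        """Mode switch: the cloud performs protection when the room cannot cope or asked for it."""
        if room in self.switch_requests:
            return True
        res = self.resources.get(room)
        if res is None:
            return False
        return res.intercept_rate < self.min_intercept or res.load >= self.overload


if __name__ == "__main__":
    ctl = CloudControl({"A": "B", "B": "A"})
    # constructed reports: A's entrance is down, B is healthy
    ctl.report_resources("A", RoomResources(reachable=False, load=0.4, intercept_rate=0.99))
    ctl.report_resources("B", RoomResources(reachable=True, load=0.5, intercept_rate=0.99))
    print("A:", ctl.access_strategy("A"))
    print("take over A:", ctl.should_take_over("A"))
```

The policy returned by `access_strategy` is pushed together with the next protection policy only when it is not `None`, which mirrors the "judge first whether the access policy needs updating" rule of step 302.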
The above has described in detail the cloud-based protection of sensitive data and the specific protection operations in the embodiments of the present invention. As a concrete apparatus implementing the above method, the embodiments of the present invention also provide a cloud protection apparatus for sensitive data. The apparatus is applied in a cloud server and is mainly used to formulate a matching protection policy according to log information and deliver it to the local device. Specifically, as shown in Figure 4, the apparatus includes:
a receiving unit 41, configured to receive log information sent by the local device, the log information being log information obtained on the basis of sensitive data;
a configuration unit 42, configured to configure a protection policy for the local device according to the log information received by the receiving unit 41;
a sending unit 43, configured to send the protection policy configured by the configuration unit 42 to the local device, so that the local device performs security protection operations according to the protection policy.
Further, as shown in Figure 5, the apparatus also includes:
an acquiring unit 44, configured to acquire the execution result of the local device performing the protection policy;
a statistics generation unit 45, configured to count the execution results acquired by the acquiring unit 44 and generate a protection operation report corresponding to the protection policy.
Further, as shown in Figure 5, the apparatus also includes:
a detection unit 46, configured to detect resource information of the local device, the resource information including processing resource information and network resource information;
the configuration unit 42 is further configured to configure an access policy for the local device according to the resource information detected by the detection unit 46, the access policy including a determination of whether the local device is permitted to access and the access path information;
the sending unit 43 is further configured to send the access policy configured by the configuration unit 42 to the local device.
Further, as shown in Figure 5, the apparatus also includes:
an execution unit 47, configured to obtain the security protection operation authority of the local device when the local device cannot perform security protection operations locally because it is under network attack, and to use that authority to perform the security protection operations for the local device.
Corresponding to the above apparatus embodiment applied in the cloud server, the embodiments of the present invention also provide a cloud protection apparatus for sensitive data that is applied in the local device and is mainly used to perform the corresponding security protection operations according to the received protection policy. Specifically, as shown in Figure 6, the apparatus includes:
a sending unit 51, configured to report local log information to the cloud server, so that the cloud server configures a protection policy according to the log information;
a receiving unit 52, configured to detect local access data according to the received protection policy;
an execution unit 53, configured to intercept the access operation corresponding to the access data when the access data hits the protection policy received by the receiving unit 52.
Further, as shown in Figure 7, the apparatus also includes:
the sending unit 51 is further configured to report the result of the interception operation to the cloud server after the access operation corresponding to the access data has been intercepted, so that the cloud server compiles a protection operation report from the interception operations;
an acquiring unit 54, configured to acquire the protection operation report from the cloud server;
a deletion unit 55, configured to delete the result of the interception operation after the sending unit 51 has sent it.
Further, the sending unit 51 of the apparatus is further configured to send local resource information to the cloud server, the resource information including processing resource information and network resource information, so that the cloud server configures a corresponding access policy according to the resource information;
the execution unit 53 is further configured to enforce the access policy sent by the cloud server, the access policy including a determination of whether the local device is permitted to access and the access path information.
In addition, the embodiments of the present invention also provide a cloud protection system for sensitive data. As shown in Figure 8, the system is composed of a cloud server 81 and a local device 82, where the remote server and the local device respectively apply the corresponding cloud protection apparatuses for sensitive data introduced in the above embodiments.
The cloud server 81 is configured to receive the log information sent by the local device 82, the log information being log information obtained on the basis of sensitive data; to configure a protection policy for the local device according to the log information; and to send the protection policy to the local device.
The local device 82 is configured to report local log information to the cloud server 81; to detect local access data according to the received protection policy; and, if the access data hits the protection policy, to intercept the access operation corresponding to the access data.
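The exchange between cloud server 81 and local device 82 described above, as an added example that is not code from the patent: the local device reports logs built from sensitive-data accesses, the cloud configures a protection policy from them, the local device detects and intercepts access data against that policy, reports the interception results, receives the cloud's protection operation report and then deletes its local copy of the results; the resource-information-based access policy from units 46 and 53 is included as well. The log and policy formats, the thresholds, the path names and the sample addresses are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """One local log line about an access to sensitive data (constructed format).
    Only this metadata is reported to the cloud; the sensitive content stays local."""
    source: str     # origin of the access, e.g. a client address
    resource: str   # the sensitive-data resource that was accessed
    outcome: str    # "ok" or "failed"


@dataclass(frozen=True)
class AccessData:
    source: str
    resource: str


@dataclass(frozen=True)
class ProtectionPolicy:
    blocked_sources: frozenset
    protected_resources: frozenset


@dataclass(frozen=True)
class AccessPolicy:
    allowed: bool   # whether the local device is permitted to access at all
    path: str       # access path information


class CloudServer:
    """Cloud server 81: logic control only.  It configures policies from the
    reported logs and compiles the protection operation report."""

    def __init__(self, failure_threshold=3):
        self.failure_threshold = failure_threshold  # assumption: N failed accesses block a source
        self.intercepts = Counter()

    def configure_protection_policy(self, logs):
        failures = Counter(e.source for e in logs if e.outcome == "failed")
        blocked = frozenset(s for s, n in failures.items() if n >= self.failure_threshold)
        return ProtectionPolicy(blocked, frozenset(e.resource for e in logs))

    def configure_access_policy(self, cpu_load, net_load):
        """Access policy from processing and network resource information.
        Thresholds and path names are assumptions for this example."""
        if cpu_load > 0.9:
            return AccessPolicy(False, "none")          # no processing headroom: deny
        return AccessPolicy(True, "direct" if net_load < 0.7 else "relay")

    def receive_intercept_results(self, results):
        for r in results:
            self.intercepts[(r.source, r.resource)] += 1

    def protection_report(self):
        return dict(self.intercepts)


class LocalDevice:
    """Local device 82: the concrete executor.  It reports logs, detects and
    intercepts, reports the interception results and then deletes them locally."""

    def __init__(self, logs):
        self.logs = list(logs)
        self.policy = None
        self.intercept_results = []

    def report_logs(self, cloud):
        self.policy = cloud.configure_protection_policy(self.logs)

    def handle_access(self, access):
        """Detect the access data against the policy; True means it was intercepted."""
        hit = (access.source in self.policy.blocked_sources
               and access.resource in self.policy.protected_resources)
        if hit:
            self.intercept_results.append(access)
        return hit

    def report_intercepts(self, cloud):
        cloud.receive_intercept_results(self.intercept_results)
        report = cloud.protection_report()
        self.intercept_results.clear()   # deletion unit 55: nothing lingers locally
        return report


def run_scenario():
    """Constructed end-to-end run; returns the decisions, the report and what is left locally."""
    logs = [LogEntry("10.0.0.5", "/db/customers", "failed")] * 3 + [
        LogEntry("10.0.0.8", "/db/customers", "ok"),
        LogEntry("10.0.0.9", "/db/payroll", "failed"),
    ]
    cloud, local = CloudServer(), LocalDevice(logs)
    local.report_logs(cloud)
    accesses = [AccessData("10.0.0.5", "/db/customers"), AccessData("10.0.0.8", "/db/customers"),
                AccessData("10.0.0.5", "/db/payroll"), AccessData("10.0.0.9", "/db/payroll")]
    decisions = [local.handle_access(a) for a in accesses]
    report = local.report_intercepts(cloud)
    return decisions, report, len(local.intercept_results)


if __name__ == "__main__":
    print(run_scenario())
```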
In summary, in the cloud protection method, apparatus and system for sensitive data provided by the embodiments of the present invention, the cloud configures the corresponding protection policy for the local device, and the local device itself performs the specific protection operations according to that policy. This avoids the risk of data leakage that would arise if the local device uploaded the sensitive data to the cloud, while configuring the protection policy through the cloud server makes full use of the cloud's big-data analysis capability to improve the effectiveness of protection; in particular, targeted policy analysis of the uploaded local log information makes the protection more precisely targeted. At the same time, the participation of the cloud also enables a series of optimization operations such as data flow control among multiple local devices and optimization of access paths, thereby improving local data-processing capacity, and when the protective capacity of the local device cannot effectively cope with a network attack, the cloud server can take control of the protection operations for the local device by means of mode switching. In this way, the embodiments of the present invention, through multi-dimensional settings, effectively enhance the network protection capability of devices storing sensitive data and the data coordination capability across multiple devices.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in a given embodiment, reference may be made to the related descriptions of the other embodiments.
It can be understood that the related features of the above cloud server and apparatus may be referred to one another. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not represent the relative merits of each embodiment.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing cloud server embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. Given the above description, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above descriptions of specific languages are given to disclose the best mode of the invention.
In the specification provided herein, a large number of specific details are set forth. It should be understood, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the specific embodiments are hereby expressly incorporated into those specific embodiments, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the invention according to embodiments of the present invention (such as a device for determining link levels in a website). The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The embodiments of the present invention also disclose the following schemes:
A1. A cloud protection method for sensitive data, the method comprising:
receiving, by a cloud server, log information sent by a local device, the log information being log information obtained on the basis of sensitive data;
configuring a protection policy for the local device according to the log information;
sending the protection policy to the local device, so that the local device performs security protection operations according to the protection policy.
A2. The method according to A1, further comprising:
acquiring the execution result of the local device performing the protection policy;
counting the execution results and generating a protection operation report corresponding to the protection policy.
A3. The method according to A1 or A2, further comprising:
detecting resource information of the local device, the resource information including processing resource information and network resource information;
configuring an access policy for the local device according to the resource information, the access policy including a determination of whether the local device is permitted to access and the access path information;
sending the access policy to the local device.
A4. The method according to A1, further comprising:
when the local device cannot perform security protection operations locally because it is under network attack, obtaining the security protection operation authority of the local device and performing the security protection operations by the cloud server.
B5. A cloud protection method for sensitive data, the method comprising:
reporting, by a local device, local log information to a cloud server, so that the cloud server configures a protection policy according to the log information;
detecting local access data according to the received protection policy;
if the access data hits the protection policy, intercepting the access operation corresponding to the access data.
B6. The method according to B5, wherein after the access operation corresponding to the access data is intercepted, the method further comprises:
reporting the result of the interception operation to the cloud server, so that the cloud server compiles a protection operation report from the interception operations;
acquiring the protection operation report;
deleting the result of the interception operation.
B7. The method according to B5 or B6, further comprising:
sending local resource information to the cloud server, the resource information including processing resource information and network resource information, so that the cloud server configures a corresponding access policy according to the resource information;
enforcing the access policy sent by the cloud server, the access policy including a determination of whether the local device is permitted to access and the access path information.
C8. A cloud protection apparatus for sensitive data, the apparatus comprising:
a receiving unit, configured to receive log information sent by a local device, the log information being log information obtained on the basis of sensitive data;
a configuration unit, configured to configure a protection policy for the local device according to the log information received by the receiving unit;
a sending unit, configured to send the protection policy configured by the configuration unit to the local device, so that the local device performs security protection operations according to the protection policy.
C9. The apparatus according to C8, further comprising:
an acquiring unit, configured to acquire the execution result of the local device performing the protection policy;
a statistics generation unit, configured to count the execution results acquired by the acquiring unit and generate a protection operation report corresponding to the protection policy.
C10. The apparatus according to C8 or C9, further comprising:
a detection unit, configured to detect resource information of the local device, the resource information including processing resource information and network resource information;
the configuration unit is further configured to configure an access policy for the local device according to the resource information detected by the detection unit, the access policy including a determination of whether the local device is permitted to access and the access path information;
the sending unit is further configured to send the access policy configured by the configuration unit to the local device.
C11. The apparatus according to C8, further comprising:
an execution unit, configured to obtain the security protection operation authority of the local device when the local device cannot perform security protection operations locally because it is under network attack, and to use that authority to perform the security protection operations for the local device.
D12. A cloud protection apparatus for sensitive data, the apparatus comprising:
a sending unit, configured to report local log information to a cloud server, so that the cloud server configures a protection policy according to the log information;
a receiving unit, configured to detect local access data according to the received protection policy;
an execution unit, configured to intercept the access operation corresponding to the access data when the access data hits the protection policy received by the receiving unit.
D13. The apparatus according to D12, further comprising:
the sending unit is further configured to report the result of the interception operation to the cloud server after the access operation corresponding to the access data has been intercepted, so that the cloud server compiles a protection operation report from the interception operations;
an acquiring unit, configured to acquire the protection operation report from the cloud server;
a deletion unit, configured to delete the result of the interception operation after the sending unit has sent it.
D14. The apparatus according to D12 or D13, further comprising:
the sending unit is further configured to send local resource information to the cloud server, the resource information including processing resource information and network resource information, so that the cloud server configures a corresponding access policy according to the resource information;
the execution unit is further configured to enforce the access policy sent by the cloud server, the access policy including a determination of whether the local device is permitted to access and the access path information.
E15. A cloud protection system for sensitive data, the system being composed of a cloud server containing the cloud protection apparatus for sensitive data according to any one of C8 to C11 and a local device containing the cloud protection apparatus for sensitive data according to any one of D12 to D14;
wherein the cloud server is configured to receive log information sent by the local device, the log information being log information obtained on the basis of sensitive data, to configure a protection policy for the local device according to the log information, and to send the protection policy to the local device;
and the local device is configured to report local log information to the cloud server, to detect local access data according to the received protection policy, and, if the access data hits the protection policy, to intercept the access operation corresponding to the access data.

Claims (10)

1. A cloud protection method for sensitive data, characterized in that the method comprises:
receiving, by a cloud server, log information sent by a local device, the log information being log information obtained on the basis of sensitive data;
configuring a protection policy for the local device according to the log information;
sending the protection policy to the local device, so that the local device performs security protection operations according to the protection policy.
2. The method according to claim 1, characterized in that the method further comprises:
acquiring the execution result of the local device performing the protection policy;
counting the execution results and generating a protection operation report corresponding to the protection policy.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
detecting resource information of the local device, the resource information including processing resource information and network resource information;
configuring an access policy for the local device according to the resource information, the access policy including a determination of whether the local device is permitted to access and the access path information;
sending the access policy to the local device.
4. The method according to claim 1, characterized in that the method further comprises:
when the local device cannot perform security protection operations locally because it is under network attack, obtaining the security protection operation authority of the local device and performing the security protection operations by the cloud server.
5. A cloud protection method for sensitive data, characterized in that the method comprises:
reporting, by a local device, local log information to a cloud server, so that the cloud server configures a protection policy according to the log information;
detecting local access data according to the received protection policy;
if the access data hits the protection policy, intercepting the access operation corresponding to the access data.
6. The method according to claim 5, characterized in that, after the access operation corresponding to the access data is intercepted, the method further comprises:
reporting the result of the interception operation to the cloud server, so that the cloud server compiles a protection operation report from the interception operations;
acquiring the protection operation report;
deleting the result of the interception operation.
7. The method according to claim 5 or 6, characterized in that the method further comprises:
sending local resource information to the cloud server, the resource information including processing resource information and network resource information, so that the cloud server configures a corresponding access policy according to the resource information;
enforcing the access policy sent by the cloud server, the access policy including a determination of whether the local device is permitted to access and the access path information.
8. A cloud protection apparatus for sensitive data, characterized in that the apparatus comprises:
a receiving unit, configured to receive log information sent by a local device, the log information being log information obtained on the basis of sensitive data;
a configuration unit, configured to configure a protection policy for the local device according to the log information received by the receiving unit;
a sending unit, configured to send the protection policy configured by the configuration unit to the local device, so that the local device performs security protection operations according to the protection policy.
9. A cloud protection apparatus for sensitive data, characterized in that the apparatus comprises:
a sending unit, configured to report local log information to a cloud server, so that the cloud server configures a protection policy according to the log information;
a receiving unit, configured to detect local access data according to the received protection policy;
an execution unit, configured to intercept the access operation corresponding to the access data when the access data hits the protection policy received by the receiving unit.
10. A cloud protection system for sensitive data, characterized in that the system is composed of a cloud server containing the cloud protection apparatus for sensitive data according to claim 8 and a local device containing the cloud protection apparatus for sensitive data according to claim 9;
wherein the cloud server is configured to receive log information sent by the local device, the log information being log information obtained on the basis of sensitive data, to configure a protection policy for the local device according to the log information, and to send the protection policy to the local device;
and the local device is configured to report local log information to the cloud server, to detect local access data according to the received protection policy, and, if the access data hits the protection policy, to intercept the access operation corresponding to the access data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611117649.7A CN106534174A (en) 2016-12-07 2016-12-07 Cloud protection method, apparatus and system of sensitive data


Publications (1)

Publication Number Publication Date
CN106534174A true CN106534174A (en) 2017-03-22

Family

ID=58341714


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234469A (en) * 2017-12-28 2018-06-29 江苏通付盾信息安全技术有限公司 Mobile terminal application safety protecting method, apparatus and system
CN111740884A (en) * 2020-08-25 2020-10-02 云盾智慧安全科技有限公司 Log processing method, electronic equipment, server and storage medium
CN113225334A (en) * 2021-04-30 2021-08-06 中国工商银行股份有限公司 Terminal security management method and device, electronic equipment and storage medium
CN114124429A (en) * 2021-08-23 2022-03-01 阿里巴巴新加坡控股有限公司 Data processing method and device, electronic equipment and computer readable storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006297A (en) * 2010-11-23 2011-04-06 中国科学院软件研究所 Two-level policy decision-based access control method and system
CN103428177A (en) * 2012-05-18 2013-12-04 中兴通讯股份有限公司 Configuration and generation method and device for cloud environment audit logs and/or security events
US20140129792A1 (en) * 2011-09-26 2014-05-08 Google Inc. Permissions of objects in hosted storage
CN103916376A (en) * 2013-01-09 2014-07-09 台达电子工业股份有限公司 Cloud system with attract defending mechanism and defending method thereof
CN104468632A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Loophole attack prevention method, device and system
CN104767689A (en) * 2014-01-07 2015-07-08 腾讯科技(深圳)有限公司 Method of controlling network access amount and server
CN104955043A (en) * 2015-06-01 2015-09-30 成都中科创达软件有限公司 Intelligent terminal safety protection system
CN105678193A (en) * 2016-01-06 2016-06-15 杭州数梦工场科技有限公司 Tamper-proof processing method and device
CN105827627A (en) * 2016-04-29 2016-08-03 北京网康科技有限公司 Method and apparatus for acquiring information
CN105991628A (en) * 2015-03-24 2016-10-05 杭州迪普科技有限公司 Network attack identification method and network attack identification device



Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
    Applicant after: Beijing Qihu Technology Co., Ltd.
    Applicant after: Qianxin Technology Group Co., Ltd.
    Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
    Applicant before: Beijing Qihu Technology Co., Ltd.
    Applicant before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.
RJ01 Rejection of invention patent application after publication
    Application publication date: 20170322