CN107295021B - Security detection method and system of host based on centralized management - Google Patents


Publication number: CN107295021B
Authority: CN (China)
Prior art keywords: security, log information, information, host, client
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201710703313.7A
Other languages: Chinese (zh)
Other versions: CN107295021A (en)
Inventors: 邓华光, 邹荣新
Current assignee: Sangfor Technologies Co Ltd (as listed; not verified by legal analysis)
Original assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN201710703313.7A; publication of CN107295021A; application granted; publication of CN107295021B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the invention provide a host security detection method and system based on centralized management, intended to improve the efficiency of host security detection under centralized management. The method comprises the following steps: clients deployed on a plurality of hosts belonging to different users each collect log information of their corresponding host and upload it to a cloud platform, where the cloud platform is deployed in a public network and each host requiring security detection is provided with one client; the cloud platform forwards each item of log information to the security management platform of the user to which that log information belongs, the cloud platform comprising at least one security management platform; and the security management platform analyzes the log information, generates security threat information from the log information and displays the security threat information to the user.

Description

Security detection method and system of host based on centralized management
Technical Field
The invention relates to the field of network security, in particular to a security detection method and system of a host based on centralized management.
Background
The rapid growth of the internet has brought every industry into the information network era: online services are diversified, the number of people using them is huge, and the number of servers and hosts operated by a company keeps increasing. At the same time, attack threats against hosts continue to grow and managing the hosts becomes more challenging, so traditional host security maintenance is no longer suited to today's large data centers.
Managing a multi-host data center currently has the following specific problems. The traditional host security defense mode deploys antivirus software on each individual host to scan for vulnerabilities; the antivirus software runs on the host, inspects the data on that host and generates a report file for it. Security events so generated cannot be handled in real time, and the user must periodically extract the report file generated by the antivirus software on each host one by one to evaluate the security condition of that single host and analyze whether it is exposed to security threats. Checking and analyzing the security of hosts one by one at regular intervals is cumbersome and inefficient, and analysis of a single host makes it difficult for the user to evaluate the security condition of the entire data center.
It is therefore necessary to develop a security detection method for centrally managed hosts that solves the problem of low detection efficiency for such hosts.
Disclosure of Invention
Embodiments of the invention provide a host security detection method and system based on centralized management, intended to improve the efficiency of host security detection under centralized management.
A first aspect of an embodiment of the present invention provides a security detection method for a host based on centralized management, where the method includes:
clients deployed on a plurality of hosts belonging to different users each collect log information of their corresponding host and upload it to a cloud platform, where the cloud platform is deployed in a public network and each host requiring security detection is provided with one client;
the cloud platform forwards each item of log information to the security management platform of the user to which that log information belongs, the cloud platform comprising at least one security management platform;
and the security management platform analyzes the log information, generates security threat information from the log information and displays the security threat information to the user.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:
the client detects in real time, according to a preset rule, whether a preset security event occurs on its corresponding host;
and if the preset security event occurs, immediately processes the preset security event according to the preset rule.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, immediately processing the preset security event according to the preset rule includes:
when the client monitors in real time, according to the preset rule, that a malicious file exists on its corresponding host, the client automatically isolates or deletes the malicious file.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, immediately processing the preset security event according to the preset rule includes:
when the client monitors, according to the preset rule, that its corresponding host is under a brute force attack, the client blocks the IP address of the attack source of the brute force attack.
With reference to the first aspect, the first possible implementation manner of the first aspect, the second possible implementation manner of the first aspect, and the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the log information includes one or more of hardware asset information, operating system information, network connection information, port information opened by the host, process information, network traffic information, and security log information of the host;
and the security management platform analyzes the log information and displays the log information to the user.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the method further includes:
and after the user configures a corresponding security policy according to the security threat information, the security management platform sends the security policy to a target client of a target host corresponding to the log information or to clients of all hosts to which the user belongs.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the security management platform is a virtualized application deployed on the cloud platform by using a Docker container technology.
A second aspect of the embodiments of the present invention provides a security detection system for a host based on centralized management, including:
a cloud platform and a client, wherein
the client is deployed on a plurality of hosts belonging to different users, collects the log information of the corresponding hosts and uploads it to the cloud platform, and each host requiring security detection is provided with one client;
the cloud platform is deployed in a public network and is used to forward each item of log information to the security management platform of the user to which that log information belongs, the cloud platform comprising at least one security management platform;
and the security management platform analyzes the log information, generates security threat information from the log information and displays the security threat information to the user.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the client includes:
a detection module, used to detect according to a preset rule whether a preset security event occurs on the host and to immediately process the preset security event according to the preset rule.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the detection module includes:
a first detection unit, used to monitor in real time according to a preset rule whether a malicious file exists on the host and, if so, to automatically isolate or delete the malicious file.
With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the detection module further includes:
a second detection unit, used to monitor whether the host is under a brute force attack and, if so, to block the IP address of the attack source of the brute force attack.
With reference to the second aspect, the first possible implementation manner of the second aspect, the second possible implementation manner of the second aspect, and the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the log information includes one or more of hardware asset information, operating system information, network connection information, port information opened by the host, process information, network traffic information, and security log information of the host, and the security management platform further includes:
a security visualization module, used to analyze the log information and display it to the user.
With reference to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the security management platform further includes:
a security policy module, used to send the security policy, after the user has configured a corresponding security policy according to the security threat information, to the target client of the target host corresponding to the log information or to the clients of all hosts belonging to the user.
With reference to the fifth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the security management platform is a virtualized application deployed on the cloud platform by using a Docker container technology.
According to the technical scheme, the embodiment of the invention has the following advantages:
in the embodiment of the invention, clients deployed on a plurality of hosts belonging to different users each collect the log information of their corresponding host and upload it to the cloud platform; the cloud platform forwards the log information to the security management platform of the corresponding user; and the security management platform analyzes the log information, generates security threat information from it and displays the security threat information to the user. The embodiment thus collects the log information of a user's hosts automatically and in real time into a security management platform deployed on the cloud platform, which detects the data and generates the corresponding security threat information. Compared with the mode in which each host runs antivirus software to detect its own data and generate a detection report, with report files extracted manually one by one at regular intervals, no manual extraction is needed, the efficiency of security monitoring is improved, the amount of data each host must detect itself is reduced, and host resource overhead is saved.
Drawings
FIG. 1 is a system architecture diagram of security detection based on a centrally managed host according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an embodiment of a security detection method based on a centrally managed host according to an embodiment of the present invention;
fig. 3 is a schematic diagram of another embodiment of a security detection method based on a centrally managed host in an embodiment of the present invention;
fig. 4 is a schematic diagram of another embodiment of a security detection method based on a centrally managed host in an embodiment of the present invention;
FIG. 5 is a diagram of an embodiment of a security detection system based on a centrally managed host according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a detailed functional module of a client of a security detection system based on a centrally managed host according to an embodiment of the present invention;
fig. 7 is a schematic diagram of detailed functional modules of a security management platform of a security detection method based on a centrally managed host in an embodiment of the present invention.
Detailed Description
Embodiments of the invention provide a host security detection method and system based on centralized management, intended to improve the efficiency of host security detection under centralized management.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For ease of understanding, the system architecture for security detection of centrally managed hosts in the embodiment of the present invention is first described briefly with reference to fig. 1. The cloud platform in the embodiment can dynamically allocate virtualized security management platforms to different tenants, comprises at least one security management platform, and each security management platform can centrally manage the multiple hosts belonging to one user.
In the embodiment of the invention, a cloud platform deployed in a public network together with clients deployed on the hosts of a plurality of users realizes centralized detection and analysis of those users' hosts. The cloud platform deployed in the public network can be accessed by different tenants from different enterprises; the hosts may be virtual hosts or physical servers deployed on a public or private cloud; the clients mainly perform information collection and response execution; and the cloud platform dynamically allocates virtualized security management platforms to the different tenants. The security management platform in the cloud platform can form preset rules through big data security analysis, analysis by an artificial intelligence detection engine, the score calculation model of a reputation system, a very large reputation list library and the like, and use them to perform security detection on the data collected by the clients. For example, a black and white list can be derived from the reputation list library to distinguish whether a file type in the log information is a normal file or a malicious file; the specific detection method is not limited herein. When the detection result is a threat event, it can be handled in real time and a corresponding security policy can be configured, for example isolating files or blocking intrusion behaviour.
Referring to fig. 2, a specific process in an embodiment of the present invention is described below, where an embodiment of a method for detecting security of a host based on centralized management in an embodiment of the present invention may include:
201. Clients deployed on a plurality of hosts belonging to different users each collect log information of their corresponding host and upload it to a cloud platform;
in this embodiment, the client may be deployed on each host that needs security detection, and the hosts may belong to different users. The client collects log information of its corresponding host; according to the detection requirement, it may select which host-related information to collect as part of the log information uploaded to the cloud platform, and the specific log information may be set reasonably according to that requirement. For example, if the client finds an unexpectedly open service port on the host, it may additionally record the host's process information in the log information so that the user can determine whether a malicious process exists.
Specifically, the log information may include hardware asset information, operating system information, network connection information, service port information opened by the host, process information, network traffic information, security log information, and the like of the host, which may reflect an operating state or a security state of the host, and is not limited herein.
Specifically, in actual application the cloud platform in this embodiment may be a SaaS (Software-as-a-Service) cloud platform deployed in a public network: the user does not need to install a corresponding cloud platform software client and can manage the hosts belonging to the user, and store the large amount of real-time data extracted from those hosts, simply by logging in to the SaaS cloud platform on the Web. The specific cloud platform is not limited here.
Specifically, the client in this embodiment is given the address of its cloud platform as an installation parameter on the host, so that the client on each host can connect to its corresponding cloud platform. In the special case where the host's client cannot connect to the cloud platform directly, it can connect through a SOCKS proxy; the specific connection manner is not limited here.
It can be understood that, during the process of transmitting data to the cloud platform, the client may perform encryption or not perform encryption according to the requirement of the user, which is not limited herein.
202. The cloud platform respectively forwards the log information to the security management platforms to which the corresponding users belong;
after the cloud platform uniformly receives the log information sent by different hosts of different users, the cloud platform can respectively forward the log information to the security management platform of the corresponding user according to the difference of the users to further process the log information.
Specifically, the cloud platform may use an Apache, Lighttpd or Nginx server to forward a user's log information to the security management platform of the corresponding tenant. For example, the cloud platform may use Nginx, a high-performance HTTP and reverse proxy server, to forward the log information to the security management platform of the corresponding tenant; the following listing may be referred to for the specific Nginx configuration:
[Figure BDA0001380899300000071: Nginx configuration listing, shown as an image in the original and not reproduced in the text]
The specific parameter values in this configuration may be adjusted according to the circumstances of the cloud platform deployed by the provider, which is not limited herein.
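The Nginx listing above is not reproduced on the page, so the following is an added example, written for this page and not taken from the patent or from Sangfor, of the forwarding step it describes (and of the per-tenant allocation of security management platforms mentioned with fig. 1): the cloud platform authenticates the uploading client, derives the tenant from the client's identity rather than from the payload, and forwards the record to that tenant's security management platform (SMP). The client registry, the per-client shared secret, the JSON record format and the SMP addresses are all assumptions made for this example.

```python
"""Added example (not the patent's or Sangfor's code): tenant-aware forwarding of
uploaded log records at the cloud platform. Registry, secrets, record format and
SMP addresses are assumptions made for this example."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed registry: client id -> owning tenant and upload secret (assumption).
CLIENT_REGISTRY = {
    "host-a1": {"tenant": "tenant-a", "secret": b"example-secret-a1"},
    "host-a2": {"tenant": "tenant-a", "secret": b"example-secret-a2"},
    "host-b1": {"tenant": "tenant-b", "secret": b"example-secret-b1"},
}
# Constructed: address of each tenant's virtualized security management platform.
TENANT_SMP = {"tenant-a": "10.0.1.10:8080", "tenant-b": "10.0.1.11:8080"}


def sign(client_id: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the upload body with the client's secret."""
    secret = CLIENT_REGISTRY[client_id]["secret"]
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class Router:
    """Cloud-platform side: authenticate the client, derive its tenant, forward."""

    def __init__(self):
        self.forwarded = {tenant: [] for tenant in TENANT_SMP}
        self.rejected = []

    def route(self, client_id: str, body: bytes, signature: str) -> Optional[str]:
        """Return the SMP address the record was forwarded to, or None if rejected."""
        entry = CLIENT_REGISTRY.get(client_id)
        if entry is None:
            self.rejected.append((client_id, "unknown client"))
            return None
        expected = hmac.new(entry["secret"], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            self.rejected.append((client_id, "bad signature"))
            return None
        record = json.loads(body)
        # The tenant comes from the authenticated client identity, never from the
        # payload, so a record cannot be steered into another tenant's platform.
        tenant = entry["tenant"]
        if record.get("tenant", tenant) != tenant:
            self.rejected.append((client_id, "tenant mismatch"))
            return None
        record["tenant"] = tenant
        self.forwarded[tenant].append(record)
        return TENANT_SMP[tenant]


def demo():
    """Three uploads: a valid one, a payload claiming another tenant, a forgery."""
    router = Router()
    good = json.dumps({"host": "host-a1", "open_ports": [22, 80]}).encode()
    cross = json.dumps({"host": "host-a2", "tenant": "tenant-b"}).encode()
    forged = json.dumps({"host": "host-b1"}).encode()
    results = [
        router.route("host-a1", good, sign("host-a1", good)),
        router.route("host-a2", cross, sign("host-a2", cross)),
        router.route("host-b1", forged, "0" * 64),  # signature not produced with the secret
    ]
    return results, router


if __name__ == "__main__":
    results, router = demo()
    print(results)          # ['10.0.1.10:8080', None, None]
    print(router.rejected)  # [('host-a2', 'tenant mismatch'), ('host-b1', 'bad signature')]
```

The design choice worth noting is that the routing key is the authenticated client, not anything the client sends: in a multi-tenant cloud platform the forwarding layer is the tenant boundary, so a record that claims a different tenant is rejected rather than routed.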
203. The security management platform analyzes the log information, generates security threat information from the log information and displays the security threat information to the user;
in this embodiment, the security management platform may perform security detection on the data collected by the client through big data security analysis, analysis by an artificial intelligence detection engine, the score calculation model of a reputation system and a very large reputation list library, the specific detection manner not being limited here. If a security threat exists in a host's log information, or in the host data recorded in that log information, the security management platform generates the corresponding security threat information and displays it to the user.
In the embodiment of the invention, clients deployed on a plurality of hosts belonging to different users each collect the log information of their corresponding host and upload it to the cloud platform; the cloud platform forwards the log information to the security management platform of the corresponding user; and the security management platform analyzes the log information, generates security threat information from it and displays the security threat information to the user. The embodiment thus collects the log information of a user's hosts automatically and in real time into a security management platform deployed on the cloud platform, which detects the data and generates the corresponding security threat information. Compared with the mode in which each host runs antivirus software to detect its own data and generate a detection report, with report files extracted manually one by one at regular intervals, no manual extraction is needed, the efficiency of security monitoring is improved, the amount of data each host must detect itself is reduced and host resource overhead is saved; the user can centrally manage the hosts through the security management platform, the log information is analyzed in real time and the corresponding security threat information generated, and the possibility of delay in handling security events is reduced.
Secondly, the security management platform in this embodiment can perform security detection on the data collected by the client through big data security analysis, analysis by an artificial intelligence detection engine, the score calculation model of a reputation system and a very large reputation list library, thereby improving the accuracy of detection.
On the basis of the above embodiment, a user can collect log information from a plurality of hosts and use it to detect potential security hazards on those hosts. In actual application, however, some common security events occur on most hosts, for example brute force attacks on the servers running on the hosts or the writing of malicious files, and these security events need to be protected against or handled in real time. In addition, some sensitive data on the hosts is generally not suitable for uploading to the cloud for security detection. For these reasons, preset security rules need to be set in the client according to the user's needs so that specific security events and sensitive data on the hosts are protected or handled in real time. Referring to fig. 3, another embodiment of a method for detecting the security of a host based on centralized management according to an embodiment of the present invention includes:
301. Clients deployed on a plurality of hosts belonging to different users each collect log information of their corresponding host and upload it to a cloud platform;
302. The cloud platform forwards the log information to the security management platforms of the corresponding users;
303. The security management platform analyzes the log information, generates security threat information from the log information and displays the security threat information to the user;
steps 301 to 303 in this embodiment are similar to those described in steps 201 to 203 in the embodiment shown in fig. 2, and are not described again here.
304. The client detects in real time, according to a preset rule, whether a preset security event occurs on its corresponding host;
in actual application, a host needs real-time protection against some common security events. Following the user's operation, the detection rules and the processing rules for the security events that require real-time automatic detection can be set reasonably as preset rules on the clients of all hosts belonging to the user, and each client can then detect in real time according to the preset rules whether a preset security event occurs on its host. The specific security detection rules are not limited here.
It is understood that, in this embodiment, the implementation sequence of step 304 and the subsequent steps may be performed before, after, or simultaneously with steps 301 to 303, and the specific implementation sequence is not limited herein.
305. The client immediately processes the preset security event according to the preset rule.
When the client detects a preset security event according to the preset rule, it can immediately process the event according to the preset rule configured by the user. The specific processing may be automatically isolating or deleting a malicious file, blocking the IP address of the attack source of a brute force attack, or writing the occurrence of the preset security event into the log information as a security log entry, which is not limited here.
Furthermore, the cloud platform can collect the log information of a plurality of users for comprehensive analysis and identify various security threats more completely, so as to update the corresponding preset rule base in real time.
Specifically, when the client monitors in real time according to a preset rule that a malicious file exists on its corresponding host, the client can automatically isolate or delete the malicious file. For example, the client on a web server host can automatically discover the web server's root directory and monitor that directory in real time using inotify; when a file in the directory changes, the file is scanned so that a webshell malicious file is discovered in time, and the malicious file can be automatically isolated or deleted depending on configuration. As another example, the client inspects the host's domain name resolution in real time and judges against a rule library whether it constitutes botnet behaviour, thereby detecting botnet malicious files in real time; once a malicious file is detected, the client can report the details of the event to the security management platform in the form of a log, or automatically isolate and delete the malicious file.
Specifically, when the client monitors that its corresponding host is under a brute force attack, it can block the IP address of the attack source to protect the host. Optionally, the client may analyze and summarize the host's access log and report the details of the brute force attack to the security management platform in the form of a threat log.
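Steps 304 and 305 describe a client-side preset rule that detects a brute force attack and responds by blocking the attack source and reporting a threat log. The following added example, written for this page and not the patent's or Sangfor's code, shows one concrete form of such a rule: failed SSH logins from the host's auth log are counted per source address in a sliding time window, and crossing the threshold yields a block action plus a threat log record for the security management platform. The OpenSSH log format is real; the sample log lines, the threshold, the window length and the "never block" management networks are constructed assumptions. The allowlist is the caveat a practitioner would want: an automatic block must never cut off the management plane, so sources on those networks only raise an alert.

```python
"""Added example (not the patent's code): a client-side preset rule for brute
force detection over the host's auth log. Sample lines, threshold, window and
allowlist are constructed assumptions for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample auth log in OpenSSH syslog format (not real traffic).
SAMPLE_LOG = """\
Aug 17 10:00:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51000 ssh2
Aug 17 10:00:02 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 51001 ssh2
Aug 17 10:00:03 web1 sshd[2213]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Aug 17 10:00:04 web1 sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Aug 17 10:00:05 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 51004 ssh2
Aug 17 10:00:10 web1 sshd[2216]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Aug 17 10:00:11 web1 sshd[2217]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Aug 17 10:00:12 web1 sshd[2218]: Failed password for alice from 192.168.1.20 port 40002 ssh2
Aug 17 10:00:13 web1 sshd[2219]: Failed password for alice from 192.168.1.20 port 40003 ssh2
Aug 17 10:00:14 web1 sshd[2220]: Failed password for alice from 192.168.1.20 port 40004 ssh2
Aug 17 10:00:30 web1 sshd[2221]: Accepted publickey for alice from 192.168.1.20 port 40005 ssh2
Aug 17 10:05:00 web1 sshd[2222]: Failed password for root from 198.51.100.9 port 6000 ssh2
Aug 17 10:20:00 web1 sshd[2223]: Failed password for root from 198.51.100.9 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Preset rule; all values are assumptions for the example.
RULE = {
    "threshold": 5,                   # failures from one source address...
    "window": timedelta(minutes=1),   # ...within this sliding window
    # Management networks that must never be auto-blocked (alert only).
    "never_block": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}


def parse_ts(text, year=2017):
    """Syslog timestamps carry no year; the year is an assumption here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def evaluate(log_text, rule=RULE):
    """Apply the brute force rule. Returns (actions, threat_logs).

    actions: list of ("block_ip" | "alert_only", source ip), one per source.
    threat_logs: records to report to the security management platform.
    """
    windows = defaultdict(deque)   # source ip -> timestamps of recent failures
    handled = set()
    actions, threat_logs = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        recent = windows[ip]
        recent.append(ts)
        while recent and ts - recent[0] > rule["window"]:
            recent.popleft()       # drop failures outside the window
        if len(recent) < rule["threshold"] or ip in handled:
            continue
        handled.add(ip)
        src = ip_address(ip)
        protected = any(src in net for net in rule["never_block"])
        actions.append(("alert_only" if protected else "block_ip", ip))
        threat_logs.append({
            "type": "brute_force",
            "source": ip,
            "failures": len(recent),
            "first": recent[0].isoformat(),
            "last": ts.isoformat(),
            "response": "alert_only" if protected else "block_ip",
        })
    return actions, threat_logs


if __name__ == "__main__":
    for action in evaluate(SAMPLE_LOG)[0]:
        print(action)   # ('block_ip', '203.0.113.5') then ('alert_only', '192.168.1.20')
```

The third source, 198.51.100.9, never triggers the rule because its two failures are fifteen minutes apart and fall out of the window; without the sliding window a plain per-address counter would eventually block it after enough slow attempts, which is a different rule with a different false-positive profile.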
On the basis of the embodiments shown in fig. 2 or fig. 3, a user who collects the log information of a single host through its client often cannot accurately evaluate the security state and operating state of an entire data center made up of multiple hosts, nor set uniform security rules for the whole data center. To solve this problem, the log information collected by the clients needs to be visualized for the user. Specifically, referring to fig. 4, another embodiment of a security detection method for a centrally managed host according to an embodiment of the present invention may include:
401. Clients deployed on a plurality of hosts of different users respectively collect log information of the corresponding hosts and upload the log information to a cloud platform;
In this embodiment, the clients may be deployed on a plurality of hosts of different users and respectively collect the log information of the corresponding hosts. According to the detection requirement, a client may select which host-related information to collect as part of the log information and upload it to the cloud platform. The specific log information may be set as appropriate for the detection requirement; for example, it may include hardware asset information, operating system information, network connection information, open service port information, process information, network traffic information, and other information that can reflect the operating state or security state of the host, and is not specifically limited here.
Specifically, in actual application, the cloud platform in this embodiment may be a SaaS (Software-as-a-Service) cloud platform deployed in a public network: a user can manage the hosts to which the user belongs and store the large amount of real-time data extracted from those hosts simply by logging in to the SaaS cloud platform through the Web, without installing a corresponding cloud platform software client. Using Docker virtualized container technology, the cloud platform can establish a completely independent virtualized security management platform for each user, and configures an independent IP address for each virtualized management platform by adopting a pipeline.
It can be understood that, during the process of transmitting data to the cloud platform, the client may perform encryption or not perform encryption according to the requirement of the user, which is not limited herein.
402. The cloud platform respectively forwards the log information to the security management platform to which the corresponding user belongs;
403. The security management platform analyzes the log information, generates security threat information according to the log information, and displays the security threat information to the user;
404. The client detects in real time, according to a preset rule, whether a preset security event occurs in the corresponding host;
405. The client immediately processes the preset security event according to the preset rule;
the contents described in steps 402 to 405 in this embodiment are similar to the contents described in steps 302 to 305 in the embodiment shown in fig. 3, and are not repeated here.
406. The security management platform displays the log information to the user;
In order to accurately evaluate the security state or operating state of a data center consisting of a plurality of hosts, the user can set, as appropriate, the types of log information the client collects, such as the hosts' hardware asset information, operating system information, network connection information, open service port information, process information and network traffic information, all of which can reflect the operating state or security state of a host. According to the user's settings, the client can analyze and process the various logs collected, and show the user events such as brute force attacks, malicious files and illegal access, together with a visual view of the traffic of the entire accessed system; information about the exposed surface, assets and so on of all hosts is collected. By logging in to the security management platform, the user can view the security events, asset information and the like of the hosts.
Further, this embodiment may further include:
407. The security management platform sends the security policy to the client.
When the user or the security management platform determines that a security risk exists in a corresponding host or that a security event has occurred, the security management platform may generate a corresponding security policy according to the user's operation; the specific security policy varies with the security vulnerability or security event and is not limited here. For example, if the log information records that the client detected a certain type of suspicious file in the host, the security management platform may configure the security policy for that host as isolating or deleting the suspicious file; or, if the log information describes that a server in the host was maliciously accessed from a malicious IP, the security management platform may configure the security policy for that host to block that malicious IP from accessing the host again.
The security policy configured by the user for the security threat information may be for a single host, may be for one type of host or multiple types of hosts, and the security management platform may send the security policy to a target client of a target host corresponding to the log information or to clients of all hosts to which the user belongs according to the setting of the user, which is not specifically limited here.
For example, when a certain security event occurs, and a user needs all hosts to configure firewall rules for the security event, the user can directly configure the firewall rules on the security management platform and automatically issue the firewall rules to all corresponding hosts, and when the security event occurs again on any host to which the user belongs, the host can automatically process the corresponding security event according to the firewall rules.
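Steps 401 to 407 as an added in-process model written for this page (it is not Sangfor's platform code): a client assembles a log record, the cloud platform routes it to the security management platform of the record's own user, that platform turns client-reported events into threat information, and a policy is issued either to one target host or to all hosts of the user. The record schema, the analysis rule, the tenant ids and the per-tenant routing check are assumptions of the example.

```python
"""Added example: steps 401-407 as a small in-process model.  Illustrative
code for this page, not Sangfor's cloud platform; schema, analysis rule and
tenant ids are assumptions."""
import platform
import socket
from dataclasses import dataclass, field


@dataclass
class LogRecord:
    host_id: str
    user_id: str                      # tenant the host belongs to
    os_info: dict
    security_log: list = field(default_factory=list)  # events the client already raised


def collect_log(host_id, user_id, security_log=()):
    """Step 401: the client assembles the record it uploads (os info is live, rest given)."""
    return LogRecord(host_id, user_id,
                     {"hostname": socket.gethostname(), "system": platform.system(),
                      "release": platform.release()},
                     list(security_log))


class SecurityManagementPlatform:
    """Steps 403, 406, 407: one isolated instance per user (the patent runs each in a container)."""
    def __init__(self, user_id):
        self.user_id = user_id
        self.records = []     # log information displayed to the user (406)
        self.threats = []     # security threat information (403)
        self.clients = set()  # hosts this user's platform manages

    def ingest(self, rec: LogRecord):
        if rec.user_id != self.user_id:   # routing invariant: never another tenant's data
            raise ValueError(f"record for {rec.user_id} delivered to {self.user_id}")
        self.records.append(rec)
        self.clients.add(rec.host_id)
        self.threats.extend(self.analyze(rec))

    @staticmethod
    def analyze(rec: LogRecord) -> list:
        """Constructed analysis rule: client-reported events become threat information."""
        return [{"host": rec.host_id, "threat": ev["type"], "detail": ev}
                for ev in rec.security_log
                if ev.get("type") in ("brute_force", "malicious_file")]

    def issue_policy(self, policy: dict, target_host=None) -> dict:
        """Step 407: send to one target host or to every host of this user; returns recipients."""
        targets = {target_host} if target_host else set(self.clients)
        unknown = targets - self.clients
        if unknown:
            raise ValueError(f"host(s) not managed by tenant {self.user_id}: {sorted(unknown)}")
        return {h: dict(policy) for h in sorted(targets)}


class CloudPlatform:
    """Step 402: forwards each record to the security management platform of its user."""
    def __init__(self):
        self.platforms = {}

    def platform_for(self, user_id) -> SecurityManagementPlatform:
        return self.platforms.setdefault(user_id, SecurityManagementPlatform(user_id))

    def forward(self, rec: LogRecord):
        self.platform_for(rec.user_id).ingest(rec)


def demo() -> dict:
    """Constructed scenario: two tenants, three hosts, one policy issued two ways."""
    cloud = CloudPlatform()
    cloud.forward(collect_log("web-1", "userA", [{"type": "brute_force", "source_ip": "203.0.113.7"}]))
    cloud.forward(collect_log("web-2", "userA"))
    cloud.forward(collect_log("db-1", "userB", [{"type": "malicious_file", "path": "/var/www/x.php"}]))
    a, b = cloud.platform_for("userA"), cloud.platform_for("userB")
    policy = {"firewall": {"deny_src": "203.0.113.7"}}
    try:                       # userA's platform must not be able to push policy to userB's host
        a.issue_policy(policy, target_host="db-1")
        cross_tenant_rejected = False
    except ValueError:
        cross_tenant_rejected = True
    return {
        "a_hosts": sorted(a.clients), "b_hosts": sorted(b.clients),
        "a_threats": [t["threat"] for t in a.threats],
        "b_threats": [t["threat"] for t in b.threats],
        "policy_all_a": sorted(a.issue_policy(policy)),
        "policy_one_a": sorted(a.issue_policy(policy, target_host="web-1")),
        "cross_tenant_rejected": cross_tenant_rejected,
    }
```

The two checks in `ingest` and `issue_policy` are the part worth keeping when the per-user platforms are separate containers: forwarding by `user_id` and refusing targets outside the tenant's own host set is what stops one user's log data or firewall policy from reaching another user's hosts.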
Referring to fig. 5, an embodiment of a security detection system based on a centrally managed host according to an embodiment of the present invention may include:
a cloud platform 500 and a client 600, wherein,
the client 600 is deployed in a plurality of hosts of different users, and respectively collects log information of the corresponding hosts and uploads the log information to the cloud platform;
the cloud platform 500 respectively forwards the log information to the security management platforms 501 corresponding to the log information and to which the users belong, and the cloud platform 500 comprises at least one security management platform 501;
the security management platform 501 analyzes the log information respectively, generates security threat information according to the log information, and displays the security threat information to the user.
The specific functions of the security detection system based on a centralized management host in this embodiment are similar to those described in the embodiment shown in fig. 2, and please refer to the embodiment shown in fig. 2 for details, which are not described herein again.
In the embodiment of the invention, the clients deployed on a plurality of hosts of different users respectively collect the log information of the corresponding hosts and upload it to the cloud platform; the cloud platform forwards the log information to the security management platform to which the corresponding user belongs; and the security management platform can analyze the log information, generate security threat information from it, and display the security threat information to the user. The embodiment can thus automatically collect, in real time, the log information of a user's plurality of hosts into a security management platform deployed on the cloud platform, where the data is inspected and corresponding security threat information is generated. Compared with the approach in which each host runs antivirus software to inspect its own data and produce a detection report, with the report files then extracted manually from each host at regular intervals, no one-by-one manual extraction is needed, so the efficiency of security monitoring is improved; the amount of data the hosts themselves must inspect is reduced, saving host resources; and the user can centrally manage the plurality of hosts through the security management platform, with the log information analyzed in real time and the corresponding security threat information generated, which reduces the possibility of delay in handling security events.
On the basis of the embodiment shown in fig. 5, please refer to fig. 6, where fig. 6 is a schematic diagram of a detailed module of the client 600 in the embodiment of the present invention, as a possible implementation manner, the client 600 in the embodiment may further include:
the detecting module 601 is configured to detect whether a preset security event occurs in the host according to a preset rule, and immediately process the preset security event according to the preset rule.
Optionally, the detecting module 601 in this embodiment may further include:
the first detecting unit 6011 is configured to monitor whether a malicious file exists in the host in real time according to a preset rule, and automatically isolate or delete the malicious file if the malicious file exists.
Optionally, the detecting module 601 in this embodiment may further include:
the second detecting unit 6012 is configured to monitor whether a brute force attack exists in the host, and block an IP address of an attack source of the brute force attack if the brute force attack exists.
The specific functions of the security detection system based on the centrally managed host in the embodiment of the present invention are similar to those described in the embodiment shown in fig. 3, and please refer to the embodiment shown in fig. 3 for details, which are not described herein again.
On the basis of the foregoing embodiment, please refer to fig. 7, where fig. 7 is a schematic diagram of a detailed module of the security management platform 501 in the embodiment of the present invention, as a possible implementation manner, log information in the embodiment may include one or more of hardware asset information of a host, operating system information, network connection information, port information opened by the host, process information, network traffic information, and security log information, and may be reasonably set according to a requirement of a user, where the security management platform 501 in the embodiment may further include:
The security visualization module 5011 is configured to parse the log information and display the log information to the user.
Optionally, the security management platform 501 in this embodiment may further include:
the security policy module 5012, after the user configures the corresponding security policy according to the security threat information, sends the security policy to the target client of the target host corresponding to the log information or to the clients of all hosts to which the user belongs.
Optionally, in this embodiment, the security management platform may be a virtualized application deployed on the cloud platform by using a Docker container technology.
In this embodiment, the client may be deployed on multiple hosts of different users and respectively collect log information of corresponding hosts, the client may select host-related information to be collected as a part of the log information according to a detection requirement and transmit the log information to the cloud platform, and finally, the security management platform sends the security policy to a target client of a target host corresponding to the log information and executes the security policy. The specific log information may be reasonably set according to the detection requirement, for example, the log information may include hardware asset information, operating system information, network connection information, open service port information, process information, network traffic information, and the like of the host, which may reflect an operating state or a security state of the host, and is not limited herein.
Specifically, in actual application, the cloud platform in this embodiment may be a SaaS (Software-as-a-Service) cloud platform deployed in a public network: a user can manage the hosts to which the user belongs and store the large amount of real-time data extracted from those hosts simply by logging in to the SaaS cloud platform through the Web, without installing a corresponding cloud platform software client. Using Docker virtualized container technology, the cloud platform can establish a completely independent virtualized security management platform for each user, and configures an independent IP address for each virtualized management platform by adopting a pipeline.
It can be understood that, during the process of transmitting data to the cloud platform, the client may perform encryption or not perform encryption according to the requirement of the user, which is not limited herein.
In this embodiment, the clients deployed on multiple hosts of different users may respectively collect log information of the corresponding host and upload the log information to the cloud platform, the cloud platform may forward the log information to the security management platform to which the corresponding user belongs, the security management platform may analyze the log information and configure a corresponding security policy according to the log information, and finally, the security management platform sends the security policy to a target client of a target host corresponding to the log information and executes the security policy. The embodiment of the invention can automatically acquire the log information of the multiple hosts of the user in real time to the security management platform deployed on the cloud platform, and compared with the manual method for extracting the log information one by one, the efficiency of security monitoring is improved.
Secondly, the security management platform in this embodiment can perform security detection on data acquired by the client through big data security analysis, analysis of an artificial intelligence detection engine, a score calculation model of a reputation system, and a reputation list library with a huge volume, so that the detection accuracy is improved, user log information does not need to be detected on the host, the operation overhead of the host is reduced, and the host resources are saved.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. A security detection method based on a host computer with centralized management is characterized by comprising the following steps:
the method comprises the steps that clients deployed on a plurality of hosts of different users respectively collect log information of corresponding hosts and upload the log information to a cloud platform, the cloud platform is deployed in a public network, and each host needing safety detection is provided with one client;
the cloud platform respectively forwards the log information to a security management platform to which a user corresponding to the log information belongs, the cloud platform comprises a plurality of security management platforms, the security management platforms are virtualized application programs deployed on the cloud platform by adopting a Docker container technology, and each security management platform centrally manages a plurality of hosts to which the user belongs;
and the security management platform respectively analyzes the log information, generates security threat information according to the log information and displays the security threat information to a user.
2. The method of claim 1, further comprising:
the client detects whether a preset safety event occurs in the corresponding host in real time according to a preset rule;
and if the preset safety event occurs, immediately processing the preset safety event according to a preset rule.
3. The method of claim 2, wherein said instantly processing said preset security events according to preset rules comprises:
when the client monitors that the corresponding host computer has the malicious file in real time according to the preset rule, the client automatically isolates or deletes the malicious file.
4. The method of claim 3, wherein said processing said preset security events on-the-fly according to preset rules further comprises:
when the client monitors that the corresponding host computer has the brute force attack according to the preset rule, the client blocks the IP address of the attack source of the brute force attack.
5. The method according to any one of claims 1 to 4,
the log information comprises one or more items of hardware asset information, operating system information, network connection information, port information opened by the host, process information, network flow information and safety log information of the host;
and the safety management platform analyzes the log information and displays the log information to a user.
6. The method of claim 5, further comprising:
and after the user configures a corresponding security policy according to the security threat information, the security management platform sends the security policy to a target client of a target host corresponding to the log information or to clients of all hosts to which the user belongs.
7. A security detection system based on a host computer with centralized management is characterized by comprising:
a cloud platform and a client, wherein,
the client is deployed in a plurality of hosts of different users, the log information of the corresponding hosts is respectively collected and uploaded to the cloud platform, and each host needing safety detection is provided with one client;
the cloud platform is deployed in a public network and used for forwarding the log information to a security management platform to which a user corresponding to the log information belongs respectively, the cloud platform comprises a plurality of security management platforms, the security management platforms are virtualized application programs deployed on the cloud platform by adopting a Docker container technology, and each security management platform is used for carrying out centralized management on a plurality of hosts to which the user belongs;
and the security management platform respectively analyzes the log information, generates security threat information according to the log information and displays the security threat information to a user.
8. The system of claim 7, wherein the client comprises:
and the detection module is used for detecting whether a preset safety event occurs in the host according to a preset rule and immediately processing the preset safety event according to the preset rule.
9. The system of claim 8, wherein the detection module comprises:
the first detection unit is used for monitoring whether a malicious file exists in the host in real time according to a preset rule, and if the malicious file exists, automatically isolating or deleting the malicious file.
10. The system of claim 9, wherein the detection module further comprises:
and the second detection unit is used for monitoring whether the host has brute force attack or not, and blocking the IP address of an attack source of the brute force attack if the brute force attack exists.
11. The system of any one of claims 7 to 10, wherein the log information comprises one or more of hardware asset information, operating system information, network connection information, port information opened by the host, process information, network traffic information, and security log information of the host, and wherein the security management platform further comprises:
and the safety visualization module is used for analyzing the log information and displaying the log information to a user.
12. The system of claim 11, wherein the security management platform further comprises:
and the security policy module is used for sending the security policy to a target client of a target host corresponding to the log information or to clients of all hosts to which the user belongs by the security management platform after the user configures the corresponding security policy according to the security threat information.
CN201710703313.7A 2017-08-16 2017-08-16 Security detection method and system of host based on centralized management Active CN107295021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710703313.7A CN107295021B (en) 2017-08-16 2017-08-16 Security detection method and system of host based on centralized management

Publications (2)

Publication Number Publication Date
CN107295021A (en) 2017-10-24
CN107295021B true CN107295021B (en) 2021-06-04

Family

ID=60106915

Country Status (1)

Country Link
CN (1) CN107295021B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant