CN107733725A - Security early-warning method, device, equipment and storage medium - Google Patents

Security early-warning method, device, equipment and storage medium

Info

Publication number: CN107733725A
Authority: CN (China)
Prior art keywords: service server, target service server, server, early warning, servers
Prior art date
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201711207874.4A
Other languages: Chinese (zh)
Other versions: CN107733725B (en)
Inventor: 张斌
Current assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sangfor Technologies Co Ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201711207874.4A
Publication of CN107733725A
Application granted
Publication of CN107733725B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a security early-warning method applied to a cloud server that is connected to each service server in a server set. The method comprises the following steps: receiving work-log information; determining the attack type based on the security-log information contained in it; for each attack type, determining the common feature of all service servers contained in the corresponding server subset; searching the complement of each server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than a preset threshold; and sending security early-warning information to each target service server. With the technical scheme provided by the embodiments of the invention, the cloud server sends security early-warning information to the target service servers according to the security-log information, gives timely warning, ensures the normal operation of the target service servers, and improves user experience. The invention also discloses a security early-warning device, equipment and storage medium with corresponding technical effects.

Description

Security early-warning method, device, equipment and storage medium
Technical field
The present invention relates to the field of computer application technology, and in particular to a security early-warning method, device, equipment and storage medium.
Background art
With the development of computer application technology, the processing capability of service servers keeps improving; at the same time, network security problems have become increasingly prominent.
In the prior art, a service server is mostly protected by installing a local firewall, an IPS device, a WAF device and the like on it. These devices can record security-log information after the service server has been attacked; from that security-log information the user learns that the service server has been threatened and can then adopt a corresponding strategy to maintain it. That is, a corresponding strategy can be adopted only after the service server has already been attacked. This affects the normal operation of the service server, brings greater loss to the user, and degrades user experience.
Summary of the invention
To solve the above technical problems, the present invention provides the following technical scheme:
A security early-warning method, applied to a cloud server connected to each service server in a server set, the method including:
receiving the work-log information sent by each service server in the server set;
if the work-log information contains security-log information, determining the attack type based on the security-log information;
determining the server subset corresponding to each attack type respectively;
for each server subset, determining the common feature of all service servers contained in that server subset;
searching the complement of that server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than a preset threshold;
sending security early-warning information to each target service server respectively.
In one embodiment of the present invention, after searching the complement of the server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than the preset threshold, the method further includes:
determining the protection policy corresponding to each target service server;
sending the determined protection policies to the corresponding target service servers respectively.
In one embodiment of the present invention, after sending the determined protection policies to the corresponding target service servers, the method further includes:
for each target service server, obtaining the effect that the protection policy corresponding to that target service server has produced on it;
determining, according to that effect, whether to update the protection policy corresponding to that target service server.
In one embodiment of the present invention, after searching the complement of the server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than the preset threshold, and before sending security early-warning information to each target service server, the method further includes:
determining the security risk level corresponding to each target service server according to the similarity;
correspondingly, sending security early-warning information to each target service server respectively includes:
for each target service server, sending it the security early-warning information corresponding to its security risk level.
In one embodiment of the present invention, determining the attack type based on the security-log information includes:
performing dimension correlation analysis on the security-log information to obtain an analysis result;
determining the attack type according to the analysis result.
A security early-warning device, applied to a cloud server connected to each service server in a server set, the device including:
an information receiving module for receiving the work-log information sent by each service server in the server set;
a type determination module for determining the attack type based on the security-log information if the work-log information contains security-log information;
a set determination module for determining the server subset corresponding to each attack type respectively;
a feature determination module for determining, for each server subset, the common feature of all service servers contained in that server subset;
a server lookup module for searching the complement of the server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than a preset threshold;
an information sending module for sending security early-warning information to each target service server respectively.
In one embodiment of the present invention, the device further includes a policy sending module for:
after the complement of the server subset within the server set has been searched for target service servers having a feature whose similarity to the common feature is higher than the preset threshold, determining the protection policy corresponding to each target service server;
sending the determined protection policies to the corresponding target service servers respectively.
In one embodiment of the present invention, the device further includes a policy update determination module for:
after the determined protection policies have been sent to the corresponding target service servers, obtaining, for each target service server, the effect that the protection policy corresponding to that target service server has produced on it;
determining, according to that effect, whether to update the protection policy corresponding to that target service server.
In one embodiment of the present invention, the device further includes a level determination module for:
after the complement of the server subset within the server set has been searched for target service servers having a feature whose similarity to the common feature is higher than the preset threshold, and before security early-warning information is sent to each target service server, determining the security risk level corresponding to each target service server according to the similarity;
correspondingly, the information sending module is specifically for:
for each target service server, sending it the security early-warning information corresponding to its security risk level.
In one embodiment of the present invention, the type determination module includes:
a dimension analysis submodule for performing dimension correlation analysis on the security-log information to obtain an analysis result;
a type determination submodule for determining the attack type according to the analysis result.
A security early-warning equipment, including:
a memory for storing a security early-warning program;
a processor for implementing the steps of the security early-warning method described above when executing the security early-warning program.
A computer-readable storage medium storing a security early-warning program which, when executed by a processor, implements the steps of the security early-warning method described above.
With the technical scheme provided by the embodiments of the present invention, the cloud server receives the work-log information sent by each service server in the server set; if the work-log information contains security-log information, it determines the attack type based on that security-log information, determines the server subset corresponding to each attack type, determines for each server subset the common feature of all service servers it contains, searches the complement of that server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than the preset threshold, and sends security early-warning information to each target service server. Because the cloud server determines the attack type from the received security-log information, determines the common feature of the server subset corresponding to each attack type, and sends security early-warning information to each target service server according to that common feature, the warning is timely: from it the user can learn in time the known and unknown risks the corresponding target service server currently faces, take corresponding measures in time, ensure the normal operation of the target service server, and improve user experience.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an implementation of a security early-warning method in an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a security early-warning device in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a security early-warning equipment in an embodiment of the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The core of the present invention is to provide a security early-warning method that can be applied to a cloud server connected to each service server in a server set. The cloud server receives the work-log information sent by each service server in the server set; if the work-log information contains security-log information, it determines the attack type based on that security-log information, determines the server subset corresponding to each attack type, determines for each server subset the common feature of all service servers it contains, searches the complement of that server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than a preset threshold, and sends security early-warning information to each target service server. Because the cloud server determines the attack type from the received security-log information, determines the common feature of the server subset corresponding to each attack type, and sends security early-warning information to each target service server according to that common feature, the warning is timely: from it the user can learn in time the known and unknown risks the corresponding target service server currently faces, take corresponding measures in time, ensure the normal operation of the target service server, and improve user experience.
Referring to Fig. 1, a flow chart of an implementation of a security early-warning method in an embodiment of the present invention, the method may include the following steps:
S101: receiving the work-log information sent by each service server in the server set.
The cloud server can be connected to multiple service servers, each of which is equipped with network security devices such as a firewall, an IPS device and a WAF device; the multiple service servers connected to the cloud server form a server set. Each service server in the server set can send work-log information to the cloud server, which receives it, and the user of each service server can log in to the cloud server to view the corresponding work-log information.
The work-log information can include running-log information and security-log information. Running-log information is the log information a service server generates in normal operation; security-log information is the log information the network security devices generate when the service server is attacked.
S102: if the work-log information contains security-log information, determining the attack type based on the security-log information.
After the cloud server has received the work-log information sent by each service server in the server set, it can determine whether the received work-log information contains security-log information. If it does, a service server in the server set has been attacked, and the attack type can be determined from that security-log information.
The attack type refers specifically to which kind of attack the service server has suffered, for example an attack against a system vulnerability, an attack against a specific service, or an attack using a specific type of virus.
In one embodiment of the present invention, determining the attack type based on the security-log information may include the following steps:
Step 1: performing dimension correlation analysis on the security-log information to obtain an analysis result;
Step 2: determining the attack type according to the analysis result.
For convenience of description, the above two steps are explained together.
When the cloud server determines that the received work-log information contains security-log information, a service server is currently under attack. The cloud server can perform horizontal and vertical dimension correlation analysis on the real-time security-log information, the historical security-log information and the security-log information of each service server, obtain an analysis result, and determine the attack type from it.
The dimensions can include a time dimension, a source IP dimension, a destination IP dimension, an attack type dimension, an attacker dimension, a security event type dimension, a victim type dimension, an attack stage dimension, and so on.
For example, correlating the security-log information along the attacker IP dimension yields, by statistical analysis, the types of service servers that a given attacker attacks; correlating it along the time dimension and examining how the security-log entries are distributed in time shows, for example, that a large number of log entries produced within a short time probably means the attacker is using a tool to attack in batch.
By mining the security-log information, one can derive when the attacker started the attack, which attack means the attacker used, which service servers in which network segments were attacked, which suspicious behaviours the attacked service servers show, and what harm these behaviours may cause to the service servers. Relying on big data, the security-log entries are compared and cluster-analysed to mine the attacker information hidden across all of them; by examining the attacker's means, the attacked service servers and similar information in depth, the attacker's purpose can be determined.
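The correlation described above can be run over log records directly. The following Python is an added example, not code from the patent or from Sangfor: it parses a constructed set of security-log lines (the line format, the one-minute window and the five-event cut-off are assumptions) and combines the attacker-IP and time dimensions into one attack-type record per attacker, flagging a burst of entries inside a short window as tool-driven batch attacking.

```python
"""Dimension correlation analysis over security-log entries.

Added example (not from the patent). The log format, field names and the
window/threshold values below are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample security-log entries, one per line:
#   <ISO timestamp> src=<attacker IP> dst=<server id> type=<server type> event=<signature>
SAMPLE_SECURITY_LOGS = """\
2017-11-01T10:00:01 src=198.51.100.7 dst=srv-01 type=web event=sqli
2017-11-01T10:00:03 src=198.51.100.7 dst=srv-02 type=web event=sqli
2017-11-01T10:00:05 src=198.51.100.7 dst=srv-03 type=web event=sqli
2017-11-01T10:00:08 src=198.51.100.7 dst=srv-04 type=web event=sqli
2017-11-01T10:00:09 src=198.51.100.7 dst=srv-05 type=web event=sqli
2017-11-01T10:00:11 src=198.51.100.7 dst=srv-06 type=web event=sqli
2017-11-01T11:30:00 src=203.0.113.9 dst=srv-10 type=db event=bruteforce
2017-11-01T14:45:00 src=203.0.113.9 dst=srv-11 type=db event=bruteforce
"""


def parse_log_line(line):
    """Split one constructed log line into a dict; 'ts' becomes a datetime."""
    fields = line.split()
    entry = dict(f.split("=", 1) for f in fields[1:])
    entry["ts"] = datetime.fromisoformat(fields[0])
    return entry


def parse_logs(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def attacker_target_types(entries):
    """Attacker-IP dimension: for each source IP, count the server types it hit."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["src"]][e["type"]] += 1
    return {src: dict(c) for src, c in counts.items()}


def burst_sources(entries, window=timedelta(seconds=60), min_events=5):
    """Time dimension: source IPs that produced >= min_events entries inside some
    sliding window of the given length (the 'many logs in a short time' pattern).
    Returns {src: peak number of entries seen in one window}."""
    stamps_by_src = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        stamps_by_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, stamps in stamps_by_src.items():
        peak, j = 0, 0
        for i, ts in enumerate(stamps):
            while ts - stamps[j] > window:  # slide the window's left edge forward
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_events:
            bursts[src] = peak
    return bursts


def classify_attack_types(entries):
    """Combine the two dimensions into one attack-type record per attacker."""
    bursts = burst_sources(entries)
    target_types = attacker_target_types(entries)
    result = {}
    for src, types in target_types.items():
        signatures = Counter(e["event"] for e in entries if e["src"] == src)
        result[src] = {
            "signature": signatures.most_common(1)[0][0],
            "mode": "tool_batch" if src in bursts else "manual",
            "target_types": types,
        }
    return result


if __name__ == "__main__":
    for src, info in classify_attack_types(parse_logs(SAMPLE_SECURITY_LOGS)).items():
        print(src, info)
```

The sliding window keeps the burst check linear in the number of entries per attacker, which matters once the cloud server is correlating logs from a whole server set rather than eight sample lines.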
S103: determining the server subset corresponding to each attack type respectively.
After the attack type has been determined from the security-log information, there may be multiple attack types. Each attack type may correspond to multiple service servers, and the service servers corresponding to an attack type form the corresponding server subset, so the server subset corresponding to each attack type can be determined respectively.
Note that a service server may belong to only one server subset, or to several.
S104: for each server subset, determining the common feature of all service servers contained in that server subset.
The cloud server determines the server subset corresponding to each attack type. The service servers in one server subset correspond to the same attack type and may share a certain common feature, and that common feature is likely to be a major reason why every service server in the subset was hit by the same attack type. Therefore, for each server subset, the common feature of all service servers it contains can be determined.
For example, the common feature may be the same client type, the same type of installed software, or the same installed system version.
S105: searching the complement of the server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than a preset threshold.
For each server subset, once the cloud server has determined the common feature of all service servers it contains, the complement of that subset within the server set may contain service servers with a feature similar to that common feature, and those service servers may be at risk of being attacked. In embodiments of the invention a threshold can be preset. For each server subset, it is determined which service servers in the complement of that subset within the server set have a feature whose similarity to the subset's common feature is higher than the threshold; in other words, the complement of the server subset within the server set is searched for target service servers having a feature whose similarity to the common feature is higher than the preset threshold.
Note that the threshold can be set and adjusted according to the actual situation, for example according to how often service servers whose feature similarity to the common feature is below the preset threshold are attacked: if, with the preset threshold in force, service servers whose similarity to the common feature is below it are still attacked frequently, the preset threshold can be lowered.
S106: sending security early-warning information to each target service server respectively.
After the cloud server has found, in the complement of the server subset within the server set, the target service servers having a feature whose similarity to the common feature is higher than the preset threshold, those target service servers are more likely to be attacked, and security early-warning information can be sent to each of them respectively. Specifically, the cloud server can send the security early-warning information by means such as message push, making use of the convenience of the mobile Internet to give timely warning and to shorten as far as possible the user's reaction time when an attack occurs.
With the method provided by the embodiment of the present invention, the cloud server receives the work-log information sent by each service server in the server set; if the work-log information contains security-log information, it determines the attack type based on that security-log information, determines the server subset corresponding to each attack type, determines for each server subset the common feature of all service servers it contains, searches the complement of that server subset within the server set for target service servers having a feature whose similarity to the common feature is higher than the preset threshold, and sends security early-warning information to each target service server. Because the cloud server determines the attack type from the received security-log information, determines the common feature of the server subset corresponding to each attack type, and sends security early-warning information to each target service server according to that common feature, the warning is timely: from it the user can learn in time the known and unknown risks the corresponding target service server currently faces, take corresponding measures in time, ensure the normal operation of the target service server, and improve user experience.
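Steps S103 to S106 as working code, added here as an example and not taken from the patent or its assignee. The inventory of server features, the security events (already reduced to server and attack type, i.e. the output of S102), the similarity measure (the share of the subset's common feature set that a candidate server carries) and the threshold values are all assumptions; the patent prescribes none of them. The last function implements the threshold-lowering caveat from the S105 note.

```python
"""Server-subset grouping, common-feature extraction and complement search
(steps S103 to S106 of the method described above).

Added example, not the patent's own code. INVENTORY, SECURITY_EVENTS, the
similarity measure and the threshold values are assumptions for illustration.
"""

# Constructed inventory: server id -> set of "key=value" features.
INVENTORY = {
    "srv-01": {"client=web", "sw=struts2", "os=centos6"},
    "srv-02": {"client=web", "sw=struts2", "os=centos6"},
    "srv-03": {"client=web", "sw=struts2", "os=centos7"},
    "srv-04": {"client=web", "sw=struts2", "os=centos6"},   # same stack, no attack logged yet
    "srv-05": {"client=web", "sw=nginx", "os=centos7"},     # only partially similar
    "srv-06": {"client=db", "sw=mysql", "os=centos6"},
    "srv-07": {"client=db", "sw=mysql", "os=ubuntu16"},
    "srv-08": {"client=db", "sw=mysql", "os=centos6"},      # same stack, no attack logged yet
}

# Constructed security-log records reduced to (server id, attack type).
SECURITY_EVENTS = [
    ("srv-01", "struts_rce"), ("srv-02", "struts_rce"), ("srv-03", "struts_rce"),
    ("srv-06", "mysql_bruteforce"), ("srv-07", "mysql_bruteforce"),
]


def server_subsets(events):
    """S103: attack type -> set of servers whose security logs show that attack type."""
    subsets = {}
    for server, attack_type in events:
        subsets.setdefault(attack_type, set()).add(server)
    return subsets


def common_features(subset, inventory):
    """S104: the features shared by every server in the subset (empty if none)."""
    feature_sets = [inventory.get(s, set()) for s in subset]
    return set.intersection(*feature_sets) if feature_sets else set()


def trait_similarity(features, common):
    """Assumed measure: share of the common feature set that a server carries, in [0, 1]."""
    return len(features & common) / len(common) if common else 0.0


def find_targets(subset, common, inventory, threshold):
    """S105: servers in the complement of the subset whose similarity exceeds threshold."""
    targets = {}
    for server, features in inventory.items():
        if server in subset:
            continue
        sim = trait_similarity(features, common)
        if sim > threshold:
            targets[server] = sim
    return targets


def early_warning(events, inventory, threshold=0.8):
    """S103-S106 end to end: attack type -> {target server: similarity} to be warned."""
    warnings = {}
    for attack_type, subset in server_subsets(events).items():
        common = common_features(subset, inventory)
        targets = find_targets(subset, common, inventory, threshold)
        if targets:
            warnings[attack_type] = targets
    return warnings


def lower_threshold(threshold, attacks_below_threshold, servers_below_threshold,
                    max_rate=0.2, step=0.1):
    """Threshold adjustment from the S105 note: if the servers that fell below the
    threshold are still being attacked at a rate above max_rate, lower it by one step."""
    if servers_below_threshold == 0:
        return threshold
    rate = attacks_below_threshold / servers_below_threshold
    return round(max(0.0, threshold - step), 2) if rate > max_rate else threshold


if __name__ == "__main__":
    for attack_type, targets in early_warning(SECURITY_EVENTS, INVENTORY).items():
        for server, sim in sorted(targets.items()):
            print(f"warn {server}: shares trait of {attack_type} victims (similarity {sim:.2f})")
```

With the default threshold only the two servers that carry the whole common trait are warned; lowering it to 0.4 also pulls in srv-05, which shares only the client type with the Struts victims, which is exactly the trade-off the threshold note describes.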
In one embodiment of the present invention, after step S105 the method may further include the following steps:
Step 1: determining the protection policy corresponding to each target service server;
Step 2: sending the determined protection policies to the corresponding target service servers respectively.
For convenience of description, the above two steps are explained together.
For each server subset, after the cloud server has found in the complement of that subset within the server set the target service servers having a feature whose similarity to the common feature is higher than the preset threshold, it can determine the protection policy corresponding to each target service server according to the attack type suffered by the service servers in that subset, form a dynamic linked defense system with the gateway firewall of each target service server, and send each determined protection policy to the corresponding target service server, so that each target server can respond to known and unknown risks in time.
The protection policy can be generated in real time for the attack type suffered by the service servers in each server subset, or looked up in a policy library obtained in advance.
In one embodiment of the present invention, after the determined protection policies have been sent to the corresponding target service servers, the method may further include the following steps:
Step 1: for each target service server, obtaining the effect that the protection policy corresponding to that target service server has produced on it;
Step 2: determining, according to that effect, whether to update the protection policy corresponding to that target service server.
For convenience of description, the above two steps are explained together.
After the cloud server has sent the determined protection policies to the corresponding target service servers, it can, in real time or at certain intervals, obtain for each target service server the effect its protection policy has produced on it. From the obtained effect the cloud server can detect whether each protection policy it sent is actually protecting the corresponding target service server, and so determine whether that server's protection policy needs to be updated.
In practical applications, the latest Internet security events can be introduced, such as a newly erupted XX virus. After the cloud server has sent the determined protection policies to the corresponding target service servers, it can obtain the effect each target service server's protection policy has produced on that server, detect from it whether each policy sent is actually protecting the corresponding target service server, and determine whether to update that server's protection policy.
In one embodiment of the present invention, after step S105 and before step S106, the method may further include the following step:
According to the similarity, determine the security risk grade corresponding to each target service server;
Accordingly, step S106 may include the following step:
For each target service server, send the corresponding safety early warning information to that target service server according to its security risk grade.
For each server subset, after the cloud server has found, in the complement of that server subset within the server set, the target service servers whose features have a similarity with the common features higher than the predetermined threshold, it can divide the target service servers into security risk grades according to how high the similarity is. For example, the security risk grades may be divided into three grades: possibly attacked, likely to be attacked, and about to be attacked. The security risk grade of each target service server can then be determined according to the similarity corresponding to that target service server.
Accordingly, corresponding safety early warning information can be set for each security risk grade; that is, the safety early warning information for the three security risk grades possibly attacked, likely to be attacked and about to be attacked can be set to three grades of slight warning information, general warning information and serious warning information. For each target service server, the corresponding safety early warning information can be sent to it according to the security risk grade of that target service server.
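The whole cloud-side pipeline described above, from log lines to graded warnings, as an added example that is not the patent's own code. It assumes constructed feature sets and log lines, a keyword map standing in for the dimension association analysis, similarity defined as the share of the subset's common features a server also has, and assumed grade bands.

```python
from collections import defaultdict

# Constructed sample: features each business server reported in its work logs
SERVERS = {
    "web-01": {"nginx", "php7", "wordpress", "mysql", "open-8080"},
    "web-02": {"nginx", "php7", "wordpress", "redis", "open-8080"},
    "web-03": {"nginx", "php7", "wordpress", "mysql"},
    "api-01": {"tomcat", "java8", "file-upload-api", "mysql"},
    "api-02": {"tomcat", "java8", "file-upload-api", "postgres"},
    "db-01": {"mysql", "ssh-password-auth"},
    "db-02": {"mysql", "ssh-password-auth", "open-8080"},
}

# Constructed sample of work log lines, as (reporting server, line)
SECURITY_LOGS = [
    ("web-01", "WAF blocked SQL injection attempt on /wp-login.php"),
    ("web-02", "WAF blocked SQL injection attempt on /?id=1"),
    ("api-01", "IDS alert: command injection in upload filename"),
    ("db-01", "sshd: 500 auth failures for root from 198.51.100.7"),
    ("db-01", "cron: nightly backup finished"),  # no security log content
]

# Assumed stand-in for the dimension association analysis: keyword -> attack type
ATTACK_KEYWORDS = {
    "sql injection": "sqli",
    "command injection": "cmd-injection",
    "auth failures": "brute-force",
}


def determine_attack_type(line):
    """Return the attack type a log line indicates, or None if it is not a security log."""
    lowered = line.lower()
    for keyword, attack_type in ATTACK_KEYWORDS.items():
        if keyword in lowered:
            return attack_type
    return None


def attack_subsets(logs):
    """Group the attacked servers into one server subset per attack type."""
    subsets = defaultdict(set)
    for server, line in logs:
        attack_type = determine_attack_type(line)
        if attack_type is not None:
            subsets[attack_type].add(server)
    return dict(subsets)


def common_features(subset, servers):
    """Features shared by every server in an attack subset."""
    return set.intersection(*(servers[s] for s in subset))


def similarity(features, common):
    """Share of the common features a server also has, from 0.0 to 1.0."""
    return len(features & common) / len(common) if common else 0.0


def risk_grade(sim):
    """Map similarity to the three grades the text describes (bands are assumed)."""
    if sim > 0.85:
        return "serious"  # about to be attacked
    if sim > 0.6:
        return "general"  # likely to be attacked
    return "slight"  # possibly attacked


def early_warnings(logs, servers, threshold=0.4):
    """Return {target server: [(attack type, similarity, grade), ...]}."""
    warnings = defaultdict(list)
    for attack_type, subset in attack_subsets(logs).items():
        common = common_features(subset, servers)
        for name, features in servers.items():
            if name in subset:  # already attacked: not in the complement
                continue
            sim = similarity(features, common)
            if sim > threshold:  # strictly above the predetermined threshold
                warnings[name].append((attack_type, sim, risk_grade(sim)))
    return dict(warnings)
```

Calling `early_warnings(SECURITY_LOGS, SERVERS)` flags db-02 with a serious brute-force warning, web-03 and api-02 with general warnings, and web-01 and api-01 with slight ones; a server whose similarity equals the threshold exactly is not warned.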
Corresponding to the above method embodiment, an embodiment of the present invention further provides a safety early warning device, applied to a cloud server that is connected to each service server in a server set. The safety early warning device described below and the safety early warning method described above may be referred to each other correspondingly.
Referring to Fig. 2, the device may include the following modules:
an information receiving module 201, configured to receive the work log information sent by each service server in the server set;
a type determination module 202, configured to determine the attack type based on the security log information if the work log information contains security log information;
a set determination module 203, configured to determine the server subset corresponding to each attack type respectively;
a feature determination module 204, configured to determine, for each server subset, the common features of all service servers included in that server subset;
a server lookup module 205, configured to search, in the complement of the server subset within the server set, for target service servers whose features have a similarity with the common features higher than a predetermined threshold;
an information sending module 206, configured to send safety early warning information to each target service server respectively.
Using the device provided by the embodiment of the present invention, the cloud server receives the work log information sent by each service server in the server set; if the work log information contains security log information, it determines the attack type based on the security log information, determines the server subset corresponding to each attack type respectively, determines for each server subset the common features of all service servers included in that subset, searches in the complement of the server subset within the server set for target service servers whose features have a similarity with the common features higher than the predetermined threshold, and sends safety early warning information to each target service server respectively. The cloud server thus determines the attack type from the received security log information and determines the common features of the server subset corresponding to each attack type; according to the common features it sends safety early warning information to each target service server, giving timely early warning. Based on the safety early warning information, users can recognize in time the known and unknown risks that the corresponding target service servers currently face, and take corresponding measures promptly, ensuring the normal operation of the target service servers and improving user experience.
In one embodiment of the present invention, the device further includes a policy sending module, configured to:
after the target service servers whose features have a similarity with the common features higher than the predetermined threshold have been found in the complement of the server subset within the server set, determine the prevention policy corresponding to each target service server;
send the determined prevention policies to the corresponding target service servers respectively.
In one embodiment of the present invention, the device further includes a policy update module, configured to:
after the determined prevention policies have been sent to the corresponding target service servers respectively, obtain, for each target service server, the effect that the prevention policy corresponding to that target service server has produced on it;
according to the effect, determine whether to update the prevention policy corresponding to that target service server.
In one embodiment of the present invention, the device further includes a level determination module, configured to:
after the target service servers whose features have a similarity with the common features higher than the predetermined threshold have been found in the complement of the server subset within the server set, and before safety early warning information is sent to each target service server respectively, determine the security risk grade corresponding to each target service server according to the similarity;
Accordingly, the information sending module 206 is specifically configured to:
for each target service server, send the corresponding safety early warning information to that target service server according to the security risk grade corresponding to it.
In one embodiment of the present invention, the type determination module 202 includes:
a dimension analysis submodule, configured to perform dimension association analysis on the security log information to obtain an analysis result;
a type determination module, configured to determine the attack type according to the analysis result.
Corresponding to the above method embodiment, an embodiment of the present invention further provides safety early warning equipment, applied to a cloud server that is connected to each service server in a server set. The safety early warning equipment described below and the safety early warning method described above may be referred to each other correspondingly.
Referring to Fig. 3, the equipment may include:
a memory 301, configured to store a safety early warning program;
a processor 302, configured to realize the steps of the safety early warning method in the method embodiment when executing the safety early warning program.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a computer-readable storage medium, applied to a cloud server that is connected to each service server in a server set. The computer-readable storage medium described below and the safety early warning method described above may be referred to each other correspondingly.
A safety early warning program is stored on the computer-readable storage medium, and when the safety early warning program is executed by a processor, the steps of the safety early warning method in the method embodiment are realized.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant parts may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Specific examples have been used herein to explain the principles and embodiments of the present invention; the description of the above embodiments is only intended to help understand the technical solution of the present invention and its core idea. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principles, and these improvements and modifications also fall within the protection scope of the claims of the present invention.

Claims (12)

  1. A safety early warning method, characterized in that it is applied to a cloud server, the cloud server being connected to each service server in a server set, and the method includes:
    receiving the work log information sent by each service server in the server set;
    if the work log information contains security log information, determining the attack type based on the security log information;
    determining the server subset corresponding to each attack type respectively;
    for each server subset, determining the common features of all service servers included in the server subset;
    searching in the complement of the server subset within the server set for target service servers whose features have a similarity with the common features higher than a predetermined threshold;
    sending safety early warning information to each target service server respectively.
  2. The method according to claim 1, characterized in that, after said searching in the complement of the server subset within the server set for target service servers whose features have a similarity with the common features higher than the predetermined threshold, the method further includes:
    determining the prevention policy corresponding to each target service server;
    sending the determined prevention policies to the corresponding target service servers respectively.
  3. The method according to claim 2, characterized in that, after said sending the determined prevention policies to the corresponding target service servers respectively, the method further includes:
    for each target service server, obtaining the effect that the prevention policy corresponding to the target service server has produced on the target service server;
    according to the effect, determining whether to update the prevention policy corresponding to the target service server.
  4. The method according to claim 1, characterized in that, after said searching in the complement of the server subset within the server set for target service servers whose features have a similarity with the common features higher than the predetermined threshold, and before said sending safety early warning information to each target service server respectively, the method further includes:
    according to the similarity, determining the security risk grade corresponding to each target service server;
    and accordingly, said sending safety early warning information to each target service server respectively includes:
    for each target service server, sending the corresponding safety early warning information to the target service server according to the security risk grade corresponding to the target service server.
  5. The method according to any one of claims 1 to 4, characterized in that said determining the attack type based on the security log information includes:
    performing dimension association analysis on the security log information to obtain an analysis result;
    determining the attack type according to the analysis result.
  6. A safety early warning device, characterized in that it is applied to a cloud server, the cloud server being connected to each service server in a server set, and the device includes:
    an information receiving module, configured to receive the work log information sent by each service server in the server set;
    a type determination module, configured to determine the attack type based on the security log information if the work log information contains security log information;
    a set determination module, configured to determine the server subset corresponding to each attack type respectively;
    a feature determination module, configured to determine, for each server subset, the common features of all service servers included in the server subset;
    a server lookup module, configured to search in the complement of the server subset within the server set for target service servers whose features have a similarity with the common features higher than a predetermined threshold;
    an information sending module, configured to send safety early warning information to each target service server respectively.
  7. The device according to claim 6, characterized in that it further includes a policy sending module, configured to:
    after the target service servers whose features have a similarity with the common features higher than the predetermined threshold have been found in the complement of the server subset within the server set, determine the prevention policy corresponding to each target service server;
    send the determined prevention policies to the corresponding target service servers respectively.
  8. The device according to claim 7, characterized in that it further includes a policy update determining module, configured to:
    after the determined prevention policies have been sent to the corresponding target service servers respectively, obtain, for each target service server, the effect that the prevention policy corresponding to the target service server has produced on the target service server;
    according to the effect, determine whether to update the prevention policy corresponding to the target service server.
  9. The device according to claim 6, characterized in that it further includes a level determination module, configured to:
    after the target service servers whose features have a similarity with the common features higher than the predetermined threshold have been found in the complement of the server subset within the server set, and before safety early warning information is sent to each target service server respectively, determine the security risk grade corresponding to each target service server according to the similarity;
    and accordingly, the information sending module is specifically configured to:
    for each target service server, send the corresponding safety early warning information to the target service server according to the security risk grade corresponding to the target service server.
  10. The device according to any one of claims 6 to 9, characterized in that the type determination module includes:
    a dimension analysis submodule, configured to perform dimension association analysis on the security log information to obtain an analysis result;
    a type determination module, configured to determine the attack type according to the analysis result.
  11. Safety early warning equipment, characterized in that it includes:
    a memory, configured to store a safety early warning program;
    a processor, configured to realize the steps of the safety early warning method according to any one of claims 1 to 5 when executing the safety early warning program.
  12. A computer-readable storage medium, characterized in that a safety early warning program is stored on the computer-readable storage medium, and when the safety early warning program is executed by a processor, the steps of the safety early warning method according to any one of claims 1 to 5 are realized.
CN201711207874.4A 2017-11-27 2017-11-27 Safety early warning method, device, equipment and storage medium Active CN107733725B (en)


Publications (2)

Publication Number Publication Date
CN107733725A true CN107733725A (en) 2018-02-23
CN107733725B CN107733725B (en) 2021-01-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant