CN107733725B - Safety early warning method, device, equipment and storage medium - Google Patents

Safety early warning method, device, equipment and storage medium Download PDF

Info

Publication number
CN107733725B
Authority
CN
China
Prior art keywords
server
target service
service server
safety
determining
Prior art date
Legal status
Active
Application number
CN201711207874.4A
Other languages
Chinese (zh)
Other versions
CN107733725A (en)
Inventor
张斌
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201711207874.4A
Publication of CN107733725A
Application granted
Publication of CN107733725B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a security early warning method applied to a cloud server that is connected to each service server in a server set. The method comprises the following steps: receiving work log information; determining an attack type based on the security log information it contains; determining the common characteristics of all service servers contained in the server subset corresponding to each attack type; searching the complement of each server subset within the server set for target service servers whose characteristics have a similarity to the common characteristics higher than a preset threshold; and sending security early warning information to each target service server. With the technical scheme provided by the embodiments of the invention, the cloud server sends security early warning information to the target service servers on the basis of the security log information, so that the warning is issued in time, the normal operation of the target service servers is protected, and the user experience is improved. The invention also discloses a security early warning device, equipment and a storage medium, which have corresponding technical effects.

Description

Safety early warning method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of computer applications, and in particular to a security early warning method, a security early warning device, security early warning equipment and a storage medium.
Background
As computer application technology develops, the processing capacity of service servers keeps improving, and at the same time network security problems become increasingly prominent.
In the prior art, a local firewall, an IPS device, a WAF device and the like are typically deployed on a service server to protect it. After the service server has been attacked, these devices record security log information; from that information the user learns that the service server is under threat and can then maintain it with a corresponding policy. In other words, a corresponding policy can only be adopted after the service server has already been attacked. This disrupts the normal operation of the service server, causes the user great loss, and degrades the user experience.
Disclosure of Invention
In order to solve the above technical problem, the invention provides the following technical scheme:
A security early warning method, applied to a cloud server that is connected to each service server in a server set, comprising the following steps:
receiving work log information sent by each service server in the server set;
if the work log information contains security log information, determining an attack type based on the security log information;
determining the server subset corresponding to each attack type;
for each server subset, determining the common characteristics of all service servers contained in the server subset;
searching the complement of the server subset within the server set for target service servers whose characteristics have a similarity to the common characteristics higher than a preset threshold;
and sending security early warning information to each target service server.
In a specific embodiment of the present invention, after searching the complement of the server subset within the server set for target service servers whose characteristics have a similarity to the common characteristics higher than the preset threshold, the method further includes:
determining a protection policy corresponding to each target service server;
and sending each determined protection policy to the corresponding target service server.
In a specific embodiment of the present invention, after sending the determined protection policies to the corresponding target service servers, the method further includes:
for each target service server, obtaining the effect that the protection policy corresponding to the target service server has on it;
and determining, according to that effect, whether to update the protection policy corresponding to the target service server.
In a specific embodiment of the present invention, after searching the complement of the server subset for target service servers whose similarity to the common characteristics exceeds the preset threshold, and before sending security early warning information to each target service server, the method further includes:
determining the security risk level corresponding to each target service server according to its similarity;
correspondingly, sending security early warning information to each target service server includes:
for each target service server, sending security early warning information that corresponds to the security risk level of that target service server.
In a specific embodiment of the present invention, determining the attack type based on the security log information includes:
performing dimension correlation analysis on the security log information to obtain an analysis result;
and determining the attack type according to the analysis result.
A security early warning device, applied to a cloud server that is connected to each service server in a server set, comprising:
an information receiving module for receiving the work log information sent by each service server in the server set;
a type determining module for determining an attack type based on the security log information if the work log information contains security log information;
a set determining module for determining the server subset corresponding to each attack type;
a characteristic determining module for determining, for each server subset, the common characteristics of all service servers contained in the server subset;
a server searching module for searching the complement of the server subset within the server set for target service servers whose characteristics have a similarity to the common characteristics higher than a preset threshold;
and an information sending module for sending security early warning information to each target service server.
In a specific embodiment of the present invention, the device further includes a policy sending module configured to:
after the target service servers whose similarity to the common characteristics exceeds the preset threshold have been found in the complement of the server subset, determine a protection policy corresponding to each target service server;
and send each determined protection policy to the corresponding target service server.
In a specific embodiment of the present invention, the device further includes a policy update determining module configured to:
after the determined protection policies have been sent to the corresponding target service servers, obtain, for each target service server, the effect that the protection policy corresponding to the target service server has on it;
and determine, according to that effect, whether to update the protection policy corresponding to the target service server.
In a specific embodiment of the present invention, the device further includes a level determining module configured to:
after the target service servers whose similarity to the common characteristics exceeds the preset threshold have been found in the complement of the server subset, and before security early warning information is sent to each target service server, determine the security risk level corresponding to each target service server according to its similarity;
correspondingly, the information sending module is specifically configured to:
for each target service server, send security early warning information that corresponds to the security risk level of that target service server.
In a specific embodiment of the present invention, the type determining module includes:
a dimension analysis submodule for performing dimension correlation analysis on the security log information to obtain an analysis result;
and a type determining submodule for determining the attack type according to the analysis result.
Security early warning equipment, comprising:
a memory for storing a security early warning program;
and a processor for implementing the steps of the security early warning method described above when executing the security early warning program.
A computer readable storage medium storing a security early warning program which, when executed by a processor, implements the steps of the security early warning method described above.
With the technical scheme provided by the embodiments of the invention, the cloud server receives the work log information sent by each service server in the server set; if the work log information contains security log information, it determines the attack type based on that information, determines the server subset corresponding to each attack type, determines for each server subset the common characteristics of all service servers it contains, searches the complement of the server subset within the server set for target service servers whose characteristics have a similarity to the common characteristics higher than the preset threshold, and sends security early warning information to each target service server. In this way the cloud server determines the attack types from the received security log information and the common characteristics of the server subset corresponding to each attack type, and uses those common characteristics to warn each target service server in time. From the security early warning information the user learns promptly which known and unknown risks the target service server currently faces and can take corresponding measures in time, so that the normal operation of the target service server is protected and the user experience is improved.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an implementation of a security early warning method according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a security early warning device according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of security early warning equipment according to an embodiment of the invention.
Detailed Description
So that those skilled in the art may better understand the disclosure, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. The described embodiments are merely some of the embodiments of the invention and do not restrict its full scope. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the invention.
The core of the invention is a security early warning method that can be applied to a cloud server connected to each service server in a server set. The cloud server receives the work log information sent by each service server in the server set; if the work log information contains security log information, it determines the attack types based on that information, determines the server subset corresponding to each attack type, determines for each server subset the common characteristics of all service servers it contains, searches the complement of the server subset within the server set for target service servers whose characteristics have a similarity to the common characteristics higher than a preset threshold, and sends security early warning information to each target service server. In this way the cloud server determines the attack types from the received security log information and the common characteristics of the server subset corresponding to each attack type, and uses those common characteristics to warn each target service server in time. From the security early warning information the user learns promptly which known and unknown risks the target service server currently faces and can take corresponding measures in time, so that the normal operation of the target service server is protected and the user experience is improved.
Referring to Fig. 1, a flowchart of an implementation of a security early warning method in an embodiment of the invention, the method may include the following steps:
S101: receiving the work log information sent by each service server in the server set.
The cloud server can be connected to a plurality of service servers, each of which is equipped with network security equipment such as a firewall, an IPS (intrusion prevention system) device and a WAF device; the service servers connected to the cloud server form the server set. Each service server in the server set can send work log information to the cloud server, the cloud server receives the work log information sent by each service server, and the user corresponding to each service server can log in to the cloud server to view that server's work log information.
The work log information may include operation log information and security log information. Operation log information is the log information a service server generates during normal operation; security log information is the log information the network security equipment generates when the service server is attacked.
S102: and if the working log information contains the safety log information, determining the attack type based on the safety log information.
After the cloud server receives the work log information sent by each service server in the server set, whether the received work log information contains the safety log information or not can be determined, if yes, the server set is shown to contain the attacked service server, and the attack type can be determined based on the safety log information.
The attack type specifically refers to what kind of attack the service server is subjected to, such as an attack against a system bug, an attack against a specific service, an attack using a specific kind of virus, and the like.
In a specific embodiment of the present invention, determining the attack type based on the security log information may include the following steps:
step one: performing dimension correlation analysis on the security log information to obtain an analysis result;
step two: determining the attack type according to the analysis result.
For convenience of description, the two steps are explained together.
The cloud server can perform horizontal and longitudinal dimension correlation analysis on the real-time security log information, the historical security log information, the security log information of each service server and so on to obtain an analysis result, and determine the attack type according to that result.
The dimensions may include a time dimension, a source IP dimension, a destination IP dimension, an attack type dimension, an attacker dimension, a security event type dimension, an attacker type dimension, an attack stage dimension, and the like.
For example, correlating the security log information along the attacker IP dimension and analysing it statistically yields the types of service server each attacker has attacked; correlating it along the time dimension and analysing how the security log records are distributed over time reveals, for instance, that a large number of logs were generated in a short time, which suggests that the attacker is using a tool to attack in batches.
By mining the security log information, the cloud server can learn when an attacker started attacking, which attack means were used, which network segments of the service server were attacked, which suspicious behaviours the attacked service server exhibits, and what harm those behaviours may cause to the service server. Comparing and clustering the security log information on the basis of big data exposes attacker information hidden across all the security log information, and deeper mining of the attack means and of the attacked service servers reveals the attacker's purpose.
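The two dimensions the passage walks through, source IP and time, as an added example (not the patent's code): correlate constructed security log records per attacker, flag sources whose event rate indicates batch tooling, and label each attacked server's attack types for step S103. The record layout, window and count are assumptions.

```python
"""Dimension-correlation analysis of security log records (step S102).

Added example, not the patent's own code. The log record layout and the burst
parameters are constructed assumptions; the patent names the dimensions but no format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, attacker source IP, attacked server, event type)
SECURITY_LOGS = [
    ("2017-11-01T10:00:00", "203.0.113.5", "srv-a", "webshell_upload"),
    ("2017-11-01T10:00:02", "203.0.113.5", "srv-b", "webshell_upload"),
    ("2017-11-01T10:00:03", "203.0.113.5", "srv-c", "webshell_upload"),
    ("2017-11-01T10:00:05", "203.0.113.5", "srv-d", "webshell_upload"),
    ("2017-11-01T10:00:07", "203.0.113.5", "srv-a", "webshell_upload"),
    ("2017-11-01T14:30:00", "198.51.100.9", "srv-e", "smb_exploit"),
    ("2017-11-02T09:15:00", "198.51.100.9", "srv-e", "smb_exploit"),
]

BURST_WINDOW = timedelta(seconds=60)  # assumption: sliding window length
BURST_COUNT = 5                       # assumption: events per window that suggest tooling


def by_source_ip(logs):
    """Source-IP dimension: which servers and event types each attacker touched."""
    out = defaultdict(lambda: {"servers": set(), "events": set()})
    for _, src, server, event in logs:
        out[src]["servers"].add(server)
        out[src]["events"].add(event)
    return dict(out)


def burst_sources(logs, window=BURST_WINDOW, count=BURST_COUNT):
    """Time dimension: sources that emit >= count events inside any window."""
    stamps_by_src = defaultdict(list)
    for ts, src, _, _ in logs:
        stamps_by_src[src].append(datetime.fromisoformat(ts))
    bursty = set()
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        left = 0
        for right, t in enumerate(stamps):
            # shrink the window from the left until it spans at most `window`
            while t - stamps[left] > window:
                left += 1
            if right - left + 1 >= count:
                bursty.add(src)
                break
    return bursty


def attack_types(logs):
    """Combine the dimensions: attacked server -> set of attack-type labels.

    An event from a bursty source is labelled as batch tooling, following the
    passage's own interpretation of many logs in a short time.
    """
    bursty = burst_sources(logs)
    result = defaultdict(set)
    for _, src, server, event in logs:
        label = event + ("/batch_tool" if src in bursty else "")
        result[server].add(label)
    return dict(result)


if __name__ == "__main__":
    for server, types in sorted(attack_types(SECURITY_LOGS).items()):
        print(server, sorted(types))
```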
S103: and respectively determining a server subset corresponding to each attack type.
After the attack type is determined based on the security log information, a plurality of attack types may exist, and since each attack type may correspond to a plurality of service servers, and the service servers corresponding to each attack type may form a corresponding server subset, the server subsets corresponding to each attack type may be determined respectively.
It should be noted that one service server may exist in only one server subset, or may exist in a plurality of server subsets.
S104: for each subset of servers, common characteristics of all the traffic servers contained in the subset of servers are determined.
And the cloud server determines a server subset corresponding to each attack type. For each server subset, the service servers in the server subset correspond to the same attack type, and the service servers in the server subset may have a certain common characteristic, which is likely to be an important reason for causing each service server in the server subset to be attacked by the same attack type. Thus, for each subset of servers, a common characteristic of all the traffic servers contained in the subset of servers can be determined.
By way of example, the common characteristic may be the same customer type, the same type of software installed, the system version installed, etc. that are often contacted.
S105: and searching a target service server with the characteristic that the similarity with the common characteristic is higher than a preset threshold value in the complementary set of the server subset of the server set.
After determining, by the cloud server, the common characteristics of all the business servers included in the server subset for each server subset, there may be business servers having characteristics similar to the common characteristics in the complementary set of the server subset of the server set, and these business servers having characteristics similar to the common characteristics may be attacked. In the embodiment of the present invention, a threshold value may be preset. For each subset of servers, determining which of the traffic servers in the complement of the subset of servers in the set of servers have a similarity to the common feature corresponding to the subset of servers above the threshold. That is, searching a target service server having a feature with similarity higher than a preset threshold with the common feature in the complementary set of the server subset of the server set.
It should be noted that the threshold may be set and adjusted according to an actual situation, for example, the threshold may be adjusted according to the frequency of the service server with the feature that the similarity with the common feature is lower than the preset threshold, and when the technical solution provided by the embodiments of the present invention is executed multiple times according to the set preset threshold, the frequency of the service server with the feature that the similarity with the common feature is lower than the preset threshold is still higher, and the preset threshold may be reduced.
S106: and respectively sending safety early warning information to each target service server.
After the cloud server finds out the target service server with the characteristic that the similarity with the common characteristic is higher than the preset threshold value in the complementary set of the server subset of the server set, the probability that the target service server is attacked is higher, and safety early warning information can be sent to each target service server respectively. Specifically, the cloud server can send the safety early warning information in the modes of information pushing and the like. Therefore, by using the convenience of the mobile internet, early warning is timely achieved, and the reaction time of the user when the attack occurs is reduced as much as possible.
By applying the method provided by the embodiment of the invention, the cloud server receives the working log information sent by each service server in the server set, if the working log information contains the safety log information, the attack type is determined based on the safety log information, the server sub-sets corresponding to each attack type are respectively determined, the common characteristics of all service servers contained in each server sub-set are determined aiming at each server sub-set, the target service servers with the characteristics of which the similarity with the common characteristics is higher than the preset threshold value are searched in the complementary set of the server sub-sets of the server set, and the safety early warning information is respectively sent to each target service server. And determining attack types according to the received safety log information through the cloud server, and determining common characteristics of the server subset corresponding to each attack type. According to the common characteristics, safety early warning information is sent to each target service server, early warning is carried out in time, and a user can know the known and unknown risks currently facing the corresponding target service server in time according to the safety early warning information so as to take corresponding measures in time, ensure the normal operation of the target service server and improve the user experience.
In an embodiment of the present invention, the following steps may further be included after step S105:
step one: determining a protection policy corresponding to each target service server;
step two: sending each determined protection policy to the corresponding target service server.
For convenience of description, the two steps are explained together.
For each server subset, after the cloud server has found the target service servers in the complement of the subset whose similarity to the common characteristics exceeds the preset threshold, it determines a protection policy for each target service server according to the attack type suffered by the service servers in that subset, forms a dynamic linked defence system with the gateway firewall of each target service server, and sends each determined protection policy to the corresponding target service server, so that every target server can cope with known and unknown risks in time.
The protection policy can be generated in real time according to the attack type suffered by the service servers in each server subset, or looked up in a policy library obtained in advance.
In a specific embodiment of the present invention, after the determined protection policies have been sent to the corresponding target service servers, the method may further include the following steps:
step one: for each target service server, obtaining the effect that the protection policy corresponding to the target service server has on it;
step two: determining, according to that effect, whether to update the protection policy corresponding to the target service server.
For convenience of description, the two steps are explained together.
After the cloud server has sent the determined protection policy to the corresponding target service server, it can obtain, for each target service server, the effect of that server's protection policy either in real time or at fixed intervals. From the obtained effect the cloud server can detect whether each protection policy it sent actually protects the corresponding target service server, and so determine whether the protection policy corresponding to that target service server should be updated.
In practical application, the latest internet security events, such as the latest outbreak of the XX virus, can be introduced as well: after the cloud server has sent the determined protection policy to the corresponding target service server, it obtains the effect of that policy on the target service server, detects from that effect whether each sent protection policy protects the corresponding target service server, and so determines whether the protection policy corresponding to that target service server should be updated.
In an embodiment of the present invention, after step S105 and before step S106, the method may further include the step of:
determining, according to the similarity, the security risk level corresponding to each target service server;
accordingly, step S106 may include the step of:
for each target service server, sending to it the safety early warning information corresponding to its security risk level.
For each server subset, after the cloud server finds, in the complement of that subset within the server set, the target service servers whose features have a similarity with the common feature higher than the preset threshold, it can divide the target service servers into security risk levels according to the similarity; for example, into three ascending levels, from possibly attacked up to about to be attacked. The security risk level of each target service server is then determined from that server's own similarity value.
Correspondingly, safety early warning information can be set for each security risk level: for the three divided security risk levels, from possibly attacked up to about to be attacked, the safety early warning information is set to three levels, namely slight early warning information, general early warning information and serious early warning information. For each target service server, the safety early warning information of the level matching its security risk level is sent to it.
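The flow described in the method steps above (grouping servers by attack type, deriving a common feature per subset, searching the subset's complement for servers whose similarity exceeds the preset threshold, tiering the hits into risk levels, and checking whether a sent protection policy has had an effect) can be illustrated end to end. The block below is an added example and is not code from the patent or its assignee; the server names, feature sets, log records, the 0.6 preset threshold, the two upper tier boundaries, the "shared by all members" definition of a common feature, the "fraction of common features present" similarity metric and the policy-effect criterion are all constructed assumptions, since the patent leaves these choices open.

```python
from collections import defaultdict

# Constructed sample data (not from the patent): each service server in the
# server set reports its feature set and its work-log records to the cloud
# server. A record carrying the "security" key is security log information;
# the attack type is read directly from it here, standing in for the
# dimension correlation analysis the patent leaves unspecified.
SERVERS = {
    "web-01": {"features": {"nginx-1.14", "php-7.2", "port-80", "port-443"},
               "logs": [{"security": "sqli"}, {"security": "sqli"}]},
    "web-02": {"features": {"nginx-1.14", "php-7.2", "port-80", "mysql-5.7"},
               "logs": [{"security": "sqli"}]},
    "web-03": {"features": {"nginx-1.14", "php-7.2", "port-443"},
               "logs": [{"info": "ok"}]},
    "web-04": {"features": {"nginx-1.14", "php-7.2", "port-80", "redis-4"},
               "logs": [{"info": "ok"}]},
    "db-01":  {"features": {"mysql-5.7", "port-3306"},
               "logs": [{"info": "ok"}]},
    "ssh-01": {"features": {"openssh-7.4", "port-22"},
               "logs": [{"security": "bruteforce"}]},
}

# Assumed values: the preset threshold and the two upper tier boundaries
# that split hits into slight / general / serious early warning levels.
PRESET_THRESHOLD = 0.6
TIERS = [(0.95, "serious"), (0.8, "general"), (PRESET_THRESHOLD, "slight")]


def attack_types(logs):
    """Attack types found in a server's security log information."""
    return {rec["security"] for rec in logs if "security" in rec}


def server_subsets(servers):
    """Map each attack type to the subset of servers that reported it."""
    subsets = defaultdict(set)
    for sid, info in servers.items():
        for atype in attack_types(info["logs"]):
            subsets[atype].add(sid)
    return dict(subsets)


def common_features(servers, subset):
    """Features shared by every server in the subset (assumed definition)."""
    sets = [servers[sid]["features"] for sid in subset]
    return set.intersection(*sets) if sets else set()


def similarity(features, common):
    """Fraction of the common features a server exhibits (assumed metric)."""
    return len(features & common) / len(common) if common else 0.0


def risk_level(sim):
    """Tier name for a similarity, or None when below the preset threshold."""
    for bound, name in TIERS:
        if sim >= bound:
            return name
    return None


def early_warnings(servers, threshold=PRESET_THRESHOLD):
    """Targets in each subset's complement whose similarity exceeds threshold.

    Returns {target_server: (attack_type, similarity, warning_level)},
    keeping the highest similarity when a server matches several subsets.
    """
    warnings = {}
    for atype, subset in server_subsets(servers).items():
        common = common_features(servers, subset)
        for sid in set(servers) - subset:          # complement of the subset
            sim = similarity(servers[sid]["features"], common)
            if sim <= threshold:
                continue
            if sid not in warnings or sim > warnings[sid][1]:
                warnings[sid] = (atype, round(sim, 3), risk_level(sim))
    return warnings


def should_update_policy(attack_type, logs_before, logs_after):
    """Decide from a protection policy's effect whether it needs updating:
    True when the targeted attack type is still logged at least as often
    after the policy was applied as before (assumed criterion)."""
    def count(logs):
        return sum(1 for r in logs if r.get("security") == attack_type)
    return count(logs_after) >= count(logs_before)


if __name__ == "__main__":
    for sid, (atype, sim, level) in sorted(early_warnings(SERVERS).items()):
        print(f"{sid}: {level} warning, similarity {sim} to '{atype}' subset")
    # web-03: slight warning, similarity 0.667 to 'sqli' subset
    # web-04: serious warning, similarity 1.0 to 'sqli' subset
```

With the constructed data the "sqli" subset is {web-01, web-02}, whose common feature is {nginx-1.14, php-7.2, port-80}; in the complement, web-03 exhibits two of the three (0.667, slight warning) and web-04 all three (1.0, serious warning), while db-01 and ssh-01 share nothing and get no warning. The "bruteforce" subset contains only ssh-01, so its common feature is ssh-01's own feature set and no other server matches it. `should_update_policy` shows the effect check in its simplest form: a policy that did not reduce the attack type it targets is flagged for update.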
Corresponding to the above method embodiment, an embodiment of the present invention further provides a security early warning apparatus applied to a cloud server, the cloud server being connected to each service server in a server set; the apparatus described below and the method described above may be referred to each other correspondingly.
Referring to fig. 2, the apparatus may include the following modules:
an information receiving module 201, configured to receive work log information sent by each service server in the server set;
a type determining module 202, configured to determine, if the work log information includes security log information, an attack type based on the security log information;
a set determining module 203, configured to determine the server subset corresponding to each attack type respectively;
a feature determining module 204, configured to determine, for each server subset, the common feature of all service servers included in that server subset;
a server searching module 205, configured to search, in the complement of the server subset within the server set, for target service servers whose features have a similarity with the common feature higher than a preset threshold;
and an information sending module 206, configured to send safety early warning information to each target service server respectively.
With the apparatus provided by the embodiment of the invention, the cloud server receives the work log information sent by each service server in the server set; if the work log information contains security log information, it determines the attack type from that security log information, determines the server subset corresponding to each attack type, determines for each server subset the common feature of all service servers in it, searches the complement of that subset within the server set for target service servers whose features have a similarity with the common feature higher than the preset threshold, and sends safety early warning information to each target service server. Because the cloud server determines the attack types from the received security log information and the common feature of each attack type's server subset, it can warn the target service servers in time on the basis of those common features, so that a user learns promptly of the known and unknown risks currently facing the corresponding target service server, takes corresponding measures in time, keeps the target service server running normally and has a better experience.
In a specific embodiment of the present invention, the apparatus further includes a policy sending module, configured to:
after the target service servers whose features have a similarity with the common feature higher than the preset threshold have been found in the complement of the server subset within the server set, determine the protection policy corresponding to each target service server;
and send the determined protection policies to the corresponding target service servers respectively.
In a specific embodiment of the present invention, the apparatus further includes a policy update module, configured to:
after the determined protection policies have been sent to the corresponding target service servers, obtain, for each target service server, the effect of the protection policy corresponding to that target service server on it;
and determine, according to the effect, whether to update the protection policy corresponding to the target service server.
In an embodiment of the present invention, the apparatus further includes a level determining module, configured to:
after the target service servers whose features have a similarity with the common feature higher than the preset threshold have been found in the complement of the server subset within the server set, and before safety early warning information is sent to each target service server, determine the security risk level corresponding to each target service server according to the similarity;
correspondingly, the information sending module 206 is specifically configured to:
for each target service server, send to it the safety early warning information corresponding to its security risk level.
In one embodiment of the present invention, the type determining module 202 includes:
the dimension analysis submodule is used for carrying out dimension correlation analysis on the safety log information to obtain an analysis result;
and the type determining submodule is used for determining the attack type according to the analysis result.
Corresponding to the above method embodiment, an embodiment of the present invention further provides security early warning equipment applied to a cloud server, the cloud server being connected to each service server in a server set; the equipment described below and the method described above may be referred to each other correspondingly.
Referring to fig. 3, the equipment may include:
a memory 301 for storing a safety early warning program;
a processor 302, configured to implement the steps of the safety early warning method of the method embodiment when executing the safety early warning program.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a computer-readable storage medium applied to a cloud server, the cloud server being connected to each service server in a server set; the storage medium described below and the method described above may be referred to each other correspondingly.
A computer-readable storage medium has a safety early warning program stored thereon which, when executed by a processor, implements the steps of the safety early warning method of the method embodiments.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present invention are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present invention. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (12)

1. A safety early warning method, applied to a cloud server connected with each service server in a server set, the method comprising the following steps:
receiving work log information sent by each service server in the server set;
if the working log information contains safety log information, determining an attack type based on the safety log information;
respectively determining a server subset corresponding to each attack type;
for each server subset, determining common characteristics of all service servers contained in the server subset;
searching a target service server with the characteristic that the similarity with the common characteristic is higher than a preset threshold value in a complementary set of the server subset of the server set;
and respectively sending safety early warning information to each target service server.
2. The method of claim 1, further comprising, after the searching, in the complement of the server subset of the server set, for the target service server having a feature whose similarity with the common feature is higher than the preset threshold:
determining a protection strategy corresponding to each target service server;
and respectively sending the determined protection strategies to corresponding target service servers.
3. The method of claim 2, further comprising, after the respectively sending the determined protection strategies to the corresponding target service servers:
aiming at each target service server, acquiring the effect of the protection strategy corresponding to the target service server on the target service server;
and determining whether to update the protection strategy corresponding to the target service server according to the effect.
4. The method according to claim 1, wherein, after the searching, in the complement of the server subset of the server set, for the target service server having a feature whose similarity with the common feature is higher than the preset threshold, and before the respectively sending the safety early warning information to each target service server, the method further comprises:
determining the safety risk level corresponding to each target service server according to the similarity;
correspondingly, the respectively sending safety early warning information to each target service server includes:
and aiming at each target service server, sending corresponding safety early warning information to the target service server according to the safety risk level corresponding to the target service server.
5. The method of any of claims 1 to 4, wherein determining the attack type based on the security log information comprises:
performing dimension correlation analysis on the safety log information to obtain an analysis result;
and determining the attack type according to the analysis result.
6. A safety early warning device, applied to a cloud server connected with each service server in a server set, the device comprising:
the information receiving module is used for receiving the work log information sent by each service server in the server set;
the type determining module is used for determining an attack type based on the safety log information if the working log information contains the safety log information;
the set determining module is used for respectively determining a server subset corresponding to each attack type;
the characteristic determining module is used for determining the common characteristics of all the service servers contained in each server subset;
the server searching module is used for searching a target service server with the characteristic that the similarity with the common characteristic is higher than a preset threshold value in the complementary set of the server subset of the server set;
and the information sending module is used for sending the safety early warning information to each target service server respectively.
7. The apparatus of claim 6, further comprising a policy sending module configured to:
after target service servers with the characteristics that the similarity with the common characteristics is higher than a preset threshold value are searched in the complementary set of the server subset of the server set, a protection strategy corresponding to each target service server is determined;
and respectively sending the determined protection strategies to corresponding target service servers.
8. The apparatus of claim 7, further comprising a policy update determination module configured to:
after the determined protection strategies are respectively sent to the corresponding target service servers, aiming at each target service server, obtaining the effect of the protection strategy corresponding to the target service server on the target service server;
and determining whether to update the protection strategy corresponding to the target service server according to the effect.
9. The apparatus of claim 6, further comprising a rank determination module configured to:
after the target service servers with the characteristics that the similarity with the common characteristics is higher than a preset threshold value are searched in the complementary set of the server subset of the server set and before the safety early warning information is respectively sent to each target service server, determining the safety risk level corresponding to each target service server according to the similarity;
correspondingly, the information sending module is specifically configured to:
and aiming at each target service server, sending corresponding safety early warning information to the target service server according to the safety risk level corresponding to the target service server.
10. The apparatus of any of claims 6 to 9, wherein the type determination module comprises:
the dimension analysis submodule is used for carrying out dimension correlation analysis on the safety log information to obtain an analysis result;
and the type determining submodule is used for determining the attack type according to the analysis result.
11. Safety early warning equipment, comprising:
a memory for storing a safety early warning program;
and a processor for implementing the steps of the safety early warning method of any one of claims 1 to 5 when executing the safety early warning program.
12. A computer-readable storage medium having a safety early warning program stored thereon which, when executed by a processor, implements the steps of the safety early warning method of any one of claims 1 to 5.
CN201711207874.4A 2017-11-27 2017-11-27 Safety early warning method, device, equipment and storage medium Active CN107733725B (en)

Publications (2)

Publication Number Publication Date
CN107733725A CN107733725A (en) 2018-02-23
CN107733725B true CN107733725B (en) 2021-01-19

Family

ID=61219626

Country Status (1)

Country Link
CN (1) CN107733725B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant