CN114338170A - Detection control method, device, electronic equipment, storage medium and computer system - Google Patents


Publication number
CN114338170A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111640036.2A
Other languages
Chinese (zh)
Other versions
CN114338170B (en)
Inventor
黄磊
童志明
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a detection control method, a detection control device, electronic equipment, a storage medium and a computer system, applied to the technical field of network security. The method comprises: determining the importance degree of each second node; determining at least one target node according to the importance degree of each second node; determining the detection sequence of each target node; and sequentially sending a detection control instruction to the at least one target node according to the detection sequence, the detection control instruction being used to instruct the target node to switch to the second detection mode. Under the control of the first node, the distributed second nodes can thus enter targeted in-depth detection according to their different importance degrees, which avoids every second node running the same, undifferentiated detection mode. Because both the first detection mode and the second detection mode are deployed on each second node, a large number of second nodes can be rolled out without node-specific deployment, which reduces the difficulty and workload of deployment.

Description

Detection control method, device, electronic equipment, storage medium and computer system
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a detection control method, an apparatus, an electronic device, a storage medium, and a computer system.
Background
In the existing cloud environment, hosts often adopt a distributed detection mode, that is, each host is deployed with a threat detector, and the threat detectors on each host node are provided with local virus libraries and have the capability of independently detecting malicious codes.
For the distributed detection mode in the cloud environment, once the threat detectors are deployed, the detection capability of the detector on every host is the same (that is, the detection modules and the virus libraries are the same). Malicious code detection is therefore undifferentiated across hosts: factors such as the asset value, security level, threat level and hardware resources of the host are not considered, either a detector with larger resource occupation or a detector with smaller resource occupation is deployed everywhere, and differentiated detection measures are not considered.
Disclosure of Invention
In view of the above, the present invention provides a detection control method, apparatus, electronic device, storage medium and computer system, which at least partially solve the problems in the prior art.
According to one aspect of the application, a detection control method is provided and applied to a first node, wherein the first node is associated with a plurality of second nodes, the second nodes have a first detection mode and a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
the method comprises the following steps:
determining the importance of each of the second nodes;
determining at least one target node from a plurality of second nodes according to the importance degree of each second node;
determining the detection sequence of each target node;
according to the detection sequence, sequentially sending a detection control instruction to at least one target node; the detection control instruction is used for instructing the target node to switch to a second detection mode.
In an exemplary embodiment of the present application, the determining the importance level of each of the second nodes includes:
acquiring characteristic information of a plurality of second nodes;
and determining the importance degree of each second node according to the characteristic information.
In an exemplary embodiment of the present application, the feature information includes N categories of feature data corresponding to each of the second nodes;
the determining the importance degree of each second node according to the feature information includes:
determining a feature vector corresponding to each second node according to the N-order judgment matrix and the N categories of feature data corresponding to each second node;
determining the importance degree of each second node according to the characteristic vector corresponding to each second node;
the feature vector is used for representing weight data corresponding to the feature data of each category corresponding to the second node corresponding to the feature vector.
In an exemplary embodiment of the present application, a first detection module and a second detection module are arranged inside the second node, the first detection module is configured to operate a first detection mode, and the second detection module is configured to operate a second detection mode;
before the sequentially sending the detection control instruction to at least one of the target nodes according to the detection sequence, the method further includes:
determining a detection module currently deployed by the target node;
and under the condition that the detection module currently deployed by the target node is a first detection module, the detection control instruction is used for indicating the target node to close the first detection module, deploy the second detection module and control the second detection module to operate the second detection mode.
In an exemplary embodiment of the present application, a first detection module and a second detection module are disposed inside the second node, the first detection module is configured to operate a first detection mode, and the second detection module can be loaded into the first detection module, so that the first detection module can operate the second detection mode;
before the sequentially sending the detection control instruction to at least one of the target nodes according to the detection sequence, the method further includes:
determining a current state of the first detection module in the target node;
and under the condition that the second detection module is not loaded by the first detection module in the target node, the detection control instruction is used for instructing the target node to load the second detection module into the first detection module and controlling the first detection module to operate the second detection mode.
In an exemplary embodiment of the present application, the detection control instruction is further configured to instruct the first detection module to release the second detection module.
According to one aspect of the present application, there is provided a computer system comprising:
a first node;
a plurality of second nodes, all associated with the first node, wherein a first detection module and a second detection module are arranged in each second node, the first detection module is used for operating a first detection mode, the second detection module is used for operating a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
wherein,
the first node is used for determining the importance degree of each second node, determining at least one target node from the plurality of second nodes according to the importance degree of each second node, determining the detection sequence of each target node, and sequentially sending a detection control instruction to at least one target node according to the detection sequence;
and the second node is used for controlling the operation of the first detection module and the second detection module according to the detection control instruction.
According to one aspect of the application, a detection control device is provided and applied to a first node, wherein a plurality of second nodes are associated with the first node, the second nodes have a first detection mode and a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
the device comprises:
a first determining module, configured to determine an importance level of each of the second nodes;
the second determining module is used for determining at least one target node from the plurality of second nodes according to the importance degree of each second node;
a third determining module, configured to determine a detection order of each target node;
the sending module is used for sequentially sending a detection control instruction to at least one target node according to the detection sequence; the detection control instruction is used for instructing the target node to switch to a second detection mode.
According to one aspect of the present application, there is provided an electronic device comprising a processor and a memory;
the processor is configured to perform the steps of any of the above methods by calling a program or instructions stored in the memory.
According to an aspect of the application, there is provided a computer-readable storage medium storing a program or instructions for causing a computer to perform the steps of any of the methods described above.
The application provides a detection control method in which the first node calculates the importance degree of each second node associated with it and determines the target nodes from the plurality of second nodes according to the calculated importance degrees. It then sends a detection control instruction to each target node so that the target node switches to the second detection mode, which has a higher detection level. Under the control of the first node, the distributed second nodes can thus enter targeted in-depth detection according to their different importance degrees, which avoids every second node running the same, undifferentiated detection mode. Because both the first detection mode and the second detection mode are deployed on each second node, a large number of second nodes can be rolled out without node-specific deployment, which reduces the difficulty and workload of deployment.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a monitoring control method provided in this embodiment;
Fig. 2 is a block diagram of a monitoring control device according to this embodiment.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, all other embodiments that can be derived by one of ordinary skill in the art from the embodiments disclosed herein without any creative effort shall fall within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
According to an aspect of the present application, referring to fig. 1, this embodiment provides a detection control method applied to a first node, where the first node is associated with a plurality of second nodes, the second nodes have a first detection mode and a second detection mode, and a detection level of the second detection mode is higher than a detection level of the first detection mode;
the method comprises the following steps:
step S100, determining the importance degree of each second node;
step S200, determining at least one target node from a plurality of second nodes according to the importance degree of each second node;
step S300, determining the detection sequence of each target node;
step S400, according to the detection sequence, sequentially sending a detection control instruction to at least one target node; the detection control instruction is used for instructing the target node to switch to a second detection mode.
The first node and the second nodes form a distributed computer network. The first node may be a computer or a server at the control end. A second node may be a virtual machine built on the hardware resources of the first node or on other cloud resources, or may be a physical computer or an electronic device with certain hardware resources. The association between the first node and a second node means that the first node has a degree of control authority over the second node; for example, it can instruct the second node to start a corresponding detection mode and perform malicious code detection on itself. There may also be multiple first nodes, each associated with a plurality of second nodes. The multiple first nodes may each independently control their associated second nodes, or may communicate with each other to jointly judge the importance degree of all associated second nodes.
The first detection mode and the second detection mode in the second node may be corresponding detection modules or detection programs installed in the second node. Given the difference in detection level, the first detection mode can be understood as a lightweight detection mode and the second detection mode as a heavyweight detection mode. The difference in detection level is reflected in whether the virus library data is more comprehensive, whether more detection algorithms are used, and whether the detected directories or addresses are more comprehensive. Note that a detection mode with a higher detection level calls on more system software and hardware resources when it runs. In a distributed system, most nodes are allocated software and hardware resources only according to their original functions, so existing distributed systems perform unified detection by uniformly deploying a lightweight detection mode; the problem addressed here is the potential security risk that arises because nodes of high importance cannot use a heavyweight detection mode.
In the detection control method provided by this embodiment, the first node calculates the importance degree of each associated second node and determines the target nodes from the plurality of second nodes according to the calculated importance degrees. It then sends a detection control instruction to each target node so that the target node switches to the second detection mode, which has a higher detection level. Under the control of the first node, the distributed second nodes can thus enter targeted in-depth detection according to their importance degrees, which avoids every second node running the same, undifferentiated detection mode. Because both the first detection mode and the second detection mode are deployed on each second node, a large number of second nodes can be rolled out without node-specific deployment, which reduces the difficulty and workload of deployment. In addition, the first node can assign a detection sequence to the target nodes according to information such as each second node's current work, software and hardware state and importance degree, so that a second node does not enter the second detection mode while its current work leaves it short of system resources. Even if all target nodes are idle, the first node can take the resource situation of the whole distributed system into account and issue the detection control instructions to the target nodes one after another at certain time intervals. This avoids a sudden surge in resource use across the whole system caused by many target nodes entering the second detection mode at the same time.
It should be noted that the detection control instruction instructs the target node to enter the second detection mode, and "entering the second detection mode" means not merely starting the module or program corresponding to the second detection mode but actually running that detection mode. When the target node receives the detection control instruction, its current state may vary: the first detection mode may be running, or the corresponding second detection module may not currently be started. The actions that the detection control instruction tells the target node to perform therefore differ according to the target node's current state, as described in detail in the specific embodiments below.
In an exemplary embodiment of the present application, the determining the importance level of each of the second nodes includes:
acquiring characteristic information of a plurality of second nodes;
and determining the importance degree of each second node according to the characteristic information.
The characteristic information includes at least one of: asset value information, software and hardware state information, historical attacked records, historical detection records and mandatory detection marks.
In this embodiment, a communication channel is provided between the first node and the second node associated therewith, the first node may send a characteristic information obtaining instruction to the second node according to a set period or according to an instruction of a control person, the second node sends its own characteristic information to the first node according to the characteristic information obtaining instruction, and the characteristic information includes identity information of the second node, so that the first node can distinguish a plurality of second nodes.
After the first node receives the characteristic information sent by each second node, it comprehensively considers the asset value information, software and hardware state information, historical attacked record, historical detection record and mandatory detection mark of each second node to determine that node's importance degree. The detection sequence can be sorted directly by importance degree, or determined by combining the importance degree with the characteristic information again.
The asset value information refers to the value of the data stored in the second node, and the asset value can be evaluated according to a set rule or a calculation formula. The higher the asset value, the higher the importance degree. The software and hardware state information refers to the overall software and hardware resources of the second node and its current resource usage; a second node with large overall software and hardware resources usually carries more important functions, so its importance degree is higher. The historical attacked record records the number and frequency of malicious attacks received by the corresponding second node; the higher the number and frequency, the higher the importance degree of the second node. The historical detection record records the detection mode and detection time used by the corresponding second node for each detection; the longer the interval between the last use of the second detection mode and the current time, the higher the importance degree of the second node, which prevents second nodes with low asset value from never running the second detection mode. The mandatory detection mark can be set actively by a user, or set automatically according to set rules after the second node performs certain operations (for example, the change in internally stored data exceeds a threshold, a large monetary transaction takes place, or important materials are loaded). A second node on which the mandatory detection mark is set has its importance degree raised directly and is determined to be a target node.
In this embodiment, the feature information includes several kinds of information of differing importance, so when the overall importance degree is calculated, a weighting coefficient is applied to at least part of the feature information, giving a reasoned, comprehensive judgment of the importance degree.
In an exemplary embodiment of the present application, the feature information includes N categories of feature data corresponding to each of the second nodes;
the determining the importance degree of each second node according to the feature information includes:
determining a feature vector corresponding to each second node according to the N-order judgment matrix and the N categories of feature data corresponding to each second node;
determining the importance degree of each second node according to the characteristic vector corresponding to each second node;
the feature vector is used for representing weight data corresponding to the feature data of each category corresponding to the second node corresponding to the feature vector.
Specifically, this embodiment is explained using an example in which the feature information includes the following 4 categories of feature data:
(a) Service importance of the virtual machine
(b) The virtual machine is forcibly marked by the user to be patrolled
(c) The virtual machine has been attacked
(d) The virtual machine has not been patrolled for a long time
The patrol path planning uses a dynamic patrol path selection algorithm based on multi-condition constraints, with the following steps:
(1) Determining the weights of the influence factors corresponding to the different categories of feature data
The influence factors corresponding to the different categories of feature data differ in importance, and only once the weight of each influence factor has been determined can it be determined which virtual machines need to be detected and the detection priority of each virtual machine. First, a 4 × 4 patrol influence factor judgment matrix is established:
[Formula image not reproduced: the 4 × 4 judgment matrix A]
where $a_{ij}$ denotes the relative importance of influence factor i to influence factor j, expressed using the 1-9 scale method, as shown in the following table:
Table: 1-9 scale ratio method and meaning
[Table image not reproduced]
The eigenvector W of the matrix A (the "feature vector" referred to above) is then obtained from the matrix A:
$W = (w_1, w_2, w_3, w_4)$ (2)
where $w_1$ is the weight of "service importance of the virtual machine";
$w_2$ is the weight of "the virtual machine is forcibly marked by the user to be patrolled";
$w_3$ is the weight of "the virtual machine has been attacked";
$w_4$ is the weight of "the virtual machine has not been patrolled for a long time";
(2) Determining the grades of the influence factors corresponding to the different categories of feature data
The grade of each feature-data influence factor is quantified through a grade mapping table to form a measurable grade value:
[Table image not reproduced: grade mapping table]
(3) Determining the patrol priority of each virtual machine
The patrol path priority of each virtual machine is calculated as:
$V = \sum w_i \times D$, where $w_i$ is the weight of each impact factor and $D$ is the grade of each impact factor.
Finally, the value of the patrol priority V (namely the importance degree) of each virtual machine is obtained. A minimum patrol priority threshold (which can be dynamically adjusted) is set, the virtual machines below this threshold are filtered out, and the remaining virtual machines are sorted by patrol priority from high to low, giving the virtual machines that finally need to be inspected and the patrol path.
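Steps (1) to (3) carried through in code, as an added example that is not part of the patent text. The judgment matrix, the per-VM grades, the grade scale and the threshold are constructed sample values, and the consistency-ratio check is the standard analytic hierarchy process acceptance test, which the patent does not mention.

```python
"""Steps (1)-(3) above as an added example: weights from a judgment matrix,
priority V per virtual machine, threshold filter and ordering."""

FACTORS = ("service_importance", "forced_mark", "attacked", "long_unpatrolled")

# Constructed judgment matrix on the 1-9 scale (not taken from the patent):
# JUDGMENT[i][j] says how much more important factor i is than factor j.
JUDGMENT = [
    [1,   1/3, 2,   3],
    [3,   1,   4,   5],
    [1/2, 1/4, 1,   2],
    [1/3, 1/5, 1/2, 1],
]

# Saaty's random consistency index by matrix order (standard AHP values).
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_weights(matrix, iterations=100):
    """Return (weights, lambda_max): the principal eigenvector of the judgment
    matrix, normalised to sum to 1, and its eigenvalue (power iteration)."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("judgment matrix must be square")
        for j in range(n):
            a = matrix[i][j]
            if not (1 / 9 - 1e-9 <= a <= 9 + 1e-9):
                raise ValueError(f"a[{i}][{j}]={a} is outside the 1-9 scale")
            if abs(a * matrix[j][i] - 1) > 1e-9:
                raise ValueError(f"a[{i}][{j}] and a[{j}][{i}] are not reciprocal")
    w = [1 / n] * n
    lam = float(n)
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)            # equals lambda_max once w has converged
        w = [x / lam for x in aw]
    return w, lam


def consistency_ratio(lambda_max, n):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 is the
    usual acceptance bound for a judgment matrix."""
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def patrol_priority(weights, grades):
    """V = sum(w_i * D_i), D_i being the quantified grade of factor i."""
    return sum(w * d for w, d in zip(weights, grades))


def select_targets(vms, weights, min_priority):
    """Drop VMs below the minimum patrol priority, sort the rest high to low."""
    scored = [(name, patrol_priority(weights, g)) for name, g in vms.items()]
    kept = [(name, v) for name, v in scored if v >= min_priority]
    return sorted(kept, key=lambda item: item[1], reverse=True)


# Constructed grades per VM, in FACTORS order (the grade scale is assumed).
VMS = {
    "vm-db":    (3, 0, 1, 1),
    "vm-web":   (2, 1, 2, 0),
    "vm-build": (1, 0, 0, 3),
    "vm-test":  (0, 0, 0, 1),
}

if __name__ == "__main__":
    weights, lam = ahp_weights(JUDGMENT)
    print("weights:", [round(w, 3) for w in weights])
    print("CR:", round(consistency_ratio(lam, len(JUDGMENT)), 3))
    for name, v in select_targets(VMS, weights, min_priority=0.4):
        print(f"{name}: V={v:.3f}")
```

A judgment matrix whose consistency ratio is 0.1 or higher contains contradictory pairwise comparisons and should be revised before its weights are used to rank nodes.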
In an exemplary embodiment of the present application, a first detection module and a second detection module are arranged inside the second node, the first detection module is configured to operate a first detection mode, and the second detection module is configured to operate a second detection mode;
before the sequentially sending the detection control instruction to at least one of the target nodes according to the detection sequence, the method further includes:
determining a detection module currently deployed by the target node;
and under the condition that the detection module currently deployed by the target node is a first detection module, the detection control instruction is used for indicating the target node to close the first detection module, deploy the second detection module and control the second detection module to operate the second detection mode.
Specifically, a detection module loader is arranged inside the second node, and the detection module loader may be distributed uniformly to the second nodes by the first node. The detection module loader can load the first detection module and the second detection module in the second node, placing them in different directories so that the two detection modules are independent of each other, do not interfere with each other and can operate independently. The detection module loader also has a switching function: according to the detection control instruction, it can switch the first detection module and the second detection module on and off to change the detection mode. The first detection module is a lightweight detector that retains a small virus library with good detection effect after the virus library has been pruned; its detection capability is limited but its resource occupation is low, so it suits scenarios where host resources are limited (for example, few hardware resources such as memory, CPU and disk). The second detection module uses the full virus library; its detection capability is strong but its resource occupation is large, so it suits scenarios where host resources are ample (for example, plentiful hardware resources such as memory, CPU and disk). It is understood that the second detection module includes the virus library of the first detection module, and the first detection module is obtained by pruning the second detection module.
In its normal state, the second node can freely start the first detection mode or the second detection mode according to default requirements or the actual requirements of an operator. Therefore, before the first node sends the detection control instruction, it needs to determine from the software and hardware state information of the second node which detection module the target node currently has started and whether detection is currently in progress. The actual content of the detection control instruction is then adjusted according to the detection module currently deployed by the target node.
When the target node currently has the first detection module started but is not performing detection, the detection control instruction instructs the target node to close the first detection module, deploy the second detection module and control the second detection module to operate the second detection mode. The second detection mode can be detection of the whole disk using the largest virus library, or detection of important directories using the largest virus library.
When the target node currently has the second detection module started but is not performing detection, the detection control instruction instructs the target node to operate the second detection mode.
When the target node currently has the first detection module started and is running the first detection mode, the detection control instruction instructs the target node to run the second detection mode after the first detection mode has finished. Alternatively, the detection control instruction instructs the second node to stop the first detection mode and start operating the second detection mode.
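The state-dependent instruction content described above, with both the first-node and second-node sides, as an added example that is not code from the patent. The action names, the `Loader` class, the 300-second interval and the sample fleet are hypothetical; the patent defines no instruction format.

```python
"""First-node instruction building and second-node loader, added example."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Module(Enum):
    FIRST = "first"    # lightweight detector with the pruned virus library
    SECOND = "second"  # detector with the full virus library


def build_instruction(deployed, running, preempt=False):
    """Choose the instruction content from the state the node reported.
    Action names are hypothetical; the patent does not define a wire format."""
    if deployed is Module.SECOND:
        # Second module already deployed: only the scan has to be started.
        return [] if running is Module.SECOND else ["run_second_mode"]
    actions = []
    if running is Module.FIRST:
        # Either interrupt the lightweight scan or let it finish first.
        actions.append("stop_first_mode" if preempt else "wait_first_mode")
    return actions + ["close_first", "deploy_second", "run_second_mode"]


@dataclass
class Loader:
    """Second-node side: the detection module loader acting as the switch."""
    node_id: str
    deployed: Optional[Module]
    running: Optional[Module] = None

    def apply(self, actions):
        for action in actions:
            if action in ("stop_first_mode", "wait_first_mode"):
                if self.running is not Module.FIRST:
                    raise RuntimeError(f"{action}: first mode is not running")
                self.running = None
            elif action == "close_first":
                if self.running is not None:
                    raise RuntimeError("close_first: a scan is still running")
                self.deployed = None
            elif action == "deploy_second":
                if self.deployed is not None:
                    raise RuntimeError("deploy_second: another module is deployed")
                self.deployed = Module.SECOND
            elif action == "run_second_mode":
                if self.deployed is not Module.SECOND:
                    raise RuntimeError("run_second_mode: second module missing")
                self.running = Module.SECOND
            else:
                raise ValueError(f"unknown action {action!r}")
        return self


def plan_dispatch(targets, interval_s=300):
    """targets: (priority V, Loader) pairs. Returns (send offset in seconds,
    node id, actions), highest priority first and one node per interval so
    that heavyweight scans do not all start at once."""
    ordered = sorted(targets, key=lambda t: t[0], reverse=True)
    return [
        (slot * interval_s, node.node_id,
         build_instruction(node.deployed, node.running))
        for slot, (_, node) in enumerate(ordered)
    ]


def sample_fleet():
    """Constructed sample data: priority values and reported node states."""
    return [
        (0.48, Loader("vm-build", Module.FIRST, running=Module.FIRST)),
        (1.29, Loader("vm-web", Module.FIRST)),
        (0.92, Loader("vm-db", Module.SECOND)),
    ]


if __name__ == "__main__":
    for offset, node_id, actions in plan_dispatch(sample_fleet()):
        print(f"t+{offset:>4}s  {node_id:<9} {actions}")
```

The loader rejects actions that do not match its current state, so an instruction built from stale state information fails visibly instead of leaving the node without a running detector.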
In an exemplary embodiment of the present application, a first detection module and a second detection module are arranged inside the second node; the first detection module is configured to run the first detection mode, and the second detection module can be loaded into the first detection module so that the first detection module can run the second detection mode;
before the sequentially sending the detection control instruction to at least one of the target nodes according to the detection sequence, the method further includes:
determining a current state of the first detection module in the target node;
and when the first detection module in the target node has not loaded the second detection module, the detection control instruction is used for instructing the target node to load the second detection module into the first detection module and to control the first detection module to run the second detection mode.
Specifically, in this embodiment the first detection module and the second detection module may also be set up by a detection module loader, as described above; the details are not repeated here. The difference from the previous embodiment is that here the second detection module cannot run the second detection mode on its own. Instead, after the detection module loader loads the second detection module into the first detection module, the two detection modules work together to run the second detection mode. That is, in this embodiment the second detection module does not include the virus library and other content of the first detection module. The first detection module and the second detection module are two distinct detection modules obtained by splitting the full virus library.
In this way, the total data size of the first and second detection modules deployed in the second node can be kept small, while switching between the first detection mode and the second detection mode is still possible.
Further, the detection control instruction is also used for instructing the first detection module to release the second detection module. After the first detection module releases the second detection module, it can continue to run the first detection mode, which reduces the operating load on the system.
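The case analysis above and the loadable-module embodiment can be expressed as one decision function; the following Python is an added example, not code from the patent. The step names, the `NodeState` fields and the `preempt`/`release_after` switches are hypothetical, and three behaviours are assumptions of this example: reusing the idle-case steps once the first mode has ended or been stopped, applying the wait/stop step in the loadable layout, and sending nothing to a node already running the second mode.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Layout(Enum):
    STANDALONE = "standalone"  # second module runs the second mode by itself
    LOADABLE = "loadable"      # second module must be loaded into the first


class Step(Enum):
    WAIT_FIRST_MODE_END = "wait_first_mode_end"
    STOP_FIRST_MODE = "stop_first_mode"
    CLOSE_FIRST_MODULE = "close_first_module"
    DEPLOY_SECOND_MODULE = "deploy_second_module"
    LOAD_SECOND_INTO_FIRST = "load_second_into_first"
    RUN_SECOND_MODE = "run_second_mode"
    RELEASE_SECOND_MODULE = "release_second_module"


@dataclass(frozen=True)
class NodeState:
    """What the first node derives from a target node's status report."""
    layout: Layout
    started_module: str                 # "first" or "second"
    running_mode: Optional[str] = None  # None (idle), "first" or "second"
    second_loaded: bool = False         # LOADABLE layout only


def build_instruction(state: NodeState, preempt: bool = False,
                      release_after: bool = True) -> List[Step]:
    """Return the ordered steps of the detection control instruction."""
    if state.started_module not in ("first", "second"):
        raise ValueError(f"unknown module: {state.started_module!r}")
    if state.running_mode not in (None, "first", "second"):
        raise ValueError(f"unknown mode: {state.running_mode!r}")
    if state.layout is Layout.LOADABLE and state.started_module != "first":
        raise ValueError("loadable layout always starts the first module")

    # Assumption: a node already in the second mode needs no instruction.
    if state.running_mode == "second":
        return []

    steps: List[Step] = []
    if state.running_mode == "first":
        if state.started_module != "first":
            raise ValueError("first mode reported without first module")
        # Either let the lightweight run finish or interrupt it.
        steps.append(Step.STOP_FIRST_MODE if preempt
                     else Step.WAIT_FIRST_MODE_END)

    if state.layout is Layout.STANDALONE:
        if state.started_module == "second":
            # Second module started but idle: only tell it to run.
            return [Step.RUN_SECOND_MODE]
        # First module started: swap modules, then run the second mode.
        steps += [Step.CLOSE_FIRST_MODULE, Step.DEPLOY_SECOND_MODULE,
                  Step.RUN_SECOND_MODE]
        return steps

    # LOADABLE: the two modules run the second mode together.
    if not state.second_loaded:
        steps.append(Step.LOAD_SECOND_INTO_FIRST)
    steps.append(Step.RUN_SECOND_MODE)
    if release_after:
        # Releasing lets the node fall back to the lighter first mode.
        steps.append(Step.RELEASE_SECOND_MODULE)
    return steps
```
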
In an exemplary embodiment of the present application, the first node is further associated with a third node, and the third node deploys only the first detection module, or no detection module at all. For the form the third node may take, refer to the description of the second node. During operation of a distributed network, external nodes are often transferred into the network. The detection module of such an external node may be configured differently from those of this network, but because the external node now also belongs to this network, it must also be brought within the scope of detection management. Therefore, when the first node acquires the feature information of the second nodes, it also acquires the feature information of the third node, and determines from that information whether the detection modules in the third node are deployed in the same way as in the second nodes. If they are not, the detection module loader is sent to the third node and controlled to deploy the first detection module and/or the second detection module to the third node, to facilitate subsequent unified management.
According to one aspect of the present application, there is provided a computer system comprising:
a first node;
a plurality of second nodes, each associated with the first node, wherein a first detection module and a second detection module are arranged in each second node, the first detection module is used for running a first detection mode, the second detection module is used for running a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
wherein,
the first node is used for determining the importance degree of each second node, determining at least one target node from the plurality of second nodes according to the importance degree of each second node, determining the detection sequence of each target node, and sequentially sending a detection control instruction to at least one target node according to the detection sequence;
and the second node is used for controlling the operation of the first detection module and the second detection module according to the detection control instruction.
The first node and the second nodes form a distributed computer network. The first node may be a computer or server at the control end. A second node may be a virtual machine built on the hardware resources of the first node or on other cloud resources, or a physical computer or electronic device with certain hardware resources. The association between the first node and a second node means that the first node has control authority over the second node to some extent; for example, it can instruct the second node to start a corresponding detection mode to perform malicious-code detection on itself. There may also be multiple first nodes, each associated with a plurality of second nodes. The first nodes can each control their associated second nodes independently, or communicate with one another to jointly judge the importance of all associated second nodes.
The first detection mode and the second detection mode in the second node may be provided by corresponding detection modules or detection programs installed in the second node. Because the two modes differ in detection level, the first detection mode can be generally understood as a lightweight detection mode and the second as a heavyweight one. The difference in detection level shows in whether the virus library data is more comprehensive, whether more detection algorithms are used, and whether the detected directories or addresses are more comprehensive. Notably, a detection mode with a higher detection level calls on more system software and hardware resources when it runs. In a distributed system, most nodes are allocated software and hardware resources only according to their original functions, so existing distributed systems carry out unified detection by uniformly deploying a lightweight detection mode, which gives rise to the potential security risk that nodes of high importance cannot use a heavyweight detection mode.
In the detection control method provided by this embodiment, the first node to which the method is applied can calculate the importance of its associated second nodes, determine the target nodes from the plurality of second nodes according to the calculated importance, and then send detection control instructions specifically to the target nodes so that their detection mode is switched to the second detection mode with the higher detection level. Under the control of the first node, the distributed second nodes can thus enter targeted deep detection according to their importance, which avoids every second node using the same detection mode without differentiation. Meanwhile, because both the first detection mode and the second detection mode are deployed on every second node, a large number of second nodes can be deployed without node-specific deployment, which reduces the difficulty and workload of deployment. In addition, the first node can assign a detection order to the target nodes according to information such as each second node's current work, software and hardware state and importance, so that a second node is prevented from entering the second detection mode while its system resources are scarce because of its current work. Even if all target nodes are idle, the first node can still take the resource situation of the whole distributed system into account and issue the detection control instructions to the target nodes one after another at certain time intervals, which avoids a sudden surge in resource usage across the whole system caused by multiple target nodes entering the second detection mode at the same time.
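The first node's pipeline described above (score importance, pick target nodes, fix a detection order, stagger the instructions) is sketched below as an added Python example, not code from the patent. The judgment matrix values, feature categories, node data, threshold, busy cutoff and interval are constructed; deriving the weights as the normalised principal eigenvector of the N-order judgment matrix (the usual analytic-hierarchy reading), using one matrix for all nodes, and placing busy nodes last are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


def ahp_weights(judgment: Sequence[Sequence[float]],
                iters: int = 100) -> List[float]:
    """Normalised principal eigenvector of a pairwise judgment matrix,
    computed by power iteration (assumed weighting method)."""
    n = len(judgment)
    if n == 0 or any(len(row) != n for row in judgment):
        raise ValueError("judgment matrix must be square and non-empty")
    w = [1.0 / n] * n
    for _ in range(iters):
        nxt = [sum(judgment[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(nxt)
        w = [x / total for x in nxt]
    return w


@dataclass(frozen=True)
class SecondNode:
    name: str
    features: Tuple[float, ...]  # N feature categories, each scaled to 0..1
    load: float                  # current resource utilisation, 0..1


def importance(node: SecondNode, weights: Sequence[float]) -> float:
    """Weighted sum of the node's feature data."""
    if len(node.features) != len(weights):
        raise ValueError(f"{node.name}: expected {len(weights)} features")
    return sum(f * w for f, w in zip(node.features, weights))


def plan_dispatch(nodes: Sequence[SecondNode],
                  judgment: Sequence[Sequence[float]],
                  threshold: float,
                  busy_load: float = 0.8,
                  interval_s: int = 300) -> List[Tuple[int, str, float]]:
    """Return (send offset in seconds, node name, importance) per target."""
    weights = ahp_weights(judgment)
    scored = [(importance(n, weights), n) for n in nodes]
    # Target nodes: importance at or above the threshold (assumed rule).
    targets = [(s, n) for s, n in scored if s >= threshold]
    # Nodes busy with current work go last so the heavyweight scan does not
    # compete with it; otherwise the most important node is scanned first.
    targets.sort(key=lambda sn: (sn[1].load >= busy_load, -sn[0], sn[1].name))
    # One instruction per interval, so targets do not all enter the second
    # detection mode at once and spike system-wide resource use.
    return [(i * interval_s, n.name, round(s, 3))
            for i, (s, n) in enumerate(targets)]


# Constructed sample input. Hypothetical feature categories, in order:
# data sensitivity, network exposure, business criticality.
JUDGMENT = [
    [1.0, 2.0, 4.0],
    [0.5, 1.0, 2.0],
    [0.25, 0.5, 1.0],
]
NODES = [
    SecondNode("db-01", (0.9, 0.8, 0.7), load=0.90),
    SecondNode("web-01", (0.6, 0.9, 0.2), load=0.30),
    SecondNode("ci-01", (0.7, 0.4, 0.9), load=0.10),
    SecondNode("kiosk-01", (0.1, 0.2, 0.3), load=0.05),
]

if __name__ == "__main__":
    for offset, name, score in plan_dispatch(NODES, JUDGMENT, threshold=0.5):
        print(f"t+{offset:>4}s  {name:<8}  importance={score}")
```
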
Referring to Fig. 2, according to an aspect of the present application, there is provided a detection control apparatus applied to a first node, the first node being associated with a plurality of second nodes, the second nodes having a first detection mode and a second detection mode, and a detection level of the second detection mode being higher than a detection level of the first detection mode;
the device comprises:
a first determining module, configured to determine an importance level of each of the second nodes;
a second determining module, configured to determine at least one target node from the plurality of second nodes according to the importance degree of each second node;
a third determining module, configured to determine a detection order of each target node;
a sending module, configured to sequentially send a detection control instruction to at least one target node according to the detection sequence; the detection control instruction is used for instructing the target node to switch to a second detection mode.
Moreover, although the steps of a method of the present disclosure are depicted in a particular order in the drawings, this does not require or imply that all of the steps must be performed in this particular order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In the exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
The following describes an electronic device according to this embodiment of the invention. The electronic device is only an example and should not impose any limitation on the function and scope of use of the embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of the electronic device may include, but are not limited to: at least one processor, at least one memory, and a bus connecting the various system components (including the memory and the processor).
The memory stores program code executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the present invention as described in the "exemplary methods" section above.
The memory may include readable media in the form of volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The memory may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The bus may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. Also, the electronic device may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via a network adapter. As shown, the network adapter communicates with other modules of the electronic device over a bus. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the Internet using an Internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A detection control method, applied to a first node, wherein the first node is associated with a plurality of second nodes, the second nodes have a first detection mode and a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
the method comprises the following steps:
determining the importance of each of the second nodes;
determining at least one target node from a plurality of second nodes according to the importance degree of each second node;
determining the detection sequence of each target node;
according to the detection sequence, sequentially sending a detection control instruction to at least one target node; the detection control instruction is used for instructing the target node to switch to a second detection mode.
2. The detection control method according to claim 1, wherein said determining the importance level of each of the second nodes comprises:
acquiring characteristic information of a plurality of second nodes;
and determining the importance degree of each second node according to the characteristic information.
3. The detection control method according to claim 2, wherein the feature information includes N categories of feature data corresponding to each of the second nodes;
the determining the importance degree of each second node according to the feature information includes:
determining a feature vector corresponding to each second node according to the N-order judgment matrix and the N categories of feature data corresponding to each second node;
determining the importance degree of each second node according to the characteristic vector corresponding to each second node;
the feature vector is used for representing weight data corresponding to the feature data of each category corresponding to the second node corresponding to the feature vector.
4. The detection control method according to claim 1, wherein a first detection module and a second detection module are arranged in the second node, the first detection module is used for operating a first detection mode, and the second detection module is used for operating a second detection mode;
before the sequentially sending the detection control instruction to at least one of the target nodes according to the detection sequence, the method further includes:
determining a detection module currently deployed by the target node;
and under the condition that the detection module currently deployed by the target node is a first detection module, the detection control instruction is used for indicating the target node to close the first detection module, deploy the second detection module and control the second detection module to operate the second detection mode.
5. The detection control method according to claim 1, wherein a first detection module and a second detection module are arranged inside the second node, the first detection module is used for operating a first detection mode, and the second detection module can be loaded into the first detection module so that the first detection module can operate the second detection mode;
before the sequentially sending the detection control instruction to at least one of the target nodes according to the detection sequence, the method further includes:
determining a current state of the first detection module in the target node;
and under the condition that the second detection module is not loaded by the first detection module in the target node, the detection control instruction is used for instructing the target node to load the second detection module into the first detection module and controlling the first detection module to operate the second detection mode.
6. The detection control method according to claim 5, wherein the detection control instruction is further configured to instruct the first detection module to release the second detection module.
7. A computer system, comprising:
a first node;
a plurality of second nodes, each associated with the first node, wherein a first detection module and a second detection module are arranged in each second node, the first detection module is used for operating a first detection mode, the second detection module is used for operating a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
wherein,
the first node is used for determining the importance degree of each second node, determining at least one target node from the plurality of second nodes according to the importance degree of each second node, determining the detection sequence of each target node, and sequentially sending a detection control instruction to at least one target node according to the detection sequence;
and the second node is used for controlling the operation of the first detection module and the second detection module according to the detection control instruction.
8. A detection control device, applied to a first node, wherein a plurality of second nodes are associated with the first node, the second nodes have a first detection mode and a second detection mode, and the detection level of the second detection mode is higher than that of the first detection mode;
the device comprises:
a first determining module, configured to determine an importance level of each of the second nodes;
a second determining module, configured to determine at least one target node from the plurality of second nodes according to the importance degree of each second node;
a third determining module, configured to determine a detection order of each target node;
a sending module, configured to sequentially send a detection control instruction to at least one target node according to the detection sequence; the detection control instruction is used for instructing the target node to switch to a second detection mode.
9. An electronic device comprising a processor and a memory;
the processor is adapted to perform the steps of the method of any one of claims 1 to 6 by calling a program or instructions stored in the memory.
10. A computer-readable storage medium, characterized in that it stores a program or instructions for causing a computer to carry out the steps of the method according to any one of claims 1 to 6.
CN202111640036.2A 2021-12-29 2021-12-29 Detection control method, detection control device, electronic equipment, storage medium and computer system Active CN114338170B (en)

Publications (2)

Publication Number Publication Date
CN114338170A (en) 2022-04-12
CN114338170B (en) 2023-12-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant