CN115996152B - Security protection method, device, equipment and storage medium - Google Patents

Security protection method, device, equipment and storage medium

Info

Publication number
CN115996152B
Authority
CN
China
Prior art keywords
file
target
security
access request
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310290295.XA
Other languages
Chinese (zh)
Other versions
CN115996152A (en)
Inventor
许立宪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Tengda Taiyuan Technology Co ltd
Original Assignee
Beijing Tengda Taiyuan Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Tengda Taiyuan Technology Co ltd
Priority to CN202310290295.XA
Publication of CN115996152A
Application granted
Publication of CN115996152B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of computers and discloses a security protection method, device, equipment and storage medium. The running state of the cloud platform is monitored in real time; when the cloud platform is detected to be transmitting a file, the file type of the transmitted file is acquired; if the file type is a preset type, the security protection level corresponding to the file receiving target is acquired; security detection is carried out on the transmitted file by the file detection module corresponding to that security protection level; and when the security detection passes, the transmitted file is forwarded to the file receiving target. Because different file detection modules are selected for security detection according to the security protection level, a cloud platform user can set a suitable security protection level according to actual needs, which improves the user's actual experience.

Description

Security protection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a security protection method, apparatus, device, and storage medium.
Background
At present, with the development of computing technology, cloud technology is applied more and more widely, and the question of how to protect a cloud platform and ensure the security of the data in it arises. Stricter security protection consumes more time, so an existing cloud platform generally provides only basic protection in order to suit most users; the protection level is therefore low, the data security of enterprises is difficult to ensure, and the user experience is poor.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a security protection method, device, equipment and storage medium, and aims to solve the technical problem that a cloud platform in the prior art provides only basic protection and offers a poor user experience.
To achieve the above object, the present invention provides a security protection method, which includes the following steps:
monitoring the running state of the cloud platform in real time;
when the cloud platform is detected to transmit the file, acquiring the file type of the transmitted file;
if the file type is the preset type, acquiring a security protection level corresponding to a file receiving target;
carrying out security detection on the transmitted file through a file detection module corresponding to the security protection level;
and when the security detection passes, forwarding the transmitted file to the file receiving target.
Optionally, there are multiple file detection modules corresponding to the security protection level;
the step of performing security detection on the transmitted file by the file detection module corresponding to the security protection level includes:
searching a preset level module mapping table for the plurality of file detection modules corresponding to the security protection level;
performing security detection on the transmitted file separately through each of the plurality of file detection modules, so as to obtain a plurality of file detection results;
and if the file detection results all indicate that the file is safe, judging that the security detection is passed.
Optionally, after the step of monitoring the operation state of the cloud platform in real time, the method further includes:
when an external access request is detected, an access target corresponding to the external access request is obtained;
detecting whether the access target is a blacklist target;
if the access target is not the blacklist target, acquiring an access authority level corresponding to a request initiator of the external access request;
searching an access limit rule corresponding to the access right level;
and if the access target is not matched with the access limiting rule, sending the external access request to the access target.
Optionally, after the step of monitoring the operation state of the cloud platform in real time, the method further includes:
when a data access request is detected, acquiring a request initiation type of the data access request;
if the request initiating type is an intranet initiating type, acquiring an accessed target corresponding to the data access request;
if the accessed target is not a database, detecting whether the accessed target is a sensitive target or not;
if the target is a sensitive target, extracting a visitor identifier from the data access request;
detecting whether a request initiator corresponding to the visitor identifier has the authority to access the accessed target;
and if so, sending the data access request to the accessed target.
Optionally, after the step of obtaining the accessed target corresponding to the data access request if the request initiation type is an intranet initiation type, the method further includes:
if the accessed target is a database, extracting a visitor identifier and a database operation statement from the data access request;
determining the request initiator according to the visitor identifier;
reading the database account identifier currently logged in on the request initiator, and searching for the data operation authority list corresponding to that database account identifier;
detecting whether the execution authority corresponding to the database operation statement is in the data operation authority list;
and if it is in the data operation authority list, sending the data access request to the database.
Optionally, after the step of acquiring the request initiation type of the data access request when the data access request is detected, the method further includes:
if the request initiating type is an external network initiating type, detecting whether an accessed target corresponding to the data access request is a database or not;
if the target is not the database, detecting whether the accessed target is a core business target or not;
if the target is not the core business target, obtaining a visitor identifier corresponding to the data access request;
acquiring an access right set corresponding to the visitor identifier;
and if the accessed target is in the access right set, sending the data access request to the accessed target.
Optionally, after the step of detecting whether the accessed target corresponding to the data access request is a database if the request initiation type is an external network initiation type, the method further includes:
if the accessed target is a database, detecting whether the data access request is forwarded by a bastion host;
if it is forwarded by the bastion host, acquiring the database operation statement in the data access request and the database account identifier currently logged in on the bastion host;
detecting whether the database account corresponding to the database account identifier has the authority to execute the database operation statement;
and if so, sending the data access request to the database.
In addition, to achieve the above object, the present invention also provides a security protection device, which includes the following modules:
the platform monitoring module is used for monitoring the running state of the cloud platform in real time;
the type acquisition module is used for acquiring the file type of the transmitted file when the cloud platform is detected to transmit the file;
the level acquisition module is used for acquiring a security protection level corresponding to a file receiving target if the file type is a preset type;
the security detection module is used for carrying out security detection on the transmitted file through the file detection module corresponding to the security protection level;
and the data forwarding module is used for forwarding the transmitted file to the file receiving target when the security detection passes.
In addition, to achieve the above object, the present invention also proposes security protection equipment, which may include: a processor, a memory, and a security protection program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the security protection method as described above.
In addition, to achieve the above object, the present invention also proposes a computer-readable storage medium having stored thereon a security protection program which, when executed by a processor, implements the steps of the security protection method as described above.
The running state of the cloud platform is monitored in real time; when the cloud platform is detected to be transmitting a file, the file type of the transmitted file is acquired; if the file type is a preset type, the security protection level corresponding to the file receiving target is acquired; security detection is carried out on the transmitted file by the file detection module corresponding to that security protection level; and when the security detection passes, the transmitted file is forwarded to the file receiving target. Because different file detection modules are selected for security detection according to the security protection level, a cloud platform user can set a suitable security protection level according to actual needs, which improves the user's actual experience.
Drawings
FIG. 1 is a schematic diagram of an electronic device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flow chart of a first embodiment of the security protection method of the present invention;
FIG. 3 is a flow chart of a second embodiment of the security protection method of the present invention;
FIG. 4 is a flow chart of a third embodiment of the security protection method of the present invention;
FIG. 5 is a flow chart of a fourth embodiment of the security protection method of the present invention;
FIG. 6 is a block diagram of a first embodiment of the security protection device of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a security protection device of a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the electronic device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (WI-FI) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable nonvolatile memory (NVM), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 is not limiting of the electronic device and may include more or fewer components than shown, or may combine certain components, or may be arranged in different components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a security protection program may be included in the memory 1005 as one type of storage medium.
In the electronic device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the electronic device of the present invention may be disposed in a security protection device, where the electronic device invokes a security protection program stored in the memory 1005 through the processor 1001, and executes a security protection method provided by an embodiment of the present invention.
An embodiment of the present invention provides a security protection method, referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the security protection method of the present invention.
In this embodiment, the security protection method includes the following steps:
Step S10: monitoring the running state of the cloud platform in real time.
It should be noted that the execution body of this embodiment may be the security protection device. The security protection device may be an electronic device capable of monitoring the state of the cloud platform and intercepting and controlling its data, such as a personal computer or a server; it may of course also be another device capable of implementing the same or similar functions, which this embodiment does not limit. In this embodiment and the following embodiments, the security protection method of the present invention is described by taking the security protection device as an example.
It should be noted that real-time monitoring of the operation state of the cloud platform may mean monitoring the operation state, data transmission, network requests, data reception, and the like of each application or virtual device in the cloud platform. The virtual device may be, for example, a virtual machine or a virtual gateway.
Step S20: when the cloud platform is detected to be transmitting a file, obtaining the file type of the transmitted file.
It should be noted that if any software in the cloud platform is detected receiving or sending a file, it may be determined that the cloud platform is transmitting a file. Since an attack on the cloud platform that is delivered by file transfer necessarily uses a file of a particular type, the file type of the transmitted file is obtained at this point. The file type may be obtained by reading the file suffix and determining the file type according to that suffix.
In a specific implementation, after the file type is acquired, part of the data in the file can be read, and whether the file's suffix is disguised can be detected from the data format or data form of that part (that is, whether the content matches the type claimed by the suffix).
Step S30: if the file type is a preset type, acquiring the security protection level corresponding to the file receiving target.
It should be noted that if the file type of the transmitted file is a preset type, the transmitted file could possibly be used for an attack; at this time, in order to select a suitable detection module for detection, the security protection level corresponding to the file receiving target may be obtained.
The preset types may be set in advance by a manager of the cloud platform, for example: files whose suffix is 'js', 'exe' and the like are taken as preset types. The file receiving target may be an application or virtual device in the cloud platform that receives the transferred file. The security protection level may be preset by an administrator of the cloud platform or by the user of the cloud platform who owns the file receiving target.
Step S40: carrying out security detection on the transmitted file through the file detection module corresponding to the security protection level.
It should be noted that a plurality of file detection modules with different detection intensities can be set up in the cloud platform, and different security protection levels can correspond to different file detection modules: the higher the security protection level, the higher the detection intensity of the corresponding file detection module, the higher its detection accuracy, and the longer its detection time.
In a specific implementation, in order to improve the accuracy of file detection, the transmitted file may be detected by a plurality of different file detection modules so as to make file detection as secure as possible. Each security protection level may then correspond to a plurality of file detection modules, and step S40 in this embodiment may include:
searching a plurality of file detection modules corresponding to the security protection level in a preset level module mapping table;
the transmitted files are respectively subjected to security detection through the plurality of file detection modules, so that a plurality of file detection results are obtained;
and if the file detection results are all file security, judging that the security detection is passed.
It should be noted that the preset level module mapping table may store the correspondence between security protection levels and file detection modules; the correspondence may be preset by an administrator, and the higher the security protection level, the greater the number of corresponding file detection modules.
In a specific implementation, searching the preset level module mapping table for the plurality of file detection modules corresponding to the security protection level may mean selecting every file detection module in the table whose level is less than or equal to the security protection level corresponding to the file receiving target.
For example: assuming that five file detection modules A, B, C, D and E exist in the preset level module mapping table, with corresponding security protection levels 1, 2, 3, 4 and 5 respectively, then if the security protection level corresponding to the file receiving target is 4, the file detection modules found are A, B, C and D.
In actual use, after the plurality of file detection modules corresponding to the security protection level are obtained, the transmitted file can be passed to all of them at the same time, so that the file detection modules detect the transmitted file concurrently and produce a plurality of file detection results.
It will be appreciated that if all of the file detection results indicate that the file is safe, the transmitted file is not a file used for an attack, and it can be determined that the security detection passes. If any one of the file detection results does not indicate that the file is safe, the transmitted file may be used for an attack, and the file transmission can be intercepted at this point.
Step S50: when the security detection passes, forwarding the transmitted file to the file receiving target.
It will be appreciated that if the security detection passes, the transmitted file is not a file used for a malicious attack, and it may be forwarded to the file receiving target.
This embodiment monitors the running state of the cloud platform in real time; when the cloud platform is detected to be transmitting a file, acquires the file type of the transmitted file; if the file type is a preset type, acquires the security protection level corresponding to the file receiving target; carries out security detection on the transmitted file through the file detection module corresponding to that security protection level; and when the security detection passes, forwards the transmitted file to the file receiving target. Because different file detection modules are selected for security detection according to the security protection level, a cloud platform user can set a suitable security protection level according to actual needs, which improves the user's actual experience.
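As an added illustration of steps S20 to S50 (example code, not the patent's or its assignee's), the following Python models the suffix-disguise check, the level module mapping table lookup (every module whose level is at or below the receiving target's level) and the all-must-pass rule. The preset types, byte signatures and the five detector modules A to E are constructed assumptions, and intercepting a file whose content contradicts its suffix is this example's choice rather than a step the description spells out.

```python
import concurrent.futures
import os
from typing import Callable, Dict, List, Tuple

# Constructed assumption: file types the administrator treats as preset (risky)
# types; the description names 'js' and 'exe' as examples.
PRESET_TYPES = {"js", "exe"}

# Constructed assumption: leading-byte signatures used for the suffix-disguise
# check, i.e. the file content must agree with what the suffix claims.
MAGIC = {
    "exe": b"MZ",        # PE executables begin with 'MZ'
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
}

def file_type_from_name(name: str) -> str:
    """Step S20: derive the file type from the file suffix."""
    _, ext = os.path.splitext(name)
    return ext.lstrip(".").lower()

def suffix_disguised(name: str, head: bytes) -> bool:
    """True when the first bytes contradict the type claimed by the suffix."""
    sig = MAGIC.get(file_type_from_name(name))
    if sig is None:
        return False  # no signature on record for this suffix: cannot tell
    return not head.startswith(sig)

# A detector returns True when it judges the file safe. These are constructed
# stand-ins for the patent's file detection modules of differing intensity.
Detector = Callable[[bytes], bool]

def within_size_limit(data: bytes) -> bool:
    return len(data) < 1_000_000

def no_script_tag(data: bytes) -> bool:
    return b"<script" not in data.lower()

def no_eval_call(data: bytes) -> bool:
    return b"eval(" not in data

def no_shell_launch(data: bytes) -> bool:
    return b"powershell" not in data.lower()

def deep_scan_placeholder(data: bytes) -> bool:
    return True  # stand-in for a slow, high-accuracy scanner

# Preset level module mapping table: module name -> (security protection level, detector).
LEVEL_MODULE_TABLE: Dict[str, Tuple[int, Detector]] = {
    "A": (1, within_size_limit),
    "B": (2, no_script_tag),
    "C": (3, no_eval_call),
    "D": (4, no_shell_launch),
    "E": (5, deep_scan_placeholder),
}

def modules_for_level(level: int) -> List[str]:
    """Select every module whose level is <= the target's level (A, B, C, D for level 4)."""
    return sorted(name for name, (lvl, _) in LEVEL_MODULE_TABLE.items() if lvl <= level)

def security_detection(data: bytes, level: int) -> Tuple[bool, Dict[str, bool]]:
    """Step S40: run the selected modules concurrently; pass only if all report safe."""
    names = modules_for_level(level)
    with concurrent.futures.ThreadPoolExecutor() as pool:
        futures = {n: pool.submit(LEVEL_MODULE_TABLE[n][1], data) for n in names}
        results = {n: f.result() for n, f in futures.items()}
    return all(results.values()), results

def gate_transfer(name: str, data: bytes, target_level: int) -> str:
    """Steps S20 to S50 end to end: returns 'forward' or 'intercept'."""
    if suffix_disguised(name, data[:8]):
        return "intercept"   # content contradicts the suffix (this example's choice)
    if file_type_from_name(name) not in PRESET_TYPES:
        return "forward"     # not a preset type, so no detection is needed
    passed, _ = security_detection(data, target_level)
    return "forward" if passed else "intercept"

if __name__ == "__main__":
    print(modules_for_level(4))                               # ['A', 'B', 'C', 'D']
    print(gate_transfer("app.js", b"eval(atob('...'))", 2))   # forward (only A and B run)
    print(gate_transfer("app.js", b"eval(atob('...'))", 3))   # intercept (C rejects eval)
```

The same file is forwarded at level 2 and intercepted at level 3, which is exactly the trade-off the description leaves to the user's choice of security protection level.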
Referring to fig. 3, fig. 3 is a flow chart of a second embodiment of the security protection method according to the present invention.
Based on the above-mentioned first embodiment, after step S50 the security protection method of this embodiment further includes:
Step S60: when an external access request is detected, acquiring the access target corresponding to the external access request.
It should be noted that the external access request may be a request initiated by an application or virtual device in the cloud platform to access an external device or website. Obtaining the access target corresponding to the external access request may mean parsing the external access request to obtain the request target named in it, sending a blank (empty) request to that request target, and then treating the originator of the response to the blank request as the access target.
Step S70: detecting whether the access target is a blacklist target.
It should be noted that whether the access target is a blacklist target may be detected by checking whether the IP address or device identification code of the access target is in a preset blacklist: if so, the access target is determined to be a blacklist target; if not, it is determined not to be a blacklist target.
Step S80: if the access target is not a blacklist target, acquiring the access authority level corresponding to the request initiator of the external access request.
If the access target is not a blacklist target, it may be checked whether the request initiator has the access right to reach the access target, and at this time the access authority level corresponding to the request initiator of the external access request may be obtained. The request initiator can be the application or virtual device in the cloud platform that initiated the external access request, and the access authority level corresponding to the request initiator can be preset by a manager of the cloud platform according to actual needs.
Step S90: searching for the access restriction rule corresponding to the access authority level.
It should be noted that different access authority levels may correspond to different access restriction rules, and the access restriction rules may be preset by a manager of the cloud platform. For example: if the access restriction rule is set to "| x", this indicates that all external access is prohibited, and if the access restriction rule is set to "| AXX", this indicates that access to all domain names beginning with AXX is prohibited.
Step S100: if the access target does not match the access restriction rule, sending the external access request to the access target.
It will be appreciated that if the access target does not match the access restriction rule, the request initiator is not prohibited from accessing the access target, and therefore the external access request may be sent to the access target.
If the access target does match the access restriction rule, the request initiator is prohibited from accessing the access target; at this point the external access request can be intercepted and a corresponding interception log generated and stored.
In this embodiment, when an external access request is detected, the access target corresponding to the external access request is obtained; whether the access target is a blacklist target is detected; if the access target is not a blacklist target, the access authority level corresponding to the request initiator of the external access request is acquired; the access restriction rule corresponding to that access authority level is searched for; and if the access target does not match the access restriction rule, the external access request is sent to the access target. Because blacklist detection and access restriction detection are carried out when an external access request is detected, enterprise users can set corresponding access rules according to actual needs, avoiding losses caused by enterprise staff accessing malicious websites.
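As an added example for steps S60 to S100 (not the patent's own code), the following Python checks the access target against a blacklist of IP addresses and device identification codes, then applies the access restriction rules of the initiator's access authority level and logs interceptions. The blacklist, initiator levels and rule grammar are constructed assumptions; the grammar is modelled loosely on the page's two rules (a leading '|' prohibits, '*' means every external target, any other text is a prohibited domain-name prefix).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class AccessTarget:
    """What step S60 resolves from the external access request."""
    domain: str
    ip: str
    device_id: Optional[str] = None

# Constructed blacklist (step S70): IP addresses and device identification codes.
BLACKLIST = {"203.0.113.9", "DEV-BAD-0001"}

# Constructed assumption: request initiator -> access authority level (step S80).
INITIATOR_LEVELS: Dict[str, int] = {"vm-finance-01": 1, "app-crawler": 2, "vm-admin": 3}

# Constructed assumption (step S90): level -> access restriction rules. Rule
# grammar assumed here: '|' prefix = prohibition, '*' = every external target,
# anything else = prohibited domain-name prefix (cf. the page's "| x" and "| AXX").
LEVEL_RULES: Dict[int, List[str]] = {
    1: ["|*"],
    2: ["|AXX", "|mail."],
    3: [],
}

INTERCEPT_LOG: List[str] = []

def is_blacklisted(target: AccessTarget) -> bool:
    """Step S70: IP address or device identification code in the preset blacklist."""
    return target.ip in BLACKLIST or (
        target.device_id is not None and target.device_id in BLACKLIST)

def rule_matches(rule: str, domain: str) -> bool:
    """Step S100: does this access restriction rule prohibit the given domain name?"""
    if not rule.startswith("|"):
        raise ValueError(f"unrecognised access restriction rule: {rule!r}")
    pattern = rule[1:].strip()
    if pattern == "*":
        return True
    return domain.lower().startswith(pattern.lower())

def decide_external_access(initiator: str, target: AccessTarget) -> Tuple[str, str]:
    """Steps S70 to S100: returns ('send' | 'intercept', reason)."""
    if is_blacklisted(target):
        return "intercept", "blacklist"
    level = INITIATOR_LEVELS.get(initiator)
    if level is None:
        return "intercept", "unknown initiator"   # fail closed: no level, no rules to consult
    for rule in LEVEL_RULES.get(level, []):
        if rule_matches(rule, target.domain):
            return "intercept", rule
    return "send", "no rule matched"

def handle_external_request(initiator: str, target: AccessTarget) -> str:
    """Send the request on, or intercept it and record an interception log entry."""
    decision, reason = decide_external_access(initiator, target)
    if decision == "intercept":
        INTERCEPT_LOG.append(
            f"initiator={initiator} target={target.domain}/{target.ip} reason={reason}")
    return decision

if __name__ == "__main__":
    print(handle_external_request("app-crawler", AccessTarget("axx-news.example", "198.51.100.6")))
    print(INTERCEPT_LOG)
```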
Referring to fig. 4, fig. 4 is a flow chart of a third embodiment of the security protection method according to the present invention.
Based on the above-mentioned first embodiment, after step S50 the security protection method of this embodiment further includes:
Step S60': when a data access request is detected, acquiring the request initiation type of the data access request.
It should be noted that the data access request may be a request received by an application or a virtual device inside the cloud platform for acquiring data. The request initiation type can be divided into two types of intranet initiation type and extranet initiation type according to the difference of the request initiator.
Step S70': and if the request initiating type is an intranet initiating type, acquiring an accessed target corresponding to the data access request.
It should be noted that, if the request initiation type is the intranet initiation type, it indicates that the application or the virtual device in the cloud platform is accessing other applications or virtual devices in the same cloud platform. The accessed target may be an application or a virtual device in the cloud platform that receives the data access request.
Step S80': if the accessed target is not a database, detecting whether the accessed target is a sensitive target.
It will be appreciated that if the accessed target is not a database, whether the accessed target is a sensitive target can be detected, so as to determine whether further detection is required.
Whether the application or the virtual device in the cloud platform is a sensitive target or not can be preset by a manager or a user of the cloud platform.
Step S90': if the accessed target is a sensitive target, extracting the visitor identifier from the data access request.
It will be appreciated that if the accessed target is a sensitive target, it means that the accessed target is an application or virtual device with sensitive data, and further detection is required at this time to determine whether the request initiator has the right to access the accessed target, so that the visitor identifier can be extracted from the data access request. The visitor identification may be a unique identification of an application or device that initiated the data access request in the cloud platform.
Step S100': and detecting whether the request initiator corresponding to the visitor identifier has the authority to access the accessed target.
It should be noted that, detecting whether the request initiator corresponding to the visitor identifier has the authority to access the accessed target may be to search the authority level corresponding to the visitor identifier, compare the searched authority level with the authority level required by accessing the accessed target, and if the authority level corresponding to the visitor identifier is higher than the authority level required by accessing the accessed target, determine that the request initiator has the authority to access the accessed target.
Step S110': if so, sending the data access request to the accessed target.
It will be appreciated that if the request initiator has the right to access the accessed target, it is allowed to access the accessed target at this time, and therefore the data access request may be sent to the accessed target. If it does not have the right to access the accessed target, the data access request can be intercepted at this point.
In a specific implementation, since the database stores core data, further verification is required when the accessed target is a database, and after step S70' in this embodiment the method further includes:
if the accessed target is a database, extracting a visitor identifier and a database operation statement from the data access request;
determining a request initiator according to the visitor identification;
reading a database account identifier currently logged in the request initiator, and searching a data operation authority list corresponding to the database account identifier;
detecting whether the execution authority corresponding to the database operation statement is in the data operation authority list;
and if it is in the data operation authority list, sending the data access request to the database.
It should be noted that the data operation authority list may include the data tables in the database that can be accessed, and the operations that may be executed on each accessible data table.
For example: if database account a is only allowed to access the three data tables A, B and C in the database, and only has the authority to view, modify and add data in table A, and only the authority to view data in tables B and C, then the corresponding database operation authority list is "{A: select, update, insert, B: select, C: select}".
In a specific implementation, detecting whether the execution authority corresponding to the database operation statement is in the data operation authority list may mean obtaining the target data table and the operation type corresponding to the database operation statement, checking whether the database operation authority list contains an entry corresponding to the target data table, and if so, further detecting whether that entry has the keyword corresponding to the operation type; if it does, it is judged that the execution authority corresponding to the database operation statement is in the data operation authority list, otherwise it is judged not to be.
It can be understood that if the execution authority corresponding to the database operation statement is in the data operation authority list, the request initiator has the authority to have the database execute the database operation statement, so the data access request can be sent to the database, which executes the data operation statement contained in the data access request. If the execution authority corresponding to the database operation statement is not in the data operation authority list, the data access request can be intercepted at this point.
In this embodiment, when a data access request is detected, the request initiation type of the data access request is obtained; if the request initiation type is an intranet initiation type, the accessed target corresponding to the data access request is obtained; if the accessed target is not a database, whether the accessed target is a sensitive target is detected; if it is a sensitive target, a visitor identifier is extracted from the data access request; whether the request initiator corresponding to the visitor identifier has authority to access the accessed target is detected; and if so, the data access request is sent to the accessed target. When a data access request is detected, a suitable verification method is selected according to the request initiation type and the accessed target, so that the user can configure the platform flexibly according to actual needs, further improving the actual user experience.
Referring to fig. 5, fig. 5 is a flowchart illustrating a fourth embodiment of a security protection method according to the present invention.
Based on the third embodiment above, after step S60' the security protection method of this embodiment further includes:
Step S70'': if the request initiation type is an extranet initiation type, detecting whether the accessed target corresponding to the data access request is a database.
It can be understood that an extranet initiation type means that an external device or website is accessing an application or virtual device in the cloud platform. To protect the database, external access to it is prohibited and only one bastion host is kept as the external control entry, so whether the accessed target is the database is detected first, which determines how the subsequent detection proceeds.
Step S80'': if it is not, detecting whether the accessed target is a core business target.
It will be appreciated that an enterprise's core business target, i.e. the application or virtual device carrying the enterprise's core business, usually also prohibits external access and is reachable only through the bastion host; therefore, after determining that the accessed target is not a database, whether it is a core business target may be detected further.
Step S90'': if the accessed target is not a core business target, obtaining the visitor identifier corresponding to the data access request.
It can be understood that if the accessed target is not a core business target, only the request initiator that initiated the data access request needs to be checked to determine whether it has authority to access the accessed target, so the visitor identifier corresponding to the data access request can be obtained at this point. The visitor identifier may be the unique identifier of the cloud platform user.
Step S100'': obtaining the access right set corresponding to the visitor identifier.
It should be noted that the access right set may be obtained by looking up the mapping relation for the visitor identifier in an access authority list. The access authority list stores mappings between visitor identifiers and the unique identifiers of applications or virtual devices in the cloud platform, and may be preset by the cloud platform's administrator.
Step S110'': if the accessed target is in the access right set, sending the data access request to the accessed target.
It will be appreciated that if the accessed target is in the access right set, the user that initiated the data access request is authorized to access it, so the data access request may be sent to the accessed target; otherwise the data access request is intercepted.
Further, if the request initiation type is an extranet initiation type and the accessed target is the database, further detection is required, and after step S70'' the method of this embodiment further includes:
if the accessed target is a database, detecting whether the data access request was forwarded by the bastion host;
if it was forwarded by the bastion host, obtaining the database operation statement in the data access request and the database account identifier currently logged in on the bastion host;
detecting whether the database account corresponding to the database account identifier has authority to execute the database operation statement;
and if so, sending the data access request to the database.
It should be noted that, because the database prohibits extranet access and only allows jump access through the reserved bastion host, when the request initiation type is an extranet initiation type and the accessed target is the database, it is necessary to detect whether the data access request was forwarded through the bastion host; if it was not, the data access request is intercepted directly. Whether a request came through the bastion host should be established from the platform's own view of the connection (for example the identity of the forwarding host as seen by the gateway), not from a header or field supplied by the requester.
If it was forwarded through the bastion host, it is necessary to detect whether the database account logged in on the bastion host may execute the database operation statement in the data access request.
It can be understood that whether the database account corresponding to the database account identifier has authority to execute the database operation statement may be detected by looking up the data operation authority list for that database account identifier and checking whether the execution authority required by the statement is in that list, as described for the third embodiment; if it is, the database account is judged to have the authority to execute the statement; if it is not, the database account is judged not to have it.
In this embodiment, if the request initiation type is an extranet initiation type, whether the accessed target corresponding to the data access request is a database is detected; if it is not a database, whether the accessed target is a core business target is detected; if it is not a core business target, the visitor identifier corresponding to the data access request is obtained; the access right set corresponding to the visitor identifier is obtained; and if the accessed target is in the access right set, the data access request is sent to the accessed target. When a data access request is detected, a suitable verification method is selected according to the request initiation type and the accessed target, so that the user can configure the platform flexibly according to actual needs, further improving the actual user experience.
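The following Python program is an added worked example, not code from the patent or its applicant. It implements the data access decision tree of the third and fourth embodiments in one place: the intranet flow (sensitive targets checked against the visitor's access right set; the database checked against the logged-in account's data operation authority list in the "{A: select, update, insert; B: select; C: select}" form) and the extranet flow (core business targets refused; the database reachable only through the bastion host, then checked against the same authority list). The policy tables, target identifiers, the bastion host id and the sample statements are constructed assumptions, and the statement classifier is a deliberately narrow fail-closed matcher, not a SQL parser.

```python
"""Added example (not the patent's own code): authorization of data access
requests following the intranet flow (steps after S70) and the extranet flow
(steps S70'' to S110''). Policy tables, identifiers and requests are
constructed samples; a real gateway would load them from its configuration."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Data operation authority list per database account, in the patent's
# "{A: select, update, insert; B: select; C: select}" form (constructed).
DB_AUTHORITY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "acct_a": {
        "A": frozenset({"select", "update", "insert"}),
        "B": frozenset({"select"}),
        "C": frozenset({"select"}),
    },
}
# Access right set per visitor identifier: unique ids of the applications or
# virtual devices the visitor may reach (constructed; preset by the manager).
ACCESS_RIGHTS: Dict[str, FrozenSet[str]] = {"user-42": frozenset({"app-web", "vm-build"})}
SENSITIVE_TARGETS = frozenset({"vm-build", "app-erp"})  # intranet: visitor check
CORE_BUSINESS_TARGETS = frozenset({"app-erp"})          # extranet: never direct
BASTION_HOST_ID = "bastion-1"                           # sole external DB entry

@dataclass
class DataAccessRequest:
    origin: str                # "intranet" or "extranet"
    target: str                # accessed target; "database" means the database
    visitor: str = ""          # visitor identifier (cloud platform user)
    db_account: str = ""       # database account logged in on the initiator
    statement: str = ""        # database operation statement
    forwarded_by: str = ""     # forwarding host as seen by the gateway itself

_OP = re.compile(r"^(select|insert|update|delete)\b", re.IGNORECASE)
_TABLE_REFS = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_]\w*)", re.IGNORECASE)
_REJECT = re.compile(r";|\(\s*select\b|\bfrom\s+\w+\s*,", re.IGNORECASE)

def statement_needs(statement: str) -> Optional[Tuple[str, str]]:
    """Return (operation, table) for a simple single-table DML statement.

    Deliberately narrow and fail-closed: stacked statements, subqueries,
    joins, unions, comma-separated FROM lists, DDL and anything else that
    touches more than one table (or cannot be classified) return None and
    are therefore refused. String literals are not understood, so a real
    gateway should replace this with a proper SQL parser."""
    body = statement.strip().rstrip(";")
    m = _OP.match(body)
    if m is None or _REJECT.search(body):
        return None
    tables = set(_TABLE_REFS.findall(body))
    if len(tables) != 1:
        return None
    return m.group(1).lower(), tables.pop()

def db_account_allows(account: str, statement: str) -> bool:
    """Is the execution authority of the statement in the account's list?"""
    need = statement_needs(statement)
    if need is None:
        return False
    operation, table = need
    entry = DB_AUTHORITY.get(account, {}).get(table)
    return entry is not None and operation in entry

def decide(req: DataAccessRequest) -> str:
    """Return "forward" or "intercept" following the patent's decision tree."""
    allowed_target = req.target in ACCESS_RIGHTS.get(req.visitor, frozenset())
    if req.origin == "intranet":
        if req.target == "database":
            return "forward" if db_account_allows(req.db_account, req.statement) else "intercept"
        if req.target not in SENSITIVE_TARGETS:
            return "forward"
        return "forward" if allowed_target else "intercept"
    if req.origin == "extranet":
        if req.target == "database":
            if req.forwarded_by != BASTION_HOST_ID:
                return "intercept"       # database reachable only via the bastion host
            return "forward" if db_account_allows(req.db_account, req.statement) else "intercept"
        if req.target in CORE_BUSINESS_TARGETS:
            return "intercept"           # core business targets: bastion host only
        return "forward" if allowed_target else "intercept"
    return "intercept"                   # unknown initiation type: fail closed
```

The point worth noticing is where the two flows fail closed: a statement the classifier cannot reduce to one table and one operation is refused outright rather than authorized on the first table it happens to find, and an extranet request for the database that did not arrive via the bastion host is intercepted before any account lookup takes place.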
In addition, an embodiment of the present invention also provides a storage medium that stores a security protection program, and the security protection program implements the steps of the security protection method when executed by a processor.
Referring to fig. 6, fig. 6 is a block diagram of a first embodiment of the security protection device of the present invention.
As shown in fig. 6, a security protection device according to an embodiment of the present invention includes:
the platform monitoring module 10 is used for monitoring the running state of the cloud platform in real time;
the type acquisition module 20 is configured to acquire a file type of a file to be transmitted when detecting that the cloud platform performs file transmission;
the level obtaining module 30 is configured to obtain a security protection level corresponding to the file receiving target if the file type is a preset type;
a security detection module 40, configured to perform security detection on the transmitted file through a file detection module corresponding to the security protection level;
and the data forwarding module 50 is used for forwarding the transmitted file to the file receiving target when the security detection passes.
The embodiment monitors the running state of the cloud platform in real time; when the cloud platform is detected to transmit the file, acquiring the file type of the transmitted file; if the file type is the preset type, acquiring a security protection level corresponding to the file receiving target; carrying out security detection on the transmitted file through a file detection module corresponding to the security protection level; and when the security detection passes, forwarding the transmitted file to a file receiving target. When the file is detected, different file detection modules are selected according to the security protection level to carry out security detection, so that a cloud platform user can set a proper security protection level according to actual needs, and the actual use experience of the user is improved.
Further, the number of the file detection modules corresponding to the security protection level is multiple;
the security detection module 40 is further configured to search a preset level module mapping table for a plurality of file detection modules corresponding to the security protection level; the transmitted files are respectively subjected to security detection through the plurality of file detection modules, so that a plurality of file detection results are obtained; and if the file detection results are all file security, judging that the security detection is passed.
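The following Python program is an added worked example, not code from the patent, of the multi-module security detection described for the security detection module 40 and in claim 1: a preset level/module mapping table, selection of every file detection module whose level is less than or equal to the receiving target's security protection level, and the rule that the detection passes only when every module reports the file as safe. The three modules (an allowed-type check, a magic-byte check and a scan for embedded executable headers), their levels and the sample files are assumptions chosen to show how a higher level adds stricter checks without removing lower ones.

```python
"""Added example (not the patent's own code) of the multi-module security
detection in the device embodiment: a level/module mapping table, selection of
every file detection module whose level is less than or equal to the receiving
target's security protection level, and the all-results-must-be-safe rule.
Module names, levels and the sample files are assumptions."""
from typing import Callable, Dict, List, Tuple

Check = Callable[[str, bytes], bool]   # (file name, content) -> True if safe

_ALLOWED_TYPES = {"png", "pdf", "zip"}                      # preset file types
_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}

def _ext(name: str) -> str:
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""

def extension_allowed(name: str, data: bytes) -> bool:
    """Level-1 module: only preset file types may be transmitted."""
    return _ext(name) in _ALLOWED_TYPES

def magic_matches_extension(name: str, data: bytes) -> bool:
    """Level-2 module: the declared type must agree with the leading bytes,
    which catches a renamed payload that passes the extension check."""
    signature = _MAGIC.get(_ext(name))
    return signature is not None and data.startswith(signature)

def no_embedded_executable(name: str, data: bytes) -> bool:
    """Level-3 module: refuse content carrying a PE or ELF header anywhere
    (e.g. an executable appended to or archived inside an allowed type)."""
    return b"MZ\x90\x00" not in data and b"\x7fELF" not in data

# Preset level/module mapping table: level -> modules introduced at that level.
LEVEL_MODULE_TABLE: Dict[int, List[Tuple[str, Check]]] = {
    1: [("extension", extension_allowed)],
    2: [("magic", magic_matches_extension)],
    3: [("embedded-executable", no_embedded_executable)],
}

def modules_for_level(level: int) -> List[Tuple[str, Check]]:
    """All modules whose level is <= the receiving target's level (claim 1)."""
    return [mod for lvl, mods in sorted(LEVEL_MODULE_TABLE.items())
            if lvl <= level for mod in mods]

def security_detect(name: str, data: bytes, level: int) -> Tuple[bool, Dict[str, bool]]:
    """Run every selected module and pass only if all results are 'file safe'.
    Returns (passed, per-module results) so the failing module can be logged.
    A level that selects no module fails rather than passing vacuously."""
    results = {mod_name: bool(check(name, data)) for mod_name, check in modules_for_level(level)}
    return bool(results) and all(results.values()), results
```

With these tables a PNG-bodied file named report.pdf passes at level 1 and fails at level 2 on the magic module, and a zip archive with a PE header inside passes at level 2 but fails at level 3; the per-module result map is what the forwarding decision and the audit log should both be based on.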
Further, the data forwarding module 50 is further configured to obtain an access target corresponding to the external access request when the external access request is detected; detecting whether the access target is a blacklist target; if the access target is not the blacklist target, acquiring an access authority level corresponding to a request initiator of the external access request; searching an access limit rule corresponding to the access right level; and if the access target is not matched with the access limiting rule, sending the external access request to the access target.
Further, the data forwarding module 50 is further configured to obtain a request initiation type of the data access request when the data access request is detected; if the request initiating type is an intranet initiating type, acquiring an accessed target corresponding to the data access request; if the accessed target is not a database, detecting whether the accessed target is a sensitive target or not; if the target is a sensitive target, extracting a visitor identifier from the data access request; detecting whether a request initiator corresponding to the visitor identifier has the authority to access the accessed target; and if so, sending the data access request to the accessed target.
Further, the data forwarding module 50 is further configured to extract a visitor identifier and a database operation statement from the data access request if the accessed target is a database; determine the request initiator from the visitor identifier; read the database account identifier currently logged in on the request initiator and look up the data operation authority list corresponding to that database account identifier; detect whether the execution authority corresponding to the database operation statement is in the data operation authority list; and if it is, send the data access request to the database.
Further, the data forwarding module 50 is further configured to detect whether the accessed target corresponding to the data access request is a database if the request initiation type is an extranet initiation type; if it is not a database, detect whether the accessed target is a core business target; if it is not a core business target, obtain the visitor identifier corresponding to the data access request; obtain the access right set corresponding to the visitor identifier; and if the accessed target is in the access right set, send the data access request to the accessed target.
Further, the data forwarding module 50 is further configured to detect whether the data access request was forwarded by the bastion host if the accessed target is a database; if it was forwarded by the bastion host, obtain the database operation statement in the data access request and the database account identifier currently logged in on the bastion host; detect whether the database account corresponding to the database account identifier has authority to execute the database operation statement; and if so, send the data access request to the database.
It should be understood that the foregoing is illustrative only and is not limiting, and that in specific applications, those skilled in the art may set the invention as desired, and the invention is not limited thereto.
It should be noted that the above-described working procedure is merely illustrative, and does not limit the scope of the present invention, and in practical application, a person skilled in the art may select part or all of them according to actual needs to achieve the purpose of the embodiment, which is not limited herein.
In addition, technical details not described in detail in this embodiment may refer to the security protection method provided by any embodiment of the present invention, and are not described herein.
Furthermore, it should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of embodiments, it will be clear to a person skilled in the art that the above embodiment method may be implemented by means of software plus a necessary general hardware platform, but may of course also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. Read Only Memory (ROM)/RAM, magnetic disk, optical disk) and comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (9)

1. A security protection method, comprising the steps of:
monitoring the running state of the cloud platform in real time;
when the cloud platform is detected to transmit the file, acquiring the file type of the transmitted file;
if the file type is a preset type, acquiring a security protection level corresponding to a file receiving target, wherein the file receiving target is an application or virtual equipment in the cloud platform, which receives the transmitted file, and the security protection level is preset by a cloud platform user to which the file receiving target belongs;
carrying out security detection on the transmitted file through a file detection module corresponding to the security protection level;
forwarding the transmitted file to the file receiving target when the security detection passes;
the file detection modules corresponding to the security protection levels are multiple;
The step of performing security detection on the transmitted file by the file detection module corresponding to the security protection level includes:
searching file detection modules with the corresponding security protection level smaller than or equal to the security protection level corresponding to the file receiving target in a preset level module mapping table to obtain a plurality of file detection modules;
the transmitted files are respectively subjected to security detection through the plurality of file detection modules, so that a plurality of file detection results are obtained;
and if the file detection results are all file security, judging that the security detection is passed.
2. The security protection method according to claim 1, wherein after the step of monitoring the running state of the cloud platform in real time, the method further comprises:
when an external access request is detected, an access target corresponding to the external access request is obtained;
detecting whether the access target is a blacklist target;
if the access target is not the blacklist target, acquiring an access authority level corresponding to a request initiator of the external access request;
searching an access limit rule corresponding to the access right level;
and if the access target is not matched with the access limiting rule, sending the external access request to the access target.
3. The security protection method according to claim 1, wherein after the step of monitoring the running state of the cloud platform in real time, the method further comprises:
when a data access request is detected, acquiring a request initiation type of the data access request;
if the request initiating type is an intranet initiating type, acquiring an accessed target corresponding to the data access request;
if the accessed target is not a database, detecting whether the accessed target is a sensitive target or not;
if the target is a sensitive target, extracting a visitor identifier from the data access request;
detecting whether a request initiator corresponding to the visitor identifier has the authority to access the accessed target;
and if so, sending the data access request to the accessed target.
4. The security protection method according to claim 3, wherein after the step of, if the request initiation type is an intranet initiation type, obtaining the accessed target corresponding to the data access request, the method further comprises:
if the accessed target is a database, extracting a visitor identifier and a database operation statement from the data access request;
Determining a request initiator according to the visitor identification;
reading a database account identifier currently logged in the request initiator, and searching a data operation authority list corresponding to the database account identifier;
detecting whether the execution authority corresponding to the database operation statement is in the data operation authority list;
and if it is in the data operation authority list, sending the data access request to the database.
5. The security protection method according to claim 3, wherein after the step of, when a data access request is detected, obtaining the request initiation type of the data access request, the method further comprises:
if the request initiation type is an extranet initiation type, detecting whether the accessed target corresponding to the data access request is a database;
if it is not a database, detecting whether the accessed target is a core business target;
if it is not a core business target, obtaining a visitor identifier corresponding to the data access request;
obtaining an access right set corresponding to the visitor identifier;
and if the accessed target is in the access right set, sending the data access request to the accessed target.
6. The security protection method according to claim 5, wherein after the step of, if the request initiation type is an extranet initiation type, detecting whether the accessed target corresponding to the data access request is a database, the method further comprises:
if the accessed target is a database, detecting whether the data access request was forwarded by a bastion host;
if it was forwarded by the bastion host, obtaining the database operation statement in the data access request and the database account identifier currently logged in on the bastion host;
detecting whether the database account corresponding to the database account identifier has authority to execute the database operation statement;
and if so, sending the data access request to the database.
7. A security protection device, comprising:
the platform monitoring module is used for monitoring the running state of the cloud platform in real time;
the type acquisition module is used for acquiring the file type of the transmitted file when the cloud platform is detected to transmit the file;
the level acquisition module is used for acquiring a security protection level corresponding to a file receiving target if the file type is a preset type, wherein the file receiving target is an application or virtual equipment in the cloud platform, which receives the transmitted file, and the security protection level is preset by a cloud platform user to which the file receiving target belongs;
The security detection module is used for carrying out security detection on the transmitted file through the file detection module corresponding to the security protection level;
the data forwarding module is used for forwarding the transmitted file to the file receiving target when the safety detection passes;
the file detection modules corresponding to the security protection levels are multiple;
the security detection module is further used for searching a file detection module, corresponding to the security protection level in the preset level module mapping table, which is smaller than or equal to the security protection level corresponding to the file receiving target, and obtaining a plurality of file detection modules; the transmitted files are respectively subjected to security detection through the plurality of file detection modules, so that a plurality of file detection results are obtained; and if the file detection results are all file security, judging that the security detection is passed.
8. A security protection device, comprising: a processor, a memory and a security protection program stored on the memory and executable on the processor, which security protection program, when executed by the processor, implements the steps of the security protection method according to any one of claims 1 to 6.
9. A computer readable storage medium, wherein a security protection program is stored on the computer readable storage medium, which when executed by a processor implements the steps of the security protection method according to any of claims 1-6.
CN202310290295.XA 2023-03-23 2023-03-23 Security protection method, device, equipment and storage medium Active CN115996152B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310290295.XA CN115996152B (en) 2023-03-23 2023-03-23 Security protection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310290295.XA CN115996152B (en) 2023-03-23 2023-03-23 Security protection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115996152A CN115996152A (en) 2023-04-21
CN115996152B true CN115996152B (en) 2023-06-09

Family

ID=85995355

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310290295.XA Active CN115996152B (en) 2023-03-23 2023-03-23 Security protection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115996152B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113595981A (en) * 2021-06-25 2021-11-02 新浪网技术(中国)有限公司 Method and device for detecting threat of uploaded file and computer-readable storage medium

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102831338B (en) * 2012-06-28 2015-09-30 北京奇虎科技有限公司 A kind of safety detection method of Android application program and system
CN104899515B (en) * 2014-03-04 2019-04-16 北京奇安信科技有限公司 A kind of variation and device of applications security
CN105681389B (en) * 2015-12-18 2019-03-26 北京神州绿盟信息安全科技股份有限公司 A kind of recognition methods and device based on Skype different function communication stream
CN106888221A (en) * 2017-04-15 2017-06-23 北京科罗菲特科技有限公司 A kind of Secure Information Tanslation Through Netware method
CN107426173B (en) * 2017-06-06 2021-01-29 北京鸿享技术服务有限公司 File protection method and device
CN108985062B (en) * 2018-07-06 2020-12-15 Oppo(重庆)智能科技有限公司 File transmission control method, device and equipment
CN109815704B (en) * 2019-01-24 2020-08-04 中国—东盟信息港股份有限公司 Safety detection method and system for Kubernetes cloud native application
CN110855611B (en) * 2019-10-10 2021-11-09 平安科技(深圳)有限公司 Data outgoing method, device and related equipment
CN115086036B (en) * 2022-06-15 2024-04-26 浙江浩瀚能源科技有限公司 Cloud platform safety protection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN115996152A (en) 2023-04-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant