CN116541832A - Method, system, equipment and storage medium for hosting and processing security event - Google Patents


Publication number
CN116541832A
Authority
CN
China
Prior art keywords
managed
security event
computer
network identification
hosting
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310828193.9A
Other languages
Chinese (zh)
Inventor
游仁均
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Clerware Technology Co ltd
Original Assignee
Shenzhen Clerware Technology Co ltd

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 - Detecting local intrusion or implementing counter-measures
    • G06F21/554 - Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention relates to the field of computer system security and discloses a method, a system, a device and a storage medium for hosting and processing a security event. The method comprises the following steps: receiving a security event sent by a hosted computer, wherein the security event is a behavior event that occurs on the hosted computer and infringes data security; querying, based on a preset hosting policy, the hosting management computer corresponding to the hosted computer; and sending security event alarm information to the hosting management computer. Because the invention, after receiving the security event sent by the hosted computer, queries the hosting management computer corresponding to the hosted computer based on the preset hosting policy and sends the security event alarm information to it, compared with the prior art the invention can forward the security event alarm information in time to an attended hosting management computer and prompt its operator to process the security event, so that a security event occurring on an unattended hosted computer is processed in time.

Description

Method, system, equipment and storage medium for hosting and processing security event
Technical Field
The present invention relates to the field of computer system security, and in particular, to a method, a system, a device, and a storage medium for hosting and processing a security event.
Background
At present, in the field of computer system security, one important means of protecting local data is to install security software on the computer system and to configure and execute a corresponding security policy that monitors, blocks or raises alarms on behavior affecting data security; when an infringement occurs, the software generates a corresponding security event to remind the user to deal with it.
In practice, most application servers are unattended. Security software usually notifies an administrator of a security event by writing a log, sending mail, sending a short message and the like, and then waits for the administrator to process it. Because these notifications lag, the security event cannot be processed in time, which may lead to the spread of the infringing behavior, to false alarms and the like, and so affect normal computer service, for example by interrupting or crashing a business system.
Therefore, a method for hosting and processing security events is needed, which can effectively solve the technical problem that security events generated by an unattended computer are not processed timely.
Disclosure of Invention
The invention mainly aims to provide a method, a system, equipment and a storage medium for hosting and processing a security event, and aims to solve the technical problem that security events generated by an unattended computer in the prior art are not processed timely.
To achieve the above object, the present invention provides a method for hosting and processing a security event, the method comprising the steps of:
receiving a security event sent by a hosted computer, wherein the security event is a behavior event that occurs on the hosted computer and infringes data security;
querying, based on a preset hosting policy, a hosting management computer corresponding to the hosted computer;
and sending security event alarm information to the hosting management computer.
Optionally, the step of querying, based on a preset hosting policy, the hosting management computer corresponding to the hosted computer includes:
acquiring a first network identifier of the hosted computer;
querying, based on the preset hosting policy, whether a second network identifier corresponding to the first network identifier exists;
and if so, determining the hosting management computer corresponding to the hosted computer according to the second network identifier.
Optionally, before the step of receiving the security event sent by the hosted computer, the method further includes:
acquiring the user on-duty condition of a client;
dividing the clients into hosted computers and hosting management computers according to the user on-duty condition;
acquiring a first network identifier of the hosted computer and a second network identifier of the hosting management computer;
and establishing a preset hosting policy according to the first network identifier and the second network identifier, wherein the preset hosting policy comprises a mapping relation between the first network identifier and the second network identifier.
Optionally, after the step of sending the security event alarm information to the hosting management computer, the method further includes:
acquiring a security event processing instruction from the hosting management computer;
querying, based on the preset hosting policy, the first network identifier of the hosted computer corresponding to the security event;
and sending the security event processing instruction to the hosted computer corresponding to the first network identifier.
Optionally, after the step of sending the security event processing instruction to the hosted computer corresponding to the first network identifier, the method further includes:
acquiring the execution result of the hosted computer executing the security event processing instruction;
determining the second network identifier corresponding to the first network identifier according to the first network identifier of the hosted computer and the preset hosting policy;
and sending the execution result, according to the second network identifier, to the hosting management computer corresponding to the second network identifier.
Optionally, after the step of querying, based on the preset hosting policy, whether a second network identifier corresponding to the first network identifier exists, the method further includes:
and if it does not exist, processing the security event and sending the processing instruction to the hosted computer corresponding to the first network identifier.
Optionally, the first network identifier and the second network identifier comprise at least one of an IP address and a MAC address.
In addition, to achieve the above object, the present invention further provides a system for hosting and processing a security event, the system including:
an event receiving module, configured to receive a security event sent by a hosted computer, wherein the security event is a behavior event that occurs on the hosted computer and infringes data security;
a hosting query module, configured to query, based on a preset hosting policy, the hosting management computer corresponding to the hosted computer;
and an information sending module, configured to send security event alarm information to the hosting management computer.
In addition, to achieve the above object, the present invention further provides a device for hosting and processing a security event, the device comprising: a memory, a processor, and a security event hosting processing program stored in the memory and executable on the processor, the program being configured to implement the steps of the method for hosting and processing a security event described above.
In addition, to achieve the above object, the present invention further provides a storage medium storing a security event hosting processing program which, when executed by a processor, implements the steps of the method for hosting and processing a security event described above.
The method comprises receiving a security event sent by a hosted computer, wherein the security event is a behavior event that occurs on the hosted computer and infringes data security; querying, based on a preset hosting policy, the hosting management computer corresponding to the hosted computer; and sending security event alarm information to the hosting management computer. Because the invention, after receiving the security event sent by the hosted computer, queries the hosting management computer corresponding to the hosted computer based on the preset hosting policy and sends the security event alarm information to it, then, compared with the prior art in which the administrator is notified of the security event by a log record, mail, a short message and the like and the event waits for the administrator to process it, the security event can be forwarded in time to an attended hosting management computer whose operator is prompted to process it, so that a security event occurring on an unattended hosted computer is processed in time.
Drawings
FIG. 1 is a schematic structural diagram of a security event hosting processing device in the hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a method for hosting a security event according to the present invention;
FIG. 3 is a flowchart illustrating a second embodiment of a method for hosting a security event according to the present invention;
FIG. 4 is a flowchart illustrating a third embodiment of a method for hosting a security event according to the present invention;
FIG. 5 is a schematic diagram of a scenario in which the managed processing method of the security event of the present invention is implemented;
FIG. 6 is a block diagram of a first embodiment of a system for hosting and processing a security event according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a security event hosting processing device in the hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the security event hosting processing device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 enables communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (WI-FI) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory. The memory 1005 may optionally also be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the structure shown in fig. 1 does not limit the security event hosting processing device, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
As shown in fig. 1, the memory 1005, as a storage medium, may include an operating system, a network communication module, a user interface module and a security event hosting processing program.
In the security event hosting processing device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server, and the user interface 1003 is mainly used for data interaction with a user. The processor 1001 and the memory 1005 are disposed in the device, which invokes, through the processor 1001, the security event hosting processing program stored in the memory 1005 and executes the method for hosting and processing a security event provided by the embodiments of the present invention.
An embodiment of the present invention provides a method for hosting and processing a security event, and referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of a method for hosting and processing a security event according to the present invention.
In this embodiment, the method for hosting and processing the security event includes the following steps:
Step S10: receiving a security event sent by a hosted computer, the security event being a behavior event that occurs on the hosted computer and infringes data security.
The execution body of this embodiment is a security management server. The backup server may be a data server, or another data management device with the same or similar functions as a data server, for example a security event hosting processing device; this embodiment and the following embodiments are illustrated by taking the security management server as an example.
It can be understood that a hosted computer is an unattended computer, i.e., an ordinary computer system that provides services; in most cases no terminal input/output device is connected to it, no operator monitors its running state through such a device, and it cannot be operated through a terminal.
It should be explained that the security event sent by the hosted computer is a behavior event detected by the security detection software installed on the hosted computer when behavior that infringes data security occurs on that computer.
In a specific implementation, a security policy enforcement agent is deployed on a hosted computer, and when the security policy enforcement agent of the hosted computer detects that a security event occurs, the security event is sent to a security management server.
Step S20: querying, based on a preset hosting policy, the hosting management computer corresponding to the hosted computer.
The hosting management computer may be a computer on which a desktop system is installed (so that a security event alert can be displayed in a warning pop-up window) and which is attended by an on-duty administrator.
It can be understood that the preset hosting policy mainly specifies which clients are hosted computers, which clients are hosting management computers, and which hosted computers can be hosted by which hosting management computers, so that the hosting management computer corresponding to a hosted computer can be queried from the preset hosting policy.
It should be noted that the step of querying, based on the preset hosting policy, the hosting management computer corresponding to the hosted computer includes: acquiring a first network identifier of the hosted computer; querying, based on the preset hosting policy, whether a second network identifier corresponding to the first network identifier exists; and if so, determining the hosting management computer corresponding to the hosted computer according to the second network identifier.
In a specific implementation, after the preset hosting policy is generated, the security management server sends it over the network to the hosted computers and hosting management computers named in the policy, and the security policy execution agents of those computers receive the policy and put it into effect.
Step S30: sending security event alarm information to the hosting management computer.
In a specific implementation, in order to process the security event of a hosted computer in time, after the security management server receives the security event and queries the hosting management computer corresponding to the hosted computer that sent it, the server sends security event alarm information to that hosting management computer. The alarm information can be displayed by popping up a security event warning window on the desktop of the hosting management computer, so that its operator immediately sees the information of the security event in the warning window and performs a processing operation on it. The instruction for that processing operation is then transmitted back to the security management server, which finally forwards it to the corresponding hosted computer to execute the processing of the security event.
This embodiment receives a security event sent by a hosted computer, wherein the security event is a behavior event that occurs on the hosted computer and infringes data security; acquires a first network identifier of the hosted computer; queries, based on the preset hosting policy, whether a second network identifier corresponding to the first network identifier exists; if so, determines the hosting management computer corresponding to the hosted computer according to the second network identifier; and sends security event alarm information to the hosting management computer. Because the invention, after receiving the security event sent by the hosted computer, queries the hosting management computer corresponding to the hosted computer based on the preset hosting policy and sends the security event alarm information to it, then, compared with the prior art in which the administrator is notified of the security event by a log record, mail, a short message and the like and the event waits for the administrator to process it, the security event can be forwarded in time to an attended hosting management computer whose operator is prompted to process it, so that a security event occurring on an unattended hosted computer is processed in time.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of a method for hosting a security event according to the present invention.
Based on the first embodiment, in this embodiment, before step S10, the method further includes:
Step S01: acquiring the user on-duty condition of a client.
It can be understood that a client is a computer on which an operating system and application software are installed and which can provide services externally.
It should be noted that the user on-duty condition may be determined from whether a terminal input/output device is connected to the client, or by manually checking whether an operator monitors the running state of the client through an input/output device. For example, if no terminal input/output device is connected to the client, the client is an unattended computer.
Step S02: dividing the clients into hosted computers and hosting management computers according to the user on-duty condition.
It can be understood that a hosted computer is an unattended computer, i.e., an ordinary computer system that provides services; in most cases no terminal input/output device is connected to it, no operator monitors its running state through such a device, and it cannot be operated through a terminal.
Further, the hosting management computer may be a computer on which a desktop system is installed (so that a security event alert can be displayed in a warning pop-up window) and which is attended by an on-duty administrator.
Step S03: acquiring a first network identifier of the hosted computer and a second network identifier of the hosting management computer.
The first network identifier uniquely identifies the hosted computer, and the second network identifier uniquely identifies the hosting management computer. The first network identifier and the second network identifier comprise at least one of an IP address and a MAC address.
Step S04: establishing a preset hosting policy according to the first network identifier and the second network identifier, wherein the preset hosting policy comprises a mapping relation between the first network identifier and the second network identifier.
It should be noted that one hosted computer may be assigned multiple hosting management computers at the same time, and any one of those hosting management computers may process a security event. Therefore, in the preset hosting policy the first network identifier and the second network identifier may be in a one-to-one mapping relation or a one-to-many relation, or the first network identifier may have no corresponding second network identifier.
In a specific implementation, if no second network identifier corresponding to the first network identifier exists in the preset hosting policy, the security event is processed directly by the security management server, and the processing instruction is sent to the hosted computer corresponding to the first network identifier.
This embodiment acquires the user on-duty condition of a client; divides the clients into hosted computers and hosting management computers according to the user on-duty condition; acquires a first network identifier of the hosted computer and a second network identifier of the hosting management computer; establishes a preset hosting policy according to the first network identifier and the second network identifier, wherein the preset hosting policy comprises a mapping relation between the first network identifier and the second network identifier; then receives a security event sent by the hosted computer, wherein the security event is a behavior event that occurs on the hosted computer and infringes data security; acquires the first network identifier of the hosted computer; queries, based on the preset hosting policy, whether a second network identifier corresponding to the first network identifier exists; if so, determines the hosting management computer corresponding to the hosted computer according to the second network identifier; and sends security event alarm information to the hosting management computer.
Compared with the prior art, in which the administrator is notified of a security event by a log record, mail, a short message and the like and the event waits for the administrator to process it, this embodiment divides the clients into hosted computers and hosting management computers according to the user on-duty condition of each client, establishes the preset hosting policy from the network identifiers of the hosted computers and the hosting management computers, and then, based on the preset hosting policy, forwards the security event in time to an attended hosting management computer and prompts the administrator to process it manually, so that a security event occurring on an unattended hosted computer is processed in time.
Referring to fig. 4, fig. 4 is a flow chart of a third embodiment of a method for hosting a security event according to the present invention.
Based on the above embodiments, in this embodiment, after step S30, the method further includes:
Step S40: acquiring a security event processing instruction from the hosting management computer.
The security event processing instruction is the series of operation instructions corresponding to the processing operation that the operator of the hosting management computer performs on the security event after seeing its information in the warning window.
In a specific implementation, the security event alarm information can be displayed by popping up a security event warning window on the desktop of the hosting management computer, so that its operator immediately sees the security event information in the warning window and processes the security event; the security event processing instruction corresponding to that processing operation is then sent to the security management server.
Step S50: querying, based on the preset hosting policy, the first network identifier of the hosted computer corresponding to the security event.
It can be understood that once the security event processing instruction has been sent to the security management server, the server needs to query which hosted computer's security event the instruction corresponds to, and then forward the instruction to that hosted computer according to the query result. Because the preset hosting policy includes the mapping relation between the first network identifier and the second network identifier, the first network identifier of the hosted computer corresponding to the security event can be queried from the preset hosting policy.
Step S60: sending the security event processing instruction to the hosted computer corresponding to the first network identifier.
It should be understood that the corresponding security event processing instruction is sent, according to the first network identifier, to the hosted computer that sent the security event.
It should be noted that, after the step of sending the security event processing instruction to the hosted computer corresponding to the first network identifier, the method further includes:
Step S601: acquiring the execution result of the hosted computer executing the security event processing instruction;
Step S602: determining the second network identifier corresponding to the first network identifier according to the first network identifier of the hosted computer and the preset hosting policy;
Step S603: sending the execution result, according to the second network identifier, to the hosting management computer corresponding to the second network identifier.
It should be understood that the execution result may be whether the hosted computer executed the security event processing instruction successfully, or whether the security event still exists after the hosted computer executed the instruction.
In a specific implementation, referring to fig. 5, fig. 5 is a schematic diagram of an implementation scenario of the method for hosting and processing a security event of the present invention. The clients are divided into hosted computers and hosting management computers according to the user on-duty condition, and a hosting management policy (i.e., the preset hosting policy) is configured and generated on the security management server; the hosting policy management module of the security management server then issues the policy to the security policy execution agent modules of the hosted computers and of the hosting management computers. When a security event occurs on a hosted computer, the event is sent to the security event management module of the security management server; after the hosting query, security event alarm information is sent to the security policy execution agent module of the hosting management computer. The user then performs a security event processing operation based on the alarm information, and the hosting management computer sends the corresponding security event processing instruction to the security event management module of the security management server, which performs the security event query and sends the instruction to the corresponding hosted computer. The hosted computer executes the instruction and returns the security event processing result to the security management server, whose security event management module returns the result to the hosting management computer, so that the user of the hosting management computer can see the security event processing result of the hosted computer in time.
It should be explained that after the hosted computer has executed a security event processing instruction, other processing instructions are not executed again.
It should be noted that the security event management module in the security management server stores the security events of all clients and also provides a security event processing interface, on which security events can be processed directly and the processing results are displayed.
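The routing described in steps S01 to S603, including the fallback when no second network identifier is mapped, can be modelled as follows. This is an added example, not code from the patent: the class and method names, the in-memory `outbox`, the instruction strings and the documentation-range IP addresses are assumptions, as are the sender check in `receive_instruction` and the choice to enforce "other processing instructions are not executed again" at the server.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Placeholder for the server's own handling; the patent does not name it.
SERVER_DEFAULT_INSTRUCTION = "server-default-handling"


@dataclass
class SecurityEvent:
    event_id: int
    origin: str                       # first network identifier (hosted computer)
    description: str
    handled_by: Optional[str] = None  # sender of the instruction that was forwarded
    result: Optional[str] = None


class SecurityManagementServer:
    """In-memory model of the server; `outbox` stands in for the network."""

    def __init__(self):
        self.policy = {}  # first network identifier -> [second network identifiers]
        self.events = {}  # event_id -> SecurityEvent
        self.outbox = []  # (destination, kind, event_id, payload)
        self._ids = count(1)

    def build_policy(self, attended, assignments):
        """S01-S04: classify clients by on-duty status and store the mapping."""
        for hosted, managers in assignments.items():
            if attended.get(hosted, False):
                raise ValueError(f"{hosted} is attended and cannot be hosted")
            for manager in managers:
                if not attended.get(manager, False):
                    raise ValueError(f"{manager} is unattended and cannot manage")
            self.policy[hosted] = list(managers)
        for ident, on_duty in attended.items():
            if not on_duty:
                self.policy.setdefault(ident, [])  # hosted, but no manager mapped

    def receive_event(self, origin, description):
        """S10-S30: alert every mapped manager, or handle on the server if none."""
        event = SecurityEvent(next(self._ids), origin, description)
        self.events[event.event_id] = event
        managers = self.policy.get(origin, [])
        if managers:
            for manager in managers:
                self.outbox.append((manager, "alert", event.event_id, description))
        else:
            event.handled_by = "server"
            self.outbox.append(
                (origin, "instruction", event.event_id, SERVER_DEFAULT_INSTRUCTION))
        return event.event_id

    def receive_instruction(self, sender, event_id, instruction):
        """S40-S60: forward a manager's instruction to the event's origin."""
        event = self.events.get(event_id)
        if event is None:
            return False
        # Added check (assumption): only a manager mapped to the origin may act.
        if sender not in self.policy.get(event.origin, []):
            return False
        # Only the first instruction for an event is forwarded.
        if event.handled_by is not None:
            return False
        event.handled_by = sender
        self.outbox.append((event.origin, "instruction", event_id, instruction))
        return True

    def receive_result(self, reporter, event_id, result):
        """S601-S603: return the execution result to the mapped managers."""
        event = self.events.get(event_id)
        if event is None or reporter != event.origin or event.handled_by is None:
            return []
        event.result = result
        managers = list(self.policy.get(event.origin, []))
        for manager in managers:
            self.outbox.append((manager, "result", event_id, result))
        return managers


def demo():
    """Constructed scenario: one hosted computer with two managers, one with none."""
    server = SecurityManagementServer()
    attended = {"192.0.2.10": False, "192.0.2.11": False,
                "198.51.100.5": True, "198.51.100.6": True}
    server.build_policy(attended, {"192.0.2.10": ["198.51.100.5", "198.51.100.6"]})
    e1 = server.receive_event("192.0.2.10", "protected file modified")
    server.receive_instruction("198.51.100.5", e1, "block-process")
    server.receive_instruction("198.51.100.6", e1, "allow-process")  # ignored
    server.receive_result("192.0.2.10", e1, "executed")
    server.receive_event("192.0.2.11", "protected file modified")    # server handles
    return server.outbox


if __name__ == "__main__":
    for message in demo():
        print(message)
```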
After the step of sending the security event alert information to the hosting management computer, the embodiment further includes: inquiring the first network identification identifier of managed computation corresponding to the security event based on the preset managed policy; sending the security event processing instruction to a managed computer corresponding to the first network identification mark; acquiring an execution result of the hosted computer executing the security event processing instruction; determining a second network identification identifier corresponding to the first network identification identifier according to the first network identification identifier of the managed computer and the preset managed policy; and according to the second network identification mark, sending the execution result to the hosting management computer corresponding to the second network identification mark. Compared with the traditional log, mail notification and short message notification, the method has certain timeliness and convenience and superiority in processing, and short message, mail notification and security processing measures have certain hysteresis, and after the two notifications are seen, the two notifications can not be immediately processed by being linked with a system, or the processing measures are inconvenient and quick. 
To handle a managed computer's security event in time, the security management server, after receiving the security event and querying the managed management computer that corresponds to the managed computer that sent it, sends security event alarm information to that managed management computer. The alarm information can be displayed as a security event warning window that pops up on the desktop of the managed management computer, so that its operator immediately sees the security event information in the window and handles the event. The instruction for the handling operation is then transmitted back to the security management server, which forwards it to the corresponding managed computer to carry out the handling of the security event. Finally, the security management server returns the security event processing result to the managed management computer, so that its user can see the execution result on the managed computer in time.
In the prior art, an administrator is notified of a security event by recording logs, sending mail, sending short messages and the like, and the event waits for the administrator to handle it. By contrast, this embodiment divides the clients into managed computers and managed management computers according to the users' on-duty status, establishes the preset hosting policy from the network identification identifiers of the managed computers and the managed management computers, and then, based on that policy, promptly forwards the security event to the managed management computer that is on duty, prompting its operator to handle the event manually. Security events occurring on unattended managed computers are thus handled in time.
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium stores a managed processing program of the security event, and the managed processing program of the security event realizes the steps of the managed processing method of the security event when being executed by a processor.
Referring to fig. 6, fig. 6 is a block diagram of a first embodiment of a managed processing system for security events of the present invention.
As shown in fig. 6, the hosting processing system for security events according to the embodiment of the present invention includes: an event receiving module 601, a hosted query module 602, and an information sending module 603.
The event receiving module 601 is configured to receive a security event sent by a managed computer, where the security event is a behavioral event that occurs on the managed computer and infringes data security;
the hosting query module 602 is configured to query a hosting management computer corresponding to the hosted computer based on a preset hosting policy;
the information sending module 603 is configured to send security event alarm information to the hosting management computer.
The hosted query module 602 is further configured to obtain a first network identification of the hosted computer; inquiring whether a second network identification identifier corresponding to the first network identification identifier exists or not based on the preset hosting strategy; and if so, determining the managed management computer corresponding to the managed computer according to the second network identification mark.
This embodiment receives a security event sent by a managed computer, wherein the security event is a behavior event that occurs on the managed computer and infringes data security; acquires a first network identification identifier of the managed computer; queries, based on the preset hosting policy, whether a second network identification identifier corresponding to the first network identification identifier exists; if so, determines the managed management computer corresponding to the managed computer according to the second network identification identifier; and sends security event alarm information to the managed management computer. Because the invention, after receiving the security event sent by the managed computer, queries the corresponding managed management computer based on the preset hosting policy and sends the security event alarm information to it, the security event can be forwarded in time to the attended managed management computer to prompt its personnel to handle it, whereas in the prior art an administrator is notified by recording a log, sending mail, sending a short message and the like, and the event waits for the administrator. Security events occurring on an unattended managed computer are thereby handled in time.
Based on the first embodiment of the managed processing system for the security event, a second embodiment of the managed processing system for the security event is provided.
In this embodiment, the event receiving module 601 is further configured to obtain a user on duty condition of the client; dividing the client into a managed computer and a managed management computer according to the user on duty condition; acquiring a first network identification identifier of the managed computer and a second network identification identifier of the managed management computer; and establishing a preset hosting strategy according to the first network identification mark and the second network identification mark, wherein the preset hosting strategy comprises a mapping relation between the first network identification mark and the second network identification mark.
In this embodiment, the hosted query module 602 is further configured to, if no second network identification identifier corresponding to the first network identification identifier exists, process the security event and send the processing instruction to the hosted computer corresponding to the first network identification identifier.
Other embodiments or specific implementations of the managed processing system for security events of the present invention may refer to the above method embodiments, and are not described herein.
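The routing described in the embodiments above (policy lookup, alert forwarding, server-side fallback, instruction relay and result return), as an added Python example that is not part of the patent text. The class and method names, the `default-handling` placeholder instruction, the 192.0.2.x addresses, the validity rule for policy pairs, and the check that only the mapped hosting management computer may issue an instruction are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SecurityEvent:
    event_id: int
    source_id: str                    # first network identifier (IP or MAC)
    description: str
    handled_by: Optional[str] = None  # issuer of the instruction that was sent
    result: Optional[str] = None

class HostingServer:
    """Toy security management server; all names here are illustrative."""

    def __init__(self, on_duty, assignments):
        # Preset hosting policy: first identifier -> second identifier.
        # Assumption: a pair is valid only if the hosted computer is
        # unattended and its hosting management computer is attended.
        self.policy = {h: m for h, m in assignments.items()
                       if not on_duty.get(h, False) and on_duty.get(m, False)}
        self.events = {}
        self.outbox = []  # (destination, kind, event_id, payload)

    def receive_event(self, event):
        self.events[event.event_id] = event
        manager = self.policy.get(event.source_id)
        if manager is None:
            # No second identifier: the server processes the event itself.
            self._dispatch(event, "server", "default-handling")  # placeholder
            return "server"
        self.outbox.append((manager, "alert", event.event_id, event.description))
        return manager

    def submit_instruction(self, issuer_id, event_id, instruction):
        event = self.events.get(event_id)
        if event is None:
            return "unknown-event"
        # Added check (assumption): only the mapped manager may act.
        if self.policy.get(event.source_id) != issuer_id:
            return "rejected"
        # Once an instruction has gone out, later ones are not executed
        # (marked at dispatch time here, a simplification).
        if event.handled_by is not None:
            return "already-handled"
        self._dispatch(event, issuer_id, instruction)
        return "sent"

    def _dispatch(self, event, issuer, instruction):
        event.handled_by = issuer
        self.outbox.append((event.source_id, "instruction", event.event_id, instruction))

    def report_result(self, source_id, event_id, result):
        event = self.events.get(event_id)
        if event is None or event.source_id != source_id:
            return None
        event.result = result
        manager = self.policy.get(source_id)
        if manager is not None:
            self.outbox.append((manager, "result", event_id, result))
        return manager

if __name__ == "__main__":
    # Constructed sample: .10 and .11 are unattended, .20 is attended.
    srv = HostingServer({"192.0.2.10": False, "192.0.2.11": False, "192.0.2.20": True},
                        {"192.0.2.10": "192.0.2.20"})
    srv.receive_event(SecurityEvent(1, "192.0.2.10", "bulk copy to removable media"))
    srv.submit_instruction("192.0.2.20", 1, "block-device")
    srv.report_result("192.0.2.10", 1, "device blocked")
    for message in srv.outbox:
        print(message)
```

Because the policy is keyed on IP or MAC addresses, which a client can claim without proof, a deployment would need to bind `source_id` and `issuer_id` to an authenticated agent session before relying on these lookups.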
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read-only memory/random-access memory, magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing describes only the preferred embodiments of the present invention and is not intended to limit its scope; equivalent structures or equivalent processes based on what is disclosed herein, whether employed directly or indirectly in other related arts, are likewise covered.

Claims (10)

1. A method of escrow processing of a security event, the method comprising the steps of:
receiving a security event sent by a managed computer, wherein the security event is an action event which occurs on the managed computer and infringes data security;
inquiring a managed management computer corresponding to the managed computer based on a preset managed policy;
and sending security event alarm information to the hosting management computer.
2. The hosting processing method of security events of claim 1, wherein the step of querying a hosting management computer corresponding to the hosted computer based on a preset hosting policy comprises:
acquiring a first network identification identifier of the managed computer;
inquiring whether a second network identification identifier corresponding to the first network identification identifier exists or not based on the preset hosting strategy;
and if so, determining the managed management computer corresponding to the managed computer according to the second network identification mark.
3. The method of escrow processing of a security event of claim 2, wherein prior to the step of receiving the security event sent by the managed computer, the method further comprises:
acquiring the user on-duty condition of a client;
dividing the client into a managed computer and a managed management computer according to the user on duty condition;
acquiring a first network identification identifier of the managed computer and a second network identification identifier of the managed management computer;
and establishing a preset hosting strategy according to the first network identification mark and the second network identification mark, wherein the preset hosting strategy comprises a mapping relation between the first network identification mark and the second network identification mark.
4. The method of escrow processing of a security event of claim 3, wherein after the step of sending security event alert information to the hosting management computer, the method further comprises:
acquiring a security event processing instruction of the managed management computer;
inquiring the first network identification identifier of the managed computer corresponding to the security event based on the preset managed policy;
and sending the security event processing instruction to a managed computer corresponding to the first network identification mark.
5. The method of claim 4, further comprising, after the step of sending the security event processing instruction to the hosted computer to which the first network identification corresponds:
acquiring an execution result of the hosted computer executing the security event processing instruction;
determining a second network identification identifier corresponding to the first network identification identifier according to the first network identification identifier of the managed computer and the preset managed policy;
and according to the second network identification mark, sending the execution result to the hosting management computer corresponding to the second network identification mark.
6. The method for hosting a security event according to claim 2, wherein after the step of querying whether a second network identification corresponding to the first network identification exists based on the preset hosting policy, the method further comprises:
and if no such second network identification identifier exists, processing the security event, and sending the processing instruction to a managed computer corresponding to the first network identification mark.
7. The managed processing method of a security event of any of claims 2-6, wherein the first network identification identifier and the second network identification identifier comprise at least one of an IP address and a MAC address.
8. A managed processing system for a security event, the system comprising:
the event receiving module is used for receiving a security event sent by the managed computer, wherein the security event is a behavior event which occurs on the managed computer and infringes data security;
the hosting query module is used for querying a hosting management computer corresponding to the hosted computer based on a preset hosting strategy;
and the information sending module is used for sending the security event alarm information to the hosting management computer.
9. A managed processing device for a security event, the device comprising: a memory, a processor, and a managed processing program of a security event stored on the memory and executable on the processor, the managed processing program of the security event being configured to implement the steps of the managed processing method of a security event of any of claims 1 to 7.
10. A storage medium having stored thereon a managed processing program of a security event which, when executed by a processor, implements the steps of the managed processing method of a security event of any of claims 1 to 7.
CN202310828193.9A 2023-07-07 2023-07-07 Method, system, equipment and storage medium for hosting and processing security event Pending CN116541832A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310828193.9A CN116541832A (en) 2023-07-07 2023-07-07 Method, system, equipment and storage medium for hosting and processing security event

Publications (1)

Publication Number Publication Date
CN116541832A true CN116541832A (en) 2023-08-04

Family

ID=87456457

Country Status (1)

Country Link
CN (1) CN116541832A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination