CN116980157A - Security detection method, device, equipment and storage medium based on cloud security configuration - Google Patents

Security detection method, device, equipment and storage medium based on cloud security configuration

Info

Publication number
CN116980157A
Authority
CN
China
Prior art keywords
detection
security
detected
configuration
cloud
Prior art date
Legal status
Pending
Application number
CN202211411416.3A
Other languages
Chinese (zh)
Inventor
邓书凡
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202211411416.3A
Publication of CN116980157A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The embodiment of the application discloses a security detection method, device, equipment and storage medium based on cloud security configuration, relating to cloud technology. The method comprises the following steps: acquiring configuration risk features in a target cloud security configuration scenario; determining at least one object to be detected using the configuration risk features, and acquiring detection logic for performing security detection on the at least one object to be detected, where the detection logic indicates at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected; acquiring a detection condition for performing security detection on the at least one object to be detected, where the detection condition indicates whether to trigger the security detection of the at least one object to be detected; and, when the detection condition is met, performing security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, where the security detection result indicates whether the object to be detected is in a secure state. By adopting the embodiment of the application, the efficiency of data detection can be improved.

Description

Security detection method, device, equipment and storage medium based on cloud security configuration
Technical Field
The present application relates to the field of cloud technologies, and in particular, to a security detection method, apparatus, device, and storage medium based on cloud security configuration.
Background
Today, with cloud services developing rapidly, more and more enterprises migrate their computing assets to cloud platforms and build service ecosystems using cloud-native technology, and they face new security challenges under the cloud model, whose security risks differ greatly from traditional ones. Cloud security configuration problems are typical of these and pose a major potential hazard to the cloud-native ecosystem; cloud security misconfiguration is a primary cause of cloud data leakage. The existing approach generally requires logging in to the cloud application platform manually and checking the configuration of each cloud security product to analyze configuration security, so the efficiency of data detection is low.
Disclosure of Invention
The embodiment of the application provides a security detection method, a security detection device, security detection equipment and a storage medium based on cloud security configuration, which can improve the efficiency of data detection.
In a first aspect, the present application provides a security detection method based on cloud security configuration, including:
acquiring configuration risk features in a target cloud security configuration scenario;
determining at least one object to be detected using the configuration risk features, and acquiring detection logic for performing security detection on the at least one object to be detected; the detection logic is configured to indicate at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected;
acquiring a detection condition for performing security detection on the at least one object to be detected; the detection condition is used to indicate whether to trigger the security detection of the at least one object to be detected;
and, when the detection condition is met, performing security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, where the security detection result is used to indicate whether the object to be detected is in a secure state.
In a second aspect, the present application provides a security detection device based on cloud security configuration, including:
a feature acquisition unit, configured to acquire configuration risk features in a target cloud security configuration scenario;
an object determining unit, configured to determine at least one object to be detected using the configuration risk features and to acquire detection logic for performing security detection on the at least one object to be detected; the detection logic is configured to indicate at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected;
a condition acquisition unit, configured to acquire a detection condition for performing security detection on the at least one object to be detected; the detection condition is used to indicate whether to trigger the security detection of the at least one object to be detected;
and a data detection unit, configured to perform security detection on the at least one object to be detected according to the detection logic when the detection condition is met, so as to obtain a security detection result, where the security detection result is used to indicate whether the object to be detected is in a secure state.
In a third aspect, the present application provides a computer device, including a processor, and a memory, where the memory is configured to store a computer program, the computer program including program instructions, and the processor is configured to invoke the program instructions to perform the security detection method based on cloud security configuration.
In a fourth aspect, the present application provides a computer readable storage medium having stored therein a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the above-described cloud security configuration based security detection method.
In a fifth aspect, the present application provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the security detection method based on the cloud security configuration provided in various optional manners in the first aspect of the present application.
In the embodiment of the application, configuration risk features in the target cloud security configuration scenario are acquired, so that at least one object to be detected can be determined using them; detection logic for performing security detection on the at least one object to be detected is acquired, and a detection condition for performing that security detection is acquired, so that, when the detection condition is met, security detection can be performed on the at least one object to be detected according to the detection logic to obtain a security detection result, and whether the object to be detected is in a secure state is determined based on that result. Once the object to be detected in the target cloud security configuration scenario has been obtained and the detection condition is met, the security detection flow for the object to be detected is triggered without manual intervention, which improves detection efficiency and reduces detection cost.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a network architecture schematic diagram of a security detection system based on cloud security configuration according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a security detection method based on cloud security configuration according to an embodiment of the present application;
FIG. 3 is an interface schematic diagram of a time trigger setup according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of another security detection method based on cloud security configuration according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the internal structure of a visual editor according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the internal architecture of a workflow engine according to an embodiment of the present application;
FIG. 7 is an interface diagram of a security detection result according to an embodiment of the present application;
FIG. 8 is a flow chart of a security detection workflow method according to an embodiment of the present application;
FIG. 9 is a schematic diagram of the composition of a security detection device based on cloud security configuration according to an embodiment of the present application;
FIG. 10 is a schematic diagram of the composition of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Cloud technology refers to a hosting technology that integrates hardware, software, network and other resources in a wide area network or local area network to realize computing, storage, processing and sharing of data. Cloud technology is the general name for the network technology, information technology, integration technology, management platform technology, application technology and so on applied under the cloud computing business model; it can form a resource pool and be used flexibly and conveniently on demand. Cloud computing technology will become an important support. Background services of technical network systems require large amounts of computing and storage resources, for example video websites, picture websites and many portals. With the rapid development and application of the internet industry, every item may have its own identification mark in the future, which needs to be transmitted to a background system for logical processing; data of different levels will be processed separately, and all kinds of industry data need strong back-end system support, which can only be realized through cloud computing. The scheme provided by the embodiment of the application belongs to cloud computing, cloud security and artificial intelligence cloud services within the field of cloud technology.
Cloud computing refers to the delivery and usage mode of IT infrastructure, meaning that required resources are obtained on demand and in an easily scalable manner through a network; in a broad sense, cloud computing refers to the delivery and usage mode of services, meaning that required services are obtained on demand and in an easily scalable manner over a network. Such services may be IT, software, internet-related or other services. Cloud computing is a product of the fusion of traditional computer and network technologies such as grid computing, distributed computing, parallel computing, utility computing, network storage technologies, virtualization, load balancing and the like. With the development of the internet, real-time data flows and the diversification of connected devices, and driven by demand for search services, social networks, mobile commerce, open collaboration and the like, cloud computing has developed rapidly. Unlike earlier parallel and distributed computing, the emergence of cloud computing will, in concept, drive a revolutionary transformation of the whole internet model and of enterprise management. For example, the detection frequency of each object to be detected in the target cloud security configuration scenario can be calculated using cloud computing.
Cloud security is a generic term for security software, hardware, users, institutions and secure cloud platforms based on the cloud computing business model. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgment; through anomaly monitoring of software behavior by a large number of network clients, it acquires the latest information on Trojans and malicious programs on the Internet, sends it to a server for automatic analysis and processing, and distributes solutions for viruses and Trojans to each client.
The main research directions of cloud security include: 1. cloud computing security, namely how to guarantee the security of the cloud and the applications on it, including the security of cloud computer systems, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing and the like; 2. cloudification of security infrastructure, which mainly studies how to build and integrate security infrastructure resources using cloud computing and optimize security protection mechanisms, for example using cloud computing technology to build an ultra-large-scale security event and information acquisition and processing platform, realizing the acquisition and correlation analysis of massive amounts of information and improving the capability to control security events and risk across the whole network; 3. cloud security services, which mainly study the various security services provided to users on cloud computing platforms, such as anti-virus services. For example, the present application may determine, in a cloud computing security manner, whether the various applications in the target cloud security configuration scenario are secure, whether network attack protection exists, and so on.
Artificial intelligence cloud services are also commonly referred to as AIaaS (AI as a Service). This is currently the mainstream service mode of artificial intelligence platforms; specifically, an AIaaS platform splits several common AI services and provides them independently or as packages in the cloud. This service mode is similar to an AI theme mall: any developer can access one or more of the artificial intelligence services provided by the platform through an API, and some deeper developers can also use the AI framework and AI infrastructure provided by the platform to deploy, operate and maintain their own proprietary cloud artificial intelligence services. For example, the present application may employ an artificial intelligence cloud service to screen at least one security component from a component database and thereby construct a target security application, and so on.
It should be specifically noted that, in the embodiment of the present application, data related to the target object information (such as configuration risk features or other features related to the target object information), when the embodiment of the present application is applied to a specific product or technology, permission or consent of a user needs to be obtained, and collection, use and processing of the related data need to comply with related laws and regulations and standards of related countries and regions. The target object may refer to a user of the terminal device or the computer device.
The technical scheme of the application can be applied to scenarios in which security detection is performed on objects to be detected in a cloud security configuration scenario; for example, objects to be detected such as host status, network protection and access rights in the cloud security configuration scenario can be subjected to security detection, and whether they are in a secure state can thereby be determined, ensuring the security of the cloud security configuration. The technical scheme of the application can be applied to various scenarios, including but not limited to cloud technology, artificial intelligence, intelligent transportation, assisted driving and the like.
Referring to FIG. 1, which is a network architecture diagram of a security detection system based on cloud security configuration according to an embodiment of the present application, a computer device may exchange data with terminal devices, and the number of terminal devices may be one or at least two; for example, when there are multiple terminal devices, they may include terminal device 101a, terminal device 101b and terminal device 101c in FIG. 1. Taking terminal device 101a as an example, the computer device 102 may determine at least one object to be detected and acquire detection logic for performing security detection on it; for example, it may acquire configuration risk features in a target cloud security configuration scenario and determine the at least one object to be detected and the detection logic using those features. The computer device 102 may also obtain a detection condition for performing security detection on the at least one object to be detected. When the detection condition is satisfied, the computer device 102 performs security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, thereby determining whether the object to be detected is in a secure state. Optionally, the computer device 102 may also transmit the security detection result to the terminal device 101a so that the terminal device 101a displays it. Further, the relevant management object can identify from the security detection result the detection objects that are not in a secure state, so that those objects can be handled and data security improved.
Configuration risk features in the target cloud security configuration scenario are obtained, so that at least one object to be detected can be determined using them; detection logic for performing security detection on the at least one object to be detected is obtained, and a detection condition for performing that security detection is obtained. If an object to be detected is not in a secure state, it can be further handled, improving data security. By acquiring the objects to be detected in the target cloud security configuration scenario and triggering the security detection flow for them when the detection condition is met, the security detection flow need not be triggered manually, which improves detection efficiency, saves detection cost and improves detection flexibility and reliability.
It is understood that the computer devices mentioned in the embodiments of the present application include, but are not limited to, terminal devices or servers. In other words, the computer device may be a server or a terminal device, or a system formed by a server and a terminal device. The above-mentioned terminal device may be an electronic device, including but not limited to a mobile phone, tablet computer, desktop computer, notebook computer, palmtop computer, vehicle-mounted device, intelligent voice interaction device, augmented/virtual reality (AR/VR) device, head-mounted display, wearable device, smart speaker, smart home appliance, aircraft, digital camera, camera or other mobile internet device (MID) with network access capability. The above-mentioned computer devices (such as servers) may be independent physical servers, server clusters or distributed systems formed by multiple physical servers, or cloud devices (such as cloud servers) that provide basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, vehicle-road collaboration, content delivery networks (CDNs), big data and artificial intelligence platforms, and the like.
Further, referring to fig. 2, fig. 2 is a schematic flow chart of a security detection method based on cloud security configuration according to an embodiment of the present application; as shown in fig. 2, the security detection method based on the cloud security configuration may be applied to a cloud device, and the security detection method based on the cloud security configuration includes, but is not limited to, the following steps:
S101, acquiring configuration risk features in a target cloud security configuration scenario.
In the embodiment of the application, the cloud device can receive a detection feature list sent by any terminal device and obtain the configuration risk features in the target cloud security configuration scenario from that list. Alternatively, the cloud device can download a configuration risk feature list from a configuration risk feature library and obtain the configuration risk features in the target cloud security configuration scenario from that list. Alternatively, the cloud device may obtain a detection feature list from local storage and obtain the configuration risk features in the target cloud security configuration scenario from it, and so on; the embodiment of the present application does not limit this. Optionally, the cloud device may further acquire device operation parameters during its operation and perform anomaly analysis on them, for example determine whether a device operation parameter falls within an anomalous parameter range, and if it does, determine that a configuration risk feature exists. The configuration risk feature reflects the risk situations that may exist in the target cloud security configuration scenario. By acquiring the configuration risk features of the target cloud security configuration scenario, the cloud device can determine which risks may exist in it, so that the objects to be detected that may exist in the scenario can subsequently be determined, whether risks exist and their causes can be analyzed, and targeted risk handling is facilitated.
Optionally, when determining the scenario, the target cloud security configuration scenario may be determined based on a scenario selection instruction of the target object. For example, when a selection instruction of the target object for a scenario is detected, the target cloud security configuration scenario is determined. Alternatively, the target cloud security configuration scenario may be determined according to the category of the acquired risk features. For example, when the acquired risk feature category belongs to the risk feature category corresponding to the target cloud security configuration scenario, it is determined that the features belong to the target cloud security configuration scenario. Alternatively, the target cloud security configuration scenario may be determined according to the acquired device type, and so on. For example, when the device type is a host asset, that is, there is a host asset on the cloud, it may be determined that the target cloud security configuration scenario applies. In one possible implementation, the configuration risk features in the target cloud security configuration scenario may include, but are not limited to, one or more of a protection feature, a host status monitoring feature, an access rights feature and an access control feature; the embodiment of the present application does not limit this. The protection features may include, but are not limited to, an application layer protection feature, which reflects protection of the application layer, and a network layer protection feature, which reflects protection of the network layer.
For example, the application layer protection feature may be a feature related to Web application services, where the global wide area network is a generic term for the Internet, generally referred to as the World Wide Web, abbreviated WWW, or simply the Web (hereinafter referred to as Web in the embodiment of the present application). The network layer protection feature may be a feature related to the network services of servers on the cloud. Host status monitoring features may reflect the state and dynamic behavior of the computer system, and so on. The access rights feature may reflect the access rights of each object in Cloud Object Storage (COS). The access control feature may reflect network access control for Edge Computing Machine (ECM) instances, Elastic Load Balance (ELB) instances, elastic network interfaces and the like. That is, the application layer protection feature reflects the risk situation of Web application services; the network layer protection feature reflects the risk situation of the network services of servers on the cloud; the host status monitoring features reflect the risk situation of the computer system's state and dynamic behavior; the access rights feature reflects the risk situation of each COS object in terms of access rights; and the access control feature reflects the risk situation of network access control for resources on the cloud.
In the embodiment of the application, by analyzing the features of the Web application service aspect, the network service aspect of servers on the cloud, the state and dynamic behavior aspect of the computer system, the access rights aspect of COS objects and the resource network access control aspect in the target cloud security configuration scenario, whether security risks exist in these aspects can be determined, so that targeted risk handling is realized. Features of other aspects may also be analyzed to determine whether those aspects carry a security risk; the embodiment of the present application does not limit this.
S102, determining at least one object to be detected by using the configuration risk features, and acquiring detection logic for performing security detection on the at least one object to be detected.
In the embodiment of the application, once the configuration risk features in the target cloud security configuration scenario have been acquired, one or more objects to be detected can be determined by using the acquired configuration risk features. By acquiring detection logic for performing security detection on each object to be detected, the security detection can then be performed on each object to be detected based on that detection logic. An object to be detected refers to a configuration item in the target cloud security configuration scenario that needs to undergo security detection, that is, it identifies which configuration items need to be security-detected.
The detection logic may be adapted to indicate at least one of: a detection order of the at least one object to be detected, a detection order of the respective content items comprised by an object to be detected, and the detected content items of an object to be detected. For example, the detection logic may indicate the detected content items of the at least one object to be detected; alternatively, it may indicate a detection order of the at least one object to be detected; alternatively, it may indicate both the detected content items and the detection order of the at least one object to be detected; alternatively, it may indicate the detected content items of the at least one object to be detected together with the detection order of the respective content items comprised by that object; alternatively, it may indicate the detection order of the at least one object to be detected, the detection order of each content item comprised by the object to be detected, and the detected content items of the object to be detected, and so on. Here, the respective content items comprised by an object to be detected refers to all content items included in that object. The detected content items of an object to be detected refers to those content items, among all content items included in the object, that actually need to be detected. That is, in some scenarios only one or more of the content items included in an object to be detected need to be detected. For example, if an object to be detected comprises 8 content items, its detected content items may be one or more of those 8 content items.
In one possible implementation, if the configuration risk feature in the target cloud security configuration scenario includes a protection feature, the object to be detected may include an application layer protection object and/or a network layer protection object. The application layer protection object may be, for example, a WAF (Web Application Firewall, a Web application level intrusion prevention system), also referred to as a Web application protection system, which provides protection for Web applications by executing a series of security policies for HTTP (Hypertext Transfer Protocol) and/or HTTPS (Hypertext Transfer Protocol Secure). The network layer protection object may be, for example, a Cloud Firewall, which may be a SaaS (Software-as-a-Service) firewall based on a public cloud environment, mainly used to protect the internet boundary and to meet the security and management requirements of unified access control and log audit on the cloud. The cloud firewall not only has the traditional firewall functions but also supports multi-tenancy and elastic capacity expansion on the cloud, and is the network security infrastructure for the target object's business on the cloud. The cloud firewall differs from the WAF: the WAF is mainly aimed at protection of the application layer, for example Web application services, whereas the cloud firewall is aimed at protection of the network layer; if a server on the cloud uses a network service, the cloud firewall can protect it, so that attacks at the network layer can be resisted.
In one possible implementation, if the configuration risk feature in the target cloud security configuration scenario includes a host state monitoring feature, the object to be detected may include a host state monitoring object. The host state monitoring object may be, for example, a host-based intrusion detection system (HIDS), which is a monitor and analyzer of a computer system that focuses on the interior of the system, monitoring the dynamic behavior of all or part of the system and the state of the entire computer system.
In one possible implementation, if the configuration risk feature in the target cloud security configuration scenario includes an access rights feature, the object to be detected may include an access rights object. The access rights object may be, for example, Cloud Object Storage (COS), a distributed storage service provided in a cloud computing environment for storing massive numbers of files, which has the advantages of high scalability, low cost, reliability and security. The target object can access COS simply and quickly through the console, an API (Application Programming Interface), an SDK (Software Development Kit), tools and other means, and can upload, download and manage files in multiple formats, thereby realizing mass data storage and management. During the use of COS, in order to ensure the security of COS data, the access rights of COS objects may be restricted; a COS object here refers to a target object that needs to access COS, for example, a user that needs to access the COS.
In one possible implementation, if the configuration risk feature in the target cloud security configuration scenario includes an access control feature, the object to be detected may include an access control object. The access control object may be, for example, a host security group, which is a virtual firewall with stateful packet filtering, used to set network access control for resources such as edge computing machine instances, elastic load balancers and elastic network cards and to control instance-level access traffic, and which is an important means of network security isolation. By configuring security group rules, egress and ingress traffic of the instances within the security group can be allowed or denied. Under default conditions, or when the target object misoperates, the security group policy may be left too permissive; once the security group imposes no restriction, an attacker can launch attacks against the service system from any IP (Internet Protocol) address.
In one embodiment, the detection logic for performing security detection on the at least one object to be detected may refer to a detection order of the at least one object to be detected, for example, the order in which each object to be detected is detected. For example, if the objects to be detected include an application layer protection object, a network layer protection object, a host state monitoring object, an access rights object and an access control object, the detection order, from front to back, may be: the application layer protection object, the host state monitoring object, the network layer protection object, the access rights object and the access control object. It will be appreciated that the detection order may be adjusted according to specific requirements; for example, the adjusted detection order, from front to back, may be the host state monitoring object, the application layer protection object, the network layer protection object, the access rights object and the access control object, and so on. The detection order in the embodiment of the present application may be any other order, which is not limited in the embodiment of the present application.
Alternatively, when determining the at least one object to be detected using the configuration risk features, the determination may be based on an association relation table between configuration risk features and objects to be detected. For example, when the configuration risk feature is a host state monitoring feature, the corresponding object to be detected is a host state monitoring object; when the configuration risk feature is an access rights feature, the corresponding object to be detected is an access rights object; and so on. After acquiring the configuration risk features in the target cloud security configuration scenario, the objects to be detected corresponding to those features can be looked up in the association relation table. Because the association relation table between configuration risk features and objects to be detected is constructed in advance, the objects to be detected can be determined directly from the table, which improves data query efficiency.
In one implementation, the content items of the application layer protection object may include, but are not limited to, a rule engine, an AI engine, IP blocking penalty, application access control, region blocking, CC protection (Challenge Collapsar), web page tamper resistance, information leakage prevention and API security, which is not limited by the embodiments of the present application. The detected content items of the application layer protection object may include one or more of the rule engine, the AI engine, IP blocking penalty, application access control, region blocking, CC protection, web page tamper resistance, information leakage prevention and API security.
Among these, the rule engine can be used to provide protection against the OWASP (Open Web Application Security Project) Top 10 attacks, where the Top 10 attacks refer to the ten Web attack categories currently protected against. The Web attacks currently protected against include, but are not limited to, SQL (Structured Query Language) injection, XSS (Cross Site Scripting) attacks, malicious scanning, command injection attacks, Web application vulnerabilities, webshell (a code execution environment) upload, non-compliant protocols and trojan backdoors.
The AI engine can be used to provide machine-learning-based Web attack detection; through its self-learning, self-evolving and self-adapting capability it reduces false alarms as far as possible, improves the detection and capture rate of known and unknown Web threats, and adapts flexibly to continuously changing Web applications. The IP blocking penalty can be used to provide an attack-IP penalty function, which rapidly intercepts malicious Web attack IPs, responds quickly to behaviors such as malicious scanning, proxying and Web attack threats, and improves the efficiency of attack and defense confrontation.
The application access control may combine multiple features such as the request path of an HTTP packet, GET parameters (one way of passing request parameters), POST parameters (one way of transmitting parameters), the Referer (indicating the current access source) and the User-Agent (a message header reflecting the browser used to access the website and its version); these can be handled flexibly by means of an access control policy, and targeted rules can be combined to block various attack behaviors. By combining rules, access by public network users can be managed through feature matching in the face of various attacks from the internet, that is, an attack from the internet is blocked when a rule is matched.
The region blocking can be used to provide blacklist blocking for regions matching a region rule, blocking all access sources of that region. CC protection may be used to provide access protection for specific website URLs (Uniform Resource Locators); it integrates abnormal response conditions of the source station (timeouts, response delays) with big-data analysis of the website's historical access, decides on and generates defense strategies in emergency mode, and intercepts high-frequency access requests in real time.
The CC protection may formulate protection rules according to the access source IP or SESSION frequency of the target object (the target object's access frequency) and handle the access accordingly, where the handling measures include alarm, human-machine verification and blocking. For example, the target object needs to access a certain interface to query object information, the interface involves various background logic, and a large data volume in the query can cause abnormal resource occupation; if the target object accesses the interface abnormally and the access frequency is higher than the threshold, the target object's access can be blocked.
The web page tamper resistance can be used to provide protection of web page content, for example to protect the core static web pages of a website; by caching the web page and locking the access request it protects the website from the negative impact of malicious tampering with the source page, and tamper resistance rules can be configured as required. For example, the content of the web page can be crawled and stored periodically, and the target object accesses the cache first; if one-hour caching is used, the page content accessed by the target object is the content of one hour earlier, so that even if a malicious terminal tampers with the page content within that hour, the content accessed by the target object remains the earlier content and the target object's access is not affected.
The information leakage prevention function can support filtering (replacement, desensitized display and interception) of the content returned by the website, where the filtered content includes sensitive information (such as identity-related and contact-related information), keywords and response codes. By setting rules to prevent sensitive information leakage, requirements such as data security protection and compliance can be met. API security is used to provide protection for API interfaces: the WAF can perform security checks on an API request before an API conforming to the definition specification is allowed to execute. The API security protection module can be linked with the AI engine and with BOT behavior management (BOT behavior being a kind of attack behavior) to protect the API interface.
In another implementation, the content items of the host state monitoring object may include, but are not limited to, core file monitoring, file scanning and killing, abnormal login, password cracking, malicious request, high-risk command, local privilege escalation and reverse shell, which are not limited by the embodiment of the present application. The detected content items of the host state monitoring object may include one or more of core file monitoring, file scanning and killing, abnormal login, password cracking, malicious request, high-risk command, local privilege escalation and reverse shell.
Core file monitoring can be used to discover the signs of a host intrusion through real-time monitoring of core files, and thereby determine that an attack has occurred. File scanning and killing can be used to periodically check the security of the files in the system and to scan and remove dangerous files when they are found, so that dangerous files do not endanger the overall security of the host. Abnormal login means that host security collects login records not on the whitelist and marks them as suspicious or high-risk according to an intelligent algorithm, that is, it marks the login records that missed the whitelist. Password cracking can be used to provide real-time monitoring of brute-force password cracking behavior on the host and to realize an automatic blocking defense. Malicious request can be used to identify malicious request behavior through real-time monitoring and handling of external request behavior. High-risk command can be used to realize real-time monitoring of commands in the system by host security, based on security technology and multiple means in multiple dimensions; the risk level of a command can be graded and notified according to configured rules. Local privilege escalation means that if the system is accessed with low privileges and the privileges are then raised by some means, an event of obtaining high privileges is regarded as a hacker attack, since such behavior can endanger the security of the host. The local privilege escalation function can monitor privilege escalation events on the cloud server in real time, and the details of those events can be viewed and processed.
Reverse shell detection can be used to identify and record reverse shell connection behavior on a server, based on security technology and multi-dimensional, multi-means analysis, and provides real-time monitoring of reverse shell behavior for the cloud server.
In yet another implementation, the content items of the network layer protection object may include, but are not limited to, network access control, intrusion protection and network honeypot, which are not limited by the embodiments of the present application. The detected content items of the network layer protection object may include one or more of network access control, intrusion protection and network honeypot.
Network access control can exclude unauthorized target objects and devices from the business network, allow trusted devices or target objects outside the business to access the business network, and make devices comply with security compliance regulations. Intrusion protection can be used to actively intercept, in real time, malicious traffic such as hacking, worms, network viruses, backdoor trojans and DoS (Denial of Service), protecting enterprise information systems and network architecture from infringement and preventing operating systems and applications from being damaged or brought down. A network honeypot refers to a simulated service system running on the internet that does not actually carry any real business. The network honeypot is exposed in the user's network through a probe; when an attacker touches the honeypot, the attacker's information can be actively recorded, the attack method can be traced, and accurate attacker information and counter-tracing can be provided for the defense of the business. At the same time, in the network honeypot protection scenario, enough time is gained for the real business so that the purpose of a successful defense can be achieved.
In yet another implementation, the content items of the access rights object may include, but are not limited to, public rights and user rights, to which embodiments of the present application are not limited. The detected content items of the access rights object may include one or more of public rights and user rights.
The public rights may include private read/write, public read and private write, and public read/write. Under private read/write, read and write operations can be performed only after identity authentication; it is the default access right of a bucket and the safest one. Under public read and private write, anonymous read operations are allowed while write operations require identity verification. Under public read/write, both reads and writes can be performed anonymously. User rights may refer to the primary account having all rights to the bucket by default (that is, full control).
In yet another implementation, the content items of the access control object may include, but are not limited to, the service-open security group and the policy that the security group does not allow access from any source IP, which embodiments of the application do not limit. The detected content items of the access control object may include one or more of the service-open security group and the policy that the security group does not allow access from any source IP.
The service-open security group refers to checking that all servers, CLB (Cloud Load Balancer) instances and database services are configured with security groups, since a resource without a security group may be exposed to the public network. The policy that the security group does not allow access from any source IP refers to restricting access by source IP, checking whether any security group contains an allow policy that admits any source IP.
In this embodiment, when the detection logic indicates the detected content items of the at least one object to be detected, the detected content items in each object to be detected are acquired, and security detection can subsequently be performed on those items. When the detection logic indicates a detection order of the at least one object to be detected, the detection order of each object is acquired, and the at least one object to be detected can subsequently be security-detected in that order. When the detection logic indicates a detection order of the respective content items included in an object to be detected, the detection order of the content items in each object is acquired, and each content item can subsequently be detected in that order. When the detection logic indicates the detection order of the at least one object to be detected, the detection order of each content item included in the object, and the detected content items of the object, it is determined which content items in each object need to be detected (that is, the detected content items of each object) and in which order those items are detected, and security detection is then performed in combination with the detection order of the at least one object to be detected.
In the embodiment of the application, the detection logic corresponding to each object to be detected is acquired, and security detection can then be performed on each object based on that logic, which improves data detection efficiency. When the detection order of the at least one object to be detected is set, it can be set based on the association relation between the objects to be detected. The association relation reflects whether the detection of one object affects the detection of other objects: for example, detecting a certain object first may be a precondition for detecting other objects, whereas detecting it later would affect the detection conditions of those other objects; in that case the detection order of that object can be set higher than that of the other objects. For example, if a first object to be detected needs to be detected before a second object to be detected, the detection order of the first object can be set higher than that of the second, so as to avoid affecting the accuracy of data detection. Conversely, if a certain object to be detected needs to undergo security detection after other objects, its detection order can be set lower than that of the other objects, so as to ensure the normal operation of the security detection. Further, by setting the detection order of each content item in each object to be detected, it is possible to avoid affecting the security detection result of other content items because a certain content item in the object has not yet been detected, thereby ensuring the accuracy of the security detection.
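The following is an added example, not code from the patent or from the applicant: it shows one way to carry out step S102 as described above, looking the objects to be detected up in an association relation table, restricting each object to its detected content items, and deriving the detection order of the objects from precedence relations between them (the "association relation between the objects to be detected"). The feature names, object names and the two precedence pairs in `MUST_PRECEDE` are constructed for illustration; the patent lists the content items but fixes no particular dependency between objects.

```python
"""Added example (not part of the patent): build the detection logic of
step S102 from configuration risk features.  Names and the precedence
pairs are constructed for illustration."""
from collections import deque

# Association relation table between configuration risk features and
# objects to be detected (constructed from the pairs the description lists).
FEATURE_TO_OBJECTS = {
    "protection": ["application_layer_protection", "network_layer_protection"],
    "host_state_monitoring": ["host_state_monitoring"],
    "access_rights": ["access_rights"],
    "access_control": ["access_control"],
}

# All content items of each object to be detected, in a constructed order.
CONTENT_ITEMS = {
    "application_layer_protection": [
        "rule_engine", "ai_engine", "ip_blocking_penalty", "application_access_control",
        "region_blocking", "cc_protection", "web_page_tamper_resistance",
        "information_leakage_prevention", "api_security"],
    "network_layer_protection": ["network_access_control", "intrusion_protection", "network_honeypot"],
    "host_state_monitoring": [
        "core_file_monitoring", "file_scanning_and_killing", "abnormal_login", "password_cracking",
        "malicious_request", "high_risk_command", "local_privilege_escalation", "reverse_shell"],
    "access_rights": ["public_rights", "user_rights"],
    "access_control": ["service_open_security_group", "any_source_ip_policy"],
}

# (first, second): `first` must be detected before `second`.  Constructed
# assumption used only to illustrate the ordering rule.
MUST_PRECEDE = [
    ("access_control", "network_layer_protection"),
    ("host_state_monitoring", "application_layer_protection"),
]


def objects_for_features(features):
    """Look the objects up in the association table; keep first-seen order, drop duplicates."""
    found = []
    for feature in features:
        for obj in FEATURE_TO_OBJECTS.get(feature, []):
            if obj not in found:
                found.append(obj)
    return found


def detection_order(objects, must_precede=MUST_PRECEDE):
    """Order objects so every precedence pair is respected (Kahn's algorithm);
    objects with no constraint keep their input order.  A cycle means the
    precedence table is inconsistent, so it is reported rather than guessed."""
    objects = list(objects)
    indegree = {o: 0 for o in objects}
    successors = {o: [] for o in objects}
    for first, second in must_precede:
        if first in indegree and second in indegree:
            successors[first].append(second)
            indegree[second] += 1
    ready = deque(o for o in objects if indegree[o] == 0)
    ordered = []
    while ready:
        obj = ready.popleft()
        ordered.append(obj)
        for nxt in successors[obj]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(ordered) != len(objects):
        raise ValueError("cyclic precedence between objects to be detected")
    return ordered


def build_detection_logic(features, detect_items=None):
    """Detection logic: objects in detection order, each with its detected
    content items in their detection order.  `detect_items` maps an object to
    the subset of its content items that must be detected; an object not in
    the map is detected on all of its content items."""
    detect_items = detect_items or {}
    logic = []
    for obj in detection_order(objects_for_features(features)):
        wanted = detect_items.get(obj)
        items = [i for i in CONTENT_ITEMS[obj] if wanted is None or i in wanted]
        logic.append({"object": obj, "detect_items": items})
    return logic


if __name__ == "__main__":
    for entry in build_detection_logic(
            ["protection", "host_state_monitoring", "access_rights", "access_control"],
            {"access_rights": ["public_rights"]}):
        print(entry["object"], "->", entry["detect_items"])
```

With the constructed precedence pairs, the host state monitoring object and the access control object are placed ahead of the application layer and network layer protection objects respectively, while unconstrained objects keep the order in which the table produced them.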
In one implementation, the detection logic for performing security detection on the at least one object to be detected can be obtained by calling the corresponding API interface on the cloud device: the cloud device can expose an API interface for any object to be detected, and the cloud application can obtain the detection logic of an object by sending an API request for that object to the cloud device. For example, the detection logic obtained from the API interface of an object to be detected may have been configured in advance by a developer. Alternatively, the detection logic may be matched from a detection logic library, in which the detection logic of each object to be detected is stored in advance, or the detection logic in the library may be derived from the historical detection logic of the object to be detected, and so on, which is not limited by the embodiment of the present application.
S103, acquiring a detection condition for performing security detection on the at least one object to be detected.
In the embodiment of the application, the detection condition is used to indicate whether the security detection of the at least one object to be detected is triggered. By acquiring the detection condition for the security detection of the at least one object to be detected, it can be judged whether the detection condition is currently satisfied, and the security detection of the object to be detected is then carried out.
In one implementation, the detection condition may include a time trigger condition; alternatively, it may include a state trigger condition; alternatively, it may include both a time trigger condition and a state trigger condition. A state trigger condition is satisfied when a certain state is reached, including, but not limited to, an abnormality occurring in a certain device, certain external information being received, or a manual trigger instruction being received. A time trigger condition is satisfied when a trigger time or trigger period is reached, which triggers the security detection. When the state trigger condition is satisfied, the security detection of the at least one object to be detected is triggered.
In one implementation, whether the detection condition is a time trigger condition or a state trigger condition may be determined as follows: acquire a first abnormal detection frequency of security detection performed under a time trigger condition and a second abnormal detection frequency of security detection performed under a state trigger condition; if the first abnormal detection frequency is higher than the second, determine that the detection condition is a time trigger condition; and if the first abnormal detection frequency is lower than the second, determine that the detection condition is a state trigger condition.
The first abnormal detection frequency can be determined from the number of abnormalities historically found by security detection under a time trigger condition, and the second abnormal detection frequency from the number of abnormalities historically found by security detection under a state trigger condition. If the two frequencies are equal, either the time trigger condition or the state trigger condition may be selected as the detection condition. Since a higher abnormal detection frequency indicates that security detection using that kind of detection condition is more reliable, comparing the two frequencies determines which detection condition to use and improves the reliability of the security detection. Once the detection condition is determined, the at least one object to be detected can be security-detected whenever the condition is satisfied, without triggering the detection manually, which improves security detection efficiency.
In the embodiment of the application, setting the detection condition as a time trigger condition, so that the security detection flow is triggered when the trigger time is reached, reduces resource overhead. Setting the detection condition as a state trigger condition, so that the security detection flow is triggered when a certain state is reached (for example, when abnormality information about a certain device is received), improves the timeliness of security detection. Setting the detection condition as both a time trigger condition and a state trigger condition allows the security detection to be performed periodically according to the time trigger condition, reducing resource overhead, while the state trigger condition additionally triggers detection when its state is reached, so that the accuracy of security detection is improved while resource overhead is kept low.
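The following is an added example, not code from the patent or from the applicant: it implements the selection of the detection condition described above (comparing the first and second abnormal detection frequencies) and the evaluation of the time trigger condition, the state trigger condition and their combination. The history lists, the trigger times and the state event names are constructed; the patent does not state how the frequency is normalized, so this example uses the share of past detection runs that found an abnormality, which is an assumption.

```python
"""Added example (not part of the patent): choose the detection condition of
step S103 from historical abnormal detection frequencies and decide whether
the condition is currently met.  Histories, times and event names are
constructed."""
from datetime import datetime

# Constructed state names that satisfy the state trigger condition.
STATE_TRIGGERS = {"device_abnormal", "external_info_received", "manual_trigger"}


def anomaly_frequency(history):
    """Abnormal detection frequency of one trigger kind: share of past runs
    that found an abnormality (assumption; `history` is a list of booleans)."""
    if not history:
        return 0.0
    return sum(1 for found in history if found) / len(history)


def choose_detection_condition(time_history, state_history):
    """Keep the trigger kind with the higher abnormal detection frequency.
    On a tie the description allows either; this example keeps "time"."""
    first = anomaly_frequency(time_history)    # time trigger condition
    second = anomaly_frequency(state_history)  # state trigger condition
    if first > second:
        return "time"
    if first < second:
        return "state"
    return "time"  # tie: either is acceptable (assumption: time)


def clock(hour, minute, second):
    """Helper producing a wall-clock value for the checks below."""
    return datetime(2024, 1, 1, hour, minute, second)


def time_condition_met(now, minute=0, second=0, interval_minutes=None):
    """Time trigger condition.  By default it fires at the configured minute
    and second of every hour ("0 minutes and 0 seconds per hour"); with
    `interval_minutes` it fires every N minutes instead."""
    if interval_minutes:
        return now.minute % interval_minutes == 0 and now.second == second
    return now.minute == minute and now.second == second


def state_condition_met(events):
    """State trigger condition: at least one triggering state has occurred."""
    return any(event in STATE_TRIGGERS for event in events)


def should_detect(condition, now, events):
    """Whether step S104 is triggered under the chosen detection condition.
    "both" requires the trigger time and the trigger state simultaneously."""
    if condition == "time":
        return time_condition_met(now)
    if condition == "state":
        return state_condition_met(events)
    if condition == "both":
        return time_condition_met(now) and state_condition_met(events)
    raise ValueError(f"unknown detection condition: {condition}")


if __name__ == "__main__":
    # Constructed histories: True = that run found an abnormality.
    chosen = choose_detection_condition([True, True, False], [False, False, True])
    print("detection condition:", chosen)
    print("trigger at 13:00:00:", should_detect(chosen, clock(13, 0, 0), []))
```

Note that with the "both" condition a device abnormality received at 13:05 does not start a detection on its own; it is only acted on when the next trigger time coincides with a still-pending state, so a practitioner combining the two conditions should keep the pending state until it has been consumed by a run.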
In one implementation, the security detection of an object to be detected may be triggered by configuring a trigger. The trigger may trigger the security detection actively or passively. Active triggering is caused by external information, for example triggering the security detection of the object to be detected when an access request is received; such a trigger condition corresponds to a state trigger condition. Passive triggering does not require an external stimulus but fires on its own, for example periodic triggering by time; such a trigger condition corresponds to a time trigger condition. Optionally, when the trigger is a time trigger, the trigger time configured in the time trigger may be taken as the detection condition for performing security detection on the at least one object to be detected, that is, the security detection is performed when the trigger time of the time trigger is reached. The time trigger may be set to any time, for example at 0 minutes and 0 seconds of every hour, or at 30-minute intervals, or at 10-minute intervals, and so on. As shown in fig. 3, which is a schematic diagram of an interface for setting a time trigger according to an embodiment of the present application, by setting the name of the trigger, for example "time trigger", and setting the trigger time, for example 0 minutes and 0 seconds of every hour, the security detection is triggered at the beginning of each hour, that is, once every hour. Because the trigger starts the security detection only when the trigger condition is satisfied, resource overhead is reduced.
In the embodiment of the present application, the steps S101 to S102 may be executed first, then the step S103 may be executed, or the step S103 may be executed first, then the steps S101 to S102 may be executed, or the step S103 and the steps S101 to S102 may be executed in parallel, and the execution sequence of the steps S101 to S102 and the step S103 is not limited in the embodiment of the present application.
S104: when the detection condition is met, perform security detection on the at least one object to be detected according to the detection logic to obtain a security detection result.
In the embodiment of the present application, if the detection condition is a time trigger condition, security detection is performed on the at least one object to be detected according to the detection logic when the trigger time is reached. If the detection condition is a state trigger condition, security detection is performed on the at least one object to be detected according to the detection logic when the trigger state is met. If the detection condition consists of both a state trigger condition and a time trigger condition, security detection is performed on the at least one object to be detected according to the detection logic only when both the trigger state and the trigger time are met; for example, security detection is performed when the state trigger condition is that external information has been received and the current time also matches the trigger time of the time trigger condition. The security detection result indicates whether the object to be detected is in a secure state. Optionally, if the object to be detected is not in a secure state, it may be processed further, for example inspected manually, so as to improve data security.
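The trigger logic of S103/S104 above, worked through as an added example (not code from the patent): a time trigger that fires hourly at a fixed minute/second or at a fixed interval, a state trigger fired by external information, and a detection condition that requires every configured trigger to hold. The trigger classes, the scheduling rules, and the shape of the external information (a dict with a "kind" key) are assumptions made for illustration; the instants checked are constructed.

```python
"""Evaluating detection conditions built from time and state triggers.

Added illustration of the trigger discussion; not the patent's own code.
Trigger classes, schedule rules and the external-information format are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class TimeTrigger:
    """Passive trigger: fires on its own schedule, without external input.

    Either at a fixed minute/second of every hour (e.g. 0 min 0 s) or every
    `interval` (e.g. 30 min); `at_minute` takes precedence when both are set.
    """
    at_minute: Optional[int] = None
    at_second: int = 0
    interval: Optional[timedelta] = None
    _last_fired: Optional[datetime] = None

    def is_satisfied(self, now: datetime) -> bool:
        if self.at_minute is not None:
            if now.minute != self.at_minute or now.second != self.at_second:
                return False
            hour = now.replace(minute=0, second=0, microsecond=0)
            if self._last_fired == hour:          # already fired in this hour
                return False
            self._last_fired = hour
            return True
        if self.interval is not None:
            if self._last_fired is None or now - self._last_fired >= self.interval:
                self._last_fired = now
                return True
            return False
        return False


@dataclass
class StateTrigger:
    """Active trigger: fires when matching external information arrives,
    e.g. an access request for the object to be detected."""
    event_kind: str

    def is_satisfied(self, external_info: Optional[dict]) -> bool:
        return bool(external_info) and external_info.get("kind") == self.event_kind


@dataclass
class DetectionCondition:
    """Every configured trigger must hold for S104 to run (AND semantics)."""
    time_trigger: Optional[TimeTrigger] = None
    state_trigger: Optional[StateTrigger] = None

    def is_met(self, now: datetime, external_info: Optional[dict] = None) -> bool:
        if self.time_trigger is None and self.state_trigger is None:
            return False                          # nothing configured: never fire
        # State first, so an unmatched event does not consume the time slot.
        if self.state_trigger is not None and not self.state_trigger.is_satisfied(external_info):
            return False
        if self.time_trigger is not None and not self.time_trigger.is_satisfied(now):
            return False
        return True


def hourly_trace() -> List[bool]:
    """Hourly trigger (0 min 0 s) checked at four constructed instants."""
    cond = DetectionCondition(time_trigger=TimeTrigger(at_minute=0, at_second=0))
    t = datetime(2023, 1, 1, 10, 0, 0)
    return [
        cond.is_met(t),                              # 10:00:00 -> fires
        cond.is_met(t),                              # same hour again -> no
        cond.is_met(t + timedelta(seconds=30)),      # 10:00:30 -> no
        cond.is_met(t + timedelta(hours=1)),         # 11:00:00 -> fires
    ]


def interval_trace() -> List[bool]:
    """30-minute interval trigger checked at +0, +10 and +30 minutes."""
    cond = DetectionCondition(time_trigger=TimeTrigger(interval=timedelta(minutes=30)))
    t = datetime(2023, 1, 1, 10, 7, 0)
    return [cond.is_met(t), cond.is_met(t + timedelta(minutes=10)),
            cond.is_met(t + timedelta(minutes=30))]


def combined_trace() -> List[bool]:
    """State AND time: only an access request arriving at 10:00:00 fires."""
    cond = DetectionCondition(time_trigger=TimeTrigger(at_minute=0, at_second=0),
                              state_trigger=StateTrigger("access_request"))
    t = datetime(2023, 1, 1, 10, 0, 0)
    return [
        cond.is_met(t, None),                         # time ok, no event -> no
        cond.is_met(t, {"kind": "heartbeat"}),        # wrong event -> no
        cond.is_met(t, {"kind": "access_request"}),   # both hold -> fires
        cond.is_met(t + timedelta(minutes=5), {"kind": "access_request"}),  # time fails
    ]
```

Checking the state trigger before the time trigger matters for the combined case: if the hourly slot were consumed by an unmatched event, a matching access request arriving seconds later in the same hour would be silently dropped.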
In one embodiment, performing security detection on at least one object to be detected may mean detecting whether each object to be detected is in a preset logic state; if an object to be detected is in the preset logic state, it is determined to be in the secure state. The security detection result may indicate, for each of the at least one object to be detected, whether it is in the secure state: an object in the preset logic state is indicated to be secure, and an object not in the preset logic state is indicated to be insecure, i.e. to carry a significant security risk. The preset logic state may denote that a detected content item is in the on state: a detected content item in the preset logic state is on, and a detected content item not in the preset logic state is off. A detected content item in the on state means that the corresponding guard function is enabled.
In one possible implementation, a host exists on the cloud, i.e. a host asset exists on the cloud device, the at least one object to be detected includes a host state monitoring object, and security detection is performed on the host state monitoring object according to its detection logic to obtain a security detection result. The presence of a host on the cloud indicates that the cloud holds server host assets, so an HIDS service may be run to resist attacks that target the host, and the object to be detected accordingly includes a host state monitoring object. Performing security detection on the host state monitoring object helps ensure the security of the server host assets on the cloud.
Further, the host state monitoring object includes a plurality of detected content items, and the detection logic indicates which content items of the host state monitoring object to detect. Performing security detection on the host state monitoring object according to its detection logic to obtain the security detection result may then be: detect each detected content item of the host state monitoring object separately; if every detected content item is in the preset logic state, the security detection result indicates that the host state monitoring object is in the secure state; if any detected content item is not in the preset logic state, the security detection result indicates that the host state monitoring object is not in the secure state.
That is, the host state monitoring object is in the secure state only when all of its detected content items are in the on state. If one or more of its detected content items are in the off state, the host state monitoring object is not in the secure state.
For example, the detected content items of the host state monitoring object may include core file monitoring, file scanning, abnormal login detection, password cracking detection, malicious request detection, high-risk command detection, local privilege escalation detection and reverse shell detection, and each of these is checked for being in the preset logic state. Specifically, it is detected whether core file monitoring is in the preset logic state; whether file scanning is in the preset logic state; whether abnormal login detection is in the preset logic state; whether password cracking detection is in the preset logic state; whether malicious request detection is in the preset logic state; whether high-risk command detection is in the preset logic state; whether local privilege escalation detection is in the preset logic state; and whether reverse shell detection is in the preset logic state. If core file monitoring, file scanning, abnormal login detection, password cracking detection, malicious request detection, high-risk command detection, local privilege escalation detection and reverse shell detection are all in the preset logic state, the security detection result is determined to indicate that the host state monitoring object is in the secure state; if any detected content item is not in the preset logic state, the security detection result is determined to indicate that the host state monitoring object is not in the secure state.
In one possible implementation, if a Web application service exists on the cloud and the at least one object to be detected includes an application layer protection object, security detection is performed on the application layer protection object according to its detection logic to obtain a security detection result. A Web application service on the cloud indicates that attacks on the Web service are possible, so a WAF service may be run to defend against them, and the object to be detected may include an application layer protection object. Performing security detection on the application layer protection object helps ensure the security of the Web application service on the cloud.
Optionally, because the cloud device exposes multiple APIs, configuration information can be obtained by calling the corresponding API of the cloud device. If an item of configuration information is returned, the service corresponding to that item exists on the cloud device; if it is not returned, the corresponding service does not exist on the cloud device. In this way the services and devices present on the cloud, and hence the objects that need to be detected, can be determined.
In one possible implementation, the at least one object to be detected includes an application layer protection object, a network layer protection object, a host state monitoring object, an access right object and an access control object; the detection logic includes the detection logic of each of these five objects, namely their detection sequence and their detection content items. Performing security detection on the at least one object to be detected according to the detection logic to obtain a security detection result may then be done as follows:
Security detection is performed on the application layer protection object, the network layer protection object, the host state monitoring object, the access right object and the access control object according to their detection sequence and their detection content items, yielding a detection result for each of the five objects. The detection results of the five objects are then fused to obtain the security detection result. The fusion may add or aggregate the detection results of the individual objects to be detected into one security detection result.
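The per-object detection and result fusion described above (and the on/off evaluation of detected content items from the host state monitoring discussion), as an added example that is not the patent's code. The content items of the host state monitoring object are the ones the text lists; the items of the other four objects, the object names and the configuration snapshot are assumptions made for illustration.

```python
"""S104 worked through: detect each object to be detected according to the
detection logic (detection sequence + detection content items), then fuse
the per-object results into one security detection result.

Added example, not the patent's code. Object names, the non-host content
items and the configuration snapshot are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List

ON, OFF = "on", "off"
PRESET_LOGIC_STATE = ON   # an item is secure only when its guard function is on

# Detection logic part 1: the detection sequence.
DETECTION_SEQUENCE = [
    "application_layer_protection",   # WAF
    "network_layer_protection",       # cloud firewall
    "host_state_monitoring",          # HIDS
    "access_right",                   # object storage (COS)
    "access_control",                 # host security group
]

# Detection logic part 2: the detection content items of each object.
CONTENT_ITEMS: Dict[str, List[str]] = {
    "application_layer_protection": ["waf_protection"],                   # assumed
    "network_layer_protection": ["inbound_policy", "outbound_policy"],    # assumed
    "host_state_monitoring": [                                            # from the text
        "core_file_monitoring", "file_scan", "abnormal_login", "password_cracking",
        "malicious_request", "high_risk_command", "local_privilege_escalation",
        "reverse_shell",
    ],
    "access_right": ["bucket_private_acl"],                               # assumed
    "access_control": ["security_group_bound"],                           # assumed
}


@dataclass
class ObjectResult:
    name: str
    secure: bool
    off_items: List[str]


def detect_object(name: str, config: Dict[str, Dict[str, str]]) -> ObjectResult:
    """Check every detected content item of one object against the preset
    logic state. An item absent from the snapshot counts as off (fail closed)."""
    states = config.get(name, {})
    off_items = [item for item in CONTENT_ITEMS[name]
                 if states.get(item, OFF) != PRESET_LOGIC_STATE]
    return ObjectResult(name, secure=not off_items, off_items=off_items)


def fuse(results: List[ObjectResult]) -> dict:
    """Aggregate per-object results: secure overall only if every object is,
    and keep the off items so the insecure objects can be processed further."""
    insecure = {r.name: r.off_items for r in results if not r.secure}
    return {"secure": not insecure,
            "checked": [r.name for r in results],
            "insecure_objects": insecure}


def security_detect(config: Dict[str, Dict[str, str]],
                    sequence: List[str] = DETECTION_SEQUENCE) -> dict:
    """Run detection in the configured sequence and fuse the results.
    Only the objects in `sequence` (those determined from the configuration
    risk features) are detected."""
    return fuse([detect_object(name, config) for name in sequence])


def all_on(name: str) -> Dict[str, str]:
    return {item: ON for item in CONTENT_ITEMS[name]}


def healthy_result() -> dict:
    """Constructed snapshot with every guard function on."""
    return security_detect({name: all_on(name) for name in DETECTION_SEQUENCE})


def sample_result() -> dict:
    """Constructed snapshot: everything on except the host's reverse shell detection."""
    config = {name: all_on(name) for name in DETECTION_SEQUENCE}
    config["host_state_monitoring"]["reverse_shell"] = OFF
    return security_detect(config)
```

Treating a missing item as off is the conservative reading of "not in the preset logic state": a guard whose status the API did not return cannot be assumed to be enabled.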
In some possible scenarios, a detection frequency may further be determined for each of the application layer protection object, the network layer protection object, the host state monitoring object, the access right object and the access control object, and each object to be detected is then detected at its own frequency. Specifically, if the detection conditions include a time trigger condition for each object to be detected, the detection frequency of each object may be obtained, the time trigger condition of each object updated based on its detection frequency, and security detection performed on each object based on its updated time trigger condition. The detection frequency is determined from at least one of the anomaly record table of the object to be detected and the importance level of the object to be detected.
The anomaly record table may be built from the historical anomaly count or the anomaly periods of each object to be detected. For example, if the anomaly record table is built from historical anomaly counts, an object whose historical anomaly count exceeds a count threshold is assigned a detection frequency above a frequency threshold, and an object whose historical anomaly count is at or below the count threshold is assigned a detection frequency at or below the frequency threshold. The importance level of an object to be detected may be determined from its object type, which indicates the importance of the device the object belongs to: the higher the importance level, the greater the impact of an anomaly in that object on the system, and the lower the importance level, the smaller the impact. For example, an anomaly in some objects to be detected may render the whole system unusable, while an anomaly in others only disables some functions of the system.
Alternatively, the detection frequency of each object to be detected may also be determined from the device time of the object, i.e. the factory time of the device to which the object corresponds, such as the factory time of a server host. The earlier the device time, the higher the detection frequency set for the corresponding object: the earlier a device left the factory, the higher its probability of abnormality, so raising the detection frequency improves the accuracy of security detection. Alternatively, input parameters of the target object may be obtained and the detection frequency of each object to be detected determined from those input parameters.
In the embodiment of the present application, since the detection frequency of each object to be detected may differ, the time trigger condition of each object can be updated based on its detection frequency, and security detection performed on each object based on its updated time trigger condition. Setting a different detection time for each object to be detected enables targeted security detection and reduces resource overhead.
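The frequency-derivation rules of the preceding paragraphs, combined into one scheduler as an added example (not code from the patent): the anomaly record table, the importance level and the device time each shorten a base interval, an explicit input parameter of the target object overrides them, and the result becomes the new time trigger of each object. The base interval, the thresholds, the scaling factors and the object profiles are assumptions made for illustration.

```python
"""Per-object detection frequency from the anomaly record table, the
importance level, the device (factory) time and an optional input parameter,
then written back as each object's time trigger interval.

Added example, not the patent's code. Base interval, thresholds, factors and
the profiles below are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

BASE_INTERVAL = timedelta(hours=1)   # assumed default time trigger: once per hour
COUNT_THRESHOLD = 3                  # anomaly count above which detection speeds up
OLD_DEVICE_YEARS = 3                 # factory time older than this raises the frequency
MIN_INTERVAL = timedelta(minutes=1)  # floor so no trigger degenerates to "continuously"


@dataclass
class ObjectProfile:
    name: str
    anomaly_count: int                           # from the anomaly record table
    importance: int                              # 1 (low) .. 3 (high), from the object type
    factory_date: date                           # device time
    manual_interval: Optional[timedelta] = None  # input parameter of the target object


def detection_interval(p: ObjectProfile, today: date) -> timedelta:
    """Shorter interval = higher detection frequency."""
    if p.manual_interval is not None:            # explicit input parameter wins
        return max(p.manual_interval, MIN_INTERVAL)
    factor = 1
    if p.anomaly_count > COUNT_THRESHOLD:        # anomaly record table
        factor *= 2
    factor *= max(1, min(p.importance, 3))       # importance level
    age_years = (today - p.factory_date).days / 365.25
    if age_years >= OLD_DEVICE_YEARS:            # device time
        factor *= 2
    return max(BASE_INTERVAL / factor, MIN_INTERVAL)


def update_time_triggers(profiles: List[ObjectProfile], today: date) -> Dict[str, int]:
    """Updated time trigger interval of each object, in seconds."""
    return {p.name: int(detection_interval(p, today).total_seconds()) for p in profiles}


def example_schedule() -> Dict[str, int]:
    """Constructed profiles for four objects, evaluated on a fixed date."""
    today = date(2023, 6, 1)
    profiles = [
        ObjectProfile("access_control", anomaly_count=0, importance=1,
                      factory_date=date(2022, 1, 1)),
        ObjectProfile("host_state_monitoring", anomaly_count=5, importance=3,
                      factory_date=date(2018, 1, 1)),
        ObjectProfile("network_layer_protection", anomaly_count=1, importance=2,
                      factory_date=date(2022, 1, 1)),
        ObjectProfile("application_layer_protection", anomaly_count=0, importance=1,
                      factory_date=date(2022, 1, 1), manual_interval=timedelta(minutes=10)),
    ]
    return update_time_triggers(profiles, today)
```

With these factors a low-importance, recently built, anomaly-free object keeps the hourly base trigger, while a high-importance, old host with a noisy anomaly history is detected every 5 minutes.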
In one embodiment, the target security application may be built automatically, and the target security application is then invoked to perform security detection on the at least one object to be detected according to the detection logic. Alternatively, the target security application may be built as follows: obtain the configuration requirement features in the target cloud security configuration scenario; screen at least one security component matching the configuration requirement features from the component database, and build the target security application from the screened security component(s). The component database stores pre-packaged security components with different functional logic.
The configuration requirement feature indicates a security detection requirement in the target cloud security configuration scenario, and may include, but is not limited to, an application layer protection feature, a host state monitoring feature, a network layer protection feature, an access right feature and an access control feature; this is not limited in the embodiment of the present application. Obtaining the configuration requirement features of the target cloud security configuration scenario determines the security detection requirements in that scenario: for example, if the configuration requirement features include an application layer protection feature, there is a requirement for security detection of application layer protection in this scenario; if they include a host state monitoring feature, there is a requirement for security detection of host state monitoring; and so on. The configuration requirement features may be preconfigured by a developer, obtained from a requirement feature library for the target cloud security configuration scenario, and so on.
Optionally, if the configuration requirement features include an application layer protection feature, the security component screened from the component database to match it may be an application layer protection component; if they include a host state monitoring feature, the matching security component may be a host state monitoring component; if they include a network layer protection feature, a network layer protection component; if they include an access right feature, an access right component; and if they include an access control feature, an access control component. The application layer protection component may include, for example but not limited to, a WAF component; the host state monitoring component may include, for example but not limited to, an HIDS component; the network layer protection component may include, for example but not limited to, a cloud firewall component; the access right component may include, for example but not limited to, a COS (cloud object storage) component; and the access control component may include, for example but not limited to, a host security group component.
For example, if the WAF component, the HIDS component and the cloud firewall component are screened from the component database, these three security components may be used to build the target security application, and security detection is then performed on the at least one object to be detected according to the detection logic using that application. If the detection logic specifies the detection content items of the objects to be detected, each detected content item of the application layer protection object is checked by the WAF component, each detected content item of the host state monitoring object by the HIDS component, and each detected content item of the network layer protection object by the cloud firewall component. Likewise, if the WAF component, the HIDS component, the cloud firewall component, the COS storage component and the host security group component are screened from the component database and the detection logic specifies the detection content items, the WAF component checks each detected content item of the application layer protection object; the HIDS component checks those of the host state monitoring object; the cloud firewall component those of the network layer protection object; the COS storage component those of the access right object; and the host security group component those of the access control object.
In the embodiment of the present application, obtaining the configuration requirement features in the target cloud security configuration scenario allows the matching security components to be screened from the component database and the target security application to be built. No manual participation is needed: trigger conditions for obtaining the configuration requirement features, which may include but are not limited to time trigger conditions and/or state trigger conditions, are set, the configuration requirement features are obtained when a trigger condition is met, the security components are fetched from the component database and packaged into the target security application, and security detection of the object to be detected is thereby achieved. In addition, developers can pre-package security components with different functional logic and store them in the component database, so that the required components can later be taken directly from the database. Writing general components in advance, packaging them and storing them in the component database means they can be reused directly, without rewriting the corresponding code each time they are needed, which saves time and improves data processing efficiency.
Optionally, after the target security application is built, a security component in it may be updated and security detection performed with the updated target security application. Specifically, when a scene switching instruction is received, the switching requirement feature indicated by the instruction is obtained; the switching requirement feature indicates a security detection requirement that has changed relative to the target cloud security configuration scenario, where the change includes at least one of an addition and a modification. A security component matching the switching requirement feature is screened from the component database, the security components in the target security application are adjusted based on it to obtain an updated target security application, and security detection is performed using the updated target security application.
Since the change includes at least one of an addition and a modification, adjusting the security components in the target security application based on the security component matching the switching requirement feature may include modifying one or more security components in the target security application or adding one or more security components to it. Because the target security application is assembled from components, the security components can be modified or added directly and the connections between them adjusted, so there is no need to rewrite the code of each security component and rebuild the target security application from rewritten code. Because each component is a packaged component with independent logic processing capability, adjusting one component of the target security application does not affect the functions of the other components, which improves application update efficiency.
Optionally, the change may also include a deletion: when a scene switching instruction is received, the switching requirement feature indicated by the instruction is obtained, the security component in the target security application matching the switching requirement feature is deleted to obtain the updated target security application, and security detection is performed using the updated target security application. Deleting a security component from the target security application removes its connections to the other security components, without rewriting the code of any security component. Because each component is a packaged component with independent logic processing capability, deleting one component of the target security application does not affect the functions of the other components, which improves application update efficiency.
In one possible scenario, the switching requirement feature may be obtained from an operation of the target object. For example, when a scene switching operation of the target object is detected, it may be determined that a scene switching instruction has been received; a scene switching page is output through an output device such as a display screen, the input data of the target object's input operation on the scene switching page, or the selection data of its selection operation, is obtained, and that input data or selection data is used as the switching requirement feature. If the change to the target security configuration scenario includes a deletion, the corresponding security component is deleted from the target security application to obtain the updated target security application, with which security detection is performed. Because the scene switching instruction points to a different scenario, one or more components of the target security application may be changed (added, modified or deleted) and the target security application rebuilt from the remaining security components. This adjusts the security components of the target security application and improves application update efficiency; performing security detection with the updated target security application improves the accuracy of data detection.
In another possible scenario, the switching requirement feature may be obtained from external information. For example, when change information about a certain device is received, it is determined that a scene switching instruction has been received, and the configuration risk feature corresponding to that change information is obtained as the switching requirement feature. Suppose the target security application was built from the HIDS component and the cloud firewall component; when change information is received indicating that a Web application service now exists among the assets on the cloud, the configuration risk feature corresponding to that change, such as the application layer protection feature, is obtained as the switching requirement feature. A security component matching the application layer protection feature, such as the WAF component, is then screened from the component database, and the updated target security application is obtained from the screened component and the existing target security application, i.e. it is now built from the WAF component, the HIDS component and the cloud firewall component. Determining the matching security component from the component database by the switching requirement feature in this way changes the components of the target security application, improves application update efficiency, and makes the security detection performed by the updated application more targeted and therefore more accurate.
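The component-database screening and scene switching of the preceding paragraphs, as one added example that is not the patent's code. It builds a target security application from configuration requirement features, then applies additions, modifications and deletions as connected components, and walks through the text's own scenario (HIDS + cloud firewall, then a Web application service appears, then the WAF is added). The database entries, the mapping from change information to configuration risk features, and the representation of connections as a chain in flow order are assumptions made for illustration; the component names are the ones the text mentions.

```python
"""Building a target security application from pre-packaged components and
adjusting it on a scene switch (add / modify / delete).

Added example, not the patent's code. Database contents, the change-info
mapping and the chain representation of connections are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Component database: pre-packaged security components, each tagged with
# the configuration requirement feature it satisfies (assumed contents).
COMPONENT_DATABASE: Dict[str, str] = {
    "WAF": "application_layer_protection",
    "HIDS": "host_state_monitoring",
    "CloudFirewall": "network_layer_protection",
    "COS": "access_right",
    "HostSecurityGroup": "access_control",
}

# External change information -> configuration risk feature (assumed).
CHANGE_INFO_TO_FEATURE: Dict[str, str] = {
    "web_application_service_added": "application_layer_protection",
    "host_asset_added": "host_state_monitoring",
    "object_storage_bucket_added": "access_right",
}


def screen_components(features: Set[str]) -> List[str]:
    """Every component whose feature is requested, in database order."""
    return [name for name, feat in COMPONENT_DATABASE.items() if feat in features]


@dataclass
class TargetSecurityApplication:
    components: List[str] = field(default_factory=list)

    def connections(self) -> List[Tuple[str, str]]:
        """Components are connected in flow order; editing the list edits the
        connections without touching any component's code."""
        return list(zip(self.components, self.components[1:]))

    def add(self, names: List[str]) -> None:
        for n in names:
            if n not in self.components:
                self.components.append(n)

    def modify(self, old: str, new: str) -> None:
        """Swap a component for another that serves the same feature."""
        if COMPONENT_DATABASE.get(old) != COMPONENT_DATABASE.get(new):
            raise ValueError("replacement must satisfy the same feature")
        self.components = [new if c == old else c for c in self.components]

    def delete(self, names: List[str]) -> None:
        self.components = [c for c in self.components if c not in names]


def build_application(requirement_features: Set[str]) -> TargetSecurityApplication:
    return TargetSecurityApplication(screen_components(requirement_features))


def switch_scene(app: TargetSecurityApplication, instruction: dict) -> TargetSecurityApplication:
    """Apply a scene switching instruction of the form
    {"add": {features}, "delete": {features}, "modify": {old: new}}."""
    app.add(screen_components(set(instruction.get("add", ()))))
    app.delete(screen_components(set(instruction.get("delete", ()))))
    for old, new in instruction.get("modify", {}).items():
        app.modify(old, new)
    return app


def switch_on_change_info(app: TargetSecurityApplication, change_info: str) -> TargetSecurityApplication:
    """External-information path: change info -> configuration risk feature
    -> screen and add the matching component."""
    return switch_scene(app, {"add": {CHANGE_INFO_TO_FEATURE[change_info]}})


def walkthrough() -> List[List[str]]:
    """The text's scenario, then a deletion: component lists after each step."""
    app = build_application({"host_state_monitoring", "network_layer_protection"})
    step0 = list(app.components)
    switch_on_change_info(app, "web_application_service_added")
    step1 = list(app.components)
    switch_scene(app, {"delete": {"network_layer_protection"}})
    step2 = list(app.components)
    return [step0, step1, step2]
```

The feature check in `modify` is the guard the text implies when it says the main functional logic stays stable while components change: a component may be replaced only by one that satisfies the same configuration requirement feature, so a swap can never silently drop a protection layer.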
That is, following the approach of functional component decomposition, commonly used functional logic is abstracted into general components, which are packaged and stored in the component database, so that the running body of the application is separated from its configuration. Across different application scenarios the components can be changed flexibly while the main functional logic of the security application remains stable, so the security application can be updated quickly and application update efficiency is improved.
In one embodiment, the configuration requirement features of several different cloud security configuration scenarios may be obtained separately, the security detection requirements of each scenario determined from its configuration requirement features, and a security application built for each scenario based on its security detection requirements. That is, when multiple cloud security configuration scenarios exist, obtaining the configuration requirement features of each scenario allows one or more security components for that scenario to be screened from the component database and a security application for that scenario to be built from them; during subsequent security detection, a different security application can then be selected for each cloud security configuration scenario, giving targeted security detection and improving its efficiency. The security application of each cloud security configuration scenario can also be reused, which improves data detection efficiency.
In another embodiment, a customized target security application can also be built through operations of the target object. Specifically, a security configuration interface may be output that includes a canvas area and a component area, the component area containing a plurality of pre-packaged security components with different functional logic; an operation on at least one security component in the canvas area is detected, the operation including at least one of a drag operation on a security component and a connect operation between different security components; and the target security application is obtained based on the operation on the at least one security component.
In the embodiment of the present application, because the output security configuration interface includes a canvas area and a component area, the target object can drag security components from the component area, thereby selecting at least one security component, and after selecting several security components can connect them, thereby setting the order of operation between them. When an operation on at least one security component in the canvas area is detected, such as a drag operation, the dragged security component is rendered in the canvas area; when a connect operation on at least one security component in the canvas area is detected, the connection relationship between the security components is rendered and shown in the canvas area. Customizing the target security application in this way improves the flexibility of application construction.
In the embodiment of the present application, the configuration risk features of the target cloud security configuration scenario are obtained, so that at least one object to be detected can be determined from them, the detection logic for performing security detection on the at least one object to be detected is obtained, and the detection condition for performing that security detection is obtained; when the detection condition is met, security detection is performed on the at least one object to be detected according to the detection logic to obtain a security detection result, and whether the object to be detected is in a secure state is determined from that result. If the object to be detected is not in a secure state, it can be processed further, improving data security. By obtaining the objects to be detected in the target cloud security configuration scenario and triggering the security detection flow for them whenever the detection condition is met, the security detection flow need not be triggered manually, which improves detection efficiency and reduces detection cost.
Optionally, referring to fig. 4, fig. 4 is a flow chart of another security detection method based on cloud security configuration according to an embodiment of the present application. The security detection method based on the cloud security configuration can be applied to cloud equipment, as shown in fig. 4, and includes, but is not limited to, the following steps:
S201, configuring a time trigger.
In one implementation, the entire security detection method may be defined as a workflow, so that the workflow can be triggered automatically for the various security detections. Here, a workflow refers to the automation of part or all of a business process in a computer application environment; it is an abstract, general description of the process and of the business rules between its operation steps. The security components in the workflow (i.e. the components constituting the target security application) are application components that abstract common functions or interface services, so that the user only needs to configure them graphically when implementing the function of the target object, without starting from writing code. A workflow instance refers to the complete set of functions obtained by concatenating the security components of a workflow in flow order.
In one embodiment, the core of the workflow may comprise two parts: a visual editor and a workflow engine. The visual editor can edit and arrange the components of the workflow. Because the components are packaged and stored in advance, the target object can drag and connect them in the visual editor to complete the arrangement of the workflow, so the workflow can be constructed quickly without a large investment of developer effort. The functional logic between components is realized through configuration in the graphical interface, which reduces the cost of using the components and allows non-professional code developers to develop applications, thereby improving development flexibility. The workflow engine abstracts commonly used functional logic into general components by disassembling it into functional components, packages and stores the general components in a component database, and separates the operation body of the security application from its configuration; in different application scenes the components can be changed flexibly while the main functional logic remains stable, so the security application can be updated rapidly.
As shown in FIG. 5, FIG. 5 is a schematic diagram of the internal architecture of a visual editor provided by an embodiment of the application. The visual editor may include, but is not limited to, an application parameter configurator, an application selector, a debugger, a graphics rendering engine, a version controller, and a stream orchestration canvas. The application parameter configurator transmits the configured parameters to the back end; the application selector maps the graph dragged in the front end to the corresponding back-end component; the debugger removes faults and errors; the graphics rendering engine renders the object being dragged into an image; the version controller records a version through the back end on every drag. The stream orchestration canvas is the front-end canvas into which all images can be dragged.
In a specific implementation, a security configuration interface is output with the visual editor preconfigured in it. The application selector then detects the drag operation of the target object and maps the image dragged in the front end to the corresponding back-end component, and the graphics rendering engine renders the dragged object into an image and displays it in the stream orchestration canvas. The connections between components are further detected, and the connection parameters are transmitted to the back end through the application parameter configurator, so that the selected components and the connections between them can be displayed on the stream orchestration canvas.
Further, as shown in fig. 6, fig. 6 is a schematic diagram of the internal structure of a workflow engine according to an embodiment of the present application. The workflow engine may include, but is not limited to, a logic processing engine, a syntax parsing engine, an application execution engine, a credential authentication engine, a trigger monitor, and a flow execution engine. The logic processing engine performs the logic-related processing when the workflow reaches a condition judgment that determines different flow directions; the syntax parsing engine resolves, when a variable reference exists, which value from another application is used across components; the application execution engine runs code; the credential authentication engine acquires credential information so that, when an application requires login, the account and password are used to log in first. The trigger monitor monitors the start of the workflow, and the flow execution engine executes the workflow.
In a specific implementation, the trigger monitor can monitor whether the workflow needs to be started currently, and when the workflow starting condition is met, the workflow is started. The application execution engine is used for running codes, namely corresponding components in the running workflow execute the workflow; when the workflow runs to different flow directions requiring condition judgment, the logic processing engine is used for condition judgment to determine which workflow node is executed next.
In the embodiment of the present application, the method for specifically configuring the time trigger may refer to the method in step S103, which is not described herein.
S202, security detection is carried out on the application layer protection object based on the WAF component.
In the embodiment of the application, WAF components, HIDS components, cloud firewall components, COS storage components and host security group components can be screened from the component database to construct the target security application. And when the constructed target security application is operated, each component in the target security application is used for carrying out security detection on different objects to be detected. The method for performing security detection on the application layer protection object based on the WAF component may refer to the implementation manner in step S104, which is not described herein.
The security detection of the application layer protection object based on the WAF component may refer to detecting whether the application layer protection object is in a preset logic state, for example whether each detected content item included in the application layer protection object is in the preset logic state. The detected content items of the application layer protection object may include one or more of a rule engine, an AI engine, an IP blocking penalty, application access control, region blocking, CC protection, webpage tamper resistance, information leakage resistance and API security. The preset logic state may be "True". If the detected content items of the application layer protection object comprise a rule engine, an AI engine, an IP (Internet protocol) blocking penalty, application access control, region blocking, CC (component control) protection, webpage tamper resistance, information leakage resistance and API (application program interface) security, then the application layer protection object is in the preset logic state when {"rule engine": "True", "AI engine": "True", "IP blocking penalty": "True", "access control": "True", "region blocking": "True", "CC protection": "True", "webpage tamper resistance": "True", "information leakage resistance": "True", "API security": "True"}. Here "True" and "False" denote the on and off positions of the switch of a WAF protection policy: when every detected content item in the WAF component is configured as "True", the WAF is secure, that is, the application layer protection object is in a secure state. When any detected content item in the WAF component is configured as "False", the WAF is not secure, i.e. the application layer protection object is not in a secure state.
S203, performing security detection on the host state monitoring object based on the HIDS component.
In the embodiment of the present application, the method for performing security detection on the host state monitoring object based on the HIDS component may refer to the implementation manner in step S104, which is not described herein again.
The security detection of the host state monitoring object based on the HIDS component may refer to detecting whether the host state monitoring object is in a preset logic state, for example whether each detected content item included in the host state monitoring object is in the preset logic state. The detected content items of the host state monitoring object may include one or more of core file monitoring, file scanning and killing, abnormal login, password cracking, malicious requests, high-risk commands, local privilege escalation and reverse shell. If the detected content items of the host state monitoring object comprise core file monitoring, file scanning and killing, abnormal login, password cracking, malicious request, high-risk command, local privilege escalation and reverse shell, then the host state monitoring object is in the preset logic state when {"core file monitoring": "True", "file scanning and killing": "True", "abnormal login": "True", "password cracking": "True", "malicious request": "True", "high-risk command": "True", "local privilege escalation": "True", "reverse shell": "True"}. Here "True" and "False" denote the on and off positions of the switch of an HIDS protection policy: when every detected content item in the HIDS component is configured as "True", the HIDS is secure, that is, the host state monitoring object is in a secure state. When any detected content item in the HIDS component is configured as "False", the HIDS is not secure, i.e. the host state monitoring object is not in a secure state.
S204, security detection is carried out on the network layer protection object based on the cloud firewall component.
In the embodiment of the present application, the method for performing security detection on the network layer protection object based on the cloud firewall component may refer to the implementation manner in step S104, which is not described herein again.
The security detection of the network layer protection object based on the cloud firewall component may refer to detecting whether the network layer protection object is in a preset logic state, for example whether each detected content item included in the network layer protection object is in the preset logic state. The detected content items of the network layer protection object may include one or more of network access control, intrusion protection and network honeypot. If the detected content items of the network layer protection object comprise network access control, intrusion protection and network honeypot, then the network layer protection object is in the preset logic state when {"access control": "True", "intrusion protection": "True", "network honeypot": "True"}. Here "True" and "False" denote the on and off positions of the switch of a cloud firewall protection policy: when every detected content item in the cloud firewall component is configured as "True", the cloud firewall is secure, that is, the network layer protection object is in a secure state. When any detected content item in the cloud firewall component is configured as "False", the cloud firewall is not secure, i.e. the network layer protection object is not in a secure state.
S205, security detection is carried out on the access rights object based on the COS storage component.
In the embodiment of the present application, the method for security detection of the access rights object based on the COS storage component may refer to the implementation manner in step S104, which is not described herein.
The security detection of the access rights object based on the COS storage component may refer to detecting whether the access rights object is in a preset logic state, for example whether each detected content item included in the access rights object is in the preset logic state. The detected content items of the access rights object may comprise one or more of public rights and user rights. If the detected content items of the access rights object comprise public rights and user rights, then the access rights object is in the preset logic state when {"limit public rights": "True", "limit user rights": "True"}. Here "True" indicates that the rights have been restricted and "False" that they have not: when every detected content item in the COS storage component is configured as "True", the COS storage is secure, i.e. the access rights object is in a secure state. When any detected content item in the COS storage component is configured as "False", the COS storage is not secure, i.e. the access rights object is not in a secure state.
S206, security detection is carried out on the access control object based on the host security group component.
In the embodiment of the present application, the method for performing security detection on the access control object based on the host security group component may refer to the implementation manner in step S104, which is not described herein.
The security detection of the access control object based on the host security group component may refer to detecting whether the access control object is in a preset logic state, for example whether each detected content item included in the access control object is in the preset logic state. The detected content items of the access control object may include one or more of a security group that opens all services and a security group policy that allows no source IP access. If the detected content items of the access control object comprise a security group that opens all services and a security group policy that allows no source IP access, then the access control object is in the preset logic state when {"all-service-open security group": "True", "security group with no source IP access policy": "True"}. Here "True" indicates that the related security requirement has been met and "False" that it has not: when every detected content item in the host security group component is configured as "True", the host security group is secure, that is, the access control object is in a secure state. When any detected content item in the host security group component is configured as "False", the host security group is not secure, i.e. the access control object is not in a secure state.
S207, a safety detection result is obtained.
In the embodiment of the application, a detection result is obtained by performing security detection on each object to be detected, and the detection results of all objects to be detected are then spliced, for example summarized, to obtain the final security detection result. For each object to be detected in the at least one object to be detected, when the detection logic of every detected content item in that object is True, i.e. the protection of every detected content item in that object is opened, the detection result of the object is a secure state; otherwise, the information of the detected content items in that object whose protection is not opened is output, so that the relevant personnel can handle it conveniently.
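The per-object check of steps S202 to S206 and the splicing of step S207, as an added example that is not part of the patent's own code. The item names and the five sample configurations below are constructed to mirror the detected content items listed in the description; the cloud firewall sample deliberately leaves intrusion protection and the network honeypot unopened, matching the result described for fig. 7. The comparison is against the exact switch value "True", so a malformed or missing value is treated as protection not opened rather than silently passing.

```python
# Added example (not the patent's own code): per-object configuration check
# for steps S202-S206 and result splicing for step S207. Item names and the
# sample configurations are constructed to mirror the description.

PRESET_LOGIC_STATE = "True"   # value meaning "protection switch is on"

# Constructed sample input: one mapping (detected content item -> switch value)
# per object to be detected.
SAMPLE_CONFIGS = {
    "WAF": {
        "rule engine": "True", "AI engine": "True", "IP blocking penalty": "True",
        "access control": "True", "region blocking": "True", "CC protection": "True",
        "webpage tamper resistance": "True", "information leakage resistance": "True",
        "API security": "True",
    },
    "HIDS": {
        "core file monitoring": "True", "file scanning and killing": "True",
        "abnormal login": "True", "password cracking": "True",
        "malicious request": "True", "high-risk command": "True",
        "local privilege escalation": "True", "reverse shell": "True",
    },
    "cloud firewall": {
        "access control": "True", "intrusion protection": "False",
        "network honeypot": "False",
    },
    "COS storage": {"limit public rights": "True", "limit user rights": "True"},
    "host security group": {
        "all-service-open security group": "True",
        "security group with no source IP access policy": "True",
    },
}


def detect_object(config):
    """Return (is_safe, unopened_items) for one object to be detected.

    The object is in the preset logic state only when every detected content
    item equals PRESET_LOGIC_STATE exactly; any other value (including a
    malformed one such as "true") counts as protection not opened.
    """
    unopened = sorted(item for item, value in config.items()
                      if value != PRESET_LOGIC_STATE)
    return (len(unopened) == 0, unopened)


def splice_results(configs):
    """Step S207: run detect_object on every object and splice the results.

    Returns the overall state plus, per object, its own state and the names
    of the detected content items whose protection is not opened.
    """
    per_object = {}
    for name, config in configs.items():
        is_safe, unopened = detect_object(config)
        per_object[name] = {"safe": is_safe, "unopened": unopened}
    overall = all(r["safe"] for r in per_object.values())
    return {"safe": overall, "objects": per_object}


def format_report(result):
    """Render the spliced result as the message sent to the client (step S208)."""
    lines = ["overall: " + ("safe" if result["safe"] else "UNSAFE")]
    for name, r in result["objects"].items():
        if r["safe"]:
            lines.append(f"{name}: safe")
        else:
            lines.append(f"{name}: unsafe, not opened: {', '.join(r['unopened'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(splice_results(SAMPLE_CONFIGS)))
```

Run stand-alone, the report marks the overall result UNSAFE and names the two cloud firewall items that are not opened, which is the information the relevant personnel need to act on.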
And S208, sending the security detection result to the client.
In the embodiment of the application, the security detection result can be sent to the client through any social platform or content delivery platform. The security detection result may include a detection result of each of the at least one object to be detected. As shown in fig. 7, fig. 7 is an interface schematic diagram of a security detection result provided by the embodiment of the present application, where the detection result of the cloud firewall configuration check is unsafe, because the cloud firewall intrusion prevention is not opened, and the network honeypot service is not opened.
In the implementation of the application, security detection can be performed periodically by starting the cloud security configuration check workflow, that is, the cloud security configuration check is performed at regular intervals, and automatic security detection is achieved by triggering the workflow start switch.
In the embodiment of the application, once the automatic workflow is configured, no manual operation is needed in use: the workflow automatically and periodically performs the cloud security configuration check and sends a message to the client when an abnormality is found, which improves data processing efficiency, makes the application more convenient and reduces labor cost. Further, during construction of the workflow, the components are arranged rapidly by dragging and the logical relationship of their operation is set by connecting lines, which is much more efficient than the traditional way of writing code. By calling the cloud API automatically, reading the relevant security configuration and judging whether it is secure according to a built-in security policy (for example, determining whether the protection function of each detected content item of each object to be detected is enabled), a large number of cloud accounts can be detected in batches. Compared with the traditional manual configuration check, the efficiency of the security check is greatly improved. In addition, the application can be constructed quickly on an automatic workflow technology without building a separate flow platform, and all business flows run on the same flow service platform, which reduces the amount of code introduced, improves the efficiency of the security check and saves labor cost.
Optionally, referring to fig. 8, fig. 8 is a flow chart of a security detection workflow method according to an embodiment of the present application, where the method includes, but is not limited to, steps S301 to S317:
S301, when the trigger condition of the trigger is met, calling an API interface to acquire WAF configuration, HIDS configuration, cloud firewall configuration, COS storage configuration and host security group configuration.
In the embodiment of the application, the object to be detected comprises one or more of the WAF configuration, HIDS configuration, cloud firewall configuration, COS storage configuration and host security group configuration. A trigger, such as one or more of a time trigger and a state trigger, may be preconfigured; when the trigger condition of the trigger is satisfied, an API interface on the cloud device is called to obtain the WAF configuration, HIDS configuration, cloud firewall configuration, COS storage configuration and host security group configuration respectively, so that security detection can be performed on the obtained configurations. Optionally, the cloud device may provide multiple API interfaces, for example one API interface each for the WAF configuration, the HIDS configuration, the cloud firewall configuration, the COS storage configuration and the host security group configuration; the API interface corresponding to the WAF configuration is called to obtain the WAF configuration (the application layer protection object), and likewise the API interface corresponding to each other configuration is called to obtain that configuration.
By acquiring one or more of WAF configuration, HIDS configuration, cloud firewall configuration, COS storage configuration and host security group configuration, security detection can be performed for each acquired configuration later, for example, whether each configuration is in a preset logic state is detected, so that a state detection result corresponding to each configuration is obtained, and a final security detection result is determined based on the state detection result corresponding to each configuration.
S302, determining whether the WAF is in a preset logic state.
If the WAF is in the preset logic state, step S303 is executed to determine that the WAF is in the safe state; if the WAF is not in the preset logic state, step S304 is performed to determine that the WAF is not in the safe state.
S303, determining that the WAF is in a safe state.
If the WAF is in the preset logic state, the WAF is in the on state. Since the WAF configuration includes one or more detected content items, security detection may be performed for each detected content item in the WAF configuration to determine whether each detected content item is in a preset logic state, and if each detected content item in the WAF configuration is in the preset logic state, indicating that each detected content item in the WAF configuration is secure, the WAF configuration is determined to be secure.
S304, determining that the WAF is not in a safe state.
If the WAF is not in the preset logic state, the WAF is in the off state. Since the WAF configuration includes one or more detected content items, if any one detected content item in the WAF configuration is not in the preset logic state, that detected content item is not secure, and the WAF configuration is determined to be not secure.
In the embodiment of the application, the attack on the Web application service can be detected to intercept by starting the WAF service, namely starting each detection content item in the WAF service, so that the safety of the Web application service is ensured.
S305, determining whether the HIDS is in a preset logic state.
If the HIDS is in the preset logic state, step S306 is executed to determine that the HIDS is in the secure state; if the HIDS is not in the preset logic state, step S307 is executed to determine that the HIDS is not in the secure state.
S306, determining that the HIDS is in a safe state.
If the HIDS is in the preset logic state, it indicates that the HIDS is in the on state. Since the HIDS configuration includes one or more detected content items, security detection can be performed for each detected content item in the HIDS configuration, so as to determine whether each detected content item is in a preset logic state, and if each detected content item in the HIDS configuration is in the preset logic state, which indicates that each detected content item in the HIDS configuration is secure, the HIDS configuration is determined to be secure.
S307, determining that the HIDS is not in a safe state.
If the HIDS is not in the preset logic state, it indicates that the HIDS is in the off state. Since the HIDS configuration includes one or more detected content items, if any one detected content item in the HIDS configuration is not in the preset logic state, that detected content item is not secure, and the HIDS configuration is determined to be not secure.
In the embodiment of the application, the detected attack on the host can be resisted by starting the HIDS, namely starting each detected content item in the HIDS.
S308, determining whether the cloud firewall is in a preset logic state.
If the cloud firewall is in the preset logic state, step S309 is executed to determine that the cloud firewall is in the security state; if the cloud firewall is not in the preset logic state, step S310 is executed to determine that the cloud firewall is not in the security state.
S309, determining that the cloud firewall is in a safe state.
And if the cloud firewall is in the preset logic state, indicating that the cloud firewall is in the open state. Because the cloud firewall configuration comprises one or more detection content items, security detection can be performed for each detection content item in the cloud firewall configuration, so that whether each detection content item is in a preset logic state or not is determined, and if each detection content item in the cloud firewall configuration is in the preset logic state, which means that each detection content item in the cloud firewall configuration is safe, the cloud firewall configuration is determined to be safe.
S310, determining that the cloud firewall is not in a safe state.
If the cloud firewall is not in the preset logic state, the cloud firewall is in the closed state. Because the cloud firewall configuration comprises one or more detected content items, if any one detected content item in the cloud firewall configuration is not in the preset logic state, that detected content item is not secure, and the cloud firewall configuration is determined to be not secure.
In the embodiment of the application, by opening the cloud firewall, attack behavior at the network layer can be intercepted and thereby resisted.
S311, determining whether COS storage is in a preset logic state.
If the COS storage is in the preset logic state, step S312 is executed to determine that the COS storage is in the safe state; if the COS storage is not in the preset logic state, step S313 is executed to determine that the COS storage is not in the safe state.
S312, determining that COS storage is in a safe state.
If the COS storage is in the preset logic state, the COS storage is in an open state. Since the COS storage configuration includes one or more detected content items, security detection may be performed for each detected content item in the COS storage configuration to determine whether each detected content item is in a preset logic state, and if each detected content item in the COS storage configuration is in the preset logic state, indicating that each detected content item in the COS storage configuration is secure, the COS storage configuration is determined to be secure.
S313, determining that the COS storage is not in a safe state.
If the COS storage is not in the preset logic state, the COS storage is in the closed state. Since the COS storage configuration includes one or more detected content items, if any one detected content item in the COS storage configuration is not in the preset logic state, that detected content item is not secure, and the COS storage configuration is determined to be not secure.
In the embodiment of the application, the access authority of the COS object can be limited by starting the COS storage, so that the security of COS data can be ensured.
S314, determining whether the host security group is in a preset logic state.
If the host security group is in the preset logic state, step S315 is executed; if the host security group is not in the preset logic state, step S316 is performed.
S315, determining that the host security group is in a secure state.
If the host security group is in the preset logic state, the host security group is in the on state. Because the host security group configuration includes one or more detected content items, security detection can be performed for each detected content item in the host security group configuration, so as to determine whether each detected content item is in a preset logic state, and if each detected content item in the host security group configuration is in the preset logic state, which indicates that each detected content item in the host security group configuration is secure, the host security group configuration is determined to be secure.
S316, determining that the host security group is not in a secure state.
If the host security group is not in the preset logic state, it indicates that the host security group is in the off state. Since the host security group configuration includes one or more detected content items, if any one detected content item in the host security group configuration is not in the preset logic state, that detected content item is not secure, and the host security group configuration is determined to be not secure.
In the embodiment of the application, the access flow can be controlled by starting the host security group, namely starting each detection content item in the host security group, so as to realize network security isolation.
In the embodiment of the present application, step S302, step S305, step S308, step S311, and step S314 may be executed in parallel, or may also be executed in sequential order, or may set other execution orders according to the requirement, and execute according to the set execution order, which is not limited in the embodiment of the present application.
S317, determining a security detection result based on the state detection results of the WAF, the HIDS, the cloud firewall, the COS storage and the host security group.
The state detection result of the WAF indicates whether the WAF is in a secure state; likewise, the state detection results of the HIDS, the cloud firewall, the COS storage and the host security group each indicate whether that object is in a secure state. If the state detection results of the WAF, the HIDS, the cloud firewall, the COS storage and the host security group all indicate a secure state, the security detection result is determined to indicate that all objects to be detected are in a secure state. If any one of the state detection results of the WAF, the HIDS, the cloud firewall, the COS storage and the host security group indicates that its object is not in a secure state, the security detection result is determined to indicate that the objects to be detected are not in a secure state.
In an alternative implementation, the detection weight of each detected content item of each object to be detected may be acquired separately, and the security detection result determined in combination with the detection weights. Specifically, a first detection weight of the application layer protection object, a second detection weight of the host state monitoring object, a third detection weight of the network layer protection object, a fourth detection weight of the access rights object and a fifth detection weight of the access control object may be acquired respectively, and the security detection result is determined based on the first, second, third, fourth and fifth detection weights together with the state detection results.
The first detection weight of the application layer protection object may include the detection weight of each detection content item in the application layer protection object; the second detection weight of the host state monitoring object may include the detection weight of each detection content item in the host state monitoring object; the third detection weight of the network layer protection object may include the detection weight of each detection content item in the network layer protection object; the fourth detection weight of the access rights object may include the detection weight of each detection content item in the access rights object; and the fifth detection weight of the access control object may include the detection weight of each detection content item in the access control object. It will be appreciated that the detection weight may be determined according to the importance level of the respective detection content item in each object to be detected: the greater the impact on the cloud device when the detection content item is insecure, the higher the importance level and the higher the corresponding detection weight. For example, if an insecure detection content item 1 in the object to be detected causes the cloud device to be delayed, while an insecure detection content item 2 causes the cloud device to go down, the importance level of detection content item 1 is lower than that of detection content item 2, and the detection weight of detection content item 1 is lower than that of detection content item 2. The security detection result may include a detection score for each object to be detected.
For example, the detection score of the detected content item 1 in the application layer protection object is a1 and its detection weight is b1; the detection score of the detected content item 2 in the application layer protection object is a2 and its detection weight is b2; the detection score of the detected content item 3 in the application layer protection object is a3 and its detection weight is b3. The detection score of the detected content item 4 in the host state monitoring object is a4 and its detection weight is b4; the detection score of the detected content item 5 in the host state monitoring object is a5 and its detection weight is b5. The detection score of the detected content item 6 in the network layer protection object is a6 and its detection weight is b6; the detection score of the detected content item 7 in the network layer protection object is a7 and its detection weight is b7. The detection score of the detected content item 8 in the access rights object is a8 and its detection weight is b8; the detection score of the detected content item 9 in the access rights object is a9 and its detection weight is b9. The detection score of the detected content item 10 in the access control object is a10 and its detection weight is b10; the detection score of the detected content item 11 in the access control object is a11 and its detection weight is b11.
The detection result of the application layer protection object is a1×b1+a2×b2+a3×b3; the detection result of the host state monitoring object is a4×b4+a5×b5; the detection result of the network layer protection object is a6×b6+a7×b7; the detection result of the access rights object is a8×b8+a9×b9; the detection result of the access control object is a10×b10+a11×b11. The security detection result may thus include [application layer protection object a1×b1+a2×b2+a3×b3; host state monitoring object a4×b4+a5×b5; network layer protection object a6×b6+a7×b7; access rights object a8×b8+a9×b9; access control object a10×b10+a11×b11].
Optionally, it may further be determined whether the security detection result contains an abnormal detection object whose security score (the weighted detection score above) is greater than a score threshold. If such an abnormal detection object exists, the output security detection result includes the abnormal detection object and the detection result corresponding to it; if no abnormal detection object with a security score greater than the score threshold exists, the output security detection result is "secure". The security detection result is thus output in a targeted manner, which saves resources and makes the result easier to review.
In the embodiment of the application, when the security detection result is determined, the detection weight of each detection content item in each object to be detected is taken into account: the final detection score of each object to be detected is determined by combining the detection weights of its detection content items, and the final security detection result is determined from those scores. This can improve the accuracy of security detection. In addition, for detection content items with a low importance level, detection may be skipped even if an abnormality exists (for example, the item is not in the on state), or the number of detections reduced, so that resources can be saved.
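The following is an added example, not code from the patent or from Tencent, showing the two fusion rules described above: the per-object "secure only if every detected content item is in its preset logic state" rule of steps S315 to S317, and the weighted per-object detection score with a score threshold used for targeted output. The object and item names, the weights, the 0/1 per-item detection score (0 when the item is in its preset logic state, 1 when it is not) and the threshold are constructed assumptions for illustration.

```python
"""Fuse per-item detection states into per-object results and weighted scores.

Added example, not code from the patent or from Tencent. The object and
item names, the weights, the 0/1 per-item detection score (0 when the item
is in its preset logic state, 1 when it is not) and the score threshold are
constructed assumptions made for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class ContentItem(NamedTuple):
    obj: str       # object to be detected (WAF, HIDS, firewall, COS, security group)
    name: str      # detected content item within that object
    enabled: bool  # True when the item is in its preset logic state ("on")
    weight: float  # detection weight b_i derived from the item's importance level


# Constructed sample configuration snapshot covering the five objects.
SAMPLE_ITEMS: List[ContentItem] = [
    ContentItem("application layer protection object", "WAF: web protection switch", True, 3.0),
    ContentItem("application layer protection object", "WAF: CC protection switch", True, 2.0),
    ContentItem("application layer protection object", "WAF: bot management switch", False, 1.0),
    ContentItem("host state monitoring object", "HIDS: agent online", True, 5.0),
    ContentItem("host state monitoring object", "HIDS: brute-force detection", True, 2.0),
    ContentItem("network layer protection object", "cloud firewall: internet boundary switch", False, 5.0),
    ContentItem("network layer protection object", "cloud firewall: IPS switch", True, 3.0),
    ContentItem("access rights object", "COS: bucket ACL is private", True, 5.0),
    ContentItem("access rights object", "COS: server-side encryption", True, 2.0),
    ContentItem("access control object", "security group: default deny inbound", True, 4.0),
    ContentItem("access control object", "security group: no 0.0.0.0/0 on port 22", False, 4.0),
]


def item_score(item: ContentItem) -> int:
    """Per-item detection score a_i (assumed): 0 in preset logic state, 1 otherwise."""
    return 0 if item.enabled else 1


def object_states(items: List[ContentItem]) -> Dict[str, bool]:
    """S315/S316 rule: an object is secure only if every one of its items is in its preset state."""
    state: Dict[str, bool] = defaultdict(lambda: True)
    for it in items:
        state[it.obj] = state[it.obj] and it.enabled
    return dict(state)


def overall_secure(items: List[ContentItem]) -> bool:
    """S317 without weights: the whole set is secure only if every object is secure."""
    return all(object_states(items).values())


def weighted_scores(items: List[ContentItem]) -> Dict[str, float]:
    """Weighted detection score per object: sum of a_i * b_i over that object's items."""
    scores: Dict[str, float] = defaultdict(float)
    for it in items:
        scores[it.obj] += item_score(it) * it.weight
    return dict(scores)


def abnormal_objects(items: List[ContentItem], threshold: float) -> Dict[str, dict]:
    """Targeted output: objects whose weighted score exceeds the threshold, with their failing items."""
    report: Dict[str, dict] = {}
    for obj, score in weighted_scores(items).items():
        if score > threshold:
            report[obj] = {
                "score": score,
                "failed_items": [it.name for it in items if it.obj == obj and not it.enabled],
            }
    return report


if __name__ == "__main__":
    print("all secure:", overall_secure(SAMPLE_ITEMS))
    for obj, detail in abnormal_objects(SAMPLE_ITEMS, threshold=2.0).items():
        print(f"{obj}: score={detail['score']}, failed={detail['failed_items']}")
```

With the constructed sample, the boolean rule reports the whole set as not secure because three objects each have one item off, while the weighted rule with a threshold of 2.0 surfaces only the network layer protection object and the access control object, which is the targeted output the text describes; the low-weight WAF bot management switch stays below the threshold.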
The method of the embodiment of the application is described above, and the device of the embodiment of the application is described below.
Referring to fig. 9, fig. 9 is a schematic diagram of a composition structure of a security detection device based on cloud security configuration according to an embodiment of the present application, where the security detection device based on cloud security configuration may be deployed on a cloud device; the security detection device based on the cloud security configuration can be used for executing corresponding steps in the security detection method based on the cloud security configuration. The security detection device 90 based on the cloud security configuration includes:
the feature acquisition unit 901 is used for acquiring configuration risk features in a target cloud security configuration scene;
an object determining unit 902, configured to determine at least one object to be detected using the configuration risk features, and to obtain detection logic for performing security detection on the at least one object to be detected; the detection logic is configured to indicate at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected;
a condition acquisition unit 903 configured to acquire a detection condition for performing security detection on the at least one object to be detected; the detection condition is used for indicating whether to trigger the safety detection of the at least one object to be detected;
and a data detection unit 904, configured to perform, when the detection condition is met, security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, where the security detection result is used to indicate whether the object to be detected is in a secure state.
Optionally, the security detection device 90 based on the cloud security configuration further includes: a component screening unit 905 for:
acquiring configuration demand characteristics of the target cloud under the security configuration scene, wherein the configuration demand characteristics are used for indicating security detection demands of the target cloud under the security configuration scene;
screening at least one security component matched with the configuration requirement features from a component database, and constructing a target security application using the screened security component(s); the component database stores pre-packaged security components with different functional logic;
and calling the target security application and performing security detection on the at least one object to be detected according to the detection logic.
Optionally, the security detection device 90 based on the cloud security configuration further includes: an application updating unit 906 for:
when a scene switching instruction is received, acquiring the switching requirement features indicated by the scene switching instruction, where the switching requirement features indicate the security detection requirements of a change to the target cloud security configuration scene, the change including at least one of an addition and a modification;
screening a security component matched with the switching requirement features from the component database, and adjusting the security components in the target security application based on the matched security component to obtain an updated target security application;
and performing security detection using the updated target security application.
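The component screening, target-application construction and scene-switch update performed by units 905 and 906 above, as an added example that is not the patent's or Tencent's code. The component database, the requirement feature names, the check bodies and the configuration snapshot are constructed assumptions; each component is modelled as a named check over a configuration snapshot, and a target security application is the set of components selected for the required features.

```python
"""Screen pre-packaged security components and build / update a target security application.

Added example, not code from the patent or from Tencent. The component
database, the requirement feature names, the check bodies and the
configuration snapshot are constructed assumptions made for illustration.
"""
from typing import Callable, Dict, FrozenSet, Iterable, List, NamedTuple

Config = Dict[str, dict]


class SecurityComponent(NamedTuple):
    name: str
    provides: FrozenSet[str]         # requirement features this component satisfies
    check: Callable[[Config], bool]  # True when the inspected configuration is in a secure state


# Constructed component database of pre-packaged components with different functional logic.
COMPONENT_DB: List[SecurityComponent] = [
    SecurityComponent("waf_switch_check", frozenset({"app_layer_protection"}),
                      lambda cfg: cfg.get("waf", {}).get("enabled") is True),
    SecurityComponent("hids_agent_check", frozenset({"host_state_monitoring"}),
                      lambda cfg: cfg.get("hids", {}).get("agent_online") is True),
    SecurityComponent("cloud_firewall_check", frozenset({"network_layer_protection"}),
                      lambda cfg: cfg.get("cloud_firewall", {}).get("enabled") is True),
    SecurityComponent("cos_acl_check", frozenset({"access_rights"}),
                      lambda cfg: cfg.get("cos", {}).get("acl") == "private"),
    SecurityComponent("security_group_check", frozenset({"access_control"}),
                      lambda cfg: "0.0.0.0/0" not in cfg.get("security_group", {}).get("inbound", [])),
]


def select_component(feature: str, db: Iterable[SecurityComponent]) -> SecurityComponent:
    """Screen the database for the first component whose functional logic covers the feature."""
    for c in db:
        if feature in c.provides:
            return c
    raise LookupError(f"no pre-packaged security component provides {feature!r}")


def build_target_application(requirements: Iterable[str], db) -> Dict[str, SecurityComponent]:
    """Target security application: one matched component per requirement feature, keyed by feature."""
    return {f: select_component(f, db) for f in requirements}


def update_target_application(app, switch_requirements: Iterable[str], db) -> Dict[str, SecurityComponent]:
    """Scene switch: a new feature adds a component; an existing feature has its component re-selected."""
    updated = dict(app)
    for f in switch_requirements:
        updated[f] = select_component(f, db)
    return updated


def run_target_application(app, cfg: Config) -> Dict[str, bool]:
    """Invoke every component of the application against the configuration snapshot."""
    return {f: c.check(cfg) for f, c in app.items()}


# Constructed configuration snapshot: WAF and HIDS are on, but a security group allows 0.0.0.0/0 inbound.
SAMPLE_CONFIG: Config = {
    "waf": {"enabled": True},
    "hids": {"agent_online": True},
    "security_group": {"inbound": ["10.0.0.0/8", "0.0.0.0/0"]},
}

if __name__ == "__main__":
    app = build_target_application(["app_layer_protection", "host_state_monitoring"], COMPONENT_DB)
    app = update_target_application(app, ["access_control"], COMPONENT_DB)  # scene switch adds a feature
    for feature, secure in run_target_application(app, SAMPLE_CONFIG).items():
        print(f"{feature}: {'secure' if secure else 'NOT secure'}")
```

A requirement feature with no matching component raises rather than silently producing an application that does not cover the scene, which is the failure a practitioner most wants to notice when a new scene is introduced.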
Optionally, the security detection device 90 based on the cloud security configuration further includes: a component configuration unit 907 for:
outputting a security configuration interface, wherein the security configuration interface comprises a canvas area and a component area, and the component area comprises a plurality of pre-packaged security components with different functional logics;
detecting an operation on at least one security component in the canvas area, the operation comprising at least one of a drag operation on the security component and a connect operation between different security components;
a target security application is obtained based on the operation of the at least one security component.
Optionally, the detection condition includes a time trigger condition and a state trigger condition; the data detection unit 904 is further configured to:
acquiring a first detection abnormality frequency of security detection based on the time trigger condition, and a second detection abnormality frequency of security detection based on the state trigger condition;
if the first detection abnormality frequency is higher than the second detection abnormality frequency, determining the detection condition as the time trigger condition;
if the first detection abnormality frequency is lower than the second detection abnormality frequency, determining the detection condition as the state trigger condition.
Optionally, the detection condition includes a time trigger condition of each object to be detected; the data detection unit 904 is specifically configured to:
acquiring a detection frequency of each object to be detected, where the detection frequency is determined according to at least one of an abnormality record table of each object to be detected and an importance level of each object to be detected;
updating the time trigger condition of each object to be detected based on its detection frequency;
and performing security detection on each object to be detected based on its updated time trigger condition.
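The two adaptive steps just described (choosing between the time trigger condition and the state trigger condition from their historical detection abnormality frequencies, and deriving each object's detection frequency from its abnormality record table and importance level), as an added example that is not the patent's or Tencent's code. The run history standing in for the abnormality record table, the importance levels, the base interval and the interval formula are constructed assumptions; the text gives no formula, only the two inputs.

```python
"""Choose the trigger condition and tune per-object detection frequency.

Added example, not code from the patent or from Tencent. The run history
(standing in for the "abnormality record table"), the importance levels,
the base interval and the interval formula are constructed assumptions.
"""
from typing import Dict, Iterable, List, NamedTuple


class DetectionRun(NamedTuple):
    obj: str        # object to be detected
    trigger: str    # "time" (periodic) or "state" (fired by a configuration change event)
    abnormal: bool  # the run found the object not in a secure state


# Constructed abnormality record table.
RUN_LOG: List[DetectionRun] = [
    DetectionRun("WAF", "time", False),
    DetectionRun("WAF", "time", True),
    DetectionRun("WAF", "state", False),
    DetectionRun("cloud firewall", "time", False),
    DetectionRun("cloud firewall", "state", True),
    DetectionRun("cloud firewall", "state", True),
    DetectionRun("COS storage", "time", False),
    DetectionRun("COS storage", "time", False),
    DetectionRun("COS storage", "state", False),
    DetectionRun("host security group", "time", True),
    DetectionRun("host security group", "state", True),
]

BASE_INTERVAL_MIN = 60  # assumed base detection interval for a level-1 (most important) object
MIN_INTERVAL_MIN = 5    # assumed floor so a noisy object cannot be polled continuously
# Assumed importance levels: 1 = most important.
IMPORTANCE: Dict[str, int] = {"WAF": 3, "cloud firewall": 3, "COS storage": 2, "host security group": 1}


def abnormal_frequency(runs: Iterable[DetectionRun], trigger: str) -> float:
    """Share of runs under the given trigger that reported an abnormality (0.0 when none ran)."""
    sel = [r for r in runs if r.trigger == trigger]
    if not sel:
        return 0.0
    return sum(1 for r in sel if r.abnormal) / len(sel)


def choose_trigger(runs: Iterable[DetectionRun]) -> str:
    """Keep the trigger condition whose runs caught anomalies more often.
    The text only covers 'higher' and 'lower'; on a tie this keeps the time trigger (assumption)."""
    runs = list(runs)
    first = abnormal_frequency(runs, "time")
    second = abnormal_frequency(runs, "state")
    if first > second:
        return "time"
    if first < second:
        return "state"
    return "time"


def abnormal_counts(runs: Iterable[DetectionRun]) -> Dict[str, int]:
    """Number of recorded abnormalities per object."""
    counts: Dict[str, int] = {}
    for r in runs:
        counts[r.obj] = counts.get(r.obj, 0) + (1 if r.abnormal else 0)
    return counts


def detection_interval_minutes(obj: str, runs: List[DetectionRun], importance: Dict[str, int]) -> int:
    """Assumed formula: base interval scaled by importance level, halved per recorded abnormality."""
    n = abnormal_counts(runs).get(obj, 0)
    level = importance.get(obj, 3)  # unknown objects get the least important level (assumption)
    return max(MIN_INTERVAL_MIN, int(BASE_INTERVAL_MIN * level / (2 ** n)))


def update_time_triggers(objs: Iterable[str], runs: Iterable[DetectionRun], importance: Dict[str, int]) -> Dict[str, int]:
    """Rebuild each object's time trigger condition (interval in minutes) from its history."""
    runs = list(runs)
    return {o: detection_interval_minutes(o, runs, importance) for o in objs}


def time_condition_met(obj: str, minutes_since_last_run: int, intervals: Dict[str, int]) -> bool:
    """The time trigger condition of an object is met once its interval has elapsed."""
    return minutes_since_last_run >= intervals[obj]


if __name__ == "__main__":
    print("trigger condition:", choose_trigger(RUN_LOG))
    print("time trigger intervals (min):", update_time_triggers(IMPORTANCE, RUN_LOG, IMPORTANCE))
```

On the constructed history the state trigger caught abnormalities in 3 of 5 runs against 2 of 6 for the time trigger, so the state trigger is selected; the host security group, both important and repeatedly abnormal, ends up polled every 15 minutes while the untroubled COS storage is polled every 120 minutes.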
Optionally, the at least one object to be detected includes an application layer protection object, a network layer protection object, a host state monitoring object, an access rights object, and an access control object, and the detection logic includes a detection sequence of the at least one object to be detected and a detection content item of each object to be detected; the data detection unit 904 is specifically configured to:
performing security detection on the at least one object to be detected according to the detection sequence of the at least one object to be detected and the detection content item of each object to be detected to respectively obtain detection results of the application layer protection object, the network layer protection object, the host state monitoring object, the access right object and the access control object;
And fusing detection results of the application layer protection object, the network layer protection object, the host state monitoring object, the access right object and the access control object to obtain the security detection result.
It should be noted that, for content not mentioned in the embodiment corresponding to fig. 9, reference may be made to the description of the method embodiment, which is not repeated here.
In the embodiment of the application, the configuration risk features of the target cloud in the security configuration scene are acquired, so that at least one object to be detected can be determined from the configuration risk features; the detection logic for performing security detection on the at least one object to be detected is acquired, and the detection condition for performing security detection on the at least one object to be detected is acquired, so that when the detection condition is met the at least one object to be detected can be subjected to security detection according to the detection logic to obtain a security detection result, from which it is determined whether the object to be detected is in a secure state. Once the object to be detected in the target cloud security configuration scene has been obtained and the detection condition is met, the security detection flow for that object is triggered without manual intervention, which improves detection efficiency and saves detection cost.
Referring to fig. 10, fig. 10 is a schematic diagram of a composition structure of a computer device according to an embodiment of the present application. As shown in fig. 10, the above-mentioned computer device may include: a processor 1001 and a memory 1002. Optionally, the computer device may further include a network interface or a power module. Data may be exchanged between the processor 1001 and the memory 1002.
The processor 1001 may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The network interface may include input devices, such as a control panel, microphone, receiver, etc., and/or output devices, such as a display screen, transmitter, etc., which are not shown.
The memory 1002 may include read-only memory and random access memory, and provides program instructions and data to the processor 1001. A portion of the memory 1002 may also include non-volatile random access memory. The processor 1001 is configured, when invoking the program instructions, to perform:
acquiring configuration risk characteristics in a target cloud security configuration scene;
determining at least one object to be detected using the configuration risk characteristics, and acquiring detection logic for performing security detection on the at least one object to be detected; the detection logic is configured to indicate at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected;
acquiring a detection condition for performing security detection on the at least one object to be detected; the detection condition is used for indicating whether to trigger the security detection of the at least one object to be detected;
and, when the detection condition is met, performing security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, where the security detection result is used for indicating whether the object to be detected is in a secure state.
Optionally, the program instructions may further implement other steps of the method in the above embodiment when executed by the processor, which is not described herein.
The embodiments of the present application also provide a computer readable storage medium storing a computer program comprising program instructions which, when executed by a computer, cause the computer to perform a method as in the previous embodiments, the computer being part of a computer device as mentioned above. As an example, the program instructions may be executed on one computer device or on multiple computer devices located at one site, or alternatively, on multiple computer devices distributed across multiple sites and interconnected by a communication network, which may constitute a blockchain network.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, may include processes of the embodiments of the methods as described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random-access Memory (Random Access Memory, RAM), or the like.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (11)

1. A security detection method based on cloud security configuration, the method comprising:
acquiring configuration risk characteristics in a target cloud security configuration scene;
determining at least one object to be detected using the configuration risk characteristics, and acquiring detection logic for performing security detection on the at least one object to be detected; the detection logic is configured to indicate at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected;
acquiring a detection condition for performing security detection on the at least one object to be detected; the detection condition is used for indicating whether to trigger the security detection of the at least one object to be detected;
and, when the detection condition is met, performing security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, where the security detection result is used for indicating whether the object to be detected is in a secure state.
2. The method according to claim 1, wherein the method further comprises:
acquiring configuration requirement characteristics of the target cloud in a security configuration scene, wherein the configuration requirement characteristics are used for indicating security detection requirements of the target cloud in the security configuration scene;
screening at least one security component matched with the configuration requirement characteristics from a component database, and constructing a target security application by utilizing the screened at least one security component; the component database stores security components which are packaged in advance and have different functional logics;
the security detection of the at least one object to be detected according to the detection logic includes:
And calling the target security application and performing security detection on the at least one object to be detected according to the detection logic.
3. The method according to claim 2, wherein the method further comprises:
when a scene switching instruction is received, acquiring switching requirement characteristics indicated by the scene switching instruction, wherein the switching requirement characteristics are used for indicating the safety detection requirement of scene change of the target cloud safety configuration, and the change comprises at least one of new addition and modification;
screening the safety components matched with the switching requirement characteristics from the component database, and adjusting the safety components in the target safety application based on the safety components matched with the switching requirement characteristics to obtain updated target safety application;
and carrying out security detection by using the updated target security application.
4. The method according to claim 1, wherein the method further comprises:
outputting a security configuration interface, wherein the security configuration interface comprises a canvas area and a component area, and the component area comprises a plurality of pre-packaged security components with different functional logics;
detecting an operation on at least one security component in the canvas area, the operation comprising at least one of a drag operation on a security component and a connect operation between different security components;
A target security application is obtained based on the operation of the at least one security component.
5. The method according to claim 1, wherein the method further comprises:
acquiring a first detection abnormality frequency of security detection based on a time trigger condition, and acquiring a second detection abnormality frequency of security detection based on a state trigger condition;
if the first detection abnormality frequency is higher than the second detection abnormality frequency, determining that the detection condition is the time trigger condition;
and if the first detection abnormality frequency is lower than the second detection abnormality frequency, determining that the detection condition is the state trigger condition.
6. The method of claim 5, wherein the detection condition includes a time trigger condition for each object to be detected; the method further comprises:
acquiring a detection frequency of each object to be detected, wherein the detection frequency is determined according to at least one of an abnormality record table of each object to be detected and an importance level of each object to be detected;
updating the time trigger condition of each object to be detected based on the detection frequency of each object to be detected;
and performing security detection on each object to be detected based on the updated time trigger condition of each object to be detected.
7. The method of any of claims 1-6, wherein the at least one object to be detected comprises an application layer guard object, a network layer guard object, a host status monitor object, an access rights object, an access control object, the detection logic comprising a detection order for the at least one object to be detected and a detection content item for each object to be detected;
the step of performing security detection on the at least one object to be detected according to the detection logic to obtain a security detection result includes:
performing security detection on the at least one object to be detected according to the detection sequence of the at least one object to be detected and the detection content item of each object to be detected to respectively obtain detection results of the application layer protection object, the network layer protection object, the host state monitoring object, the access right object and the access control object;
and fusing detection results of the application layer protection object, the network layer protection object, the host state monitoring object, the access right object and the access control object to obtain the security detection result.
8. A security detection device based on cloud security configuration, the device comprising:
the feature acquisition unit is used for acquiring configuration risk features in the target cloud security configuration scene;
an object determining unit, configured to determine at least one object to be detected using the configuration risk characteristics and to acquire detection logic for performing security detection on the at least one object to be detected; the detection logic is configured to indicate at least one of a detection order of the at least one object to be detected and a detection content item of the object to be detected;
a condition acquisition unit, configured to acquire a detection condition for performing security detection on the at least one object to be detected; the detection condition is used for indicating whether to trigger the security detection of the at least one object to be detected;
and a data detection unit, configured to perform, when the detection condition is met, security detection on the at least one object to be detected according to the detection logic to obtain a security detection result, wherein the security detection result is used for indicating whether the object to be detected is in a secure state.
9. A computer device comprising a processor, a memory, wherein the memory is for storing a computer program, the computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the method of any of claims 1-7.
11. A computer program product comprising computer instructions which, when executed by a processor, implement the method of any of claims 1-7.
CN202211411416.3A 2022-11-11 2022-11-11 Security detection method, device, equipment and storage medium based on cloud security configuration Pending CN116980157A (en)

Publication Number Publication Date
CN116980157A 2023-10-31

Family ID=88480313

Country Status: CN (1) CN116980157A (en)


Legal Events

Date Code Title Description
PB01 Publication