CN118157922A - Host security depth defense method and device - Google Patents

Host security depth defense method and device

Publication number: CN118157922A
Application number: CN202410228896.2A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 刘言冬, 付颖
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Qinghai Upper Yellow River Hydropower Development Co Ltd Laxiwa Power Generation Branch; Qinghai Huanghe Hydropower Development Co Ltd; Huanghe Hydropower Development Co Ltd
Original assignee: Qinghai Upper Yellow River Hydropower Development Co Ltd Laxiwa Power Generation Branch; Qinghai Huanghe Hydropower Development Co Ltd; Huanghe Hydropower Development Co Ltd
Prior art keywords: host, security, monitoring, network, data

Abstract

The disclosure relates to the technical field of network security, and in particular to a host security deep defense (defense-in-depth) method and device. The method performs security monitoring on the host based on endpoint detection; adopts whitelists to separately monitor network traffic, host processes and host folders; performs intrusion data analysis and network data flow monitoring on deployed virtualized hosts; monitors malicious attack behaviour against website applications; and issues an early warning when an illegal intrusion and/or a risk is detected. The disclosure is built on the deep defense concepts of prediction, detection, collaboration, defense, response and traceability, and applies a multi-dimensional security overlay across the OSI seven-layer model. When one security measure fails, the next takes effect immediately; the network security posture strengthens as the defense chain lengthens, and host reliability is markedly improved.

Description

Host security depth defense method and device
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a host security deep defense method and device.
Background
Enterprises are a driver of economic and social development, and their normal operation depends on information resources, including important systems and data such as operational planning, production support, intellectual property and office automation (OA). The rise of the information industry brings unlimited development space and opportunity to society, but at the same time exposes enterprise security to unprecedented challenges: in obtaining abundant shared resources in an open, interconnected network environment, enterprises introduce more and more security threats. The number of enterprise network security incidents grows year by year, attack modes are increasingly diversified, and attack techniques are increasingly covert. Network security is the foundation on which an information system provides services normally; without network security there is no informatization.
The server host is the direct carrier of the information system and the core of network security defense. To meet the need for rapid deployment of information systems, enterprises deploy server host applications in public cloud, private cloud or hybrid cloud mode, and the rapid spread of cloud computing also brings network security problems that differ from the traditional ones, most visibly at the server host.
In the prior art, server host boundaries have become blurred: the traditional network architecture has a clear distinction of north-south traffic, whereas under the cloud server host architecture the network structure becomes "north-south + east-west" traffic; a firewall at the traditional network boundary cannot cover the network boundary of a virtualized environment; under a public cloud multi-tenant environment, resources cannot be effectively isolated and protected; and new attack techniques targeting cloud servers, such as virtual machine escape, further leave host security insufficient;
System and application risk increases: the applications of different tenants grow continuously, application configuration risk grows with them, and web middleware, databases, development frameworks and the like are all in scope; security threats come from network Trojans, malicious programs, hacking, database injection, DDoS attacks, system vulnerabilities and so on, so how to dynamically deploy a security scheme to cope with growing application risk is also a necessary consideration in enterprise network security work;
Security log data analysis grows: with the deployment of large-scale clustered virtualization systems, the running state of servers changes constantly and the volume of server security log data explodes; massive operational and security data cannot be effectively analysed, security events cannot be comprehensively understood and responded to in time, the difficulty of network security operation and maintenance rises, and the accuracy of security event handling falls.
Disclosure of Invention
In view of the above, the present disclosure provides a host security deep defense method and device.
A host security depth defense method, the method comprising:
performing security monitoring on the host based on endpoint detection;
adopting a whitelist to separately monitor network traffic, host processes and host folders;
performing intrusion data analysis and network data flow monitoring on the deployed virtualized host;
monitoring malicious attack behaviour against website applications;
and issuing an early warning when an illegal intrusion and/or a risk is detected.
Further, security monitoring of the host based on endpoint detection includes:
acquiring data and information from the host terminal, acquiring threat intelligence, and performing big data analysis, which specifically comprises the following steps:
collecting the security data on the host, performing unified classification and encryption, and transmitting the security data to a big data analysis module;
acquiring position threats based on cloud data processing, and importing the threat intelligence into the big data analysis module;
and analysing the security data set acquired from the host endpoint against the threat intelligence big data of the position threats, and identifying threat events.
Further, the adoption of the white list to respectively carry out security monitoring on the network traffic, the host process and the host folder comprises the following steps:
detecting network traffic from endpoint to endpoint, and configuring an access policy in each information system by pushing a traffic whitelist in IP + port form;
monitoring the processes of the host application system, and raising an alarm when an abnormal new process appears;
and monitoring file integrity, monitoring behaviours that affect file integrity, including deleting, modifying and/or adding files, measuring the hot-spot areas of system data reads and writes, and closing file-upload permission on idle file systems.
Further, performing intrusion data analysis and network data flow monitoring on the deployed virtualized host includes:
analysing and defending against network intrusion data, and intercepting a hacker's malicious scanning, brute-force cracking and/or network vulnerability exploitation and other network-layer attacks;
and monitoring network data flows, directly discovering anomalous traffic between virtual machines.
Further, the malicious attack behavior monitoring for the website application includes:
monitoring malicious attack behaviours, and intercepting website vulnerability exploitation, web backdoor attacks and/or credential stuffing (library collision) attacks and other malicious attack behaviours initiated by hackers against website applications, while an embedded engine actively identifies and intercepts webshells.
Further, the method further comprises the following steps:
performing virus scanning and removal on the host, comprising binary virus removal, WebShell backdoor removal and active interception.
Further, the method further comprises the following steps:
performing security hardening and configuration on the host system, comprising updating system vulnerability patches, updating application risk configuration, discovering and deleting system risk accounts, discovering system weak passwords, discovering database weak passwords, updating process permissions and/or updating directory permissions.
A host security deep defense device comprises a host monitoring unit, a whitelist monitoring unit, a virtualized host monitoring unit, an application monitoring unit and an early warning unit;
the host monitoring unit is used for carrying out security monitoring on the host based on endpoint detection;
the white list monitoring unit is used for adopting a white list to respectively carry out security monitoring on network traffic, a host process and a host folder;
The virtualized host monitoring unit is used for carrying out intrusion data analysis and network data flow monitoring on the deployed virtualized hosts;
the application monitoring unit is used for monitoring malicious attack behaviors of the website application;
and the early warning unit is used for sending out early warning when illegal invasion and/or risk are detected.
An electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
a memory storing a computer program;
And the processor is used for realizing the host security deep defense method when executing the computer program stored in the memory.
A computer readable storage medium storing a computer program which when executed by a processor implements a host security depth defense method as described above.
The present disclosure has at least the following beneficial effects:
The present disclosure is built on the deep defense concepts of prediction, detection, collaboration, defense, response and traceability, and applies a multi-dimensional security overlay across the OSI seven-layer model. When one security measure fails, the next takes effect immediately; the network security posture strengthens as the defense chain lengthens, and host reliability is markedly improved.
Deep defense can automatically block network anomalies at each node of the defense ring, so the volume of suspicious network security logs is reduced. From the perspective of a network security operations manager, the security situation becomes progressively clearer and more orderly, the time and energy that operations staff spend on network security can be reduced appropriately, and network security operation and maintenance costs are saved in the long term.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, a brief description will be given below of the drawings required for the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a defense method according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a defense device according to an embodiment of the disclosure;
Fig. 3 is a schematic structural diagram of an electronic device.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
The OSI model, the Open Systems Interconnection reference model, is a standard framework proposed by the International Organization for Standardization (ISO) to interconnect diverse computers into a worldwide network. It divides the network into seven layers: the application, presentation, session, transport, network, data link and physical layers, each performing a defined function. Layers one to three are the lower three layers of the OSI reference model and are responsible for establishing the links for network communication; layers four to seven are the upper four layers and are responsible for end-to-end data communication. Each layer directly serves the layer above it and all layers support one another, while network communication proceeds from top to bottom (at the sender) or from bottom to top (at the receiver). The OSI model is truly a reference model that provides a high degree of decoupling for all information asset communications: each layer encapsulates or decapsulates data packets following established rules, and data exchange is then completed.
The present disclosure provides a host security deep defense mechanism, which forms a multi-layer, three-dimensional and omnibearing defense system to defend external attack by multiple "fortification" to the OSI seven-layer model, thereby guaranteeing the overall security of itself.
As shown in fig. 1, a host security deep defense method, the method includes:
S101, performing security monitoring on a host based on endpoint detection;
S102, adopting a whitelist to separately monitor network traffic, host processes and host folders;
S103, performing intrusion data analysis and network data flow monitoring on the deployed virtualized host;
S104, monitoring malicious attack behaviour against website applications;
S105, issuing an early warning when an illegal intrusion and/or a risk is detected.
In a specific implementation, the steps may be performed in sequence, or one of them may be omitted according to the actual situation. Host security operations can be organised around a deep defense mindset: a complete and effective hacking attack necessarily follows the protocols of the OSI seven-layer model, and along that long attack chain a network security operator can set a defense strategy at every model layer, realising a host security deep defense system across the network boundary, the network layer, the server side and the database layer. The deep defense system is an improvement on the boundary defense system; it emphasises that no defense system is universal and there is always some probability that an attacker breaks through a given measure, so its essence is multi-layer defense. It is like building several rings of defenses around a castle: the castle is divided into an outer city and an inner city, and the critical facilities inside the inner city are given further dedicated protection, so an attacker can only reach the core data assets by breaking through many layers, which greatly raises the cost of attack. The deep defense concept has long proven successful because attacks are costly too, and many attackers cannot sustain an attack for long and must look elsewhere.
In one embodiment, security monitoring of a host based on endpoint detection includes:
acquiring data and information from the host terminal, acquiring threat intelligence, and performing big data analysis, which specifically comprises the following steps:
collecting the security data on the host, performing unified classification and encryption, and transmitting the security data to a big data analysis module;
acquiring position threats based on cloud data processing, and importing the threat intelligence into the big data analysis module;
and analysing the security data set acquired from the host endpoint against the threat intelligence big data of the position threats, and identifying threat events.
In the specific implementation, the running state of the host equipment is monitored, analysed and displayed with a focus on the whole attack chain of the hacker, so that intrusion behaviours of all kinds are found and measures such as analysis, blocking and countermeasures are taken accordingly.
Host data acquisition: security data on the host is gathered through the agent installed on the host endpoint to the data acquisition module, uniformly classified and encrypted, and transmitted to the big data analysis module;
Threat intelligence acquisition: position threats are acquired through mass cloud data processing, and the threat intelligence is imported into the system's big data analysis module;
Big data analysis: the security data set acquired from the host endpoint is analysed against the threat intelligence big data, and threat events are accurately identified;
Alarm and response: alarm notification and response handling are carried out for the threat events that are raised.
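The endpoint pipeline above (collect, classify uniformly, match against threat intelligence, raise a threat event) in Python, as an added illustration that is not code from the patent or from any product of the assignees. The event field names, the severity table, the indicator feed and the sample events are all constructed for this example; the 64-character hash is a placeholder, not a real indicator.

```python
"""Added example: a minimal endpoint-data analysis pipeline.
Records from a host agent are given a unified category, matched against a
threat-intelligence indicator set, and turned into threat events for alerting.
All values below are constructed sample data (assumption, not from the patent).
"""
from collections import Counter

# Constructed threat-intelligence feed keyed by indicator type.
# "f" * 64 is a placeholder SHA-256 value, not a real indicator.
THREAT_INTEL = {
    "sha256": {"f" * 64},
    "ip": {"203.0.113.50"},
    "domain": {"bad.example"},
}

# Assumed severity per unified category (an example policy, not the patent's).
SEVERITY = {"process": "high", "file": "high", "network": "medium"}


def classify(event: dict) -> str:
    """Unified classification of a raw agent record by the fields it carries."""
    if "sha256" in event:
        return "file" if event.get("kind") == "file" else "process"
    if "dst_ip" in event or "domain" in event:
        return "network"
    return "other"


def match_indicators(event: dict) -> list:
    """Return (indicator_type, value) pairs from the event that hit the feed."""
    hits = []
    if event.get("sha256") in THREAT_INTEL["sha256"]:
        hits.append(("sha256", event["sha256"]))
    if event.get("dst_ip") in THREAT_INTEL["ip"]:
        hits.append(("ip", event["dst_ip"]))
    if event.get("domain") in THREAT_INTEL["domain"]:
        hits.append(("domain", event["domain"]))
    return hits


def analyze(events: list) -> list:
    """Big-data-analysis step in miniature: one threat event per record
    that matches at least one indicator, carrying host, category and severity."""
    threats = []
    for ev in events:
        hits = match_indicators(ev)
        if not hits:
            continue
        cat = classify(ev)
        threats.append({
            "host": ev["host"],
            "category": cat,
            "severity": SEVERITY.get(cat, "low"),
            "hits": hits,
        })
    return threats


def summary(threats: list) -> Counter:
    """Count threat events per category, the figure an alert dashboard would show."""
    return Counter(t["category"] for t in threats)


# Constructed sample records as an agent might report them (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web-01", "kind": "process", "name": "nginx", "sha256": "1" * 64},
    {"host": "web-01", "kind": "process", "name": "update.exe", "sha256": "f" * 64},
    {"host": "db-01", "kind": "network", "dst_ip": "203.0.113.50", "dport": 4444},
    {"host": "db-01", "kind": "network", "domain": "intranet.example", "dst_ip": "10.0.0.8"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for t in found:
        print(t)
    print(dict(summary(found)))
```

Transport encryption between agent and analysis module is left out here; the point of the example is that classification happens before matching, so the severity assigned to a hit depends on what kind of record produced it rather than on the indicator alone.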
In one embodiment, the security monitoring of the network traffic, the host process, and the host folder using the whitelist includes:
detecting network traffic from endpoint to endpoint, and configuring an access policy in each information system by pushing a traffic whitelist in IP + port form;
monitoring the processes of the host application system, and raising an alarm when an abnormal new process appears;
and monitoring file integrity, monitoring behaviours that affect file integrity, including deleting, modifying and/or adding files, measuring the hot-spot areas of system data reads and writes, and closing file-upload permission on idle file systems.
In particular, the network traffic whitelist is the first technical protection of the information system. The purpose of the whitelist technique is not to block specific known-bad things; it works in the reverse direction to the blacklist technique, permitting traffic only for network objects known to be good and blocking all other objects that have no permitted traffic. The network whitelist approach can precisely control the packets of network flows, avoids most 0-day attacks, and is an active form of defense. The difficulty of the traffic whitelist lies in combing through the traffic of each information asset. By implementing an end-to-end traffic detection mechanism, a network security operator can quickly comb the access traffic and issue an access policy, stacking a traffic whitelist (IP + port) for each information system and thereby achieving precise management and control of network traffic.
The host process whitelist is the second technical protection of the information system, assuming the traffic whitelist has been broken through. At the key stage of a system intrusion, a hacker often injects a privilege escalation tool into the host operating system to obtain higher-level control of it; on the two common operating systems the escalation targets are Administrator on Windows and root on Linux. The host detection system can self-learn the processes of the application system; once the system is stable, an alarm is raised if a new, abnormal process appears, and after a period of learning the information system's process set can be locked manually so that an illegitimate process cannot establish itself.
The host folder whitelist is the third technical protection of the information system, assuming the process whitelist policy has been broken through. Having managed to add a new process, a hacker may upload further tools into the file directories of the information system's operating system. In actual information system operations, once a system is online most of the file system sees essentially no new reads and writes, apart from some system log files, information system databases, file transfer folders and the like. Through a self-learning mechanism, file integrity is monitored and actions that affect it, such as deleting, modifying or adding files, are tracked; after a period of time the system's read/write hot-spot areas can be measured, and, on the premise that system stability is not affected, file-upload permission on the other, unrelated file systems is closed so that an attack script or tool cannot land on the host.
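The three whitelists just described, modelled in Python as an added example (not the patent's own code or any product implementation): a static IP + port traffic policy, a process whitelist with a learning phase followed by a lock, and a file integrity monitor that learns read/write hot spots before locking. Process names, file contents and addresses are constructed sample data; the hot-spot threshold is an assumption.

```python
"""Added example: traffic, process and file-integrity whitelists with a
self-learning phase. Everything here is constructed for illustration and is
not taken from the patent or from a real system."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class TrafficWhitelist:
    """Access policy as known-good (destination IP, port) pairs; all else is denied."""
    allowed: set = field(default_factory=set)

    def allow(self, ip: str, port: int) -> None:
        self.allowed.add((ip, port))

    def check(self, ip: str, port: int) -> bool:
        return (ip, port) in self.allowed


class ProcessWhitelist:
    """Learns the process set while unlocked; once locked, anything outside
    the baseline is reported as an abnormal new process."""

    def __init__(self):
        self.baseline = set()
        self.locked = False

    def observe(self, running) -> set:
        running = set(running)
        if not self.locked:
            self.baseline |= running      # learning: absorb what is seen
            return set()
        return running - self.baseline    # locked: report newcomers

    def lock(self) -> None:
        self.locked = True


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FileIntegrityMonitor:
    """Tracks added/modified/deleted files against a hashed baseline and, while
    learning, counts how often each path changes (the read/write hot spots)."""

    def __init__(self):
        self.baseline = {}   # path -> sha256 hex of last seen content
        self.hot = {}        # path -> number of changes seen during learning
        self.locked = False

    def snapshot(self, files: dict) -> dict:
        """files maps path -> bytes. Returns the change sets; during learning
        the baseline is simply updated and nothing is reported."""
        current = {p: _digest(b) for p, b in files.items()}
        added = set(current) - set(self.baseline)
        deleted = set(self.baseline) - set(current)
        modified = {p for p in current.keys() & self.baseline.keys()
                    if current[p] != self.baseline[p]}
        if not self.locked:
            for p in added | modified:
                self.hot[p] = self.hot.get(p, 0) + 1
            self.baseline = current
            return {"added": set(), "modified": set(), "deleted": set()}
        return {"added": added, "modified": modified, "deleted": deleted}

    def hot_spots(self, threshold: int = 2) -> set:
        """Paths that changed at least `threshold` times while learning
        (assumed threshold): the areas that must stay writable after locking."""
        return {p for p, n in self.hot.items() if n >= threshold}

    def lock(self) -> None:
        self.locked = True


if __name__ == "__main__":
    fim = FileIntegrityMonitor()
    # Constructed learning snapshots: the log file churns, the app code does not.
    fim.snapshot({"/app/a.py": b"v1", "/var/log/app.log": b"l1"})
    fim.snapshot({"/app/a.py": b"v1", "/var/log/app.log": b"l2"})
    fim.snapshot({"/app/a.py": b"v1", "/var/log/app.log": b"l3"})
    fim.lock()
    print("hot spots:", fim.hot_spots())
    print(fim.snapshot({"/app/a.py": b"v2", "/var/log/app.log": b"l3", "/tmp/x.sh": b"x"}))
```

The learn-then-lock shape is the part worth copying: a baseline taken too early reports every routine write as an incident, and one taken without a lock never reports anything. The hot-spot set is what tells an operator which directories (logs, database files, transfer folders) to exclude from the upload-permission clamp-down.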
In one embodiment, performing intrusion data analysis and network data flow monitoring on deployed virtualized hosts includes:
analysing and defending against network intrusion data, and intercepting a hacker's malicious scanning, brute-force cracking and/or network vulnerability exploitation and other network-layer attacks;
and monitoring network data flows, directly discovering anomalous traffic between virtual machines.
In implementation, virtualization protection is divided into two parts: the first realises security protection and access isolation of the virtual machine system through the API provided by the virtualization layer, and the second detects and analyses network traffic (east-west and north-south) through a virtual network interface. Virtualized host security protection mainly provides two functions: first, analysis and defense of network intrusion data in both the north-south and east-west directions, so that a hacker's malicious scanning, brute-force cracking, network vulnerability exploitation and other network-layer attacks can be intercepted at the first opportunity; and second, monitoring of east-west network data flows, directly discovering anomalous traffic between virtual machines.
In one embodiment, malicious attack behavior monitoring for a website application includes:
monitoring malicious attack behaviours, and intercepting website vulnerability exploitation, web backdoor attacks and/or credential stuffing (library collision) attacks and other malicious attack behaviours initiated by hackers against website applications, while an embedded engine actively identifies and intercepts webshells.
In implementation, application systems based on the B/S (browser/server) model are now the mainstream trend, and users can access multiple information system services using only a browser. Website security protection is the application-layer protection in the EDR deep defense system: it can intercept, at the first opportunity, malicious attack behaviours such as website vulnerability exploitation, web backdoor attacks and credential stuffing (library collision) attacks initiated by hackers against website applications, while the embedded webshell identification and interception engine recognises encrypted and obfuscated webshells and effectively intercepts them.
In one embodiment, the method further comprises:
performing virus scanning and removal on the host, comprising binary virus removal, WebShell backdoor removal and active interception.
In one embodiment, the method further comprises:
performing security hardening and configuration on the host system, comprising updating system vulnerability patches, updating application risk configuration, discovering and deleting system risk accounts, discovering system weak passwords, discovering database weak passwords, updating process permissions and/or updating directory permissions.
In the specific implementation, the EDR deep defense system attends to every dimension of host security protection, and the enhanced functions strengthen security management of the host, further improving its defense capability.
Virus scanning and removal: binary virus removal, WebShell backdoor removal and active interception (a lightweight engine is adopted to avoid virtual machine storms);
System security hardening and optimisation: system vulnerability patching, application risk configuration optimisation, system risk account discovery and deletion, system weak password discovery, database weak password discovery, process permission optimisation and directory permission optimisation;
Active system defense: active protection, locking (tamper resistance) of critical system directories and the registry, and protection and locking of monitored system accounts;
Anti-brute-force: intercepting brute-force cracking behaviour against applications such as remote desktop, SSH, databases and FTP;
Anti-malicious-scanning: intercepting malicious scanning and vulnerability scanning behaviour aimed at various ports.
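The virtualized-host monitoring described earlier (north-south versus east-west flows, malicious scanning) and the anti-brute-force and anti-scanning functions listed above, as detection logic over sample data in Python. This is an added example, not code from the patent or from any product of the assignees: the VM address range, the flow records, the sshd-style log lines, the thresholds and the time window are all constructed assumptions.

```python
"""Added example: flow-direction classification, port-scan detection and
brute-force login detection over constructed sample data (not the patent's
code; subnet, thresholds and log format are assumptions)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address plan for the virtual network (constructed for the example).
VM_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


def flow_direction(src: str, dst: str) -> str:
    """East-west if both endpoints are virtual machines, otherwise north-south."""
    def inside(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in VM_NETWORKS)
    return "east-west" if inside(src) and inside(dst) else "north-south"


def detect_port_scans(flows, max_ports: int = 10) -> dict:
    """flows: iterable of (src, dst, dport). A source touching more than
    max_ports distinct ports on one destination is reported as scanning.
    Returns {(src, dst): distinct_port_count} for the offenders."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) > max_ports}


# Regex for the constructed sshd-style lines used below (assumed log shape).
AUTH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"
)


def detect_brute_force(lines, max_failures: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> dict:
    """Returns {src_ip: failures} for sources whose failed logins exceed
    max_failures inside any sliding window of length `window`."""
    events = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        events[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    flagged = {}
    for src, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                      # slide the window forward
            count = end - start + 1
            if count > max_failures:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Constructed sample flows: two ordinary connections plus one VM probing 20 ports.
SAMPLE_FLOWS = [("10.10.1.5", "10.10.1.9", 443), ("203.0.113.7", "10.10.1.9", 443)]
SAMPLE_FLOWS += [("10.10.1.20", "10.10.1.9", p) for p in range(20, 40)]

# Constructed sample log: six failures in ten seconds from one address, one stray failure.
SAMPLE_LOG = [
    "2024-03-01T10:00:%02d sshd[1234]: Failed password for root from 198.51.100.4 port 5555 ssh2" % s
    for s in range(0, 12, 2)
]
SAMPLE_LOG.append(
    "2024-03-01T10:00:30 sshd[1235]: Failed password for invalid user admin from 10.10.1.5 port 5556 ssh2"
)

if __name__ == "__main__":
    for src, dst, _ in SAMPLE_FLOWS[:2]:
        print(src, "->", dst, flow_direction(src, dst))
    print("scans:", detect_port_scans(SAMPLE_FLOWS))
    print("brute force:", detect_brute_force(SAMPLE_LOG))
```

Both detectors count distinct things per source (ports, failed attempts) rather than matching signatures, which is why they work equally on east-west traffic between VMs, where a boundary firewall has no view, and on north-south traffic from outside.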
As shown in fig. 2, a host security deep defense device includes: a host monitoring unit 201, a white list monitoring unit 202, a virtualized host monitoring unit 203, an application monitoring unit 204, and an early warning unit 205;
a host monitoring unit 201 for performing security monitoring on the host based on endpoint detection;
a whitelist monitoring unit 202, configured to use a whitelist to perform security monitoring on network traffic, host processes, and host folders, respectively;
A virtualized host monitoring unit 203, configured to perform intrusion data analysis and network data flow monitoring on a deployed virtualized host;
An application monitoring unit 204, configured to monitor a website application for malicious attack behavior;
and the early warning unit 205 is used for sending out early warning when illegal invasion and/or risk are detected.
As shown in fig. 3, the present disclosure provides an electronic device including a processor 301, a communication interface 302, a memory 303, and a communication bus 304, wherein the processor 301, the communication interface 302, and the memory 303 complete communication with each other through the communication bus 304;
a memory 303 storing a computer program;
the processor 301 is configured to implement the above-described method when executing the computer program stored on the memory 303.
The present disclosure provides a computer readable storage medium storing a computer program which when executed by a processor implements the method described above.
The computer-readable storage medium may be embodied in the apparatus/means described in the above embodiments; or may exist alone without being assembled into the apparatus/device. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The present disclosure provides a host security deep defense system based on an adaptive EDR detection and response mechanism. Through step-by-step entrenchment and layer-by-layer fortification, even an attacker who enters the system is confined to a controllable range. The scheme is suitable for the local area network of a typical enterprise, has the notable characteristics of high reliability and low cost, and has great value for wider adoption.
Although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (10)

1. A host security depth defense method, the method comprising:
performing security monitoring on the host based on endpoint detection;
adopting a whitelist to separately monitor network traffic, host processes and host folders;
performing intrusion data analysis and network data flow monitoring on the deployed virtualized host;
monitoring malicious attack behaviour against website applications;
and issuing an early warning when an illegal intrusion and/or a risk is detected.
2. The host security depth defense method of claim 1, wherein
performing security monitoring on the host based on endpoint detection comprises:
collecting host endpoint data and information, acquiring threat intelligence and performing big data analysis, specifically comprising the following steps:
collecting the security data on the host, classifying and encrypting it uniformly, and transmitting it to a big data analysis module;
acquiring position threats based on cloud data processing, and importing the threat intelligence into the big data analysis module; and
analyzing the security data set collected at the host endpoint against the position-threat intelligence big data, and identifying threat events.
3. The host security depth defense method of claim 1, wherein
performing security monitoring on network traffic, host processes and host folders respectively using a white list comprises:
detecting network traffic from endpoint to endpoint, and configuring an access policy in each information system by pushing a traffic white list in IP+port form;
monitoring the processes of the host application system, and raising an alarm when a new abnormal process appears; and
monitoring file integrity, including monitoring behaviors that affect file integrity (deleting, modifying and/or adding files), measuring the hot-spot areas of system data reads and writes, and disabling the file-upload permission of idle file systems.
4. The host security depth defense method of claim 1, wherein
performing intrusion data analysis and network data flow monitoring on the deployed virtualized hosts comprises:
analyzing and defending against network intrusion data, and intercepting multiple network-layer attacks by hackers, including malicious scanning, brute-force cracking and/or exploitation of network vulnerabilities; and
monitoring the network data flow, and directly discovering abnormal traffic between virtual machines.
5. The host security depth defense method of claim 1, wherein
monitoring malicious attack behaviors against the website application comprises:
monitoring malicious attack behaviors, and intercepting malicious attack behaviors initiated by hackers against website applications, including exploitation of various website vulnerabilities, webpage backdoor attacks and/or credential-stuffing (library collision) attacks, while actively identifying such attacks and connecting to the interception engine.
6. The host security depth defense method of claim 1, further comprising:
performing virus killing on the host, wherein the virus killing comprises binary virus killing, WebShell backdoor killing and active interception.
7. The host security depth defense method of claim 1, further comprising:
performing security reinforcement and configuration on the host system, wherein the security reinforcement and configuration comprises updating system vulnerability patches, updating risky application configurations, discovering and deleting risky system accounts, discovering weak system passwords, discovering weak database passwords, updating process permissions and/or updating directory permissions.
8. A host security depth defense device, comprising: a host monitoring unit, a white list monitoring unit, a virtualized host monitoring unit, an application monitoring unit and an early warning unit;
the host monitoring unit is used for performing security monitoring on the host based on endpoint detection;
the white list monitoring unit is used for performing security monitoring on network traffic, host processes and host folders respectively using a white list;
the virtualized host monitoring unit is used for performing intrusion data analysis and network data flow monitoring on the deployed virtualized hosts;
the application monitoring unit is used for monitoring malicious attack behaviors against the website application; and
the early warning unit is used for sending out an early warning when illegal intrusion and/or risk is detected.
9. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory stores a computer program; and
the processor, when executing the computer program stored on the memory, implements the host security depth defense method of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the host security depth defense method of any one of claims 1 to 7.
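The three white list monitors of claim 3 (IP+port traffic white list, process white list with alarm on new processes, and file-integrity monitoring for deleted, modified and added files) feeding the early warning of claim 1, as an added Python example that is not part of the patent; the whitelists, sample flows, process names and file contents are constructed assumptions.

```python
import hashlib

# Constructed whitelists standing in for claim 3's pushed "IP+port" access
# policy and the known host application processes (assumed sample values).
TRAFFIC_WHITELIST = {("10.0.0.5", 443), ("10.0.0.7", 22)}
PROCESS_WHITELIST = {"sshd", "nginx", "java"}

def check_traffic(flows, whitelist=TRAFFIC_WHITELIST):
    """Return (ip, port) pairs not covered by the pushed IP+port whitelist."""
    return [f for f in flows if f not in whitelist]

def check_processes(running, whitelist=PROCESS_WHITELIST):
    """Return newly added processes absent from the whitelist (alarm condition)."""
    return sorted(set(running) - whitelist)

def baseline(files):
    """Build a SHA-256 baseline from a {path: content_bytes} snapshot."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def check_integrity(base, current_files):
    """Classify changes as deleted, modified or added relative to the baseline."""
    cur = baseline(current_files)
    events = []
    for p, digest in base.items():
        if p not in cur:
            events.append(("deleted", p))
        elif cur[p] != digest:
            events.append(("modified", p))
    events += [("added", p) for p in cur if p not in base]
    return events

def early_warning(flows, running, base, current_files):
    """Claim 1's final step: collect findings from the three monitors as warnings."""
    warnings = [f"traffic not in whitelist: {ip}:{port}"
                for ip, port in check_traffic(flows)]
    warnings += [f"new process not in whitelist: {p}"
                 for p in check_processes(running)]
    warnings += [f"file {kind}: {path}"
                 for kind, path in check_integrity(base, current_files)]
    return warnings

# Constructed sample observations for a single monitoring cycle.
SAMPLE_FLOWS = [("10.0.0.5", 443), ("198.51.100.9", 4444)]
SAMPLE_PROCS = ["sshd", "nginx", "svc_tmp"]
SAMPLE_BASE = baseline({"/etc/passwd": b"root:x:0:0:",
                        "/var/www/index.php": b"<?php echo 'hello';"})
SAMPLE_NOW = {"/etc/passwd": b"root:x:0:0:",
              "/var/www/index.php": b"<?php echo 'changed';",
              "/var/www/uploads/new.php": b"<?php // newly added"}
```

Calling `early_warning(SAMPLE_FLOWS, SAMPLE_PROCS, SAMPLE_BASE, SAMPLE_NOW)` yields one warning per finding: the non-whitelisted flow, the new process, the modified page and the added file.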
CN202410228896.2A 2024-02-29 2024-02-29 Host security depth defense method and device Pending CN118157922A (en)


Publications (1)

Publication Number Publication Date
CN118157922A true CN118157922A (en) 2024-06-07

Family

ID=91294281



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination