WO2016091086A1 - Virtualization security detection method and system - Google Patents


Publication number
WO2016091086A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
server
detected
killing
security
Application number
PCT/CN2015/095821
Other languages
French (fr)
Chinese (zh)
Inventor
汪圣平
杨晓东
徐锐波
王院生
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors

Definitions

  • The present invention relates to the field of computer technologies, and in particular to a virtualization security detection method and system.
  • Virtualization refers to dividing one computer into multiple logical computers by means of virtualization technology. Multiple logical computers run on a single computer, each running a different operating system, and applications can run in separate spaces without affecting each other, which significantly improves the efficiency of the computer.
  • Because each virtual machine contains the same or similar information, and the killing servers in them are also identical to each other, if multiple virtual machines perform the same security detection at the same time, the resource consumption of the physical machine hosting those virtual machines inevitably increases.
  • In view of the above problems, the present invention proposes a virtualization security detection method and system that overcome, or at least partially solve, them.
  • A virtualization security detection method, including:
  • the light proxy client obtains the information to be detected and sends it to the cache server through the network;
  • the cache server sends the information to be detected to the killing server through the network; the killing server performs security detection on the information to be detected; the security level of the information to be detected is determined according to the detection result of the killing server;
  • the light proxy client is set in the virtual machine.
  • The light proxy client obtaining information to be detected includes:
  • the light proxy client obtains information to be detected from at least one virtual machine in the physical machine where the light proxy client is located, where multiple virtual machines are set in that physical machine;
  • the light proxy client obtains information to be detected from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light proxy client is located, where the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
  • the to-be-detected information includes at least one of file information, web address information, access path information, and registry read/write information.
  • The step of the killing server performing security detection on the information to be detected includes:
  • the killing server scans the feature value with a killing engine to perform security detection on the information to be detected.
  • The method further includes:
  • if the killing server scans the feature value to perform security detection on the information to be detected and no detection result is obtained, the killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located; the private cloud server performs security detection, obtains a detection result, and returns the detection result to the killing server.
  • The method further includes:
  • if the private cloud server performs security detection on the information to be detected and no detection result is obtained, the feature value is sent to the public cloud server outside the cluster for security detection; the detection result is obtained and returned to the private cloud server, and the private cloud server returns the detection result to the killing server.
  • The killing server sending the feature value to the private cloud server of the cluster where the light proxy client is located for security detection includes:
  • the killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection according to a preset scanning sequence.
  • The method further includes:
  • the killing server sends the security detection result to the cache server for storage.
  • The method further includes:
  • the private cloud server obtains update information from the public cloud server according to a set rule, where the update information includes correspondences between feature values periodically updated by the public cloud server and security levels;
  • the private cloud server updates the correspondences between feature values and security levels stored in the private cloud server according to the update information.
  • A virtualization security detection system, including: a cache server, a killing server, and a light proxy client disposed in the virtual machine;
  • the light proxy client is configured to obtain information to be detected and send it to the cache server through a network;
  • the cache server is configured to determine whether a correspondence between the information to be detected and its security level is cached; if not, the information to be detected is sent to the killing server through the network; if yes, the security level of the information to be detected is determined according to the correspondence;
  • the killing server is configured to receive the information to be detected sent by the cache server and perform security detection on it to obtain a detection result;
  • the cache server is further configured to determine the security level of the information to be detected according to the detection result of the killing server.
  • The light proxy client obtains information to be detected from at least one virtual machine in the physical machine where the light proxy client is located, where the physical machine is provided with multiple virtual machines;
  • the light proxy client obtains information to be detected from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light proxy client is located, where the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
  • the to-be-detected information includes at least one of file information, web address information, access path information, and registry read/write information.
  • The killing server includes:
  • a feature value obtaining module, configured to acquire the feature value of the information to be detected;
  • a security detection module, configured to perform security detection on the information to be detected by scanning the feature value with a killing engine.
  • The killing server further includes:
  • a private cloud detection module, configured to send the feature value to the private cloud server of the cluster where the light proxy client is located for security detection if the security detection module scans the feature value with the killing engine and obtains no detection result; the private cloud server performs security detection, obtains a detection result, and returns the detection result to the killing server.
  • The killing server further includes:
  • a public cloud detection module, configured to send the feature value to the public cloud server outside the cluster for security detection if the private cloud server performs security detection on the information to be detected and obtains no detection result; the detection result is obtained and returned to the private cloud server, and the private cloud server returns the detection result to the killing server.
  • The private cloud detection module sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection according to a preset scanning sequence.
  • The killing server further includes:
  • a cache storage module, configured to send the security detection result to the cache server for storage after the private cloud detection module obtains the detection result and returns it to the killing server.
  • the private cloud server obtains update information from the public cloud server according to a setting rule, where the update information includes a correspondence between a feature value periodically updated by the public cloud server and a security level;
  • the private cloud server updates the correspondence between the feature value and the security level stored in the private cloud server according to the update information.
  • A computer program comprising computer readable code which, when executed on a computer, causes the computer to perform any of the virtualization security detection methods described above.
  • When the killing server in each virtual machine starts to perform security detection on the information, the resource occupancy rate of the physical machine increases.
  • In the embodiment, the light proxy client is set in the virtual machine; the light proxy client obtains the information to be detected in the virtual machine and sends it to the cache server for security level judgment. The cache server determines whether a correspondence between the information to be detected and its security level is cached; if yes, the security level of the information to be detected is determined according to that correspondence; if not, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.
  • By setting a cache server that caches the correspondence between the information to be detected and its security level, the cache server is consulted first, and security detection efficiency is improved because no security detection by the killing server is needed for information whose correspondence is already cached.
  • FIG. 1 is a flow chart showing the steps of a virtualization security detection method according to Embodiment 1 of the present invention.
  • FIG. 2 is a flow chart showing the steps of a virtualization security detection method according to Embodiment 2 of the present invention.
  • FIG. 3 is a structural block diagram of a virtualization security detection system according to Embodiment 3 of the present invention.
  • FIG. 4 is a structural block diagram of a virtualization security detection system according to Embodiment 4 of the present invention.
  • FIG. 5 is a block diagram schematically showing the structure of a computer for executing the virtualization security detection method according to the present invention.
  • FIG. 6 schematically shows a storage unit for holding or carrying program code implementing the virtualization security detection method according to the present invention.
  • A virtualization security detection method provided by an embodiment of the present invention is described in detail.
  • Referring to FIG. 1, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
  • The virtualization security detection method in the embodiment can be applied to a system including a light proxy client, a cache server, and a killing server.
  • The light proxy client may be disposed in a virtual machine, and the cache server and the killing server may be disposed in a virtual machine or in a physical machine.
  • The light proxy client may be disposed in one virtual machine among the plurality of virtual machines, and the cache server and the killing server may be disposed only in one physical machine, or in one virtual machine.
  • The light proxy client, the cache server, and the killing server may be disposed in the same virtual machine among the multiple virtual machines, and need not be set in the other virtual machines.
  • Step 100: the light proxy client obtains the information to be detected and sends it to the cache server through the network.
  • The information to be detected may come from the same virtual machine or from multiple virtual machines; that is, the light proxy client in one virtual machine can obtain the information to be detected in other virtual machines.
  • File information can be transmitted subject to the limitations of the underlying physical layer itself; the information to be detected transmitted through the network may, in addition to file information, include but is not limited to URL information, access path information, and registry read/write information.
  • Step 102: the cache server determines whether a correspondence between the information to be detected and its security level is cached. If not, step 104 is performed; if yes, step 106 is performed.
  • The correspondence between the information to be detected and its security level can be cached in the cache server.
  • For example, the cache server caches the correspondence between information to be detected A and its security level "dangerous", and the correspondence between information to be detected B and its security level "security".
  • Step 104: the cache server sends the information to be detected to the killing server through the network for security detection of the information to be detected.
  • The security level of the information to be detected is determined according to the detection result of the killing server.
  • For example, the cache server receives information to be detected C from the light proxy client and holds no correspondence between C and its security level, so the cache server sends C to the killing server.
  • The killing server performs security detection on C and obtains a detection result, and the cache server can determine the security level of C according to that detection result.
  • That is, when there is no correspondence between the information to be detected and its security level in the cache server, the cache server sends the information to be detected to the killing server for security detection, and the security level of the information to be detected is determined from the detection result obtained by the killing server.
  • Step 106: determine the security level of the information to be detected according to the correspondence.
  • When the correspondence is cached, the security level corresponding to the information to be detected is determined directly.
  • The embodiment sets a light proxy client in the virtual machine; the light proxy client obtains the information to be detected in the virtual machine and sends it to the cache server for security level judgment. The cache server determines whether a correspondence between the information to be detected and its security level is cached; if yes, the security level of the information to be detected is determined according to that correspondence; if not, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.
  • By setting a cache server that caches the correspondence between the information to be detected and its security level, the cache server is consulted first, and security detection efficiency is improved because no security detection by the killing server is needed for information whose correspondence is already cached.
  • A virtualization security detection method provided by an embodiment of the present invention is described in detail.
  • Referring to FIG. 2, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
  • The virtualization security detection method in the embodiment can be applied to a system including a light proxy client, a cache server, and a killing server.
  • The light proxy client can be set in a virtual machine, and the cache server and the killing server can be set in a virtual machine or in a physical machine.
  • The light proxy client may be disposed in one virtual machine among the plurality of virtual machines, and the cache server and the killing server may be disposed only in one physical machine, or in one virtual machine; the light proxy client, the cache server, and the killing server may be set in the same virtual machine among the multiple virtual machines, and need not be set in the other virtual machines.
  • Step 200: the light proxy client obtains the information to be detected and sends it to the cache server through the network.
  • The information to be detected may come from the same virtual machine or from multiple virtual machines; that is, the light proxy client in one virtual machine can obtain the information to be detected in other virtual machines.
  • Depending on the source of the information to be detected, the process by which the light proxy client obtains the information to be detected in step 200 may be:
  • 1) the light proxy client obtains information to be detected from at least one virtual machine in the physical machine where the light proxy client is located, where multiple virtual machines are disposed in that physical machine.
  • For example, if the physical machine where the light proxy client Q1 is located includes the virtual machines X1 and X2, Q1 can obtain the information to be detected from X1 and X2 together, from X1 alone, or from X2 alone.
  • 2) the light proxy client obtains information to be detected from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light proxy client is located, where the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
  • For example, the physical machine W1 where the light proxy client Q1 is located belongs to the cluster J1; the cluster J1 further includes the physical machine W2; W1 includes the virtual machines X1 and X2, and W2 includes the virtual machines X3 and X4. Q1 can then obtain the information to be detected from X1, X2, X3, and X4 together, or from X1 alone, from X2 alone, from X3 alone, or from X4 alone.
  • When obtaining the information to be detected, the light proxy client may use only the manner in 1) above, only the manner in 2) above, or the manners in 1) and 2) at the same time.
  • The information to be detected may include at least one of file information, URL information, access path information, and registry read/write information.
  • The embodiment does not limit the specific content of the information to be detected.
  • Step 202: the cache server determines whether a correspondence between the information to be detected and its security level is cached. If not, step 204 is performed; if yes, step 206 is performed.
  • The correspondence between the information to be detected and its security level can be cached in the cache server.
  • For example, the cache server caches the correspondence between information to be detected A and its security level "dangerous", and the correspondence between information to be detected B and its security level "security".
  • Step 204: the cache server sends the information to be detected to the killing server through the network for security detection of the information to be detected.
  • The security level of the information to be detected is determined according to the detection result of the killing server.
  • For example, the cache server receives information to be detected C from the light proxy client and holds no correspondence between C and its security level, so the cache server sends C to the killing server.
  • The killing server performs security detection on C and obtains a detection result, and the cache server can determine the security level of C according to that detection result.
  • That is, when there is no correspondence between the information to be detected and its security level in the cache server, the cache server sends the information to be detected to the killing server for security detection, and the security level of the information to be detected is determined from the detection result obtained by the killing server.
  • The step of the killing server performing security detection on the information to be detected in step 204 above may include:
  • Step 041: the killing server acquires a feature value of the information to be detected.
  • The feature value of the information to be detected is attribute information that uniquely identifies the information to be detected.
  • The killing server can obtain the feature value by performing an operation on the information to be detected.
  • The embodiment does not limit the technical means by which the killing server obtains the feature value of the information to be detected.
  • Step 042: the killing server scans the feature value with a killing engine to perform security detection on the information to be detected.
  • The killing engine is a core component of the killing server; it scans and identifies feature values to realize security detection of the information to be detected.
  • If in step 042 the killing server scans the feature value to perform security detection on the information to be detected and no detection result is obtained, step 043 is performed.
  • Step 043: the killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection; a detection result is obtained and returned to the killing server.
  • The cluster in which the light proxy client is located is provided with a private cloud server, which is generally configured to be accessed by the physical machines and virtual machines in the cluster; the private cloud server stores a large amount of information about the information to be detected in the cluster, including feature values of information to be detected and the corresponding security levels.
  • The process by which the killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection may be:
  • the killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection according to a preset scanning sequence.
  • That is, the killing server may send multiple feature values to the private cloud server for security detection in a preset scanning order.
  • The killing server may further send the security detection result to the cache server for storage.
  • The purpose is to add to the correspondences between information to be detected and security levels held by the cache server, so that the efficiency of the cache server in step 202 above can be improved.
  • If the private cloud server does not obtain a detection result, step 044 is performed.
  • Step 044: send the feature value to a public cloud server outside the cluster for security detection, obtain a detection result, return the detection result to the private cloud server, and return the detection result to the killing server through the private cloud server.
  • The security detection capability of the private cloud server is weaker than that of the public cloud server.
  • When the private cloud server does not obtain a detection result, the feature value is sent to the public cloud server for security detection, and a detection result can be obtained.
  • In this way the success rate of subsequent detections by the private cloud server and the killing server can be increased.
  • The private cloud server may obtain update information from the public cloud server according to a set rule, where the update information may include correspondences between feature values periodically updated by the public cloud server and security levels.
  • The private cloud server may update the correspondences between feature values and security levels stored in the private cloud server according to the update information.
  • Step 206: determine the security level of the information to be detected according to the correspondence.
  • When the correspondence is cached, the security level corresponding to the information to be detected is determined directly.
  • The embodiment sets a light proxy client, a cache server, and a killing server in one virtual machine among a plurality of virtual machines; the light proxy client obtains the information to be detected in the virtual machine and sends it to the cache server.
  • The cache server determines whether a correspondence between the information to be detected and its security level is cached; if yes, the security level of the information to be detected is determined according to that correspondence; if not, the information to be detected is sent to the killing server for security detection, and the security level is determined according to the security detection result.
  • By setting a cache server that caches the correspondence between the information to be detected and its security level, the cache server is consulted first, and security detection efficiency is improved because no security detection by the killing server is needed for information whose correspondence is already cached.
  • The light proxy client, the cache server, and the killing server are set in one virtual machine among multiple virtual machines, so they occupy system resources in only one virtual machine, which reduces the resource occupancy rate of the physical machine.
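The tiered flow of steps 200 to 206 and 041 to 044 (cache lookup in the cache server, killing-engine scan of the feature value, escalation to the private cloud server and then to the public cloud server, write-back of the result to the cache, and update of the private cloud from the public cloud), modelled as a runnable Python program. This is an added example written for this page, not code from the patent or its assignee. Because the page does not specify them, it assumes that the feature value is the SHA-256 digest of the item's bytes, that each tier holds its correspondences in an in-memory dictionary keyed by feature value, that the security levels are the page's labels "dangerous" and "security" plus "unknown" when no tier can decide, and that the private cloud's update rule is a full copy of the public cloud's correspondences. The item names, VM names and class names are constructed for the example.

```python
"""Added example: tiered security-detection lookup modelled on steps 200-206 and 041-044.
Assumptions (not specified by the page): feature value = SHA-256 of the item bytes;
each tier is an in-memory dict keyed by feature value; levels are "dangerous",
"security" (the page's labels) and "unknown" when no tier can decide."""
import hashlib
from typing import Dict, List, Optional

DANGEROUS, SAFE, UNKNOWN = "dangerous", "security", "unknown"


def feature_value(data: bytes) -> str:
    """Step 041: derive the unique attribute of an item (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


class PublicCloud:
    """Public cloud server outside the cluster: the most complete knowledge base."""
    def __init__(self, known: Dict[str, str]):
        self.known = dict(known)  # feature value -> security level

    def detect(self, fv: str) -> Optional[str]:
        return self.known.get(fv)


class PrivateCloud:
    """Private cloud server of the cluster; escalates to the public cloud (step 044)."""
    def __init__(self, public: PublicCloud, known: Optional[Dict[str, str]] = None):
        self.public = public
        self.known = dict(known or {})

    def detect(self, fv: str) -> Optional[str]:
        level = self.known.get(fv)
        if level is None:  # no local result: step 044
            level = self.public.detect(fv)
            if level is not None:
                self.known[fv] = level  # the result passes back through the private cloud
        return level

    def pull_updates(self) -> int:
        """Refresh local correspondences from the public cloud (full copy assumed); returns how many were added."""
        before = len(self.known)
        self.known.update(self.public.known)
        return len(self.known) - before


class KillingServer:
    """Scans the feature value with its engine (step 042), then asks the private cloud (step 043)."""
    def __init__(self, engine_signatures: Dict[str, str], private: PrivateCloud):
        self.engine = dict(engine_signatures)
        self.private = private
        self.scan_log: List[str] = []  # which tier answered each scan

    def detect(self, data: bytes) -> str:
        fv = feature_value(data)
        level, tier = self.engine.get(fv), "engine"
        if level is None:
            level, tier = self.private.detect(fv), "cloud"
        if level is None:
            level, tier = UNKNOWN, "none"
        self.scan_log.append(tier)
        return level


class CacheServer:
    """Step 202: answer from the cache; step 204: scan and store; step 206: return the cached level."""
    def __init__(self, killing: KillingServer):
        self.killing = killing
        self.cache: Dict[str, str] = {}
        self.hits = self.misses = 0

    def security_level(self, data: bytes) -> str:
        fv = feature_value(data)
        if fv in self.cache:
            self.hits += 1
            return self.cache[fv]
        self.misses += 1
        level = self.killing.detect(data)
        if level != UNKNOWN:
            self.cache[fv] = level  # the killing server's result is stored for later lookups
        return level


class LightProxyClient:
    """Step 200: collects items from one or more VMs and forwards them to the cache server."""
    def __init__(self, cache: CacheServer):
        self.cache = cache

    def submit(self, items_by_vm: Dict[str, List[bytes]]) -> Dict[str, List[str]]:
        return {vm: [self.cache.security_level(b) for b in items] for vm, items in items_by_vm.items()}


def build_demo():
    """Constructed sample: A known to the engine, B to the private cloud, C to the public cloud, D to nobody."""
    a, b, c, d = b"item-A", b"item-B", b"item-C", b"item-D"
    public = PublicCloud({feature_value(c): DANGEROUS})
    private = PrivateCloud(public, {feature_value(b): SAFE})
    killing = KillingServer({feature_value(a): DANGEROUS}, private)
    cache = CacheServer(killing)
    return LightProxyClient(cache), cache, killing, private, (a, b, c, d)


def run_demo():
    """Two VMs on one physical machine submit overlapping items; the second VM's items all hit the cache."""
    proxy, cache, killing, private, (a, b, c, d) = build_demo()
    levels = proxy.submit({"X1": [a, b, c, d], "X2": [a, b, c]})
    return levels, cache.hits, cache.misses, killing.scan_log, sorted(private.known.values())


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the four misses from X1 being answered by the engine, the private cloud, the public cloud and nobody respectively, and the three items from X2 all served from the cache without touching the killing server; the scan log is the signal an operator would watch to judge how much of the load the cache and the private cloud are absorbing, and `pull_updates` is the part that shrinks the "cloud" share over time.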
  • a virtualization security detection system provided by an embodiment of the present invention is described in detail.
  • FIG. 3 a block diagram of a virtualized security detection system in an embodiment of the present invention is shown.
  • the system may include: a light proxy client 300 disposed in the virtual machine, and a cache server 302 and a kill server 304;
  • the cache server 302 and the kill server 304 may be disposed in a physical machine or a virtual machine.
  • the light proxy client 300 may be disposed in one virtual machine of the plurality of virtual machines, and the cache server 302 and the killing server 304 may be disposed only in one physical machine, or
  • the virtual agent client 300, the cache server 302, and the killing server 304 may be disposed in the same virtual machine among multiple virtual machines, and other virtual devices are disposed in a virtual machine. There is no need to set it in the machine.
  • the light proxy client 300 is configured to obtain information to be detected, and send the to-be-detected information to the cache server 302 through the network.
  • the cache server 302 is configured to determine whether a correspondence between the to-be-detected information and the security level corresponding to the to-be-detected information is cached; if not, the to-be-detected information is sent to the killing server 304 for detection; if so, the security level of the to-be-detected information is determined according to the correspondence.
  • the killing server 304 is configured to receive the to-be-detected information sent by the cache server 302, and perform security detection on the to-be-detected information to obtain a detection result.
  • the cache server 302 is further configured to determine a security level of the to-be-detected information according to the detection result of the killing server 304.
  • the embodiment of the present invention sets a light proxy client in a virtual machine, and the light proxy client obtains the to-be-detected information in the virtual machine and sends it to the cache server so that the security level can be determined.
  • the cache server determines whether the correspondence between the to-be-detected information and its security level is cached; if so, the security level of the to-be-detected information is determined from that correspondence.
  • if not, the to-be-detected information is sent to the killing server for security detection, and the security level is determined according to the security detection result.
  • a virtualization security detection system provided by an embodiment of the present invention is described in detail.
  • referring to FIG. 4, a block diagram of a virtualization security detection system in an embodiment of the present invention is shown.
  • the system may include: a light proxy client 400 set in a virtual machine, a cache server 402, and a killing server 404; wherein the cache server 402 and the killing server 404 may be set in a physical machine or in a virtual machine.
  • the light proxy client 400 may be set in one virtual machine among the multiple virtual machines, and the cache server 402 and the killing server 404 may be set in only one physical machine, or
  • the light proxy client 400, the cache server 402, and the killing server 404 may be set in the same virtual machine among the multiple virtual machines, with none needing to be set in the other virtual machines.
  • the killing server 404 may include: a feature value obtaining module 4041, a security detecting module 4042, a private cloud detecting module 4043, a public cloud detecting module 4044, and a cache storage module 4045.
  • the light proxy client 400 is configured to acquire information to be detected, and send the to-be-detected information to the cache server 402 through the network.
  • the information to be detected may include at least one of file information, web address information, access path information, and registry read/write information.
  • the light proxy client 400 obtains to-be-detected information from at least one virtual machine in the physical machine where the light proxy client 400 is located, wherein multiple virtual machines are set in that physical machine;
  • and/or, the light proxy client 400 obtains to-be-detected information from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light proxy client 400 is located, wherein the cluster includes at least one physical machine and each physical machine includes at least one virtual machine.
  • the cache server 402 is configured to determine whether a correspondence between the to-be-detected information and the security level corresponding to the to-be-detected information is cached; if not, the to-be-detected information is sent to the killing server 404 for detection; if so, the security level of the to-be-detected information is determined according to the correspondence.
  • the killing server 404 is configured to receive the to-be-detected information sent by the cache server 402, and perform security detection on the to-be-detected information to obtain a detection result.
  • the killing server 404 can include:
  • the feature value obtaining module 4041 is configured to acquire the feature value of the information to be detected.
  • the security detection module 4042 is configured to perform security detection on the to-be-detected information by scanning the feature value by using a killing engine.
  • the private cloud detection module 4043 is configured to, if the security detection module 4042 obtains no detection result from performing security detection on the to-be-detected information by scanning the feature value with the killing engine, send the feature value to the private cloud server of the cluster where the light proxy client 400 is located for security detection, obtain the detection result, and return the detection result to the killing server 404.
  • the private cloud detection module 4043 sends the feature value to the private cloud server of the cluster where the light proxy client 400 is located for security detection according to a preset scanning order.
  • the public cloud detection module 4044 is configured to, if the private cloud server obtains no detection result from performing security detection on the to-be-detected information, send the feature value to the public cloud server outside the cluster for security detection, obtain the detection result, return it to the private cloud server, and return it to the killing server 404 through the private cloud server.
  • the cache storage module 4045 is configured to, after the private cloud detection module 4043 obtains the detection result and returns it to the killing server 404, send the security detection result to the cache server for storage.
  • the private cloud server obtains update information from the public cloud server according to a setting rule, where the update information includes a correspondence between a feature value periodically updated by the public cloud server and a security level.
  • the private cloud server updates the correspondence between the feature value and the security level stored in the private cloud server according to the update information.
  • the cache server 402 is further configured to determine a security level of the to-be-detected information according to the detection result of the killing server 404.
  • the embodiment of the present invention sets a light proxy client in the virtual machine; the light proxy client obtains the to-be-detected information in the virtual machine and sends it to the cache server for the security level to be determined; the cache server determines whether the correspondence between the to-be-detected information and its security level is cached, and if so determines the security level of the to-be-detected information according to the correspondence; if not, it sends the to-be-detected information to the killing server for security detection, and the security level is determined according to the security detection result.
  • the virtualization security detection scheme provided herein is not inherently related to any particular computer, virtual system, or other device.
  • Various general-purpose systems can also be used with the teachings herein. From the above description, the structure required to construct a system having the solution of the present invention is apparent. Moreover, the invention is not directed to any particular programming language. It is to be understood that the invention may be embodied in a variety of programming languages, and the description of a specific language above is given in order to disclose the preferred embodiments of the invention.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • all the features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all the processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the components of the virtualization security detection scheme in accordance with embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 5 illustrates a computer in which a virtualization security detection method in accordance with the present invention can be implemented.
  • the computer traditionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • the memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 520 has a memory space 530 for program code 531 for performing any of the method steps described above.
  • storage space 530 for program code may include various program code 531 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units as described with reference to FIG.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 520 in the mobile terminal of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 531', code that can be read by a processor, such as 510, which when executed by a computer causes the computer to perform various steps in the methods described above.
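As an added example (not code from the patent or its applicant), the Python below models the tiered lookup the embodiments above describe: the cache server is consulted first, a miss goes to the killing server, whose local engine falls through to the private cloud server and then to the public cloud server, and a conclusive result is written back to the cache; the light proxy client's submissions from two virtual machines are modelled as a loop. Class and method names, SHA-256 as the feature value, the set-rule refresh of the private cloud, and the sample items are assumptions of this example.

```python
# Added example; not code from patent WO2016091086A1 or its applicant. Models the
# cache server -> killing engine -> private cloud -> public cloud lookup chain.
import hashlib
from typing import Dict, Tuple

SAFE, DANGEROUS, UNKNOWN = "safe", "dangerous", "unknown"


def feature_value(info: bytes) -> str:
    """Feature value of the information to be detected (assumed here: SHA-256)."""
    return hashlib.sha256(info).hexdigest()


class PublicCloudServer:
    """Authoritative feature value -> security level table outside the cluster."""

    def __init__(self, table: Dict[str, str]):
        self.table = dict(table)
        self.lookups = 0

    def publish(self, fv: str, level: str) -> None:
        self.table[fv] = level  # a periodic update the cluster has not pulled yet

    def detect(self, fv: str) -> str:
        self.lookups += 1
        return self.table.get(fv, UNKNOWN)


class PrivateCloudServer:
    """In-cluster table, refreshed from the public cloud according to a set rule."""

    def __init__(self, public: PublicCloudServer):
        self.public = public
        self.table: Dict[str, str] = {}
        self.lookups = 0

    def sync_from_public(self) -> None:
        self.table.update(self.public.table)  # the update information

    def detect(self, fv: str) -> str:
        self.lookups += 1
        level = self.table.get(fv, UNKNOWN)
        if level == UNKNOWN:  # no result in the cluster: ask the public cloud
            level = self.public.detect(fv)
        return level


class KillingServer:
    """Local killing engine first, then the cloud tiers, in a preset order."""

    def __init__(self, signatures: Dict[str, str], private: PrivateCloudServer):
        self.engine = dict(signatures)
        self.private = private
        self.scans = 0

    def detect(self, info: bytes) -> Tuple[str, str]:
        self.scans += 1
        fv = feature_value(info)              # feature value obtaining module
        level = self.engine.get(fv, UNKNOWN)  # security detection module
        if level == UNKNOWN:                  # private (then public) cloud module
            level = self.private.detect(fv)
        return fv, level


class CacheServer:
    """Answers from the cached correspondence; on a miss, asks the killing server."""

    def __init__(self, killing: KillingServer):
        self.killing = killing
        self.cache: Dict[str, str] = {}
        self.hits = 0

    def security_level(self, info: bytes) -> str:
        fv = feature_value(info)
        if fv in self.cache:
            self.hits += 1
            return self.cache[fv]
        fv, level = self.killing.detect(info)
        if level != UNKNOWN:  # cache storage module; an inconclusive result is not kept
            self.cache[fv] = level
        return level


def run_scenario() -> Dict[str, int]:
    """Two VMs submit the same four constructed items through one light proxy client."""
    known_bad = b"constructed sample: dropper.exe"        # known to the local engine
    cluster_bad = b"constructed sample: cluster-only.dll"  # known to the private cloud
    clean = b"constructed sample: notepad.exe"             # published by the public cloud later
    never_seen = b"constructed sample: unknown.bin"        # unknown everywhere
    public = PublicCloudServer({feature_value(cluster_bad): DANGEROUS})
    private = PrivateCloudServer(public)
    private.sync_from_public()                  # set-rule refresh from the public cloud
    public.publish(feature_value(clean), SAFE)  # arrives after that refresh
    killing = KillingServer({feature_value(known_bad): DANGEROUS}, private)
    cache = CacheServer(killing)
    levels = [cache.security_level(item)        # the light proxy client's submissions
              for _vm in ("vm1", "vm2")
              for item in (known_bad, cluster_bad, clean, never_seen)]
    return {"items": len(levels), "engine_scans": killing.scans, "cache_hits": cache.hits,
            "private_lookups": private.lookups, "public_lookups": public.lookups,
            "dangerous": levels.count(DANGEROUS), "unknown": levels.count(UNKNOWN)}
```

The second VM's three conclusive items are answered from the cache without reaching the killing server, which is the efficiency gain the description claims; the item no tier recognises is re-scanned on every submission because an inconclusive result is deliberately not cached.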


Abstract

Provided are a virtualization security detection method and system. The method comprises: a lightweight agent client acquiring information to be detected and sending the information to be detected to a caching server via a network; the caching server judging whether there is a cached correlation between the information to be detected and a security level corresponding to the information to be detected or not; if the correlation does not exist, the caching server sending the information to be detected to a checking and killing server via the network to detect the security of the information to be detected; determining the security level of the information to be detected according to a detection result of the checking and killing server; and if the correlation exists, determining the security level of the information to be detected according to the correlation, wherein the lightweight agent client is arranged in a virtual machine. The present invention increases the security detection efficiency and decreases a resource occupation rate of a physical machine.

Description

虚拟化安全检测方法与系统Virtualization security detection method and system 技术领域Technical field
本发明涉及计算机技术领域,特别是涉及一种虚拟化安全检测方法与系统。The present invention relates to the field of computer technologies, and in particular, to a virtualization security detection method and system.
背景技术Background technique
虚拟化,是指通过虚拟化技术将一台计算机虚拟为多台逻辑计算机。在一台计算机上同时运行多个逻辑计算机,每个逻辑计算机可运行不同的操作系统,并且应用程序都可以在相互独立的空间内运行而互不影响,从而显著提高计算机的工作效率。Virtualization refers to virtualizing a computer into multiple logical computers through virtualization technology. Running multiple logical computers on a single computer, each running a different operating system, and the applications can run in separate spaces without affecting each other, significantly improving the efficiency of the computer.
现有的虚拟化安全检测方案中,若同一台物理机上存在多台虚拟的逻辑计算机(虚拟机),对多台虚拟机中的信息进行安全检测时,需要在每台虚拟机中设置查杀服务器,将每台虚拟机中的信息在各自的查杀服务器中进行安全检测。In the existing virtualization security detection scheme, if there are multiple virtual logical computers (virtual machines) on the same physical machine, it is necessary to set the killing in each virtual machine when performing security detection on the information in multiple virtual machines. The server performs security detection on the information in each virtual machine in its own killing server.
由于每台虚拟机中包含有相同或相似的信息,而且查杀服务器也彼此相同,如果多台虚拟机同时对相同的信息进行安全检测,势必增加了多台虚拟机所在的物理机的资源占用。Since each virtual machine contains the same or similar information, and the killing servers are also identical to each other, if multiple virtual machines simultaneously perform the same security detection, it is bound to increase the resource consumption of the physical machines where multiple virtual machines are located. .
发明内容Summary of the invention
鉴于上述现有的虚拟化安全检测方法对多台虚拟机中的信息进行安全,容易造成物理机的资源占用高的问题,提出了本发明以便提供一种克服上述问题或者至少部分地解决上述问题的虚拟化安全检测方法与系统。In view of the above-mentioned existing virtualization security detection method for securing information in multiple virtual machines, which easily causes a high resource occupation of the physical machine, the present invention has been proposed to provide an overcoming of the above problems or at least partially solving the above problems. Virtualization security detection methods and systems.
依据本发明的一个方面,提供了一种虚拟化安全检测方法,包括:According to an aspect of the present invention, a virtualization security detection method is provided, including:
轻代理客户端获取待检测信息,将所述待检测信息通过网络发送至缓存服务器;The light proxy client obtains the to-be-detected information, and sends the to-be-detected information to the cache server through the network;
所述缓存服务器判断是否缓存有所述待检测信息与所述待检测信息对应的安全级别的对应关系;Determining, by the cache server, whether a correspondence between the to-be-detected information and the security level corresponding to the to-be-detected information is cached;
若不存在,则所述缓存服务器通过所述网络将所述待检测信息发送给 查杀服务器进行所述待检测信息的安全检测;根据所述查杀服务器的检测结果确定所述待检测信息的安全级别;If not, the cache server sends the to-be-detected information to the network through the network. Performing security detection of the information to be detected by the server; determining a security level of the information to be detected according to the detection result of the killing server;
若存在,则根据所述对应关系确定所述待检测信息的安全级别;If yes, determining a security level of the to-be-detected information according to the correspondence relationship;
其中,所述轻代理客户端设置于虚拟机中。The light proxy client is set in the virtual machine.
可选地,所述轻代理客户端获取待检测信息,包括:Optionally, the light proxy client obtains information to be detected, including:
所述轻代理客户端从所述轻代理客户端所在的物理机中的至少一台虚拟机获取待检测信息,其中,所述物理机中设置有多台虚拟机;The light proxy client obtains to-be-detected information from at least one virtual machine in the physical machine where the light proxy client is located, where multiple virtual machines are set in the physical machine;
和/或,and / or,
所述轻代理客户端从与所述轻代理客户端所在的物理机位于同一集群的至少一台物理机的至少一台虚拟机中获取待检测信息,其中,所述集群包括至少一台物理机,每台所述物理机包括至少一台虚拟机。The light proxy client obtains to-be-detected information from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light proxy client is located, where the cluster includes at least one physical machine Each of the physical machines includes at least one virtual machine.
可选地,所述待检测信息包括文件信息、网址信息、访问路径信息、注册表读写信息中的至少一种。Optionally, the to-be-detected information includes at least one of file information, web address information, access path information, and registry read/write information.
可选地,所述查杀服务器进行所述待检测信息的安全检测的步骤,包括:Optionally, the step of performing the security detection of the information to be detected by the killing server includes:
所述查杀服务器获取所述待检测信息的特征值;Obtaining, by the killing server, a feature value of the to-be-detected information;
所述查杀服务器通过查杀引擎扫描所述特征值对所述待检测信息进行安全检测。The killing server scans the feature value by the killing engine to perform security detection on the to-be-detected information.
可选地,所述方法还包括:Optionally, the method further includes:
若所述查杀服务器通过查杀引擎扫描所述特征值对所述待检测信息进行安全检测未得到检测结果,所述查杀服务器将所述特征值发送至所述轻代理客户端所在集群的私有云端服务器进行安全检测,获得检测结果,并将所述检测结果返回给所述查杀服务器。If the killing server scans the feature value to perform security detection on the to-be-detected information, and the detection result is not obtained, the killing server sends the feature value to the cluster of the light proxy client. The private cloud server performs security detection, obtains a detection result, and returns the detection result to the killing server.
可选地,所述方法还包括:Optionally, the method further includes:
若所述私有云端服务器对所述待检测信息进行安全检测未得到检测结果,则将所述特征值发送至所述集群外部的公有云端服务器进行安全检测,获得检测结果,并将所述检测结果返回给所述私有云端服务器,并通过所述私有云端服务器将所述检测结果返回给所述查杀服务器。 If the private cloud server performs the security detection on the to-be-detected information, the feature value is sent to the public cloud server outside the cluster for security detection, the detection result is obtained, and the detection result is obtained. Returning to the private cloud server, and returning the detection result to the killing server by using the private cloud server.
可选地,所述查杀服务器将所述特征值发送至所述轻代理客户端所在集群的私有云端服务器进行安全检测,包括:Optionally, the killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection, including:
所述查杀服务器按照预设的扫描顺序,将所述特征值发送至所述轻代理客户端所在集群的私有云端服务器进行安全检测。The killing server sends the feature value to the private cloud server of the cluster where the light proxy client is located for security detection according to a preset scanning sequence.
可选地,在所述获得检测结果,并将所述检测结果返回给所述查杀服务器之后,所述方法还包括:Optionally, after the obtaining the detection result, and returning the detection result to the killing server, the method further includes:
所述查杀服务器将所述安全检测结果发送至所述缓存服务器中进行存储。The killing server sends the security detection result to the cache server for storage.
可选地,所述方法还包括:Optionally, the method further includes:
所述私有云端服务器按照设定规则从所述公有云端服务器获取更新信息,其中,所述更新信息中包含有所述公有云端服务器定期更新的特征值与安全级别的对应关系;The private cloud server obtains update information from the public cloud server according to a setting rule, where the update information includes a correspondence between a feature value periodically updated by the public cloud server and a security level;
所述私有云端服务器根据所述更新信息更新所述私有云端服务器中存储的特征值与安全级别的对应关系。The private cloud server updates the correspondence between the feature value and the security level stored in the private cloud server according to the update information.
根据本发明的另一方面,提供了一种虚拟化安全检测系统,包括:缓存服务器、查杀服务器以及设置于虚拟机中的轻代理客户端;其中According to another aspect of the present invention, a virtualization security detection system is provided, including: a cache server, a kill server, and a light proxy client disposed in the virtual machine;
所述轻代理客户端,配置为获取待检测信息,将所述待检测信息通过网络发送至所述缓存服务器;The light proxy client is configured to obtain information to be detected, and send the to-be-detected information to the cache server through a network;
所述缓存服务器,配置为判断是否缓存有所述待检测信息与所述待检测信息对应的安全级别的对应关系;若不存在,则通过所述网络将所述待检测信息发送给所述查杀服务器;若存在,则根据所述对应关系确定所述待检测信息的安全级别;The cache server is configured to determine whether a correspondence between the to-be-detected information and the security level corresponding to the to-be-detected information is cached; if not, the information to be detected is sent to the check through the network. Killing the server; if yes, determining the security level of the to-be-detected information according to the corresponding relationship;
所述查杀服务器,配置为接收所述缓存服务器发送的所述待检测信息,对所述待检测信息进行安全检测得到检测结果;The killing server is configured to receive the to-be-detected information sent by the cache server, and perform security detection on the to-be-detected information to obtain a detection result;
所述缓存服务器,还配置为根据所述查杀服务器的检测结果确定所述待检测信息的安全级别。The cache server is further configured to determine a security level of the to-be-detected information according to the detection result of the killing server.
可选地,所述轻代理客户端从所述轻代理客户端所在的物理机中的至 少一台虚拟机获取待检测信息,其中,所述物理机中设置有多台虚拟机;Optionally, the light proxy client is from the physical machine where the light proxy client is located One less virtual machine obtains information to be detected, wherein the physical machine is provided with multiple virtual machines;
和/或,and / or,
所述轻代理客户端从与所述轻代理客户端所在的物理机位于同一集群的至少一台物理机的至少一台虚拟机中获取待检测信息,其中,所述集群包括至少一台物理机,每台所述物理机包括至少一台虚拟机。The light proxy client obtains to-be-detected information from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light proxy client is located, where the cluster includes at least one physical machine Each of the physical machines includes at least one virtual machine.
可选地,所述待检测信息包括文件信息、网址信息、访问路径信息、注册表读写信息中的至少一种。Optionally, the to-be-detected information includes at least one of file information, web address information, access path information, and registry read/write information.
可选地,所述查杀服务器,包括:Optionally, the killing server includes:
特征值获取模块,配置为获取所述待检测信息的特征值;The feature value obtaining module is configured to acquire the feature value of the information to be detected;
安全检测模块,配置为通过查杀引擎扫描所述特征值对所述待检测信息进行安全检测。The security detection module is configured to perform security detection on the to-be-detected information by scanning the feature value by using a killing engine.
可选地,所述查杀服务器,还包括:Optionally, the killing server further includes:
私有云端检测模块,配置为若所述安全检测模块通过查杀引擎扫描所述特征值对所述待检测信息进行安全检测未得到检测结果,将所述特征值发送至所述轻代理客户端所在集群的私有云端服务器进行安全检测,获得检测结果,并将所述检测结果返回给所述查杀服务器。The private cloud detection module is configured to send the feature value to the light proxy client if the security detection module performs security detection on the to-be-detected information by scanning the feature value by the killing engine. The private cloud server of the cluster performs security detection, obtains a detection result, and returns the detection result to the killing server.
可选地,所述查杀服务器,还包括:Optionally, the killing server further includes:
公有云端检测模块,配置为若所述私有云端服务器对所述待检测信息进行安全检测未得到检测结果,则将所述特征值发送至所述集群外部的公有云端服务器进行安全检测,获得检测结果,并将所述检测结果返回给所述私有云端服务器,并通过所述私有云端服务器将所述检测结果返回给所述查杀服务器。The public cloud detection module is configured to: if the private cloud server performs security detection on the to-be-detected information, the feature value is sent to the public cloud server outside the cluster for security detection, and the detection result is obtained. And returning the detection result to the private cloud server, and returning the detection result to the killing server by using the private cloud server.
可选地,所述私有云端检测模块按照预设的扫描顺序,将所述特征值发送至所述轻代理客户端所在集群的私有云端服务器进行安全检测。Optionally, the private cloud detecting module sends the feature value to a private cloud server of the cluster where the light proxy client is located for security detection according to a preset scanning sequence.
可选地,所述查杀服务器,还包括:Optionally, the killing server further includes:
缓存存储模块,用于在所述私有云端检测模块获得检测结果,并将所述检测结果返回给所述查杀服务器之后,将所述安全检测结果发送至所述缓存服务器中进行存储。 The cache storage module is configured to send the security detection result to the cache server for storage after the private cloud detection module obtains the detection result and returns the detection result to the detection server.
可选地,所述私有云端服务器按照设定规则从所述公有云端服务器获取更新信息,其中,所述更新信息中包含有所述公有云端服务器定期更新的特征值与安全级别的对应关系;Optionally, the private cloud server obtains update information from the public cloud server according to a setting rule, where the update information includes a correspondence between a feature value periodically updated by the public cloud server and a security level;
所述私有云端服务器根据所述更新信息更新所述私有云端服务器中存储的特征值与安全级别的对应关系。The private cloud server updates the correspondence between the feature value and the security level stored in the private cloud server according to the update information.
根据本发明的又一方面,提供了一种计算机程序,包括计算机可读代码,当所述计算机可读代码在计算机上运行时,导致所述计算机执行上文所述的任一种虚拟化安全检测方法。According to still another aspect of the present invention, there is provided a computer program comprising computer readable code which, when executed on a computer, causes the computer to perform any of the virtualization security described above Detection method.
根据本发明的再一方面,提供了一种计算机可读介质,其中存储了权利要求书中所述的计算机程序。According to still another aspect of the present invention, there is provided a computer readable medium storing the computer program recited in the claims.
本发明的有益效果为:The beneficial effects of the invention are:
现有的虚拟化安全检测方案中,当同时对多台虚拟机中的信息进行安全检测时,每台虚拟机中的查杀服务器均启动对信息进行安全检测,增加了物理机的资源占用率。而根据本发明的虚拟机安全检测方案,在虚拟机中设置轻代理客户端,由轻代理客户端获取虚拟机中的待检测信息,并发送至缓存服务器进行安全级别的判断,缓存服务器判断是否缓存有待检测信息与待检测信息对应的安全级别的对应关系,若存在,则根据对应关系确定待检测信息的安全级别;若不存在,则将待检测信息发送至查杀服务器进行安全检测,并根据安全检测结果确定安全级别。In the existing virtualization security detection scheme, when the information in multiple virtual machines is detected at the same time, the killing server in each virtual machine starts to perform security detection on the information, thereby increasing the resource occupancy rate of the physical machine. . According to the virtual machine security detection scheme of the present invention, the light proxy client is set in the virtual machine, and the information to be detected in the virtual machine is obtained by the light proxy client, and sent to the cache server for security level judgment, and the cache server determines whether Cache the correspondence between the information to be detected and the security level corresponding to the information to be detected. If yes, determine the security level of the information to be detected according to the corresponding relationship; if not, send the information to be detected to the killing server for security detection, and The security level is determined based on the results of the security test.
通过设置缓存有待检测信息与其安全级别的对应关系的缓存服务器,先利用缓存服务器进行判断,不经过查杀服务器安全检测,提高了安全检测的效率。By setting a cache server that caches the correspondence between the information to be detected and its security level, the cache server is first used for judgment, and the security detection efficiency is improved without checking the server security detection.
将轻代理客户端设置于多台虚拟机中的一台虚拟机内,只占用一台虚拟机中的系统资源,降低了物理机的资源占用率。Setting the light proxy client to a virtual machine in multiple virtual machines only occupies system resources in one virtual machine, which reduces the resource occupancy rate of the physical machine.
上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的技术手段,而可依照说明书的内容予以实施,并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂,以下特举本发明的具体实施方 式。The above description is only an overview of the technical solutions of the present invention, and the above-described and other objects, features and advantages of the present invention can be more clearly understood. Specific embodiments of the present invention are as follows formula.
附图说明DRAWINGS
通过阅读下文优选实施方式的详细描述,各种其他的优点和益处对于本领域普通技术人员将变得清楚明了。附图仅用于示出优选实施方式的目的,而并不认为是对本发明的限制。而且在整个附图中,用相同的参考符号表示相同的部件。在附图中:Various other advantages and benefits will become apparent to those skilled in the art from a The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting. Throughout the drawings, the same reference numerals are used to refer to the same parts. In the drawing:
图1是根据本发明实施例一的一种虚拟化安全检测方法的步骤流程图;1 is a flow chart showing the steps of a virtualization security detection method according to Embodiment 1 of the present invention;
图2是根据本发明实施例二的一种虚拟化安全检测方法的步骤流程图;2 is a flow chart showing the steps of a virtualization security detection method according to Embodiment 2 of the present invention;
图3是根据本发明实施例三的一种虚拟化安全检测系统的结构框图;3 is a structural block diagram of a virtualization security detection system according to Embodiment 3 of the present invention;
图4是根据本发明实施例四的一种虚拟化安全检测系统的结构框图;4 is a structural block diagram of a virtualization security detection system according to Embodiment 4 of the present invention;
图5示意性地示出了用于执行根据本发明的虚拟化安全检测方法的计算机的结构框图;以及FIG. 5 is a block diagram schematically showing a structure of a computer for executing a virtualization security detecting method according to the present invention;
图6示意性地示出了用于保持或者携带实现根据本发明的虚拟化安全检测方法的程序代码的存储单元。Fig. 6 schematically shows a storage unit for holding or carrying program code implementing the virtualization security detection method according to the present invention.
具体实施方式detailed description
下面将参照附图更详细地描述本公开的示例性实施例。虽然附图中显示了本公开的示例性实施例,然而应当理解,可以以各种形式实现本公开而不应被这里阐述的实施例所限制。相反,提供这些实施例是为了能够更透彻地理解本公开,并且能够将本公开的范围完整的传达给本领域的技术人员。Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While the embodiments of the present invention have been shown in the drawings, the embodiments Rather, these embodiments are provided so that this disclosure will be more fully understood and the scope of the disclosure will be fully disclosed.
Embodiment 1
A virtualization security detection method provided by an embodiment of the present invention is described in detail.
Referring to FIG. 1, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
The virtualization security detection method of this embodiment can be applied in a system that includes a light agent client, a cache server and a scanning server (a scan-and-kill server in the antivirus sense).
The light agent client may be deployed in a virtual machine, and the cache server and the scanning server may be deployed in a virtual machine or on a physical machine. For example, the light agent client may be deployed in one of several virtual machines, while the cache server and the scanning server are deployed only on one physical machine, or alternatively in one virtual machine. Optionally, the light agent client, the cache server and the scanning server may all be deployed in the same one of several virtual machines, with nothing deployed in the other virtual machines.
The virtualization security detection method of this embodiment comprises the following steps:
Step 100: the light agent client obtains information to be detected and sends it over the network to the cache server.
The information to be detected may come from the same virtual machine or from several virtual machines; that is, the light agent client in one virtual machine can obtain information to be detected from other virtual machines. Transferring the information through the underlying physical layer is limited, by the nature of that layer, to file information; information sent over the network may include not only file information but also, without limitation, URL information, access-path information and registry read/write information.
Step 102: the cache server determines whether it has cached a correspondence between the information to be detected and a security level for that information; if not, step 104 is performed; if so, step 106 is performed.
The cache server can cache correspondences between information to be detected and its security level. For example, it may hold the correspondence between information A and the security level "dangerous", and between information B and the security level "safe".
Step 104: the cache server sends the information to be detected over the network to the scanning server for security detection, and determines the security level of the information from the scanning server's detection result.
For example, the cache server receives information C from the light agent client and holds no correspondence between C and a security level. It then sends C to the scanning server for security detection, the scanning server produces a detection result for C, and the cache server determines the security level of C from that result.
That is, when the cache server holds no correspondence between a given piece of information and a security level, it sends that information to the scanning server for security detection, and the security level is judged from the scanning server's result.
Step 106: determine the security level of the information to be detected from the cached correspondence.
If the cache server holds a correspondence between the information and a security level, the security level is determined directly from it.
In summary, this embodiment deploys a light agent client in a virtual machine. The light agent client obtains the information to be detected in the virtual machine and sends it to the cache server, which judges the security level: it checks whether a correspondence between the information and a security level is cached; if so, the security level is determined from the correspondence; if not, the information is sent to the scanning server for security detection and the security level is determined from the detection result.
Because the cache server, which stores correspondences between information and security levels, is consulted first, cached information does not have to pass through security detection by the scanning server, which improves detection efficiency.
Deploying the light agent client in only one of several virtual machines consumes system resources in only that virtual machine, which lowers resource usage on the physical machine.
Embodiment 2
A virtualization security detection method provided by an embodiment of the present invention is described in detail.
Referring to FIG. 2, a flow chart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
The virtualization security detection method of this embodiment can be applied in a system that includes a light agent client, a cache server and a scanning server.
The light agent client may be deployed in a virtual machine, and the cache server and the scanning server may be deployed in a virtual machine or on a physical machine. For example, the light agent client may be deployed in one of several virtual machines, while the cache server and the scanning server are deployed only on one physical machine, or alternatively in one virtual machine. Optionally, the light agent client, the cache server and the scanning server may all be deployed in the same one of several virtual machines, with nothing deployed in the other virtual machines.
The virtualization security detection method of this embodiment comprises the following steps:
Step 200: the light agent client obtains information to be detected and sends it over the network to the cache server.
The information to be detected may come from the same virtual machine or from several virtual machines; that is, the light agent client in one virtual machine can obtain information to be detected from other virtual machines.
Preferably, depending on where the information originates, the light agent client may obtain it in step 200 as follows:
1) The light agent client obtains information to be detected from at least one virtual machine on the physical machine where the light agent client itself is located, that physical machine hosting several virtual machines.
For example, if physical machine W1, where light agent client Q1 is located, hosts virtual machines X1 and X2, then Q1 can obtain information to be detected from X1 and X2, either from X1 alone or from X2 alone.
and/or,
2) The light agent client obtains information to be detected from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light agent client is located, the cluster comprising at least one physical machine and each physical machine comprising at least one virtual machine.
For example, physical machine W1, where light agent client Q1 is located, belongs to cluster J1; J1 also contains physical machine W2; W1 hosts virtual machines X1 and X2, and W2 hosts virtual machines X3 and X4. Q1 can then obtain information to be detected from X1, X2, X3 and X4, and from any one of them individually.
The light agent client may use approach 1) alone, approach 2) alone, or both together.
Preferably, the information to be detected may include at least one of file information, URL information, access-path information and registry read/write information; this embodiment does not restrict its specific content.
Step 202: the cache server determines whether it has cached a correspondence between the information to be detected and a security level for that information; if not, step 204 is performed; if so, step 206 is performed.
The cache server can cache correspondences between information to be detected and its security level. For example, it may hold the correspondence between information A and the security level "dangerous", and between information B and the security level "safe".
Step 204: the cache server sends the information to be detected over the network to the scanning server for security detection, and determines the security level of the information from the scanning server's detection result.
For example, the cache server receives information C from the light agent client and holds no correspondence between C and a security level. It then sends C to the scanning server for security detection, the scanning server produces a detection result for C, and the cache server determines the security level of C from that result.
That is, when the cache server holds no correspondence between a given piece of information and a security level, it sends that information to the scanning server for security detection, and the security level is judged from the scanning server's result.
Preferably, the security detection performed by the scanning server in step 204 may comprise the following steps:
Step 041: the scanning server obtains a feature value of the information to be detected.
The feature value is attribute information that uniquely identifies the information to be detected; the scanning server may obtain it by computing over the information. This embodiment does not restrict the technical means by which the scanning server obtains the feature value.
Step 042: the scanning server performs security detection on the information to be detected by scanning the feature value with a scanning engine.
The scanning engine is the core component of the scanning server; it scans and identifies feature values, thereby performing security detection of the information to be detected.
Preferably, if scanning the feature value with the scanning engine in step 042 yields no detection result, step 043 is performed.
Step 043: the scanning server sends the feature value to the private cloud server of the cluster where the light agent client is located for security detection; a detection result is obtained and returned to the scanning server.
The cluster where the light agent client is located is provided with a private cloud server, which is normally configured for access by the physical and virtual machines within the cluster. The private cloud server stores information about a large number of items to be detected within the cluster, including their feature values, the corresponding security levels, and so on.
Preferably, in step 043 the scanning server may send the feature value to the private cloud server of the cluster where the light agent client is located as follows:
the scanning server sends the feature value to the private cloud server for security detection in a preset scanning order.
If several feature values need to be sent to the private cloud server for security detection, the scanning server may send them in the preset scanning order.
Preferably, in step 043, after the detection result is obtained and returned to the scanning server, the scanning server may also send the security detection result to the cache server for storage.
The purpose of sending the result to the cache server is to enlarge the cache server's library of correspondences between information to be detected and security levels, which improves the efficiency of the determination made by the cache server in step 202.
Preferably, if the private cloud server's security detection in step 043 yields no detection result, step 044 is performed.
Step 044: the feature value is sent to a public cloud server outside the cluster for security detection; the detection result is obtained, returned to the private cloud server, and returned via the private cloud server to the scanning server.
Generally the detection capability of a private cloud server is weaker than that of a public cloud server. When the private cloud server yields no result, sending the feature value to the public cloud server can yield one; returning that result to the private cloud server and the scanning server raises the success rate of later detections by both.
Preferably, the private cloud server may obtain update information from the public cloud server according to a set rule; the update information may contain correspondences between feature values and security levels that the public cloud server updates periodically.
Preferably, the private cloud server may update the correspondences between feature values and security levels that it stores according to the update information.
Step 206: determine the security level of the information to be detected from the cached correspondence.
If the cache server holds a correspondence between the information and a security level, the security level is determined directly from it.
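The flow of steps 200 through 206 and sub-steps 041 through 044 above (which also covers the simpler flow of steps 100 through 106 in Embodiment 1), as an added worked example in Python. This is not the patent's code: the class names, the use of SHA-256 over the item as the feature value, the decision to cache only definitive verdicts, and every verdict table are this example's assumptions or constructed sample data. The example writes back every definitive verdict to the cache (the text describes the write-back explicitly for the private-cloud path) and omits the preset scanning order for batched lookups.

```python
"""Tiered verdict lookup: light agent -> cache server -> scanning server
(engine over a feature value) -> private cloud -> public cloud, with
write-back into the cache and an update pull from the public cloud.

Added example, not the patent's code. Class names, the SHA-256 feature
value and every verdict table are assumptions / constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SAFE, DANGEROUS, UNKNOWN = "safe", "dangerous", "unknown"


@dataclass(frozen=True)
class Item:
    """One piece of information to be detected: file, URL, access path or
    registry read/write (the four kinds the text lists)."""
    kind: str       # "file" | "url" | "path" | "registry"
    payload: bytes  # file content, or the URL / path / registry op as bytes


def feature_value(item: Item) -> str:
    """Step 041: a value that uniquely identifies the item. The patent does
    not fix the method; SHA-256 over kind and payload is this example's
    choice, so two distinct items cannot share one verdict entry."""
    return hashlib.sha256(item.kind.encode("utf-8") + b"\x00" + item.payload).hexdigest()


class PublicCloud:
    """Public cloud server outside the cluster (step 044)."""
    def __init__(self, verdicts: Dict[str, str]) -> None:
        self.verdicts = dict(verdicts)

    def lookup(self, fv: str) -> Optional[str]:
        return self.verdicts.get(fv)

    def update_info(self) -> Dict[str, str]:
        """Update information: feature value -> level pairs for private clouds."""
        return dict(self.verdicts)


class PrivateCloud:
    """Private cloud server of the agent's cluster (step 043)."""
    def __init__(self, verdicts: Dict[str, str], public: PublicCloud) -> None:
        self.verdicts = dict(verdicts)
        self.public = public

    def lookup(self, fv: str) -> Optional[str]:
        level = self.verdicts.get(fv)
        if level is None:                    # step 044: escalate to the public cloud
            level = self.public.lookup(fv)
            if level is not None:            # the result returns via the private cloud,
                self.verdicts[fv] = level    # which keeps it for later lookups
        return level

    def pull_updates(self) -> int:
        """Apply the public cloud's update information; returns the number of
        new entries. When to call it (the 'set rule', e.g. a timer) is the caller's choice."""
        before = len(self.verdicts)
        self.verdicts.update(self.public.update_info())
        return len(self.verdicts) - before


class ScanServer:
    """Scanning server: engine over the feature value, then the cloud chain."""
    def __init__(self, engine_db: Dict[str, str], private: PrivateCloud) -> None:
        self.engine_db = dict(engine_db)
        self.private = private
        self.scans = 0                       # counts trips down the expensive path

    def detect(self, item: Item) -> str:
        self.scans += 1
        fv = feature_value(item)
        level = self.engine_db.get(fv)       # step 042: local scanning engine
        if level is None:
            level = self.private.lookup(fv)  # steps 043 / 044
        return UNKNOWN if level is None else level


class CacheServer:
    """Cache server (steps 202-206). Only definitive verdicts are cached, so
    an item that came back 'unknown' is scanned again once better data exists."""
    def __init__(self, scan: ScanServer) -> None:
        self.table: Dict[Item, str] = {}
        self.scan = scan

    def classify(self, item: Item) -> str:
        if item in self.table:               # step 202 hit -> step 206
            return self.table[item]
        level = self.scan.detect(item)       # step 204
        if level != UNKNOWN:                 # write-back so the next query hits the cache
            self.table[item] = level
        return level


class LightAgent:
    """Light agent in one VM (step 200); forwards everything it collects to the cache."""
    def __init__(self, cache: CacheServer) -> None:
        self.cache = cache

    def report(self, items: Iterable[Item]) -> Dict[str, str]:
        return {f"{i.kind}:{i.payload.decode('utf-8', 'replace')}": self.cache.classify(i)
                for i in items}


def build_demo():
    """Constructed sample data (not from the patent): verdicts spread over the
    engine, the private cloud and the public cloud, plus one pre-cached item
    like 'information B' in the text."""
    def fv(kind: str, payload: bytes) -> str:
        return feature_value(Item(kind, payload))
    public = PublicCloud({fv("url", b"http://evil.example/drop"): DANGEROUS,
                          fv("file", b"MZ-sample-public"): SAFE})
    run_key = b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:write"
    private = PrivateCloud({fv("registry", run_key): DANGEROUS}, public)
    scan = ScanServer({fv("file", b"MZ-sample-engine"): DANGEROUS}, private)
    cache = CacheServer(scan)
    cache.table[Item("file", b"known-safe-file")] = SAFE
    return LightAgent(cache), cache, scan, private
```

Two points the text leaves open that a deployment has to settle, and that the example fixes one way: the feature value must be collision-resistant, because every cached or cloud-stored verdict is shared by all items with that value; and an empty result should not be written to the cache, or an item first seen before a signature update would keep returning "unknown" from the cache forever.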
In summary, this embodiment deploys the light agent client, the cache server and the scanning server in one of several virtual machines. The light agent client obtains the information to be detected in the virtual machine and sends it to the cache server, which judges the security level: it checks whether a correspondence between the information and a security level is cached; if so, the security level is determined from the correspondence; if not, the information is sent to the scanning server for security detection and the security level is determined from the detection result.
Because the cache server, which stores correspondences between information and security levels, is consulted first, cached information does not have to pass through security detection by the scanning server, which improves detection efficiency.
Deploying the light agent client, the cache server and the scanning server in only one of several virtual machines consumes system resources in only that virtual machine, which lowers resource usage on the physical machine.
Embodiment 3
A virtualization security detection system provided by an embodiment of the present invention is described in detail.
Referring to FIG. 3, a block diagram of a virtualization security detection system in an embodiment of the present invention is shown.
The system may comprise: a light agent client 300 deployed in a virtual machine, a cache server 302 and a scanning server 304.
The cache server 302 and the scanning server 304 may be deployed on a physical machine or in a virtual machine. For example, the light agent client 300 may be deployed in one of several virtual machines, while the cache server 302 and the scanning server 304 are deployed only on one physical machine, or alternatively in one virtual machine. Optionally, the light agent client 300, the cache server 302 and the scanning server 304 may all be deployed in the same one of several virtual machines, with nothing deployed in the other virtual machines.
The light agent client 300 is configured to obtain information to be detected and send it over the network to the cache server 302.
The cache server 302 is configured to determine whether it has cached a correspondence between the information to be detected and a security level for that information; if not, to send the information over the network to the scanning server 304; if so, to determine the security level of the information from the correspondence.
The scanning server 304 is configured to receive the information to be detected sent by the cache server 302 and to perform security detection on it to obtain a detection result.
The cache server 302 is further configured to determine the security level of the information to be detected from the detection result of the scanning server 304.
In summary, this embodiment deploys a light agent client in a virtual machine. The light agent client obtains the information to be detected in the virtual machine and sends it to the cache server, which judges the security level: it checks whether a correspondence between the information and a security level is cached; if so, the security level is determined from the correspondence; if not, the information is sent to the scanning server for security detection and the security level is determined from the detection result.
Because the cache server, which stores correspondences between information and security levels, is consulted first, cached information does not have to pass through security detection by the scanning server, which improves detection efficiency.
Deploying the light agent client in only one of several virtual machines consumes system resources in only that virtual machine, which lowers resource usage on the physical machine.
Embodiment 4
A virtualization security detection system provided by an embodiment of the present invention is described in detail.
Referring to FIG. 4, a block diagram of a virtualization security detection system in an embodiment of the present invention is shown.
The system may comprise: a light agent client 400 deployed in a virtual machine, a cache server 402 and a scanning server 404. The cache server 402 and the scanning server 404 may be deployed on a physical machine or in a virtual machine. For example, the light agent client 400 may be deployed in one of several virtual machines, while the cache server 402 and the scanning server 404 are deployed only on one physical machine, or alternatively in one virtual machine. Optionally, the light agent client 400, the cache server 402 and the scanning server 404 may all be deployed in the same one of several virtual machines, with nothing deployed in the other virtual machines.
The scanning server 404 may comprise: a feature value acquisition module 4041, a security detection module 4042, a private cloud detection module 4043, a public cloud detection module 4044 and a cache storage module 4045.
The light agent client 400 is configured to obtain information to be detected and send it over the network to the cache server 402.
The information to be detected may include at least one of file information, URL information, access-path information and registry read/write information.
Preferably, the light agent client 400 obtains information to be detected from at least one virtual machine on the physical machine where the light agent client 400 is located, that physical machine hosting several virtual machines.
and/or,
The light agent client 400 obtains information to be detected from at least one virtual machine of at least one physical machine in the same cluster as the physical machine where the light agent client 400 is located, the cluster comprising at least one physical machine and each physical machine comprising at least one virtual machine.
The cache server 402 is configured to determine whether it has cached a correspondence between the information to be detected and a security level for that information; if not, to send the information over the network to the scanning server 404; if so, to determine the security level of the information from the correspondence.
The scanning server 404 is configured to receive the information to be detected sent by the cache server 402 and to perform security detection on it to obtain a detection result.
Preferably, the scanning server 404 may comprise:
a feature value acquisition module 4041, configured to obtain a feature value of the information to be detected;
a security detection module 4042, configured to perform security detection on the information to be detected by scanning the feature value with a scanning engine;
a private cloud detection module 4043, configured, if scanning the feature value with the scanning engine in the security detection module 4042 yields no detection result, to send the feature value to the private cloud server of the cluster where the light agent client 400 is located for security detection, obtain a detection result, and return the detection result to the scanning server 404.
Preferably, the private cloud detection module 4043 sends the feature value to the private cloud server of the cluster where the light agent client 400 is located for security detection in a preset scanning order.
A public cloud detection module 4044 is configured, if the private cloud server's security detection of the information to be detected yields no detection result, to send the feature value to a public cloud server outside the cluster for security detection, obtain a detection result, return the detection result to the private cloud server, and return it via the private cloud server to the scanning server 404.
A cache storage module 4045 is configured, after the private cloud detection module 4043 has obtained a detection result and returned it to the scanning server 404, to send the security detection result to the cache server for storage.
Preferably, the private cloud server obtains update information from the public cloud server according to a set rule, the update information containing correspondences between feature values and security levels that the public cloud server updates periodically.
Preferably, the private cloud server updates the correspondences between feature values and security levels that it stores according to the update information.
The cache server 402 is further configured to determine the security level of the information to be detected from the detection result of the scanning server 404.
In summary, this embodiment deploys a light agent client in a virtual machine. The light agent client obtains the information to be detected in the virtual machine and sends it to the cache server, which judges the security level: it checks whether a correspondence between the information and a security level is cached; if so, the security level is determined from the correspondence; if not, the information is sent to the scanning server for security detection and the security level is determined from the detection result.
Because the cache server, which stores correspondences between information and security levels, is consulted first, cached information does not have to pass through security detection by the scanning server, which improves detection efficiency.
Deploying the light agent client, the cache server and the scanning server in only one of several virtual machines consumes system resources in only that virtual machine, which lowers resource usage on the physical machine.
在此提供的虚拟化安全检测方案不与任何特定计算机、虚拟系统或者其它设备固有相关。各种通用系统也可以与基于在此的示教一起使用。根 据上面的描述,构造具有本发明方案的系统所要求的结构是显而易见的。此外,本发明也不针对任何特定编程语言。应当明白,可以利用各种编程语言实现在此描述的本发明的内容,并且上面对特定语言所做的描述是为了披露本发明的最佳实施方式。The virtualization security detection scheme provided herein is not inherently related to any particular computer, virtual system, or other device. Various general purpose systems can also be used with the teaching based on the teachings herein. Root From the above description, it is apparent that the structure required to construct the system having the solution of the present invention is apparent. Moreover, the invention is not directed to any particular programming language. It is to be understood that the invention may be embodied in a variety of programming language, and the description of the specific language has been described above in order to disclose the preferred embodiments of the invention.
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that the embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of the description.
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。Similarly, the various features of the invention are sometimes grouped together into a single embodiment, in the above description of the exemplary embodiments of the invention, Figure, or a description of it. However, the method disclosed is not to be interpreted as reflecting the intention that the claimed invention requires more features than those recited in the claims. Rather, as the following claims reflect, inventive aspects lie in less than all features of the single embodiments disclosed herein. Therefore, the claims following the specific embodiments are hereby explicitly incorporated into the embodiments, and each of the claims as a separate embodiment of the invention.
本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。Those skilled in the art will appreciate that the modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components. In addition to such features and/or at least some of the processes or units being mutually exclusive, any combination of the features disclosed in the specification, including the accompanying claims, the abstract and the drawings, and any methods so disclosed, or All processes or units of the device are combined. Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本发明的范围之内并且形成不同的实施例。例如,在权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来 使用。In addition, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments and not in other features, combinations of features of different embodiments are intended to be within the scope of the present invention. Different embodiments are formed and formed. For example, in the claims, any one of the claimed embodiments may be in any combination. use.
本发明的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的软件模块实现,或者以它们的组合实现。本领域的技术人员应当理解,可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本发明实施例的虚拟化安全检测方案中的一些或者全部部件的一些或者全部功能。本发明还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如,计算机程序和计算机程序产品)。这样的实现本发明的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。The various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components of the virtualization security detection scheme in accordance with embodiments of the present invention. The invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
例如,图5示出了可以实现根据本发明的虚拟化安全检测方法的计算机。该计算机传统上包括处理器510和以存储器520形式的计算机程序产品或者计算机可读介质。存储器520可以是诸如闪存、EEPROM(电可擦除可编程只读存储器)、EPROM、硬盘或者ROM之类的电子存储器。存储器520具有用于执行上述方法中的任何方法步骤的程序代码531的存储空间530。例如,用于程序代码的存储空间530可以包括分别用于实现上面的方法中的各种步骤的各个程序代码531。这些程序代码可以从一个或者多个计算机程序产品中读出或者写入到这一个或者多个计算机程序产品中。这些计算机程序产品包括诸如硬盘,紧致盘(CD)、存储卡或者软盘之类的程序代码载体。这样的计算机程序产品通常为如参考图6所述的便携式或者固定存储单元。该存储单元可以具有与图5的移动终端中的存储器520类似布置的存储段、存储空间等。程序代码可以例如以适当形式进行压缩。通常,存储单元包括计算机可读代码531’,即可以由例如诸如510之类的处理器读取的代码,这些代码当由计算机运行时,导致该计算机执行上面所描述的方法中的各个步骤。For example, Figure 5 illustrates a computer in which a virtualization security detection method in accordance with the present invention can be implemented. The computer traditionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520. The memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM. Memory 520 has a memory space 530 for program code 531 for performing any of the method steps described above. For example, storage space 530 for program code may include various program code 531 for implementing various steps in the above methods, respectively. The program code can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such computer program products are typically portable or fixed storage units as described with reference to FIG. The storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 520 in the mobile terminal of FIG. The program code can be compressed, for example, in an appropriate form. Typically, the storage unit includes computer readable code 531', code that can be read by a processor, such as 510, which when executed by a computer causes the computer to perform various steps in the methods described above.
本文中所称的“一个实施例”、“实施例”或者“一个或者多个实施例”意味着,结合实施例描述的特定特征、结构或者特性包括在本发明的至少一个实施例中。此外,请注意,这里“在一个实施例中”的词语例子不一定全 指同一个实施例。"an embodiment," or "an embodiment," or "an embodiment," In addition, please note that the examples of the words "in one embodiment" are not necessarily all Refers to the same embodiment.
It should be noted that the above embodiments illustrate the present invention rather than limit it, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any order. These words may be interpreted as names.

Claims (20)

  1. A virtualization security detection method, comprising:
    a light agent client obtaining information to be detected and sending the information to be detected to a cache server over a network;
    the cache server judging whether a correspondence between the information to be detected and a security level corresponding to the information to be detected is cached;
    if not, the cache server sending the information to be detected to a killing server over the network to perform security detection of the information to be detected, and determining the security level of the information to be detected according to the detection result of the killing server;
    if so, determining the security level of the information to be detected according to the correspondence;
    wherein the light agent client is arranged in a virtual machine.
  2. The method according to claim 1, wherein the light agent client obtaining information to be detected comprises:
    the light agent client obtaining the information to be detected from at least one virtual machine in the physical machine on which the light agent client is located, wherein multiple virtual machines are arranged in the physical machine;
    and/or,
    the light agent client obtaining the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine on which the light agent client is located, wherein the cluster comprises at least one physical machine and each physical machine comprises at least one virtual machine.
  3. The method according to claim 1 or 2, wherein the information to be detected comprises at least one of file information, URL information, access path information and registry read/write information.
  4. The method according to claim 3, wherein the step of the killing server performing security detection of the information to be detected comprises:
    the killing server obtaining a feature value of the information to be detected;
    the killing server performing security detection on the information to be detected by scanning the feature value with a killing engine.
  5. The method according to claim 4, wherein the method further comprises:
    if the killing server obtains no detection result from performing security detection on the information to be detected by scanning the feature value with the killing engine, the killing server sending the feature value to a private cloud server of the cluster in which the light agent client is located for security detection, obtaining a detection result, and returning the detection result to the killing server.
  6. The method according to claim 5, wherein the method further comprises:
    if the private cloud server obtains no detection result from performing security detection on the information to be detected, sending the feature value to a public cloud server outside the cluster for security detection, obtaining a detection result, returning the detection result to the private cloud server, and returning the detection result to the killing server through the private cloud server.
  7. The method according to claim 5, wherein the killing server sending the feature value to the private cloud server of the cluster in which the light agent client is located for security detection comprises:
    the killing server sending the feature value to the private cloud server of the cluster in which the light agent client is located for security detection according to a preset scanning order.
  8. The method according to claim 5, wherein, after obtaining the detection result and returning the detection result to the killing server, the method further comprises:
    the killing server sending the security detection result to the cache server for storage.
  9. The method according to claim 6, wherein the method further comprises:
    the private cloud server obtaining update information from the public cloud server according to a set rule, wherein the update information contains the correspondence between feature values and security levels that the public cloud server updates periodically;
    the private cloud server updating the correspondence between feature values and security levels stored in the private cloud server according to the update information.
  10. A virtualization security detection system, comprising: a cache server, a killing server and a light agent client arranged in a virtual machine; wherein
    the light agent client is configured to obtain information to be detected and send the information to be detected to the cache server over a network;
    the cache server is configured to judge whether a correspondence between the information to be detected and a security level corresponding to the information to be detected is cached; if not, to send the information to be detected to the killing server over the network; and if so, to determine the security level of the information to be detected according to the correspondence;
    the killing server is configured to receive the information to be detected sent by the cache server and to perform security detection on the information to be detected to obtain a detection result;
    the cache server is further configured to determine the security level of the information to be detected according to the detection result of the killing server.
  11. The system according to claim 10, wherein the light agent client obtains the information to be detected from at least one virtual machine in the physical machine on which the light agent client is located, wherein multiple virtual machines are arranged in the physical machine;
    and/or,
    the light agent client obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine on which the light agent client is located, wherein the cluster comprises at least one physical machine and each physical machine comprises at least one virtual machine.
  12. The system according to claim 10 or 11, wherein
    the information to be detected comprises at least one of file information, URL information, access path information and registry read/write information.
  13. The system according to claim 12, wherein the killing server comprises:
    a feature value obtaining module, configured to obtain a feature value of the information to be detected;
    a security detection module, configured to perform security detection on the information to be detected by scanning the feature value with a killing engine.
  14. The system according to claim 13, wherein the killing server further comprises:
    a private cloud detection module, configured to, if the security detection module obtains no detection result from performing security detection on the information to be detected by scanning the feature value with the killing engine, send the feature value to a private cloud server of the cluster in which the light agent client is located for security detection, obtain a detection result, and return the detection result to the killing server.
  15. The system according to claim 14, wherein the killing server further comprises:
    a public cloud detection module, configured to, if the private cloud server obtains no detection result from performing security detection on the information to be detected, send the feature value to a public cloud server outside the cluster for security detection, obtain a detection result, return the detection result to the private cloud server, and return the detection result to the killing server through the private cloud server.
  16. The system according to claim 14, wherein the private cloud detection module sends the feature value to the private cloud server of the cluster in which the light agent client is located for security detection according to a preset scanning order.
  17. The system according to claim 14, wherein the killing server further comprises:
    a cache storage module, configured to send the security detection result to the cache server for storage after the private cloud detection module has obtained the detection result and returned the detection result to the killing server.
  18. The system according to claim 15, wherein
    the private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information contains the correspondence between feature values and security levels that the public cloud server updates periodically;
    the private cloud server updates the correspondence between feature values and security levels stored in the private cloud server according to the update information.
  19. A computer program comprising computer-readable code which, when run on a computer, causes the computer to execute the virtualization security detection method according to any one of claims 1 to 9.
  20. A computer-readable medium storing the computer program according to claim 19.
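The tiered lookup that the summary above and claims 1, 4 to 6, 8 and 9 describe, as an added example in Python that is not the patent's own code: in-memory stand-ins for the cache server, killing server, private cloud server and public cloud server, with the light agent's sample fed in as bytes. Using SHA-256 as the feature value, keying the cache by that feature value, and refusing to cache an "unknown" verdict are assumptions of the example, not statements of the patent.

```python
import hashlib
from enum import Enum
from typing import Dict, Optional

class SecurityLevel(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"

Verdict = Optional[SecurityLevel]  # None is the claims' "no detection result"

def feature_value(info: bytes) -> str:
    """Feature value of the information to be detected (claim 4); SHA-256 is an assumed choice."""
    return hashlib.sha256(info).hexdigest()

class PublicCloudServer:
    """Public cloud outside the cluster (claim 6), holding the periodically updated mapping."""
    def __init__(self, knowledge: Dict[str, SecurityLevel]) -> None:
        self.knowledge = dict(knowledge)

    def detect(self, fv: str) -> Verdict:
        return self.knowledge.get(fv)

class PrivateCloudServer:
    """Private cloud of the cluster; falls through to the public cloud (claim 6)."""
    def __init__(self, public: PublicCloudServer) -> None:
        self.public = public
        self.knowledge: Dict[str, SecurityLevel] = {}

    def detect(self, fv: str) -> Verdict:
        result = self.knowledge.get(fv)
        return result if result is not None else self.public.detect(fv)

    def pull_update(self) -> None:
        """Pull the public cloud's update information into the stored mapping (claim 9)."""
        self.knowledge.update(self.public.knowledge)

class KillingServer:
    """Scans the feature value with its engine, then asks the private cloud (claims 4 and 5)."""
    def __init__(self, engine: Dict[str, SecurityLevel], private: PrivateCloudServer) -> None:
        self.engine = dict(engine)
        self.private = private

    def detect(self, info: bytes) -> Verdict:
        fv = feature_value(info)
        result = self.engine.get(fv)
        return result if result is not None else self.private.detect(fv)

class CacheServer:
    """Answers from cache when a mapping exists, otherwise consults the killing server (claim 1)."""
    def __init__(self, killing: KillingServer) -> None:
        self.killing = killing
        self.cache: Dict[str, SecurityLevel] = {}
        self.hits = self.misses = 0

    def security_level(self, info: bytes) -> Verdict:
        key = feature_value(info)  # assumption: the cache is keyed by the feature value
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        self.misses += 1
        result = self.killing.detect(info)
        # Store only a definite result (claim 8): caching "unknown" would hide a
        # signature that the private or public cloud learns later.
        if result is not None:
            self.cache[key] = result
        return result

def demo() -> dict:
    """Constructed scenario: one sample known to the engine, one only to the public cloud."""
    engine_known = b"constructed sample known to the local engine"
    cloud_known = b"constructed sample known only to the public cloud"
    unknown = b"constructed sample nobody has seen"
    public = PublicCloudServer({feature_value(cloud_known): SecurityLevel.MALICIOUS})
    private = PrivateCloudServer(public)
    killing = KillingServer({feature_value(engine_known): SecurityLevel.SAFE}, private)
    cache = CacheServer(killing)
    samples = (engine_known, cloud_known, unknown)
    first = [cache.security_level(s) for s in samples]   # all three miss the cache
    second = [cache.security_level(s) for s in samples]  # two hits; unknown misses again
    private.pull_update()  # after claim 9's update the private cloud answers on its own
    return {"first": first, "second": second, "hits": cache.hits, "misses": cache.misses,
            "private_direct": private.knowledge.get(feature_value(cloud_known))}
```

The second pass shows the efficiency argument of the summary: once a verdict is cached, the killing server and both clouds are never contacted for that sample again, while the unknown sample keeps being re-checked until some tier learns it.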
PCT/CN2015/095821, priority date 2014-12-12, filed 2015-11-27: Virtualization security detection method and system, WO2016091086A1 (en)

Applications Claiming Priority (2)

Application Number / Priority Date / Filing Date / Title
CN201410773774.8, priority date 2014-12-12
CN201410773774.8A (CN104504330B), priority date 2014-12-12, filed 2014-12-12: Virtualize safety detection method and system

Publications (1)

Publication Number / Publication Date
WO2016091086A1 (en), published 2016-06-16

Legal Events

121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 15866824; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 15866824; country of ref document: EP; kind code of ref document: A1)