WO2016095687A1 - Virtualization security detection method and system - Google Patents

Publication number
WO2016095687A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
information
killing
physical machine
detected
Application number
PCT/CN2015/095820
Inventor
汪圣平
杨晓东
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司 filed Critical 北京奇虎科技有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • The present invention relates to the field of computer technologies, and in particular, to a virtualization security detection method and system.
  • Virtualization refers to virtualizing one computer into multiple logical computers through virtualization technology. Multiple logical computers run on a single computer, each can run a different operating system, and applications run in separate spaces without affecting each other, significantly improving the efficiency of the computer.
  • Each virtual machine contains the same or similar information, and the killing servers are also identical to each other; if multiple virtual machines perform the same security detection simultaneously, this is bound to increase the resource consumption of the physical machines where the virtual machines are located.
  • In view of the above problems, the present invention is proposed to provide a virtualization security detection method and system that overcome the above problems or at least partially solve them.
  • a virtualization security detection method including:
  • the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server;
  • the cache server and/or the killing server perform security detection of the to-be-detected information;
  • the cluster includes at least one physical machine, and each of the physical machines includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • a virtualization security detection system comprising: a cluster, a cache server, and/or a killing server, wherein the cluster includes at least one physical machine, each of the physical machines includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine; the system further includes:
  • a cache server and/or killing server generating module configured to generate a cache server and/or a killing server according to hardware information of the physical machine in the same cluster, configuration information of the virtual machine in the physical machine, and a security detection template;
  • the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server;
  • the to-be-detected information acquiring module is configured to obtain the to-be-detected information from the physical machine, and send the to-be-detected information to the cache server and/or the killing server to perform security detection of the to-be-detected information.
  • the security level determining module is configured to determine a security level of the to-be-detected information according to the detection result of the cache server and/or the killing server.
  • a computer program comprising computer-readable code that causes a computer to execute the virtualization security detection method.
  • the killing server in each virtual machine starts to perform security detection on the information, which increases the resource occupancy rate of the physical machine.
  • The cache server and/or the killing server are generated according to the hardware information of the physical machine in the same cluster, the configuration information of the virtual machine in the physical machine, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • The information to be detected is obtained from the physical machine, and is sent to the cache server and/or the killing server through the network for security detection of the information to be detected, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
  • By using the configuration information of the virtual machine in the physical machine and the security detection template to generate the cache server and/or the killing server, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, reducing the resource utilization of the physical machines.
  • FIG. 1 is a flow chart showing the steps of a virtualization security detection method according to Embodiment 1 of the present invention
  • FIG. 2 is a flow chart showing the steps of a virtualization security detection method according to Embodiment 2 of the present invention.
  • FIG. 3 is a structural block diagram of a virtualization security detection system according to Embodiment 3 of the present invention.
  • FIG. 4 is a structural block diagram of a virtualization security detection system according to Embodiment 4 of the present invention.
  • FIG. 5 is a block diagram schematically showing a structure of a computer for executing a virtualization security detection method according to the present invention.
  • FIG. 6 schematically shows a storage unit for holding or carrying program code that implements the virtualization security detection method according to the present invention.
  • a virtualization security detection method provided by an embodiment of the present invention is described in detail.
  • FIG. 1 a flow chart of steps of a virtualization security detection method in an embodiment of the present invention is shown.
  • the virtualization security detection method in the embodiment of the present invention may be applied to a cluster including at least one physical machine, where each physical machine includes at least one virtual machine, and the cache server and/or the killing server are disposed on one physical machine.
  • The cache server and/or the killing server may be disposed in only one virtual machine of one physical machine, with no need to set them up in the other virtual machines, or may be set in the virtual machine in one physical machine.
  • Step 100: Generate a cache server and/or a killing server according to hardware information of the physical machine in the same cluster, configuration information of the virtual machine in the physical machine, and a security detection template.
  • The configuration information of the virtual machine in the physical machine may include resource information of the physical machine occupied by the virtual machine; the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
  • The basic configuration information of the cache server may include information such as the cache space and the index of the cache server; the basic configuration information of the killing server may include information such as the settings of the killing engine of the server.
  • Step 102: Obtain information to be detected from the physical machine, and send the information to be detected through the network to the cache server and/or the killing server to perform security detection of the information to be detected.
  • The information to be detected may be derived from the same physical machine or from multiple physical machines; it may be derived from one virtual machine or multiple virtual machines in the same physical machine, or from multiple virtual machines in multiple physical machines.
  • Compare information to be detected that is transmitted through the network with information to be detected that is transmitted through the underlying physical layer: because of the limitations of the underlying physical layer itself, only file information can be transmitted through it, whereas information to be detected that is transmitted through the network can include, in addition to file information, but is not limited to, URL information, access path information, registry read and write information, and so on.
  • Step 104: Determine a security level of the to-be-detected information according to the detection result of the cache server and/or the killing server.
  • The cache server can cache the correspondence between the information to be detected and its corresponding security level.
  • The detection result of the cache server can be the correspondence between the information to be detected and its corresponding security level. For example, the cache server caches the correspondence between the to-be-detected information A and its corresponding security level “dangerous”; the cache server caches the correspondence between the to-be-detected information B and its corresponding security level “security”.
  • The killing server can perform detection operations such as security scanning and killing on the information to be detected, and the detection result can include the security level corresponding to the information to be detected.
  • The embodiment of the present invention generates a cache server and/or a killing server according to the hardware information of the physical machine in the same cluster, the configuration information of the virtual machine in the physical machine, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • The information to be detected is obtained from the physical machine, and is sent to the cache server and/or the killing server through the network for security detection of the information to be detected, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
  • By using the configuration information of the virtual machine in the physical machine and the security detection template to generate the cache server and/or the killing server, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, reducing the resource utilization rate of the physical machines.
  • a virtualization security detection method provided by an embodiment of the present invention is described in detail.
  • FIG. 2 a flow chart of steps of a virtualization security detection method in an embodiment of the present invention is shown.
  • the virtualization security detection method in the embodiment of the present invention may be applied to a cluster including at least one physical machine, where each physical machine includes at least one virtual machine, and the cache server and/or the killing server are disposed on one physical machine.
  • The cache server and/or the killing server may be disposed in only one virtual machine of one physical machine, with no need to set them up in the other virtual machines, or may be set in the virtual machine in one physical machine.
  • Step 200: Generate a cache server and/or a killing server according to hardware information of the physical machine in the same cluster, configuration information of the virtual machine in the physical machine, and a security detection template.
  • The configuration information of the virtual machine in the physical machine may include resource information of the physical machine occupied by the virtual machine.
  • The configuration information of the virtual machines in the physical machine includes configuration information of multiple virtual machines in multiple physical machines, and the configuration information of the multiple virtual machines in the multiple physical machines is information on the hardware resources that the multiple virtual machines occupy in the multiple physical machines.
  • The security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
  • the basic configuration information of the cache server may include information such as a cache space of the cache server, an index, and the like; and the basic configuration information of the killing server may include information such as a setting of a killing engine of the server.
  • the step 200 may include:
  • Sub-step 2001: Determine the generated number and the generation location of the cache server and/or the killing server according to the hardware information of the physical machine in the same cluster and the configuration information of the virtual machine in the physical machine.
  • The hardware information of the physical machine in the same cluster and the configuration information of the virtual machine in the physical machine affect the operating efficiency of the virtual machine, and also affect the security detection efficiency of the information to be detected.
  • If the virtual machine occupies fewer resources of the physical machine, the amount of information to be detected is correspondingly small, and the number of cache servers and/or killing servers generated can be appropriately reduced. Conversely, the number of cache servers and/or killing servers generated can be appropriately increased.
  • If the virtual machines in a physical machine occupy fewer resources, while the hardware configurations of the other physical machines in the cluster are lower and the virtual machines in those other physical machines occupy more resources, then the generation location of the cache server and/or the killing server can be set in a virtual machine of that physical machine.
  • The generated number of cache servers and/or killing servers has a corresponding relationship with the virtual machines in the physical machines in the cluster.
  • The virtual machines in the physical machines in the cluster affect the number of cache servers and/or killing servers generated. If the number of virtual machines in the physical machines in the cluster is small, the number of cache servers and/or killing servers generated is correspondingly small; if the number of virtual machines in the physical machines in the cluster is large, the number of cache servers and/or killing servers generated is relatively large.
  • the number of generations and the generation location of the cache server and/or the killing server may be set according to actual conditions.
  • The embodiment of the present invention does not limit the detailed process of determining the generated number and the generation location of the cache server and/or the killing server.
  • Sub-step 2002: Create the generated number of cache servers and/or killing servers in the generation location according to the security detection template.
  • The security detection template may be divided into a cache template and a killing template, which correspond to the cache server and the killing server respectively.
  • A fixed configuration is set in the security detection template, providing the basic information for creating the cache server and/or the killing server.
  • the step 200 can be:
  • When it is detected that the hardware information of a physical machine in the cluster has changed, and/or that the configuration information of a virtual machine in the physical machine has changed, generate a cache server and/or a killing server according to the security detection template, the changed hardware information of the physical machine in the cluster, and the changed configuration information of the virtual machine in the physical machine.
  • The generation of the cache server and/or the killing server also changes as the hardware information of the physical machine in the cluster and/or the configuration information of the virtual machine in the physical machine changes.
  • the step 200 may also be:
  • the hardware information, the configuration information of the virtual machine in the physical machine, and the security detection template generate a cache server and/or a kill server.
  • the current cache server and/or the kill server may fail or all of them may fail.
  • the hardware information of the physical machine in the cluster, the configuration information of the virtual machine in the physical machine, and the security detection template are used to generate new cache servers and/or killing servers.
  • The hardware information of the physical machine in the cluster, the configuration information of the virtual machine in the physical machine, and the security detection template may be used to generate new cache servers and/or killing servers, increasing the number of cache servers and/or killing servers.
  • Step 202: Obtain information to be detected from the physical machine, and send the to-be-detected information to the cache server and/or the killing server to perform security detection of the to-be-detected information.
  • The information to be detected may be derived from the same physical machine or from multiple physical machines; it may be derived from one virtual machine or multiple virtual machines in the same physical machine, or from multiple virtual machines in multiple physical machines.
  • Compare information to be detected that is transmitted through the network with information to be detected that is transmitted through the underlying physical layer: because of the limitations of the underlying physical layer itself, only file information can be transmitted through it, whereas information to be detected that is transmitted through the network can include, in addition to file information, but is not limited to, URL information, access path information, registry read and write information, and so on.
  • Depending on the source of the information to be detected, the process of obtaining the information to be detected from the physical machine in step 202 may be:
  • The information to be detected may be obtained from both virtual machines X1 and X2, may be obtained from virtual machine X1 alone, or may be obtained from virtual machine X2 alone.
  • The physical machine W1 where the killing server C1 is located is in cluster J1; cluster J1 further includes physical machine W2; physical machine W1 includes virtual machines X1 and X2, and physical machine W2 includes virtual machines X3 and X4. The information to be detected may be obtained from virtual machine X1 alone, from virtual machine X2 alone, from virtual machine X3 alone, or from virtual machine X4 alone.
  • the manner of obtaining the information to be detected from the physical machine may be individually selected in the above 1), and the manner in the above 2) may be separately selected, or the manners in the above 1) and 2) may be simultaneously selected.
  • the information to be detected may include at least one of file information, web address information, access path information, and registry read and write information.
  • the specific content of the information to be detected in the embodiment of the present invention is not limited.
  • Step 204: Determine a security level of the to-be-detected information according to the detection result of the cache server and/or the killing server.
  • The cache server can cache the correspondence between the information to be detected and its corresponding security level.
  • The detection result of the cache server can be the correspondence between the information to be detected and its corresponding security level. For example, the cache server caches the correspondence between the to-be-detected information A and its corresponding security level “dangerous”; the cache server caches the correspondence between the to-be-detected information B and its corresponding security level “security”.
  • The killing server can perform detection operations such as security scanning and killing on the information to be detected, and the detection result can include the security level corresponding to the information to be detected.
  • The step of performing the security detection of the information to be detected by the killing server in the above step 204 may include:
  • Step 041: The killing server acquires a feature value of the to-be-detected information.
  • The feature value of the to-be-detected information uniquely identifies the information to be detected. The killing server may obtain the feature value by performing a calculation on the information; the embodiment of the present invention does not limit the technical means by which the killing server obtains the feature value of the to-be-detected information.
  • Step 042: The killing server scans the feature value with a killing engine to perform security detection on the to-be-detected information.
  • The killing engine is a core component of the killing server; it can scan and identify feature values to carry out the security detection of the information to be detected.
  • If, in step 042, the killing server scans the feature value to perform security detection on the to-be-detected information and no detection result is obtained, step 043 is performed.
  • Step 043: The killing server sends the feature value to the private cloud server of the cluster for security detection, a detection result is obtained, and the detection result is returned to the killing server.
  • The cluster is configured with a private cloud server, which is generally connected to the physical machines and virtual machines in the cluster. The private cloud server stores information about a large amount of information to be detected in the cluster, including the feature value of the information to be detected, the corresponding security level, and the like.
  • The process in which the killing server sends the feature value to the private cloud server of the cluster for security detection may be:
  • the killing server sends the feature value to the private cloud server of the cluster for security detection according to a preset scanning sequence.
  • The killing server can send multiple feature values to the private cloud server for security detection according to the preset scanning order.
  • the killing server may further send the security detection result to the cache server.
  • The purpose of the killing server sending the security detection result to the cache server for storage is to increase the correspondences between information to be detected and security levels held on the cache server.
  • the step 044 is performed.
  • Step 044: Send the feature value to a public cloud server outside the cluster for security detection, obtain a detection result, and return the detection result to the private cloud server; the private cloud server returns the detection result to the killing server.
  • The security detection capability of the private cloud server is weaker than that of the public cloud server.
  • If the private cloud server does not obtain a detection result, the feature value is sent to the public cloud server for security detection, where a detection result can be obtained.
  • The success rate of subsequent detection by the private cloud server and the killing server can thereby be increased.
  • the private cloud server may obtain update information from the public cloud server according to a setting rule, where the update information may include a correspondence between a feature value periodically updated by the public cloud server and a security level.
  • the private cloud server may update the correspondence between the feature value and the security level stored in the private cloud server according to the update information.
  • The embodiment of the present invention generates a cache server and/or a killing server according to the hardware information of the physical machine in the same cluster, the configuration information of the virtual machine in the physical machine, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • the level of security of the information is the level of security of the information.
  • By using the configuration information of the virtual machine in the physical machine and the security detection template to generate the cache server and/or the killing server, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, reducing the resource utilization of the physical machines.
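The tiered lookup of steps 041 to 044 (cache server, killing engine, private cloud, public cloud), written out as an added Python example that is not part of the patent text. SHA-256 as the feature value, asking the cache server first, the `unknown` and `safe` labels, all class and function names, and the sample inputs are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def feature_value(info: bytes) -> str:
    """Unique identifier for an item of to-be-detected information.

    Assumption: the page does not fix the algorithm; SHA-256 is used here.
    """
    return hashlib.sha256(info).hexdigest()


@dataclass
class VerdictStore:
    """Feature value -> security level table (cache server or cloud server)."""
    name: str
    table: Dict[str, str] = field(default_factory=dict)

    def lookup(self, fv: str) -> Optional[str]:
        return self.table.get(fv)

    def store(self, fv: str, level: str) -> None:
        self.table[fv] = level

    def apply_update(self, update: Dict[str, str]) -> None:
        """Merge periodic update information (private cloud <- public cloud)."""
        self.table.update(update)


@dataclass
class KillingServer:
    cache: VerdictStore
    engine_signatures: Dict[str, str]  # stands in for the local killing engine
    private_cloud: VerdictStore
    public_cloud: VerdictStore

    def detect(self, info: bytes) -> Tuple[str, List[str]]:
        """Return (security level, tiers consulted in order)."""
        fv = feature_value(info)  # step 041
        path = ["cache"]  # assumption: the cache server is asked first
        level = self.cache.lookup(fv)
        if level is not None:
            return level, path

        path.append("engine")  # step 042: local scan of the feature value
        level = self.engine_signatures.get(fv)

        if level is None:  # step 043: private cloud inside the cluster
            path.append("private_cloud")
            level = self.private_cloud.lookup(fv)

        if level is None:  # step 044: public cloud outside the cluster
            path.append("public_cloud")
            level = self.public_cloud.lookup(fv)
            if level is not None:
                # Assumption: the private cloud keeps the verdict it relays.
                self.private_cloud.store(fv, level)

        if level is None:
            # Do not cache a miss: a later cloud update must still be seen.
            return "unknown", path

        self.cache.store(fv, level)  # killing server -> cache server
        return level, path


def demo() -> List[Tuple[str, List[str]]]:
    # Constructed sample inputs: a file body and a URL string.
    sample_file = b"constructed sample file contents"
    sample_url = b"http://example.test/download"
    public = VerdictStore("public", {feature_value(sample_url): "dangerous"})
    server = KillingServer(
        cache=VerdictStore("cache"),
        engine_signatures={feature_value(sample_file): "safe"},
        private_cloud=VerdictStore("private"),
        public_cloud=public,
    )
    return [
        server.detect(sample_file),  # resolved by the local engine
        server.detect(sample_url),   # falls through to the public cloud
        server.detect(sample_url),   # second request is a cache hit
    ]


if __name__ == "__main__":
    for level, path in demo():
        print(level, " -> ".join(path))
```

Only positive verdicts are written back to the cache, so an item that no tier recognises is looked up again on the next request instead of being pinned as `unknown`.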
  • a virtualization security detection system provided by an embodiment of the present invention is described in detail.
  • FIG. 3 a block diagram of a virtualized security detection system in an embodiment of the present invention is shown.
  • The system may include: a cluster, a cache server and/or a killing server, a cache server and/or killing server generating module 300, a to-be-detected information acquiring module 302, and a security level determining module 304.
  • the cluster includes at least one physical machine, and each of the physical machines includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • the cache server and/or the killing server generating module 300 are configured to generate a cache server and/or a killing server according to hardware information of the physical machine in the same cluster, configuration information of the virtual machine in the physical machine, and a security detection template;
  • The security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
  • the to-be-detected information obtaining module 302 is configured to obtain the to-be-detected information from the physical machine, and send the to-be-detected information to the cache server and/or the killing server to perform security detection of the to-be-detected information.
  • the security level determining module 304 is configured to determine a security level of the to-be-detected information according to the detection result of the cache server and/or the killing server.
  • The embodiment of the present invention generates a cache server and/or a killing server according to the hardware information of the physical machine in the same cluster, the configuration information of the virtual machine in the physical machine, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • The information to be detected is obtained from the physical machine, and is sent to the cache server and/or the killing server through the network for security detection of the information to be detected, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
  • By using the configuration information of the virtual machine in the physical machine and the security detection template to generate the cache server and/or the killing server, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, reducing the resource utilization of the physical machines.
  • a virtualization security detection system provided by an embodiment of the present invention is described in detail.
  • FIG. 4 a block diagram of a virtualized security detection system in an embodiment of the present invention is shown.
  • The system may include: a cluster, a cache server and/or a killing server, a cache server and/or killing server generating module 400, a to-be-detected information acquiring module 402, and a security level determining module 404.
  • the cache server and/or the kill server generation module 400 may include: a quantity and location determination sub-module 4001, and a creation sub-module 4002.
  • the killing server may include: a feature value obtaining module 406, a security detecting module 408, a private cloud detecting module 410, and a public cloud detecting module 412.
  • the cluster includes at least one physical machine, each of the physical machines includes at least one virtual machine, and the cache server and/or the killing server are disposed in a virtual machine of a physical machine.
  • the cache server and/or the killing server generating module 400 are configured to generate a cache server and/or a killing server according to hardware information of the physical machine in the same cluster, configuration information of the virtual machine in the physical machine, and a security detection template;
  • the security detection template includes basic configuration information of the cache server and/or basic configuration information of the server.
  • configuration information of the virtual machines in the physical machine includes configuration information of multiple virtual machines in the plurality of physical machines, and the plurality of physical machines
  • the configuration information of multiple virtual machines in the middle is information that multiple virtual machines occupy hardware resources in multiple physical machines.
  • the cache server and/or the kill server generation module 400 may include:
  • the quantity and location determining sub-module 4001 is configured to determine the number of generated and generated locations of the cache server and/or the killing server according to hardware information of the physical machine in the same cluster and configuration information of the virtual machine in the physical machine. .
  • the creating submodule 4002 is configured to create the generated number of cache servers and/or kill servers in the generated location according to the security detection template.
  • the generated number of cache servers and/or the killing servers have a corresponding relationship with the virtual machines in the physical machines in the cluster.
  • the cache server and/or the kill server generation module 400 detects that the hardware information of the physical machine in the cluster changes, and/or the configuration information of the virtual machine in the physical machine changes, according to The security detection template, the hardware information of the physical machine in the changed cluster, and the configuration information of the virtual machine in the changed physical machine, generate a cache server and/or a kill server.
  • the cache server and/or the killing server generating module 400 determines that the cache server and/or the killing server is faulty, or the amount of information of the information to be detected exceeds the cache server and/or the killing server.
  • the workload can be tolerated, and the cache server and/or the kill server are generated according to the hardware information of the physical machine in the same cluster, the configuration information of the virtual machine in the physical machine, and the security detection template.
  • the to-be-detected information obtaining module 402 is configured to obtain the to-be-detected information from the physical machine, and send the to-be-detected information to the cache server and/or the killing server to perform security detection of the to-be-detected information.
  • the to-be-detected information obtaining module 402 acquires to-be-detected information from at least one of the virtual machine in which the cache server and/or the killing server is located, wherein the cache server and/or the kill server There are multiple virtual machines in the physical machine.
  • the to-be-detected information obtaining module 402 is located from the cache server and/or the killing server.
  • the physical machine is located in at least one virtual machine of at least one physical machine in the same cluster to obtain information to be detected.
  • the to-be-detected information includes at least one of file information, web address information, access path information, and registry read/write information.
  • the security level determining module 404 is configured to determine a security level of the to-be-detected information according to the detection result of the cache server and/or the killing server.
  • the killing server may include:
  • the feature value obtaining module 406 is configured to acquire the feature value of the information to be detected.
  • the security detection module 408 is configured to perform security detection on the to-be-detected information by scanning the feature value by the killing engine.
  • the private cloud detecting module 410 is configured to send the feature value to the private group of the cluster if the security detecting module 404 performs security detection on the to-be-detected information by scanning the feature value by the killing engine and does not obtain a detection result.
  • the cloud server performs security detection, obtains a detection result, and returns the detection result to the killing server.
  • the private cloud detection module 410 sends the feature value to the private cloud server of the cluster for security detection according to a preset scanning sequence.
  • the public cloud detecting module 412 is configured to: if the private cloud server performs security detection on the to-be-detected information, the feature value is sent to the public cloud server outside the cluster for security detection, and the detection is performed. As a result, the detection result is returned to the private cloud server, and the detection result is returned to the killing server by the private cloud server.
  • the private cloud server obtains update information from the public cloud server according to a setting rule, where the update information includes a correspondence between a feature value periodically updated by the public cloud server and a security level.
  • the private cloud server updates the correspondence between the feature value and the security level stored in the private cloud server according to the update information.
  • the embodiment of the present invention is based on hardware information and physics of a physical machine in the same cluster.
  • the configuration information and the security detection template of the virtual machine in the machine generate a cache server and/or a kill server.
  • the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, a cache server, and/or a killer.
  • the server is set in a virtual machine of a physical machine.
  • the information to be detected is obtained from the physical machine, and is sent to the cache server and/or the killing server through the network for security detection of the information to be detected, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
  • the configuration information of the virtual machine in the physical machine, and the security detection template to generate the cache server and/or the killing server, the number of the cache server and/or the killing server can be dynamically configured according to the actual situation. And location, reducing the resource utilization of physical machines.
  • The virtualization security detection scheme provided herein is not inherently related to any particular computer, virtual system, or other device.
  • Various general-purpose systems can also be used with the teachings herein. From the above description, the structure required to construct a system embodying the solution of the present invention is apparent.
  • The invention is not directed to any particular programming language. It is to be understood that the invention may be implemented in a variety of programming languages, and that the description above of a specific language is given to disclose the best mode of the invention.
  • The modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • The modules or units or components of the embodiments may be combined into one module or unit or component, and they may further be divided into a plurality of sub-modules or sub-units or sub-components.
  • Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features that serve the same, an equivalent or a similar purpose.
  • The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof.
  • A microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components of the virtualization security detection scheme in accordance with embodiments of the present invention.
  • The invention can also be implemented as a device or apparatus program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • A program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 5 illustrates a computer in which a virtualization security detection method in accordance with the present invention can be implemented.
  • The computer conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • The memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • The memory 520 has a storage space 530 for program code 531 for performing any of the method steps described above.
  • The storage space 530 for program code may include individual program codes 531, each implementing one of the various steps in the above methods.
  • The program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units as described with reference to FIG. 6.
  • The storage unit may have storage segments, storage space, and the like arranged similarly to the memory 520 in the mobile terminal of FIG. 5.
  • The program code can, for example, be compressed in an appropriate form.
  • Typically, the storage unit includes computer readable code 531', i.e. code that can be read by a processor such as 510, which, when run by a computer, causes the computer to perform the steps of the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
  • Testing Or Calibration Of Command Recording Devices (AREA)
  • Debugging And Monitoring (AREA)

Abstract

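A virtualization security detection method and system, wherein the method comprises: generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template (100), wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server; obtaining information to be detected from the physical machines, and sending the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected (102); and determining the security level of the information to be detected according to the detection result of the cache server and/or the killing server (104); wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine. The method and system improve the resource utilization of the physical machines.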

Description

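Virtualization security detection method and system
Technical Field
The present invention relates to the field of computer technology, and in particular to a virtualization security detection method and system.
Background
Virtualization refers to using virtualization technology to turn one computer into multiple logical computers. Multiple logical computers run simultaneously on one computer, each logical computer can run a different operating system, and applications can run in mutually independent spaces without affecting one another, which significantly improves the working efficiency of the computer.
In existing virtualization security detection schemes, if multiple virtual logical computers (virtual machines) exist on the same physical machine, then to perform security detection on the information in the multiple virtual machines, a killing server has to be set up in each virtual machine, and the information in each virtual machine undergoes security detection in its own killing server.
Because the virtual machines contain identical or similar information and the killing servers are also identical to one another, if multiple virtual machines perform security detection on the same information at the same time, the resource usage of the physical machine hosting those virtual machines is bound to increase.
Summary of the Invention
In view of the problem that the existing virtualization security detection methods described above, when performing security detection on the information in multiple virtual machines, easily cause high resource usage on the physical machine, the present invention is proposed to provide a virtualization security detection method and system that overcome the above problem or at least partially solve it.
According to one aspect of the present invention, a virtualization security detection method is provided, including:
generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server;
obtaining information to be detected from the physical machines, and sending the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected;
determining the security level of the information to be detected according to the detection result of the cache server and/or the killing server;
wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine.
According to another aspect of the present invention, a virtualization security detection system is provided, including: a cluster, and a cache server and/or a killing server, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine; the system further includes:
a cache server and/or killing server generating module, configured to generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server;
a to-be-detected information acquiring module, configured to obtain information to be detected from the physical machines and send the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected;
a security level determining module, configured to determine the security level of the information to be detected according to the detection result of the cache server and/or the killing server.
According to yet another aspect of the present invention, a computer program is provided, including computer readable code which, when run on a computer, causes the computer to perform the virtualization security detection method according to any one of the claims.
According to a further aspect of the present invention, a computer readable medium is provided, in which the computer program claimed in the claims is stored.
The beneficial effects of the present invention are as follows:
In existing virtualization security detection schemes, when security detection is performed on the information in multiple virtual machines at the same time, the killing server in every virtual machine starts up to perform security detection on the information, which increases the resource usage of the physical machine. In the virtual machine security detection scheme of the present invention, by contrast, a cache server and/or a killing server are generated according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine. The information to be detected is obtained from the physical machines and sent over the network to the cache server and/or the killing server for security detection, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
Because the cache server and/or the killing server are generated according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, which reduces the resource utilization of the physical machines.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are set out below.
Brief Description of the Drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 is a flowchart of the steps of a virtualization security detection method according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of the steps of a virtualization security detection method according to Embodiment 2 of the present invention;
FIG. 3 is a structural block diagram of a virtualization security detection system according to Embodiment 3 of the present invention;
FIG. 4 is a structural block diagram of a virtualization security detection system according to Embodiment 4 of the present invention;
FIG. 5 schematically shows a structural block diagram of a computer for performing the virtualization security detection method according to the present invention; and
FIG. 6 schematically shows a storage unit for holding or carrying program code that implements the virtualization security detection according to the present invention.
Detailed Description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.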
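Embodiment 1
A virtualization security detection method provided by an embodiment of the present invention is described in detail.
Referring to FIG. 1, a flowchart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
The virtualization security detection method in this embodiment can be applied to a cluster that includes at least one physical machine, where each physical machine includes at least one virtual machine and the cache server and/or the killing server are set in a virtual machine of one physical machine. For example, the cache server and/or the killing server may be set in only one virtual machine of one physical machine, with nothing set in the other virtual machines, or they may be set in multiple virtual machines of one physical machine.
The virtualization security detection method of this embodiment includes the following steps:
Step 100: generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template.
The configuration information of the virtual machines in the physical machines may include information on the physical machine resources occupied by the virtual machines; the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
The basic configuration information of the cache server may include information such as the cache server's cache space and index; the basic configuration information of the killing server may include information such as the settings of the killing server's killing engine.
Step 102: obtain information to be detected from the physical machines, and send the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected.
The information to be detected may come from one physical machine or from multiple physical machines; it may come from one or more virtual machines in the same physical machine, or from multiple virtual machines in multiple physical machines. Compared with transmitting the information to be detected through the underlying physical layer, which, because of its inherent limitations, can only transmit file information, information to be detected that is transmitted over the network can be file information and can also include, but is not limited to, web address information, access path information, and registry read/write information.
Step 104: determine the security level of the information to be detected according to the detection result of the cache server and/or the killing server.
The cache server can cache correspondences between information to be detected and its security level, and the detection result of the cache server can be such a correspondence. For example, the cache server caches the correspondence between information to be detected A and its security level "dangerous", and the correspondence between information to be detected B and its security level "safe".
The killing server can perform detection operations such as security scanning and killing on the information to be detected to obtain a detection result, which can include the security level corresponding to the information to be detected.
In summary, this embodiment generates a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine. The information to be detected is obtained from the physical machines and sent over the network to the cache server and/or the killing server for security detection, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
Because the cache server and/or the killing server are generated according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, which reduces the resource utilization of the physical machines.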
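Embodiment 2
A virtualization security detection method provided by an embodiment of the present invention is described in detail.
Referring to FIG. 2, a flowchart of the steps of a virtualization security detection method in an embodiment of the present invention is shown.
The virtualization security detection method in this embodiment can be applied to a cluster that includes at least one physical machine, where each physical machine includes at least one virtual machine and the cache server and/or the killing server are set in a virtual machine of one physical machine. For example, the cache server and/or the killing server may be set in only one virtual machine of one physical machine, with nothing set in the other virtual machines, or they may be set in multiple virtual machines of one physical machine.
The virtualization security detection method of this embodiment includes the following steps:
Step 200: generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template.
The configuration information of the virtual machines in the physical machines may include information on the physical machine resources occupied by the virtual machines.
Preferably, when the cluster includes multiple physical machines, the configuration information of the virtual machines in the physical machines includes configuration information of multiple virtual machines in the multiple physical machines, which is information on the hardware resources that the multiple virtual machines occupy in the multiple physical machines.
The security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
The basic configuration information of the cache server may include information such as the cache server's cache space and index; the basic configuration information of the killing server may include information such as the settings of the killing server's killing engine.
Preferably, step 200 may include:
Sub-step 2001: determine the number of cache servers and/or killing servers to generate and the locations at which to generate them, according to the hardware information of the physical machines in the same cluster and the configuration information of the virtual machines in the physical machines.
The hardware information of the physical machines in the same cluster and the configuration information of the virtual machines in them affect the running efficiency of the virtual machines, and likewise the efficiency of security detection of the information to be detected.
If the hardware configuration of the physical machines in the cluster is low and the virtual machines occupy few physical machine resources, the amount of information to be detected is correspondingly small, and the number of cache servers and/or killing servers generated can be reduced appropriately; conversely, the number generated can be increased appropriately.
If one physical machine in the cluster has a high hardware configuration and its virtual machines occupy few resources, while the other physical machines in the cluster have lower hardware configurations and their virtual machines occupy more resources, the generation location of the cache server and/or the killing server can be set in a virtual machine of that physical machine.
Preferably, the generated number of cache servers and/or killing servers corresponds to the virtual machines in the physical machines in the cluster.
That is, the virtual machines in the physical machines in the cluster affect the number of cache servers and/or killing servers generated: if the number of virtual machines in the physical machines in the cluster is small, correspondingly few cache servers and/or killing servers are generated; if the number of virtual machines is large, correspondingly many are generated.
Specifically, the number and generation locations of the cache servers and/or killing servers can be set according to the actual situation; this embodiment places no limitation on the detailed process of determining them.
Sub-step 2002: create the determined number of cache servers and/or killing servers at the determined locations according to the security detection template.
The security detection template can be divided into a cache template and a killing template, corresponding to the cache server and the killing server respectively.
The security detection template contains a fixed configuration that provides the basic information used to create the cache server and/or the killing server.
Preferably, step 200 may be:
when a change is detected in the hardware information of the physical machines in the cluster and/or in the configuration information of the virtual machines in the physical machines, generate a cache server and/or a killing server according to the security detection template, the changed hardware information of the physical machines in the cluster, and the changed configuration information of the virtual machines in the physical machines.
Because the hardware configuration of the physical machines in the cluster is not fixed and the configuration information of the virtual machines in them is also liable to change, the generation of cache servers and/or killing servers likewise tends to vary with the hardware information of the physical machines in the cluster and/or the configuration information of the virtual machines in the physical machines.
Preferably, step 200 may also be:
when it is determined that the cache server and/or the killing server has failed, or that the amount of information to be detected exceeds the tolerable workload of the cache server and/or the killing server, generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template.
If the current cache servers and/or killing servers fail, whether one of them or all of them, new cache servers and/or killing servers can be generated according to the hardware information of the physical machines in the cluster, the configuration information of the virtual machines in the physical machines, and the security detection template.
If the amount of information to be detected that has been obtained exceeds the tolerable workload of the current cache servers and/or killing servers, new cache servers and/or killing servers can be generated according to the hardware information of the physical machines in the cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, increasing the number of cache servers and/or killing servers.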
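The count-and-placement decision of sub-step 2001, together with the overload trigger just described, as an added Python example (not code from the patent, which leaves the detailed process open). The ratios `vms_per_server` and `items_per_server`, the rule of placing each instance on the host with the most free resources, and all resource figures are assumptions; the names W1, W2 and X1 to X4 follow the document's own examples.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Template:
    """Security detection template: fixed base configuration for one server."""
    role: str              # "cache" or "killing"
    cpu: int               # cores one instance needs (assumed figure)
    mem_gb: int            # memory one instance needs (assumed figure)
    vms_per_server: int    # assumed ratio: guest VMs served by one instance
    items_per_server: int  # assumed tolerable workload of one instance


@dataclass
class Host:
    """Hardware information of a physical machine plus its VM configuration."""
    name: str
    cpu: int
    mem_gb: int
    vms: Dict[str, Tuple[int, int]]  # VM name -> (cores, GB) it occupies

    def free(self) -> Tuple[int, int]:
        used_cpu = sum(c for c, _ in self.vms.values())
        used_mem = sum(m for _, m in self.vms.values())
        return self.cpu - used_cpu, self.mem_gb - used_mem


def plan(hosts: List[Host], tmpl: Template, pending_items: int = 0) -> List[str]:
    """Return the host chosen for each server instance to create.

    The count follows the number of VMs in the cluster and is raised when the
    pending workload exceeds what that many instances can tolerate. Each
    instance goes to the host with the most free CPU, then memory; ties break
    on host name so the plan is deterministic. Re-run it whenever the
    inventory changes or a server fails.
    """
    total_vms = sum(len(h.vms) for h in hosts)
    count = max(1, math.ceil(total_vms / tmpl.vms_per_server))
    count = max(count, math.ceil(pending_items / tmpl.items_per_server))
    free = {h.name: h.free() for h in hosts}
    placement: List[str] = []
    for _ in range(count):
        fits = [n for n, (c, m) in free.items()
                if c >= tmpl.cpu and m >= tmpl.mem_gb]
        if not fits:
            break  # no host can take another instance: return a shorter plan
        best = min(fits, key=lambda n: (-free[n][0], -free[n][1], n))
        placement.append(best)
        free[best] = (free[best][0] - tmpl.cpu, free[best][1] - tmpl.mem_gb)
    return placement


# Constructed inventory for cluster J1: W2's VMs occupy fewer resources than W1's.
CLUSTER_J1 = [
    Host("W1", cpu=16, mem_gb=64, vms={"X1": (4, 8), "X2": (4, 8)}),
    Host("W2", cpu=16, mem_gb=64, vms={"X3": (2, 4), "X4": (2, 4)}),
]
KILLING_TEMPLATE = Template("killing", cpu=4, mem_gb=8,
                            vms_per_server=4, items_per_server=1000)

if __name__ == "__main__":
    print(plan(CLUSTER_J1, KILLING_TEMPLATE))                      # normal load
    print(plan(CLUSTER_J1, KILLING_TEMPLATE, pending_items=2500))  # overload
```

A plan shorter than the requested count means the cluster has no room for the remaining instances, which is the condition an operator should alert on rather than silently run under-provisioned.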
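Step 202: obtain information to be detected from the physical machines, and send the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected.
The information to be detected may come from one physical machine or from multiple physical machines; it may come from one or more virtual machines in the same physical machine, or from multiple virtual machines in multiple physical machines. Compared with transmitting the information to be detected through the underlying physical layer, which, because of its inherent limitations, can only transmit file information, information to be detected that is transmitted over the network can be file information and can also include, but is not limited to, web address information, access path information, and registry read/write information.
Preferably, depending on the source of the information to be detected, the process of obtaining the information to be detected from the physical machines in step 202 may be:
1) obtaining the information to be detected from at least one virtual machine in the physical machine where the cache server and/or the killing server is located, wherein multiple virtual machines are set in that physical machine.
For example, if the physical machine W1 hosting killing server C1 includes virtual machines X1 and X2, the information to be detected can be obtained from virtual machines X1 and X2; it can be obtained from virtual machine X1 alone or from virtual machine X2 alone.
and/or,
2) obtaining the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the cache server and/or the killing server is located.
For example, the physical machine W1 hosting killing server C1 is in cluster J1, cluster J1 also includes physical machine W2, physical machine W1 includes virtual machines X1 and X2, and physical machine W2 includes virtual machines X3 and X4; the information to be detected can then be obtained from virtual machines X1, X2, X3 and X4, and it can also be obtained from virtual machine X1 alone, from X2 alone, from X3 alone, or from X4 alone.
The information to be detected can be obtained from the physical machines using approach 1) alone, approach 2) alone, or both 1) and 2) together.
Preferably, the information to be detected may include at least one of file information, web address information, access path information, and registry read/write information; this embodiment places no limitation on the specific content of the information to be detected.
Step 204: determine the security level of the information to be detected according to the detection result of the cache server and/or the killing server.
The cache server can cache correspondences between information to be detected and its security level, and the detection result of the cache server can be such a correspondence. For example, the cache server caches the correspondence between information to be detected A and its security level "dangerous", and the correspondence between information to be detected B and its security level "safe".
The killing server can perform detection operations such as security scanning and killing on the information to be detected to obtain a detection result, which can include the security level corresponding to the information to be detected.
Preferably, the step in which the killing server performs security detection of the information to be detected in step 204 may include:
Step 041: the killing server obtains the feature value of the information to be detected.
The feature value of the information to be detected is attribute information that uniquely identifies the information to be detected. The killing server can obtain the feature value by performing operations such as computation on the information to be detected; this embodiment places no limitation on the technical means by which the killing server obtains the feature value.
Step 042: the killing server performs security detection on the information to be detected by scanning the feature value with the killing engine.
The killing engine is the core component of the killing server; it can scan and identify feature values, thereby performing security detection on the information to be detected.
Preferably, if in step 042 the killing server obtains no detection result from scanning the feature value with the killing engine, step 043 is performed.
Step 043: the killing server sends the feature value to the private cloud server of the cluster for security detection, a detection result is obtained, and the detection result is returned to the killing server.
The cluster is provided with a private cloud server, which is usually set up to be accessed by the physical machines and virtual machines within the cluster. The private cloud server stores related information about a large amount of the information to be detected within the cluster, including the feature values of the information to be detected, the corresponding security levels, and so on.
Preferably, in step 043, the process in which the killing server sends the feature value to the private cloud server of the cluster for security detection may be:
the killing server sends the feature value to the private cloud server of the cluster for security detection according to a preset scanning order.
If there are multiple feature values that need to be sent to the private cloud server for security detection, the killing server can send them to the private cloud server in the preset scanning order.
Preferably, in step 043, after the detection result is obtained and returned to the killing server, the killing server may also send the security detection result to the cache server for storage.
The purpose of the killing server sending the security detection result to the cache server for storage is to enlarge the cache server's library of correspondences between information to be detected and its security level.
Preferably, if in step 043 the private cloud server obtains no detection result from its security detection of the information to be detected, step 044 is performed.
Step 044: the feature value is sent to a public cloud server outside the cluster for security detection, a detection result is obtained and returned to the private cloud server, and the private cloud server returns the detection result to the killing server.
Usually, the security detection capability of the private cloud server is weaker than that of the public cloud server. When the private cloud server obtains no detection result, sending the feature value to the public cloud server for security detection can yield a detection result; returning that result to the private cloud server and the killing server can increase the detection success rate of the private cloud server and the killing server afterwards.
Preferably, the private cloud server may obtain update information from the public cloud server according to a set rule, where the update information may contain the correspondences between feature values and security levels that the public cloud server updates periodically.
Preferably, the private cloud server may update the correspondences between feature values and security levels stored in the private cloud server according to the update information.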
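Steps 041 to 044 form a tiered lookup: cache server, killing engine, private cloud, then public cloud, with results written back on the way down. The following is an added Python example, not code from the patent. The SHA-256 feature value, the in-memory dictionaries standing in for each tier, the rule that an "unknown" result is never cached, the caching of engine results, and all sample inputs are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SAFE, DANGEROUS, UNKNOWN = "safe", "dangerous", "unknown"


def feature_value(kind: str, payload: bytes) -> str:
    """Step 041. Assumption: SHA-256 over the information type and its bytes."""
    return hashlib.sha256(kind.encode() + b"\x00" + payload).hexdigest()


@dataclass
class VerdictStore:
    """A tier holding feature value -> security level correspondences."""
    name: str
    verdicts: Dict[str, str] = field(default_factory=dict)
    lookups: int = 0  # counts queries so the saved work is measurable

    def lookup(self, fv: str) -> Optional[str]:
        self.lookups += 1
        return self.verdicts.get(fv)


@dataclass
class PrivateCloud(VerdictStore):
    public: Optional[VerdictStore] = None

    def resolve(self, fv: str) -> Tuple[Optional[str], str]:
        """Step 043, falling through to step 044 when the private tier misses."""
        level = self.lookup(fv)
        if level is not None:
            return level, "private-cloud"
        if self.public is None:
            return None, "private-cloud"
        level = self.public.lookup(fv)
        if level is not None:
            self.verdicts[fv] = level  # result passes back through this tier
        return level, "public-cloud"

    def sync_from_public(self) -> int:
        """Scheduled update: pull new or changed correspondences."""
        if self.public is None:
            return 0
        changed = {fv: lvl for fv, lvl in self.public.verdicts.items()
                   if self.verdicts.get(fv) != lvl}
        self.verdicts.update(changed)
        return len(changed)


@dataclass
class KillingServer:
    cache: VerdictStore          # the cache server
    signatures: Dict[str, str]   # what the local killing engine recognises
    private_cloud: PrivateCloud

    def detect(self, kind: str, payload: bytes) -> Tuple[str, str]:
        """Return (security level, tier that answered)."""
        fv = feature_value(kind, payload)
        level = self.cache.lookup(fv)
        if level is not None:
            return level, "cache"
        level, source = self.signatures.get(fv), "engine"   # step 042
        if level is None:
            level, source = self.private_cloud.resolve(fv)
        if level is None:
            return UNKNOWN, source  # never cache a non-verdict
        self.cache.verdicts[fv] = level  # store result on the cache server
        return level, source


# Constructed sample inputs: same file on two VMs, a web address, a registry path.
DROPPER = b"constructed sample bytes standing in for a malicious file"
URL = b"http://phish.example/login"
REG = b"HKCU\\Software\\Example\\Run"


def run_demo():
    public = VerdictStore("public", {feature_value("file", DROPPER): DANGEROUS})
    private = PrivateCloud("private", public=public)
    server = KillingServer(VerdictStore("cache"),
                           {feature_value("url", URL): DANGEROUS}, private)
    submissions = [("X1", "file", DROPPER), ("X2", "file", DROPPER),
                   ("X3", "url", URL), ("X4", "registry", REG),
                   ("X4", "registry", REG)]
    results = [(vm, kind) + server.detect(kind, data)
               for vm, kind, data in submissions]
    return results, server, private, public


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The second submission of the same file never leaves the cache server, which is the resource saving the method is after; the repeated unknown registry item still reaches the public tier each time because no level was ever established for it.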
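In summary, this embodiment generates a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine. The information to be detected is obtained from the physical machines and sent over the network to the cache server and/or the killing server for security detection, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
Because the cache server and/or the killing server are generated according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, which reduces the resource utilization of the physical machines.
Embodiment 3
A virtualization security detection system provided by an embodiment of the present invention is described in detail.
Referring to FIG. 3, a structural block diagram of a virtualization security detection system in an embodiment of the present invention is shown.
The system may include: a cluster, a cache server and/or a killing server, a cache server and/or killing server generating module 300, a to-be-detected information acquiring module 302, and a security level determining module 304.
The cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine.
The cache server and/or killing server generating module 300 is configured to generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
The to-be-detected information acquiring module 302 is configured to obtain information to be detected from the physical machines and send the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected.
The security level determining module 304 is configured to determine the security level of the information to be detected according to the detection result of the cache server and/or the killing server.
In summary, this embodiment generates a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine. The information to be detected is obtained from the physical machines and sent over the network to the cache server and/or the killing server for security detection, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
Because the cache server and/or the killing server are generated according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, which reduces the resource utilization of the physical machines.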
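Embodiment 4
A virtualization security detection system provided by an embodiment of the present invention is described in detail.
Referring to FIG. 4, a structural block diagram of a virtualization security detection system in an embodiment of the present invention is shown.
The system may include: a cluster, a cache server and/or a killing server, a cache server and/or killing server generating module 400, a to-be-detected information acquiring module 402, and a security level determining module 404.
The cache server and/or killing server generating module 400 may include: a quantity and location determining sub-module 4001 and a creating sub-module 4002.
The killing server may include: a feature value obtaining module 406, a security detecting module 408, a private cloud detecting module 410, and a public cloud detecting module 412.
The cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine.
The cache server and/or killing server generating module 400 is configured to generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server.
Preferably, when the cluster includes multiple physical machines, the configuration information of the virtual machines in the physical machines includes configuration information of multiple virtual machines in the multiple physical machines, which is information on the hardware resources that the multiple virtual machines occupy in the multiple physical machines.
Preferably, the cache server and/or killing server generating module 400 may include:
the quantity and location determining sub-module 4001, configured to determine the number of cache servers and/or killing servers to generate and the locations at which to generate them, according to the hardware information of the physical machines in the same cluster and the configuration information of the virtual machines in the physical machines.
the creating sub-module 4002, configured to create the determined number of cache servers and/or killing servers at the determined locations according to the security detection template.
The generated number of cache servers and/or killing servers corresponds to the virtual machines in the physical machines in the cluster.
Preferably, when the cache server and/or killing server generating module 400 detects that the hardware information of the physical machines in the cluster has changed, and/or that the configuration information of the virtual machines in the physical machines has changed, it generates a cache server and/or a killing server according to the security detection template, the changed hardware information of the physical machines in the cluster, and the changed configuration information of the virtual machines in the physical machines.
Preferably, when the cache server and/or killing server generating module 400 determines that the cache server and/or the killing server has failed, or that the amount of information to be detected exceeds the tolerable workload of the cache server and/or the killing server, it generates a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template.
The to-be-detected information acquiring module 402 is configured to obtain information to be detected from the physical machines and send the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected.
Preferably, the to-be-detected information acquiring module 402 obtains the information to be detected from at least one virtual machine in the physical machine where the cache server and/or the killing server is located, wherein multiple virtual machines are set in that physical machine.
and/or,
the to-be-detected information acquiring module 402 obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the cache server and/or the killing server is located.
Preferably, the information to be detected includes at least one of file information, web address information, access path information, and registry read/write information.
The security level determining module 404 is configured to determine the security level of the information to be detected according to the detection result of the cache server and/or the killing server.
Preferably, the killing server may include:
the feature value obtaining module 406, configured to obtain the feature value of the information to be detected.
the security detecting module 408, configured to perform security detection on the information to be detected by scanning the feature value with the killing engine.
the private cloud detecting module 410, configured to, if the security detecting module 404 obtains no detection result from scanning the feature value with the killing engine, send the feature value to the private cloud server of the cluster for security detection, obtain a detection result, and return the detection result to the killing server.
Preferably, the private cloud detecting module 410 sends the feature value to the private cloud server of the cluster for security detection according to a preset scanning order.
the public cloud detecting module 412, configured to, if the private cloud server obtains no detection result from its security detection of the information to be detected, send the feature value to a public cloud server outside the cluster for security detection, obtain a detection result, return the detection result to the private cloud server, and have the private cloud server return the detection result to the killing server.
Preferably, the private cloud server obtains update information from the public cloud server according to a set rule, where the update information contains the correspondences between feature values and security levels that the public cloud server updates periodically.
Preferably, the private cloud server updates the correspondences between feature values and security levels stored in the private cloud server according to the update information.
In summary, this embodiment generates a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine. The information to be detected is obtained from the physical machines and sent over the network to the cache server and/or the killing server for security detection, and the security level of the information to be detected is determined according to the detection result of the cache server and/or the killing server.
Because the cache server and/or the killing server are generated according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template, the number and location of the cache servers and/or killing servers can be dynamically configured according to the actual situation, which reduces the resource utilization of the physical machines.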
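The virtualization security detection scheme provided here is not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems can also be used with the teachings herein. From the above description, the structure required to construct a system embodying the solution of the present invention is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described here can be implemented in various programming languages, and that the description above of a specific language is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the present disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and placed in one or more devices different from that embodiment. The modules or units or components of the embodiments can be combined into one module or unit or component, and they can further be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features that serve the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that although some embodiments described here include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the virtualization security detection scheme according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described here. Such a program implementing the present invention can be stored on a computer readable medium or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 5 shows a computer that can implement the virtualization security detection method according to the present invention. The computer conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520. The memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM. The memory 520 has a storage space 530 for program code 531 for performing any of the method steps described above. For example, the storage space 530 for program code may include individual program codes 531, each implementing one of the various steps in the above methods. The program code can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 6. The storage unit may have storage segments, storage space, and the like arranged similarly to the memory 520 in the mobile terminal of FIG. 5. The program code can, for example, be compressed in an appropriate form. Typically, the storage unit includes computer readable code 531', i.e. code that can be read by a processor such as 510, which, when run by a computer, causes the computer to perform the steps of the methods described above.
References herein to "one embodiment", "an embodiment" or "one or more embodiments" mean that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Note also that instances of the phrase "in one embodiment" here do not necessarily all refer to the same embodiment.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words can be interpreted as names.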

Claims (26)

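  1. A virtualization security detection method, comprising:
    generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server;
    obtaining information to be detected from the physical machines, and sending the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected;
    determining the security level of the information to be detected according to the detection result of the cache server and/or the killing server;
    wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine.
  2. The method according to claim 1, wherein, when the cluster includes multiple physical machines, the configuration information of the virtual machines in the physical machines includes configuration information of multiple virtual machines in the multiple physical machines, and the configuration information of the multiple virtual machines in the multiple physical machines is information on the hardware resources that the multiple virtual machines occupy in the multiple physical machines.
  3. The method according to claim 1 or 2, wherein generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template comprises:
    determining the number of cache servers and/or killing servers to generate and the locations at which to generate them, according to the hardware information of the physical machines in the same cluster and the configuration information of the virtual machines in the physical machines;
    creating the determined number of cache servers and/or killing servers at the determined locations according to the security detection template;
    wherein the generated number of cache servers and/or killing servers corresponds to the virtual machines in the physical machines in the cluster.
  4. The method according to claim 1, wherein generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template comprises:
    when a change is detected in the hardware information of the physical machines in the cluster and/or in the configuration information of the virtual machines in the physical machines, generating a cache server and/or a killing server according to the security detection template, the changed hardware information of the physical machines in the cluster, and the changed configuration information of the virtual machines in the physical machines.
  5. The method according to claim 1, wherein generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template comprises:
    when it is determined that the cache server and/or the killing server has failed, or that the amount of information to be detected exceeds the tolerable workload of the cache server and/or the killing server, generating a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template.
  6. The method according to claim 1, wherein obtaining information to be detected from the physical machines comprises:
    obtaining the information to be detected from at least one virtual machine in the physical machine where the cache server and/or the killing server is located, wherein multiple virtual machines are set in the physical machine where the cache server and/or the killing server is located;
    and/or,
    obtaining the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the cache server and/or the killing server is located.
  7. The method according to claim 1 or 6, wherein the information to be detected includes at least one of file information, web address information, access path information, and registry read/write information.
  8. The method according to claim 1, wherein the step in which the killing server performs security detection of the information to be detected comprises:
    the killing server obtaining the feature value of the information to be detected;
    the killing server performing security detection on the information to be detected by scanning the feature value with the killing engine.
  9. The method according to claim 8, wherein the method further comprises:
    if the killing server obtains no detection result from performing security detection on the information to be detected by scanning the feature value with the killing engine, the killing server sending the feature value to the private cloud server of the cluster for security detection, obtaining a detection result, and returning the detection result to the killing server.
  10. The method according to claim 9, wherein the method further comprises:
    if the private cloud server obtains no detection result from its security detection of the information to be detected, sending the feature value to a public cloud server outside the cluster for security detection, obtaining a detection result, returning the detection result to the private cloud server, and returning the detection result to the killing server through the private cloud server.
  11. The method according to claim 9, wherein the killing server sending the feature value to the private cloud server of the cluster for security detection comprises:
    the killing server sending the feature value to the private cloud server of the cluster for security detection according to a preset scanning order.
  12. The method according to claim 10, the method further comprising:
    the private cloud server obtaining update information from the public cloud server according to a set rule, wherein the update information contains the correspondences between feature values and security levels that the public cloud server updates periodically;
    the private cloud server updating the correspondences between feature values and security levels stored in the private cloud server according to the update information.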
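  13. A virtualization security detection system, comprising: a cluster, and a cache server and/or a killing server, wherein the cluster includes at least one physical machine, each physical machine includes at least one virtual machine, and the cache server and/or the killing server are set in a virtual machine of one physical machine; the system further comprising:
    a cache server and/or killing server generating module, configured to generate a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and a security detection template, wherein the security detection template includes basic configuration information of the cache server and/or basic configuration information of the killing server;
    a to-be-detected information acquiring module, configured to obtain information to be detected from the physical machines and send the information to be detected over the network to the cache server and/or the killing server for security detection of the information to be detected;
    a security level determining module, configured to determine the security level of the information to be detected according to the detection result of the cache server and/or the killing server.
  14. The system according to claim 13, wherein, when the cluster includes multiple physical machines, the configuration information of the virtual machines in the physical machines includes configuration information of multiple virtual machines in the multiple physical machines, and the configuration information of the multiple virtual machines in the multiple physical machines is information on the hardware resources that the multiple virtual machines occupy in the multiple physical machines.
  15. The system according to claim 13 or 14, wherein the cache server and/or killing server generating module comprises:
    a quantity and location determining sub-module, configured to determine the number of cache servers and/or killing servers to generate and the locations at which to generate them, according to the hardware information of the physical machines in the same cluster and the configuration information of the virtual machines in the physical machines;
    a creating sub-module, configured to create the determined number of cache servers and/or killing servers at the determined locations according to the security detection template;
    wherein the generated number of cache servers and/or killing servers corresponds to the virtual machines in the physical machines in the cluster.
  16. The system according to claim 13, wherein, when the cache server and/or killing server generating module detects that the hardware information of the physical machines in the cluster has changed, and/or that the configuration information of the virtual machines in the physical machines has changed, it generates a cache server and/or a killing server according to the security detection template, the changed hardware information of the physical machines in the cluster, and the changed configuration information of the virtual machines in the physical machines.
  17. The system according to claim 13, wherein, when the cache server and/or killing server generating module determines that the cache server and/or the killing server has failed, or that the amount of information to be detected exceeds the tolerable workload of the cache server and/or the killing server, it generates a cache server and/or a killing server according to the hardware information of the physical machines in the same cluster, the configuration information of the virtual machines in the physical machines, and the security detection template.
  18. The system according to claim 13, wherein
    the to-be-detected information acquiring module obtains the information to be detected from at least one virtual machine in the physical machine where the cache server and/or the killing server is located, wherein multiple virtual machines are set in the physical machine where the cache server and/or the killing server is located;
    and/or,
    the to-be-detected information acquiring module obtains the information to be detected from at least one virtual machine of at least one physical machine located in the same cluster as the physical machine where the cache server and/or the killing server is located.
  19. The system according to claim 13 or 18, wherein
    the information to be detected includes at least one of file information, web address information, access path information, and registry read/write information.
  20. The system according to claim 13, wherein the killing server comprises:
    a feature value obtaining module, configured to obtain the feature value of the information to be detected;
    a security detecting module, configured to perform security detection on the information to be detected by scanning the feature value with the killing engine.
  21. The system according to claim 20, wherein the killing server further comprises:
    a private cloud detecting module, configured to, if the security detecting module obtains no detection result from performing security detection on the information to be detected by scanning the feature value with the killing engine, send the feature value to the private cloud server of the cluster for security detection, obtain a detection result, and return the detection result to the killing server.
  22. The system according to claim 21, wherein the killing server further comprises:
    a public cloud detecting module, configured to, if the private cloud server obtains no detection result from its security detection of the information to be detected, send the feature value to a public cloud server outside the cluster for security detection, obtain a detection result, return the detection result to the private cloud server, and return the detection result to the killing server through the private cloud server.
  23. The system according to claim 21, wherein the private cloud detecting module sends the feature value to the private cloud server of the cluster for security detection according to a preset scanning order.
  24. The system according to claim 22, wherein
    the private cloud server obtains update information from the public cloud server according to a set rule, wherein the update information contains the correspondences between feature values and security levels that the public cloud server updates periodically;
    the private cloud server updates the correspondences between feature values and security levels stored in the private cloud server according to the update information.
  25. A computer program, comprising computer readable code which, when run on a computer, causes the computer to perform the virtualization security detection method according to any one of claims 1-12.
  26. A computer readable medium, in which the computer program according to claim 25 is stored.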
PCT/CN2015/095820 2014-12-19 2015-11-27 Virtualization security detection method and system WO2016095687A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410805872.5A CN104504331B (zh) 2014-12-19 2014-12-19 Virtualization security detection method and system
CN201410805872.5 2014-12-19

Publications (1)

Publication Number Publication Date
WO2016095687A1 true WO2016095687A1 (zh) 2016-06-23

Family

ID=52945727

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/095820 WO2016095687A1 (zh) 2014-12-19 2015-11-27 Virtualization security detection method and system

Country Status (2)

Country Link
CN (1) CN104504331B (zh)
WO (1) WO2016095687A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116595384A (zh) * 2023-07-14 2023-08-15 支付宝(杭州)信息技术有限公司 Model training method and device

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104504331B (zh) * 2014-12-19 2017-12-08 北京奇安信科技有限公司 Virtualization security detection method and system
CN108667771B (zh) * 2017-03-29 2021-10-15 北京宸信征信有限公司 Data processing system and processing method for handling untrusted data
CN107545183A (zh) * 2017-09-15 2018-01-05 郑州云海信息技术有限公司 Antivirus method, device and system
CN112596825B (zh) * 2020-11-26 2022-04-01 新华三大数据技术有限公司 Cloud desktop startup method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102467637A (zh) * 2011-07-28 2012-05-23 中标软件有限公司 Anti-virus system in a virtualized environment and anti-virus method thereof
CN102708325A (zh) * 2012-05-17 2012-10-03 中国科学院计算技术研究所 Method and system for file antivirus in a virtual desktop environment
US20130312096A1 (en) * 2012-05-18 2013-11-21 Vmware, Inc. On-demand data scan in a virtual machine
CN104504331A (zh) * 2014-12-19 2015-04-08 北京奇虎科技有限公司 Virtualization security detection method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8619971B2 (en) * 2005-04-01 2013-12-31 Microsoft Corporation Local secure service partitions for operating system security
CN101593249B (zh) * 2008-05-30 2011-08-03 成都市华为赛门铁克科技有限公司 Suspicious file analysis method and system
US20130152076A1 (en) * 2011-12-07 2013-06-13 Cisco Technology, Inc. Network Access Control Policy for Virtual Machine Migration
CN103761480A (zh) * 2014-01-13 2014-04-30 北京奇虎科技有限公司 Method and device for detecting file security

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116595384A (zh) * 2023-07-14 2023-08-15 支付宝(杭州)信息技术有限公司 Model training method and device
CN116595384B (zh) * 2023-07-14 2023-11-24 支付宝(杭州)信息技术有限公司 Model training method and device

Also Published As

Publication number Publication date
CN104504331A (zh) 2015-04-08
CN104504331B (zh) 2017-12-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15869195

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15869195

Country of ref document: EP

Kind code of ref document: A1