WO2021072877A1 - Secure startup method and apparatus for a cloud host, and computer device and storage medium (original title: Procédé et appareil de démarrage sécurisé pour hôte en nuage, et dispositif informatique et support de stockage) - Google Patents


Info

Publication number: WO2021072877A1
Application number: PCT/CN2019/118430
Authority: WO, WIPO (PCT)
Other languages: English (en), Chinese (zh)
Inventor: 沈勇
Original Assignee: 平安科技(深圳)有限公司
Prior art keywords: cloud host, designated, specified, host, vulnerability
Prior art date:
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:


Classifications (CPC; every entry descends from G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING)

    • G06F 9/00 Arrangements for program control, e.g. control units > G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F 9/44 Arrangements for executing specific programs > G06F 9/4401 Bootstrapping > G06F 9/4416 Network booting; Remote initial program loading [RIPL]
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/52 Monitoring during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow > G06F 21/53 Monitoring by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 21/00 > G06F 21/50 > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F 21/575 Secure boot
    • G06F 21/00 > G06F 21/50 > G06F 21/57 > G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F 8/00 Arrangements for software engineering > G06F 8/60 Software deployment > G06F 8/61 Installation
    • G06F 9/00 > G06F 9/06 > G06F 9/44 > G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F 9/45533 Hypervisors; Virtual machine monitors > G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 9/45558 > G06F 2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F 9/45558 > G06F 2009/45575 Starting, stopping, suspending or resuming virtual machine instances
    • G06F 9/45558 > G06F 2009/45595 Network integration; Enabling network access in virtual machine instances

Definitions

  • This application relates to the technical field of cloud computing, and in particular to a secure startup method, device, computer equipment, and storage medium of a cloud host.
  • Cloud computing is currently an important field and direction in the development of IT technology, and it is gradually penetrating every area of society.
  • A cloud host is an important part of cloud computing in infrastructure applications. It sits at the bottom of the cloud computing industry chain, and its products are derived from cloud computing platforms.
  • The platform integrates the three core elements of Internet applications, computing, storage and network, and provides users with public Internet infrastructure services.
  • A cloud host is a virtualized host similar to a VPS (Virtual Private Server). A VPS uses virtualization software (such as VZ or VM) to partition one physical host into multiple parts that each behave like an independent host, so that a single machine serves multiple users and each part can be used on its own.
  • A cloud host instead virtualizes such independent-host-like parts on a cluster of host machines.
  • Each host machine in the cluster holds an image of the cloud host, which greatly improves the security and stability of the virtual host.
  • Cloud hosts can usually be accessed, and even managed, directly from the public network (Internet).
  • Each cloud host therefore faces the security risk of a protection gap. Specifically, this application assumes that all security vulnerabilities known at the time are repaired when a cloud host is shut down, so a cloud host in the shutdown state can be regarded as being in a safe state. When the cloud host is restarted and exposed to the public network, however, the external environment may have changed since the shutdown: if new security vulnerabilities affecting the cloud host have been published in the meantime, the host can be attacked from the public network at any moment, and its security is seriously threatened.
  • the main purpose of this application is to provide a secure startup method, device, computer equipment and storage medium for a cloud host, which aims to solve the problem that when the cloud host is restarted from the shutdown state and exposed to the existing various cloud computing systems
  • To this end, this application proposes a secure startup method for a cloud host.
  • The method includes the steps:
  • upon receiving a user-triggered start instruction for a specified cloud host, obtain asset information corresponding to the specified cloud host according to preset rules, where the asset information includes at least operating system information; determine whether the preset vulnerability database stores vulnerabilities corresponding to the asset information of the designated cloud host, where the number of vulnerabilities is one or more;
  • This application also provides a secure boot device for a cloud host, including:
  • the first obtaining module is configured to obtain asset information corresponding to the specified cloud host according to preset rules when a user-triggered start instruction for the specified cloud host is received, wherein the asset information includes at least operating system information;
  • the first judgment module is used to judge whether there are vulnerabilities corresponding to the asset information of the designated cloud host stored in the preset vulnerability database, wherein the number of the vulnerabilities is one or more;
  • the second obtaining module is configured to, if yes, obtain the last shutdown time of the designated cloud host and the release time corresponding to each of the vulnerabilities;
  • the second judgment module is used for judging whether there are specified vulnerabilities whose release time is within a specified period of time among all the vulnerabilities according to the last shutdown time and each of the release times;
  • the isolation module is configured to, if yes, start the designated cloud host in a pre-created security isolation area, wherein the network access function of the specified cloud host will be disabled in the security isolation area.
  • the present application also provides a computer device, including a memory and a processor, the memory stores computer-readable instructions, and the processor implements the steps of the above method when the computer-readable instructions are executed by the processor.
  • the present application also provides a computer-readable storage medium on which computer-readable instructions are stored, and when the computer-readable instructions are executed by a processor, the steps of the foregoing method are implemented.
  • The secure startup method, device, computer equipment and storage medium of a cloud host described in this application work as follows: upon receiving a user-triggered startup instruction for a specified cloud host, asset information corresponding to that host is acquired according to preset rules, the asset information including at least operating system information; it is determined whether the preset vulnerability database stores vulnerabilities corresponding to that asset information, the number of vulnerabilities being one or more; if so, the last shutdown time of the designated cloud host and the release time of each vulnerability are obtained; according to the last shutdown time and each release time, it is determined whether any of the vulnerabilities (the specified vulnerabilities) has a release time within a specified time period; if so, the specified cloud host is started in a pre-created security isolation area, in which its network access function is disabled.
  • In this way, when a new vulnerability affecting the designated cloud host was published while that host was last shut down, the host is automatically started in the pre-created security isolation zone, so that its network access function is temporarily disabled after startup. This effectively prevents the designated cloud host from being intruded upon or attacked through those vulnerabilities while in use, and ensures its security after it is started.
  • FIG. 1 is a schematic flowchart of a method for secure startup of a cloud host according to an embodiment of the present application
  • FIG. 2 is a schematic structural diagram of a secure boot device of a cloud host according to an embodiment of the present application
  • FIG. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application.
  • a secure boot method of a cloud host includes:
  • S1 Acquire asset information corresponding to the designated cloud host according to preset rules when receiving a startup instruction for a designated cloud host triggered by a user, where the asset information includes at least operating system information;
  • S2 Determine whether there are vulnerabilities corresponding to the asset information of the designated cloud host stored in the preset vulnerability database, where the number of the vulnerabilities is one or more;
  • S4 According to the last shutdown time and each of the release times, determine whether there are specified vulnerabilities whose release time is within a specified period of time among all the vulnerabilities;
  • The execution subject of this embodiment is a secure boot device for a cloud host, specifically the host cluster used to virtualize the cloud host, through which the host cluster can realize the
  • The designated cloud host is any one of the cloud hosts virtualized by the host cluster. Specifically, it is first determined whether a user-triggered start instruction for the designated cloud host has been received; when it has, the asset information corresponding to the designated cloud host is obtained according to preset rules. The asset information includes at least operating system information, for example that the operating system is Windows Server 2012 and that RDP service version 11.0 is used to provide remote desktop.
  • the asset information may also include cloud host service information and key application information.
  • The preset rules may include obtaining the asset information by querying the cloud platform corresponding to the specified cloud host, or by invoking a specified scanning tool. Then, based on the asset information, it is determined whether the preset vulnerability database stores vulnerabilities corresponding to the asset information of the designated cloud host, where the number of vulnerabilities is one or more. The vulnerability database holds vulnerability information related to the various operating systems used by cloud hosts and to cloud host services, which a crawler tool fetches from the target websites in real time.
  • If the vulnerability database stores vulnerabilities corresponding to the asset information of the specified cloud host, the last shutdown time of the specified cloud host and the release time of each of those vulnerabilities are obtained.
  • Any crawled vulnerability entry may, for example, take the form "CVE20190004-rdp vulnerability, released on July 02, 2019" (the identifier is the application's own illustrative example).
  • Such an entry states that the affected systems are all versions of the RDP service before version 12.0 and that the release time of the vulnerability is 2019/07/02. Then, based on the last shutdown time and each release time, it is determined whether any of the vulnerabilities (the specified vulnerabilities) has a release time within the specified time period, where the specified time period is the period between the last shutdown time and the current time.
  • If so, the designated cloud host is started in the pre-created security quarantine area, and its network access function is disabled there.
  • In this embodiment, when a new vulnerability affecting the designated cloud host was published during its last shutdown period, the designated cloud host is automatically placed in the pre-created security isolation zone for startup, so that its network access function is temporarily disabled after startup. This effectively prevents the designated cloud host from being intruded upon or attacked through those vulnerabilities while in use, and ensures its security after it is started.
  • step S1 includes:
  • S100 Determine whether an asset management tool is installed in the designated cloud host, where the asset management tool is used to periodically synchronize asset information corresponding to the designated cloud host to the designated cloud platform;
  • the asset information may specifically include the operating system information corresponding to the specified cloud host, as well as the cloud host service information and key application information in the specified cloud host.
  • the cloud platform corresponding to the specified cloud host can be queried. Or by calling the specified scanning tool to obtain the asset information corresponding to the specified cloud host.
  • the asset management tool has a synchronization function for asset information of the specified cloud host.
  • The specified cloud host periodically synchronizes its internal asset information to the corresponding designated cloud platform through the asset management tool, so the designated cloud platform holds the asset information of the designated cloud host.
  • The asset information can then be looked up on the designated cloud platform corresponding to the designated cloud host. If no asset management tool is installed in the designated cloud host, the specified scanning tool is invoked to scan the designated cloud host and obtain the asset information.
  • The specified scanning tool can be nmap. Using nmap, the host cluster sends an operating system detection command to the designated cloud host, nmap -O <target IP>, and derives the asset information from the responses: nmap fingerprints the target's TCP/IP stack to guess the operating system, and with the additional -sV option probes open ports to identify service names and versions, without any agent running on the target. Such fingerprinting is heuristic, so its output should be treated as a best-effort estimate of the host's actual operating system and service versions, not as ground truth. Once the asset information of the designated cloud host has been obtained, it can be used to identify automatically whether the vulnerability database contains vulnerabilities corresponding to the designated cloud host.
  • the method before the foregoing step S2, the method includes:
  • S200 Use crawler tools to grab the first vulnerability information related to various operating systems corresponding to the cloud host and the second vulnerability information related to the cloud host service from the target website in real time;
  • S202 Store the first vulnerability information and the second vulnerability information in the vulnerability database.
  • In this embodiment the process of generating the vulnerability database is also included. Specifically, a crawler tool is first used to fetch, in real time, from the target website the first vulnerability information related to the various operating systems used by cloud hosts and the second vulnerability information related to cloud host services.
  • first vulnerability information may include vulnerability information corresponding to the first vulnerability, and first patch information corresponding to the first vulnerability.
  • second vulnerability information may include vulnerability information corresponding to the second vulnerability, and second patch information corresponding to the second vulnerability.
  • crawler tools refer to web crawlers (also known as web spiders or web robots), which are programs or scripts that automatically crawl information on the World Wide Web in accordance with certain rules.
  • the crawler tool includes but is not limited to the Python crawler tool.
  • The target website is an authoritative website, domestic or foreign, that publishes vulnerabilities related to cloud hosting. Because the contents of this database decide whether a restarted host is exposed to the network, the entries should be fetched from those authoritative sources over authenticated connections (for example HTTPS with certificate validation), and an entry that cannot be parsed should be rejected rather than silently skipped.
  • the host cluster uses a crawler tool to execute a crawler file to crawl vulnerability information that meets the data crawling conditions set by the crawler file.
  • the crawler file includes, but is not limited to, two data crawling conditions of target URL and search keywords.
  • The target URL is the URL, in the crawler file, of the target website from which the first vulnerability information and the second vulnerability information are to be crawled; a URL (short for Uniform Resource Locator) is correct
  • Search keywords refer to keywords in the crawler file that are used to limit the common characteristics of the first vulnerability information and the second vulnerability information to be crawled by the crawler file.
  • After the first vulnerability information and the second vulnerability information have been obtained, a vulnerability database is created and both are stored in it, forming the vulnerability database that is subsequently used to determine whether there are security vulnerabilities that may threaten the specified cloud host.
  • the method before the above step S4, the method includes:
  • S401 Determine the time period included between the last shutdown time and the current time as the designated time period.
  • In this embodiment the step of determining the specified time period is also included.
  • The current time is first obtained.
  • The current time has the same granularity as the last shutdown time; the granularity itself is not specifically limited.
  • For example, the granularity can be year, month and day (the current time could be 2019/07/11), or finer; this is not detailed further here. Both timestamps should be expressed in the same time zone and compared at the same granularity, otherwise a vulnerability released on the day of the shutdown can fall on the wrong side of the boundary and be missed.
  • The time period between the last shutdown time and the current time is determined as the designated time period. For example, if the current time is 2019/07/11 and the last shutdown time is 2019/07/01, the specified time period is 2019/07/01-2019/07/11.
  • This embodiment determines the specified time period from the current time and the last shutdown time of the specified cloud host, which helps to identify accurately, based on that period, whether the vulnerability database contains specified vulnerabilities that threaten the security of the specified cloud host, and then to select the start-up mode for the designated cloud host from the result.
  • the method includes:
  • S500 Determine whether the specified patch corresponding to the specified vulnerability is stored in the vulnerability database
  • S502 Send an installation instruction for installing the specified patch to the specified cloud host, so that the specified cloud host installs the specified patch according to the installation instruction, and returns a corresponding patch installation result, where the patch Installation results include successful or failed installation;
  • S503 Determine whether the specified patch is successfully installed according to the patch installation result returned by the specified cloud host;
  • In this embodiment the designated cloud host is moved out of the security quarantine area only after it has successfully installed the specified patch corresponding to the specified vulnerability, so as to ensure its safety. Specifically, it is first determined whether the vulnerability database stores the specified patch corresponding to the specified vulnerability. If it does, the specified patch is downloaded and stored in a specified storage area in the specified cloud host by a specified transmission method.
  • The specified transmission method is local area network transmission or Bluetooth transmission.
  • After the host cluster downloads the specified patch, it transmits it internally, by the specified transmission method, to the specified storage area in the designated cloud host.
  • Because this transfer never traverses the public network, the designated cloud host cannot be attacked by attackers on the public network while receiving the specified patch, which effectively secures the process of storing the patch.
  • The installation of the specified patch on the designated cloud host likewise does not require network access, which further increases the security of the designated cloud host.
  • The specified storage area is not specifically limited and can be set according to actual needs; for example, it can be a newly created area dedicated to storing the specified patch, or an area with larger free space in the specified cloud host.
  • An installation instruction to install the specified patch is then sent to the specified cloud host, so that the host installs the specified patch according to the instruction and returns the corresponding patch installation result.
  • The patch installation result is either installation success or installation failure.
  • If installation fails, the specified cloud host returns a patch installation result indicating failure.
  • In that case the specified cloud host is not moved out of the security quarantine area; the reason for the failure is first determined, the specified cloud host is then controlled, according to that reason, to re-download and install the specified patch, and only after the specified patch is confirmed to be successfully installed is the specified cloud host moved out of the security quarantine area. Re-checking the asset information after installation (for example, that the RDP service now reports a version at or above the first unaffected version) confirms the result independently of the host's own report. This embodiment restores the normal network access function of the designated cloud host only when the designated patch is successfully installed, effectively ensuring the security of the designated cloud host.
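The start-time decision of steps S1 to S5 above and the patch-then-release rule of steps S500 to S503, as an added worked example that is not code from this application (the application describes the logic in prose only). It runs over constructed data: the one-line entry format is the one quoted in the description, extended with an assumed "affects versions before X.Y" clause and an optional ", patch <id>" suffix; the database entries, host names and function names are assumptions, while the asset information (Windows Server 2012, RDP 11.0) and the 2019/07/01 to 2019/07/11 period are the ones the description uses.

```python
# Added example, not code from the application: the start-time decision of steps
# S1 to S5 and the patch-then-release rule of steps S500 to S503, run over
# constructed data. All names here are assumptions; the description gives no code.
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    service: str                  # component the entry names, e.g. "rdp"
    fixed_in: Tuple[int, ...]     # first version NOT affected: "before 12.0" -> (12, 0)
    released: date
    patch: Optional[str]          # stored patch identifier, None if none was crawled


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


# Parser for the one-line entry format quoted in the description
# ("CVE20190004-rdp vulnerability, released on July 02, 2019"). The
# "affects versions before X.Y" clause and the optional ", patch <id>" suffix
# are assumed additions so that one line carries everything S2 and S500 need.
ENTRY = re.compile(
    r"(?P<id>[A-Za-z0-9]+)-(?P<svc>\w+) vulnerability, released on "
    r"(?P<date>[A-Za-z]+ \d{2}, \d{4}), affects versions before (?P<fixed>[\d.]+)"
    r"(?:, patch (?P<patch>\S+))?"
)


def parse_entry(line: str) -> Vulnerability:
    m = ENTRY.fullmatch(line.strip())
    if m is None:
        # Reject rather than skip: a silently dropped entry would let a host
        # start outside the quarantine area with that vulnerability unpatched.
        raise ValueError(f"unrecognised vulnerability entry: {line!r}")
    return Vulnerability(
        vuln_id=m["id"],
        service=m["svc"].lower(),
        fixed_in=parse_version(m["fixed"]),
        released=datetime.strptime(m["date"], "%B %d, %Y").date(),
        patch=m["patch"],
    )


def affects(asset: Dict, v: Vulnerability) -> bool:
    """S2: does this entry apply to the host's asset information?"""
    version = asset["services"].get(v.service)
    return version is not None and parse_version(version) < v.fixed_in


def new_since_shutdown(asset: Dict, vulns: List[Vulnerability],
                       last_shutdown: date, now: date) -> List[Vulnerability]:
    """S3/S4 (with S401): matching entries released within [last_shutdown, now].
    Both bounds are inclusive: at day granularity an entry published on the
    shutdown day may have appeared after the host went down, so it counts as new."""
    return [v for v in vulns
            if affects(asset, v) and last_shutdown <= v.released <= now]


def decide_start(asset: Dict, vulns: List[Vulnerability],
                 last_shutdown: date, now: date):
    """S5: 'quarantine' (network access disabled) if anything is new, else 'normal'."""
    pending = new_since_shutdown(asset, vulns, last_shutdown, now)
    return ("quarantine" if pending else "normal"), pending


def after_patching(pending: List[Vulnerability], results: Dict[str, str]) -> str:
    """S500-S503: leave quarantine only when every specified patch reports success.
    An entry with no stored patch, or a failed install, keeps the host isolated."""
    ok = all(v.patch is not None and results.get(v.vuln_id) == "success"
             for v in pending)
    return "normal" if ok else "quarantine"


# Constructed vulnerability database; identifiers are illustrative, as in the description.
DB = [parse_entry(line) for line in (
    "CVE20190004-rdp vulnerability, released on July 02, 2019, affects versions before 12.0, patch rdp-12.0-update",
    "CVE20190001-rdp vulnerability, released on June 20, 2019, affects versions before 11.5",
    "CVE20190007-smb vulnerability, released on July 05, 2019, affects versions before 3.1, patch smb-3.1-update",
)]

# Asset information as the description gives it: Windows Server 2012 with RDP 11.0.
HOST = {"os": "windowsserver2012", "services": {"rdp": "11.0"}}
SHUTDOWN, NOW = date(2019, 7, 1), date(2019, 7, 11)   # the description's example period

if __name__ == "__main__":
    mode, pending = decide_start(HOST, DB, SHUTDOWN, NOW)
    print(mode, [v.vuln_id for v in pending])                  # quarantine ['CVE20190004']
    print(after_patching(pending, {"CVE20190004": "failed"}))   # quarantine
    print(after_patching(pending, {"CVE20190004": "success"}))  # normal
```

The second entry was released before the shutdown, so under the application's assumption it was already repaired and does not trigger quarantine; the third names a service the host does not run. Moving the shutdown back to June 1 pulls the second entry into the window, and because no patch was crawled for it the host stays quarantined even after the other patch succeeds, which is the conservative outcome a practitioner wants.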
  • the method includes:
  • S5040 Acquire first usage data of a first host machine corresponding to the designated cloud host according to a first preset period, where the first usage data includes at least a CPU usage rate, a memory usage rate, and a network interface bandwidth usage rate ;
  • S5041 Analyze and process the first usage data, and determine whether the first usage data is greater than a preset standard threshold
  • S5043 Migrate the designated cloud host from the first host to the second host.
  • In this embodiment the host cluster also has an intelligent migration function for the specified cloud host. Specifically, after the specified cloud host has finished starting, the first usage data of the first host machine corresponding to it is acquired according to a first preset period; the period is not specifically limited and can, for example, be set to one hour.
  • The usage data includes CPU usage, memory usage and network interface bandwidth usage. The first usage data is then analyzed to determine whether it is greater than a preset standard threshold.
  • One standard threshold is set for each type of usage data.
  • The specific values of the standard thresholds are not limited; they can be set by the host cluster or by the user according to requirements.
  • For example, the standard threshold for CPU usage can be set to 80%,
  • the standard threshold for memory usage to 75%,
  • and the standard threshold for network interface bandwidth usage to 85%. If the first usage data exceeds the preset standard threshold, the first host machine corresponding to the designated cloud host is currently in a high-load state and has few computing resources to spare.
  • In that case a second host machine whose second usage data is below the standard threshold is sought among all host machines in the host cluster, and the designated cloud host is migrated from the first host machine to that second host machine. Migrating the designated cloud host from an overloaded first host to a less loaded second host optimizes its computing resources, effectively improving its operating efficiency and response speed, and also relieves the first host. Further, if there is more than one second host machine, the designated host machine with the lowest data value of the second usage data is selected among them, and the designated cloud host is migrated from the first host machine to that designated host machine. Selecting the second host with the lowest data value not only improves the operating efficiency and response speed of the designated cloud host but also balances the load across all host machines.
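The host-selection rule of steps S5040 to S5043 above, as an added worked example that is not code from this application. The threshold values are the ones the description suggests; the cluster snapshot, the host names, the function names and the way the three metrics collapse into the single "data value" used for ranking are assumptions.

```python
# Added example, not code from the application: the migration decision of steps
# S5040 to S5043 over a constructed cluster snapshot. Names are assumptions.
from typing import Dict, List, Optional

Usage = Dict[str, float]   # fractions in [0, 1] for "cpu", "mem" and "net"

# Standard thresholds from the description: CPU 80 %, memory 75 %, bandwidth 85 %.
THRESHOLDS: Usage = {"cpu": 0.80, "mem": 0.75, "net": 0.85}


def overloaded(usage: Usage) -> bool:
    """S5041: a host is in the high-load state when ANY metric exceeds its threshold."""
    return any(usage[k] > THRESHOLDS[k] for k in THRESHOLDS)


def load_value(usage: Usage) -> float:
    # Assumption: the "data value" that ranks candidate hosts is the most saturated
    # of the three metrics, so the winner is the host with the most headroom overall.
    return max(usage[k] for k in THRESHOLDS)


def choose_target(current: str, cluster: Dict[str, Usage]) -> Optional[str]:
    """S5043: host to migrate to, or None when the cloud host should stay where it is."""
    if not overloaded(cluster[current]):
        return None                      # first host is within limits: no migration
    candidates: List[str] = [h for h, u in cluster.items()
                             if h != current and not overloaded(u)]
    if not candidates:
        return None                      # every other host is also high-load: stay put
    return min(candidates, key=lambda h: load_value(cluster[h]))


# Constructed snapshot taken at one "first preset period" tick.
CLUSTER: Dict[str, Usage] = {
    "host-a": {"cpu": 0.91, "mem": 0.60, "net": 0.40},   # CPU over 80 %: overloaded
    "host-b": {"cpu": 0.50, "mem": 0.78, "net": 0.30},   # memory over 75 %: not eligible
    "host-c": {"cpu": 0.40, "mem": 0.45, "net": 0.70},   # eligible, data value 0.70
    "host-d": {"cpu": 0.35, "mem": 0.50, "net": 0.20},   # eligible, lowest data value 0.50
}

if __name__ == "__main__":
    print(choose_target("host-a", CLUSTER))   # host-d
```

Note that a candidate is excluded as soon as one of its metrics is over threshold (host-b here), so a migration can never land the cloud host on another machine that is already high-load on a different resource; when no eligible host exists the function returns None and the cloud host stays where it is.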
  • The method further includes:
  • S5044: acquire the available resource space in the cloud hard disk corresponding to the designated cloud host according to a second preset period;
  • S5045: analyze the available resource space and determine whether it is less than a preset resource space threshold;
  • S5046: if so, screen out the junk data in the cloud hard disk;
  • S5047: send a garbage removal instruction to the designated cloud host so that the designated cloud host clears the junk data according to that instruction.
  • In this embodiment the available resource space of a designated cloud host in normal working state is monitored so that the designated cloud host always has sufficient available resource space.
  • Specifically, the available resource space in the cloud hard disk corresponding to the designated cloud host is acquired according to a second preset period. The second preset period is not limited here; it can be set to one hour, for example. It is then judged whether the available resource space is less than the preset resource space threshold.
  • The specific value of the resource space threshold is not limited here.
  • For example, the resource space threshold can be set to 5 GB. If the available resource space is less than the threshold, the designated cloud host has little space left and its cloud hard disk is under pressure, so the junk data on the cloud hard disk is screened out.
  • The junk data includes leftover configuration files of the designated cloud host, useless temporary files, useless files left behind by deleted or uninstalled software, files left behind when a hard disk and/or volume was not formatted successfully, and so on. After the junk data has been screened out, the garbage removal instruction is sent to the designated cloud host, which cleans up the junk data according to that instruction.
  • The junk data can be cleaned up by the management tool or by the designated cloud host itself.
  • This embodiment automatically removes junk data from the cloud hard disk corresponding to the designated cloud host when the host's available resources run low. This reduces the pressure on the designated cloud host, frees redundant and useless resources on it, handles the junk data on its cloud hard disk in an orderly and timely manner, avoids unnecessary waste of resources, improves the utilization of the designated cloud host's internal resources, and ultimately improves its operating efficiency and response speed.
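The space check and junk-data screening above, as an added example that is not the patent's code. It builds a small constructed directory tree standing in for the cloud hard disk, compares a (constructed) free-space figure against the 5 GB threshold quoted on the page, screens files against junk patterns, and deletes only what the screening produced. The junk patterns are illustrative assumptions chosen to cover the four categories the page lists; the free-space numbers are passed in rather than read from a real volume so the example runs offline.

```python
"""Available-space check and junk-file cleanup (added example).

Models the page's steps: acquire available space, compare it with the
resource space threshold, screen junk data, then remove it. The patterns,
the directory layout and the free-space figures are constructed.
"""
import os
import re
import tempfile
from typing import List, Tuple

RESOURCE_SPACE_THRESHOLD = 5 * 1024 ** 3  # 5 GB, the example value given on the page

# Assumed junk categories; the page names the categories, not the patterns.
JUNK_PATTERNS = [
    (re.compile(r".*\.tmp$"), "useless temporary file"),
    (re.compile(r".*~$"), "editor backup left behind"),
    (re.compile(r".*\.(orig|rej|dpkg-old|rpmsave)$"), "leftover configuration file"),
    (re.compile(r".*\.part$"), "leftover of an unfinished write or format"),
]


def needs_cleanup(available_bytes: int, threshold: int = RESOURCE_SPACE_THRESHOLD) -> bool:
    """S5045: cleanup is triggered only when free space is below the threshold."""
    return available_bytes < threshold


def screen_junk(root: str) -> List[Tuple[str, str]]:
    """S5046: walk the disk without following links and return (path, reason)
    for every regular file whose name matches a junk pattern."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # A symlink named like junk could point anywhere; never act through it.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for pattern, reason in JUNK_PATTERNS:
                if pattern.match(name):
                    found.append((path, reason))
                    break
    return sorted(found)


def remove_junk(root: str, junk: List[Tuple[str, str]]) -> int:
    """S5047: delete only what screening produced, and only inside the disk root."""
    real_root = os.path.realpath(root)
    removed = 0
    for path, _reason in junk:
        if os.path.islink(path):
            continue
        real = os.path.realpath(path)
        if os.path.commonpath([real_root, real]) != real_root:
            continue  # refuse anything that resolves outside the cloud disk
        os.remove(path)
        removed += 1
    return removed


def run_cycle(root: str, available_bytes: int) -> int:
    """One monitoring period; returns the number of files removed."""
    if not needs_cleanup(available_bytes):
        return 0
    return remove_junk(root, screen_junk(root))


def build_sample_tree() -> str:
    """Constructed stand-in for the cloud hard disk (four junk files, two to keep)."""
    root = tempfile.mkdtemp(prefix="clouddisk-")
    layout = {
        "etc/app.conf": "keep",
        "etc/app.conf.dpkg-old": "junk",
        "var/tmp/upload.tmp": "junk",
        "home/user/notes.txt~": "junk",
        "home/user/notes.txt": "keep",
        "data/image.img.part": "junk",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    try:
        # A junk-named link pointing outside the disk must be ignored, not followed.
        os.symlink("/etc/hostname", os.path.join(root, "var/tmp/escape.tmp"))
    except OSError:
        pass  # platforms without symlink support still run the rest
    return root


if __name__ == "__main__":
    disk = build_sample_tree()
    print("no cleanup at 10 GB free:", run_cycle(disk, 10 * 1024 ** 3))
    print("removed at 1 GB free:", run_cycle(disk, 1 * 1024 ** 3))
```

Because the removal instruction is issued by the management plane and executed on the cloud host, the host-side deletion is deliberately limited to paths the screening step produced and that resolve inside the disk root; a more permissive cleaner would let a planted symlink turn a housekeeping task into deletion of arbitrary files.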
  • An embodiment of the present application also provides a secure boot device for a cloud host, including:
  • a first obtaining module 1, configured to obtain, when a user-triggered start instruction for a designated cloud host is received, asset information corresponding to the designated cloud host according to a preset rule, where the asset information includes at least operating system information;
  • a first judgment module 2, configured to judge whether a preset vulnerability database stores one or more vulnerabilities corresponding to the asset information of the designated cloud host;
  • a second obtaining module 3, configured to obtain, if so, the last shutdown time of the designated cloud host and the release time of each of the vulnerabilities;
  • a second judgment module 4, configured to judge, according to the last shutdown time and each release time, whether any of the vulnerabilities is a specified vulnerability whose release time falls within a specified period;
  • an isolation module 5, configured to start, if so, the designated cloud host in a pre-created security isolation area, in which the network access function of the designated cloud host is disabled.
  • The functions and roles of the first obtaining module, first judgment module, second obtaining module, second judgment module and isolation module of the secure boot device are implemented as described for steps S1 to S5 of the secure boot method above and are not repeated here.
  • The first obtaining module includes:
  • a first determining unit, configured to determine whether an asset management tool is installed in the designated cloud host, where the asset management tool periodically synchronizes the asset information of the designated cloud host to the designated cloud platform;
  • a first searching unit, configured to look up the asset information on the designated cloud platform if the asset management tool is installed;
  • a first calling unit, configured to call a designated scanning tool to scan the designated cloud host and thereby obtain the asset information if the asset management tool is not installed.
  • The functions and roles of the first determining unit, first searching unit and first calling unit of the secure boot device are implemented as described for steps S100 to S102 of the secure boot method and are not repeated here.
  • The secure boot device further includes:
  • a crawling module, configured to crawl, in real time and through a crawler tool, first vulnerability information about the operating systems that cloud hosts run and second vulnerability information about cloud host services from the target website;
  • a first storage module, configured to store the first vulnerability information and the second vulnerability information in the vulnerability database.
  • The functions and roles of the crawling module, creation module and first storage module of the secure boot device are implemented as described for steps S200 to S202 of the secure boot method and are not repeated here.
  • The secure boot device further includes:
  • a third obtaining module, configured to obtain the current time;
  • a first determining module, configured to determine the period between the last shutdown time and the current time as the specified period.
  • The functions and roles of the third obtaining module and first determining module of the secure boot device are implemented as described for steps S400 to S401 of the secure boot method and are not repeated here.
  • The secure boot device further includes:
  • a second determining module, configured to determine whether the vulnerability database stores a specified patch corresponding to the specified vulnerability;
  • a second storage module, configured to download the specified patch, if so, and store it in a specified storage area of the designated cloud host through a specified transmission method;
  • a first sending module, configured to send an installation instruction for the specified patch to the designated cloud host, so that the designated cloud host installs the specified patch according to the instruction and returns a patch installation result indicating installation success or installation failure;
  • a third judgment module, configured to judge from the returned patch installation result whether the specified patch was installed successfully;
  • a transfer module, configured to transfer the designated cloud host out of the security isolation area once the specified patch has been installed successfully, restoring its normal network access function.
  • The functions and roles of the second determining module, second storage module, first sending module, third judgment module and transfer module of the secure boot device are implemented as described for steps S500 to S504 of the secure boot method and are not repeated here.
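The decision made by modules 1 to 5 above, together with the specified-period rule (last shutdown time to current time) and the patch-and-release modules just described, written out as one added example. This is not code from the patent; the vulnerability records, asset information, identifiers and the simulated install results are constructed assumptions. It implements the page's rule as stated: a vulnerability counts as "specified" only if its release time falls after the last shutdown and no later than now, and the host leaves the isolation area only when every specified vulnerability has a patch and that patch installed successfully.

```python
"""Secure-boot decision and isolation lifecycle for a cloud host (added example).

Steps S1-S5: match asset information against the vulnerability database,
keep vulnerabilities released inside (last_shutdown, now], and start the
host in isolation when any remain. Steps S500-S504: install patches and
lift isolation only on complete success. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str               # hypothetical identifier, not a real advisory ID
    os_name: str
    os_version: str
    released: datetime
    patch_id: Optional[str] = None  # None: the database holds no patch for it


@dataclass
class CloudHost:
    name: str
    os_name: str
    os_version: str
    last_shutdown: datetime
    isolated: bool = False
    network_enabled: bool = True
    installed_patches: List[str] = field(default_factory=list)


def matching_vulns(host: CloudHost, vuln_db: List[Vulnerability]) -> List[Vulnerability]:
    """S2: vulnerabilities whose asset information matches the host's OS."""
    return [v for v in vuln_db
            if (v.os_name, v.os_version) == (host.os_name, host.os_version)]


def specified_vulns(host: CloudHost, vuln_db: List[Vulnerability],
                    now: datetime) -> List[Vulnerability]:
    """S3-S4 with the S400-S401 period: released after the last shutdown, up to now."""
    return [v for v in matching_vulns(host, vuln_db)
            if host.last_shutdown < v.released <= now]


def start_host(host: CloudHost, vuln_db: List[Vulnerability],
               now: datetime) -> List[Vulnerability]:
    """S5: start inside the isolation area (network off) if anything is pending."""
    pending = specified_vulns(host, vuln_db, now)
    if pending:
        host.isolated = True
        host.network_enabled = False
    return pending


def remediate(host: CloudHost, pending: List[Vulnerability],
              install: Callable[[CloudHost, str], bool]) -> bool:
    """S500-S504: install each specified patch; lift isolation only when all succeeded.

    `install` stands in for the sending module plus the host's returned result.
    A vulnerability with no patch, or a failed install, keeps the host isolated.
    """
    all_ok = True
    for v in pending:
        if v.patch_id is None or not install(host, v.patch_id):
            all_ok = False
            continue
        host.installed_patches.append(v.patch_id)
    if all_ok:
        host.isolated = False
        host.network_enabled = True
    return all_ok


def T(stamp: str) -> datetime:
    """Constructed UTC timestamps for the sample data."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed vulnerability database; OS names and versions are illustrative.
VULN_DB = [
    Vulnerability("VULN-OLD", "CentOS", "7.6", T("2019-01-10T00:00:00"), "PATCH-OLD"),
    Vulnerability("VULN-NEW", "CentOS", "7.6", T("2019-10-01T00:00:00"), "PATCH-NEW"),
    Vulnerability("VULN-OTHER-OS", "Ubuntu", "18.04", T("2019-10-02T00:00:00"), "PATCH-X"),
    Vulnerability("VULN-NOPATCH", "CentOS", "7.6", T("2019-10-05T00:00:00"), None),
]


def make_host() -> CloudHost:
    return CloudHost("vm-1", "CentOS", "7.6", last_shutdown=T("2019-09-20T00:00:00"))


def demo_now() -> datetime:
    return T("2019-10-10T00:00:00")


def install_ok(host: CloudHost, patch_id: str) -> bool:
    return True  # simulated "installation success" result


def install_fails(host: CloudHost, patch_id: str) -> bool:
    return False  # simulated "installation failure" result


if __name__ == "__main__":
    vm = make_host()
    pending = start_host(vm, VULN_DB, demo_now())
    print("pending:", [v.vuln_id for v in pending], "isolated:", vm.isolated)
    print("released:", remediate(vm, pending, install_ok), "isolated:", vm.isolated)
```

Note what the page's window rule does not cover: `VULN-OLD` was released before the last shutdown, so it is never "specified" even if its patch was never installed. A deployment of this scheme would normally also compare the database against the host's installed patches, which is outside what the page describes.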
  • The secure boot device further includes:
  • a fourth obtaining module, configured to obtain, according to a first preset period, first usage data of the first host machine on which the designated cloud host runs, where the first usage data includes at least a CPU usage rate, a memory usage rate and a network interface bandwidth usage rate;
  • a fourth judgment module, configured to analyze the first usage data and judge whether it exceeds a preset standard threshold;
  • a searching module, configured to find, if so, a second host machine whose second usage data is below the standard threshold among all host machines;
  • a migration module, configured to migrate the designated cloud host from the first host machine to the second host machine.
  • The functions and roles of the fourth obtaining module, fourth judgment module, searching module and migration module of the secure boot device are implemented as described for steps S5040 to S5043 of the secure boot method and are not repeated here.
  • The secure boot device further includes:
  • a fifth obtaining module, configured to obtain the available resource space in the cloud hard disk corresponding to the designated cloud host according to a second preset period;
  • a fifth judgment module, configured to analyze the available resource space and judge whether it is less than a preset resource space threshold;
  • a screening module, configured to screen out, if so, the junk data in the cloud hard disk;
  • a second sending module, configured to send a garbage removal instruction to the designated cloud host so that the designated cloud host clears the junk data according to that instruction.
  • The functions and roles of the fifth obtaining module, fifth judgment module, screening module and second sending module of the secure boot device are implemented as described for steps S5044 to S5047 of the secure boot method and are not repeated here.
  • An embodiment of the present application also provides a computer device.
  • The computer device may be a server whose internal structure is as shown in FIG. 3.
  • The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device provides calculation and control capabilities.
  • The memory of the computer device includes a volatile or non-volatile storage medium and an internal memory.
  • The volatile or non-volatile storage medium stores an operating system, computer-readable instructions and a database.
  • The internal memory provides the environment in which the operating system and the computer-readable instructions stored in the storage medium run.
  • The database of the computer device stores data such as asset information and vulnerabilities.
  • The network interface of the computer device communicates with external terminals over a network connection.
  • When the computer-readable instructions are executed by the processor, the secure boot method for a cloud host of any of the above embodiments is realized.
  • FIG. 3 is only a block diagram of the part of the structure related to the solution of the present application and does not limit the devices and computer equipment to which the solution may be applied.
  • An embodiment of the present application also provides a computer-readable storage medium.
  • The computer-readable storage medium may be volatile or non-volatile, and computer-readable instructions are stored on it.
  • When the computer-readable instructions are executed by one or more processors, the steps of the secure boot method for a cloud host in the foregoing embodiments are realized.
  • In summary, with the secure boot method, device, computer device and storage medium for a cloud host described above: when a user-triggered start instruction for a designated cloud host is received, asset information of the designated cloud host, including at least operating system information, is obtained according to a preset rule; it is judged whether a preset vulnerability database stores one or more vulnerabilities corresponding to that asset information; if so, the last shutdown time of the designated cloud host and the release time of each vulnerability are obtained; from the last shutdown time and the release times it is judged whether any vulnerability is a specified vulnerability whose release time falls within the specified period; and if so, the designated cloud host is started in a pre-created security isolation area in which its network access function is disabled.
  • In other words, whenever a new vulnerability affecting the designated cloud host was released while it was shut down, the application starts the designated cloud host inside the pre-created security isolation area and temporarily disables its network access after start-up. This prevents the designated cloud host from being intruded or attacked through that vulnerability while in use and secures it after start-up.
  • Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory may include random access memory (RAM) or external cache memory.
  • RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a secure boot method and apparatus for a cloud host, and to a computer device and a storage medium. The method includes the following steps: when a user-triggered start instruction for a specified cloud host is received, acquiring, according to a preset rule, asset information corresponding to the specified cloud host; determining whether vulnerabilities corresponding to the asset information of the specified cloud host are stored in a preset vulnerability database; if so, acquiring the last shutdown time of the specified cloud host and the release times corresponding to the respective vulnerabilities; determining, according to the last shutdown time and the release times, whether there is among all the vulnerabilities a specified vulnerability whose release time falls within a specified period; and if so, starting the specified cloud host in a pre-created security isolation area. With the present application, the specified cloud host can be protected effectively against intrusion or attack through vulnerabilities during use, and the security of the specified cloud host after start-up is guaranteed.
PCT/CN2019/118430 2019-10-15 2019-11-14 Secure boot method and apparatus for cloud host, and computer device and storage medium WO2021072877A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910979050.1 2019-10-15
CN201910979050.1A CN111090470A (zh) 2019-10-15 2019-10-15 Secure boot method and device for cloud host, computer device and storage medium

Publications (1)

Publication Number Publication Date
WO2021072877A1 true WO2021072877A1 (fr) 2021-04-22

Family

ID=70394178

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/118430 WO2021072877A1 (fr) 2019-10-15 2019-11-14 Secure boot method and apparatus for cloud host, and computer device and storage medium

Country Status (2)

Country Link
CN (1) CN111090470A (fr)
WO (1) WO2021072877A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105204902A (zh) * 2015-09-24 2015-12-30 华为技术有限公司 Security patch upgrade method and device for a virtual machine
US20180053001A1 (en) * 2016-08-16 2018-02-22 International Business Machines Corporation Security fix of a container in a virtual machine environment
CN110059007A (zh) * 2019-04-03 2019-07-26 北京奇安信科技有限公司 System vulnerability scanning method, device, computer device and storage medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004102479A (ja) * 2002-09-06 2004-04-02 Hitachi Software Eng Co Ltd Vulnerability inspection information providing system and method
US20100175108A1 (en) * 2009-01-02 2010-07-08 Andre Protas Method and system for securing virtual machines by restricting access in connection with a vulnerability audit
US20100199351A1 (en) * 2009-01-02 2010-08-05 Andre Protas Method and system for securing virtual machines by restricting access in connection with a vulnerability audit
US8806621B2 (en) * 2009-11-16 2014-08-12 Noblis, Inc. Computer network security platform
CN103457974A (zh) * 2012-06-01 2013-12-18 中兴通讯股份有限公司 Security control method and device for virtual machine images
CN103095599A (zh) * 2013-01-18 2013-05-08 浪潮电子信息产业股份有限公司 Dynamic feedback weighted comprehensive load scheduling method in a cloud computing operating system
CN106293871A (zh) * 2016-07-22 2017-01-04 浪潮(北京)电子信息产业有限公司 Resource scheduling method for clustered virtual machines
CN107463428B (zh) * 2017-06-29 2020-06-02 北京北信源软件股份有限公司 Patch management method and device for a virtualized environment
CN108134842A (zh) * 2018-01-26 2018-06-08 广东睿江云计算股份有限公司 System and method for migrating a cloud host according to a load policy
CN109218336B (zh) * 2018-11-16 2021-02-19 北京知道创宇信息技术股份有限公司 Vulnerability defense method and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220342690A1 (en) * 2021-04-26 2022-10-27 Orca Security Forward and Rearward Facing Attack Vector Visualization
US11582257B2 (en) 2021-04-26 2023-02-14 Orca Security Prioritizing internet-accessible workloads for cyber security
US11616803B2 (en) 2021-04-26 2023-03-28 Orca Security LTD. Hybrid deployment of ephemeral scanners
US11627154B2 (en) * 2021-04-26 2023-04-11 Orca Security LTD. Forward and rearward facing attack vector visualization
US11637855B2 (en) 2021-04-26 2023-04-25 Orca Security LTD. Systems and methods for managing cyber vulnerabilities
US11848956B2 (en) 2021-04-26 2023-12-19 Orca Security LTD. Systems and methods for disparate risk information aggregation
US11888888B2 (en) 2021-04-26 2024-01-30 Orca Security LTD. Systems and methods for passive key identification
US11943251B2 (en) 2021-04-26 2024-03-26 Orca Security Systems and methods for malware detection

Also Published As

Publication number Publication date
CN111090470A (zh) 2020-05-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19949521

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19949521

Country of ref document: EP

Kind code of ref document: A1