WO2021097713A1 - Distributed security testing system, method and device, and storage medium - Google Patents


Info

Publication number
WO2021097713A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
security
target data
detected
control device
Application number
PCT/CN2019/119724
Other languages
French (fr)
Chinese (zh)
Inventor
黄长权
吴坪
李新刚
Original Assignee
阿里巴巴集团控股有限公司
Application filed by 阿里巴巴集团控股有限公司
Priority to PCT/CN2019/119724 (WO2021097713A1)
Priority to CN201980100728.2A (CN114450920A)
Publication of WO2021097713A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Definitions

  • This application relates to the field of Internet security technology, and in particular to a distributed security detection system, method, device, and storage medium.
  • Various aspects of this application provide a distributed security detection system, method, equipment, and storage medium to solve the information security problems faced by the network environment and improve information security.
  • An embodiment of the present application provides a distributed security detection system, which includes at least one data collection device, at least one data detection device, and at least one security prevention and control device. The at least one data collection device is configured to collect the data to be detected from the network messages passing through a network node and to distribute the data to be detected to the at least one data detection device. The at least one data detection device is configured to scan the data to be detected according to a first scanning rule, and to provide the first target data (the data to be detected that meets a first security analysis rule) together with the attribute information and scanning result information of the first target data to the at least one security prevention and control device. The at least one security prevention and control device is configured to perform security analysis on the first target data according to the attribute information and scanning result information of the first target data.
  • An embodiment of the present application also provides a data processing method suitable for a data detection device in the distributed security detection system. The method includes: receiving the data to be detected sent by a data collection device in the distributed security detection system; scanning the data to be detected according to the first scanning rule to obtain scanning result information of the data to be detected; determining, according to the first security analysis rule, the first target data in the data to be detected that meets the first security analysis rule; and providing the first target data together with its attribute information and scanning result information to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
  • An embodiment of the present application also provides a data processing method suitable for the first security prevention and control device in the distributed security detection system. The method includes: obtaining the first target data provided by the data detection device in the distributed security detection system together with the attribute information and scanning result information of the first target data; and performing security analysis on the first target data according to that attribute information and scanning result information. The first target data is the data that meets the first security analysis rule among the data to be detected received by the data detection device, and the scanning result information of the first target data is obtained by the data detection device scanning the first target data according to the first scanning rule.
  • An embodiment of the present application also provides a data processing method suitable for the second security prevention and control device in the distributed security detection system. The method includes: receiving a scan request sent by the data detection device in the distributed security detection system, the scan request being sent by the data detection device when the data to be detected cannot be successfully scanned according to the first scanning rule; reading the data to be detected from the data storage system in the distributed security detection system according to the scan request; and scanning the data to be detected according to a second scanning rule to obtain scanning result information of the data to be detected.
  • An embodiment of the present application also provides a data detection device including a memory, a processor, and a communication component. The memory is used to store a computer program; the processor is coupled to the memory and executes the stored computer program in order to: receive, through the communication component, the data to be detected sent by the data collection device in the distributed security detection system; scan the data to be detected according to the first scanning rule to obtain scanning result information of the data to be detected; and determine, according to the first security analysis rule, the first target data that meets the first security analysis rule among the data to be detected.
  • An embodiment of the present application also provides a security prevention and control device including a memory and a processor. The memory is used to store a computer program; the processor is coupled to the memory and executes the computer program stored in the memory in order to: acquire the first target data provided by a data detection device in a distributed security detection system together with the attribute information and scanning result information of the first target data; and perform security analysis on the first target data according to that attribute information and scanning result information. The first target data is the data that meets the first security analysis rule among the data to be detected received by the data detection device, and the scanning result information of the first target data is obtained by the data detection device scanning the first target data according to the first scanning rule.
  • An embodiment of the present application also provides a security prevention and control device that can be implemented as the second security prevention and control device in a distributed security detection system. The device includes a memory, a processor, and a communication component. The memory is used to store a computer program; the processor is coupled to the memory and executes the computer program stored in the memory in order to: receive, through the communication component, a scan request from the data detection device in the distributed security detection system, the scan request being sent by the data detection device when the data to be detected cannot be successfully scanned according to the first scanning rule; read the data to be detected from the data storage system in the distributed security detection system according to the scan request; and scan the data to be detected according to the second scanning rule to obtain scanning result information of the data to be detected.
  • An embodiment of the present application also provides a distributed security detection system including a producer module, a consumer module, a buffer module, and a cloud analysis module. The producer module is used to collect the data to be detected and write it into the buffer module. The consumer module is used to read the data to be detected from the buffer module when it detects that data to be detected has been written into the buffer module, to scan the data to be detected, and to provide the first target data that requires security detection among the data to be detected, together with its attribute information and scanning result information, to the cloud analysis module. The cloud analysis module is used to perform security analysis on the first target data according to the attribute information and scanning result information of the first target data.
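The producer / buffer / consumer / cloud-analysis arrangement described above, as an added example that is not part of the patent and not the applicant's code: a producer thread writes collected items into a bounded buffer, consumer threads read them as they arrive, scan them against a toy keyword rule, and hand only the items that need analysis to a cloud-analysis callable. The item list, the `CONFIDENTIAL` marker and the thread/queue layout are all constructed for illustration.

```python
import queue
import threading
from typing import Callable, List, Optional, Tuple

# Constructed sample input (not from the patent): items a producer module
# would collect, and a toy first scanning rule made of marker keywords.
SAMPLE_ITEMS = [
    "quarterly report draft",
    "customer list CONFIDENTIAL",
    "lunch menu",
    "salary sheet CONFIDENTIAL",
]
MARKER_KEYWORDS = ("CONFIDENTIAL",)


def scan(item: str) -> List[str]:
    """Consumer-side scan: names of the markers the item matches (empty = no hit)."""
    return [k for k in MARKER_KEYWORDS if k in item]


def run_pipeline(
    items: List[str],
    n_consumers: int = 2,
    buffer_size: int = 2,
    cloud_analysis: Optional[Callable[[str, List[str]], None]] = None,
) -> List[Tuple[str, List[str]]]:
    """Producer writes items into a bounded buffer; consumer threads read them,
    scan them, and hand only the items that need security analysis (the first
    target data) to the cloud analysis callable. Returns, sorted, what the
    cloud analysis module received."""
    buffer: "queue.Queue[Optional[str]]" = queue.Queue(maxsize=buffer_size)
    received: List[Tuple[str, List[str]]] = []
    lock = threading.Lock()

    def producer() -> None:
        for item in items:
            buffer.put(item)  # blocks when the buffer is full: natural backpressure
        for _ in range(n_consumers):
            buffer.put(None)  # one end-of-stream sentinel per consumer

    def consumer() -> None:
        while True:
            item = buffer.get()
            if item is None:
                break
            hits = scan(item)
            if not hits:
                continue  # nothing for the analysis module; drop it here
            with lock:
                received.append((item, hits))
                if cloud_analysis is not None:
                    cloud_analysis(item, hits)

    threads = [threading.Thread(target=producer)]
    threads += [threading.Thread(target=consumer) for _ in range(n_consumers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(received)


if __name__ == "__main__":
    for item, hits in run_pipeline(SAMPLE_ITEMS):
        print(f"analyse: {item!r} matched {hits}")
```

The bounded queue is what decouples collection from scanning: the producer never outruns the consumers by more than `buffer_size` items, and adding consumers is the only change needed to scale scanning.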
  • An embodiment of the present application also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, the processor is caused to implement the steps in the method embodiments of the present application.
  • In the embodiments of the present application, a distributed data security detection solution is used to solve the information security problem in the network environment: data collection, scanning, and analysis are separated and the key links in data security detection are decoupled, so that the resources required for data security detection are distributed across multiple devices. This makes resource bottlenecks unlikely, which is conducive to the detection, analysis and protection of large amounts of network data; at the same time, the complexity of the entire distributed system is low, it is easy to deploy and implement, and it has strong flexibility.
  • FIG. 1a is a schematic structural diagram of a distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 1b is a schematic structural diagram of another distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 2 is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 3 is a schematic diagram of the working process of a data detection device provided by an exemplary embodiment of this application.
  • FIG. 4a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application.
  • FIG. 4b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application.
  • FIG. 4c is a schematic flowchart of yet another data processing method provided by an exemplary embodiment of this application.
  • FIG. 4d is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 5 is a schematic structural diagram of a data detection device provided by an exemplary embodiment of this application.
  • FIG. 6 is a schematic structural diagram of a security prevention and control device provided by an exemplary embodiment of this application.
  • FIG. 7 is a schematic structural diagram of another security prevention and control device provided by an exemplary embodiment of this application.
  • In the embodiments of the present application, a distributed data security detection solution is used to solve the information security issues in the network environment. Data collection, scanning and analysis are separated and the key links in data security detection are decoupled, so that the resources required for data security detection are distributed across multiple devices. This makes resource bottlenecks unlikely, which is conducive to the detection, analysis and protection of large amounts of network data, and the entire distributed system has low complexity, is easy to deploy and realize, and has strong flexibility.
  • An exemplary embodiment of the present application provides a distributed security detection system 100, the structure of which is shown in FIG. 1a.
  • the system 100 of this embodiment can be deployed in various network environments, and is responsible for security detection of data transmitted in the network environment, preventing data leakage, and ensuring information security in the network environment.
  • the system 100 of this embodiment can perform data security detection for one or more devices, one or more links, one or more subsystems, or the entire system in a network environment according to security detection requirements.
  • devices, links, subsystems, or systems that require data security detection in various network environments are collectively referred to as network nodes.
  • the system 100 of this embodiment can collect data to be detected from network packets passing through a network node, and perform security detection on the data to be detected, so as to ensure the data security of the network node and prevent the data passing through the network node from being leaked.
  • the system 100 of this embodiment is deployed in a data center system, and is responsible for data security detection of the entire data center system.
  • the gateway device of the data center system can be used as the network node in the embodiment of this application.
  • the system 100 of this embodiment can collect the data to be detected from the network packets passing through the gateway device and conduct security inspections on it, so as to ensure the data security of the data center system and prevent the data in the data center system from being leaked.
  • the system 100 of this embodiment is deployed in a data center system, and is responsible for performing data security detection on a specific server in the data center system.
  • a specific server in the data center system can be used as the network node in the embodiment of this application.
  • the system 100 of this embodiment can collect the data to be detected from the network packets passing through the specific server and conduct security inspections on it, so as to ensure the data security of the specific server and prevent the data passing through the specific server from being leaked.
  • the system 100 of this embodiment is deployed in an enterprise local area network system, and is responsible for data security detection of the enterprise local area network system.
  • the gateway device connected to the enterprise local area network system can be used as the network node in the embodiment of this application.
  • the system 100 of this embodiment can collect the data to be detected from the network packets passing through the gateway device and perform data security checks on it, so as to prevent important company information from being leaked.
  • the system 100 of this embodiment adopts a distributed data security detection scheme, which separates data collection, scanning, and analysis, and decouples key links in data security detection.
  • the system 100 includes: at least one data collection device 101, at least one data detection device 102, and at least one safety prevention and control device 103.
  • At least one data collection device 101 is mainly responsible for collecting the data to be detected from network messages passing through network nodes, and for distributing the data to be detected to at least one data detection device 102.
  • At least one data detection device 102 is mainly responsible for scanning the data to be detected according to the first scanning rule to obtain the scanning result information of the data to be detected, and for providing the first target data that meets the first security analysis rule in the data to be detected, together with the attribute information and scanning result information of the first target data, to at least one security prevention and control device 103.
  • At least one security prevention and control device 103 is mainly responsible for performing security analysis on the first target data according to the received attribute information and scanning result information of the first target data.
  • the data to be detected refers to data objects that may be involved in data security and may need to be tested for security.
  • the manner in which at least one data collection device 101 collects data to be detected from a network message passing through a network node is not limited. According to different application scenarios, the content of data that needs to be tested for data security will be different, and the manner in which the data collection device 101 collects the data to be tested and the collected data to be tested will be different.
  • the data collection device 101 may perform protocol analysis on network messages, parse the payload data from the network messages, and generate the data to be detected based on the parsed payload data. If the payload data in a single network message can express a complete semantic meaning by itself, that payload data can be used directly as the data to be detected. In more scenarios, data content that expresses a complete semantic meaning is encapsulated in multiple network packets for transmission; the data collection device 101 can then parse the payload data from the multiple network packets of the same data stream and combine the payload data of those packets to produce data to be detected that expresses a complete semantic meaning.
  • the data collection device 101 can also directly use the network packet as the data to be detected; or it can perform protocol analysis on the network packet and recombine all the parsed content according to a set data format, using the result as the data to be detected. The data format here refers to the data format required of the data to be detected.
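The multi-packet case described above (payloads of one data stream combined into a unit with complete meaning, then distributed to a detection device), as an added example that is not part of the patent and not the applicant's code. It assumes packets keyed by their 5-tuple and carrying a fragment index, assumes a message is complete when its fragments are contiguous and end with a fixed terminator, and distributes by hashing the 5-tuple so every unit of one flow goes to the same detector; the capture, the terminator and the hash-based distribution are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    """One captured network packet: its 5-tuple, its fragment index within
    the flow (0-based), the payload fragment, and the capture time."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    seq: int
    payload: bytes
    ts: float

    @property
    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class DataToDetect:
    """A unit that expresses a complete semantic meaning, carrying the
    attribute information the detection device will later forward with it."""
    five_tuple: FiveTuple
    content: bytes
    first_ts: float
    last_ts: float
    packet_count: int


class CollectionDevice:
    """Reassembles the payloads of one data stream into data to be detected.
    A message is complete when its fragments are contiguous and the joined
    payload ends with the protocol's terminator (an assumption of this example)."""

    def __init__(self, terminator: bytes = b"\r\n\r\n", max_fragments: int = 64):
        self.terminator = terminator
        self.max_fragments = max_fragments
        self._flows: Dict[FiveTuple, Dict[int, Packet]] = {}

    def ingest(self, pkt: Packet) -> Optional[DataToDetect]:
        key = pkt.five_tuple
        frags = self._flows.setdefault(key, {})
        frags[pkt.seq] = pkt  # duplicates overwrite; out-of-order arrival is fine
        if len(frags) > self.max_fragments:
            del self._flows[key]  # drop runaway flows instead of buffering forever
            return None
        n = len(frags)
        if set(frags) != set(range(n)):
            return None  # a fragment is still missing
        body = b"".join(frags[i].payload for i in range(n))
        if not body.endswith(self.terminator):
            return None  # message not yet complete
        del self._flows[key]
        return DataToDetect(key, body, frags[0].ts, frags[n - 1].ts, n)


def choose_detector(data: DataToDetect, n_detectors: int) -> int:
    """Distribute by hashing the 5-tuple so all units of one flow reach the same detector."""
    digest = hashlib.sha256(repr(data.five_tuple).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_detectors


def collect_all(packets: List[Packet], n_detectors: int) -> List[Tuple[int, bytes]]:
    """Run the packets through one collection device; return (detector, content) pairs."""
    device = CollectionDevice()
    out: List[Tuple[int, bytes]] = []
    for pkt in packets:
        data = device.ingest(pkt)
        if data is not None:
            out.append((choose_detector(data, n_detectors), data.content))
    return out


# Constructed sample capture (not from the patent): flow A arrives out of
# order in two fragments, flow B is one self-contained message, flow C never completes.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "10.0.1.9", 8080, "tcp", 1, b"list.xlsx\r\n\r\n", 1.2),
    Packet("10.0.0.5", 51000, "10.0.1.9", 8080, "tcp", 0, b"GET /export/customer-", 1.0),
    Packet("10.0.0.7", 51002, "10.0.1.9", 8080, "tcp", 0, b"GET /status\r\n\r\n", 1.5),
    Packet("10.0.0.8", 51003, "10.0.1.9", 8080, "tcp", 0, b"GET /partial", 1.7),
]

if __name__ == "__main__":
    for detector, content in collect_all(SAMPLE_PACKETS, n_detectors=3):
        print(detector, content)
```

Flow C shows the failure mode a collector has to handle: a stream that never completes is held until either its terminator arrives or the fragment cap evicts it, so incomplete data is never forwarded as if it carried a full meaning.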
  • scanning rules and security analysis rules that can be used by at least one data detection device 102 are pre-configured.
  • the scanning rules and security analysis rules that can be used by at least one data detection device 102 are referred to as first scanning rules and first security analysis rules, respectively.
  • the first scanning rule and the first security analysis rule can be configured at the local end of at least one data detection device 102, but it is not limited to this.
  • the first scanning rule mainly includes some known data characteristics, which can reflect the characteristics or content of the data to be detected to a certain extent, and can assist in judging whether the data to be detected has a security risk.
  • the first safety analysis rule mainly includes some rules related to subsequent safety analysis.
  • these rules include a data selection rule, which determines which data to be detected needs to be provided to the security prevention and control device 103 for security analysis, that is, whether all of the data to be detected is provided to the security prevention and control device 103 for security analysis or only the data to be detected that meets specific conditions is provided.
  • these rules may also include other rules.
  • these rules may also include device selection rules, which determine which security prevention and control device(s) 103 are used for security analysis, the priority between these security prevention and control devices 103, the active/standby relationship between them, and so on.
  • these rules may also include user selection rules, which determine which user data needs to be provided to the security prevention and control device 103 for security analysis.
  • In different application scenarios, the first scanning rule and the first security analysis rule will also be different, which is not limited in this embodiment.
  • the data detection device 102 scans the data to be detected according to the first scanning rule, which is mainly a process of matching the data to be detected with the first scanning rule.
  • the data detection device 102 also needs to identify data that meets the first safety analysis rule from the data to be detected according to the first safety analysis rule.
  • the data that meets the first safety analysis rule identified by the data detection device 102 from the data to be detected is referred to as the first target data.
  • the sequence between the two operations of scanning the data to be detected by the data detection device 102 and identifying the first target data from the data to be detected is not limited.
  • the two operations can be performed sequentially or in parallel.
  • the operation of scanning the data to be detected can be performed first, followed by the operation of identifying the first target data from the data to be detected; or the first target data can be identified from the data to be detected first and only the first target data is then scanned, so there is no need to scan all of the data to be detected.
  • For any data to be detected, it can first be judged whether the data to be detected conforms to the first security analysis rule. If it conforms, it is determined that the data to be detected can be used as the first target data, and the data is then scanned according to the first scanning rule; if it does not conform, there is no need to perform security analysis on the data, so the operation can end without scanning it, which saves the computing resources of the data detection device 102.
  • In other words, the data to be detected can be processed in the order of first judging whether it meets the first security analysis rule and then scanning it according to the first scanning rule.
  • the attribute information of the first target data refers to some attribute information that the first target data itself has or comes with, such as the type, size, transmission time, quintuple information, and so on of the first target data.
  • the scanning result of the first target data may fall into two cases: the first target data matches one or more scanning rules, or the first target data does not match any scanning rule. The information contained in the scanning result information differs between the two cases.
  • In the first case, the scanning result information of the first target data may include, but is not limited to, the name(s) of the scanning rule(s) that the first target data matches and the details of the match.
  • In the second case, the scanning result information of the first target data may include identifying information or descriptive content indicating that the first target data does not match any scanning rule, but is not limited to this.
  • Alternatively, the scanning result information of the first target data may carry no information items at all, that is, be blank, which also indicates that the first target data does not match any scanning rule.
  • the attribute information and scanning result information of the first target data are the basis for performing security analysis on the first target data.
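A detection device built the way the preceding paragraphs describe (first security analysis rule checked before scanning so that data no control device would analyse is never scanned; attribute information and scanning result information produced for the first target data; a scan request emitted when the data cannot be scanned under the first rule, as in the second-device embodiment above), as an added example that is not part of the patent and not the applicant's code. The named regex patterns, the "monitored sources" selection rule, the size limit and the sample data are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# First scanning rule (assumed form): named patterns for known data
# characteristics. The patterns are illustrative, not the patent's rules.
FIRST_SCANNING_RULES = {
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
    "card_number_like": re.compile(r"\b\d{16}\b"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

# First security analysis rule (assumed form): a data selection rule (all
# data, or only data meeting conditions), a user selection rule (sources
# whose data must be analysed), and a size limit for the first-rule scan.
FIRST_ANALYSIS_RULE = {
    "select_all": False,
    "monitored_sources": [ipaddress.ip_network("10.0.0.0/8")],
    "max_scan_bytes": 4096,
}


@dataclass
class DataToDetect:
    content: bytes
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    transmission_time: float
    data_type: str = "text"


@dataclass
class TargetReport:
    """What the detection device forwards for the first target data."""
    data: DataToDetect
    attributes: Dict[str, object]
    scan_result: Dict[str, List[str]]  # empty dict: matched no scanning rule


@dataclass
class ScanRequest:
    """Sent to the second security prevention and control device when the data
    cannot be scanned under the first rule; that device re-reads it from storage."""
    storage_key: str
    reason: str


def meets_analysis_rule(d: DataToDetect) -> bool:
    if FIRST_ANALYSIS_RULE["select_all"]:
        return True
    src = ipaddress.ip_address(d.src_ip)
    return any(src in net for net in FIRST_ANALYSIS_RULE["monitored_sources"])


def attribute_info(d: DataToDetect) -> Dict[str, object]:
    """Type, size, transmission time and 5-tuple: the attribute information of the data."""
    return {
        "type": d.data_type,
        "size": len(d.content),
        "transmission_time": d.transmission_time,
        "five_tuple": (d.src_ip, d.src_port, d.dst_ip, d.dst_port, d.proto),
    }


def scan(d: DataToDetect) -> Dict[str, List[str]]:
    """Rule name -> matched content, for every scanning rule that hits."""
    text = d.content.decode("utf-8")  # raises UnicodeDecodeError on non-text content
    return {name: rx.findall(text) for name, rx in FIRST_SCANNING_RULES.items() if rx.search(text)}


def detect(d: DataToDetect, storage_key: str) -> Optional[Union[TargetReport, ScanRequest]]:
    """Analysis rule first, then scan: data no control device would analyse is never scanned."""
    if not meets_analysis_rule(d):
        return None
    if len(d.content) > FIRST_ANALYSIS_RULE["max_scan_bytes"]:
        return ScanRequest(storage_key, "content exceeds the first-rule scan size limit")
    try:
        result = scan(d)
    except UnicodeDecodeError:
        return ScanRequest(storage_key, "content cannot be decoded under the first scanning rule")
    return TargetReport(d, attribute_info(d), result)


# Constructed samples (not from the patent).
SAMPLES = {
    "monitored_hit": DataToDetect(b"customer list CONFIDENTIAL, contact alice@example.com",
                                  "10.1.2.3", 40001, "198.51.100.7", 443, "tcp", 1700000000.0),
    "monitored_clean": DataToDetect(b"meeting moved to noon", "10.0.0.1", 40002, "10.0.1.9", 80, "tcp", 1700000001.0),
    "unmonitored": DataToDetect(b"customer list CONFIDENTIAL", "192.168.1.5", 40003, "10.0.1.9", 80, "tcp", 1700000002.0),
    "binary": DataToDetect(b"\xff\xfe\x00\x01", "10.9.9.9", 40004, "10.0.1.9", 80, "tcp", 1700000003.0),
}
```

`detect` returns three different things on purpose: `None` means the data was filtered out by the analysis rule and was never scanned, a `TargetReport` with an empty `scan_result` is the "blank" case the text describes, and a `ScanRequest` is the hand-off to the second security prevention and control device.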
  • At least one data detection device 102 provides the first target data together with its attribute information and scanning result information to at least one security prevention and control device 103, and the at least one security prevention and control device 103 can perform security analysis on the first target data based on that attribute information and scanning result information.
  • the security analysis method and type are not limited, and all analysis methods and types that have a security prevention and control effect are applicable to the embodiments of this application.
  • at least one security prevention and control device 103 can perform various types of security analysis such as comprehensive data analysis or burst analysis on the first target data.
  • at least one security prevention and control device 103 can also use, but is not limited to, the following manners to perform security analysis on the first target data:
  • Manner 1: According to the attribute information and scanning result information of the first target data, analyze whether the frequency of the first target data within a certain period of time meets the set threshold requirement; this is referred to as frequency-based security analysis.
  • Manner 2: According to the attribute information and scanning result information of the first target data, analyze whether the access volume of the first target data within a certain period of time meets the set access volume requirement; this is referred to as access-volume-based security analysis.
  • Manner 3: According to the attribute information and scanning result information of the first target data, analyze whether the permission of the visitor of the first target data belongs to the set legal permissions; this is referred to as access-permission-based security analysis.
  • Manner 4: According to the attribute information and scanning result information of the first target data, analyze whether the receiving address of the first target data belongs to the set legal receiving addresses; this is referred to as address-based security analysis.
  • Manner 5: According to the attribute information and scanning result information of the first target data, analyze whether the transmission time of the first target data falls within a reasonable time range; this is referred to as time-based security analysis.
  • Based on the security analysis, at least one security prevention and control device 103 can determine whether the first target data has an information leakage risk, and when it does, corresponding measures can be taken to further prevent information leakage.
  • the measures taken to prevent information leakage are not limited.
  • the network node through which the first target data passes may be notified to intercept the network message corresponding to the first target data.
  • the interception processing here mainly refers to preventing the network message corresponding to the first target data from being forwarded. Further, information such as the user and device that issued the first target data can also be analyzed, so as to warn the user or device that issued the first target data, restrict authority, or perform key monitoring.
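A security prevention and control device that applies Manners 1 to 5 above and turns the result into a decision for the network node (forward, warn, or intercept), as an added example that is not part of the patent and not the applicant's code. The sliding-window thresholds, the legal permission and address sets, the working-hours range, the three-way decision rule and the sample targets are all constructed; the patent itself leaves the analysis methods and the measures taken open.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple


@dataclass
class Target:
    """First target data as received from a detection device: attribute
    information plus scanning result information (constructed format)."""
    data_id: str
    visitor: str
    permission: str
    receiving_address: str
    transmission_time: datetime
    size: int
    scan_result: Dict[str, List[str]]


# Thresholds for the five analysis manners (assumed values, not the patent's).
POLICY = {
    "window_seconds": 60,
    "max_frequency": 3,                                      # Manner 1
    "max_volume_bytes": 10_000,                              # Manner 2
    "legal_permissions": {"admin", "analyst"},               # Manner 3
    "legal_networks": [ipaddress.ip_network("10.0.0.0/8")],  # Manner 4
    "work_hours": (8, 18),                                   # Manner 5: [start, end) hour
}


class SecurityControlDevice:
    def __init__(self, policy: dict = POLICY):
        self.policy = policy
        self._seen: Dict[str, Deque[datetime]] = defaultdict(deque)          # per data id
        self._volume: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)  # per visitor

    def _expire(self, dq: deque, now: datetime, stamp) -> None:
        """Drop entries that have left the sliding window."""
        while dq and (now - stamp(dq[0])).total_seconds() > self.policy["window_seconds"]:
            dq.popleft()

    def analyse(self, t: Target) -> List[str]:
        findings: List[str] = []
        # Manner 1: how often the same data appears within the window
        seen = self._seen[t.data_id]
        seen.append(t.transmission_time)
        self._expire(seen, t.transmission_time, lambda e: e)
        if len(seen) > self.policy["max_frequency"]:
            findings.append("frequency")
        # Manner 2: access volume of one visitor within the window
        vol = self._volume[t.visitor]
        vol.append((t.transmission_time, t.size))
        self._expire(vol, t.transmission_time, lambda e: e[0])
        if sum(s for _, s in vol) > self.policy["max_volume_bytes"]:
            findings.append("volume")
        # Manner 3: the visitor's permission must be a legal permission
        if t.permission not in self.policy["legal_permissions"]:
            findings.append("permission")
        # Manner 4: the receiving address must be a legal receiving address
        addr = ipaddress.ip_address(t.receiving_address)
        if not any(addr in net for net in self.policy["legal_networks"]):
            findings.append("address")
        # Manner 5: the transmission time must fall in a reasonable range
        lo, hi = self.policy["work_hours"]
        if not lo <= t.transmission_time.hour < hi:
            findings.append("time")
        return findings

    def decide(self, t: Target) -> Tuple[str, List[str]]:
        """'intercept' when the data matched a scanning rule and any manner fired;
        'warn' when a manner fired on data that matched no rule; else 'forward'."""
        findings = self.analyse(t)
        if not findings:
            return "forward", findings
        return ("intercept" if t.scan_result else "warn"), findings


def _at(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample targets (not from the patent).
NORMAL = Target("doc-1", "bob", "analyst", "10.2.3.4", _at(10), 500, {"confidential_marker": ["CONFIDENTIAL"]})
SUSPECT = Target("doc-2", "eve", "guest", "203.0.113.9", _at(23), 500, {"confidential_marker": ["CONFIDENTIAL"]})
BULK = Target("doc-3", "carol", "admin", "10.2.3.4", _at(11), 6000, {})


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    dev = SecurityControlDevice()
    out = {"normal": dev.decide(NORMAL), "suspect": dev.decide(SUSPECT)}
    for _ in range(3):
        dev.decide(NORMAL)  # the same data repeated inside the window
    out["repeated"] = dev.decide(NORMAL)
    dev.decide(BULK)
    out["bulk"] = dev.decide(BULK)  # second bulk transfer pushes carol over the volume limit
    return out
```

Manners 1 and 2 need state across targets (the per-id and per-visitor deques), which is why the analysis lives in a device object rather than a pure function; Manners 3 to 5 are stateless checks on the attribute information alone.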
  • multiple data to be detected can be distributed to different data detection devices 102 for processing. One data to be detected is generally processed by one data detection device 102, but processing of one data to be detected by multiple data detection devices 102 at the same time is also possible.
  • multiple first target data can be processed by different security prevention and control devices 103. One first target data is generally processed by one security prevention and control device 103, but processing of one first target data by multiple security prevention and control devices 103 at the same time is also possible.
  • the device forms of the data collection device 101, the data detection device 102, and the safety prevention and control device 103 are not limited.
  • the data collection device 101 can be any computer device with data collection and communication capabilities, such as a notebook computer, a desktop computer, a network data collector, a network splitter, a conventional server or a server array, or it can be a data acquisition chip or module implemented on an ARM chip, an FPGA or a CPLD.
  • the data detection device 102 can be any computer device with data scanning and communication capabilities: a terminal device such as a notebook computer, a desktop computer or a smart phone; an edge computing device such as a smart street lamp, a camera or a traffic monitoring device; a server device such as a conventional server, a cloud server, a server array or a data center; or a data detection chip or module implemented on an ARM chip, an FPGA or a CPLD.
  • the security prevention and control device 103 can be any computer device that can perform security analysis on data and has certain communication capabilities: a terminal device such as a notebook computer, a desktop computer or a smart phone; an edge computing device such as a smart street lamp, a camera or a traffic monitoring device; a server device such as a conventional server, a cloud server, a server array or a data center; or a security prevention and control chip or module implemented on an ARM chip, an FPGA or a CPLD.
  • the data collection device 101, the data detection device 102, and the security prevention and control device 103 can also be implemented as software, applications (Apps) or program code written into the corresponding devices, with the software, App or program code realizing the corresponding function.
  • the deployment locations of the data collection device 101, the data detection device 102, and the safety prevention and control device 103 are not limited.
  • the data collection device 101 can be deployed close to a network node, which is beneficial for data collection, but is not limited to this.
  • For each data detection device 102 it can be deployed locally or in the cloud. In the case of multiple data detection devices 102, some data detection devices 102 can be deployed on the local end and some data detection devices 102 can be deployed on the cloud; or all data detection devices 102 can be deployed on the local end, or all data detection devices 102 are all deployed in the cloud.
  • each security prevention and control device 103 it can be deployed locally or in the cloud.
  • some security prevention and control devices 103 can be deployed on the local end and some in the cloud; or all security prevention and control devices 103 can be deployed in the cloud, or all security prevention and control devices 103 can be deployed at the local end.
  • the local end here is relative to the cloud, which can be a location close to the network node in the network environment; the cloud generally refers to any location far away from the network node.
  • one or more data collection devices 101 can be deployed next to the gateway device of the data center system, one or more data detection devices 102 can be deployed in the computer room of the data center system, and one or more security prevention and control devices 103 can be deployed in the computer room of the data center system; security prevention and control devices 103 may also be deployed in the cloud.
  • the deployment implementation of the distributed security detection system 100 in the data center system described in this embodiment is only an exemplary description, and is not limited thereto.
  • The number of data collection devices 101, data detection devices 102, and security prevention and control devices 103 is not limited: one or more of each type can be deployed, depending on the application scenario of the distributed security detection system 100. Of course, the data collection device 101 and the data detection device 102 can also be deployed on the same device.
  • One data collection device 101 can be deployed; if there are multiple network nodes requiring data security detection, multiple data collection devices 101 can be deployed to share the data collection pressure. Multiple data collection devices 101 reduce the processing burden on each one, so the resource requirements for each data collection device 101 are relatively low, which is beneficial to improving the efficiency of data security detection.
  • One data detection device 102 can be deployed; if the amount of data requiring security detection is large, multiple data detection devices 102 can be deployed to reduce the scanning burden on each data detection device 102, so that the resource requirements of each data detection device 102 are relatively low, which is beneficial to improving the efficiency of data security detection.
  • One security prevention and control device 103 can be deployed; if the amount of data requiring security detection is large, multiple security prevention and control devices 103 can be deployed to reduce the analysis burden on each security prevention and control device 103, so that the resource requirements for each security prevention and control device 103 are relatively low, which is beneficial to improving the efficiency of data security detection.
  • A distributed data security detection solution is used to solve the information security problem in the network environment: data collection, scanning, and analysis are completed by the data collection equipment, data detection equipment, and security prevention and control equipment respectively, which separates data collection, scanning, and analysis and decouples the key links of data security detection, so that the resources required for data security detection are distributed across multiple devices. Compared with a solution that deploys data security detection centrally on one device, resource bottlenecks are not easily generated, which is beneficial for protecting network data of large volume; the overall distributed system has low complexity, is easy to deploy and implement, and is highly flexible.
  • the system 100 of this embodiment further includes: a data storage system 104.
  • the data storage system 104 mainly provides data storage functions for the data acquisition device 101, the data detection device 102, and the safety prevention and control device 103 in the system 100.
  • The data storage system 104 can be any system capable of data storage, such as any type of database system, or an Object Storage Service (OSS) system.
  • In FIG. 1b, the data storage system 104 is illustrated by taking OSS as an example, but it is not limited to this.
  • this embodiment does not limit the deployment location of the data storage system 104, and it can be deployed locally or in the cloud.
  • At least one data collection device 101 is mainly responsible for collecting the data to be detected from network messages passing through the network node, and for distributing the data to be detected to at least one data detection device 102.
  • At least one data detection device 102 is mainly responsible for scanning the data to be detected according to the first scanning rule to obtain the scan result information of the data to be detected, for identifying, from the data to be detected, the first target data that meets the first security analysis rule, and for providing the first target data together with its attribute information and scan result information to at least one security prevention and control device 103.
  • Using the storage capability of the data storage system 104, after at least one data detection device 102 recognizes the first target data, it can store the first target data in the data storage system 104, obtain the storage address of the first target data in the data storage system 104, and provide that storage address to at least one security prevention and control device 103, so that the security prevention and control device 103 can read the first target data from the data storage system 104 according to the storage address; this achieves the purpose of providing the first target data to at least one security prevention and control device 103.
  • For example, the data detection device 102 may send the first target data to the data storage system 104; the data storage system 104 stores the first target data in the corresponding storage space according to its own data storage mechanism, and returns the storage address of the first target data in the data storage system 104 to the data detection device 102.
  • the storage address of the first target data in the data storage system 104 is referred to as the first storage address.
  • the manner in which at least one data detection device 102 provides the attribute information and scan result information of the first target data to at least one security prevention and control device 103 is not limited.
  • at least one data detection device 102 may directly send the encrypted attribute information and scan result information of the first target data to the at least one security prevention and control device 103.
  • the system 100 of this embodiment further includes a log storage system 105.
  • the log storage system 105 is mainly used to provide a log storage function for the data collection device 101, the data detection device 102, and the security prevention and control device 103 in the system 100.
  • the implementation form of the log storage system 105 is not limited.
  • the log storage system 105 may be any system capable of log storage, for example, it may be an SLS.
  • the log storage system 105 is illustrated by taking SLS as an example, but it is not limited to this.
  • this embodiment does not limit the deployment location of the log storage system 105, and it can be deployed locally or in the cloud.
  • At least one data detection device 102 can store the attribute information and scan result information of the first target data in the log storage system 105, obtain the storage address of the attribute information and scan result information of the first target data in the log storage system 105, and provide that storage address to at least one security prevention and control device 103.
  • the storage address of the attribute information of the first target data and the scan result information in the log storage system 105 is referred to as the second storage address.
  • At least one security prevention and control device 103 can receive the first storage address and the second storage address sent by at least one data detection device 102; read the first target data from the data storage system 104 according to the first storage address, and read the attribute information and scan result information of the first target data from the log storage system 105 according to the second storage address; and then perform security analysis on the first target data according to its attribute information and scan result information.
  • Data collection, scanning, storage, analysis, and logging are thus separated in data security detection, achieving a greater degree of distribution. While ensuring information security in the network environment, this is beneficial to reducing the complexity of the distributed security detection system, makes the system easy to deploy and realize, and improves its flexibility.
  • the system 100 of this embodiment includes two safety prevention and control devices 103, which are referred to as a first safety prevention and control device 1031 and a second safety prevention and control device 1032.
  • the first security prevention and control device 1031 is deployed on the local end and is a device with security prevention and control functions on the local end;
  • the second security prevention and control device 1032 is deployed on the cloud and is a device with security prevention and control functions on the cloud.
  • Deploying security prevention and control equipment inside the "network environment that requires security prevention and control" is called deployment at the local end, and deploying security prevention and control equipment outside the "network environment that needs security prevention and control" is called deployment in the cloud.
  • The first security prevention and control device 1031 is deployed inside the "network environment requiring security prevention and control", and the second security prevention and control device 1032 is deployed outside the "network environment requiring security prevention and control".
  • The data detection device 102 directly reporting the attribute information and scan result information of the first target data to the first security prevention and control device 1031 and the second security prevention and control device 1032 is taken as an example for illustration, so the log storage system 105 is not shown in the figure.
  • the first security prevention and control device 1031 is preferentially used to perform security analysis on the first target data.
  • the second safety prevention and control device 1032 can also be used to perform a safety analysis on the first target data.
  • The first storage address of the first target data in the data storage system 104 and the second storage address of the attribute information and scan result information of the first target data in the log storage system 105 are obtained.
  • the first storage address and the second storage address may be sent to the first security prevention and control device 1031 for the first security prevention and control device 1031 to perform security analysis on the first target data.
  • After receiving the first storage address and the second storage address, the first security prevention and control device 1031 reads the first target data from the data storage system 104 according to the first storage address, reads the attribute information and scan result information of the first target data from the log storage system 105 according to the second storage address, and performs security analysis on the first target data according to that attribute information and scan result information.
  • The second security prevention and control device 1032 performs security analysis on the first target data in the same or a similar way as the first security prevention and control device 1031, which is not repeated here.
  • the second security prevention and control device 1032 also has a configuration function, and can perform an operation of issuing configuration information related to data security detection.
  • the administrator can provide configuration information related to data security detection to the second security prevention and control device 1032.
  • The configuration information includes the first scanning rule and the first security analysis rule; the second security prevention and control device 1032 can deliver the configuration information to the first security prevention and control device 1031, and the first security prevention and control device 1031 forwards the configuration information to the at least one data detection device 102, so that the at least one data detection device 102 locally configures the first scanning rule and the first security analysis rule.
  • the manner in which the administrator provides configuration information to the second security prevention and control device 1032 is not limited.
  • For example, the second security prevention and control device 1032 may have a human-computer interaction interface; the management personnel can enter the human-computer interaction interface provided by the second security prevention and control device 1032 and enter the scanning rules and security analysis rules through it.
  • The manager can also generate a configuration file containing the configuration information on the terminal device he uses and then send the configuration file to the second security prevention and control device 1032, which parses the configuration information out of the configuration file.
  • the management and distribution of configuration information through the second security prevention and control device 1032 is taken as an example, but it is not limited to this.
  • the configuration information can also be managed and issued through the first security prevention and control device 1031.
  • the specific implementation manner is similar to the implementation manner through the second security prevention and control device 1032, and details are not described herein again.
  • this embodiment can flexibly change the configuration information.
  • The change of configuration information has basically no impact on the data collection process of the data collection device or on the security analysis process of the first security prevention and control device, and basically no impact on data transmission in these processes, so the system of this embodiment has manageability and scalability.
  • In some cases, the data detection device 102 may be unable to successfully scan the data to be detected according to the first scanning rule.
  • For example, the first scanning rule of the data detection device 102 only supports text type data and does not support multimedia data such as pictures or short videos; the data detection device 102 therefore cannot successfully complete the scan of data to be detected whose type is picture or short video.
  • In that case, the data to be detected can be stored in the data storage system 104, and a scan request can be sent to the second security prevention and control device 1032, requesting it to scan the data to be detected using the second scanning rule.
  • the scan request carries the storage address of the data to be detected in the data storage system 104.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device 1032; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scan rule is a scan rule configured on the local end of the data detection device 102; the second scan rule is a scan rule configured on the cloud.
  • The second security prevention and control device 1032 can also read the data to be detected from the data storage system 104 according to the scan request sent by the data detection device 102, and scan the data to be detected according to the second scanning rule to obtain the scan result information of the data to be detected.
  • The second security prevention and control device 1032 may also send the scanning rules in the second scanning rule that were matched by the data to be detected to at least one data detection device 102, so that the at least one data detection device 102 can update the first scanning rule.
  • In addition to scanning the data to be detected according to the second scanning rule, the second security prevention and control device 1032 can also identify, from the data to be detected, second target data that meets the second security analysis rule, write the attribute information and scan result information of the second target data into the log storage system 105, and notify the first security prevention and control device 1031 to perform security analysis on the second target data.
  • the data that meets the second safety analysis rule identified by the second safety prevention and control device 1032 from the data to be detected according to the second safety analysis rule is called the second target data.
  • the notification message sent by the second security prevention and control device 1032 to the first security prevention and control device 1031 carries the attribute information of the second target data and the storage address of the scan result information in the log storage system 105.
  • The first security prevention and control device 1031 can also read the attribute information and scan result information of the second target data from the log storage system 105 according to the notification from the second security prevention and control device 1032, and perform security analysis on the second target data according to that attribute information and scan result information.
  • In this way, after the second security prevention and control device 1032 recognizes the second target data, it gives priority to the security analysis capability of the first security prevention and control device 1031 deployed at the local end, which performs the security analysis on the second target data.
  • Alternatively, the second security prevention and control device 1032 may not only scan the data to be detected according to the second scanning rule but also identify, from the data to be detected, second target data that meets the second security analysis rule, and perform security analysis on the second target data itself based on the attribute information and scan result information of the second target data. In this optional embodiment, after the second security prevention and control device 1032 recognizes the second target data, it directly performs security analysis on the second target data with its own security analysis capability.
  • the data collection device 101 may use a hash method to distribute the data to be detected to multiple data detection devices 102.
  • the data collection device 101 may distribute the to-be-detected data from data streams of different attributes to different data detection devices 102 according to the attributes of the data stream.
  • The data collection device 101 may also distribute the data to be detected to different data detection devices 102 according to the processing capabilities and/or load information of each data detection device 102.
  • For example, when the data collection device 101 collects data to be detected, it can determine the target data detection device according to the processing capability and/or load information of each data detection device 102, and write the data to be detected into the data buffer area of the target data detection device.
  • the data buffer area of the target data detection device may be a file buffer area or a virtual storage pool (pool).
  • In the above processes, the data collection stage can be regarded as the producer of the data to be detected, and the data scanning stage as the consumer of the data to be detected; the two stages therefore form a producer/consumer model.
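As an added illustration (not code from the patent or its assignee), the three distribution strategies described above in Python: hash distribution keyed on the five-tuple, attribute-based routing by application protocol with a hash fallback, and load-aware selection relative to each device's processing capability. Device names, capacities, the routing table and the sample record are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Added example (not the patent's code): three ways a data collection device
# can distribute data to be detected across data detection devices. Device
# names, capacities and the sample record are constructed.


@dataclass
class DetectionDevice:
    name: str
    capacity: int                               # relative processing capability
    buffer: list = field(default_factory=list)  # the device's data buffer area

    def load(self) -> float:
        # load information: queued items relative to processing capability
        return len(self.buffer) / self.capacity


def flow_key(five_tuple: tuple) -> bytes:
    # canonical form of (src_ip, src_port, dst_ip, dst_port, protocol)
    return ":".join(str(part) for part in five_tuple).encode()


def pick_by_hash(five_tuple: tuple, devices: list) -> DetectionDevice:
    """Hash distribution: every message of one flow lands on the same device,
    so that device can scan the flow's payload in order and in context."""
    digest = hashlib.sha256(flow_key(five_tuple)).digest()
    return devices[int.from_bytes(digest[:8], "big") % len(devices)]


def pick_by_attribute(attrs: dict, devices: list, routing: dict) -> DetectionDevice:
    """Attribute distribution: streams carrying a given attribute value (here
    the application protocol) go to the device configured for it; unknown
    attribute values fall back to hash distribution."""
    by_name = {d.name: d for d in devices}
    target = routing.get(attrs.get("protocol"))
    if target in by_name:
        return by_name[target]
    return pick_by_hash(attrs["five_tuple"], devices)


def pick_by_load(devices: list) -> DetectionDevice:
    """Load-aware distribution: the device with the lowest load relative to
    its processing capability takes the next record."""
    return min(devices, key=lambda d: d.load())


def dispatch(record: dict, devices: list, policy: str, routing: dict = None) -> str:
    """Write the record into the chosen device's buffer; return the device name."""
    if policy == "hash":
        target = pick_by_hash(record["five_tuple"], devices)
    elif policy == "attribute":
        target = pick_by_attribute(record, devices, routing or {})
    elif policy == "load":
        target = pick_by_load(devices)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    target.buffer.append(record)
    return target.name


if __name__ == "__main__":
    devices = [DetectionDevice("det-a", 100), DetectionDevice("det-b", 50)]
    rec = {"five_tuple": ("10.0.0.5", 44321, "10.0.1.9", 443, "tcp"),
           "protocol": "https", "payload": b"..."}   # constructed record
    print(dispatch(rec, devices, "hash"))
    print(dispatch(rec, devices, "attribute", {"https": "det-b"}))
    print(dispatch(rec, devices, "load"))
```

Hash distribution keeps a flow on one detection device, which matters when a scanning rule needs to see consecutive messages of the same connection; load-aware distribution spreads work best but gives no such guarantee, so a deployment normally picks one policy per data stream rather than mixing them per message.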
  • The internal working process of the data detection device 102 is exemplified below.
  • the data detection device 102 includes multiple threads, including but not limited to: a file monitoring thread FileWatch, a file scanning thread FileScan, a file submission thread Filesubmit, and a cloud submission thread cloudsubmit.
  • the multi-threading mechanism is adopted, which is adjustable.
  • the data collection device 101 writes the collected data to be detected into the data buffer area of the data detection device 102, such as a file buffer area or a virtual storage pool;
  • The file monitoring thread FileWatch monitors whether there is new data to be detected in the data buffer area of the data detection device 102; when it detects new data to be detected, it reads the newly written data to be detected into the message queue and at the same time sends a message to the file scanning thread FileScan;
  • The file scanning thread FileScan, when triggered by the message, scans the data to be detected in the message queue according to the locally configured scanning rules to obtain the scan result of the data to be detected, and determines according to the locally configured security analysis rules whether security analysis needs to be performed on the data to be detected; if so, it sends a message to the file submission thread Filesubmit;
  • The file submission thread Filesubmit reads the data to be detected from the message queue, submits the data to be detected as the first target data to the data storage system 104 (such as OSS), obtains the storage address returned by the data storage system 104, and then provides the storage address, attribute information, and scan result information of the first target data to the cloud submission thread cloudsubmit;
  • The cloud submission thread cloudsubmit submits the storage address, attribute information, and scan result information of the first target data to the second security prevention and control device 1032 deployed in the cloud, and the second security prevention and control device 1032 performs security analysis on the first target data.
  • The cloud submission thread cloudsubmit can also submit the storage address, attribute information, and scan result information of the first target data to the first security prevention and control device 1031 deployed on the local end, and the first security prevention and control device 1031 then performs security analysis on the first target data.
  • the data detection device 102 may further include a file cleaning thread for cleaning the processed data to be detected in the message queue.
  • the data storage system 104 also regularly cleans out obsolete or useless data.
  • The data detection device 102 may also include a configuration monitoring thread ConfWatch, which monitors whether new scanning rules and security analysis rules have arrived in the configuration information buffer area and, when they have, updates the locally configured scanning rules and security analysis rules.
  • the data detection device 102 may further include: a log caching thread LocalLogging, which is used to cache log data generated by the data detection device 102 in the process of scanning the data to be detected.
  • The log data here includes but is not limited to: the scan time, the name of the scanned data to be detected, whether the data to be detected hit a scan rule and, if so, the name of the scan rule that was hit, the data content in the data to be detected that hit the scan rule, and the context information of that data content.
  • the log cache thread can periodically cache the log data of the data detection device 102 locally and upload it to the log storage system 105.
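An added example, not code from the patent or its assignee, that runs the thread workflow above as a single synchronous pass over a message queue: FileWatch moves buffered records into the queue, FileScan matches the first scanning rule and records content plus context for each hit, Filesubmit writes first target data to an object store and the attribute and scan result information to a log store, and the two returned storage addresses form the cloudsubmit payload that a security prevention and control device resolves before analysis. Data the first scanning rule cannot handle (the picture case) is stored and turned into a scan request instead. The OSS-like and SLS-like stores, the rules, the verdict logic and the sample records are constructed stand-ins.

```python
import hashlib
import json
import re
from collections import deque

# Added example, not the patent's code: FileWatch -> FileScan -> Filesubmit ->
# cloudsubmit of one data detection device, run synchronously over a queue.
# Stores, rules, verdict logic and sample records are constructed stand-ins.


class ObjectStore:
    """Stand-in for data storage system 104 (OSS-like); put() returns the first storage address."""
    def __init__(self): self.objects = {}
    def put(self, data: bytes) -> str:
        addr = "oss://detect-data/" + hashlib.sha256(data).hexdigest()[:16]
        self.objects[addr] = data
        return addr
    def get(self, addr: str) -> bytes: return self.objects[addr]


class LogStore:
    """Stand-in for log storage system 105 (SLS-like); append() returns the second storage address."""
    def __init__(self): self.records = []
    def append(self, record: dict) -> str:
        self.records.append(json.dumps(record, sort_keys=True))
        return f"sls://detect-log/{len(self.records) - 1}"
    def get(self, addr: str) -> dict: return json.loads(self.records[int(addr.rsplit("/", 1)[1])])


# First scanning rule (constructed): named byte patterns, text data only.
FIRST_SCANNING_RULE = {
    "secret_tag": re.compile(rb"CONFIDENTIAL"),
    "id_number": re.compile(rb"\b\d{17}[\dX]\b"),
}
SUPPORTED_TYPES = {"text"}


def file_scan(data: bytes, rules: dict, context: int = 12) -> list:
    """FileScan: match every rule; the empty list is the 'blank' scan result."""
    hits = []
    for name, pattern in rules.items():
        for m in pattern.finditer(data):
            lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
            hits.append({"rule": name,
                         "content": m.group().decode(errors="replace"),
                         "context": data[lo:hi].decode(errors="replace")})
    return hits


def needs_analysis(attrs: dict, hits: list) -> bool:
    """Data selection part of the first security analysis rule (constructed):
    data that hit a rule, or unusually large data, becomes first target data."""
    return bool(hits) or attrs["size"] >= 1_000_000


def process_buffer(buffer: list, objects: ObjectStore, logs: LogStore,
                   rules: dict = FIRST_SCANNING_RULE) -> list:
    """FileWatch moves new buffer entries into the queue; each entry is then
    scanned and submitted, discarded, or turned into a cloud scan request."""
    queue = deque(buffer)
    buffer.clear()
    outcomes = []
    while queue:
        item = queue.popleft()
        attrs, data = item["attrs"], item["data"]
        if attrs["type"] not in SUPPORTED_TYPES:
            # The first scanning rule cannot scan this type: store the data and
            # ask the cloud device to scan it with the second scanning rule.
            outcomes.append({"action": "scan_request", "storage_address": objects.put(data)})
            continue
        hits = file_scan(data, rules)
        if not needs_analysis(attrs, hits):
            outcomes.append({"action": "discard"})
            continue
        first_addr = objects.put(data)                                     # Filesubmit
        second_addr = logs.append({"attributes": attrs, "scan_result": hits})
        outcomes.append({"action": "submit",                               # cloudsubmit payload
                         "first_storage_address": first_addr,
                         "second_storage_address": second_addr})
    return outcomes


def security_analysis(submission: dict, objects: ObjectStore, logs: LogStore) -> dict:
    """Security prevention and control device: resolve both addresses, then decide (constructed verdict)."""
    data = objects.get(submission["first_storage_address"])
    record = logs.get(submission["second_storage_address"])
    rules_hit = sorted({h["rule"] for h in record["scan_result"]})
    verdict = "alert" if "secret_tag" in rules_hit else ("review" if rules_hit else "clear")
    return {"verdict": verdict, "rules_hit": rules_hit, "size": len(data)}


SAMPLE_BUFFER = [  # constructed records as a data collection device would write them
    {"attrs": {"type": "text", "size": 30, "time": "2019-11-20T08:00:00Z",
               "five_tuple": ["10.0.0.5", 44321, "10.0.1.9", 443, "tcp"]},
     "data": b"memo: CONFIDENTIAL budget 2020"},
    {"attrs": {"type": "text", "size": 11, "time": "2019-11-20T08:00:01Z",
               "five_tuple": ["10.0.0.6", 50000, "10.0.1.9", 80, "tcp"]},
     "data": b"hello world"},
    {"attrs": {"type": "image", "size": 8, "time": "2019-11-20T08:00:02Z",
               "five_tuple": ["10.0.0.7", 50001, "10.0.1.9", 80, "tcp"]},
     "data": b"\x89PNG\r\n\x1a\n"},
]
```

Calling `process_buffer(SAMPLE_BUFFER, ObjectStore(), LogStore())` yields a submit, a discard and a scan request in that order; passing the submit outcome to `security_analysis` reads the payload back by its first storage address and the hits by the second. In a real device the four stages run as the separate threads the text names, with a bounded queue so that a burst from the data collection device cannot exhaust memory on the detection side.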
  • a distributed data security detection solution is adopted to solve the information security problem in the network environment, and data collection, scanning and analysis are separated, and the key links in data security detection are decoupled.
  • The resources required for data security detection are distributed to multiple devices, so resource bottlenecks are not easily produced, which is conducive to protecting large amounts of network data; the complexity of the entire distributed system is low, it is easy to deploy and implement, and it is highly flexible.
  • New functions can easily be added, scalability is strong, and service-chain-style services can be realized, which makes it possible to subsequently provide functions as services.
  • FIG. 4a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application. This method is described from the perspective of any data detection device in the distributed security detection system. As shown in Figure 4a, the method includes:
  • the data to be detected is collected by the data collection device from the network messages passing through the network node, and refers to data objects that may involve data security and may need to undergo security detection.
  • network nodes refer to devices, links, subsystems, or entire systems that require data security testing in various network environments.
  • the network node may be a flow entry/exit device in various network environments, such as a gateway device.
  • the data detection device is locally configured with scanning rules and security analysis rules.
  • the scanning rules mainly include some known data characteristics, which can reflect the characteristics or content of the data to be detected to a certain extent, and can assist in judging whether the data to be detected has security risks.
  • Security analysis rules mainly include rules related to subsequent security analysis. Among these rules there is a data selection rule, which determines which of the data to be detected needs to be provided to the security prevention and control equipment for security analysis: whether all of the data to be detected is provided for security analysis, or only the data to be detected that meets specific conditions.
  • these rules may also include other rules.
  • For example, these rules can also include device selection rules, which determine which security prevention and control device or devices to use for security analysis, the priority between these security prevention and control devices, the master/backup relationship between them, and so on.
  • the data detection device scans the data to be detected according to the first scanning rule, which is mainly a process of matching the data to be detected with the first scanning rule.
  • The execution order of step 42a and step 43a is not limited.
  • the two steps can be executed sequentially as shown in FIG. 4a, or they can be executed in parallel.
  • the operation described in step 43a can also be performed first, and then the operation described in step 42a is performed.
  • Only the first target data can be scanned during the scanning of the data to be detected, without scanning all of the data to be detected.
  • For example, it can first be judged whether the data to be detected conforms to the first security analysis rule; if it conforms, the data to be detected is determined to be usable as the first target data and is then scanned according to the first scanning rule; if it does not conform, there is no need to perform security analysis on the data to be detected, so the operation can end without scanning it, which saves the computing resources of the data detection device.
  • the attribute information of the first target data refers to some attribute information that the first target data itself has or comes with, such as the type, size, transmission time, quintuple information, and so on of the first target data.
  • The scanning result of the first target data may be one of two cases: either the first target data matches one or some scanning rules in the first scanning rule, or the first target data does not match any scanning rule in the first scanning rule. The information contained in the scan result information differs between the two cases.
  • In the first case, the scanning result information of the first target data may include, but is not limited to, the names of the one or more scanning rules that the first target data matched and the matched content.
  • the scanning result information of the first target data may include: identifying information or descriptive content indicating that the first target data does not match any scanning rule, but is not limited to this.
  • the scanning result information of the first target data may not carry any information items, that is, blank, which also indicates that the first target data does not match any scanning rules.
  • the attribute information and scanning result information of the first target data are the basis for performing security analysis on the first target data.
  • After the data detection device recognizes the first target data, it can provide the first target data and the attribute information and scan result information of the first target data to at least one security prevention and control device, so that the at least one security prevention and control device performs security analysis on the first target data based on that attribute information and scan result information.
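An added example (not the patent's code) that represents the first security analysis rule as data: a data selection part ("all" versus a type and size window) and a device selection part with master/backup priority, evaluated in the order of step 43a before step 42a so that only confirmed first target data is scanned, and returning blank scan result information when no rule matches. The rule contents, device names and sample data are assumptions.

```python
import re

# Added example, not the patent's code: a first security analysis rule with a
# data selection part and a device selection part, applied before scanning.
# Rule contents, device names and sample data are constructed.

SCANNING_RULE = {"secret_tag": re.compile(rb"CONFIDENTIAL"),
                 "id_number": re.compile(rb"\b\d{17}[\dX]\b")}

SECURITY_ANALYSIS_RULE = {
    # data selection: "all" sends every item for analysis; "conditional" sends
    # only items whose type and size fall inside the configured window
    "data_selection": {"mode": "conditional", "types": ["text"],
                       "min_size": 1, "max_size": 5_000_000},
    # device selection: priority order with the local device as master and the
    # cloud device as backup; the first reachable one is used
    "device_selection": [{"name": "local-1031", "priority": 1},
                         {"name": "cloud-1032", "priority": 2}],
}


def is_first_target(attrs: dict, rule: dict) -> bool:
    """Data selection: does this data to be detected need security analysis?"""
    sel = rule["data_selection"]
    if sel["mode"] == "all":
        return True
    return attrs["type"] in sel["types"] and sel["min_size"] <= attrs["size"] <= sel["max_size"]


def select_device(rule: dict, reachable: set):
    """Device selection: the highest-priority device that is currently
    reachable, or None when neither master nor backup is available."""
    for dev in sorted(rule["device_selection"], key=lambda d: d["priority"]):
        if dev["name"] in reachable:
            return dev["name"]
    return None


def detect(attrs: dict, data: bytes, scanning_rule: dict, analysis_rule: dict,
           reachable: set) -> dict:
    """Step 43a before step 42a: apply the analysis rule first and scan only
    data confirmed as first target data, saving scanning work on the rest."""
    if not is_first_target(attrs, analysis_rule):
        return {"scanned": False, "target": None}
    matched = [name for name, pat in scanning_rule.items() if pat.search(data)]
    # scan result information: rule names when something matched, blank otherwise
    result = {"matched_rules": matched} if matched else {}
    return {"scanned": True, "target": select_device(analysis_rule, reachable),
            "attribute_information": attrs, "scan_result_information": result}
```

With the local device unreachable, `select_device` falls through to the cloud backup; with neither reachable it returns None, which a detection device should treat as "hold the item" rather than "drop it", since the data was already judged to need analysis.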
  • Where the distributed security detection system includes a data storage system and a log storage system, and the security prevention and control device in the distributed security detection system includes the first security prevention and control device deployed on the local end and the second security prevention and control device deployed on the cloud, providing the first target data and its attribute information and scanning result information to the security prevention and control device includes: storing the first target data in the data storage system, and providing the first storage address of the first target data in the data storage system to the first security prevention and control device; and writing the attribute information and scanning result information of the first target data into the log storage system, and providing the second storage address of that attribute information and scanning result information in the log storage system to the first security prevention and control device.
  • The method of this embodiment further includes: when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, storing the data to be detected in the data storage system, and sending a scan request to the second security prevention and control device so that the second security prevention and control device scans the data to be detected according to the second scanning rule.
  • The method of this embodiment further includes: receiving the scanning rules in the second scanning rule that were matched by the data to be detected, issued by the second security prevention and control device, and updating the first scanning rule according to those matched scanning rules.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • Before the first scanning rule and the first security analysis rule are used, the method of this embodiment further includes: receiving configuration information from the second security prevention and control device, forwarded by the first security prevention and control device, where the configuration information includes the first security analysis rule and the first scanning rule; and configuring the first scanning rule and the first security analysis rule locally according to the configuration information.
  • the data detection device cooperates with the data acquisition device and the security prevention and control device and is mainly responsible for the data scanning in data security detection. This separates data collection, scanning and analysis and decouples the key links of data security detection, so that the resources required for data security detection are distributed across multiple devices, resource bottlenecks are less likely, and large amounts of network data can be protected.
  • FIG. 4b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application. The method is described from the perspective of any safety prevention and control device in the distributed safety detection system, especially the first safety prevention and control device. As shown in Figure 4b, the method includes:
  • the distributed security detection system includes a data storage system and a log storage system.
  • an implementation of step 41b includes: receiving the first storage address sent by the data detection device, and reading the first target data from the data storage system in the distributed security detection system according to the first storage address; receiving the second storage address sent by the data detection device, and reading the attribute information and scan result information of the first target data from the log storage system in the distributed security detection system according to the second storage address.
  • the first storage address is the storage address of the first target data in the data storage system.
  • the second storage address is the storage address of the attribute information and scan result information of the first target data in the log storage system.
  • the security prevention and control device in the distributed security detection system includes: a first security prevention and control device deployed on the local end and a second security prevention and control device deployed on the cloud.
  • the second security prevention and control device can scan the data to be detected according to the second scanning rule when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, can identify, according to the second security analysis rule, second target data that meets the second security analysis rule from the data to be detected, and can notify the first security prevention and control device to perform security analysis on the second target data.
  • the method of this embodiment further includes: receiving a notification message sent by the second security prevention and control device in the distributed security detection system; according to the notification message, reading the attribute information and scanning result information of the second target data from the log storage system in the distributed security detection system; and performing security analysis on the second target data according to its attribute information and scanning result information; where the second target data is data that the second security prevention and control device identifies from the data to be detected as meeting the second security analysis rule, in the case that the data detection device cannot successfully scan the data to be detected according to the first scanning rule.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the first security prevention and control device may also receive the configuration information issued by the second security prevention and control device, and forward the configuration information to the data detection device, so that the data detection device can locally configure the first scanning rule and the first security analysis rule.
  • the security prevention and control device and the data detection device cooperate with each other, and the security prevention and control device is mainly responsible for the security analysis in data security detection. This separates data collection, scanning and analysis and decouples the key links of data security detection, so that the resources required for data security detection are distributed across multiple devices, resource bottlenecks are less likely, and large amounts of network data can be protected.
  • FIG. 4c is a schematic flowchart of yet another data processing method provided by an exemplary embodiment of this application. This method is described from the perspective of the second safety prevention and control device in the distributed safety detection system. As shown in Figure 4c, the method includes:
  • the scan request is sent by the data detection device when the data detection device cannot successfully scan the data to be detected according to the first scan rule.
  • the method of this embodiment further includes: identifying second target data that meets the second security analysis rule from the data to be detected; and performing security analysis on the second target data according to the attribute information and scanning result information of the second target data.
  • the method of this embodiment further includes: identifying second target data that meets the second security analysis rule from the data to be detected; writing the attribute information and scanning result information of the second target data into the log storage system in the distributed security detection system; and notifying the first security prevention and control device in the distributed security detection system, so that the first security prevention and control device can perform security analysis on the second target data according to the attribute information and scanning result information of the second target data.
  • the method of this embodiment further includes: sending the scanning rule in the second scanning rule that is matched by the data to be detected to the data detection device, for the data detection device to update the first scanning rule.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the second security prevention and control device cooperates with the first security prevention and control device and the data detection device, is responsible for security analysis and configuration information management in data security detection, and can assist the data detection device in performing data scanning, which ensures the overall performance of the distributed security detection system built on the separation of data collection, scanning and analysis.
  • the execution subject of each step of the method provided in the foregoing embodiment may be the same device, or different devices may serve as the execution subject of different steps. For example, the execution subject of steps 41a to 44a may be device A; for another example, the execution subject of steps 41a to 43a may be device A and the execution subject of step 44a may be device B; and so on.
  • Figure 4d is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application. As shown in Figure 4d, the system includes: a producer module 41d, a consumer module 42d, a buffer module 43d, and a cloud analysis module 44d.
  • the producer module 41d is mainly responsible for collecting the data to be detected and writing the data to be detected into the buffer module 43d.
  • the producer module 41d can be deployed in any network environment that requires data security testing, for example, can be deployed at a certain network node, and is responsible for collecting data to be tested from network packets passing through the network node.
  • the network node here can be any device, link, subsystem, or system that needs to perform data security testing in various network environments that need to perform data security testing.
  • the number of producer modules 41d may be one or multiple.
  • the consumer module 42d is used to monitor whether data to be detected has been written into the buffer module 43d. When it detects that data to be detected has been written into the buffer module 43d, it reads the data to be detected from the buffer module 43d and scans it, and provides the first target data among the data to be detected that requires security analysis, together with the attribute information and scanning result information of the first target data, to the cloud analysis module 44d.
  • the number of consumer modules 42d may be one or more.
  • the implementation manner in which the consumer module 42d scans the data to be detected is not limited.
  • the data to be detected may be scanned according to the first scanning rule.
  • for details, refer to the specific implementation manner in which the data detection device scans the data to be detected according to the first scanning rule in the foregoing embodiment, which will not be repeated here.
  • this embodiment does not limit the implementation manner in which the consumer module 42d determines whether the data to be detected requires security detection. For example, it may be determined whether the data to be detected requires security detection according to the first security analysis rule.
  • for the rule determining whether the data to be detected requires security detection, refer to the specific implementation manner in which the data detection device analyzes whether the data to be detected requires security detection according to the first security analysis rule in the foregoing embodiment, which will not be repeated here.
  • the cloud analysis module 44d is configured to perform security analysis on the first target data according to the attribute information and the scan result information of the first target data.
  • the implementation manner in which the cloud analysis module 44d performs security analysis on the first target data is not limited. For details, refer to the implementation manner in which the security prevention and control device performs security analysis on the first target data in the foregoing embodiment. This will not be repeated here.
  • the system further includes: an object storage system (OSS) 45d.
  • the object storage system 45d is used to provide storage services for the consumer module 42d, and is also an intermediate storage medium for interaction between the consumer module 42d and the cloud analysis module 44d.
  • the consumer module 42d is specifically configured to write the first target data into the object storage system 45d, and send the storage address, attribute information, and scan result information of the first target data to the cloud analysis module 44d.
  • the cloud analysis module 44d is specifically configured to: read the first target data from the object storage system 45d according to the storage address of the first target data, and perform security analysis on the first target data according to the attribute information and scan result information of the first target data.
  • the consumer module 42d includes multiple threads, including but not limited to: a monitoring thread, a scanning thread, a local submission thread, and a cloud submission thread.
  • a multi-threading mechanism is adopted, which can be adjusted as needed.
  • the working principle of the consumer module 42d is as follows:
  • the monitoring thread monitors whether new data to be detected has been written into the buffer module 43d; when it detects that new data to be detected has been written, it reads the newly written data to be detected into the message queue and sends a message to the scanning thread.
  • when triggered by the message, the scanning thread scans the data to be detected in the message queue according to the locally configured first scanning rule to obtain the scanning result of the data to be detected, determines according to the locally configured first security analysis rule whether security analysis of the data to be detected is necessary, and if so, sends a message to the local submission thread.
  • the local submission thread reads the data to be detected from the message queue, submits the data to be detected as the first target data to the object storage system 45d, obtains the storage address returned by the object storage system 45d, and provides the storage address, attribute information and scan result information of the first target data to the cloud submission thread.
  • the cloud submission thread submits the storage address, attribute information, and scan result information of the first target data to the cloud analysis module 44d, and the cloud analysis module 44d performs security analysis on the first target data.
  • the consumer module 42d may further include: a cleaning thread for cleaning up the processed data to be detected in the message queue.
  • the object storage system 45d also regularly cleans out obsolete or useless data.
  • the consumer module 42d may further include: a configuration monitoring thread for updating the first scanning rule and the first security analysis rule used by the consumer module 42d when those rules are updated.
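  • The local-scan / cloud-escalation / rule-feedback exchange described for the data detection device and the two security prevention and control devices above, together with the consumer module's hand-off of a storage address plus attribute and scan result information, as an added Python simulation that is not part of the patent or the applicant's code. The in-memory storage systems, the rule format (a regex set per protocol), the scan-failure condition (no first scanning rule for the message's protocol) and the first security analysis rule (any rule hit requires analysis) are all constructed assumptions for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Store:
    """Stand-in for the data storage system or the log storage system: write() returns a storage address."""
    name: str
    items: dict = field(default_factory=dict)

    def write(self, payload) -> str:
        digest = hashlib.sha256(repr(payload).encode()).hexdigest()[:12]
        addr = f"{self.name}://{digest}"
        self.items[addr] = payload
        return addr

    def read(self, addr):
        return self.items[addr]


def compile_rules(rules):
    """Assumed rule format: {protocol: {rule_name: regex}}; returns the compiled equivalent."""
    return {p: {n: re.compile(x) for n, x in r.items()} for p, r in rules.items()}


class CloudDevice:
    """Second security prevention and control device (cloud): holds the fuller second scanning rule."""

    def __init__(self, second_rules, data_store, log_store):
        self.rules = compile_rules(second_rules)
        self.data_store, self.log_store = data_store, log_store
        self.notifications = []  # log addresses of second target data announced to the first device

    def handle_scan_request(self, data_addr, attributes):
        """Read the escalated data by address, scan it with the second rule, return the matched rules."""
        text = self.data_store.read(data_addr).decode("utf-8", "replace")
        rules = self.rules.get(attributes["protocol"], {})
        matched = {n: r.pattern for n, r in rules.items() if r.search(text)}
        if matched:  # second target data: write attributes + result to the log store, notify the first device
            log_addr = self.log_store.write({"attributes": attributes, "matched": sorted(matched)})
            self.notifications.append(log_addr)
        return matched  # fed back so the detection device can update its first scanning rule


class DetectionDevice:
    """Data detection device (consumer module): scans with the first scanning rule, hands off or escalates."""

    def __init__(self, first_rules, data_store, log_store, cloud):
        self.rules = compile_rules(first_rules)
        self.data_store, self.log_store, self.cloud = data_store, log_store, cloud
        self.handoffs = []  # (first storage address, second storage address) given to the first device

    def process(self, data: bytes, attributes: dict) -> str:
        proto = attributes["protocol"]
        if proto not in self.rules:
            # Assumed failure condition: no first scanning rule for this protocol, so the local
            # scan cannot succeed. Store the data and send a scan request to the cloud device.
            data_addr = self.data_store.write(data)
            fed_back = self.cloud.handle_scan_request(data_addr, attributes)
            if fed_back:  # update the first scanning rule with the rules the data matched in the cloud
                self.rules.setdefault(proto, {}).update({n: re.compile(p) for n, p in fed_back.items()})
            return "escalated"
        text = data.decode("utf-8", "replace")
        matched = sorted(n for n, r in self.rules[proto].items() if r.search(text))
        if matched:  # assumed first security analysis rule: any rule hit requires security analysis
            data_addr = self.data_store.write(data)
            log_addr = self.log_store.write({"attributes": attributes, "matched": matched})
            self.handoffs.append((data_addr, log_addr))
            return "first_target"
        return "clean"


class LocalDevice:
    """First security prevention and control device (local end): analyses via the two storage addresses."""

    def __init__(self, data_store, log_store):
        self.data_store, self.log_store = data_store, log_store

    def analyse(self, data_addr, log_addr):
        record = self.log_store.read(log_addr)
        size = len(self.data_store.read(data_addr))
        return {"protocol": record["attributes"]["protocol"], "matched": record["matched"], "bytes": size}


def demo():
    """Three constructed messages: local hit, escalation with rule feedback, then a local hit on the learned rule."""
    data_store, log_store = Store("oss"), Store("log")
    cloud = CloudDevice({"http": {"pwd": r"password="},
                         "smtp": {"pwd": r"password=", "pan": r"\b\d{16}\b"}}, data_store, log_store)
    det = DetectionDevice({"http": {"pwd": r"password="}}, data_store, log_store, cloud)
    local = LocalDevice(data_store, log_store)
    outcomes = [
        det.process(b"GET /login?password=hunter2", {"protocol": "http", "src": "10.0.0.5"}),
        det.process(b"MAIL FROM a@b.test card 4111111111111111", {"protocol": "smtp", "src": "10.0.0.6"}),
        det.process(b"card 4111111111111111 again", {"protocol": "smtp", "src": "10.0.0.7"}),
    ]
    reports = [local.analyse(*h) for h in det.handoffs]
    return outcomes, reports, len(cloud.notifications)
```

The second message is escalated because the detection device has no smtp rule; the cloud device's match is written to the log store, the first device is notified, and the matched rule is fed back, so the third message is caught locally.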
  • FIG. 5 is a schematic structural diagram of a data detection device provided by an exemplary embodiment of this application. As shown in FIG. 5, the device includes: a memory 51, a processor 52, and a communication component 53.
  • the memory 51 is used to store computer programs, and can be configured to store other various data to support operations on the data detection device. Examples of these data include instructions, messages, pictures, videos, and the first scanning rule and the first security analysis rule for any application or method operating on the data detection device.
  • the processor 52, coupled to the memory 51, is configured to execute the computer program in the memory 51 for: receiving, through the communication component 53, the data to be detected sent by the data acquisition device in the distributed security detection system; scanning the data to be detected according to the first scanning rule to obtain scan result information of the data to be detected; determining, according to the first security analysis rule, the first target data in the data to be detected that meets the first security analysis rule; and providing the first target data and the attribute information and scanning result information of the first target data to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
  • the distributed security detection system includes a data storage system and a log storage system.
  • the security prevention and control device in the distributed security detection system includes the first security prevention and control device deployed on the local end and the second security prevention and control device deployed on the cloud.
  • when the processor 52 provides the first target data and the attribute information and scanning result information of the first target data to at least one security prevention and control device in the distributed security detection system, it is specifically used for: storing the first target data in the data storage system, and providing the first storage address of the first target data in the data storage system to the first security prevention and control device; writing the attribute information and scan result information of the first target data into the log storage system, and providing the second storage address of the attribute information and scan result information of the first target data in the log storage system to the first security prevention and control device.
  • the processor 52 is further configured to: if the data to be detected cannot be successfully scanned according to the first scanning rule, store the data to be detected in the data storage system; and send, through the communication component 53, a scan request to the second security prevention and control device, for the second security prevention and control device to scan the to-be-detected data according to the second scanning rule.
  • the processor 52 is further configured to: receive, through the communication component 53, the scanning rule in the second scanning rule that is matched by the data to be detected, issued by the second security prevention and control device; and update the first scanning rule according to that matched scanning rule.
  • the second scan rule refers to the scan rule that can be used by the second security prevention and control device; compared to the first scan rule, the second scan rule may be the latest scan rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the processor 52 is further configured to: before using the first scanning rule and the first security analysis rule, receive, through the communication component 53, the configuration information from the second security prevention and control device forwarded by the first security prevention and control device, the configuration information including the first security analysis rule and the first scanning rule; and configure the first scanning rule and the first security analysis rule locally according to the configuration information.
  • the data detection device further includes: a display 54, a power supply component 55, an audio component 56, and other components. Only some of the components are schematically shown in FIG. 5, which does not mean that the data detection device only includes the components shown in FIG. 5. In addition, the components in the dashed box in FIG. 5 are optional components, not mandatory components, and the specifics may depend on the product form of the data detection equipment.
  • the data detection device in this embodiment can be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone, or an IOT device, or it can be a server device such as a conventional server, a cloud server, or a server array.
  • if the data detection device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer, or a smart phone, it may include the components in the dashed box in FIG. 5; if the data detection device of this embodiment is implemented as a server device such as a conventional server, a cloud server, or a server array, it may not include the components in the dashed box in FIG. 5.
  • an embodiment of the present application also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it causes the processor to implement the steps in the method embodiment shown in FIG. 4a.
  • FIG. 6 is a schematic structural diagram of a safety prevention and control device provided by an exemplary embodiment of this application.
  • the safety prevention and control device of this embodiment may be implemented by any safety prevention and control device in the distributed safety detection system, and in particular may be implemented as the first safety prevention and control device.
  • the device includes: a memory 61, a processor 62, and a communication component 63.
  • the memory 61 is used to store computer programs, and can be configured to store other various data to support operations on the security prevention and control equipment. Examples of these data include instructions for any application or method operated on the security prevention and control device, contact data, phone book data, messages, pictures, videos, etc.
  • the processor 62, coupled to the memory 61, is configured to execute a computer program in the memory 61 to: obtain the first target data provided by the data detection device in the distributed security detection system, together with the attribute information and scan result information of the first target data; and perform security analysis on the first target data according to the attribute information and scan result information of the first target data; wherein the first target data is data in the received data to be detected that the data detection device determines to meet the first security analysis rule, and the scan result information of the first target data is obtained by the data detection device scanning the first target data according to its first scanning rule.
  • the distributed security detection system includes a data storage system and a log storage system. Based on this, when the processor 62 obtains the first target data provided by the data detection device in the distributed security detection system and the attribute information and scanning result information of the first target data, it is specifically used to: receive, through the communication component 63, the first storage address sent by the data detection device, and read the first target data from the data storage system in the distributed security detection system according to the first storage address; and receive the second storage address sent by the data detection device, and read the attribute information and scanning result information of the first target data from the log storage system in the distributed security detection system according to the second storage address.
  • the first storage address is the storage address of the first target data in the data storage system; the second storage address is the storage address of the attribute information and scan result information of the first target data in the log storage system.
  • the security prevention and control device of this embodiment is implemented as the first security prevention and control device deployed at the local end in the distributed security detection system.
  • the distributed security detection system also includes: a second security prevention and control device deployed in the cloud.
  • the second security prevention and control device can scan the data to be detected according to the second scanning rule when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, can identify, according to the second security analysis rule, second target data that meets the second security analysis rule from the data to be detected, and can notify the first security prevention and control device to perform security analysis on the second target data.
  • the processor 62 is further configured to: receive, through the communication component 63, the notification message sent by the second security prevention and control device in the distributed security detection system; according to the notification message, read the attribute information and scanning result information of the second target data from the log storage system in the distributed security detection system; and perform security analysis on the second target data according to its attribute information and scanning result information; wherein the second target data is data that the second security prevention and control device identifies from the data to be detected as meeting the second security analysis rule, when the data detection device cannot successfully scan the data to be detected according to the first scanning rule.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the processor 62 is further configured to: receive, through the communication component 63, the configuration information issued by the second security prevention and control device, and forward the configuration information to the data detection device for the data detection device to locally configure the first scanning rule and the first security analysis rule.
  • the safety prevention and control device further includes: a display 64, a power supply component 65, an audio component 66 and other components. Only some of the components are schematically shown in FIG. 6, which does not mean that the safety prevention and control equipment only includes the components shown in FIG. 6. In addition, the components in the dashed box in FIG. 6 are optional components, not mandatory components, and the specifics may depend on the product form of the safety prevention and control equipment.
  • the security prevention and control device of this embodiment can be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone, or an IOT device, and can also be a server device such as a conventional server, a cloud server, or a server array.
  • if the security prevention and control device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer, or a smart phone, it may include the components in the dashed box in FIG. 6; if the security prevention and control device of this embodiment is implemented as a server device such as a conventional server, a cloud server, or a server array, it may not include the components in the dashed box in FIG. 6.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it causes the processor to implement the steps in the method embodiment shown in FIG. 4b.
  • FIG. 7 is a schematic structural diagram of another safety prevention and control device provided by an exemplary embodiment of this application.
  • the security prevention and control device of this embodiment may be implemented by the second security prevention and control device in the distributed security detection system.
  • the device includes: a memory 71, a processor 72, and a communication component 73.
  • the memory 71 is used to store computer programs, and can be configured to store various other data to support operations on the security prevention and control equipment. Examples of such data include instructions for any application or method that is used to operate on the security prevention and control device, contact data, phone book data, messages, pictures, videos, etc.
  • the processor 72, coupled to the memory 71, is configured to execute a computer program in the memory 71 to: receive, through the communication component 73, a scan request sent by a data detection device in the distributed security detection system, where the scan request is sent by the data detection device when the data to be detected cannot be successfully scanned according to the first scanning rule; read the data to be detected from the data storage system in the distributed security detection system according to the scan request; and scan the data to be detected according to the second scanning rule to obtain scan result information of the data to be detected.
  • the processor 72 is further configured to: after obtaining the scan result information of the data to be detected, identify second target data that meets the second security analysis rule from the data to be detected; and perform security analysis on the second target data according to the attribute information and scanning result information of the second target data.
  • the processor 72 is further configured to: after obtaining the scan result information of the data to be detected, identify second target data that meets the second security analysis rule from the data to be detected; write the attribute information and scan result information of the second target data into the log storage system in the distributed security detection system; and notify the first security prevention and control device in the distributed security detection system, so that the first security prevention and control device can perform security analysis on the second target data according to the attribute information and scan result information of the second target data.
  • the second scanning rule refers to a scanning rule that can be used by the security prevention and control device provided in this embodiment; compared with the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the processor 72 is further configured to: in the case that the data to be detected matches the second scanning rule, send the scanning rule in the second scanning rule that is matched by the data to be detected to the data detection device, for the data detection device to update the first scanning rule.
  • the processor 72 is further configured to: send configuration information to the first security prevention and control device through the communication component 73, so that the first security prevention and control device forwards the configuration information to the data detection device and the data detection device locally configures the first scanning rule and the first security analysis rule.
  • the safety prevention and control device further includes: a display 74, a power supply component 75, an audio component 76 and other components. Only some components are schematically shown in FIG. 7, which does not mean that the safety prevention and control equipment only includes the components shown in FIG. 7. In addition, the components in the dashed box in FIG. 7 are optional components, not mandatory components, which may be determined by the product form of the safety prevention and control equipment.
  • the security prevention and control device of this embodiment can be implemented as a terminal device such as a desktop computer, a notebook computer, a smartphone, or an IoT device, or as a server-side device such as a conventional server, a cloud server, or a server array.
  • if the security prevention and control device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer, or a smartphone, it may include the components in the dashed box in FIG. 7; if it is implemented as a server-side device such as a conventional server, a cloud server, or a server array, it may omit the components in the dashed box in FIG. 7.
  • an embodiment of the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the steps of the method embodiment shown in FIG. 4c.
  • the memory in Figure 5 to Figure 7 above can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • the communication components in Figures 5-7 are configured to facilitate wired or wireless communication between the device where the communication component is located and other devices.
  • the device where the communication component is located can access wireless networks based on communication standards, such as WiFi, 2G, 3G, 4G/LTE, 5G and other mobile communication networks, or a combination of them.
  • the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel.
  • the communication component may further include a near field communication (NFC) module, radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and so on.
  • the above-mentioned display in FIGS. 5-7 includes a screen, and the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user.
  • the touch panel includes one or more touch sensors to sense touch, sliding, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure related to the touch or slide operation.
  • the power components in Figures 5 to 7 above provide power for various components of the equipment where the power components are located.
  • the power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device where the power supply component is located.
  • the audio components in Figs. 5-7 can be configured to output and/or input audio signals.
  • the audio component includes a microphone (MIC).
  • when the device where the audio component is located is in an operating mode such as call mode, recording mode, or voice recognition mode, the microphone is configured to receive external audio signals.
  • the received audio signal can be further stored in a memory or sent via a communication component.
  • the audio component further includes a speaker for outputting audio signals.
  • the embodiments of the present invention can be provided as a method, a system, or a computer program product. Therefore, the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-permanent memory in a computer readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.

Abstract

A distributed security testing system, method and device, and a storage medium. A data security testing scheme of distributed deployment is used to solve the problem of information security in a network environment; collection, scanning and analysis of data are separated, and key links in data security testing are decoupled; and in this way, resources required for data security testing are dispersed onto a plurality of devices, thereby facilitating the testing, analysis and protection of a large volume of network data; furthermore, the entire distributed system is relatively low in terms of complexity and is easily deployed and realized, and has relatively high flexibility.

Description

Distributed security detection system, method, device and storage medium
Technical field
This application relates to the field of Internet security technology, and in particular to a distributed security detection system, method, device, and storage medium.
Background
With the rapid development of information technology, more and more enterprises are migrating application data onto networks, and more and more assets are being digitized, which greatly improves enterprises' production efficiency and management level. However, while enjoying the convenience and efficiency that digitization brings, enterprises also face severe information security problems.
Summary of the invention
Various aspects of this application provide a distributed security detection system, method, device, and storage medium, to address the information security problems faced by network environments and to improve information security.
An embodiment of this application provides a distributed security detection system, including at least one data collection device, at least one data detection device, and at least one security prevention and control device. The at least one data collection device is configured to collect data to be detected from network packets passing through a network node and to distribute the data to be detected to the at least one data detection device. The at least one data detection device is configured to scan the data to be detected according to a first scanning rule, and to provide the first target data in the data to be detected that meets a first security analysis rule, together with attribute information and scan result information of the first target data, to the at least one security prevention and control device. The at least one security prevention and control device is configured to perform security analysis on the first target data according to the attribute information and scan result information of the first target data.
An embodiment of this application also provides a data processing method, applicable to a data detection device in a distributed security detection system. The method includes: receiving data to be detected sent by a data collection device in the distributed security detection system; scanning the data to be detected according to a first scanning rule to obtain scan result information of the data to be detected; determining, according to a first security analysis rule, the first target data in the data to be detected that meets the first security analysis rule; and providing the first target data, together with its attribute information and scan result information, to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
An embodiment of this application also provides a data processing method, applicable to a first security prevention and control device in a distributed security detection system. The method includes: obtaining first target data provided by a data detection device in the distributed security detection system, together with attribute information and scan result information of the first target data; and performing security analysis on the first target data according to that attribute information and scan result information. The first target data is the data, among the data to be detected received by the data detection device, that meets a first security analysis rule, and the scan result information of the first target data is obtained by the data detection device scanning the first target data according to a first scanning rule.
An embodiment of this application also provides a data processing method, applicable to a second security prevention and control device in a distributed security detection system. The method includes: receiving a scan request sent by a data detection device in the distributed security detection system, the scan request being sent by the data detection device when it cannot successfully scan the data to be detected according to a first scanning rule; reading the data to be detected from a data storage system in the distributed security detection system according to the scan request; and scanning the data to be detected according to a second scanning rule to obtain scan result information of the data to be detected.
An embodiment of this application also provides a data detection device, including a memory, a processor, and a communication component. The memory stores a computer program; the processor, coupled to the memory, executes the computer program in order to: receive, through the communication component, data to be detected sent by a data collection device in a distributed security detection system; scan the data to be detected according to a first scanning rule to obtain scan result information of the data to be detected; determine, according to a first security analysis rule, the first target data in the data to be detected that meets the first security analysis rule; and provide the first target data, together with its attribute information and scan result information, to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
An embodiment of this application also provides a security prevention and control device, including a memory and a processor. The memory stores a computer program; the processor, coupled to the memory, executes the computer program in order to: obtain first target data provided by a data detection device in a distributed security detection system, together with attribute information and scan result information of the first target data; and perform security analysis on the first target data according to that attribute information and scan result information. The first target data is the data, among the data to be detected received by the data detection device, that meets a first security analysis rule, and the scan result information of the first target data is obtained by the data detection device scanning the first target data according to a first scanning rule.
An embodiment of this application also provides a security prevention and control device that can be implemented as the second security prevention and control device in a distributed security detection system. The device includes a memory, a processor, and a communication component. The memory stores a computer program; the processor, coupled to the memory, executes the computer program in order to: receive, through the communication component, a scan request sent by a data detection device in the distributed security detection system, the scan request being sent by the data detection device when it cannot successfully scan the data to be detected according to a first scanning rule; read the data to be detected from a data storage system in the distributed security detection system according to the scan request; and scan the data to be detected according to a second scanning rule to obtain scan result information of the data to be detected.
An embodiment of this application also provides a distributed security detection system, including a producer module, a consumer module, a buffer module, and a cloud analysis module. The producer module collects data to be detected and writes it into the buffer module. The consumer module, upon detecting that data to be detected has been written into the buffer module, reads the data to be detected from the buffer module, scans it, and provides the first target data in the data to be detected that requires security detection, together with attribute information and scan result information of the first target data, to the cloud analysis module. The cloud analysis module performs security analysis on the first target data according to the attribute information and scan result information of the first target data.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the steps of the method embodiments of this application.
In the embodiments of this application, a distributed data security detection scheme is used to address information security problems in a network environment. Data collection, scanning, and analysis are separated, decoupling the key links in data security detection, so that the resources required for data security detection are spread across multiple devices and resource bottlenecks are unlikely. This facilitates the detection, analysis, and protection of large volumes of network data; the distributed system as a whole has low complexity, is easy to deploy and implement, and is highly flexible.
Description of the drawings
The drawings described here are provided to give a further understanding of this application and form a part of it. The exemplary embodiments of this application and their descriptions are used to explain the application and do not constitute an improper limitation of it. In the drawings:
FIG. 1a is a schematic structural diagram of a distributed security detection system provided by an exemplary embodiment of this application;
FIG. 1b is a schematic structural diagram of another distributed security detection system provided by an exemplary embodiment of this application;
FIG. 2 is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application;
FIG. 3 is a schematic diagram of the working process of a data detection device provided by an exemplary embodiment of this application;
FIG. 4a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application;
FIG. 4b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application;
FIG. 4c is a schematic flowchart of yet another data processing method provided by an exemplary embodiment of this application;
FIG. 4d is a schematic structural diagram of still another distributed security detection system provided by an exemplary embodiment of this application;
FIG. 5 is a schematic structural diagram of a data detection device provided by an exemplary embodiment of this application;
FIG. 6 is a schematic structural diagram of a security prevention and control device provided by an exemplary embodiment of this application;
FIG. 7 is a schematic structural diagram of another security prevention and control device provided by an exemplary embodiment of this application.
Detailed description
To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application are described clearly and completely below in conjunction with specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of this application without creative effort fall within the scope of protection of this application.
To address the information security problems faced by existing network environments, some embodiments of this application use a distributed data security detection scheme that separates data collection, scanning, and analysis and decouples the key links in data security detection. The resources required for data security detection are thereby spread across multiple devices and resource bottlenecks are unlikely, which facilitates the detection, analysis, and protection of large volumes of network data; the distributed system as a whole has low complexity, is easy to deploy and implement, and is highly flexible.
The technical solutions provided by the embodiments of this application are described in detail below with reference to the drawings.
An exemplary embodiment of this application provides a distributed security detection system 100, whose structure is shown in FIG. 1a. The system 100 of this embodiment can be deployed in various network environments and is responsible for performing security detection on the data transmitted in the network environment, preventing data leakage and ensuring information security in that environment.
According to security detection requirements, the system 100 of this embodiment can perform data security detection for one or more devices, one or more links, one or more subsystems, or the entire system in a network environment. For ease of description, in this embodiment the devices, links, subsystems, or systems in a network environment that require data security detection are collectively referred to as network nodes.
Based on the above, the system 100 of this embodiment can collect data to be detected from network packets passing through a network node and perform security detection on that data, so as to ensure the data security of the network node and prevent the data passing through it from being leaked.
For example, in one application scenario, the system 100 of this embodiment is deployed in a data center system and is responsible for data security detection of the entire data center system. In this scenario, the gateway device of the data center system can serve as the network node of this embodiment, so that the system 100 collects data to be detected from the network packets passing through the gateway device and performs security detection on it, ensuring the data security of the data center system and preventing data in the data center from being leaked.
As another example, in another application scenario, the system 100 of this embodiment is deployed in a data center system and is responsible for data security detection of a specific server in the data center system. In this scenario, the specific server can serve as the network node of this embodiment, so that the system 100 collects data to be detected from the network packets passing through that server and performs security detection on it, ensuring the data security of that server and preventing data passing through it from being leaked.
As yet another example, in a further application scenario, the system 100 of this embodiment is deployed in an enterprise local area network and is responsible for data security detection of that network. In this scenario, the gateway device to which the enterprise local area network connects can serve as the network node of this embodiment, so that the system 100 collects data to be detected from the network packets passing through the gateway device and performs security detection on it, preventing important enterprise information from being leaked.
The system 100 of this embodiment adopts a distributed data security detection scheme that separates data collection, scanning, and analysis, decoupling the key links in data security detection. As shown in FIG. 1a, the system 100 includes at least one data collection device 101, at least one data detection device 102, and at least one security prevention and control device 103.
The at least one data collection device 101 is mainly responsible for collecting data to be detected from network packets passing through the network node and distributing the data to be detected to the at least one data detection device 102. The at least one data detection device 102 is mainly responsible for scanning the data to be detected according to a first scanning rule to obtain scan result information of the data to be detected, and for providing the first target data in the data to be detected that meets a first security analysis rule, together with its attribute information and scan result information, to the at least one security prevention and control device 103. The at least one security prevention and control device 103 is mainly responsible for performing security analysis on the first target data according to the received attribute information and scan result information of the first target data.
Here, data to be detected refers to data objects that may involve data security and may need security detection. This embodiment does not limit the way in which the at least one data collection device 101 collects data to be detected from network packets passing through the network node. Depending on the application scenario, the data content that needs security detection differs, and so do the way the data collection device 101 collects the data to be detected and the data it collects.
For example, in some application scenarios, the data collection device 101 can perform protocol analysis on network packets, parse the payload data out of the packets, and generate the data to be detected from the parsed payload data. Further, if the payload data of a single network packet can by itself express a certain semantic meaning, that payload data can be used directly as the data to be detected. More often, data content that expresses a certain semantic meaning is encapsulated in multiple network packets for transmission; in that case, the data collection device 101 can parse the payload data out of multiple network packets of the same data stream and combine the payload data from those packets into data to be detected that expresses a certain semantic meaning.
As another example, in other application scenarios, the data collection device 101 can use the network packet itself directly as the data to be detected; or it can perform protocol analysis on the network packet and recombine all the parsed content according to a set data format into the data to be detected. The data format here refers to the data format required for the data to be detected.
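As an added example that is not the patent's code, the following Python collector performs the protocol analysis and per-stream reassembly just described: it parses IPv4/TCP headers (RFC 791 / RFC 793 layout, no options), groups payloads by flow, orders them by sequence number and combines them into one record of data to be detected carrying attribute information. The sample packets are constructed inside the block; the record fields and the choice of the 4-tuple as flow key are assumptions made for the illustration.

```python
"""Added example, not the patent's code: a data collection device that parses IPv4/TCP
packets and reassembles per-stream payloads into 'data to be detected' with attributes.
Record fields and the 4-tuple flow key are assumptions; header layout is RFC 791 / RFC 793."""
import socket
import struct
from collections import defaultdict


def build_packet(src, dst, sport, dport, seq, payload, proto=6):
    """Constructed input: minimal IPv4 header plus a TCP-shaped transport header
    (no options, checksums left 0).  For non-TCP samples only the protocol field matters."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Protocol analysis of one packet: (flow_key, seq, payload), or None if not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:                                  # IPv4 protocol field
        return None
    total_len = struct.unpack("!H", raw[2:4])[0]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, raw[ihl + data_off:total_len]


def collect(packets):
    """Group payloads by flow, order them by sequence number, and emit one record per flow."""
    flows = defaultdict(list)
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed and parsed[2]:                     # drop non-TCP packets and empty segments
            flows[parsed[0]].append((parsed[1], parsed[2]))
    records = []
    for (src, sport, dst, dport), segments in flows.items():
        segments.sort()                              # sequence order, not arrival order
        data = b"".join(payload for _, payload in segments)
        records.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                        "packets": len(segments), "length": len(data),
                        "data": data.decode("utf-8", "replace")})
    return records


def sample_packets():
    """Constructed sample: one HTTP-like stream delivered out of order, a bare ACK, a UDP packet."""
    parts = [b"POST /upload HTTP/1.1\r\n", b"Host: files.example\r\n\r\n", b"id=42&note=hello"]
    seq, pkts = 1001, []
    for p in parts:
        pkts.append(build_packet("10.0.0.5", "203.0.113.9", 40000, 443, seq, p))
        seq += len(p)
    pkts.append(build_packet("10.0.0.5", "203.0.113.9", 40000, 443, seq, b""))          # bare ACK
    pkts.append(build_packet("10.0.0.5", "192.0.2.53", 5353, 53, 0, b"\x00\x01", proto=17))  # UDP
    return [pkts[1], pkts[0], pkts[3], pkts[2], pkts[4]]
```

`collect(sample_packets())` yields a single record whose `data` field is the three segments joined in sequence order even though the second segment arrived first; the bare ACK and the UDP packet contribute nothing. A real collector would additionally handle retransmissions, IP fragments, TLS and the bidirectional halves of a connection, none of which the patent text specifies.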
In this embodiment, the scanning rules and security analysis rules usable by the at least one data detection device 102 are configured in advance. For ease of description and distinction, the scanning rules and security analysis rules usable by the at least one data detection device 102 are referred to as the first scanning rule and the first security analysis rule, respectively. Optionally, the first scanning rule and the first security analysis rule may be configured locally on the at least one data detection device 102, but this is not a limitation. The first scanning rule mainly comprises known data features; these reflect, to some extent, the characteristics or contents of the data to be detected and help judge whether the data to be detected poses a security risk. The first security analysis rule mainly comprises rules relevant to the subsequent security analysis. Among these rules is a data selection rule, which determines which of the data to be detected must be provided to security prevention and control device 103 for security analysis: whether all of the data to be detected is provided to security prevention and control device 103 for security analysis, or only the data to be detected that satisfies particular conditions. Of course, besides the data selection rule, these rules may also include other rules. For example, they may include a device selection rule, which determines which security prevention and control device(s) 103 are used for security analysis, the priority among those security prevention and control devices 103, their primary/backup relationship, and so on. As another example, they may include a user selection rule, which determines which users' data needs to be provided to security prevention and control device 103 for security analysis.
It should be noted that the first scanning rule and the first security analysis rule will differ according to the application scenario and the data security detection requirements; this embodiment does not limit them.
In this embodiment, data detection device 102 scanning the data to be detected according to the first scanning rule is essentially a process of matching the data to be detected against the first scanning rule. In addition, data detection device 102 must identify, from the data to be detected and according to the first security analysis rule, the data that satisfies the first security analysis rule. For ease of distinction and description, in this embodiment the data identified by data detection device 102 from the data to be detected as satisfying the first security analysis rule is referred to as the first target data.
This embodiment does not limit the order of the two operations performed by data detection device 102, scanning the data to be detected and identifying the first target data within it; the two operations may be performed sequentially or in parallel. When performed sequentially, the scanning of the data to be detected may be performed first and the identification of the first target data second; or the first target data may be identified first and the scanning performed afterwards.
Further, in the scheme where the first target data is identified before the data to be detected is scanned, the scanning step can be applied directly to the first target data rather than to all of the data to be detected. In other words, for any unit of data to be detected, it is first judged whether that data satisfies the first security analysis rule; if it does, the data is determined to be first target data and is then scanned according to the first scanning rule; if it does not, no security analysis of that data is required, so the operation ends without scanning it, which saves computing resources on data detection device 102.
It should be noted that, for multiple units of data to be detected, each unit may be judged against the first security analysis rule and scanned according to the first scanning rule in turn, in the order in which the units were detected.
The attribute information of the first target data refers to attribute information that the first target data itself has or carries, such as its type, size, transmission time, five-tuple information, and so on. The scanning result of the first target data falls into one of two cases: the first target data matched one or more scanning rules, or it matched no scanning rule. The information contained in the scan result information differs between the two. Where the first target data matched one or more scanning rules, its scan result information may include, but is not limited to: the names of the matched scanning rule(s), the data content that matched each rule, and the context of that data content, among other information. Where the first target data matched no scanning rule, its scan result information may include identifying information or descriptive content indicating that no scanning rule was matched, but this is not a limitation. For example, where the first target data matched no scanning rule, its scan result information may carry no information items at all, i.e. it may be blank, which likewise indicates that no scanning rule was matched. The attribute information and scan result information of the first target data are the basis on which security analysis of the first target data is performed.
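As an added example (not the patent's code) of the order of operations just described, the following Python sketch applies the first security analysis rule (data, user and device selection) before the first scanning rule and produces the attribute information and scan result information for the selected security prevention and control device; the rule patterns, network ranges, user list and device table are constructed values.

```python
"""Data detection device (102) sketch: the first security analysis rule
(data / user / device selection) is applied before the first scanning rule,
and the record handed to the security prevention and control device carries
the attribute information and scan result information. Added example; the
rule contents, network ranges and device table are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

# First scanning rule: known data features (constructed patterns).
FIRST_SCANNING_RULES: Dict[str, re.Pattern] = {
    "marker_confidential": re.compile(rb"CONFIDENTIAL"),
    "cn_id_number": re.compile(rb"\b\d{17}[\dXx]\b"),   # 18-character resident ID
    "cn_mobile": re.compile(rb"\b1\d{10}\b"),            # 11-digit mobile number
}
CONTEXT_BYTES = 8  # bytes of context kept on each side of a match

# First security analysis rule (constructed policy):
#  - data selection rule: only data leaving the internal networks is target data
#  - user selection rule: only these users' data is sent for analysis
#  - device selection rule: security devices ordered by priority, with the
#    local device as primary and the cloud device as backup
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SELECTED_USERS = {"alice", "bob"}
SECURITY_DEVICES = [
    {"id": "local-1031", "priority": 0, "healthy": True},   # primary (local)
    {"id": "cloud-1032", "priority": 1, "healthy": True},   # backup (cloud)
]


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def data_selection_rule(unit: dict) -> bool:
    """True when a unit of data to be detected counts as first target data."""
    src, _, dst, _, _ = unit["five_tuple"]
    return is_internal(src) and not is_internal(dst) and unit.get("user") in SELECTED_USERS


def device_selection_rule(devices: List[dict]) -> Optional[str]:
    """Pick the healthy security device with the highest priority (lowest number)."""
    healthy = sorted((d for d in devices if d["healthy"]), key=lambda d: d["priority"])
    return healthy[0]["id"] if healthy else None


def scan(content: bytes) -> List[dict]:
    """Match content against the first scanning rule; one entry per hit."""
    hits = []
    for name, pattern in FIRST_SCANNING_RULES.items():
        for m in pattern.finditer(content):
            lo, hi = max(0, m.start() - CONTEXT_BYTES), m.end() + CONTEXT_BYTES
            hits.append({
                "rule": name,
                "matched": m.group(0).decode("latin-1"),
                "context": content[lo:hi].decode("latin-1"),
            })
    return hits


def detect(unit: dict, devices: List[dict] = SECURITY_DEVICES) -> Optional[dict]:
    """Return the record for the selected security device, or None.

    Selection runs first, so data that is not first target data is never
    scanned and costs no scanning resources on the detection device."""
    if not data_selection_rule(unit):
        return None
    target = device_selection_rule(devices)
    if target is None:
        raise RuntimeError("no healthy security prevention and control device")
    content = unit["content"]
    return {
        "security_device": target,
        "attribute_info": {
            "type": unit.get("type", "unknown"),
            "size": len(content),
            "transmission_time": unit["timestamp"],
            "five_tuple": unit["five_tuple"],
            "user": unit.get("user"),
        },
        # Scan result information: list of hits, left empty (blank) when no
        # scanning rule matched.
        "scan_result_info": scan(content),
    }
```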
The at least one data detection device 102 provides the first target data, together with its attribute information and scan result information, to the at least one security prevention and control device 103, which can perform security analysis on the first target data based on that attribute information and scan result information. This embodiment does not limit the manner or type of security analysis; any analysis manner or type that has a security prevention and control effect is applicable to the embodiments of this application. For example, the at least one security prevention and control device 103 may perform various types of security analysis on the first target data, such as comprehensive data analysis or burst analysis. In addition, the at least one security prevention and control device 103 may perform security analysis on the first target data in, but not limited to, the following manners:
Manner 1: based on the attribute information and scan result information of the first target data, analyze whether the frequency with which the first target data appears within a given time period satisfies a set threshold requirement; for short, frequency-based security analysis.
Manner 2: based on the attribute information and scan result information of the first target data, analyze whether the access volume of the first target data within a given time period satisfies a set access volume requirement; for short, access-volume-based security analysis.
Manner 3: based on the attribute information and scan result information of the first target data, analyze whether the permission of the accessor of the first target data is a set legal permission; for short, access-permission-based security analysis.
Manner 4: based on the attribute information and scan result information of the first target data, analyze whether the receiving address of the first target data is a set legal receiving address; for short, address-based security analysis.
Manner 5: based on the attribute information and scan result information of the first target data, analyze whether the transmission time of the first target data falls within a reasonable time range; for short, time-based security analysis.
Manners 1-5 above are only illustrative of security analysis and are not limiting. Moreover, manners 1-5 may be used individually or combined in any way.
In manners 1-5 above, when the result of any analysis operation is negative, the at least one security prevention and control device 103 may determine that the first target data carries an information leakage risk, and may then take corresponding measures to further prevent information leakage. This embodiment does not limit the measures taken to prevent information leakage. For example, when it is determined that the first target data carries an information leakage risk, the network node through which the first target data passes may be notified to intercept the network packet corresponding to the first target data. Interception here mainly means preventing the network packet corresponding to the first target data from being forwarded. Further, the user, device and other information from which the first target data was sent may be analyzed, so as to warn the user or device that sent the first target data, restrict its permissions, or place it under focused monitoring.
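An added example (not the patent's code) of how a security prevention and control device might implement manners 1-5 over the attribute information and scan result information and turn a negative result into an interception decision; the policy thresholds, the 60-second sliding window and the gating of manners 3-5 on a non-blank scan result are assumptions of the example.

```python
"""Security prevention and control device (103) sketch: manners 1-5 applied to
the attribute information and scan result information of first target data.
Any negative result marks an information leakage risk and yields an
interception decision for the network node. Added example; every policy
value below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Set, Tuple

POLICY = {
    "window_seconds": 60,
    "max_count_per_window": 3,           # manner 1: frequency of target data per user
    "max_bytes_per_window": 4096,        # manner 2: access volume per user
    "legal_permissions": {"export"},     # manner 3: permission allowed to send data out
    "legal_receivers": {"203.0.113.9"},  # manner 4: legal receiving addresses
    "legal_hours": range(8, 18),         # manner 5: UTC hours in which transfer is normal
}


def make_record(user: str, t: float, size: int, hits: list,
                dst: str = "203.0.113.9") -> dict:
    """Build a record in the shape the detection device hands over (constructed)."""
    return {
        "attribute_info": {"user": user, "transmission_time": t, "size": size,
                           "five_tuple": ("10.1.2.3", 40000, dst, 443, "tcp")},
        "scan_result_info": hits,
    }


class SecurityAnalyzer:
    def __init__(self, policy: dict = POLICY):
        self.policy = policy
        # per-user history of (transmission_time, size) inside the sliding window
        self._hist: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def _window(self, user: str, now: float) -> Deque[Tuple[float, int]]:
        q = self._hist[user]
        while q and now - q[0][0] > self.policy["window_seconds"]:
            q.popleft()
        return q

    def analyze(self, record: dict, user_perms: Set[str]) -> dict:
        attr = record["attribute_info"]
        hits = record["scan_result_info"]          # blank list = no rule matched
        user, now, size = attr["user"], attr["transmission_time"], attr["size"]
        dst = attr["five_tuple"][2]

        q = self._window(user, now)
        q.append((now, size))
        failed: List[str] = []
        # Manners 1 and 2 count every unit of first target data from this user.
        if len(q) > self.policy["max_count_per_window"]:
            failed.append("frequency")
        if sum(s for _, s in q) > self.policy["max_bytes_per_window"]:
            failed.append("access_volume")
        # Manners 3-5 are applied only when the scan result is not blank, i.e.
        # the data carries a known sensitive feature (assumption of this example).
        if hits:
            if not (user_perms & self.policy["legal_permissions"]):
                failed.append("access_permission")
            if dst not in self.policy["legal_receivers"]:
                failed.append("address")
            hour = datetime.fromtimestamp(now, tz=timezone.utc).hour
            if hour not in self.policy["legal_hours"]:
                failed.append("time")

        risk = bool(failed)
        return {
            "user": user,
            "five_tuple": attr["five_tuple"],
            "leak_risk": risk,
            "failed_checks": failed,
            # Measures named above: have the network node intercept the packet
            # and flag the sender for warning, permission restriction or monitoring.
            "action": "intercept_and_flag_sender" if risk else "allow",
        }
```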
Note that multiple units of data to be detected may be distributed to different data detection devices 102 for processing; one unit of data to be detected is generally processed by a single data detection device 102, although one unit may also be processed by multiple data detection devices 102 simultaneously. Similarly, multiple units of first target data may be processed by different security prevention and control devices 103; one unit of first target data is generally processed by a single security prevention and control device 103, although one unit may also be processed by multiple security prevention and control devices 103 simultaneously.
This embodiment does not limit the device form of data collection device 101, data detection device 102 or security prevention and control device 103. Data collection device 101 may be any computer device with data collection and communication capabilities, such as a notebook computer, desktop computer, network data collector, network splitter, conventional server or server array, and may also be an ARM chip or a data collection chip or module implemented on an FPGA, CPLD or the like. Data detection device 102 may be any computer device with data scanning and communication capabilities, such as a terminal device (notebook computer, desktop computer, smartphone), an edge computing device (smart street lamp, camera, traffic monitoring equipment), a server device (conventional server, cloud server, server array, data center), or an ARM chip or a data detection chip or module implemented on an FPGA, CPLD or the like. Security prevention and control device 103 may be any computer device capable of performing security analysis on data and having a certain communication capability, such as a terminal device (notebook computer, desktop computer, smartphone), an edge computing device (smart street lamp, camera, traffic monitoring equipment), a server device (conventional server, cloud server, server array, data center), or an ARM chip or a security prevention and control chip or module implemented on an FPGA, CPLD or the like.
Optionally, data collection device 101, data detection device 102 and security prevention and control device 103 may have software or applications (Apps) installed, or program code written into the corresponding components, and run that software, App or program code to implement the corresponding functions.
This embodiment does not limit the deployment locations of data collection device 101, data detection device 102 and security prevention and control device 103. For example, data collection device 101 may be deployed close to the network node, which facilitates data collection, but this is not a limitation. Each data detection device 102 may be deployed locally or in the cloud. Where there are multiple data detection devices 102, some may be deployed locally and some in the cloud; or all may be deployed locally, or all in the cloud. Each security prevention and control device 103 may likewise be deployed locally or in the cloud. Where there are multiple security prevention and control devices 103, some may be deployed locally and some in the cloud; or all may be deployed in the cloud, or all locally. "Local" here is relative to the cloud and may be a position in the network environment close to the network node; "cloud" refers generally to any position remote from the network node.
For example, in a data center system, one or more data collection devices 101 may be deployed beside the gateway device of the data center system, one or more data detection devices 102 may be deployed in the machine room of the data center system, and one or more security prevention and control devices 103 may be deployed in that machine room, with security prevention and control devices 103 also deployed in the cloud. It should be noted that the deployment of distributed security detection system 100 in a data center system described in this embodiment is only illustrative and not limiting.
This embodiment does not limit the number of data collection devices 101, data detection devices 102 or security prevention and control devices 103; one or more of each type may be deployed, depending on the application scenario of distributed security detection system 100. Of course, data collection device 101 and data detection device 102 may also be implemented on the same physical device.
For example, if only one network node requires data security detection, one data collection device 101 may be deployed; if multiple network nodes require data security detection, multiple data collection devices 101 may be deployed so that the data collection load is spread across them, which reduces the processing burden on each data collection device 101, lowers the resource requirements of each, and helps improve the efficiency of data security detection.
For example, if the volume of data requiring security detection is small, one data detection device 102 may be deployed; if the volume is large, multiple data detection devices 102 may be deployed to reduce the scanning burden on each data detection device 102, which lowers the resource requirements of each and helps improve the efficiency of data security detection.
Similarly, if the volume of data requiring security detection is small, one security prevention and control device 103 may be deployed; if the volume is large, multiple security prevention and control devices 103 may be deployed to reduce the analysis burden on each security prevention and control device 103, which lowers the resource requirements of each and helps improve the efficiency of data security detection.
In this embodiment, a data security detection scheme is used to address information security problems in the network environment, with data collection, scanning and analysis performed by the data collection device, data detection device and security prevention and control device respectively. Separating collection, scanning and analysis decouples the key stages of data security detection and spreads the resources it requires across multiple devices. Compared with a scheme in which the whole data security detection solution is deployed centrally on a single device, this embodiment is less prone to resource bottlenecks and better suited to protecting large volumes of network data, while the distributed system as a whole has low complexity, is easy to deploy and implement, and is highly flexible.
To facilitate distributed implementation, as shown in FIG. 1b, system 100 of this embodiment further includes a data storage system 104, which mainly provides data storage functions for data collection device 101, data detection device 102 and security prevention and control device 103 in system 100.
This embodiment does not limit the implementation form of data storage system 104; it may be any system capable of storing data, such as any type of database system or an Object Storage Service (OSS) system. In FIG. 1b, data storage system 104 is illustrated using OSS as an example, but this is not a limitation. This embodiment also does not limit the deployment location of data storage system 104, which may be deployed locally or in the cloud.
In this embodiment, the at least one data collection device 101 is mainly responsible for collecting the data to be detected from network packets passing through the network node and for distributing the data to be detected to the at least one data detection device 102. The at least one data detection device 102 is mainly responsible for scanning the data to be detected according to the first scanning rule to obtain its scan result information, for identifying from the data to be detected the first target data that satisfies the first security analysis rule, and for providing the first target data together with its attribute information and scan result information to the at least one security prevention and control device 103.
In this embodiment, using the storage capability of data storage system 104, the at least one data detection device 102 may, after identifying the first target data, store it in data storage system 104, obtain the storage address of the first target data within data storage system 104, and provide that storage address to the at least one security prevention and control device 103. The at least one security prevention and control device 103 can then read the first target data from data storage system 104 using that storage address, which achieves the purpose of providing the first target data to the at least one security prevention and control device 103.
Optionally, data detection device 102 may send the first target data to data storage system 104; data storage system 104 stores the first target data in the appropriate storage space according to its own storage mechanism and returns the storage address of the first target data within data storage system 104 to data detection device 102. For ease of description and distinction, in this embodiment the storage address of the first target data within data storage system 104 is referred to as the first storage address.
This embodiment does not limit the manner in which the at least one data detection device 102 provides the attribute information and scan result information of the first target data to the at least one security prevention and control device 103. For example, the at least one data detection device 102 may encrypt the attribute information and scan result information of the first target data and send them directly to the at least one security prevention and control device 103.
Further, as shown in FIG. 1b, system 100 of this embodiment further includes a log storage system 105, which is mainly used to provide log storage functions for data collection device 101, data detection device 102 and security prevention and control device 103 in system 100.
This embodiment does not limit the implementation form of log storage system 105; it may be any system capable of storing logs, for example SLS. In FIG. 1b, log storage system 105 is illustrated using SLS as an example, but this is not a limitation. This embodiment also does not limit the deployment location of log storage system 105, which may be deployed locally or in the cloud.
Optionally, using the storage capability of log storage system 105, the at least one data detection device 102 may store the attribute information and scan result information of the first target data in log storage system 105, obtain the storage address of that attribute information and scan result information within log storage system 105, and provide that storage address to the at least one security prevention and control device 103. For ease of distinction and description, in this embodiment the storage address of the attribute information and scan result information of the first target data within log storage system 105 is referred to as the second storage address.
The at least one security prevention and control device 103 can receive the first storage address and the second storage address sent by the at least one data detection device 102; read the first target data from data storage system 104 using the first storage address, and read the attribute information and scan result information of the first target data from log storage system 105 using the second storage address; and then perform security analysis on the first target data according to that attribute information and scan result information.
In this embodiment, the data collection, scanning, storage, analysis and logging of data security detection are separated, achieving a greater degree of distribution. While ensuring information security in the network environment, this helps reduce the complexity of the distributed security detection system, makes it easy to deploy and implement, and improves its flexibility.
The embodiments of this application do not limit the number of security prevention and control devices. In some optional embodiments, as shown in FIG. 2, system 100 of this embodiment includes two security prevention and control devices 103, referred to as first security prevention and control device 1031 and second security prevention and control device 1032. First security prevention and control device 1031 is deployed locally and is a local device with the security prevention and control function; second security prevention and control device 1032 is deployed in the cloud and is a cloud device with the security prevention and control function. In the embodiments of this application, deploying a security prevention and control device within the "network environment requiring security prevention and control" is referred to as local deployment, and deploying one outside the "network environment requiring security prevention and control" is referred to as cloud deployment. In other words, first security prevention and control device 1031 is deployed inside the "network environment requiring security prevention and control" and second security prevention and control device 1032 is deployed outside it. FIG. 2 is illustrated using the example in which data detection device 102 reports the attribute information and scan result information of the first target data directly to first security prevention and control device 1031 and second security prevention and control device 1032; log storage system 105 is not shown in FIG. 2.
In this embodiment, the first security prevention and control device 1031 is preferentially used to perform security analysis on the first target data. When the first security prevention and control device 1031 is heavily loaded or has failed, the second security prevention and control device 1032 may instead be used to perform security analysis on the first target data.
On this basis, for any of the at least one data detection device 102, after obtaining the first storage address of the first target data in the data storage system 104 and the second storage address of the attribute information and scan result information of the first target data in the log storage system 105, the data detection device 102 may send the first storage address and the second storage address to the first security prevention and control device 1031, so that the first security prevention and control device 1031 can perform security analysis on the first target data. For the first security prevention and control device 1031, after receiving the first storage address and the second storage address, it reads the first target data from the data storage system 104 according to the first storage address, reads the attribute information and scan result information of the first target data from the log storage system 105 according to the second storage address, and performs security analysis on the first target data according to that attribute information and scan result information.
If the second security prevention and control device 1032 is required to perform security analysis on the first target data, the process it follows is the same as or similar to that of the first security prevention and control device 1031 and is not repeated here.
Further, in this embodiment, the second security prevention and control device 1032 also has a configuration function and can issue configuration information related to data security detection. As shown in FIG. 2, an administrator can provide configuration information related to data security detection to the second security prevention and control device 1032; this configuration information includes the first scanning rule and the first security analysis rule. The second security prevention and control device 1032 issues the configuration information to the first security prevention and control device 1031, and the first security prevention and control device 1031 forwards it to the at least one data detection device 102, so that each data detection device 102 can configure the first scanning rule and the first security analysis rule locally.
In this embodiment, the manner in which the administrator provides configuration information to the second security prevention and control device 1032 is not limited. For example, the second security prevention and control device 1032 may provide a human-computer interaction interface, through which the administrator enters configuration information such as scanning rules and security analysis rules. Alternatively, the administrator may generate a configuration file containing the configuration information on their own terminal device and send the configuration file to the second security prevention and control device 1032, which parses the configuration information out of the file.
It should be noted that this embodiment takes management and issuance of configuration information through the second security prevention and control device 1032 as an example, but is not limited to this. Configuration information may also be managed and issued through the first security prevention and control device 1031; the specific implementation is similar to that through the second security prevention and control device 1032 and is not repeated here.
Because data collection, scanning and analysis are separated from one another, this embodiment can change the configuration information flexibly. A change to the configuration information has essentially no impact on the data collection process of the data collection device or on the security analysis process of the first security prevention and control device, and essentially no impact on the data transmission within these processes. The system of this embodiment is therefore manageable and scalable.
Further, when the administrator updates the scanning rules, if the second security prevention and control device 1032 fails to issue the updated scanning rules to the data detection device 102 in time, the data detection device 102 may be unable to scan the data to be detected successfully according to the first scanning rule. For example, if the first scanning rule of the data detection device 102 supports only text-type data and not multimedia data such as images or short videos, the data detection device 102 cannot complete a scan of data to be detected whose type is image or short video. When the data detection device 102 cannot scan the data to be detected successfully according to the first scanning rule, it may store the data to be detected in the data storage system 104 and send a scan request to the second security prevention and control device 1032, requesting the second security prevention and control device 1032 to scan the data to be detected using the second scanning rule. The scan request carries the storage address of the data to be detected in the data storage system 104. Here, the second scanning rule refers to the scanning rule available to the second security prevention and control device 1032; relative to the first scanning rule, the second scanning rule may be the most recent scanning rule and may be more comprehensive and complete. In an optional embodiment, the first scanning rule is the scanning rule configured on the local end of the data detection device 102, and the second scanning rule is the scanning rule configured in the cloud.
The second security prevention and control device 1032 may also, according to the scan request sent by the data detection device 102, read the data to be detected from the data storage system 104 and scan it according to the second scanning rule to obtain scan result information for the data to be detected.
Further, when the data to be detected matches rules within the second scanning rule, the second security prevention and control device 1032 may also send those matched rules from the second scanning rule to the at least one data detection device 102, so that each data detection device 102 can update its first scanning rule.
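The fallback and rule pull-down just described (local scan fails for an unsupported data type, the data goes to the data storage system, the scan request carries only the storage address, the cloud device scans with the second scanning rule and returns the matched rules so the local set can be updated) can be modelled as follows. This is an added example written for this page, not code from the patent: the rule encoding (name, applicable data types, regex), the in-memory stand-in for data storage system 104, the request and reply shapes, and the sample rule sets and payloads are all assumptions.

```python
"""Added example: local scan, cloud fallback and first-scanning-rule update.
Not the patent's code; rule format, storage API and messages are assumed."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScanRule:
    name: str
    types: frozenset   # data types this rule can scan, e.g. {"text"} (assumption)
    pattern: str       # regex applied to the payload (assumption)


class UnscannableData(Exception):
    """No rule in the set knows this data type: the patent's
    'cannot be scanned successfully according to the first scanning rule'."""


@dataclass
class DataStorage:
    """Stand-in for data storage system 104: address -> (data_type, payload)."""
    objects: dict = field(default_factory=dict)

    def put(self, data_type, payload):
        addr = f"oss://to-be-detected/{len(self.objects):06d}"   # assumed scheme
        self.objects[addr] = (data_type, payload)
        return addr

    def get(self, addr):
        return self.objects[addr]


def scan(rules, data_type, payload):
    """Match payload against every rule applicable to data_type.
    Returns matched rule names; raises UnscannableData if no rule applies."""
    applicable = [r for r in rules if data_type in r.types]
    if not applicable:
        raise UnscannableData(data_type)
    return [r.name for r in applicable if re.search(r.pattern, payload)]


class CloudDevice:
    """Second security prevention and control device 1032 (modelled)."""
    def __init__(self, second_rules, storage):
        self.rules = set(second_rules)
        self.storage = storage

    def handle_scan_request(self, request):
        # The request carries the storage address only, never the data itself.
        data_type, payload = self.storage.get(request["storage_address"])
        matched = scan(self.rules, data_type, payload)
        # Hand back the rules that matched so the local device can adopt them.
        return {"matched": matched,
                "rules_to_add": [r for r in self.rules if r.name in matched]}


class DetectionDevice:
    """Data detection device 102 (modelled), holding the first scanning rule."""
    def __init__(self, first_rules, storage, cloud):
        self.rules = set(first_rules)
        self.storage = storage
        self.cloud = cloud

    def detect(self, data_type, payload):
        try:
            return {"scanned_by": "local",
                    "matched": scan(self.rules, data_type, payload)}
        except UnscannableData:
            addr = self.storage.put(data_type, payload)
            reply = self.cloud.handle_scan_request({"storage_address": addr})
            self.rules.update(reply["rules_to_add"])   # update first scanning rule
            return {"scanned_by": "cloud", "matched": reply["matched"]}


# Constructed sample rule sets: the local set lags behind the cloud set.
FIRST_RULES = [ScanRule("cn-id-number", frozenset({"text"}), r"\b\d{17}[\dX]\b")]
SECOND_RULES = FIRST_RULES + [ScanRule("exif-gps", frozenset({"image"}), r"GPSLatitude")]


def build_devices():
    """Wire one local detection device to one cloud device over shared storage."""
    storage = DataStorage()
    cloud = CloudDevice(SECOND_RULES, storage)
    return DetectionDevice(FIRST_RULES, storage, cloud), cloud
```

Once an image has been escalated once and the cloud's `exif-gps` rule has been pulled down, later images of the same kind are scanned locally; the rule set converges without waiting for the next full configuration push. Note that the cloud device must read the object itself from storage and must not trust any type or size hints in the request, which is why the request carries nothing but the address.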
In an optional embodiment, in addition to scanning the data to be detected according to the second scanning rule, the second security prevention and control device 1032 may also identify, from the data to be detected, second target data that meets the second security analysis rule, write the attribute information and scan result information of the second target data into the log storage system 105, and notify the first security prevention and control device 1031 to perform security analysis on the second target data. For ease of distinction and description, the data identified by the second security prevention and control device 1032 from the data to be detected as meeting the second security analysis rule is called the second target data. The notification message sent by the second security prevention and control device 1032 to the first security prevention and control device 1031 carries the storage address, in the log storage system 105, of the attribute information and scan result information of the second target data. The first security prevention and control device 1031 may then, according to the notification from the second security prevention and control device 1032, read the attribute information and scan result information of the second target data from the log storage system 105 and perform security analysis on the second target data according to that information. In this optional embodiment, after identifying the second target data, the second security prevention and control device 1032 draws on the security analysis capability of the first security prevention and control device 1031, so that the locally deployed security prevention and control device 1031 is preferentially used to analyse the second target data.
Alternatively, in another optional embodiment, in addition to scanning the data to be detected according to the second scanning rule, the second security prevention and control device 1032 may identify, from the data to be detected, second target data that meets the second security analysis rule and perform security analysis on the second target data itself, according to the attribute information and scan result information of the second target data. In this optional embodiment, after identifying the second target data, the second security prevention and control device 1032 uses its own security analysis capability to analyse the second target data directly.
In the above embodiments of the present application, when there are multiple data detection devices 102, the data collection device 101, after collecting the data to be detected, needs to distribute the data to be detected among the multiple data detection devices 102 to achieve load balancing and reduce the processing burden on each data detection device 102. Optionally, the data collection device 101 may distribute the data to be detected among the multiple data detection devices 102 by hashing. Alternatively, the data collection device 101 may distribute data to be detected from data streams with different attributes to different data detection devices 102 according to the attributes of the data stream. Alternatively, the data collection device 101 may distribute the data to be detected among the data detection devices 102 according to the processing capability and/or load information of each data detection device 102.
In detail, when the data collection device 101 has collected data to be detected, it may determine a target data detection device according to the processing capability and/or load information of each data detection device 102, and write the data to be detected into the data buffer area of the target data detection device. As shown in FIG. 3, the data buffer area of the target data detection device may be a file buffer area or a virtual storage pool.
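The three distribution strategies named above (hashing, stream attribute, processing capability and/or load) can be written as interchangeable dispatch functions. This is an added example for this page and not code from the patent; the device table, the five-tuple and application attribute of a flow, the capacity numbers and the in-memory buffer are assumptions. The hash variant keys on the five-tuple rather than on the payload so that every segment of one flow lands on the same device, which matters when a scanning rule needs to see a whole transfer rather than fragments of it.

```python
"""Added example: dispatch strategies for data collection device 101 fanning
data to be detected out to several data detection devices 102.
Not the patent's code; device table, flow fields and capacities are assumed."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class DetectionDevice:
    name: str
    capacity: int                                # relative processing capability (assumption)
    buffer: list = field(default_factory=list)   # file buffer area / virtual pool stand-in

    @property
    def load(self):
        return len(self.buffer)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    app: str          # stream attribute used by attribute-based dispatch (assumption)


def by_hash(devices, flow, payload):
    """Stable hash of the five-tuple, so all packets of a flow reach one device."""
    key = f"{flow.src_ip}:{flow.src_port}>{flow.dst_ip}:{flow.dst_port}/{flow.proto}"
    digest = hashlib.sha256(key.encode()).digest()
    return devices[int.from_bytes(digest[:8], "big") % len(devices)]


def by_attribute(devices, flow, payload, table):
    """Route by stream attribute (e.g. all HTTPS to the device holding the web
    rules); an attribute with no entry falls back to the first device."""
    return table.get(flow.app, devices[0])


def by_load(devices, flow, payload):
    """Pick the device with the most spare capability; ties go to the
    lexicographically first name so the choice is deterministic."""
    return min(devices, key=lambda d: (d.load - d.capacity, d.name))


def dispatch(devices, flow, payload, strategy, **kw):
    """Choose a target with the given strategy, write the data into its buffer
    area and return the target's name."""
    target = strategy(devices, flow, payload, **kw)
    target.buffer.append(payload)
    return target.name
```

Hash dispatch spreads load evenly only when flows are many and similar in size; a single large flow still pins one device, which is the case the load-aware strategy handles. In practice the collector would refresh `load` from the devices rather than counting its own writes.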
In this embodiment, data collection and scanning are separated: the data collection stage can be regarded as the producer of the data to be detected and the data scanning stage as its consumer, so a producer/consumer model can be adopted. The internal working process of the data detection device 102 is described by way of example with reference to FIG. 3.
As shown in FIG. 3, the data detection device 102 internally includes multiple threads, including but not limited to a file monitoring thread FileWatch, a file scanning thread FileScan, a file submission thread Filesubmit and a cloud submission thread cloudsubmit. Using a multi-threading mechanism makes the device tunable.
The data collection device 101 writes the collected data to be detected into the data buffer area of the data detection device 102, such as a file buffer area or a virtual storage pool.
The file monitoring thread FileWatch monitors whether new data to be detected has been written to the data buffer area of the data detection device 102; when it detects that new data to be detected has been written, it reads the newly written data to be detected into a message queue and sends a message to the file scanning thread FileScan.
Triggered by that message, the file scanning thread FileScan scans the data to be detected in the message queue according to the locally configured scanning rules to obtain the scan result for that data, and determines according to the locally configured security analysis rules whether security analysis of the data to be detected is required; if so, it sends a message to the file submission thread Filesubmit.
The file submission thread Filesubmit reads the data to be detected from the message queue, submits it as first target data to the data storage system 104, for example OSS, obtains the storage address returned by the data storage system 104, and provides the storage address, attribute information and scan result information of the first target data to the cloud submission thread cloudsubmit.
The cloud submission thread cloudsubmit submits the storage address, attribute information and scan result information of the first target data to the second security prevention and control device 1032 deployed in the cloud, which performs security analysis on the first target data. Of course, the cloud submission thread cloudsubmit may also submit the storage address, attribute information and scan result information of the first target data to the first security prevention and control device 1031 deployed on the local end, which then performs the security analysis.
Further, the data detection device 102 may also include a file cleaning thread for removing already-processed data to be detected from the message queue. The data storage system 104 likewise periodically cleans out outdated or useless data.
Further, the data detection device 102 may also include a configuration monitoring thread ConfWatch, which monitors whether new scanning rules and security analysis rules have arrived in the configuration information buffer area and, when they have, updates the locally configured scanning rules and security analysis rules.
Further, as shown in FIG. 3, the data detection device 102 may also include a log caching thread LocalLogging, which caches the log data generated by the data detection device 102 while scanning the data to be detected. The log data here includes, but is not limited to: the scan time, the name of the scanned data to be detected, whether the data to be detected hit a scanning rule and, if so, the name of the scanning rule hit, the data content within the data to be detected that hit the rule, and the context information of that content. The log caching thread may periodically upload the locally cached log data of the data detection device 102 to the log storage system 105.
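The thread chain of FIG. 3 (FileWatch, FileScan, Filesubmit, cloudsubmit, with LocalLogging collecting what the scanner did) is a chain of producer/consumer queues. The following is an added example in that shape, written for this page and not taken from the patent: the buffer area is a list of (name, text) pairs, data storage system 104 is a dictionary returning an assumed `oss://` address, the scanning rules are regexes, the security analysis rule is a callable, and the cloud submission is collected in a list instead of being sent to device 1032 or 1031. Each stage shuts the next one down by passing a sentinel, so the pipeline drains in order and nothing is lost at shutdown.

```python
"""Added example: FileWatch -> FileScan -> Filesubmit -> cloudsubmit pipeline
with a LocalLogging sink, as a producer/consumer chain of queues.
Not the patent's code; rule format, storage stand-in and messages are assumed."""
import queue
import re
import threading
import time

STOP = object()   # sentinel passed down the chain to stop each thread in order


def run_pipeline(buffer_files, scan_rules, needs_analysis):
    """buffer_files: list of (name, text) the collection device wrote to the
    buffer area.  scan_rules: {rule_name: regex}.  needs_analysis(attrs, hits)
    is the locally configured security analysis (data selection) rule.
    Returns (submissions, logs, data_store)."""
    scan_q, submit_q, cloud_q = queue.Queue(), queue.Queue(), queue.Queue()
    data_store = {}            # stand-in for data storage system 104
    submissions, logs = [], []

    def file_watch():          # FileWatch: new file in buffer area -> message
        for name, text in buffer_files:
            scan_q.put((name, text))
        scan_q.put(STOP)

    def file_scan():           # FileScan: match rules, decide on analysis
        while (item := scan_q.get()) is not STOP:
            name, text = item
            hits = {}
            for rule, pattern in scan_rules.items():
                m = re.search(pattern, text)
                if m:
                    s, e = m.span()
                    hits[rule] = {"content": m.group(0),
                                  "context": text[max(0, s - 10):e + 10]}
            attrs = {"name": name, "size": len(text), "type": "text",
                     "scan_time": time.time()}
            # LocalLogging: what the scanner did, hit or not
            logs.append({"name": name, "hit": bool(hits), "rules": sorted(hits)})
            if needs_analysis(attrs, hits):
                submit_q.put((name, text, attrs, hits))
        submit_q.put(STOP)

    def file_submit():         # Filesubmit: store first target data, pass address on
        while (item := submit_q.get()) is not STOP:
            name, text, attrs, hits = item
            addr = f"oss://first-target/{len(data_store):06d}"   # assumed scheme
            data_store[addr] = text
            cloud_q.put({"storage_address": addr, "attributes": attrs,
                         "scan_result": hits})
        cloud_q.put(STOP)

    def cloud_submit():        # cloudsubmit: would POST to device 1032 (or 1031)
        while (msg := cloud_q.get()) is not STOP:
            submissions.append(msg)

    threads = [threading.Thread(target=t)
               for t in (file_watch, file_scan, file_submit, cloud_submit)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return submissions, logs, data_store
```

Only the storage address, attribute information and scan result information leave the device; the payload itself goes to the data storage system, which is what lets the analysis devices be swapped (local 1031 or cloud 1032) without changing the scanner. A real FileScan would bound the queue sizes so that a burst from the collector cannot exhaust memory on the detection device.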
In the above system embodiments of the present application, a distributed data security detection scheme is adopted to address information security problems in the network environment. Data collection, scanning and analysis are separated, decoupling the key links in data security detection, so that the resources required for data security detection are spread across multiple devices. Resource bottlenecks are less likely to arise, which is conducive to protecting large volumes of network data; the overall distributed system is also of low complexity, easy to deploy and implement, and highly flexible. For example, new functions can be added conveniently to the distributed security detection system of this embodiment; it is highly extensible and can realise service chain-style services, making it possible to expose its functions as services later on.
FIG. 4a is a schematic flowchart of a data processing method provided by an exemplary embodiment of the present application. The method is described from the perspective of any data detection device in the distributed security detection system. As shown in FIG. 4a, the method includes:
41a. Receive data to be detected sent by a data collection device in the distributed security detection system.
42a. Scan the data to be detected according to a first scanning rule to obtain scan result information for the data to be detected.
43a. According to a first security analysis rule, determine first target data within the data to be detected that meets the first security analysis rule.
44a. Provide the first target data together with its attribute information and scan result information to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
In this embodiment, the data to be detected is collected by the data collection device from network packets passing through a network node, and refers to data objects that may involve data security and may require security detection. Over time, different network packets keep passing through the network node, and the data collection device continuously collects data to be detected from them. A network node here refers to a device, link, subsystem or entire system in any network environment that requires data security detection. Preferably, the network node is a traffic ingress/egress device of the network environment, such as a gateway device.
In this embodiment, the data detection device is locally configured with scanning rules and security analysis rules. The scanning rules mainly comprise known data features which, to some extent, reflect the characteristics or content of the data to be detected and assist in judging whether the data to be detected poses a security risk. The security analysis rules mainly comprise rules related to the subsequent security analysis. Among them is a data selection rule, which determines which data to be detected must be provided to the security prevention and control device for security analysis: whether all of the data to be detected is provided, or only data to be detected that meets specific conditions. Besides the data selection rule, these rules may also include other rules, for example a device selection rule, which determines which security prevention and control device or devices are used for security analysis, the priority among those devices, and their master/backup relationship.
In this embodiment, the data detection device scanning the data to be detected according to the first scanning rule is mainly a process of matching the data to be detected against the first scanning rule.
In this embodiment, the execution order of step 42a and step 43a is not limited. The two steps may be executed sequentially as shown in FIG. 4a, or in parallel. When executed sequentially, the operation described in step 43a may also be performed before the operation described in step 42a.
Further, in the scheme where the operation of step 43a is performed before that of step 42a, the first target data alone can be scanned directly, without scanning all of the data to be detected. In other words, for any piece of data to be detected, it is first judged whether that data meets the first security analysis rule; if it does, the data is determined to be usable as first target data and is then scanned according to the first scanning rule. If it does not, no security analysis of that data is needed, so the operation can end without scanning it, which saves the computing resources of the data detection device.
The attribute information of the first target data refers to attribute information that the first target data itself carries, such as its type, size, transmission time and five-tuple information. The scan result of the first target data can fall into two cases: the first target data matches one or more scanning rules, or it matches no scanning rule. The content of the scan result information differs accordingly. When the first target data matches one or more scanning rules, its scan result information may include, but is not limited to: the names of the matched scanning rules, the data content that matched each rule, and the context of that data content. When the first target data matches no scanning rule, its scan result information may include identifying information or descriptive content indicating that no scanning rule was matched, but is not limited to this. For example, when the first target data matches no scanning rule, its scan result information may carry no information items at all, i.e. be blank, which likewise indicates that no scanning rule was matched. The attribute information and scan result information of the first target data are the basis for performing security analysis on the first target data.
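The two rule families described above, and the saving from running step 43a before step 42a, look like this in code. This is an added example for this page, not the patent's code: the encoding of the scanning rules as regexes, of the data selection rule as a predicate over attribute information, and of the device selection rule as a priority-ordered list with a health check are assumptions, as are the attribute names and the sample items. The scan result information is built in both forms the text allows: matched rule names with content and context, or an empty (blank) result when nothing matched.

```python
"""Added example: first scanning rule vs first security analysis rule,
selection before scanning (43a before 42a) and device selection with a
master/backup order.  Not the patent's code; encodings are assumptions."""
import re

# First scanning rule (assumed encoding): rule name -> regex over the payload.
SCAN_RULES = {
    "cn-id-number": r"\b\d{17}[\dX]\b",
    "private-key": r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----",
}

# First security analysis rule (assumed encoding).
ANALYSIS_RULE = {
    # data selection rule: only outbound data above 1 KiB goes to analysis
    "select": lambda attrs: attrs["direction"] == "out" and attrs["size"] > 1024,
    # device selection rule: priority order, first entry is master, rest backups
    "devices": [{"id": 1031, "where": "local"}, {"id": 1032, "where": "cloud"}],
}


def scan(payload, rules=SCAN_RULES):
    """Step 42a.  Matched rules carry the matched content and its context;
    an empty dict is the 'blank' scan result meaning no rule matched."""
    result = {}
    for name, pattern in rules.items():
        m = re.search(pattern, payload)
        if m:
            s, e = m.span()
            result[name] = {"content": m.group(0),
                            "context": payload[max(0, s - 16):e + 16]}
    return result


def choose_device(rule, healthy):
    """Device selection: the highest-priority device that passes the health
    check (master), otherwise the next one (backup)."""
    for dev in rule["devices"]:
        if healthy(dev):
            return dev["id"]
    raise RuntimeError("no security prevention and control device available")


def process(items, rule=ANALYSIS_RULE, healthy=lambda dev: True):
    """Step 43a before step 42a: apply the data selection rule first and scan
    only what qualifies as first target data.
    items: list of (attribute_info, payload).  Returns (targets, scans_done)."""
    targets, scans = [], 0
    for attrs, payload in items:
        if not rule["select"](attrs):
            continue                    # not first target data: never scanned
        scans += 1
        targets.append({"attributes": attrs,
                        "scan_result": scan(payload),
                        "analysed_by": choose_device(rule, healthy)})
    return targets, scans


# Constructed sample data: attribute information plus payload text.
SAMPLE_ITEMS = [
    ({"direction": "out", "size": 4096, "type": "text"},
     "backup bundle: -----BEGIN RSA PRIVATE KEY----- MIIEow..."),
    ({"direction": "in", "size": 4096, "type": "text"}, "11010519900307123X"),
    ({"direction": "out", "size": 200, "type": "text"}, "11010519900307123X"),
    ({"direction": "out", "size": 2048, "type": "text"}, "nothing sensitive here"),
]
```

With the selection rule applied first, the two items that can never reach analysis (inbound, or too small) are not scanned at all, and the outbound item with no hit still produces a first target data record whose scan result is blank, so the analysis device can tell "scanned, nothing matched" from "never scanned". Swapping the health check to report the local device 1031 as down routes the same records to the cloud device 1032 without touching the scanner.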
In this embodiment, after identifying the first target data, the data detection device may provide the first target data together with its attribute information and scan result information to at least one security prevention and control device, so that the at least one security prevention and control device can perform security analysis on the first target data according to that attribute information and scan result information.
In an optional embodiment, the distributed security detection system includes a data storage system and a log storage system, and the security prevention and control devices in the distributed security detection system include a first security prevention and control device deployed on the local end and a second security prevention and control device deployed in the cloud. On this basis, one implementation of step 44a includes: storing the first target data in the data storage system and providing the first storage address of the first target data in the data storage system to the first security prevention and control device; and writing the attribute information and scan result information of the first target data into the log storage system and providing their second storage address in the log storage system to the first security prevention and control device.
In an optional embodiment, the method of this embodiment further includes: when the data detection device cannot scan the data to be detected successfully according to the first scanning rule, storing the data to be detected in the data storage system, and sending a scan request to the second security prevention and control device so that the second security prevention and control device scans the data to be detected according to a second scanning rule.
Further, the method of this embodiment further includes: receiving, from the second security prevention and control device, the rules within the second scanning rule that the data to be detected matched, and updating the first scanning rule according to those matched rules.
Here, the second scanning rule refers to the scanning rule available to the second security prevention and control device; relative to the first scanning rule, it may be the most recent scanning rule and may be more comprehensive and complete. In an optional embodiment, the first scanning rule is the scanning rule configured on the local end of the data detection device, and the second scanning rule is the scanning rule configured in the cloud.
在一可选实施例中,本实施例的方法:在使用第一扫描规则和第一安全 分析规则之前,还包括:接收第一安全防控设备转发的来自第二安全防控设备的配置信息,该配置信息包括第一安全分析规则和第一扫描规则;根据配置信息,在本地配置第一扫描规则和第一安全分析规则。In an optional embodiment, the method of this embodiment: before using the first scanning rule and the first security analysis rule, further includes: receiving configuration information from the second security prevention and control device forwarded by the first security prevention and control device , The configuration information includes the first security analysis rule and the first scanning rule; according to the configuration information, the first scanning rule and the first security analysis rule are configured locally.
在本实施例中,数据检测设备与数据采集设备和安全防控设备相互配合,主要负责数据安全检测中的数据扫描,可实现数据采集、扫描与分析之间的分离,可将数据安全检测中的关键环节解耦,这样数据安全检测所需的资源被分散到多台设备上,不易产生资源瓶颈,有利于对大数据量的网络数据进行保护。In this embodiment, the data detection equipment cooperates with the data acquisition equipment and the safety prevention and control equipment, and is mainly responsible for the data scanning in the data safety detection, which can realize the separation between data collection, scanning and analysis, and can be used for data safety detection. The decoupling of the key links of data security detection, so that the resources required for data security detection are distributed to multiple devices, and it is not easy to cause resource bottlenecks, which is conducive to the protection of large amounts of network data.
FIG. 4b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application. The method is described from the perspective of any security prevention and control device in the distributed security detection system, in particular the first security prevention and control device. As shown in FIG. 4b, the method includes:
41b. Obtaining the first target data provided by the data detection device in the distributed security detection system, together with the attribute information and scan result information of the first target data; where the first target data is the data, among the data to be detected received by the data detection device, that meets the first security analysis rule.
42b. Performing security analysis on the first target data according to its attribute information and scan result information; the scan result information of the first target data is obtained by the data detection device scanning the first target data according to the first scanning rule.
For descriptions of the first target data and of its attribute information and scan result information, refer to the foregoing embodiments; they are not repeated here.
In an optional embodiment, the distributed security detection system includes a data storage system and a log storage system. Based on this, one implementation of step 41b includes: receiving a first storage address sent by the data detection device and reading the first target data from the data storage system of the distributed security detection system according to the first storage address; and receiving a second storage address sent by the data detection device and reading the attribute information and scan result information of the first target data from the log storage system of the distributed security detection system according to the second storage address. The first storage address is the storage address of the first target data in the data storage system. The second storage address is the storage address of the attribute information and scan result information of the first target data in the log storage system.
In an optional embodiment, the security prevention and control devices in the distributed security detection system include: a first security prevention and control device deployed locally and a second security prevention and control device deployed in the cloud. In this optional embodiment, when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, the second security prevention and control device can scan the data to be detected according to the second scanning rule, identify from the data to be detected the second target data that meets the second security analysis rule, and notify the first security prevention and control device to perform security analysis on the second target data.
Based on the above, the method of this embodiment further includes: receiving a notification message sent by the second security prevention and control device in the distributed security detection system; reading the attribute information and scan result information of the second target data from the log storage system of the distributed security detection system according to the notification message; and performing security analysis on the second target data according to its attribute information and scan result information; where the second target data is the data meeting the second security analysis rule that the second security prevention and control device identified from the data to be detected when the data detection device could not successfully scan that data according to the first scanning rule.
Here, the second scanning rule refers to a scanning rule that the second security prevention and control device can use; compared with the first scanning rule, the second scanning rule may be the most recent scanning rule, and may also be more comprehensive and complete. In an optional embodiment, the first scanning rule is a scanning rule configured locally on the data detection device, and the second scanning rule is a scanning rule configured in the cloud.
In an optional embodiment, the first security prevention and control device may also receive configuration information issued by the second security prevention and control device and forward it to the data detection device, so that the data detection device can configure the first scanning rule and the first security analysis rule locally.
For a detailed description of each step in this embodiment, refer to the foregoing system embodiment; it is not repeated here.
In this embodiment, the security prevention and control device cooperates with the data detection device and is mainly responsible for the security analysis part of data security detection. This separates data collection, scanning and analysis and decouples the key links of data security detection, so that the resources required for data security detection are spread across multiple devices, resource bottlenecks are less likely, and large volumes of network data can be protected.
FIG. 4c is a schematic flowchart of yet another data processing method provided by an exemplary embodiment of this application. The method is described from the perspective of the second security prevention and control device in the distributed security detection system. As shown in FIG. 4c, the method includes:
41c. Receiving a scan request sent by the data detection device in the distributed security detection system; the scan request is sent by the data detection device when it cannot successfully scan the data to be detected according to the first scanning rule.
42c. Reading the data to be detected from the data storage system of the distributed security detection system according to the scan request.
43c. Scanning the data to be detected according to the second scanning rule to obtain scan result information of the data to be detected.
In an optional embodiment, after the scan result information of the data to be detected is obtained, the method of this embodiment further includes: identifying from the data to be detected the second target data that meets the second security analysis rule; and performing security analysis on the second target data according to its attribute information and scan result information.
In an optional embodiment, after the scan result information of the data to be detected is obtained, the method of this embodiment further includes: identifying from the data to be detected the second target data that meets the second security analysis rule; writing the attribute information and scan result information of the second target data into the log storage system of the distributed security detection system; and notifying the first security prevention and control device in the distributed security detection system, so that the first security prevention and control device performs security analysis on the second target data according to that attribute information and scan result information.
In an optional embodiment, when the second scanning rule is matched by the data to be detected, the method of this embodiment further includes: sending the scanning rules in the second scanning rule that were matched by the data to be detected to the data detection device, so that the data detection device updates the first scanning rule.
Here, the second scanning rule refers to a scanning rule that the second security prevention and control device can use; compared with the first scanning rule, the second scanning rule may be the most recent scanning rule, and may also be more comprehensive and complete. In an optional embodiment, the first scanning rule is a scanning rule configured locally on the data detection device, and the second scanning rule is a scanning rule configured in the cloud.
For a detailed description of each step in this embodiment, refer to the foregoing system embodiment; it is not repeated here.
In this embodiment, the second security prevention and control device cooperates with the first security prevention and control device and the data detection device. It can be responsible for the security analysis and for managing the configuration information in data security detection, and can assist the data detection device with data scanning, which preserves the overall performance of the distributed security detection system on top of the separation of data collection, scanning and analysis.
It should be noted that all steps of the method provided in the above embodiments may be executed by the same device, or the method may be executed by different devices. For example, steps 41a to 44a may be executed by device A; as another example, steps 41a to 43a may be executed by device A and step 44a by device B; and so on.
In addition, some of the processes described in the above embodiments and drawings include multiple operations that appear in a particular order, but it should be clearly understood that these operations may be executed out of the order in which they appear here or in parallel. Operation numbers such as 41a and 42a serve only to distinguish the operations from one another; the numbers themselves do not imply any execution order. Furthermore, these processes may include more or fewer operations, and the operations may be executed sequentially or in parallel. It should also be noted that terms such as "first" and "second" in this document are used to distinguish different messages, devices, modules and so on; they do not indicate an order, nor do they require that a "first" item and a "second" item be of different types.
FIG. 4d is a schematic structural diagram of still another distributed security detection system provided by an exemplary embodiment of this application. As shown in FIG. 4d, the system includes: a producer module 41d, a consumer module 42d, a buffer module 43d and a cloud analysis module 44d.
The producer module 41d is mainly responsible for collecting the data to be detected and writing it into the buffer module 43d. Optionally, the producer module 41d can be deployed in any network environment that requires data security detection; for example, it can be deployed at a network node and collect the data to be detected from the network packets passing through that node. The network node here can be any device, link, subsystem or system that requires data security detection in any such network environment. There may be one producer module 41d or several.
The consumer module 42d monitors whether data to be detected has been written into the buffer module 43d; when it detects such a write, it reads the data to be detected from the buffer module 43d, scans it, and provides the first target data (the part of the data to be detected that requires security analysis) together with the attribute information and scan result information of the first target data to the cloud analysis module 44d. There may be one consumer module 42d or several.
This embodiment does not limit how the consumer module 42d scans the data to be detected; for example, the data may be scanned according to the first scanning rule. For a detailed description of scanning according to the first scanning rule, refer to the specific implementation in the foregoing embodiments in which the data detection device scans the data to be detected according to the first scanning rule; it is not repeated here.
Likewise, this embodiment does not limit how the consumer module 42d determines whether the data to be detected requires security detection; for example, this may be determined according to the first security analysis rule. For a detailed description of determining, according to the first security analysis rule, whether the data to be detected requires security detection, refer to the specific implementation in the foregoing embodiments in which the data detection device analyses this according to the first security analysis rule; it is not repeated here.
The cloud analysis module 44d performs security analysis on the first target data according to its attribute information and scan result information. This embodiment does not limit how the cloud analysis module 44d performs that analysis; refer to the implementation in the foregoing embodiments in which the security prevention and control device performs security analysis on the first target data, which is not repeated here.
In an optional embodiment, as shown in FIG. 4d, the system further includes an object storage system (OSS) 45d. The object storage system 45d provides storage services for the consumer module 42d and also serves as the intermediate storage medium through which the consumer module 42d and the cloud analysis module 44d interact. The consumer module 42d is specifically configured to write the first target data into the object storage system 45d and send the storage address, attribute information and scan result information of the first target data to the cloud analysis module 44d. The cloud analysis module 44d is specifically configured to read the first target data from the object storage system 45d according to its storage address and perform security analysis on it according to its attribute information and scan result information.
In an optional embodiment, the consumer module 42d internally comprises multiple threads, including but not limited to: a monitoring thread, a scanning thread, a local submission thread and a cloud submission thread. This multi-threaded design makes the module tunable. The consumer module 42d works as follows:
The monitoring thread monitors whether new data to be detected has been written into the buffer module 43d; when it detects a new write, it reads the newly written data to be detected into a message queue and sends a message to the scanning thread.
Triggered by that message, the scanning thread scans the data to be detected in the message queue according to the locally configured first scanning rule to obtain its scan result, and determines, according to the locally configured first security analysis rule, whether the data to be detected requires security analysis; if so, it sends a message to the local submission thread.
The local submission thread reads the data to be detected from the message queue, submits it as first target data to the object storage system 45d, obtains the storage address returned by the object storage system 45d, and provides the storage address, attribute information and scan result information of the first target data to the cloud submission thread.
The cloud submission thread submits the storage address, attribute information and scan result information of the first target data to the cloud analysis module 44d, which then performs security analysis on the first target data.
Further, the consumer module 42d may also include a cleanup thread that removes already-processed data to be detected from the message queue. The object storage system 45d likewise cleans out stale or unneeded data periodically.
Further, the consumer module 42d may also include a configuration monitoring thread that, when the first scanning rule and first security analysis rule used by the consumer module 42d have been updated, applies those updates to the rules the consumer module 42d uses.
For the working principle of the system provided in this embodiment and other related descriptions, refer to the foregoing embodiments, for example the embodiment shown in FIG. 3; they are not repeated here.
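The local-scan, cloud-fallback and rule-update flow described above for the data detection device (the consumer module), the first security prevention and control device and the second, cloud-side device, as an added example that is not the patent's own code: a single-process Python simulation in which storage addresses rather than the data itself travel between modules. The rule contents, the severity thresholds, keying rules by content type and deriving storage addresses from a content hash are all assumptions, and the consumer module's threads are collapsed into sequential calls.

```python
import hashlib
import json
import re
from collections import deque

# Constructed scanning rules, keyed by content type then rule name (the patent gives none).
FIRST_SCAN_RULES = {"text": {"phone": r"\b1[3-9]\d{9}\b"}}
SECOND_SCAN_RULES = {  # the cloud-side set is a superset of the local one
    "text": {"phone": r"\b1[3-9]\d{9}\b", "id_card": r"\b\d{17}[\dXx]\b"},
    "json": {"token": r'"token"\s*:\s*"[A-Za-z0-9]{16,}"'},
}

class ScanError(Exception):
    """The rule set in use cannot scan this record (no rules for its content type)."""

def scan(record, rules):
    """Apply every rule for the record's content type; returns {rule_name: hit_count}."""
    type_rules = rules.get(record["content_type"])
    if type_rules is None:
        raise ScanError("no scanning rule for content type %r" % record["content_type"])
    return {name: len(re.findall(pat, record["payload"])) for name, pat in type_rules.items()}

def security_analysis_rule(scan_result):
    """Constructed analysis rule, reused by both devices: any hit makes the record target data."""
    return any(scan_result.values())

class KeyValueStore:
    """Stands in for the data storage system (OSS) and the log storage system alike; the
    returned address, not the stored value, is what the devices pass to each other."""
    def __init__(self):
        self._items = {}
    def put(self, value):
        addr = hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()[:16]
        self._items[addr] = value
        return addr
    def get(self, addr):
        return self._items[addr]

class FirstSecurityDevice:
    """Local security prevention and control device: analyses target data fetched by address."""
    def __init__(self, data_store, log_store):
        self.data_store, self.log_store = data_store, log_store
    def analyse(self, data_addr, log_addr):
        record, log = self.data_store.get(data_addr), self.log_store.get(log_addr)
        return "high" if sum(log["scan_result"].values()) >= 2 else "low"  # constructed severity

class SecondSecurityDevice:
    """Cloud device: fuller rule set, rule push-back, and notification of the first device."""
    def __init__(self, data_store, log_store, first_device):
        self.data_store, self.log_store, self.first_device = data_store, log_store, first_device
    def handle_scan_request(self, data_addr, attributes, detection_device):
        record = self.data_store.get(data_addr)
        result = scan(record, SECOND_SCAN_RULES)
        ctype = record["content_type"]
        matched = {n: p for n, p in SECOND_SCAN_RULES[ctype].items() if result[n]}
        if matched:  # only the rules the data actually matched are sent back
            detection_device.update_first_rules(ctype, matched)
        if not security_analysis_rule(result):
            return None
        log_addr = self.log_store.put({"attributes": attributes, "scan_result": result})
        return self.first_device.analyse(data_addr, log_addr)  # stands in for the notification

class DataDetectionDevice:
    """Consumer module: local scan, hand-off by storage address, escalation to the cloud."""
    def __init__(self, buffer, data_store, log_store, first_device, second_device):
        self.buffer, self.data_store, self.log_store = buffer, data_store, log_store
        self.first_device, self.second_device = first_device, second_device
        self.rules = {k: dict(v) for k, v in FIRST_SCAN_RULES.items()}  # private, updatable copy
    def update_first_rules(self, ctype, matched):
        self.rules.setdefault(ctype, {}).update(matched)
    def process_one(self):
        record = self.buffer.popleft()
        attributes = {"source": record["source"], "content_type": record["content_type"]}
        try:
            result = scan(record, self.rules)
        except ScanError:  # cannot scan locally: store the record, then ask the cloud device
            data_addr = self.data_store.put(record)
            return self.second_device.handle_scan_request(data_addr, attributes, self)
        if not security_analysis_rule(result):
            return None  # not target data: nothing is stored or forwarded
        data_addr = self.data_store.put(record)
        log_addr = self.log_store.put({"attributes": attributes, "scan_result": result})
        return self.first_device.analyse(data_addr, log_addr)

# Constructed records, as a producer module would write them into the buffer.
SAMPLE_RECORDS = [
    {"source": "node-a", "content_type": "text", "payload": "call me at 13812345678"},
    {"source": "node-a", "content_type": "text", "payload": "nothing sensitive here"},
    {"source": "node-b", "content_type": "json", "payload": '{"user": "alice", "token": "abcdefghij1234567890"}'},
    {"source": "node-b", "content_type": "json", "payload": '{"token": "abcdefghij1234567890", "refresh": {"token": "zyxwvutsrq0987654321"}}'},
]

def run_pipeline(records):
    """Wire the modules together, drain the buffer, and return (severity per record, local rules)."""
    data_store, log_store = KeyValueStore(), KeyValueStore()
    first = FirstSecurityDevice(data_store, log_store)
    second = SecondSecurityDevice(data_store, log_store, first)
    detector = DataDetectionDevice(deque(records), data_store, log_store, first, second)
    severities = [detector.process_one() for _ in records]
    return severities, detector.rules
```

The third record cannot be scanned locally and is escalated; the matched cloud rule is pushed back, so the fourth record of the same type is scanned locally without a second round trip.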
FIG. 5 is a schematic structural diagram of a data detection device provided by an exemplary embodiment of this application. As shown in FIG. 5, the device includes: a memory 51, a processor 52 and a communication component 53.
The memory 51 stores a computer program and can be configured to store various other data to support operation of the data detection device. Examples of such data include instructions for any application or method operating on the data detection device, messages, pictures, videos, and the first scanning rule and first security analysis rule.
The processor 52, coupled to the memory 51, executes the computer program in the memory 51 in order to: receive, through the communication component 53, the data to be detected sent by the data collection device in the distributed security detection system; scan the data to be detected according to the first scanning rule to obtain its scan result information; determine, according to the first security analysis rule, the first target data among the data to be detected that meets the first security analysis rule; and provide the first target data together with its attribute information and scan result information to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device performs security analysis on the first target data.
In an optional embodiment, the distributed security detection system includes a data storage system and a log storage system, and the security prevention and control devices in the distributed security detection system include a first security prevention and control device deployed locally and a second security prevention and control device deployed in the cloud. Based on this, when providing the first target data together with its attribute information and scan result information to at least one security prevention and control device in the distributed security detection system, the processor 52 is specifically configured to: store the first target data in the data storage system and provide the first storage address of the first target data in the data storage system to the first security prevention and control device; and write the attribute information and scan result information of the first target data into the log storage system and provide the second storage address of that attribute information and scan result information in the log storage system to the first security prevention and control device.
In an optional embodiment, the processor 52 is further configured to: when the data to be detected cannot be successfully scanned according to the first scanning rule, store the data to be detected in the data storage system; and send, through the communication component 53, a scan request to the second security prevention and control device so that the second security prevention and control device scans the data to be detected according to the second scanning rule.
In an optional embodiment, the processor 52 is further configured to: receive, through the communication component 53, from the second security prevention and control device those scanning rules in the second scanning rule that were matched by the data to be detected; and update the first scanning rule according to those matched scanning rules.
Here, the second scanning rule refers to a scanning rule that the second security prevention and control device can use; compared with the first scanning rule, the second scanning rule may be the most recent scanning rule, and may also be more comprehensive and complete. In an optional embodiment, the first scanning rule is a scanning rule configured locally on the data detection device, and the second scanning rule is a scanning rule configured in the cloud.
In an optional embodiment, the processor 52 is further configured to: before the first scanning rule and the first security analysis rule are used, receive through the communication component 53 configuration information that originates from the second security prevention and control device and is forwarded by the first security prevention and control device, the configuration information including the first security analysis rule and the first scanning rule; and configure the first scanning rule and the first security analysis rule locally according to the configuration information.
Further, as shown in FIG. 5, the data detection device also includes other components such as a display 54, a power supply component 55 and an audio component 56. FIG. 5 shows only some components schematically; it does not mean that the data detection device includes only the components shown in FIG. 5. In addition, the components inside the dashed box in FIG. 5 are optional rather than mandatory, depending on the product form of the data detection device. The data detection device of this embodiment may be implemented as a terminal device such as a desktop computer, laptop, smartphone or IoT device, or as a server-side device such as a conventional server, cloud server or server array. If implemented as a terminal device such as a desktop computer, laptop or smartphone, it may include the components inside the dashed box in FIG. 5; if implemented as a server-side device such as a conventional server, cloud server or server array, it may omit the components inside the dashed box in FIG. 5.
Correspondingly, an embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the steps of the method embodiment shown in FIG. 4a.
图6为本申请示例性实施例提供的一种安全防控设备的结构示意图。本实施例的安全防控设备可以是分布式安全检测系统中任一安全防控设备实现,尤其可以作为第一安全防控设备实现。如图6所示,该设备包括:存储器61、处理器62以及通信组件63。FIG. 6 is a schematic structural diagram of a safety prevention and control device provided by an exemplary embodiment of this application. The safety prevention and control device of this embodiment may be implemented by any safety prevention and control device in the distributed safety detection system, and in particular may be implemented as the first safety prevention and control device. As shown in FIG. 6, the device includes: a memory 61, a processor 62, and a communication component 63.
存储器61,用于存储计算机程序,并可被配置为存储其它各种数据以支持在安全防控设备上的操作。这些数据的示例包括用于在安全防控设备上操作的任何应用程序或方法的指令,联系人数据,电话簿数据,消息,图片,视频等。The memory 61 is used to store computer programs, and can be configured to store other various data to support operations on the security prevention and control equipment. Examples of these data include instructions for any application or method operated on the security prevention and control device, contact data, phone book data, messages, pictures, videos, etc.
处理器62,耦合至存储器61,用于执行存储器61中的计算机程序,以用于:获取分布式安全检测系统中的数据检测设备提供的第一目标数据以及所述第一目标数据的属性信息和扫描结果信息;根据所述第一目标数据的属性信息和扫描结果信息,对所述第一目标数据进行安全性分析;其中,所述第一目标数据是所述数据检测设备接收到的待检测数据中符合第一安全分析规则的数据,所述第一目标数据的扫描结果信息是所述数据检测设备根据其第一扫描规则对所述第一目标数据进行扫描得到的。The processor 62, coupled to the memory 61, is configured to execute a computer program in the memory 61 to obtain the first target data provided by the data detection device in the distributed security detection system and the attribute information of the first target data And scan result information; perform a security analysis on the first target data according to the attribute information and scan result information of the first target data; wherein, the first target data is the to-be-received data detection device The detected data meets the first safety analysis rule, and the scanning result information of the first target data is obtained by scanning the first target data by the data detection device according to its first scanning rule.
In an optional embodiment, the distributed security detection system includes a data storage system and a log storage system. On this basis, when obtaining the first target data provided by the data detection device in the distributed security detection system and the attribute information and scan result information of the first target data, the processor 62 is specifically configured to: receive, through the communication component 63, a first storage address sent by the data detection device, and read the first target data from the data storage system in the distributed security detection system according to the first storage address; and receive a second storage address sent by the data detection device, and read the attribute information and scan result information of the first target data from the log storage system in the distributed security detection system according to the second storage address. The first storage address is the storage address of the first target data in the data storage system; the second storage address is the storage address of the attribute information and scan result information of the first target data in the log storage system.
In an optional embodiment, the security prevention and control device of this embodiment is implemented as the first security prevention and control device deployed at the local end in the distributed security detection system. In addition, the distributed security detection system further includes a second security prevention and control device deployed in the cloud. In this optional embodiment, when the data detection device cannot successfully scan the to-be-detected data according to the first scanning rule, the second security prevention and control device can scan the to-be-detected data according to a second scanning rule, identify from the to-be-detected data second target data that meets a second security analysis rule, and notify the first security prevention and control device to perform security analysis on the second target data.
Based on the above, the processor 62 is further configured to: receive, through the communication component 63, a notification message sent by the second security prevention and control device in the distributed security detection system; according to the notification message, read the attribute information and scan result information of the second target data from the log storage system in the distributed security detection system; and perform security analysis on the second target data according to the attribute information and scan result information of the second target data. Here the second target data is the data that meets the second security analysis rule and is identified from the to-be-detected data by the second security prevention and control device when the data detection device cannot successfully scan the to-be-detected data according to the first scanning rule.
The second scanning rule refers to a scanning rule that the second security prevention and control device is able to use; compared with the first scanning rule, the second scanning rule may be the latest scanning rule, or may be more comprehensive and complete. In an optional embodiment, the first scanning rule is a scanning rule configured at the local end of the data detection device, and the second scanning rule is a scanning rule configured in the cloud.
In an optional embodiment, the processor 62 is further configured to: receive, through the communication component 63, configuration information delivered by the second security prevention and control device, and forward the configuration information to the data detection device so that the data detection device locally configures the first scanning rule and the first security analysis rule.
Further, as shown in FIG. 6, the security prevention and control device further includes other components such as a display 64, a power supply component 65, and an audio component 66. Only some components are shown schematically in FIG. 6, which does not mean that the security prevention and control device includes only the components shown in FIG. 6. In addition, the components in the dashed box in FIG. 6 are optional rather than mandatory, depending on the product form of the security prevention and control device. The security prevention and control device of this embodiment may be implemented as a terminal device such as a desktop computer, a notebook computer, a smartphone, or an IoT device, or as a server-side device such as a conventional server, a cloud server, or a server array. If the security prevention and control device of this embodiment is implemented as a terminal device such as a desktop computer, notebook computer, or smartphone, it may include the components in the dashed box in FIG. 6; if it is implemented as a server-side device such as a conventional server, cloud server, or server array, it may omit the components in the dashed box in FIG. 6.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it causes the processor to implement the steps of the method embodiment shown in FIG. 4b above.
FIG. 7 is a schematic structural diagram of another security prevention and control device provided by an exemplary embodiment of this application. The security prevention and control device of this embodiment may be implemented as the second security prevention and control device in the distributed security detection system. As shown in FIG. 7, the device includes: a memory 71, a processor 72, and a communication component 73.
The memory 71 is configured to store a computer program and may be configured to store various other data to support operations on the security prevention and control device. Examples of such data include instructions for any application or method operated on the security prevention and control device, contact data, phone book data, messages, pictures, videos, and the like.
The processor 72 is coupled to the memory 71 and configured to execute the computer program in the memory 71 so as to: receive, through the communication component 73, a scan request sent by a data detection device in the distributed security detection system, the scan request being sent by the data detection device when it cannot successfully scan the to-be-detected data according to the first scanning rule; read the to-be-detected data from the data storage system in the distributed security detection system according to the scan request; and scan the to-be-detected data according to a second scanning rule to obtain scan result information of the to-be-detected data.
In an optional embodiment, the processor 72 is further configured to: after obtaining the scan result information of the to-be-detected data, identify from the to-be-detected data second target data that meets a second security analysis rule; and perform security analysis on the second target data according to the attribute information and scan result information of the second target data.
In an optional embodiment, the processor 72 is further configured to: after obtaining the scan result information of the to-be-detected data, identify from the to-be-detected data second target data that meets a second security analysis rule; write the attribute information and scan result information of the second target data into the log storage system in the distributed security detection system; and notify the first security prevention and control device in the distributed security detection system, so that the first security prevention and control device performs security analysis on the second target data according to the attribute information and scan result information of the second target data.
The second scanning rule refers to a scanning rule that the security prevention and control device provided in this embodiment is able to use; compared with the first scanning rule, the second scanning rule may be the latest scanning rule, or may be more comprehensive and complete. In an optional embodiment, the first scanning rule is a scanning rule configured at the local end of the data detection device, and the second scanning rule is a scanning rule configured in the cloud.
In an optional embodiment, the processor 72 is further configured to: when the to-be-detected data matches the second scanning rule, send the scanning rules within the second scanning rule that the to-be-detected data matched to the data detection device, so that the data detection device updates the first scanning rule.
In an optional embodiment, the processor 72 is further configured to: deliver configuration information to the first security prevention and control device through the communication component 73, so that the first security prevention and control device forwards the configuration information to the data detection device, which in turn locally configures the first scanning rule and the first security analysis rule.
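The two-tier flow described above for the data detection device and the first (local) and second (cloud) security prevention and control devices, as an added in-process model that is not part of the patent: scan with the first rules, escalate to the cloud device when they fail, exchange storage addresses rather than the data itself, notify the local device, push matched rules back, and run a frequency check on the local side. It assumes in-memory stand-ins for the data and log storage systems, regular expressions as scanning rules, and treats "no first rule matched" as the "cannot be successfully scanned" condition; all rules, payloads, addresses and the alert threshold are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample rules (rule id -> regex); the local copy lags behind the cloud copy.
LOCAL_RULES = {"R-001": r"(?i)union\s+select"}
CLOUD_RULES = {"R-001": r"(?i)union\s+select", "R-002": r"(?i)<script\b", "R-003": r"\.\./\.\./"}


class DataStorage:
    """Stand-in for the data storage system: keeps payloads and hands back an address."""
    def __init__(self):
        self._objects = {}

    def put(self, payload: bytes) -> str:
        addr = f"store://to-detect/{len(self._objects):06d}"  # the "first storage address"
        self._objects[addr] = payload
        return addr

    def get(self, addr: str) -> bytes:
        return self._objects[addr]


class LogStorage:
    """Stand-in for the log storage system: keeps attribute + scan result records."""
    def __init__(self):
        self._records = []

    def write(self, record: dict) -> int:
        self._records.append(record)
        return len(self._records) - 1  # the "second storage address"

    def read(self, addr: int) -> dict:
        return self._records[addr]


def match_rules(rules: dict, payload: bytes) -> list:
    # Return the ids of every rule whose pattern matches the payload (the "scan result").
    text = payload.decode("utf-8", errors="replace")
    return [rid for rid, pattern in rules.items() if re.search(pattern, text)]


@dataclass
class LocalSecurityDevice:
    """First security prevention and control device: reads by address, runs a frequency check."""
    data_store: DataStorage
    log_store: LogStorage
    max_hits: int = 3  # constructed threshold for the "frequency within a time period" analysis
    hits: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)

    def analyze(self, data_addr: str, log_addr: int) -> bool:
        record = self.log_store.read(log_addr)
        self.data_store.get(data_addr)  # target data is fetched by address, never pushed in full
        key = (record["attrs"]["src"], tuple(record["matched"]))
        self.hits[key] += 1
        if self.hits[key] > self.max_hits:
            self.alerts.append(key)
            return True
        return False


@dataclass
class CloudSecurityDevice:
    """Second security prevention and control device: fuller rule set, notifies the local device."""
    rules: dict
    data_store: DataStorage
    log_store: LogStorage
    local: LocalSecurityDevice

    def handle_scan_request(self, data_addr: str, attrs: dict) -> dict:
        matched = match_rules(self.rules, self.data_store.get(data_addr))
        if not matched:
            return {}
        log_addr = self.log_store.write({"attrs": attrs, "matched": matched, "scanned_by": "cloud"})
        self.local.analyze(data_addr, log_addr)  # the notification carries both addresses
        return {rid: self.rules[rid] for rid in matched}  # matched rules go back to the detector


@dataclass
class DataDetectionDevice:
    """Data detection device: scans with the first rules, escalates to the cloud when none match."""
    rules: dict
    data_store: DataStorage
    log_store: LogStorage
    local: LocalSecurityDevice
    cloud: CloudSecurityDevice

    def scan(self, payload: bytes, attrs: dict) -> tuple:
        matched = match_rules(self.rules, payload)
        data_addr = self.data_store.put(payload)
        if matched:
            log_addr = self.log_store.write({"attrs": attrs, "matched": matched, "scanned_by": "local"})
            self.local.analyze(data_addr, log_addr)
            return "local", matched
        update = self.cloud.handle_scan_request(data_addr, attrs)
        self.rules.update(update)  # the first scanning rule is updated with what the cloud matched
        return ("cloud", sorted(update)) if update else ("clean", [])


def build_system() -> DataDetectionDevice:
    # Wire one detector plus local and cloud security devices around shared storage.
    data_store, log_store = DataStorage(), LogStorage()
    local = LocalSecurityDevice(data_store, log_store)
    cloud = CloudSecurityDevice(dict(CLOUD_RULES), data_store, log_store, local)
    return DataDetectionDevice(dict(LOCAL_RULES), data_store, log_store, local, cloud)
```

After one cloud escalation the detector's own rule set contains the rule the cloud matched, so the next payload of the same kind is handled locally without a scan request.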
Further, as shown in FIG. 7, the security prevention and control device further includes other components such as a display 74, a power supply component 75, and an audio component 76. Only some components are shown schematically in FIG. 7, which does not mean that the security prevention and control device includes only the components shown in FIG. 7. In addition, the components in the dashed box in FIG. 7 are optional rather than mandatory, depending on the product form of the security prevention and control device. The security prevention and control device of this embodiment may be implemented as a terminal device such as a desktop computer, a notebook computer, a smartphone, or an IoT device, or as a server-side device such as a conventional server, a cloud server, or a server array. If the security prevention and control device of this embodiment is implemented as a terminal device such as a desktop computer, notebook computer, or smartphone, it may include the components in the dashed box in FIG. 7; if it is implemented as a server-side device such as a conventional server, cloud server, or server array, it may omit the components in the dashed box in FIG. 7.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it causes the processor to implement the steps of the method embodiment shown in FIG. 4c above.
The memory in FIGs. 5 to 7 above may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk, or an optical disc.
The communication component in FIGs. 5 to 7 above is configured to facilitate wired or wireless communication between the device in which it is located and other devices. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, a 2G, 3G, 4G/LTE or 5G mobile communication network, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component may further include a near field communication (NFC) module, radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and the like.
The display in FIGs. 5 to 7 above includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or swipe action but also the duration and pressure associated with the touch or swipe operation.
The power supply component in FIGs. 5 to 7 above provides power to the various components of the device in which it is located. The power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power supply component is located.
The audio component in FIGs. 5 to 7 above may be configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC) that is configured to receive external audio signals when the device in which the audio component is located is in an operating mode such as a call mode, a recording mode, or a voice recognition mode. The received audio signal may be further stored in the memory or sent via the communication component. In some embodiments, the audio component further includes a speaker for outputting audio signals.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of computer-readable media such as non-persistent memory, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, which may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include", or any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article, or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article, or device that includes the element.
The foregoing descriptions are merely embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and changes. Any modification, equivalent replacement, improvement, and the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.

Claims (34)

  1. A distributed security detection system, characterized by comprising: at least one data collection device, at least one data detection device, and at least one security prevention and control device;
    the at least one data collection device is configured to collect to-be-detected data from network packets passing through a network node, and distribute the to-be-detected data to the at least one data detection device;
    the at least one data detection device is configured to scan the to-be-detected data according to a first scanning rule, and provide first target data in the to-be-detected data that meets a first security analysis rule, together with attribute information and scan result information of the first target data, to the at least one security prevention and control device;
    the at least one security prevention and control device is configured to perform security analysis on the first target data according to the attribute information and scan result information of the first target data.
  2. The system according to claim 1, characterized by further comprising: a data storage system;
    the at least one data detection device is specifically configured to: store the first target data in the data storage system, and provide a first storage address of the first target data in the data storage system to the at least one security prevention and control device;
    the at least one security prevention and control device is further configured to: before performing security analysis on the first target data, read the first target data from the data storage system according to the first storage address.
  3. The system according to claim 2, characterized by further comprising: a log storage system;
    the at least one data detection device is specifically configured to: write the attribute information and scan result information of the first target data into the log storage system, and provide a second storage address of the attribute information and scan result information of the first target data in the log storage system to the at least one security prevention and control device;
    the at least one security prevention and control device is further configured to: before performing security analysis on the first target data, read the attribute information and scan result information of the first target data from the log storage system according to the second storage address.
  4. The system according to claim 3, characterized in that the at least one security prevention and control device comprises: a first security prevention and control device deployed at the local end;
    the at least one data detection device is specifically configured to: send the first storage address and the second storage address to the first security prevention and control device, so that the first security prevention and control device performs security analysis on the first target data.
  5. The system according to claim 4, characterized in that the at least one security prevention and control device further comprises: a second security prevention and control device deployed in the cloud;
    the at least one data detection device is further configured to: when the to-be-detected data cannot be successfully scanned according to the first scanning rule, store the to-be-detected data in the data storage system and send a scan request to the second security prevention and control device;
    the second security prevention and control device is further configured to: read the to-be-detected data from the data storage system according to the scan request, and scan the to-be-detected data according to a second scanning rule to obtain scan result information of the to-be-detected data.
  6. The system according to claim 5, characterized in that the second security prevention and control device is further configured to: identify from the to-be-detected data second target data that meets a second security analysis rule, and perform security analysis on the second target data according to attribute information and scan result information of the second target data.
  7. The system according to claim 5, characterized in that the second security prevention and control device is further configured to: identify from the to-be-detected data second target data that meets a second security analysis rule, write attribute information and scan result information of the second target data into the log storage system, and notify the first security prevention and control device to perform security analysis on the second target data;
    the first security prevention and control device is further configured to: according to the notification from the second security prevention and control device, read the attribute information and scan result information of the second target data from the log storage system, and perform security analysis on the second target data according to the attribute information and scan result information of the second target data.
  8. The system according to claim 5, characterized in that the second security prevention and control device is further configured to: when the to-be-detected data matches the second scanning rule, send the scanning rules within the second scanning rule that the to-be-detected data matched to the at least one data detection device, so that the at least one data detection device updates the first scanning rule.
  9. The system according to claim 5, characterized in that the second security prevention and control device is further configured to: deliver configuration information to the first security prevention and control device, the configuration information comprising the first scanning rule and the first security analysis rule;
    the first security prevention and control device is further configured to: forward the configuration information to the at least one data detection device, so that the at least one data detection device locally configures the first scanning rule and the first security analysis rule.
  10. The system according to claim 3, characterized in that the data storage system and the log storage system are deployed in the cloud.
  11. The system according to claim 10, characterized in that the data storage system is an OSS, and the log storage system is an SLS-based log system.
  12. The system according to any one of claims 1-11, characterized in that the at least one data collection device is specifically configured to: perform protocol parsing on network packets passing through the network node, and generate the to-be-detected data from payload data parsed out of the network packets.
  13. The system according to any one of claims 1-11, characterized in that the at least one data collection device is specifically configured to: when to-be-detected data is collected, determine a target data detection device from the at least one data detection device according to processing capability and/or load information of the at least one data detection device, and write the to-be-detected data into a data buffer of the target data detection device.
  14. The system according to claim 13, characterized in that the at least one data detection device is specifically configured to: when new to-be-detected data is written into the local data buffer, scan the to-be-detected data newly written into the local data buffer according to the first scanning rule.
  15. 根据权利要求1-11任一项所述的系统,其特征在于,所述至少一台安全防控设备具体用于执行以下至少一种安全性分析操作:The system according to any one of claims 1-11, wherein the at least one safety prevention and control device is specifically configured to perform at least one of the following safety analysis operations:
    根据所述第一目标数据的属性信息和扫描结果信息,分析所述第一目标数据在一定时间段内出现的频率是否符合设定的频度要求;According to the attribute information and scanning result information of the first target data, analyze whether the frequency of the first target data in a certain period of time meets the set frequency requirement;
    根据所述第一目标数据的属性信息和扫描结果信息,分析所述第一目标 数据在一定时间段内的访问量是否符合设定的访问量要求;According to the attribute information of the first target data and the scanning result information, analyze whether the visit volume of the first target data in a certain period of time meets the set visit volume requirement;
    根据所述第一目标数据的属性信息和扫描结果信息,分析所述第一目标数据的访问者的权限是否属于设定合法权限;According to the attribute information of the first target data and the scanning result information, analyze whether the permission of the visitor of the first target data belongs to the set legal permission;
    根据所述第一目标数据的属性信息和扫描结果信息,分析所述第一目标数据的接收地址是否属于设定的合法接收地址;Analyze whether the receiving address of the first target data belongs to the set legal receiving address according to the attribute information and the scanning result information of the first target data;
    根据所述第一目标数据的属性信息和扫描结果信息,分析所述第一目标数据的传输时间是否属于在合理时间范围内;According to the attribute information and scanning result information of the first target data, analyze whether the transmission time of the first target data is within a reasonable time range;
    以及在任一种分析操作的分析结果为否的情况下,确定所述第一目标数据存在信息泄露风险。And in a case where the analysis result of any analysis operation is negative, it is determined that the first target data has an information leakage risk.
  16. 根据权利要求15所述的系统,其特征在于,所述至少一台安全防控设备还用于:在确定所述第一目标数据存在信息泄露风险的情况下,通知所述第一目标数据经过的网络节点对与所述第一目标数据对应的网络报文进行拦截处理。The system according to claim 15, wherein the at least one security prevention and control device is further configured to: in the case where it is determined that the first target data is at risk of information leakage, notify the first target data to pass through The network node of performs interception processing on the network message corresponding to the first target data.
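The five checks of claim 15 and the interception step of claim 16, carried through on constructed records as an added illustration; this is not code from the patent. The record fields, the policy thresholds, the reading of "frequency" and "access volume" as per-item counts inside a sliding window, and the sample events are all assumptions made for the example.

```python
"""Security analysis operations of claims 15 and 16.

Added illustration, not code from the patent. The record fields, the
policy thresholds, the notion that 'frequency' and 'access volume' are
counted per matched data item inside a sliding window, and the sample
events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class TargetRecord:
    """Attribute and scan-result information a detection device hands over."""
    data_id: str          # identifies the matched sensitive content (assumed key)
    node: str             # network node the packet passed through
    sent_at: datetime     # transmission time
    accessor: str         # permission/role of the party accessing the data
    receiver: str         # destination (receiving) address
    bytes_out: int        # payload size, used for the access-volume check
    scan_hits: tuple      # ids of the first scanning rules that matched


@dataclass
class Policy:
    window: timedelta = timedelta(minutes=10)
    max_freq: int = 3                  # occurrences of one data_id per window
    max_volume: int = 1_000_000        # bytes of one data_id per window
    legal_permissions: frozenset = frozenset({"dba", "backup-service"})
    legal_receivers: tuple = (ip_network("10.0.0.0/8"),)
    work_hours: tuple = (8, 20)        # transmissions expected from 08:00 to 19:59


def analyze(records, policy):
    """Run the five checks of claim 15 on every record, in time order.

    Returns a list of findings; 'failed' lists the checks that came out
    negative and 'leak_risk' is True when any of them did.
    """
    findings = []
    history = defaultdict(list)       # data_id -> [(sent_at, bytes_out)] in window
    for r in sorted(records, key=lambda x: x.sent_at):
        hist = history[r.data_id]
        hist[:] = [(t, b) for t, b in hist if r.sent_at - t < policy.window]
        hist.append((r.sent_at, r.bytes_out))
        failed = []
        if len(hist) > policy.max_freq:
            failed.append("frequency")
        if sum(b for _, b in hist) > policy.max_volume:
            failed.append("volume")
        if r.accessor not in policy.legal_permissions:
            failed.append("permission")
        if not any(ip_address(r.receiver) in net for net in policy.legal_receivers):
            failed.append("receiver")
        if not policy.work_hours[0] <= r.sent_at.hour < policy.work_hours[1]:
            failed.append("time")
        findings.append({"record": r, "failed": failed, "leak_risk": bool(failed)})
    return findings


def intercept_orders(findings):
    """Claim 16: for each risky record, tell the node it traversed to block the packet."""
    return [(f["record"].node, f["record"].data_id) for f in findings if f["leak_risk"]]


T0 = datetime(2019, 11, 20, 10, 0)
SAMPLE = [  # constructed records, as a detection device would log them
    TargetRecord("cust-pii-export", "edge-1", T0, "dba", "10.1.2.3", 200_000, ("R-PII-01",)),
    TargetRecord("cust-pii-export", "edge-1", T0 + timedelta(minutes=1), "dba", "10.1.2.3", 200_000, ("R-PII-01",)),
    TargetRecord("cust-pii-export", "edge-2", T0 + timedelta(minutes=2), "intern", "203.0.113.9", 900_000, ("R-PII-01",)),
    TargetRecord("build-log", "edge-3", T0 + timedelta(hours=14), "backup-service", "10.9.9.9", 1_000, ("R-LOG-07",)),
]


def run_sample(policy=Policy()):
    return analyze(SAMPLE, policy)


if __name__ == "__main__":
    for f in run_sample():
        print(f["record"].data_id, f["record"].node, f["failed"])
    print(intercept_orders(run_sample()))
```

The third record fails three checks at once (volume over the window, an accessor outside the legal set, a receiver outside the legal range) and the fourth fails only the time check; both produce an interception order for the node they traversed, while the first two pass cleanly.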
  17. A data processing method, applicable to a data detection device in a distributed security detection system, the method comprising:
    receiving data to be detected sent by a data collection device in the distributed security detection system;
    scanning the data to be detected according to a first scanning rule to obtain scan result information of the data to be detected;
    determining, according to a first security analysis rule, first target data in the data to be detected that meets the first security analysis rule;
    providing the first target data, together with the attribute information and scan result information of the first target data, to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device performs security analysis on the first target data.
  18. The method according to claim 17, wherein providing the first target data, together with its attribute information and scan result information, to the at least one security prevention and control device in the distributed security detection system comprises:
    storing the first target data in a data storage system, and providing the first storage address of the first target data in the data storage system to a first security prevention and control device;
    writing the attribute information and scan result information of the first target data into a log storage system, and providing the second storage address of that attribute information and scan result information in the log storage system to the first security prevention and control device;
    wherein the first security prevention and control device is the security prevention and control device, among the at least one security prevention and control device, that is deployed at the local end.
  19. The method according to claim 18, wherein the at least one security prevention and control device comprises a second security prevention and control device deployed in the cloud, and the method further comprises:
    when the data to be detected cannot be successfully scanned according to the first scanning rule, storing the data to be detected in the data storage system; and
    sending a scan request to the second security prevention and control device, so that the second security prevention and control device scans the data to be detected according to a second scanning rule.
  20. The method according to claim 19, wherein, when the data to be detected matches the second scanning rule, the method further comprises:
    receiving, from the second security prevention and control device, the scanning rules within the second scanning rule that the data to be detected matched;
    updating the first scanning rule according to those matched scanning rules.
  21. The method according to claim 19, further comprising:
    receiving configuration information originating from the second security prevention and control device and forwarded by the first security prevention and control device, the configuration information including the first security analysis rule and the first scanning rule;
    configuring the first scanning rule and the first security analysis rule locally according to the configuration information.
  22. A data processing method, applicable to a first security prevention and control device in a distributed security detection system, the method comprising:
    acquiring first target data provided by a data detection device in the distributed security detection system, together with the attribute information and scan result information of the first target data;
    performing security analysis on the first target data according to its attribute information and scan result information;
    wherein the first target data is the data, among the data to be detected received by the data detection device, that meets a first security analysis rule, and the scan result information of the first target data is obtained by the data detection device scanning the first target data according to a first scanning rule.
  23. The method according to claim 22, wherein acquiring the first target data provided by the data detection device in the distributed security detection system, together with its attribute information and scan result information, comprises:
    receiving a first storage address sent by the data detection device, and reading the first target data from the data storage system in the distributed security detection system according to the first storage address;
    receiving a second storage address sent by the data detection device, and reading the attribute information and scan result information of the first target data from the log storage system in the distributed security detection system according to the second storage address.
  24. The method according to claim 22 or 23, further comprising:
    receiving a notification message sent by a second security prevention and control device in the distributed security detection system;
    reading, according to the notification message, the attribute information and scan result information of second target data from the log storage system in the distributed security detection system;
    performing security analysis on the second target data according to its attribute information and scan result information;
    wherein the second target data is the data meeting a second security analysis rule that the second security prevention and control device identified from the data to be detected when the data detection device could not successfully scan the data to be detected according to the first scanning rule.
  25. A data processing method, applicable to a second security prevention and control device in a distributed security detection system, the method comprising:
    receiving a scan request sent by a data detection device in the distributed security detection system, the scan request being sent by the data detection device when it cannot successfully scan data to be detected according to a first scanning rule;
    reading the data to be detected from the data storage system in the distributed security detection system according to the scan request;
    scanning the data to be detected according to a second scanning rule to obtain scan result information of the data to be detected.
  26. The method according to claim 25, further comprising, after the scan result information of the data to be detected has been obtained:
    identifying, from the data to be detected, second target data that meets a second security analysis rule;
    performing security analysis on the second target data according to the attribute information and scan result information of the second target data.
  27. The method according to claim 25, further comprising, after the scan result information of the data to be detected has been obtained:
    identifying, from the data to be detected, second target data that meets a second security analysis rule;
    writing the attribute information and scan result information of the second target data into the log storage system in the distributed security detection system; and
    notifying a first security prevention and control device in the distributed security detection system, so that the first security prevention and control device performs security analysis on the second target data according to its attribute information and scan result information.
  28. The method according to any one of claims 25-27, further comprising, when the data to be detected matches the second scanning rule:
    sending the scanning rules within the second scanning rule that the data to be detected matched to the data detection device, so that the data detection device updates the first scanning rule.
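The escalation and feedback loop of claims 19-20 (detection-device side) and 25-28 (cloud side), run end to end as an added illustration; this is not the patent's code. The regex form of a "scanning rule", the two rule sets, the in-memory stand-in for the data storage system, the sample payloads, and the reading of "cannot be successfully scanned" as "no first scanning rule matched" are all assumptions made for the example.

```python
"""Two-tier scanning with rule feedback (claims 19-20 and 25-28).

Added illustration, not the patent's code. The rule sets, the regex form
of a 'scanning rule', the in-memory stand-in for the data storage system
and the sample payloads are constructed assumptions; 'cannot be
successfully scanned' is taken here to mean that no first scanning rule
matched the data.
"""
import re


class DataStorage:
    """In-memory stand-in for the shared data storage system (OSS in claim 11)."""

    def __init__(self):
        self._objects = {}

    def put(self, key, data):
        self._objects[key] = data
        return key                      # the 'storage address' that is passed around

    def get(self, key):
        return self._objects[key]


def compile_rules(rules):
    return {rid: re.compile(pattern) for rid, pattern in rules.items()}


def match_rules(data, rules):
    """Ids of the scanning rules that the data matches, in stable order."""
    return sorted(rid for rid, pat in rules.items() if pat.search(data))


class CloudDevice:
    """Second security prevention and control device (claims 25 and 28)."""

    def __init__(self, storage, second_rules):
        self.storage = storage
        self.second_rules = compile_rules(second_rules)

    def handle_scan_request(self, address):
        data = self.storage.get(address)                  # claim 25: read by address
        hits = match_rules(data, self.second_rules)
        # claim 28: hand back only the rules that actually matched, not the whole set
        learned = {rid: self.second_rules[rid].pattern for rid in hits}
        return hits, learned


class DetectionDevice:
    """Data detection device (claims 19 and 20)."""

    def __init__(self, storage, cloud, first_rules):
        self.storage = storage
        self.cloud = cloud
        self.first_rules = compile_rules(first_rules)
        self.escalations = 0
        self._seq = 0

    def scan(self, data):
        hits = match_rules(data, self.first_rules)
        if hits:
            return "local", hits
        # claim 19: local rules gave nothing, so store the data and ask the cloud
        self._seq += 1
        address = self.storage.put(f"pending/{self._seq}", data)
        self.escalations += 1
        hits, learned = self.cloud.handle_scan_request(address)
        self.first_rules.update(compile_rules(learned))   # claim 20: adopt matched rules
        return "cloud", hits


# Constructed rule sets: the cloud knows strictly more patterns than the edge.
FIRST_RULES = {"R-IDCARD": r"\b\d{17}[\dX]\b"}
SECOND_RULES = {
    "R-IDCARD": r"\b\d{17}[\dX]\b",
    "R-PHONE": r"\b1[3-9]\d{9}\b",
    "R-TOKEN": r"\bsk_live_[0-9A-Za-z]{16,}\b",
}


def build_sample():
    storage = DataStorage()
    cloud = CloudDevice(storage, SECOND_RULES)
    return DetectionDevice(storage, cloud, FIRST_RULES)


if __name__ == "__main__":
    dev = build_sample()
    for payload in ("id=11010519491231002X", "contact 13800138000 now", "call 13900139000"):
        print(payload, "->", dev.scan(payload))
    print("escalations:", dev.escalations)
```

The second payload misses every local rule, is escalated, and comes back with R-PHONE; the third payload, which also only carries a phone number, is then handled locally without another round trip. Only the rule that matched is pushed down, so R-TOKEN never reaches the edge device until some data actually triggers it.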
  29. A data detection device, comprising: a memory, a processor, and a communication component;
    the memory being configured to store a computer program;
    the processor being coupled to the memory and configured to execute the computer program stored in the memory in order to:
    receive, through the communication component, data to be detected sent by a data collection device in a distributed security detection system;
    scan the data to be detected according to a first scanning rule to obtain scan result information of the data to be detected;
    determine, according to a first security analysis rule, first target data in the data to be detected that meets the first security analysis rule;
    provide the first target data, together with the attribute information and scan result information of the first target data, to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device performs security analysis on the first target data.
  30. A security prevention and control device, comprising: a memory and a processor;
    the memory being configured to store a computer program;
    the processor being coupled to the memory and configured to execute the computer program stored in the memory in order to:
    acquire first target data provided by a data detection device in a distributed security detection system, together with the attribute information and scan result information of the first target data;
    perform security analysis on the first target data according to its attribute information and scan result information;
    wherein the first target data is the data, among the data to be detected received by the data detection device, that meets a first security analysis rule, and the scan result information of the first target data is obtained by the data detection device scanning the first target data according to a first scanning rule.
  31. A security prevention and control device, implementable as a second security prevention and control device in a distributed security detection system, the device comprising: a memory, a processor, and a communication component;
    the memory being configured to store a computer program;
    the processor being coupled to the memory and configured to execute the computer program stored in the memory in order to:
    receive, through the communication component, a scan request sent by a data detection device in the distributed security detection system, the scan request being sent by the data detection device when it cannot successfully scan data to be detected according to a first scanning rule;
    read the data to be detected from the data storage system in the distributed security detection system according to the scan request;
    scan the data to be detected according to a second scanning rule to obtain scan result information of the data to be detected.
  32. A computer-readable storage medium storing a computer program, wherein, when the computer program is executed by a processor, it causes the processor to implement the steps of the method according to any one of claims 17-28.
  33. A distributed security detection system, comprising: a producer module, a consumer module, a buffer module, and a cloud analysis module;
    the producer module being configured to collect data to be detected and write the data to be detected into the buffer module;
    the consumer module being configured to: upon detecting that data to be detected has been written into the buffer module, read the data to be detected from the buffer module, scan the data to be detected, and provide the first target data in the data to be detected that requires security detection, together with the attribute information and scan result information of the first target data, to the cloud analysis module;
    the cloud analysis module being configured to perform security analysis on the first target data according to its attribute information and scan result information.
  34. The system according to claim 33, further comprising: an object storage system;
    the consumer module being specifically configured to: write the first target data into the object storage system, and send the storage address, attribute information, and scan result information of the first target data to the cloud analysis module;
    the cloud analysis module being specifically configured to: read the first target data from the object storage system according to its storage address, and perform security analysis on the first target data according to its attribute information and scan result information.
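The producer/buffer/consumer front end of claim 33, with the payload extraction of claim 12 and the load-aware placement of claims 13-14, as an added illustration that is not the patent's code. The packet layout, the "capacity" metric used to compare detection devices, the two protocols modelled, and the sample traffic are constructed assumptions.

```python
"""Producer/consumer front end of the detection pipeline (claims 12-14, 33).

Added illustration, not code from the patent. The packet layout, the
capacity metric and the sample traffic are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Detector:
    """A data detection device (consumer) with its own data buffer (claim 13)."""
    name: str
    capacity: int                      # relative processing capability, assumed metric
    buffer: deque = field(default_factory=deque)

    def load(self):
        """Queued items per unit of capacity; the collector routes to the lowest."""
        return len(self.buffer) / self.capacity

    def drain(self):
        """Consumer side: take everything written since the last call (claim 14)."""
        items = list(self.buffer)
        self.buffer.clear()
        return items


def extract_payload(packet):
    """Claim 12: protocol-parse a packet and keep only its payload.

    Only HTTP (the body after the blank line) and an opaque 'tcp' case are
    modelled; a real collector would dissect many more protocols.
    """
    raw = packet["raw"]
    if packet["proto"] == "http":
        _head, _sep, body = raw.partition(b"\r\n\r\n")
        return body
    return raw


class Collector:
    """Data collection device (producer): parse, pick a detector, enqueue."""

    def __init__(self, detectors):
        self.detectors = list(detectors)

    def dispatch(self, packet):
        payload = extract_payload(packet)
        if not payload:
            return None                                   # nothing to scan
        target = min(self.detectors, key=Detector.load)   # claim 13: least loaded wins
        target.buffer.append({
            "node": packet["node"], "src": packet["src"], "dst": packet["dst"],
            "payload": payload,
        })
        return target.name


SAMPLE_PACKETS = [  # constructed traffic as seen at one network node
    {"node": "edge-1", "src": "10.1.1.5", "dst": "203.0.113.9", "proto": "http",
     "raw": b"POST /upload HTTP/1.1\r\nHost: x.example\r\n\r\nname=alice&phone=13800138000"},
    {"node": "edge-1", "src": "10.1.1.6", "dst": "10.2.0.7", "proto": "tcp",
     "raw": b"\x16\x03\x01\x00\x05hello"},
    {"node": "edge-1", "src": "10.1.1.7", "dst": "203.0.113.9", "proto": "http",
     "raw": b"POST /api HTTP/1.1\r\nHost: x.example\r\n\r\n{\"id\":\"11010519491231002X\"}"},
    {"node": "edge-1", "src": "10.1.1.8", "dst": "10.2.0.7", "proto": "http",
     "raw": b"GET /health HTTP/1.1\r\nHost: x.example\r\n\r\n"},
]


def run_sample():
    """Route the sample through two detectors of unequal capacity and drain them."""
    detectors = [Detector("A", capacity=2), Detector("B", capacity=1)]
    collector = Collector(detectors)
    routed = [collector.dispatch(p) for p in SAMPLE_PACKETS]
    return routed, {d.name: d.drain() for d in detectors}


if __name__ == "__main__":
    routed, queues = run_sample()
    print(routed)
    for name, items in queues.items():
        print(name, [i["payload"] for i in items])
```

With capacities 2 and 1, the first packet goes to A (tie broken by order), the second to B, and the third back to A because A's queue is now the lighter one per unit of capacity; the health-check GET carries no body and is dropped before it costs a detector anything.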
PCT/CN2019/119724 2019-11-20 2019-11-20 Distributed security testing system, method and device, and storage medium WO2021097713A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/119724 WO2021097713A1 (en) 2019-11-20 2019-11-20 Distributed security testing system, method and device, and storage medium
CN201980100728.2A CN114450920A (en) 2019-11-20 2019-11-20 Distributed security detection system, method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/119724 WO2021097713A1 (en) 2019-11-20 2019-11-20 Distributed security testing system, method and device, and storage medium

Publications (1)

Publication Number Publication Date
WO2021097713A1 true WO2021097713A1 (en) 2021-05-27

Family

ID=75980325

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/119724 WO2021097713A1 (en) 2019-11-20 2019-11-20 Distributed security testing system, method and device, and storage medium

Country Status (2)

Country Link
CN (1) CN114450920A (en)
WO (1) WO2021097713A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113344543A (en) * 2021-06-24 2021-09-03 北京红山信息科技研究院有限公司 Epidemic prevention data management system
CN115063286A (en) * 2022-08-08 2022-09-16 江苏时代新能源科技有限公司 Detection system and image processing method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103020520A (en) * 2012-11-26 2013-04-03 北京奇虎科技有限公司 Enterprise-based document security detection method and system
CN103442008A (en) * 2013-08-29 2013-12-11 中国科学院计算技术研究所 System and method for detecting routing security
CN104065645A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Web vulnerability protection method and apparatus
US20160205125A1 (en) * 2015-01-14 2016-07-14 Korea Internet & Security Agency System and method for analyzing mobile cyber incident
CN106357689A (en) * 2016-11-07 2017-01-25 北京奇虎科技有限公司 Method and system for processing threat data

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102015212206A1 (en) * 2015-06-30 2017-01-05 Siemens Healthcare Gmbh Method for determining at least one patient-specific security parameter and a medical imaging device for this purpose
CN109818972B (en) * 2019-03-12 2021-07-09 国网新疆电力有限公司电力科学研究院 Information security management method and device for industrial control system and electronic equipment

Also Published As

Publication number Publication date
CN114450920A (en) 2022-05-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19953503

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19953503

Country of ref document: EP

Kind code of ref document: A1