WO2021097713A1 - Distributed security detection system, method and device, and storage medium - Google Patents

Info

Publication number: WO2021097713A1
Authority: WO (WIPO, PCT)
Prior art keywords: data, security, target data, detected, control device
Application number: PCT/CN2019/119724
Other languages: English (en), Chinese (zh)
Inventors: 黄长权, 吴坪, 李新刚
Original assignee: 阿里巴巴集团控股有限公司 (Alibaba Group Holding Limited)
Application filed by 阿里巴巴集团控股有限公司
Priority to PCT/CN2019/119724 (WO2021097713A1)
Priority to CN201980100728.2A (CN114450920A)
Publication of WO2021097713A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 43/00: Arrangements for monitoring or testing data switching networks

Definitions

  • This application relates to the field of Internet security technology, and in particular to a distributed security detection system, method, device, and storage medium.
  • Various aspects of this application provide a distributed security detection system, method, equipment, and storage medium to solve the information security problems faced by the network environment and improve information security.
  • An embodiment of the present application provides a distributed security detection system, which includes at least one data collection device, at least one data detection device, and at least one security prevention and control device. The at least one data collection device is configured to collect data to be detected from the network messages passing through a network node and to distribute the data to be detected to the at least one data detection device. The at least one data detection device is configured to scan the data to be detected according to a first scanning rule, and to provide the first target data (the data to be detected that meets a first security analysis rule), together with the attribute information and scanning result information of the first target data, to the at least one security prevention and control device. The at least one security prevention and control device is configured to perform security analysis on the first target data according to the attribute information and scanning result information of the first target data.
  • An embodiment of the present application also provides a data processing method, suitable for a data detection device in the distributed security detection system. The method includes: receiving data to be detected sent by a data collection device in the distributed security detection system; scanning the data to be detected according to a first scanning rule to obtain scanning result information of the data to be detected; determining, according to a first security analysis rule, the first target data in the data to be detected that meets the first security analysis rule; and providing the first target data and its attribute information and scanning result information to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
  • An embodiment of the present application also provides a data processing method, suitable for a first security prevention and control device in the distributed security detection system. The method includes: obtaining the first target data provided by a data detection device in the distributed security detection system, together with the attribute information and scanning result information of the first target data; and performing security analysis on the first target data according to that attribute information and scanning result information. Here the first target data is the data that meets the first security analysis rule among the data to be detected received by the data detection device, and the scanning result information of the first target data is obtained by the data detection device scanning the first target data according to the first scanning rule.
  • An embodiment of the present application also provides a data processing method, suitable for a second security prevention and control device in the distributed security detection system. The method includes: receiving a scan request sent by a data detection device in the distributed security detection system, the scan request being sent when the data detection device cannot successfully scan the data to be detected according to the first scanning rule; reading the data to be detected from the data storage system in the distributed security detection system according to the scan request; and scanning the data to be detected according to a second scanning rule to obtain scanning result information of the data to be detected.
  • An embodiment of the present application also provides a data detection device, including a memory, a processor, and a communication component. The memory stores a computer program; the processor, coupled to the memory, executes the stored computer program in order to: receive, through the communication component, the data to be detected sent by a data collection device in the distributed security detection system; scan the data to be detected according to a first scanning rule to obtain scanning result information of the data to be detected; and determine, according to a first security analysis rule, the first target data that meets the first security analysis rule among the data to be detected.
  • An embodiment of the present application also provides a security prevention and control device, including a memory and a processor. The memory stores a computer program; the processor, coupled to the memory, executes the computer program stored in the memory in order to: obtain the first target data provided by a data detection device in the distributed security detection system, together with the attribute information and scanning result information of the first target data; and perform security analysis on the first target data according to that attribute information and scanning result information. Here the first target data is the data that meets the first security analysis rule among the data to be detected received by the data detection device, and the scanning result information of the first target data is obtained by the data detection device scanning the first target data according to the first scanning rule.
  • An embodiment of the present application also provides a security prevention and control device that can be implemented as a second security prevention and control device in the distributed security detection system. The device includes a memory, a processor, and a communication component. The memory stores a computer program; the processor, coupled to the memory, executes the computer program stored in the memory in order to: receive, through the communication component, a scan request from a data detection device in the distributed security detection system, the scan request being sent when the data detection device cannot successfully scan the data to be detected according to the first scanning rule; read the data to be detected from the data storage system in the distributed security detection system according to the scan request; and scan the data to be detected according to a second scanning rule to obtain scanning result information of the data to be detected.
  • An embodiment of the present application also provides a distributed security detection system including a producer module, a consumer module, a buffer module, and a cloud analysis module. The producer module collects the data to be detected and writes it into the buffer module. The consumer module, on detecting that data to be detected has been written into the buffer module, reads it from the buffer module, scans it, and provides the first target data (the data to be detected that needs security detection) together with its attribute information and scanning result information to the cloud analysis module. The cloud analysis module performs security analysis on the first target data according to the attribute information and scanning result information of the first target data.
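The producer / buffer / consumer / cloud-analysis layout just described, as an added illustration rather than code from the patent: a bounded `queue.Queue` stands in for the buffer module, worker threads for the consumer module, and a lock-guarded list for the intake of the cloud analysis module. The items, the substring rule the consumers apply, and all function and field names are constructed for the example.

```python
"""Producer / buffer / consumer / cloud-analysis layout of the system above.

Added illustration, not code from the patent. A bounded queue.Queue plays
the buffer module, worker threads play the consumer module, and a locked
list plays the intake of the cloud analysis module. The items and the
substring rule used by the consumers are constructed for the example.
"""
import queue
import threading

_SENTINEL = object()   # tells consumers the producer has finished


def producer(items, buffer):
    """Producer module: write each collected item into the buffer.

    put() blocks when the buffer is full, so a slow consumer throttles the
    producer instead of letting unbounded data pile up in memory.
    """
    for item in items:
        buffer.put(item)


def consumer(buffer, rule, cloud_intake, lock):
    """Consumer module: read items as they are written, scan them, and hand
    only the ones that need security detection to the cloud analysis module."""
    while True:
        item = buffer.get()
        if item is _SENTINEL:
            buffer.put(_SENTINEL)   # pass the stop signal on to the next consumer
            return
        hits = [name for name, needle in rule.items() if needle in item["content"]]
        if hits:
            record = {"id": item["id"],
                      "attributes": {"user": item["user"], "size": len(item["content"])},
                      "scan_result": hits}
            with lock:
                cloud_intake.append(record)


def run_pipeline(items, rule, n_consumers=3, buffer_size=4):
    """Wire the modules together; returns what reached the cloud analysis
    module, ordered by id so the result is deterministic across threads."""
    buffer = queue.Queue(maxsize=buffer_size)
    cloud_intake, lock = [], threading.Lock()
    workers = [threading.Thread(target=consumer, args=(buffer, rule, cloud_intake, lock))
               for _ in range(n_consumers)]
    for w in workers:
        w.start()
    producer(items, buffer)
    buffer.put(_SENTINEL)
    for w in workers:
        w.join()
    return sorted(cloud_intake, key=lambda r: r["id"])


SAMPLE_RULE = {"private_key": b"PRIVATE KEY", "credential": b"password="}
# Constructed sample of 20 collected items, three of which carry sensitive content.
SAMPLE_ITEMS = [{"id": f"d{i:02d}", "user": f"user{i % 4}", "content": b"routine payload %d" % i}
                for i in range(20)]
SAMPLE_ITEMS[3]["content"] = b"-----BEGIN PRIVATE KEY-----"
SAMPLE_ITEMS[7]["content"] = b"login=admin&password=hunter2"
SAMPLE_ITEMS[19]["content"] = b"config: password=s3cret PRIVATE KEY follows"

if __name__ == "__main__":
    for r in run_pipeline(SAMPLE_ITEMS, SAMPLE_RULE):
        print(r)
```

The bounded buffer is the point of the layout: collection and scanning run at independent rates, and when scanning falls behind the producer blocks on `put()` rather than the system silently dropping or hoarding data. Only items that matched a rule travel on to the analysis stage, which is what keeps the expensive stage small.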
  • An embodiment of the present application also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, the processor is caused to implement the steps of the method embodiments of the present application.
  • In the embodiments of the present application, a distributed data security detection solution is used to address information security problems in the network environment. Data collection, scanning, and analysis are separated, decoupling the key links of data security detection, so that the resources required for detection are spread over multiple devices. Resource bottlenecks are therefore unlikely, which is conducive to detecting, analysing, and protecting large amounts of network data, and the overall distributed system has low complexity, is easy to deploy and implement, and is highly flexible.
  • FIG. 1a is a schematic structural diagram of a distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 1b is a schematic structural diagram of another distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 2 is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 3 is a schematic diagram of the working process of a data detection device provided by an exemplary embodiment of this application.
  • FIG. 4a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application.
  • FIG. 4b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application.
  • FIG. 4c is a schematic flowchart of yet another data processing method provided by an exemplary embodiment of this application.
  • FIG. 4d is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application.
  • FIG. 5 is a schematic structural diagram of a data detection device provided by an exemplary embodiment of this application.
  • FIG. 6 is a schematic structural diagram of a security prevention and control device provided by an exemplary embodiment of this application.
  • FIG. 7 is a schematic structural diagram of another security prevention and control device provided by an exemplary embodiment of this application.
  • In the embodiments of the present application, a distributed data security detection solution is used to address information security issues in the network environment. Data collection, scanning, and analysis are separated, decoupling the key links of security detection so that the resources required for data security detection are spread over multiple devices. Resource bottlenecks are therefore unlikely, which is conducive to detecting, analysing, and protecting large amounts of network data, and the overall distributed system has low complexity, is easy to deploy and implement, and is highly flexible.
  • An exemplary embodiment of the present application provides a distributed security detection system 100, the structure of which is shown in FIG. 1a.
  • the system 100 of this embodiment can be deployed in various network environments, and is responsible for security detection of data transmitted in the network environment, preventing data leakage, and ensuring information security in the network environment.
  • the system 100 of this embodiment can perform data security detection for one or more devices, one or more links, one or more subsystems, or the entire system in a network environment according to security detection requirements.
  • devices, links, subsystems, or systems that require data security detection in various network environments are collectively referred to as network nodes.
  • The system 100 of this embodiment can collect data to be detected from the network messages passing through a network node and perform security detection on that data, so as to ensure the data security of the network node and prevent the data passing through it from being leaked.
  • For example, the system 100 of this embodiment may be deployed in a data center system and be responsible for data security detection of the entire data center system. In that case the gateway device of the data center system can serve as the network node of this embodiment: the system 100 collects data to be detected from the network messages passing through the gateway device and performs security detection on it, ensuring the data security of the data center system and preventing its data from being leaked.
  • As another example, the system 100 of this embodiment may be deployed in a data center system and be responsible for data security detection of a specific server in that data center. The specific server then serves as the network node of this embodiment: the system 100 collects data to be detected from the network messages passing through that server and performs security detection on it, ensuring the data security of the server and preventing the data passing through it from being leaked.
  • As a further example, the system 100 of this embodiment may be deployed in an enterprise local area network and be responsible for data security detection of that network. The gateway device connecting the enterprise local area network can serve as the network node of this embodiment: the system 100 collects data to be detected from the network messages passing through the gateway device and performs data security detection on it, preventing important company information from being leaked.
  • the system 100 of this embodiment adopts a distributed data security detection scheme, which separates data collection, scanning, and analysis, and decouples key links in data security detection.
  • The system 100 includes at least one data collection device 101, at least one data detection device 102, and at least one security prevention and control device 103.
  • The at least one data collection device 101 is mainly responsible for collecting data to be detected from the network messages passing through the network node, and for distributing the data to be detected to the at least one data detection device 102.
  • The at least one data detection device 102 is mainly responsible for scanning the data to be detected according to the first scanning rule to obtain the scanning result information of the data to be detected, and for providing the first target data (the data to be detected that meets the first security analysis rule) together with its attribute information and scanning result information to the at least one security prevention and control device 103.
  • The at least one security prevention and control device 103 is mainly responsible for performing security analysis on the first target data according to the received attribute information and scanning result information of the first target data.
  • The data to be detected refers to data objects that may bear on data security and may therefore need to be checked for security.
  • The manner in which the at least one data collection device 101 collects data to be detected from the network messages passing through the network node is not limited. In different application scenarios the content that needs to be checked will differ, and so will the way the data collection device 101 collects it and the data to be detected that results.
  • For example, the data collection device 101 may perform protocol analysis on network messages, parse the payload data out of them, and generate the data to be detected from that payload. If the payload of a single network message expresses a complete semantic unit on its own, that payload can be used directly as the data to be detected. More commonly, content that expresses a complete semantic unit is split across multiple network messages for transmission; in that case the data collection device 101 can parse the payload out of the multiple messages belonging to the same data stream and combine those payloads into data to be detected that expresses the complete semantic unit.
  • Alternatively, the data collection device 101 can use the network message itself as the data to be detected; or it can perform protocol analysis on the network message and recombine the parsed contents according to a set data format to form the data to be detected. The data format here is the data format required of the data to be detected.
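The stream-combination step described above (grouping messages of one data stream by five-tuple and joining their payloads into one piece of data to be detected), as an added example that is not code from the patent. The `Packet` record is a constructed, simplified stand-in for what protocol analysis of a captured message would yield; the field names, the attribute keys and the sample capture are assumptions. It also handles two cases the text does not spell out: retransmitted bytes are dropped, and a hole left by a missing message is zero-filled and reported in the attribute information so the detection device knows the data may be incomplete.

```python
"""Data collection device (101): assembling "data to be detected" from the
payloads of several network messages in the same stream.

Added illustration, not code from the patent. The Packet record is a
constructed, simplified stand-in for what protocol analysis of a captured
network message would yield (five-tuple, byte offset in the stream, payload,
capture time); field names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    seq: int        # byte offset of this payload within the stream
    payload: bytes
    ts: float       # capture timestamp, seconds

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class DataToDetect:
    five_tuple: tuple
    content: bytes
    attributes: dict = field(default_factory=dict)


def assemble_streams(packets):
    """Group packets by five-tuple and join their payloads in sequence order.

    Retransmitted (overlapping) bytes are dropped; a hole left by a missing
    packet is zero-filled and counted in attributes["gaps"], so the detection
    device can tell that the data may be incomplete.
    """
    flows = {}
    for p in packets:
        flows.setdefault(p.five_tuple(), []).append(p)

    assembled = []
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: (p.seq, p.ts))
        buf = bytearray()
        expected = pkts[0].seq
        gaps = 0
        for p in pkts:
            if p.seq < expected:
                piece = p.payload[expected - p.seq:]   # keep only new tail bytes
            else:
                if p.seq > expected:
                    gaps += 1
                    buf.extend(b"\x00" * (p.seq - expected))
                    expected = p.seq
                piece = p.payload
            buf.extend(piece)
            expected += len(piece)
        assembled.append(DataToDetect(
            five_tuple=key,
            content=bytes(buf),
            attributes={
                "size": len(buf),
                "packets": len(pkts),
                "gaps": gaps,
                "first_seen": min(p.ts for p in pkts),
                "last_seen": max(p.ts for p in pkts),
            },
        ))
    return assembled


# Constructed sample capture: one HTTP upload split over two messages (with a
# retransmission and out-of-order arrival), one single-message request, and
# one stream with a missing middle packet.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 13, b"customer_db.csv", 1.1),
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 0, b"POST /upload ", 1.0),
    Packet("10.0.0.7", 52000, "198.51.100.2", 80, "tcp", 0, b"GET /index.html", 1.2),
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 13, b"customer_db.csv", 1.3),
    Packet("10.0.0.9", 53000, "198.51.100.2", 80, "tcp", 0, b"abc", 1.4),
    Packet("10.0.0.9", 53000, "198.51.100.2", 80, "tcp", 10, b"xyz", 1.5),
]

if __name__ == "__main__":
    for d in assemble_streams(SAMPLE_PACKETS):
        print(d.five_tuple, d.attributes, d.content[:40])
```

The gap count matters for the later analysis: a scanning rule that keys on a multi-byte feature can miss it when the feature straddles a hole, so a downstream device seeing `gaps > 0` should treat a blank scanning result as inconclusive rather than clean.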
  • In this embodiment, the scanning rules and security analysis rules that the at least one data detection device 102 can use are pre-configured; they are referred to as the first scanning rule and the first security analysis rule, respectively. They can be configured at the local end of the at least one data detection device 102, but this is not a limitation.
  • The first scanning rule mainly consists of known data features. These features reflect, to some extent, the characteristics or content of the data to be detected and help judge whether the data to be detected carries a security risk.
  • The first security analysis rule mainly consists of rules related to the subsequent security analysis. Among them is a data selection rule, which determines which data to be detected must be provided to the security prevention and control device 103 for security analysis: whether all data to be detected is provided, or only the data to be detected that meets specific conditions.
  • These rules may also include others. For example, they may include a device selection rule, which determines which security prevention and control device(s) 103 perform the security analysis, the priority among those devices, and their active/standby relationship. They may also include a user selection rule, which determines which users' data needs to be provided to the security prevention and control device 103 for security analysis.
  • In different application scenarios the first scanning rule and the first security analysis rule will also differ, which this embodiment does not limit.
  • The data detection device 102 scanning the data to be detected according to the first scanning rule is mainly a process of matching the data to be detected against the first scanning rule.
  • The data detection device 102 also needs to identify, according to the first security analysis rule, the data that meets the first security analysis rule from among the data to be detected. In this embodiment, that data is referred to as the first target data.
  • The order of the two operations performed by the data detection device 102, scanning the data to be detected and identifying the first target data from it, is not limited; they can be performed sequentially or in parallel.
  • For example, the data to be detected can be scanned first and the first target data identified afterwards. Or the first target data can be identified from the data to be detected first and only the first target data scanned, with no need to scan all of the data to be detected: for any piece of data to be detected, it is first judged whether it meets the first security analysis rule; if it does, it is taken as first target data and scanned according to the first scanning rule; if it does not, no security analysis is needed, the operation ends and the data is not scanned, which saves the computing resources of the data detection device 102.
  • Alternatively, the two operations can be performed in parallel on the data to be detected as it arrives: judging whether it meets the first security analysis rule while scanning it according to the first scanning rule.
  • The attribute information of the first target data refers to attributes that the first target data itself has or carries, such as its type, size, transmission time, and five-tuple (source address, source port, destination address, destination port, protocol).
  • The scanning result of the first target data falls into two cases: the first target data matches one or more of the first scanning rules, or it matches none of them. The information contained in the scanning result information differs between the two cases.
  • In the first case, the scanning result information of the first target data may include, but is not limited to, the names of the matched scanning rules and the content that matched.
  • In the second case, the scanning result information of the first target data may include an identifier or descriptive content indicating that the first target data matched no scanning rule, but is not limited to this. Alternatively, the scanning result information may carry no information items at all, that is, be blank, which likewise indicates that the first target data matched no scanning rule.
  • The attribute information and scanning result information of the first target data are the basis for performing security analysis on the first target data.
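The detection-device side of the preceding items (first scanning rule, first security analysis rule with data, user and device selection, the "identify first, then scan" ordering, and the attribute and scanning result information handed on), as an added example that is not code from the patent. The regular expressions standing in for "known data features", the shape of the rule dictionaries, the field names and the sample batch are all assumptions.

```python
"""Data detection device (102): scan the data to be detected against the first
scanning rule and pick out the first target data by the first security
analysis rule, producing attribute information and scanning result information.

Added illustration, not code from the patent. The regular expressions that
stand in for "known data features", the structure of the first security
analysis rule (data, user and device selection), the field names and the
sample batch are all assumptions.
"""
import re
from dataclasses import dataclass

# First scanning rule: known data features, here as regexes (assumed).
FIRST_SCANNING_RULES = {
    "cn_id_number": re.compile(rb"\b\d{17}[\dXx]\b"),
    "private_key":  re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "db_dump":      re.compile(rb"INSERT INTO `?\w+`? VALUES", re.IGNORECASE),
}

# First security analysis rule (assumed structure): data selection, user
# selection, and device selection with an active/standby pair.
FIRST_SECURITY_ANALYSIS_RULE = {
    "data_selection": {"types": {"http", "smtp"}, "min_size": 16},
    "user_selection": {"exclude_users": {"backup-svc"}},
    "device_selection": {"primary": "spc-1", "standby": "spc-2"},
}


@dataclass
class DataToDetect:
    data_id: str
    content: bytes
    data_type: str
    user: str
    five_tuple: tuple
    transmit_time: float


@dataclass
class FirstTargetData:
    data_id: str
    content: bytes
    attributes: dict
    scan_result: dict     # rule name -> matched content; {} means "matched nothing"
    target_device: str


def meets_first_security_analysis_rule(d, rule=FIRST_SECURITY_ANALYSIS_RULE):
    """Data selection plus user selection: does this data need security analysis?"""
    sel = rule["data_selection"]
    if d.data_type not in sel["types"] or len(d.content) < sel["min_size"]:
        return False
    return d.user not in rule["user_selection"]["exclude_users"]


def scan(content, rules=FIRST_SCANNING_RULES):
    """Match the content against every first scanning rule.

    Returns {rule_name: [matched snippets]}; an empty dict is the blank
    scanning result information for data that matches no rule.
    """
    hits = {}
    for name, pattern in rules.items():
        found = [m.group(0).decode("latin-1") for m in pattern.finditer(content)]
        if found:
            hits[name] = found
    return hits


def detect(batch, rule=FIRST_SECURITY_ANALYSIS_RULE, rules=FIRST_SCANNING_RULES):
    """Identify first target data first, then scan only that data.

    This is the "judge the analysis rule, then scan" ordering: data that
    fails the selection rule is dropped unscanned, saving scanning work.
    Returns (list of FirstTargetData, number of items dropped unscanned).
    """
    targets, dropped = [], 0
    for d in batch:
        if not meets_first_security_analysis_rule(d, rule):
            dropped += 1
            continue
        attributes = {
            "type": d.data_type,
            "size": len(d.content),
            "user": d.user,
            "five_tuple": d.five_tuple,
            "transmit_time": d.transmit_time,
        }
        targets.append(FirstTargetData(
            d.data_id, d.content, attributes, scan(d.content, rules),
            rule["device_selection"]["primary"]))
    return targets, dropped


_FT = ("10.0.0.5", 51000, "203.0.113.9", 443, "tcp")
# Constructed sample batch of data to be detected.
SAMPLE_BATCH = [
    DataToDetect("d1", b"name,id\nzhang,110101199001011234\n", "http", "alice", _FT, 1.0),
    DataToDetect("d2", b"hello world, nothing sensitive here", "http", "bob", _FT, 2.0),
    DataToDetect("d3", b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n", "smtp", "carol", _FT, 3.0),
    DataToDetect("d4", b"INSERT INTO users VALUES (1,'x')", "http", "backup-svc", _FT, 4.0),
    DataToDetect("d5", b"tiny", "http", "dave", _FT, 5.0),
    DataToDetect("d6", b"INSERT INTO users VALUES (1,'x')", "dns", "eve", _FT, 6.0),
]

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_BATCH)
    print(f"{skipped} item(s) dropped unscanned")
    for t in found:
        print(t.data_id, t.target_device, t.attributes["size"], t.scan_result)
```

Note that `d2` is still forwarded with a blank scanning result: the selection rule, not the scan outcome, decides what the prevention and control device sees, which is what lets the later frequency and volume analyses count a user's traffic rather than only the hits. Excluding a user such as `backup-svc` in the user selection rule is a deliberate blind spot and should be reviewed like any other allow-list.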
  • The at least one data detection device 102 provides the first target data and its attribute information and scanning result information to the at least one security prevention and control device 103, which can then perform security analysis on the first target data according to that attribute information and scanning result information.
  • The method and type of security analysis are not limited; any analysis method or type that has a security prevention and control effect is applicable to the embodiments of this application. For example, the at least one security prevention and control device 103 can perform aggregate analysis, burst analysis, and other types of security analysis on the first target data.
  • The at least one security prevention and control device 103 can also perform security analysis on the first target data in, but not limited to, the following manners:
  • Manner 1: According to the attribute information and scanning result information of the first target data, analyse whether the frequency of the first target data within a certain period meets a set threshold requirement; this is referred to as frequency-based security analysis.
  • Manner 2: According to the attribute information and scanning result information of the first target data, analyse whether the access volume of the first target data within a certain period meets a set access volume requirement; this is referred to as access-volume-based security analysis.
  • Manner 3: According to the attribute information and scanning result information of the first target data, analyse whether the permission of the accessor of the first target data belongs to the set legal permissions; this is referred to as permission-based security analysis.
  • Manner 4: According to the attribute information and scanning result information of the first target data, analyse whether the receiving address of the first target data belongs to the set legal receiving addresses; this is referred to as address-based security analysis.
  • Manner 5: According to the attribute information and scanning result information of the first target data, analyse whether the transmission time of the first target data falls within a reasonable time range; this is referred to as time-based security analysis.
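Manners 1 to 5 carried out over a batch of first target data records, as an added example that is not code from the patent. The policy thresholds, the legal permission and receiver lists, the working-hours window, the record layout (which follows the attribute and scanning result information described above) and the sample records are assumptions.

```python
"""Security prevention and control device (103): security analysis of first
target data in Manners 1 to 5 above, driven by the attribute information and
the scanning result information supplied by the detection device.

Added illustration, not code from the patent. The policy thresholds, the
allow-lists, the record layout and the sample records are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

POLICY = {
    "frequency":     {"window_s": 60, "max_per_user": 3},             # Manner 1
    "access_volume": {"window_s": 60, "max_bytes_per_user": 50_000},  # Manner 2
    "legal_permissions": {"dba", "analyst"},                          # Manner 3
    "legal_receivers": ["10.0.0.0/8", "192.168.0.0/16"],              # Manner 4
    "work_hours_utc": (8, 20),                                        # Manner 5
}


def _in_window(record, others, window_s):
    """Records from the same user in the trailing window ending at `record`."""
    t = record["attributes"]["transmit_time"]
    return [o for o in others if 0 <= t - o["attributes"]["transmit_time"] <= window_s]


def analyze(records, policy=POLICY):
    """Return {data_id: [failed checks]} for first target data judged risky.

    Only records whose scanning result information is non-blank (they matched
    at least one scanning rule) count towards frequency and volume, so benign
    traffic from the same user does not trip the thresholds.
    """
    nets = [ipaddress.ip_network(n) for n in policy["legal_receivers"]]
    sensitive = [r for r in records if r["scan_result"]]
    by_user = defaultdict(list)
    for r in sensitive:
        by_user[r["attributes"]["user"]].append(r)

    findings = {}
    for r in sensitive:
        a = r["attributes"]
        reasons = []
        same_user = by_user[a["user"]]

        # Manner 1: how often this user moved sensitive data in the window.
        if len(_in_window(r, same_user, policy["frequency"]["window_s"])) \
                > policy["frequency"]["max_per_user"]:
            reasons.append("frequency")
        # Manner 2: how much sensitive data this user moved in the window.
        volume = sum(o["attributes"]["size"] for o in
                     _in_window(r, same_user, policy["access_volume"]["window_s"]))
        if volume > policy["access_volume"]["max_bytes_per_user"]:
            reasons.append("access_volume")
        # Manner 3: does the accessor hold a legal permission?
        if a["permission"] not in policy["legal_permissions"]:
            reasons.append("permission")
        # Manner 4: is the receiving address a legal one?
        dst = ipaddress.ip_address(a["dst_ip"])
        if not any(dst in net for net in nets):
            reasons.append("address")
        # Manner 5: was it transmitted inside the reasonable time range?
        hour = datetime.fromtimestamp(a["transmit_time"], tz=timezone.utc).hour
        start, end = policy["work_hours_utc"]
        if not start <= hour < end:
            reasons.append("time")

        if reasons:
            findings[r["data_id"]] = reasons
    return findings


def _rec(data_id, user, permission, dst_ip, size, transmit_time, scan_result):
    return {"data_id": data_id,
            "attributes": {"user": user, "permission": permission, "dst_ip": dst_ip,
                           "size": size, "transmit_time": transmit_time},
            "scan_result": scan_result}


T_10H = 1705312800.0   # 2024-01-15 10:00:00 UTC
T_03H = 1705287600.0   # 2024-01-15 03:00:00 UTC
ID_HIT = {"cn_id_number": ["110101199001011234"]}
# Constructed sample of first target data as handed over by the detection device.
SAMPLE_RECORDS = [
    _rec("t1", "alice", "dba", "10.1.2.3", 1000, T_10H, ID_HIT),
    _rec("t2", "alice", "dba", "10.1.2.3", 1000, T_10H + 10, ID_HIT),
    _rec("t3", "alice", "dba", "10.1.2.3", 1000, T_10H + 20, ID_HIT),
    _rec("t4", "alice", "dba", "10.1.2.3", 1000, T_10H + 30, ID_HIT),
    _rec("t5", "bob", "intern", "203.0.113.9", 80_000, T_03H,
         {"db_dump": ["INSERT INTO users VALUES"]}),
    _rec("t6", "carol", "analyst", "192.168.5.5", 500, T_10H + 300, {}),
]

if __name__ == "__main__":
    for data_id, reasons in analyze(SAMPLE_RECORDS).items():
        print(data_id, "->", ", ".join(reasons))
```

Each manner is independent and the reasons are accumulated rather than short-circuited, so the device can rank `t5` (four failed checks: large, off-hours, to an external address, by an unprivileged accessor) above `t4` (only the per-user frequency threshold). The windows are trailing windows ending at the record under analysis, which keeps the check usable on a stream: a record is judged with what has arrived before it, never with what comes later.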
  • When the analysis result is abnormal, for example when the first target data fails one of the above checks, the at least one security prevention and control device 103 can determine that the first target data carries a risk of information leakage and take corresponding measures to prevent the leakage. The measures taken are not limited.
  • For example, the network node through which the first target data passes may be notified to intercept the network message corresponding to the first target data. Interception here mainly means preventing that network message from being forwarded. Further, information such as the user and device that sent the first target data can be analysed, so as to warn that user or device, restrict its authority, or place it under close monitoring.
  • In the case of multiple data detection devices 102, multiple pieces of data to be detected can be distributed to different data detection devices 102 for processing. One piece of data to be detected is generally processed by one data detection device 102, although it is also possible for one piece of data to be detected to be processed by multiple data detection devices 102 at the same time.
  • Likewise, in the case of multiple security prevention and control devices 103, multiple pieces of first target data can be processed by different security prevention and control devices 103. One piece of first target data is generally processed by one security prevention and control device 103, although it is also possible for one piece of first target data to be processed by multiple security prevention and control devices 103 at the same time.
  • The device forms of the data collection device 101, the data detection device 102, and the security prevention and control device 103 are not limited.
  • The data collection device 101 can be any computer device with data collection and communication capabilities, such as a notebook computer, a desktop computer, a network data collector, a network tap (splitter), a conventional server or a server array; it can also be an ARM chip or a data collection chip or module implemented on an FPGA or CPLD.
  • The data detection device 102 can be any computer device with data scanning and communication capabilities: a terminal device such as a notebook computer, desktop computer or smartphone; an edge computing device such as a smart street lamp, camera or traffic monitoring device; a server device such as a conventional server, cloud server, server array or data center; or an ARM chip or a data detection chip or module implemented on an FPGA or CPLD.
  • The security prevention and control device 103 can be any computer device that can perform security analysis on data and has some communication capability: a terminal device such as a notebook computer, desktop computer or smartphone; an edge computing device such as a smart street lamp, camera or traffic monitoring device; a server device such as a conventional server, cloud server, server array or data center; or an ARM chip or a security prevention and control chip or module implemented on an FPGA or CPLD.
  • Software, applications (Apps) or program code can be written into the data collection device 101, the data detection device 102, and the security prevention and control device 103, and this software, App or program code implements the corresponding functions.
  • the deployment locations of the data collection device 101, the data detection device 102, and the safety prevention and control device 103 are not limited.
  • the data collection device 101 can be deployed close to a network node, which is beneficial for data collection, but is not limited to this.
  • For each data detection device 102 it can be deployed locally or in the cloud. In the case of multiple data detection devices 102, some data detection devices 102 can be deployed on the local end and some data detection devices 102 can be deployed on the cloud; or all data detection devices 102 can be deployed on the local end, or all data detection devices 102 are all deployed in the cloud.
  • Each security prevention and control device 103 can likewise be deployed locally or in the cloud. In the case of multiple security prevention and control devices 103, some can be deployed at the local end and some in the cloud; or all can be deployed in the cloud, or all at the local end.
  • The local end here is relative to the cloud and can be a location close to the network node in the network environment; the cloud generally refers to any location remote from the network node.
  • For example, one or more data collection devices 101 can be deployed next to the gateway device of the data center system, one or more data detection devices 102 can be deployed in the computer room of the data center system, and one or more security prevention and control devices 103 can be deployed in the computer room of the data center system, with security prevention and control devices 103 possibly also deployed in the cloud.
  • The deployment of the distributed security detection system 100 in a data center system described in this embodiment is only an exemplary description and is not limiting.
  • the number of data collection equipment 101, data detection equipment 102, and safety prevention and control equipment 103 is not limited. One or more of each type of equipment can be deployed, depending on the application scenario of the distributed safety detection system 100. Of course, the data collection device 101 and the data detection device 102 can also be deployed on the same device.
  • one data collection device 101 can be deployed; if there are multiple network nodes for data security testing, multiple data collection devices 101 can be deployed to share the data collection pressure. Multiple data collection devices 101 reduce the processing burden of each data collection device 101, and the resource requirements for each are relatively low, which is beneficial to improving the efficiency of data security detection.
  • one data inspection device 102 can be deployed; if the amount of data required for data security inspection is large, multiple data inspection devices 102 can be deployed to reduce the scanning burden of each data detection device 102, so that the resource requirements of each data detection device 102 are relatively low, which is beneficial to improving the efficiency of data security detection.
  • one security prevention and control device 103 can be deployed; if the amount of data required for data security testing is large, multiple security prevention and control devices 103 can be deployed to reduce the analysis burden of each security prevention and control device 103, so that the resource requirements for each security prevention and control device 103 are relatively low, which is beneficial to improving the efficiency of data security detection.
  • a data security detection solution is used to solve the information security problem in the network environment: data collection, scanning, and analysis are completed by data collection equipment, data detection equipment, and security prevention and control equipment, respectively, so that collection, scanning, and analysis are separated and the key links of data security detection are decoupled. The resources required for data security detection are thereby distributed across multiple devices; compared with a solution that deploys data security detection centrally on one device, resource bottlenecks are not easily generated, which is beneficial for protecting network data with a large data volume, and the overall distributed system has low complexity, is easy to deploy and implement, and is highly flexible.
  • the system 100 of this embodiment further includes: a data storage system 104.
  • the data storage system 104 mainly provides data storage functions for the data acquisition device 101, the data detection device 102, and the safety prevention and control device 103 in the system 100.
  • the data storage system 104 can be any system capable of data storage, such as any type of database system, or an object storage service (Object Storage Service, OSS) system.
  • in FIG. 1b, the data storage system 104 is illustrated by taking OSS as an example, but it is not limited to this.
  • this embodiment does not limit the deployment location of the data storage system 104, and it can be deployed locally or in the cloud.
  • At least one data collection device 101 is mainly responsible for collecting data to be detected from network messages passing through network nodes, and for distributing the data to be detected to at least one data detection device 102.
  • At least one data detection device 102 is mainly responsible for scanning the data to be detected according to the first scanning rule to obtain scan result information of the data to be detected, and for identifying from the data to be detected the first target data that meets the first safety analysis rule; it provides the first target data, together with the attribute information and scan result information of the first target data, to at least one security prevention and control device 103.
  • using the storage capacity of the data storage system 104, after at least one data detection device 102 recognizes the first target data, it can store the first target data in the data storage system 104, obtain the storage address of the first target data in the data storage system 104, and provide that storage address to at least one safety prevention and control device 103, so that the at least one safety prevention and control device 103 can read the first target data from the data storage system 104 according to the storage address; this achieves the purpose of providing the first target data to at least one safety prevention and control device 103.
  • the data detection device 102 may send the first target data to the data storage system 104; the data storage system 104 stores the first target data in the corresponding storage space according to its own data storage mechanism, and returns the storage address of the first target data in the data storage system 104 to the data detection device 102.
  • the storage address of the first target data in the data storage system 104 is referred to as the first storage address.
  • the manner in which at least one data detection device 102 provides the attribute information and scan result information of the first target data to at least one security prevention and control device 103 is not limited.
  • at least one data detection device 102 may directly send the encrypted attribute information and scan result information of the first target data to the at least one security prevention and control device 103.
  • the system 100 of this embodiment further includes a log storage system 105.
  • the log storage system 105 is mainly used to provide a log storage function for the data collection device 101, the data detection device 102, and the security prevention and control device 103 in the system 100.
  • the implementation form of the log storage system 105 is not limited.
  • the log storage system 105 may be any system capable of log storage, for example, it may be an SLS.
  • the log storage system 105 is illustrated by taking SLS as an example, but it is not limited to this.
  • this embodiment does not limit the deployment location of the log storage system 105, and it can be deployed locally or in the cloud.
  • At least one data detection device 102 can store the attribute information and scan result information of the first target data in the log storage system 105, obtain the storage address of the attribute information and scan result information of the first target data in the log storage system 105, and provide that storage address to at least one security prevention and control device 103.
  • the storage address of the attribute information of the first target data and the scan result information in the log storage system 105 is referred to as the second storage address.
  • At least one security prevention and control device 103 can receive the first storage address and the second storage address sent by at least one data detection device 102; read the first target data from the data storage system 104 according to the first storage address, and read the attribute information and scanning result information of the first target data from the log storage system 105 according to the second storage address; and then perform security analysis on the first target data according to its attribute information and scanning result information.
  • data collection, scanning, storage, analysis, and logs are separated in data security detection to achieve a greater degree of distribution. While ensuring information security in the network environment, this is beneficial to reducing the complexity of the distributed security detection system, makes the distributed safety detection system easy to deploy and realize, and improves its flexibility.
  • the system 100 of this embodiment includes two safety prevention and control devices 103, which are referred to as a first safety prevention and control device 1031 and a second safety prevention and control device 1032.
  • the first security prevention and control device 1031 is deployed on the local end and is a device with security prevention and control functions on the local end;
  • the second security prevention and control device 1032 is deployed on the cloud and is a device with security prevention and control functions on the cloud.
  • deploying security prevention and control equipment inside the "network environment that requires security prevention and control” is called deployment at the local end, and deploying security prevention and control equipment outside the "network environment that needs security prevention and control” is called deployment in the cloud.
  • the first security prevention and control device 1031 is deployed in a "network environment requiring security prevention and control”, and the second security prevention and control device 1032 is deployed outside the "network environment requiring security prevention and control”.
  • the data detection device 102 directly reporting the attribute information and scan result information of the first target data to the first security prevention and control device 1031 and the second security prevention and control device 1032 is taken as an example for illustration, so the log storage system 105 is not shown in that figure.
  • the first security prevention and control device 1031 is preferentially used to perform security analysis on the first target data.
  • the second safety prevention and control device 1032 can also be used to perform a safety analysis on the first target data.
  • the first storage address of the first target data in the data storage system 104 and the second storage address of the attribute information and scan result information of the first target data in the log storage system 105 are obtained.
  • the first storage address and the second storage address may be sent to the first security prevention and control device 1031 for the first security prevention and control device 1031 to perform security analysis on the first target data.
  • after receiving the first storage address and the second storage address, the first security prevention and control device 1031 reads the first target data from the data storage system 104 according to the first storage address, reads the attribute information and scan result information of the first target data from the log storage system 105 according to the second storage address, and performs security analysis on the first target data according to that attribute information and scan result information.
  • the second security prevention and control device 1032 performs security analysis on the first target data in the same or a similar way as the first security prevention and control device 1031, which will not be repeated here.
  • the second security prevention and control device 1032 also has a configuration function, and can perform an operation of issuing configuration information related to data security detection.
  • the administrator can provide configuration information related to data security detection to the second security prevention and control device 1032.
  • the configuration information includes the first scanning rule and the first security analysis rule; the second security prevention and control device 1032 can deliver the configuration information to the first security prevention and control device 1031; the first security prevention and control device 1031 forwards the configuration information to the at least one data detection device 102, so that the at least one data detection device 102 locally configures the first scanning rule and the first safety analysis rule.
  • the manner in which the administrator provides configuration information to the second security prevention and control device 1032 is not limited.
  • the second security prevention and control device 1032 may have a human-computer interaction interface; management personnel can enter the human-computer interaction interface provided by the second security prevention and control device 1032 and enter the scanning rules and security analysis rules through it.
  • the manager can also generate a configuration file on the terminal device he uses, where the configuration file contains the configuration information, and then send the configuration file to the second security prevention and control device 1032; the second security prevention and control device 1032 parses the configuration information out of the configuration file.
  • the management and distribution of configuration information through the second security prevention and control device 1032 is taken as an example, but it is not limited to this.
  • the configuration information can also be managed and issued through the first security prevention and control device 1031.
  • the specific implementation manner is similar to the implementation manner through the second security prevention and control device 1032, and details are not described herein again.
  • this embodiment can flexibly change the configuration information.
  • the change of configuration information has basically no impact on the data collection process of the data collection device or the safety analysis process of the first safety prevention and control device, and basically no impact on data transmission in these processes, so the system of this embodiment has manageability and scalability.
  • there may be situations in which the data detection device 102 cannot successfully scan the data to be detected according to the first scanning rule.
  • the first scanning rule of the data detection device 102 only supports text type data, and does not support multimedia data such as pictures or small videos. Therefore, the data detection device 102 cannot successfully complete the scan for the data to be detected whose data types are pictures or small videos.
  • the data to be detected can be stored in the data storage system 104, and a scan request can be sent to the second security prevention and control device 1032, requesting the second security prevention and control device 1032 to use the second scanning rule to scan the data to be detected.
  • the scan request carries the storage address of the data to be detected in the data storage system 104.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device 1032; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scan rule is a scan rule configured on the local end of the data detection device 102; the second scan rule is a scan rule configured on the cloud.
  • the second security prevention and control device 1032 can also read the data to be detected from the data storage system 104 according to the scan request sent by the data detection device 102, and scan the data to be detected according to the second scanning rule to obtain the scan result information of the data to be detected.
  • the second security prevention and control device 1032 may also send the scanning rules in the second scanning rule that the data to be detected matched to at least one data detection device 102, so that the at least one data detection device 102 can update the first scanning rule.
  • in addition to scanning the data to be detected according to the second scanning rule, the second safety prevention and control device 1032 can also identify second target data that meets the second safety analysis rule from the data to be detected, write the attribute information and scan result information of the second target data into the log storage system 105, and notify the first security prevention and control device 1031 to perform security analysis on the second target data.
  • the data that meets the second safety analysis rule identified by the second safety prevention and control device 1032 from the data to be detected according to the second safety analysis rule is called the second target data.
  • the notification message sent by the second security prevention and control device 1032 to the first security prevention and control device 1031 carries the attribute information of the second target data and the storage address of the scan result information in the log storage system 105.
  • the first security prevention and control device 1031 can also read the attribute information and scan result information of the second target data from the log storage system 105 according to the notification of the second security prevention and control device 1032, and perform security analysis on the second target data according to that attribute information and scanning result information.
  • after the second security prevention and control device 1032 recognizes the second target data, it can use the security analysis capability of the first security prevention and control device 1031, giving priority to the security prevention and control device 1031 deployed at the local end to perform security analysis on the second target data.
  • the second security prevention and control device 1032 may not only scan the data to be detected according to the second scanning rule, but also identify second target data that meets the second security analysis rule from the data to be detected and perform security analysis on the second target data based on its attribute information and scanning result information. In this optional embodiment, after the second security prevention and control device 1032 recognizes the second target data, it directly performs security analysis on the second target data with its own security analysis capability.
  • the data collection device 101 may use a hash method to distribute the data to be detected to multiple data detection devices 102.
  • the data collection device 101 may distribute the to-be-detected data from data streams of different attributes to different data detection devices 102 according to the attributes of the data stream.
  • the data collection device 101 may also distribute the data to be detected to different data detection devices 102 according to the processing capabilities and/or load information of each data detection device 102.
  • when the data collection device 101 collects the data to be detected, it can determine the target data detection device according to the processing capability and/or load information of each data detection device 102, and write the data to be detected into the data buffer area of the target data detection device.
  • the data buffer area of the target data detection device may be a file buffer area or a virtual storage pool (pool).
  • the data collection stage can be regarded as the producer of the data to be tested, and the data scanning stage can be regarded as the consumer of the data to be tested; the two stages therefore form a producer/consumer model.
  • the internal working process of the data detection device 102 is exemplified.
  • the data detection device 102 includes multiple threads, including but not limited to: a file monitoring thread FileWatch, a file scanning thread FileScan, a file submission thread Filesubmit, and a cloud submission thread cloudsubmit.
  • the multi-threading mechanism is adopted, which is adjustable.
  • the data collection device 101 writes the collected data to be detected into the data buffer area of the data detection device 102, such as a file buffer area or a virtual storage pool;
  • the file monitoring thread FileWatch monitors whether there is new data to be detected in the data buffer area of the data detection device 102; when it detects new data to be detected, it reads the newly written data to be detected into the message queue and concurrently sends a message to the file scanning thread FileScan;
  • when triggered by the message, the file scanning thread FileScan scans the data to be detected in the message queue according to the locally configured scanning rules, obtains the scanning result of the data to be detected, and determines according to the locally configured security analysis rules whether security analysis needs to be performed on the data to be detected; if so, it sends a message to the file submission thread Filesubmit;
  • the file submission thread Filesubmit reads the data to be detected from the message queue, submits the data to be detected as the first target data to the data storage system 104, such as OSS, obtains the storage address returned by the data storage system 104, and then provides the storage address, attribute information, and scan result information of the first target data to the cloud submission thread cloudsubmit;
  • the cloud submission thread cloudsubmit submits the storage address, attribute information, and scan result information of the first target data to the second security prevention and control device 1032 deployed in the cloud, and the second security prevention and control device 1032 performs security analysis on the first target data.
  • the cloud submission thread cloudsubmit can also submit the storage address, attribute information, and scan result information of the first target data to the first security prevention and control device 1031 deployed on the local end, and the first security prevention and control device 1031 performs security analysis on the first target data.
  • the data detection device 102 may further include a file cleaning thread for cleaning the processed data to be detected in the message queue.
  • the data storage system 104 also regularly cleans out obsolete or useless data.
  • the data detection device 102 may also include a configuration monitoring thread ConfWatch, which monitors whether there are new scanning rules and security analysis rules in the configuration information buffer area and, when new scanning rules and security analysis rules arrive, updates the locally configured scanning rules and security analysis rules.
  • the data detection device 102 may further include: a log caching thread LocalLogging, which is used to cache log data generated by the data detection device 102 in the process of scanning the data to be detected.
  • the log data here includes but is not limited to: the scan time, the name of the scanned data to be detected, whether the data to be detected hits a scan rule and, if so, the name of the scan rule that is hit, the data content in the data to be detected that hits the scan rule, and the context information of that data content, etc.
  • the log cache thread can periodically cache the log data of the data detection device 102 locally and upload it to the log storage system 105.
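The collect, scan, store-by-address, and analyze path described for the system above and again for the FileWatch/FileScan/Filesubmit/cloudsubmit threads, as an added Python simulation; this is not code from the patent or from its applicant. It assumes in-memory stand-ins for OSS and SLS that hand back uuid addresses, two constructed regex scanning rules, a data selection rule that hands over data hitting any rule or larger than 1 MB, a simple verdict policy on the security device, and the thread model collapsed into one synchronous pass.

```python
import hashlib
import re
import uuid


class AddressedStore:
    """Stand-in for the data storage system 104 (OSS) and the log storage system
    105 (SLS): anything written is handed back under an opaque storage address."""

    def __init__(self):
        self._items = {}

    def put(self, obj):
        addr = uuid.uuid4().hex  # constructed address, not a real OSS/SLS address format
        self._items[addr] = obj
        return addr

    def get(self, addr):
        return self._items[addr]


# First scanning rule (assumed content): known data characteristics as regexes over text.
FIRST_SCAN_RULE = {
    "card_number": re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b"),
    "confidential_marker": re.compile(rb"CONFIDENTIAL"),
}


def first_security_analysis_rule(attrs, scan_result):
    """Data selection rule (assumed): hand over data that hit a scanning rule or is very large."""
    return bool(scan_result["matched_rules"]) or attrs["size"] > 1_000_000


def hash_select(five_tuple, n_detectors):
    """Hash-based distribution: one flow always lands on the same detection device."""
    digest = hashlib.sha256(repr(five_tuple).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_detectors


def security_analysis(data_store, log_store, first_addr, second_addr):
    """Security prevention and control device 103: read the first target data by its
    first storage address and its attribute/scan information by the second address."""
    data = data_store.get(first_addr)
    record = log_store.get(second_addr)
    matched = record["scan"]["matched_rules"]
    if "confidential_marker" in matched:  # assumed analysis policy; the page fixes none
        verdict = "block"
    elif matched:
        verdict = "alert"
    else:
        verdict = "review"  # selected only because of its size
    return {"verdict": verdict, "matched_rules": matched,
            "five_tuple": record["attrs"]["five_tuple"], "bytes_read": len(data)}


class DataDetectionDevice:
    """Device 102 with FileWatch/FileScan/Filesubmit/cloudsubmit collapsed into one
    synchronous pass. A flow is (five_tuple, data_type, payload_bytes)."""

    def __init__(self, data_store, log_store):
        self.data_store, self.log_store = data_store, log_store
        self.buffer = []  # data buffer area written by the collection device (FileWatch input)

    def scan(self, payload):
        return {"matched_rules": [n for n, rx in FIRST_SCAN_RULE.items() if rx.search(payload)]}

    def process(self, flow):
        five_tuple, data_type, payload = flow
        attrs = {"type": data_type, "size": len(payload), "five_tuple": five_tuple}
        result = self.scan(payload)                                   # FileScan
        if not first_security_analysis_rule(attrs, result):
            return None                                               # not first target data
        first_addr = self.data_store.put(payload)                     # Filesubmit -> OSS
        second_addr = self.log_store.put({"attrs": attrs, "scan": result})  # -> SLS
        # cloudsubmit: only the two storage addresses cross over to device 103
        return security_analysis(self.data_store, self.log_store, first_addr, second_addr)

    def drain(self):
        results = [self.process(f) for f in self.buffer]
        self.buffer.clear()
        return [r for r in results if r is not None]


def collect(detectors, flow):
    """Data collection device 101: pick a detector by hashing the flow's five-tuple."""
    idx = hash_select(flow[0], len(detectors))
    detectors[idx].buffer.append(flow)
    return idx


def run_demo():
    data_store, log_store = AddressedStore(), AddressedStore()
    detectors = [DataDetectionDevice(data_store, log_store) for _ in range(3)]
    flows = [  # constructed sample traffic; addresses are documentation ranges
        (("10.0.0.5", 51000, "203.0.113.9", 443, "tcp"), "text", b"card 4111-1111-1111-1111"),
        (("10.0.0.6", 51001, "203.0.113.9", 443, "tcp"), "text", b"CONFIDENTIAL report v2"),
        (("10.0.0.7", 51002, "203.0.113.9", 80, "tcp"), "text", b"GET /index.html"),
    ]
    for flow in flows:
        collect(detectors, flow)
    verdicts = [r for d in detectors for r in d.drain()]
    return sorted(r["verdict"] for r in verdicts)  # ['alert', 'block']
```

The benign flow never reaches the security device: the first security analysis rule drops it at the detection device, so neither store receives it.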
  • a distributed data security detection solution is adopted to solve the information security problem in the network environment: data collection, scanning, and analysis are separated, and the key links in data security detection are decoupled.
  • the resources required for data security detection are distributed to multiple devices, so resource bottlenecks are not easily produced, which is conducive to the protection of large amounts of network data; the complexity of the entire distributed system is low, it is easy to deploy and implement, and it is highly flexible.
  • new functions can be easily added, the scalability is strong, and service chain-style services can be realized, which provides the possibility for the subsequent functionalization of functions.
  • FIG. 4a is a schematic flowchart of a data processing method provided by an exemplary embodiment of this application. This method is described from the perspective of any data detection device in the distributed security detection system. As shown in Figure 4a, the method includes:
  • the data to be detected is collected by the data collection device from the network messages passing through the network node, and refers to data objects that may involve data security and may need to undergo security detection.
  • network nodes refer to devices, links, subsystems, or entire systems that require data security testing in various network environments.
  • the network node may be a flow entry/exit device in various network environments, such as a gateway device.
  • the data detection device is locally configured with scanning rules and security analysis rules.
  • the scanning rules mainly include some known data characteristics, which can reflect the characteristics or content of the data to be detected to a certain extent, and can assist in judging whether the data to be detected has security risks.
  • Safety analysis rules mainly include rules related to subsequent safety analysis. Among them is a data selection rule, which determines which data to be detected need to be provided to the security prevention and control equipment for security analysis: whether all the data to be detected are provided to the security prevention and control device for security analysis, or only the data to be tested that meet specific conditions.
  • these rules may also include other rules.
  • these rules can also include device selection rules, which determine which security prevention and control device or devices to use for security analysis, the priority between these security prevention and control devices, the master/backup relationship between them, and so on.
  • the data detection device scans the data to be detected according to the first scanning rule, which is mainly a process of matching the data to be detected with the first scanning rule.
  • the execution order of step 42a and step 43a is not limited.
  • the two steps can be executed sequentially as shown in FIG. 4a, or they can be executed in parallel.
  • the operation described in step 43a can also be performed first, and then the operation described in step 42a is performed.
  • the first target data can be scanned directly during the scanning of the data to be detected, without scanning all the data to be detected.
  • it can be judged whether the data to be detected conforms to the first safety analysis rule; if the judgment result is conformance, it is determined that the data to be detected can be used as the first target data, and the data to be tested is then scanned according to the first scanning rule; if the judgment result is non-conformance, there is no need to perform security analysis on the data to be tested, so the operation can end without scanning the data to be tested, which is conducive to saving the computing resources of the data detection device.
  • the attribute information of the first target data refers to some attribute information that the first target data itself has or comes with, such as the type, size, transmission time, quintuple information, and so on of the first target data.
  • the scanning result of the first target data may have two cases: one is that the first target data matches one or some scanning rules in the first scanning rule, and the other is that the first target data does not match any scanning rule in the first scanning rule. For different scan results, the information contained in the scan result information will be different.
  • the scanning result information of the first target data may include but is not limited to: the names of the one or more scanning rules that the first target data matches, and the matched content.
  • the scanning result information of the first target data may include: identifying information or descriptive content indicating that the first target data does not match any scanning rule, but is not limited to this.
  • the scanning result information of the first target data may not carry any information items, that is, blank, which also indicates that the first target data does not match any scanning rules.
  • the attribute information and scanning result information of the first target data are the basis for performing security analysis on the first target data.
  • after the data detection device recognizes the first target data, it can provide the first target data and the attribute information and scan result information of the first target data to at least one security prevention and control device, for the at least one security prevention and control device to perform security analysis on the first target data based on that attribute information and scan result information.
  • the distributed security detection system includes a data storage system and a log storage system, and the security prevention and control device in the distributed security detection system includes a first security prevention and control device deployed on the local end and a second security prevention and control device deployed on the cloud.
  • providing the first target data and its attribute information and scan result information to the first security prevention and control device includes: storing the first target data in the data storage system, and providing the first storage address of the first target data in the data storage system to the first security prevention and control device; writing the attribute information and scanning result information of the first target data into the log storage system, and providing the second storage address of the attribute information and scanning result information of the first target data in the log storage system to the first security prevention and control device.
  • the method of this embodiment further includes: when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, storing the data to be detected in the data storage system, and sending a scan request to the second security prevention and control device for the second security prevention and control device to scan the to-be-detected data according to the second scanning rule.
  • the method of this embodiment further includes: receiving the scanning rules in the second scanning rule that the data to be detected matched, as issued by the second security prevention and control device, and updating the first scanning rule according to those matched scanning rules.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
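The escalation path just described (store data the first scanning rule cannot scan, send a scan request carrying its storage address to the second security prevention and control device, have the second device scan with the second scanning rule, notify the first device about second target data, and push the matched rules back so the first scanning rule is updated), as an added Python simulation; this is not code from the patent or from its applicant. It assumes rules keyed by the data types they support, with the second scanning rule additionally able to scan pictures, a constructed PNG-with-appended-ZIP sample, uuid storage addresses, and a simple block/allow policy on the first security device.

```python
import uuid

# Constructed scanning rules. Each rule names the data types it can scan and a
# predicate over the raw bytes. The first (local) scanning rule only knows text,
# so a picture cannot be scanned locally; the second (cloud) scanning rule is the
# more complete set and also covers pictures.
FIRST_SCAN_RULE = {
    "confidential_marker": {"types": {"text"}, "match": lambda d: b"CONFIDENTIAL" in d},
}
SECOND_SCAN_RULE = {
    **FIRST_SCAN_RULE,
    # a PNG picture that carries a ZIP archive appended after its IEND chunk
    "png_with_appended_zip": {
        "types": {"picture"},
        "match": lambda d: d.startswith(b"\x89PNG") and b"PK\x03\x04" in d.partition(b"IEND")[2],
    },
}


class Store:
    """Stand-in for data storage system 104 and log storage system 105."""

    def __init__(self):
        self._items = {}

    def put(self, obj):
        addr = uuid.uuid4().hex  # constructed storage address
        self._items[addr] = obj
        return addr

    def get(self, addr):
        return self._items[addr]


def scan(rules, data_type, data):
    """Return (scan_completed, matched_rule_names). scan_completed is False when
    no rule in the set supports the data type, i.e. the scan cannot succeed."""
    applicable = {n: r for n, r in rules.items() if data_type in r["types"]}
    if not applicable:
        return False, []
    return True, [n for n, r in applicable.items() if r["match"](data)]


class FirstSecurityDevice:
    """Device 1031 on the local end: analyses second target data when notified."""

    def __init__(self, log_store):
        self.log_store = log_store
        self.analyzed = []

    def on_notify(self, second_addr):
        record = self.log_store.get(second_addr)
        verdict = "block" if record["scan"]["matched_rules"] else "allow"  # assumed policy
        self.analyzed.append((record["attrs"]["name"], verdict))
        return verdict


class SecondSecurityDevice:
    """Device 1032 in the cloud: serves scan requests with the second scanning rule."""

    def __init__(self, data_store, log_store, first_device):
        self.data_store, self.log_store, self.first_device = data_store, log_store, first_device

    def handle_scan_request(self, storage_addr, attrs):
        data = self.data_store.get(storage_addr)  # read by the address in the request
        _, matched = scan(SECOND_SCAN_RULE, attrs["type"], data)
        if matched:  # second security analysis rule (assumed): any hit is second target data
            second_addr = self.log_store.put({"attrs": attrs, "scan": {"matched_rules": matched}})
            self.first_device.on_notify(second_addr)  # prefer the local device for analysis
        # return exactly the rules that matched, for the detection device to learn
        return {name: SECOND_SCAN_RULE[name] for name in matched}


class DataDetectionDevice:
    """Device 102: scans locally, escalates what it cannot scan, learns matched rules."""

    def __init__(self, data_store, cloud):
        self.data_store, self.cloud = data_store, cloud
        self.rules = dict(FIRST_SCAN_RULE)
        self.scan_requests = 0

    def handle(self, name, data_type, data):
        completed, matched = scan(self.rules, data_type, data)
        if completed:
            return {"scanned_by": "local", "matched_rules": matched}
        addr = self.data_store.put(data)  # cannot scan: store, then send a scan request
        self.scan_requests += 1
        attrs = {"name": name, "type": data_type, "size": len(data)}
        learned = self.cloud.handle_scan_request(addr, attrs)
        self.rules.update(learned)  # update the first scanning rule
        return {"scanned_by": "cloud", "matched_rules": sorted(learned)}


# Constructed sample: a PNG-looking header, an IEND chunk, then a ZIP local-file signature.
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82" + b"PK\x03\x04" + b"\x00" * 8


def run_demo():
    data_store, log_store = Store(), Store()
    first = FirstSecurityDevice(log_store)
    detector = DataDetectionDevice(data_store, SecondSecurityDevice(data_store, log_store, first))
    first_pass = detector.handle("a.png", "picture", POLYGLOT_PNG)   # escalated to the cloud
    second_pass = detector.handle("b.png", "picture", POLYGLOT_PNG)  # now handled locally
    return first_pass, second_pass, detector.scan_requests, first.analyzed
```

Because only matched rules travel back, a picture that hits nothing in the cloud leaves the first scanning rule unchanged and the next picture is escalated again.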
  • before using the first scanning rule and the first security analysis rule, the method of this embodiment further includes: receiving configuration information from the second security prevention and control device, forwarded by the first security prevention and control device, where the configuration information includes the first security analysis rule and the first scanning rule; and configuring the first scanning rule and the first security analysis rule locally according to the configuration information.
  • the data detection device cooperates with the data acquisition device and the security prevention and control device and is mainly responsible for the data scanning in data security detection. This separates data collection, scanning and analysis and decouples the key links of data security detection, so that the resources required for data security detection are distributed across multiple devices; resource bottlenecks are then less likely, which is conducive to protecting large amounts of network data.
  • FIG. 4b is a schematic flowchart of another data processing method provided by an exemplary embodiment of this application. The method is described from the perspective of any safety prevention and control device in the distributed safety detection system, especially the first safety prevention and control device. As shown in Figure 4b, the method includes:
  • the distributed security detection system includes a data storage system and a log storage system.
  • an implementation of step 41b includes: receiving the first storage address sent by the data detection device, and reading the first target data from the data storage system in the distributed security detection system according to the first storage address; and receiving the second storage address sent by the data detection device, and reading the attribute information and scan result information of the first target data from the log storage system in the distributed security detection system according to the second storage address.
  • the first storage address is the storage address of the first target data in the data storage system.
  • the second storage address is the storage address of the attribute information and scan result information of the first target data in the log storage system.
  • the security prevention and control device in the distributed security detection system includes: a first security prevention and control device deployed on the local end and a second security prevention and control device deployed on the cloud.
  • the second security prevention and control device can scan the data to be detected according to the second scanning rule when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, can identify, according to the second security analysis rule, second target data that meets the second security analysis rule from the data to be detected, and can notify the first security prevention and control device to perform security analysis on the second target data.
  • the method of this embodiment further includes: receiving a notification message sent by the second security prevention and control device in the distributed security detection system; according to the notification message, reading the attribute information and scanning result information of the second target data from the log storage system in the distributed security detection system; and performing security analysis on the second target data according to its attribute information and scanning result information. Here the second target data is data that the second security prevention and control device identified, from the data to be detected, as meeting the second security analysis rule in the case that the data detection device could not successfully scan that data according to the first scanning rule.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the first security prevention and control device may also receive the configuration information issued by the second security prevention and control device and forward it to the data detection device, so that the data detection device can locally configure the first scanning rule and the first security analysis rule.
  • the security prevention and control device cooperates with the data detection device and is mainly responsible for the security analysis in data security detection. This separates data collection, scanning and analysis and decouples the key links of data security detection, so that the resources required for data security detection are distributed across multiple devices; resource bottlenecks are then less likely, which is conducive to protecting large amounts of network data.
  • FIG. 4c is a schematic flowchart of yet another data processing method provided by an exemplary embodiment of this application. This method is described from the perspective of the second safety prevention and control device in the distributed safety detection system. As shown in Figure 4c, the method includes:
  • the scan request is sent by the data detection device when the data detection device cannot successfully scan the data to be detected according to the first scan rule.
  • the method of this embodiment further includes: identifying second target data that meets the second security analysis rule from the data to be detected, and performing security analysis on the second target data according to the attribute information and scanning result information of the second target data.
  • the method of this embodiment further includes: identifying second target data that meets the second security analysis rule from the data to be detected; writing the attribute information and scanning result information of the second target data into the log storage system in the distributed security detection system; and notifying the first security prevention and control device in the distributed security detection system, so that the first security prevention and control device can perform security analysis on the second target data according to that attribute information and scanning result information.
  • the method of this embodiment further includes: sending the scanning rule in the second scanning rule that the data to be detected matched to the data detection device, so that the data detection device can update the first scanning rule.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the second security prevention and control device cooperates with the first security prevention and control device and the data detection device, is responsible for the security analysis and configuration information management in data security detection, and can assist the data detection device with data scanning, which ensures the overall performance of the distributed security detection system on the basis of separating data collection, scanning and analysis.
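The method embodiments of FIG. 4a, 4b and 4c describe one exchange from three vantage points. The Python sketch below is an added illustration, not code from the application, and plays that exchange end to end: the data detection device scans with its first scanning rule, hands first target data to the local (first) security prevention and control device by storage address rather than by value, falls back to the cloud (second) device for a protocol its first rule cannot scan, and merges the matched second rule back into its first rule. The class names, the in-memory `ObjectStore`, the severity-threshold form of the security analysis rule, the `(name, proto, pattern, severity)` rule format and the sample rules and traffic are all assumptions made for this example; the application does not specify storage systems, rule formats or transports.

```python
import re
from collections import namedtuple

class ObjectStore(dict):  # constructed in-memory stand-in for the data store and the log store
    def put(self, value):  # returns the storage address the devices exchange, not the data
        addr = f"{len(self):06d}"
        self[addr] = value
        return addr

Packet = namedtuple("Packet", "node proto payload")  # data to be detected + attribute information
ScanRule = namedtuple("ScanRule", "name proto pattern severity")  # one entry of a scanning rule

def hit(rule, pkt):
    return pkt.proto == rule.proto and re.search(rule.pattern, pkt.payload) is not None

def analysis_rule(scan_result, min_severity):  # data becomes target data if any hit is severe enough
    return any(sev >= min_severity for _, sev in scan_result)

class DataDetectionDevice:  # holds the first scanning rule and the first security analysis rule
    def __init__(self, data_store, log_store, local_dev, cloud_dev):
        self.data_store, self.log_store = data_store, log_store
        self.local, self.cloud = local_dev, cloud_dev
        self.rules, self.min_severity = {}, 2  # rules: proto -> [ScanRule]
    def configure(self, config):  # configuration information forwarded by the local device
        self.rules, self.min_severity = {}, config["min_severity"]
        self.update_first_rule(config["scan_rules"])
    def update_first_rule(self, rules):  # merge rules the cloud reports as matched
        for r in rules:
            if r not in self.rules.setdefault(r.proto, []):
                self.rules[r.proto].append(r)
    def process(self, pkt):
        rules = self.rules.get(pkt.proto)
        if rules is None:  # first rule cannot scan this protocol: store the data, ask the cloud
            return self.cloud.handle_scan_request(self.data_store.put(pkt), self)
        result = [(r.name, r.severity) for r in rules if hit(r, pkt)]
        if not analysis_rule(result, self.min_severity):
            return "ignored"
        first_addr = self.data_store.put(pkt)  # first storage address (data store)
        second_addr = self.log_store.put(      # second storage address (log store)
            {"node": pkt.node, "proto": pkt.proto, "scan": result, "data_addr": first_addr})
        return self.local.analyze_first(first_addr, second_addr)

class FirstSecurityDevice:  # local security prevention and control device
    def __init__(self, data_store, log_store):
        self.data_store, self.log_store, self.verdicts = data_store, log_store, []
    def analyze_first(self, first_addr, second_addr):  # reads both stores by address
        return self._analyze(self.data_store[first_addr], self.log_store[second_addr])
    def on_notification(self, second_addr):  # second target data identified in the cloud
        info = self.log_store[second_addr]
        return self._analyze(self.data_store[info["data_addr"]], info)
    def _analyze(self, pkt, info):
        verdict = "block" if max(sev for _, sev in info["scan"]) >= 3 else "alert"
        self.verdicts.append((pkt.node, pkt.proto, verdict))
        return verdict
    def forward_config(self, config, detector):  # relays cloud-issued configuration
        detector.configure(config)

class SecondSecurityDevice:  # cloud device holding the fuller second scanning rule
    def __init__(self, data_store, log_store, local_dev, second_rules):
        self.data_store, self.log_store, self.local = data_store, log_store, local_dev
        self.second_rules = second_rules
    def push_config(self, detector, protos, min_severity=2):  # issued via the local device
        config = {"scan_rules": [r for r in self.second_rules if r.proto in protos],
                  "min_severity": min_severity}
        self.local.forward_config(config, detector)
    def handle_scan_request(self, data_addr, detector):
        pkt = self.data_store[data_addr]
        matched = [r for r in self.second_rules if hit(r, pkt)]
        detector.update_first_rule(matched)  # matched second rules flow back into the first rule
        result = [(r.name, r.severity) for r in matched]
        if not analysis_rule(result, 2):
            return "ignored"
        second_addr = self.log_store.put(
            {"node": pkt.node, "proto": pkt.proto, "scan": result, "data_addr": data_addr})
        return self.local.on_notification(second_addr)

# Constructed sample rule set and traffic; rule names and patterns are illustrative only.
SECOND_RULES = [
    ScanRule("http-health-probe", "http", r"GET /healthz", 0),
    ScanRule("http-path-traversal", "http", r"/\.\./", 3),
    ScanRule("dns-long-label", "dns", r"[A-Za-z0-9]{40,}\.", 2),
    ScanRule("smb-admin-share", "smb", r"\\ADMIN\$", 3),
]

def run_demo():
    data_store, log_store = ObjectStore(), ObjectStore()
    local = FirstSecurityDevice(data_store, log_store)
    cloud = SecondSecurityDevice(data_store, log_store, local, SECOND_RULES)
    detector = DataDetectionDevice(data_store, log_store, local, cloud)
    cloud.push_config(detector, protos=("http", "dns"))  # first rule covers http and dns only
    traffic = [
        Packet("edge-1", "http", "GET /healthz HTTP/1.1"),
        Packet("edge-1", "http", "GET /static/../../config.yml HTTP/1.1"),
        Packet("edge-2", "smb", r"\\fileserver\ADMIN$ open"),  # no local smb rule: cloud fallback
        Packet("edge-2", "smb", r"\\fileserver\ADMIN$ open"),  # now scanned by the updated first rule
    ]
    outcomes = [detector.process(p) for p in traffic]
    return {"outcomes": outcomes, "local_protos": sorted(detector.rules),
            "verdicts": local.verdicts, "stored": len(data_store)}
```

Running `run_demo()` shows the health probe dropped by the first security analysis rule, the path-traversal request analysed on the local end, and the first smb packet taking the cloud path; once the matched smb rule has flowed back, the second smb packet is handled entirely by the data detection device, which is the point of the rule-update feedback. Note that only addresses cross the device boundary in both directions, so the data store and log store are the only places the payload is held.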
  • the execution subject of each step of the method provided in the foregoing embodiment may be the same device, or different devices may each execute some of the steps.
  • for example, the execution subject of steps 41a to 44a may be device A; for another example, the execution subject of steps 41a to 43a may be device A and the execution subject of step 44a may be device B; and so on.
  • Figure 4d is a schematic structural diagram of yet another distributed security detection system provided by an exemplary embodiment of this application. As shown in Figure 4d, the system includes: a producer module 41d, a consumer module 42d, a buffer module 43d, and a cloud analysis module 44d.
  • the producer module 41d is mainly responsible for collecting the data to be detected and writing the data to be detected into the buffer module 43d.
  • the producer module 41d can be deployed in any network environment that requires data security testing, for example, can be deployed at a certain network node, and is responsible for collecting data to be tested from network packets passing through the network node.
  • the network node here can be any device, link, subsystem, or system in a network environment that needs to perform data security detection.
  • the number of producer modules 41d may be one or multiple.
  • the consumer module 42d is used to monitor whether data to be detected has been written into the buffer module 43d. When it detects that data to be detected has been written into the buffer module 43d, it reads that data from the buffer module 43d, scans it, and provides the first target data among the data to be detected that requires security analysis, together with the attribute information and scanning result information of the first target data, to the cloud analysis module 44d.
  • the number of consumer modules 42d may be one or more.
  • the implementation manner in which the consumer module 42d scans the data to be detected is not limited.
  • the data to be detected may be scanned according to the first scanning rule.
  • for details, refer to the specific implementation manner in which the data detection device scans the data to be detected according to the first scanning rule in the foregoing embodiment, which will not be repeated here.
  • this embodiment does not limit the implementation manner in which the consumer module 42d determines whether the data to be detected requires security detection. For example, it may be determined whether the data to be detected requires security detection according to the first security analysis rule.
  • for the manner of determining whether the data to be detected requires security detection, refer to the specific implementation manner in which the data detection device analyzes whether the data to be detected requires security detection according to the first security analysis rule in the foregoing embodiment, which will not be repeated here.
  • the cloud analysis module 44d is configured to perform security analysis on the first target data according to the attribute information and the scan result information of the first target data.
  • the implementation manner in which the cloud analysis module 44d performs security analysis on the first target data is not limited. For details, refer to the implementation manner in which the security prevention and control device performs security analysis on the first target data in the foregoing embodiment. This will not be repeated here.
  • the system further includes: an object storage system (OSS) 45d.
  • the object storage system 45d is used to provide storage services for the consumer module 42d, and is also an intermediate storage medium for interaction between the consumer module 42d and the cloud analysis module 44d.
  • the consumer module 42d is specifically configured to write the first target data into the object storage system 45d, and send the storage address, attribute information, and scan result information of the first target data to the cloud analysis module 44d.
  • the cloud analysis module 44d is specifically configured to: read the first target data from the object storage system 45d according to the storage address of the first target data, and perform security analysis on the first target data according to the attribute information and scan result information of the first target data.
  • the consumer module 42d includes multiple threads, including but not limited to: a monitoring thread, a scanning thread, a local submission thread, and a cloud submission thread.
  • the multi-threading mechanism adopted here is adjustable.
  • the working principle of the consumer module 42d is as follows:
  • the monitoring thread monitors whether new data to be detected has been written into the buffer module 43d; when it detects newly written data to be detected, it reads that data into the message queue and sends a message to the scanning thread.
  • when triggered by the message, the scanning thread scans the data to be detected in the message queue according to the locally configured first scanning rule, obtains the scanning result of the data to be detected, and determines according to the locally configured first security analysis rule whether security analysis of the data to be detected is necessary; if so, it sends a message to the local submission thread.
  • the local submission thread reads the data to be detected from the message queue, submits it as the first target data to the object storage system 45d, obtains the storage address returned by the object storage system 45d, and provides the storage address, attribute information and scan result information of the first target data to the cloud submission thread.
  • the cloud submission thread submits the storage address, attribute information, and scan result information of the first target data to the cloud analysis module 44d, and the cloud analysis module 44d performs security analysis on the first target data.
  • the consumer module 42d may further include: a cleaning thread for cleaning up the processed data to be detected in the message queue.
  • the object storage system 45d also regularly cleans out obsolete or useless data.
  • the consumer module 42d may further include: a configuration monitoring thread that, when the first scanning rule and the first security analysis rule used by the consumer module 42d are updated, updates the first scanning rule and the first security analysis rule used by the consumer module 42d.
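The thread chain of consumer module 42d described above, as an added Python example that is not code from the application: each thread is a loop over its own queue, the message queue is a dict keyed by message id, and a shutdown sentinel propagates through the stages in order so the cleaning thread sees every processed id before it stops. The `(name, regex, severity)` rule format, the severity threshold as the first security analysis rule, the dict standing in for object storage system 45d, the callback standing in for cloud analysis module 44d, and the `Event` handshake used by the configuration monitoring thread are all assumptions made for this example.

```python
import queue
import re
import threading

SENTINEL = None  # shutdown marker handed from each stage's queue to the next

class ConsumerModule:  # consumer module 42d as a chain of threads linked by queues
    def __init__(self, buffer_q, cloud_submit, scan_rules, min_severity):
        self.buffer, self.cloud_submit = buffer_q, cloud_submit  # buffer module 43d, cloud module 44d
        self.rules, self.min_severity, self.rules_lock = list(scan_rules), min_severity, threading.Lock()
        self.messages, self.msg_lock, self.next_id = {}, threading.Lock(), 0  # the message queue
        self.storage = {}  # stand-in for object storage system 45d (address -> payload)
        self.to_scan, self.to_local, self.to_cloud, self.to_clean = (queue.Queue() for _ in range(4))
        self.config_updates = queue.Queue()
        self.stats = {"scanned": 0, "submitted": 0, "cleaned": 0}
    def _monitor(self):  # monitoring thread: buffer -> message queue -> scanning thread
        while (item := self.buffer.get()) is not SENTINEL:
            with self.msg_lock:
                msg_id, self.next_id = self.next_id, self.next_id + 1
                self.messages[msg_id] = item
            self.to_scan.put(msg_id)
        self.to_scan.put(SENTINEL)
    def _scan(self):  # scanning thread: first scanning rule, then first security analysis rule
        while (msg_id := self.to_scan.get()) is not SENTINEL:
            with self.msg_lock:
                payload = self.messages[msg_id]["payload"]
            with self.rules_lock:  # snapshot so a config update cannot change rules mid-scan
                rules, min_sev = list(self.rules), self.min_severity
            result = [(name, sev) for name, pat, sev in rules if re.search(pat, payload)]
            self.stats["scanned"] += 1
            if any(sev >= min_sev for _, sev in result):
                self.to_local.put((msg_id, result))
            else:
                self.to_clean.put(msg_id)  # not target data: release it from the message queue
        self.to_local.put(SENTINEL)
    def _local_submit(self):  # local submission thread: target data -> object storage
        while (msg := self.to_local.get()) is not SENTINEL:
            msg_id, result = msg
            with self.msg_lock:
                data = self.messages[msg_id]
            addr = f"oss://bucket/{len(self.storage):06d}"  # address returned by the storage
            self.storage[addr] = data["payload"]
            self.to_cloud.put((msg_id, addr, {"node": data["node"]}, result))
        self.to_cloud.put(SENTINEL)
    def _cloud_submit(self):  # cloud submission thread: address + attributes + scan result
        while (msg := self.to_cloud.get()) is not SENTINEL:
            msg_id, addr, attrs, result = msg
            self.cloud_submit(addr, attrs, result)
            self.stats["submitted"] += 1
            self.to_clean.put(msg_id)
        self.to_clean.put(SENTINEL)
    def _clean(self):  # cleaning thread: drop processed data from the message queue
        while (msg_id := self.to_clean.get()) is not SENTINEL:
            with self.msg_lock:
                self.messages.pop(msg_id, None)
            self.stats["cleaned"] += 1
    def _config_monitor(self):  # configuration monitoring thread: hot-swap the rules
        while (update := self.config_updates.get()) is not SENTINEL:
            config, applied = update
            with self.rules_lock:
                self.rules, self.min_severity = list(config["rules"]), config["min_severity"]
            applied.set()
    def start(self):
        stages = [self._monitor, self._scan, self._local_submit, self._cloud_submit,
                  self._clean, self._config_monitor]
        self.threads = [threading.Thread(target=s, daemon=True) for s in stages]
        for t in self.threads:
            t.start()
    def update_config(self, config):  # blocks until the config monitoring thread has applied it
        applied = threading.Event()
        self.config_updates.put((config, applied))
        applied.wait()
    def shutdown(self):  # drain every stage in order, then return the counters
        self.buffer.put(SENTINEL)
        self.config_updates.put(SENTINEL)
        for t in self.threads:
            t.join()
        return self.stats

def run_demo():
    buffer_q, received = queue.Queue(), []
    module = ConsumerModule(buffer_q, lambda addr, attrs, res: received.append((addr, attrs, res)),
                            scan_rules=[("http-health-probe", r"GET /healthz", 0)], min_severity=2)
    module.start()
    module.update_config({"rules": [("http-health-probe", r"GET /healthz", 0),  # constructed update
                                    ("http-path-traversal", r"/\.\./", 3)], "min_severity": 2})
    for node, payload in [("edge-1", "GET /healthz HTTP/1.1"),  # constructed traffic, written
                          ("edge-1", "GET /static/../../config.yml HTTP/1.1"),  # by producer 41d
                          ("edge-2", "GET /index.html HTTP/1.1")]:
        buffer_q.put({"node": node, "payload": payload})
    stats = module.shutdown()
    return {"stats": stats, "received": received, "pending": len(module.messages)}
```

The scanning thread copies the rule list under the lock before each scan, so a configuration update swaps rules atomically between packets rather than during one. Because every stage forwards the sentinel only after its own queue is empty, `shutdown()` returns with all three items scanned, exactly one submitted to the cloud callback, and nothing left in the message queue.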
  • FIG. 5 is a schematic structural diagram of a data detection device provided by an exemplary embodiment of this application. As shown in FIG. 5, the device includes: a memory 51, a processor 52, and a communication component 53.
  • the memory 51 is used to store computer programs, and can be configured to store other various data to support operations on the data detection device. Examples of these data include instructions, messages, pictures, videos, and the first scanning rule and the first security analysis rule for any application or method operating on the data detection device.
  • the processor 52, coupled to the memory 51, is configured to execute the computer program in the memory 51 in order to: receive, through the communication component 53, the data to be detected sent by the data acquisition device in the distributed security detection system; scan the data to be detected to obtain scan result information of the data to be detected; determine, according to the first security analysis rule, the first target data in the data to be detected that meets the first security analysis rule; and provide the first target data and its attribute information and scanning result information to at least one security prevention and control device in the distributed security detection system, so that the at least one security prevention and control device can perform security analysis on the first target data.
  • the distributed security detection system includes a data storage system and a log storage system.
  • the security prevention and control devices in the distributed security detection system include the first security prevention and control device deployed on the local end and the second security prevention and control device deployed on the cloud.
  • when the processor 52 provides the first target data and its attribute information and scanning result information to at least one security prevention and control device in the distributed security detection system, it is specifically configured to: store the first target data in the data storage system and provide the first storage address of the first target data in the data storage system to the first security prevention and control device; and write the attribute information and scan result information of the first target data into the log storage system and provide the second storage address of that attribute information and scan result information in the log storage system to the first security prevention and control device.
  • the processor 52 is further configured to: if the data to be detected cannot be successfully scanned according to the first scanning rule, store the data to be detected in the data storage system, and send, through the communication component 53, a scan request to the second security prevention and control device so that the second security prevention and control device scans the to-be-detected data according to the second scanning rule.
  • the processor 52 is further configured to: receive, through the communication component 53, the scanning rule in the second scanning rule issued by the second security prevention and control device that the data to be detected matched, and update the first scanning rule according to that matched scanning rule.
  • the second scan rule refers to the scan rule that can be used by the second security prevention and control device; compared to the first scan rule, the second scan rule may be the latest scan rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the processor 52 is further configured to: before using the first scanning rule and the first security analysis rule, receive through the communication component 53 the configuration information from the second security prevention and control device forwarded by the first security prevention and control device, where the configuration information includes the first security analysis rule and the first scanning rule; and configure the first scanning rule and the first security analysis rule locally according to the configuration information.
  • the data detection device further includes: a display 54, a power supply component 55, an audio component 56, and other components. Only some of the components are schematically shown in FIG. 5, which does not mean that the data detection device only includes the components shown in FIG. 5. In addition, the components in the dashed box in FIG. 5 are optional components, not mandatory components, and the specifics may depend on the product form of the data detection equipment.
  • the data detection device in this embodiment can be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone, or an IoT device, or it can be a server device such as a conventional server, a cloud server, or a server array.
  • if the data detection device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer or a smart phone, it may include the components in the dashed box in FIG. 5; if it is implemented as a server device such as a conventional server, a cloud server or a server array, it may not include the components in the dashed box in FIG. 5.
  • an embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • when the computer program is executed by a processor, it causes the processor to implement the steps in the method embodiment shown in FIG. 4a.
  • FIG. 6 is a schematic structural diagram of a safety prevention and control device provided by an exemplary embodiment of this application.
  • the safety prevention and control device of this embodiment may be implemented by any safety prevention and control device in the distributed safety detection system, and in particular may be implemented as the first safety prevention and control device.
  • the device includes: a memory 61, a processor 62, and a communication component 63.
  • the memory 61 is used to store computer programs, and can be configured to store other various data to support operations on the security prevention and control equipment. Examples of these data include instructions for any application or method operated on the security prevention and control device, contact data, phone book data, messages, pictures, videos, etc.
  • the processor 62, coupled to the memory 61, is configured to execute a computer program in the memory 61 in order to: obtain the first target data provided by the data detection device in the distributed security detection system and the attribute information and scan result information of the first target data; and perform a security analysis on the first target data according to that attribute information and scan result information; wherein the first target data is the data, among the data to be detected received by the data detection device, that meets the first security analysis rule, and the scan result information of the first target data is obtained by the data detection device scanning the first target data according to its first scanning rule.
  • the distributed security detection system includes a data storage system and a log storage system. Based on this, when the processor 62 obtains the first target data provided by the data detection device in the distributed security detection system and the attribute information and scanning result information of the first target data, it is specifically configured to: receive, through the communication component 63, the first storage address sent by the data detection device, and read the first target data from the data storage system in the distributed security detection system according to the first storage address; and receive the second storage address sent by the data detection device, and read the attribute information and scanning result information of the first target data from the log storage system in the distributed security detection system according to the second storage address.
  • the first storage address is the storage address of the first target data in the data storage system;
  • the second storage address is the storage address of the attribute information of the first target data and the scan result information in the log storage system.
  • when the security prevention and control device of this embodiment is implemented as the first security prevention and control device deployed at the local end in the distributed security detection system, the distributed security detection system also includes a second security prevention and control device deployed in the cloud.
  • the second security prevention and control device can scan the data to be detected according to the second scanning rule when the data detection device cannot successfully scan the data to be detected according to the first scanning rule, and can scan according to the The second security analysis rule identifies second target data that meets the second security analysis rule from the data to be detected, and can notify the first security prevention and control device to perform security analysis on the second target data.
  • the processor 62 is further configured to: receive, through the communication component 63, the notification message sent by the second security prevention and control device in the distributed security detection system; according to the notification message, read the attribute information and scanning result information of the second target data from the log storage system in the distributed security detection system; and perform security analysis on the second target data according to its attribute information and scanning result information; wherein the second target data is data that the second security prevention and control device identified, from the data to be detected, as meeting the second security analysis rule when the data detection device could not successfully scan that data according to the first scanning rule.
  • the second scanning rule refers to a scanning rule that can be used by the second security prevention and control device; compared to the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the processor 62 is further configured to: receive the configuration information issued by the second security prevention and control device through the communication component 63, and forward the configuration information to the data detection device for local configuration by the data detection device The first scanning rule and the first safety analysis rule.
  • the safety prevention and control device further includes: a display 64, a power supply component 65, an audio component 66 and other components. Only some of the components are schematically shown in FIG. 6, which does not mean that the safety prevention and control equipment only includes the components shown in FIG. 6. In addition, the components in the dashed box in FIG. 6 are optional components, not mandatory components, and the specifics may depend on the product form of the safety prevention and control equipment.
  • the security prevention and control device of this embodiment can be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone, or an IoT device, and can also be a server device such as a conventional server, a cloud server, or a server array.
  • if the security prevention and control device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer or a smart phone, it may include the components in the dashed box in FIG. 6; if it is implemented as a server device such as a conventional server, a cloud server or a server array, it may not include the components in the dashed box in FIG. 6.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • when the computer program is executed by a processor, it causes the processor to implement the steps in the method embodiment shown in FIG. 4b.
  • FIG. 7 is a schematic structural diagram of another safety prevention and control device provided by an exemplary embodiment of this application.
  • the security prevention and control device of this embodiment may be implemented by the second security prevention and control device in the distributed security detection system.
  • the device includes: a memory 71, a processor 72, and a communication component 73.
  • the memory 71 is used to store computer programs, and can be configured to store various other data to support operations on the security prevention and control equipment. Examples of such data include instructions for any application or method that is used to operate on the security prevention and control device, contact data, phone book data, messages, pictures, videos, etc.
  • the processor 72, coupled to the memory 71, is configured to execute a computer program in the memory 71 in order to: receive, through the communication component 73, a scan request sent by a data detection device in the distributed security detection system, where the scan request is sent by the data detection device when the data to be detected cannot be successfully scanned according to the first scanning rule; read the data to be detected from the data storage system in the distributed security detection system according to the scan request; and scan the data to be detected according to the second scanning rule to obtain scan result information of the data to be detected.
  • the processor 72 is further configured to: after obtaining the scan result information of the data to be detected, identify second target data that meets the second security analysis rule from the data to be detected, and perform security analysis on the second target data according to its attribute information and scanning result information.
  • the processor 72 is further configured to: after obtaining the scan result information of the data to be detected, identify second target data that meets the second security analysis rule from the data to be detected; write the attribute information and scan result information of the second target data into the log storage system in the distributed security detection system; and notify the first security prevention and control device in the distributed security detection system, so that the first security prevention and control device can perform security analysis on the second target data according to that attribute information and scan result information.
  • the second scanning rule refers to a scanning rule that can be used by the security prevention and control device provided in this embodiment; compared with the first scanning rule, the second scanning rule may be the latest scanning rule, or it may be more comprehensive and complete.
  • the first scanning rule is a scanning rule configured on the local end of the data detection device; the second scanning rule is a scanning rule configured on the cloud.
  • the processor 72 is further configured to: in the case that the data to be detected matches the second scanning rule, send the scanning rule in the second scanning rule that the data to be detected matched to the data detection device, so that the data detection device can update the first scanning rule.
  • the processor 72 is further configured to: send configuration information to the first security prevention and control device through the communication component 73, so that the first security prevention and control device forwards the configuration information to the data detection device, so that The data detection device locally configures the first scanning rule and the first safety analysis rule.
  • the safety prevention and control device further includes: a display 74, a power supply component 75, an audio component 76 and other components. Only some components are schematically shown in FIG. 7, which does not mean that the safety prevention and control equipment only includes the components shown in FIG. 7. In addition, the components in the dashed box in FIG. 7 are optional components, not mandatory components, which may be determined by the product form of the safety prevention and control equipment.
  • the security prevention and control device of this embodiment can be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone, or an IoT device, and can also be a server device such as a conventional server, a cloud server, or a server array.
  • if the security prevention and control device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer or a smart phone, it may include the components in the dashed box in FIG. 7; if it is implemented as a server device such as a conventional server, a cloud server or a server array, it may not include the components in the dashed box in FIG. 7.
  • An embodiment of the present application also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it causes the processor to implement the steps in the method embodiment shown in FIG. 4c.
  • the memory in Figure 5 to Figure 7 above can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • the communication components in Figures 5-7 are configured to facilitate wired or wireless communication between the device where the communication component is located and other devices.
  • the device where the communication component is located can access wireless networks based on communication standards, such as WiFi, 2G, 3G, 4G/LTE, 5G and other mobile communication networks, or a combination of them.
  • the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel.
  • The communication component may further include a near field communication (NFC) module, radio frequency identification (RFID) technology, infrared data association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and the like.
  • the above-mentioned display in FIGS. 5-7 includes a screen, and the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user.
  • the touch panel includes one or more touch sensors to sense touch, sliding, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure related to the touch or slide operation.
  • the power components in Figures 5 to 7 above provide power for various components of the equipment where the power components are located.
  • the power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device where the power supply component is located.
  • the audio components in Figs. 5-7 can be configured to output and/or input audio signals.
  • The audio component includes a microphone (MIC). When the device where the audio component is located is in an operating mode, such as call mode, recording mode or voice recognition mode, the microphone is configured to receive external audio signals.
  • the received audio signal can be further stored in a memory or sent via a communication component.
  • the audio component further includes a speaker for outputting audio signals.
  • the embodiments of the present invention can be provided as a method, a system, or a computer program product. Therefore, the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • This instruction device implements the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing; the instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-permanent memory in a computer readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. According to the definition in this document, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
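As an added illustration (not code from the patent or its applicant), the following Python models the two-tier rule flow of the embodiment above: the data detection device scans with its locally configured first scanning rule, the security prevention and control device re-scans with the cloud-side second scanning rule, records second target data in the log storage system, notifies for security analysis, and sends the matched rules back so the first scanning rule is updated. Rule ids, patterns, the sample request and the flow attributes are constructed here.

```python
import re
from dataclasses import dataclass, field

# Constructed rule sets: first rules live on the data detection device, second
# rules on the cloud-side security prevention and control device (a superset).
FIRST_RULES = {"R1": r"(?i)\bunion\s+select\b"}
SECOND_RULES = {"R1": r"(?i)\bunion\s+select\b", "R2": r"(?i)<script\b"}


def match_rules(rules, payload):
    """Return the sorted ids of the rules whose pattern occurs in the payload."""
    return sorted(rid for rid, pat in rules.items() if re.search(pat, payload))


@dataclass
class DataDetectionDevice:
    first_rules: dict  # locally configured first scanning rule set

    def scan(self, payload):
        return match_rules(self.first_rules, payload)


@dataclass
class SecurityControlDevice:
    second_rules: dict  # cloud-side second scanning rule set
    log_storage: list = field(default_factory=list)  # stands in for the log storage system
    notified: list = field(default_factory=list)     # flow ids handed to security analysis

    def rescan(self, detector, attributes, payload):
        """Re-scan with the second rules; record second target data and sync rules back."""
        matched = match_rules(self.second_rules, payload)
        if matched:
            # Second target data: write attribute and scan result information, then notify.
            self.log_storage.append({"attributes": attributes, "scan_result": matched})
            self.notified.append(attributes["flow_id"])
            # Send back only the matched cloud rules the detector lacks (first-rule update).
            detector.first_rules.update(
                {rid: self.second_rules[rid] for rid in matched if rid not in detector.first_rules})
        return matched


def run_demo():
    """Constructed flow: a message only the cloud rule set catches, then a local re-scan."""
    detector = DataDetectionDevice(dict(FIRST_RULES))
    cloud = SecurityControlDevice(dict(SECOND_RULES))
    payload = "GET /search?q=<script>alert(1)</script> HTTP/1.1"  # constructed sample message
    attrs = {"flow_id": "flow-42", "src": "10.0.0.5", "dst": "10.0.0.9"}  # constructed attributes
    before = detector.scan(payload)                      # first rules miss it
    cloud_hits = cloud.rescan(detector, attrs, payload)  # second rules match R2
    after = detector.scan(payload)                       # first rules now updated
    return before, cloud_hits, after, cloud.log_storage, cloud.notified
```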

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Distributed security testing system, method and device, and storage medium. A distributed-deployment data security testing scheme is used to solve the information security problem in a network environment; data collection, scanning and analysis are separated, and the key links in data security testing are decoupled; in this way, the resources required for data security testing are spread over a plurality of devices, which facilitates the testing, analysis and protection of a large volume of network data; furthermore, the distributed system as a whole is relatively low in complexity, is easy to deploy and implement, and offers relatively high flexibility.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/119724 WO2021097713A1 (fr) 2019-11-20 2019-11-20 Système, procédé et dispositif de test de sécurité distribué, et support de stockage
CN201980100728.2A CN114450920A (zh) 2019-11-20 2019-11-20 分布式安全检测系统、方法、设备及存储介质

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/119724 WO2021097713A1 (fr) 2019-11-20 2019-11-20 Système, procédé et dispositif de test de sécurité distribué, et support de stockage

Publications (1)

Publication Number Publication Date
WO2021097713A1 true WO2021097713A1 (fr) 2021-05-27

Family

ID=75980325

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/119724 WO2021097713A1 (fr) 2019-11-20 2019-11-20 Système, procédé et dispositif de test de sécurité distribué, et support de stockage

Country Status (2)

Country Link
CN (1) CN114450920A (fr)
WO (1) WO2021097713A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113344543A (zh) * 2021-06-24 2021-09-03 北京红山信息科技研究院有限公司 一种防疫数据管理系统
CN115063286A (zh) * 2022-08-08 2022-09-16 江苏时代新能源科技有限公司 一种检测系统及图像处理方法

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103020520A (zh) * 2012-11-26 2013-04-03 北京奇虎科技有限公司 一种基于企业的文件安全检测方法和系统
CN103442008A (zh) * 2013-08-29 2013-12-11 中国科学院计算技术研究所 一种路由安全检测系统及检测方法
CN104065645A (zh) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 用于防护web漏洞的方法和设备
US20160205125A1 (en) * 2015-01-14 2016-07-14 Korea Internet & Security Agency System and method for analyzing mobile cyber incident
CN106357689A (zh) * 2016-11-07 2017-01-25 北京奇虎科技有限公司 威胁数据的处理方法及系统

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102015212206A1 (de) * 2015-06-30 2017-01-05 Siemens Healthcare Gmbh Verfahren zu einem Bestimmen zumindest eines patientenspezifischen Sicherheitsparameters sowie eine medizinische Bildgebungsvorrichtung hierzu
CN109818972B (zh) * 2019-03-12 2021-07-09 国网新疆电力有限公司电力科学研究院 一种工业控制系统信息安全管理方法、装置及电子设备

Also Published As

Publication number Publication date
CN114450920A (zh) 2022-05-06

Similar Documents

Publication Publication Date Title
US11188397B2 (en) Mobile application for an information technology (IT) and security operations application
US11575579B2 (en) Systems and methods for networked microservice modeling
KR101979363B1 (ko) 애플리케이션 토폴로지 관계의 발견 방법, 장치, 및 시스템
US20200210424A1 (en) Query engine for remote endpoint information retrieval
US11503070B2 (en) Techniques for classifying a web page based upon functions used to render the web page
Kotenko et al. Aggregation of elastic stack instruments for collecting, storing and processing of security information and events
US20200351190A1 (en) Virtual Probes
US9836358B2 (en) Ephemeral remote data store for dual-queue systems
US11294740B2 (en) Event to serverless function workflow instance mapping mechanism
US11954130B1 (en) Alerting based on pod communication-based logical graph
US11297105B2 (en) Dynamically determining a trust level of an end-to-end link
US20160323160A1 (en) Detection of node.js memory leaks
US20140337471A1 (en) Migration assist system and migration assist method
CN113835836B (zh) 动态发布容器服务的系统、方法、计算机设备及介质
US10129280B2 (en) Modular event pipeline
WO2021097713A1 (fr) Système, procédé et dispositif de test de sécurité distribué, et support de stockage
WO2020036763A1 (fr) Test des changements de données dans des systèmes de production
CN117271584A (zh) 数据处理方法及装置、计算机可读存储介质和电子设备
CN109324892B (zh) 分布式管理方法、分布式管理系统及装置
CN111130882A (zh) 网络设备的监控系统及方法
US11874848B2 (en) Automated dataset placement for application execution
US11023479B2 (en) Managing asynchronous analytics operation based on communication exchange
US11995055B2 (en) Data management techniques using distributed policy agent
US11516109B1 (en) Application of data services based on services policies
US20210173729A1 (en) Systems and methods of application program interface (api) parameter monitoring

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19953503

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19953503

Country of ref document: EP

Kind code of ref document: A1