WO2021139308A1 - Method, apparatus and device for monitoring a cloud server, and storage medium - Google Patents


Info

Publication number
WO2021139308A1
Authority
WO
WIPO (PCT)
Prior art keywords
cloud server
hardware
software
reference value
monitoring
Application number
PCT/CN2020/122338
Other languages
English (en)
Chinese (zh)
Inventor
胡俊文
Original Assignee
平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3037 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a memory, e.g. virtual memory, cache
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324 Display of status information
    • G06F11/327 Alarm or error message display
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • the present invention relates to the field of artificial intelligence logic programming, in particular to a cloud server monitoring method, device, equipment and storage medium.
  • cloud servers came into being in this context.
  • the cloud service provider that provides the cloud server is responsible for purchasing hardware equipment and providing basic Internet services such as computing, storage and online backup; the user only needs to use the connection interface to perform system deployment, software configuration and maintenance operations on the provider's server, and can even hand the service over to the provider to be fully managed. This reduces the user's online service expenditure and improves service efficiency.
  • the inventor realized that because the user semi-hosts, or even fully hosts, the service with the cloud service provider, the user may not be able to know whether problems such as information leakage or damage to the environment occur during the service. For example, when a cloud service provider discovers that a server's hard disk has failed, it replaces the original hard disk with a backup hard disk. If commercial secrets are stored on that hard disk, there is a serious risk of data leakage. Therefore, there is an urgent need for a mechanism that effectively monitors the environmental integrity of cloud servers, so as to reduce the possibility of risks in the process of providing cloud services.
  • the main purpose of this application is to solve the problem that users cannot monitor the environmental integrity of the cloud server.
  • the first aspect of this application provides a cloud server monitoring method, including:
  • the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • a hardware credibility report and/or a software credibility report corresponding to the current cloud server is generated and sent to the corresponding cloud server rental user.
  • a second aspect of the present application provides a cloud server monitoring device.
  • the cloud server monitoring device includes a memory, a processor, and a cloud server monitoring program that is stored on the memory and can run on the processor.
  • the processor implements the following steps when executing the cloud server monitoring program:
  • the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • a hardware credibility report and/or a software credibility report corresponding to the current cloud server is generated and sent to the corresponding cloud server rental user.
  • a third aspect of the present application provides a computer-readable storage medium that stores computer instructions, and when the computer instructions are executed on a computer, the computer executes the following steps:
  • the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • a hardware credibility report and/or a software credibility report corresponding to the current cloud server is generated and sent to the corresponding cloud server rental user.
  • the fourth aspect of the present application provides a cloud server monitoring device, including:
  • the detection module is used to detect whether a scheduled monitoring task of the cloud server currently exists;
  • the verification module is used to trigger the execution of the cloud server hardware trusted integrity check if a scheduled cloud server monitoring task currently exists;
  • the verification module includes:
  • the hardware verification unit is used to perform the cloud server hardware trusted integrity check, which specifically includes: generating the hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the software verification unit is used to perform the cloud server software trusted integrity check, which specifically includes: generating the software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • the standby module is configured to wait to enter the next round of regular monitoring tasks if the hardware environment monitoring value is consistent with the hardware environment reference value, and/or if the software environment monitoring value is consistent with the preset software environment reference value;
  • a judgment module configured to judge whether the current cloud server meets preset alarm conditions if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value;
  • the alarm module is configured to generate a hardware credibility report and/or software credibility report corresponding to the current cloud server if the alarm condition is met, and send it to the corresponding cloud server rental user.
  • in this application it is first detected whether a regular monitoring task exists; if it exists, a hardware trusted integrity check is performed to determine whether the hardware environment of the current cloud server is intact, and after it passes, a software trusted integrity check is performed to judge whether the software environment of the current cloud server is intact. If both pass, the device waits for the next monitoring task; if either fails, a hardware credibility report and/or a software credibility report is generated and sent to the user. Therefore, this application can implement scheduled monitoring of the cloud server at the two levels of the hardware environment and the software environment, thereby reducing the risk of data leakage and improving the security of the user's data.
  • this solution uses the hardware/software environment
  • the environmental reference value is stored in the NV space of the trusted chip or on the blockchain.
  • the hardware/software trusted integrity verification strategies provided by this application are freely selectable and updateable.
  • it is set to issue a hardware credibility report and/or a software credibility report when the number of untrusted times found by monitoring reaches a certain threshold.
  • FIG. 1 is a schematic diagram of a first embodiment of a cloud server monitoring method in an embodiment of this application;
  • FIG. 2-1 is a schematic diagram of the hardware/software trusted integrity check policy configuration part of the second embodiment of the cloud server monitoring method in an embodiment of this application;
  • FIG. 2-2 is a schematic diagram of monitoring a cloud server in the second embodiment of the cloud server monitoring method in an embodiment of this application;
  • FIG. 3 is a schematic diagram of a third embodiment of a cloud server monitoring method in an embodiment of this application;
  • FIG. 4 is a schematic diagram of a fourth embodiment of a cloud server monitoring method in an embodiment of this application;
  • FIG. 5 is a schematic diagram of a first embodiment of a cloud server monitoring device in an embodiment of this application;
  • FIG. 6 is a schematic diagram of a second embodiment of a cloud server monitoring device in an embodiment of this application;
  • FIG. 7 is a schematic diagram of an embodiment of a cloud server monitoring device in an embodiment of this application.
  • the embodiments of the application provide a cloud server monitoring method, device, equipment, and storage medium.
  • the first embodiment of the cloud server monitoring method in the embodiment of the present application includes:
  • the execution subject of this application may be a cloud server monitoring device, or may also be a terminal or a server, etc., which is not specifically limited here.
  • the embodiment of the present application takes the cloud server monitoring device as the execution subject as an example for description.
  • the device is equipped with a cloud server verification strategy preset by the cloud server rental user.
  • the verification strategy includes a monitoring cycle, and at the end of every monitoring cycle the device initiates a monitoring task on the cloud server. Therefore, while the device is running, it detects whether a regular monitoring task of the cloud server exists.
  • the cloud server hardware trusted integrity check includes:
  • the hardware environment monitoring value corresponding to the current cloud server is generated, and it is judged whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, the cloud server software trusted integrity check is triggered;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • the hardware trusted integrity check strategy preset by the developer is applied to the device. Before the cloud server is leased, the device first obtains the attribute value of the hardware specified in the hardware trusted integrity check policy. Then, the first measurement algorithm specified in the hardware trusted integrity check strategy is used to calculate the attribute value of the hardware to obtain the hardware environment reference value. In order to protect the reliability of the hardware environment reference value, this solution preferably stores the hardware environment reference value on a trusted security chip or blockchain.
  • the first measurement algorithm is used to calculate the attribute value of the hardware corresponding to the current cloud server to obtain the corresponding hardware environment monitoring value, which is compared with the hardware environment reference value.
  • if the hardware environment monitoring value is consistent with the hardware environment reference value, this indicates that the hardware environment of the current cloud server is intact, and the cloud server software trusted integrity check is then performed.
  • when cloud server leasing users first start using the cloud server, the cloud server verification policy configuration parameters they selected are collected, including the software trusted integrity check strategy.
  • the strategy includes a second measurement algorithm and a designated software name. On the first run, the corresponding software file is first obtained according to the designated software name, and the corresponding software environment monitoring value is then obtained by applying the second measurement algorithm to it.
  • if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value, this means that the current cloud server may be at risk.
  • each inconsistency is counted, and when the count reaches the preset threshold, it is determined that the current cloud server meets the preset alarm condition.
  • the preset report template is obtained, and the inconsistent hardware/software environment monitoring values and hardware/software environment reference values are written into the report template to obtain the hardware credibility report and/or software credibility report, which is sent to the corresponding cloud server rental user.
  • this cloud server monitoring method detects the existence of a regular monitoring task, first performs a hardware trusted integrity check, then performs a software trusted integrity check after the first one passes, and if both pass, waits for the next monitoring task. If either fails, a hardware credibility report and/or a software credibility report is generated and sent to the user. Therefore, this application can implement scheduled monitoring of the cloud server at the two levels of the hardware environment and the software environment, thereby reducing the risk of data leakage and improving the security of the user's data.
  • the second embodiment of the cloud server monitoring method in the embodiment of the present application includes:
  • the developer writes the name of the hardware object to be monitored in the hardware trusted integrity check strategy in advance, and stores the hardware trusted integrity check strategy in the device.
  • the hardware name includes system boot sector, BIOS firmware, hard disk serial number, and so on.
  • the security chip, also known as the trusted platform module, is a device that can independently perform key generation, encryption and decryption. It has an independent processor and storage unit inside that can store keys and characteristic data.
  • TPM Trusted Platform Module
  • TCM Trusted Cryptography Module
  • the trusted security module was jointly launched by Great Wall, ZTE and other companies. Because of the encryption measures of the trusted security chip, this solution uses it to store the hardware environment reference value and/or the software environment reference value. This solution does not limit the type of trusted chip used, and this embodiment only uses a TPM chip as an example to describe the solution.
  • the device obtains the hardware credible integrity check strategy preset by the developer.
  • the attribute value of the corresponding hardware in the cloud server with the TPM chip is obtained.
  • the abbreviation of the hard disk serial number is SN.
  • the hard disk manufacturer assigns a code to each hard disk to distinguish different hard disk products. The code is unique and immutable. First the /etc/mtab file is read to find the mounted device file, then the ioctl system call is used to obtain the information in the device file, and the corresponding attribute value is extracted from the obtained information; this is the serial number of the hard disk in the current server.
  • the attribute values corresponding to hardware such as the boot sector, BIOS firmware, etc. can be obtained in a similar manner. Since this technology is very mature, the individual cases are not described one by one here.
  • the measurement algorithm commonly used to measure the hardware information and software information of the server is the hash algorithm.
  • the hash algorithms supported by trusted security chips are SHA256, SM3, etc. Since the standard configuration of the TPM is the SHA256 algorithm, this embodiment uses SHA256 as the first measurement algorithm to measure hardware attribute values.
  • NV space: the non-volatile random access memory (NVRAM) of the chip.
  • NVRAM: Non-Volatile Random Access Memory; its contents are not lost when power is removed.
  • NVRAM is used to store the hardware environment reference value and the software environment reference value.
  • TPM can maintain a static chain of trust.
  • the static chain of trust is used for measurement after the platform is powered on.
  • two registers are used: the first stores the BIOS measurement, whose attribute value is A and whose hash value is B; the second is used to extend the platform configuration, and its value is B.
  • (A+B) is taken as a whole and measured with the first measurement algorithm, and the hash value C is obtained.
  • the data stored on the PCR will be stored in the NV space at the same time.
  • the hardware environment reference value may also be stored in a node of a blockchain.
  • the cloud server verification strategy configuration parameters selected by the server leasing user are obtained, where the cloud server verification strategy configuration parameters include enabling or disabling the software trusted integrity check strategy, and enabling or disabling the hardware trusted integrity check strategy;
  • the operating system kernel is the first layer of software on the device and is one of the core components of the entire operating system and device. Because the operating system kernel may be attacked by buffer overflows, direct memory access peripheral attacks, etc., the operating system may enter an unexpected state, which causes the entire software environment to be untrustworthy. Therefore, this solution provides a trusted integrity check strategy that can be realized at the software level.
  • the server can then be put on the shelf for rental to provide cloud services.
  • an option box first pops up so that the user can select the cloud server verification policy configuration parameters.
  • the cloud server verification strategy configuration parameters include turning the software trusted integrity check strategy on or off, and turning the hardware trusted integrity check strategy on or off.
  • for the hardware trusted integrity check strategy, the user can also choose whether to execute it. When some users start to use the server, they may pay more attention to the integrity of the hardware environment before use, so this provides users with more monitoring options.
  • the specific software trusted integrity check policy configuration parameters then pop up, such as the type of second measurement algorithm used, which files need to be measured, the monitoring period, and so on.
  • the software files most frequently measured are the kernel files of the operating system. For example, in Ubuntu, the file name of the kernel file is .config.
  • the second measurement algorithm is again the SHA256 algorithm. SHA256 is computed over the file found at the obtained file path (filePath) to obtain the hash value corresponding to ".config", which is the software environment reference value.
  • the above-mentioned software environment reference value may also be stored in a node of a blockchain.
  • the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • the blockchain referred to in this application is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm.
  • a blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods. Each data block contains a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block.
  • the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
  • the hardware environment reference value is obtained according to the preset hardware trusted integrity check strategy, so that the user can perform a complete measurement of the hardware environment before starting to use the cloud server.
  • this embodiment also lets the user freely choose whether to enable the hardware trusted integrity check strategy or the software trusted integrity check strategy. If the user chooses to turn on the software trusted integrity check strategy, the software environment reference value is obtained according to the selected cloud server verification strategy configuration parameters and the monitoring service is started.
  • the software environment reference value and hardware environment reference value in this solution are stored in the trusted security chip and the blockchain, where both can be better protected, thereby reducing the risk of tampering and improving the credibility of the subsequent verification results.
  • the third embodiment of the cloud server monitoring method in the embodiment of the present application includes:
  • the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value, this means that the environment may currently have changed. However, in real applications false alarms are possible. Therefore, to ensure rigor, when users select the cloud server verification policy configuration parameters, a threshold of untrustworthy times can be set. Each time an inconsistency occurs, 1 is added to the number of untrustworthy times, which accumulates gradually.
  • the current untrustworthy times are compared with the preset untrustworthy times threshold, and it is judged whether it reaches the untrustworthy times threshold.
  • the developer writes the credible report template into the device in advance.
  • the credible report template includes a title, string names (in this embodiment, the hardware environment monitoring value and the hardware environment reference value), the writing rules corresponding to each string name, the judgment result, and so on. If the current cloud server meets the alarm condition, the credible report template is obtained.
  • the credible alarm report also judges each pair of hardware (software) environment monitoring values and hardware (software) environment reference values. Pairs that are consistent are judged credible, and those that are inconsistent are judged not credible, so that users can quickly find the hardware or software in question.
  • the hardware credibility report and/or the software credibility report are sent to the server rental user.
  • an alarm message is also sent to the other party.
  • the alarm process in the monitoring process is described and supplemented.
  • a threshold of untrustworthy times is set. Only when the untrustworthy times reaches the threshold, an alarm will be issued.
  • if there are inconsistent hardware (software) environment monitoring values and hardware (software) environment reference values in the credible report, then after the credible report has been sent to the mailbox, a text message reminder is also sent.
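The monitoring round of the first embodiment (hardware check, then software check only after the hardware check passes), the (A+B) extend measurement of the second embodiment and the untrustworthy-times threshold and report template of the third embodiment, as an added Python example that is not code from the patent. The attribute values and kernel-file bytes are constructed sample input; reading them from /etc/mtab, ioctl or a TPM, and storing reference values in NV space or a blockchain, is assumed to happen outside this snippet.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample input (not from the patent): the attribute values the
# device would read for the hardware objects named in the hardware strategy
# and the bytes of the kernel file named in the software strategy.
HARDWARE_AT_LEASE = {
    "bios_firmware": b"BIOS v1.02 build 2019-11",
    "boot_sector": b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x00" * 8,
    "hard_disk_sn": b"WD-WXA1A2B3C4D5",
}
SOFTWARE_AT_LEASE = {"/boot/.config": b"CONFIG_X86_64=y\nCONFIG_MODULES=y\n"}


def measure(data: bytes) -> str:
    """First/second measurement algorithm: SHA256, the TPM default named on the page."""
    return hashlib.sha256(data).hexdigest()


def extend(pcr_hex: str, measurement_hex: str) -> str:
    """PCR-style extend: (A+B) taken as a whole and measured again gives C."""
    return measure(bytes.fromhex(pcr_hex) + bytes.fromhex(measurement_hex))


def reference_values(objects: dict) -> dict:
    """Reference values computed once, before lease / on first run.
    The patent stores them in TPM NV space or a blockchain; here they stay in memory."""
    return {name: measure(value) for name, value in objects.items()}


def aggregate(values: dict) -> str:
    """Chain all per-object measurements into one PCR-like value, in a fixed order."""
    pcr = "00" * 32  # 32 zero bytes, the initial SHA256 PCR state
    for name in sorted(values):
        pcr = extend(pcr, values[name])
    return pcr


def check(ref: dict, now: dict) -> dict:
    """Per object: (monitoring value, reference value, consistent?)."""
    out = {}
    for name, ref_hex in ref.items():
        mon_hex = measure(now.get(name, b""))  # a missing object measures as empty
        out[name] = (mon_hex, ref_hex, mon_hex == ref_hex)
    return out


def render_report(hw: dict, sw: dict) -> str:
    """Fill the report template: title, each monitoring/reference pair, judgment."""
    lines = ["Cloud server credibility report"]
    for section, results in (("hardware", hw), ("software", sw)):
        for name, (mon, ref, ok) in results.items():
            verdict = "credible" if ok else "not credible"
            lines.append(f"{section} {name}: monitoring={mon[:16]} "
                         f"reference={ref[:16]} result={verdict}")
    return "\n".join(lines)


@dataclass
class Monitor:
    hw_ref: dict
    sw_ref: dict
    threshold: int = 3        # untrustworthy-times threshold chosen by the user
    untrusted_times: int = 0  # accumulates; the patent specifies no reset
    reports: list = field(default_factory=list)

    def run_round(self, hw_now: dict, sw_now: dict) -> str:
        """One regular monitoring task. Returns 'wait', 'count' or 'alarm'."""
        hw = check(self.hw_ref, hw_now)
        hw_ok = all(ok for _, _, ok in hw.values())
        # The software check is only triggered once the hardware check passes.
        sw = check(self.sw_ref, sw_now) if hw_ok else {}
        sw_ok = all(ok for _, _, ok in sw.values())
        if hw_ok and sw_ok:
            return "wait"     # standby until the next monitoring cycle
        self.untrusted_times += 1
        if self.untrusted_times < self.threshold:
            return "count"    # inconsistent, but below the alarm threshold
        self.reports.append(render_report(hw, sw))
        return "alarm"        # report generated and sent to the rental user


def demo() -> tuple:
    """One clean round, then three rounds after a hard disk swap (threshold 3)."""
    mon = Monitor(reference_values(HARDWARE_AT_LEASE),
                  reference_values(SOFTWARE_AT_LEASE))
    # Constructed: the provider replaced the failed disk with a backup disk.
    swapped = dict(HARDWARE_AT_LEASE, hard_disk_sn=b"WD-WXZ9Y8X7W6V5")
    results = [mon.run_round(HARDWARE_AT_LEASE, SOFTWARE_AT_LEASE)]
    results += [mon.run_round(swapped, SOFTWARE_AT_LEASE) for _ in range(3)]
    return results, mon.reports


if __name__ == "__main__":
    outcomes, reports = demo()
    print(outcomes)
    print(reports[0])
```

Because the software check is skipped once the hardware check fails, the report after a disk swap lists only hardware pairs, which matches the "hardware credibility report and/or software credibility report" wording.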
  • the fourth embodiment of the cloud server monitoring method in the embodiment of the present application includes:
  • the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • this application also provides a solution for updating the cloud server verification strategy.
  • when the cloud server verification strategy configuration parameters are updated, the hardware trusted integrity check strategy and/or the software trusted integrity check strategy is updated accordingly; the updatable cloud server verification strategy configuration parameters include the measurement algorithm, the name of the software to be measured, the monitoring period, etc.
  • the hardware environment reference value and/or the software environment reference value in the NV space also need to be regenerated according to the updated hardware trusted integrity check strategy and/or software trusted integrity check strategy.
  • a solution for updating the hardware trusted integrity check strategy and/or the software trusted integrity check strategy is provided.
  • when the strategy is updated, the hardware environment reference value and/or the software environment reference value is also updated.
  • the cloud server monitoring method in the embodiment of the present application is described above, and the cloud server monitoring device in the embodiment of the present application is described below.
  • the first embodiment of the cloud server monitoring device in the embodiment of the present application includes:
  • the detection module 501 is used to detect whether there is a cloud server timing monitoring task currently;
  • the verification module 502 is configured to trigger the execution of the cloud server hardware credible integrity check and/or the cloud server software credible integrity check if there is a cloud server timing monitoring task currently;
  • the verification module 502 includes:
  • the hardware verification unit 5021 is configured to perform cloud server hardware trusted integrity verification, which specifically includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity verification strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the software verification unit 5022 is used to perform cloud server software trusted integrity verification, which specifically includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity verification strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • the standby module 503 is configured to wait for the next round of regular monitoring tasks if the hardware environment monitoring value is consistent with the hardware environment reference value, and/or if the software environment monitoring value is consistent with the preset software environment reference value;
  • the judgment module 504 is configured to judge whether the current cloud server meets preset alarm conditions if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value;
  • the alarm module 505 is configured to generate a hardware credibility report and/or a software credibility report corresponding to the current cloud server if the alarm condition is met, and send it to the corresponding cloud server rental user.
  • the cloud server monitoring method detects the existence of a regular monitoring task, first performs a hardware credible integrity check, then performs a software credible integrity check once the hardware check passes, and, if both pass, waits for the next round. If a check fails, a hardware credibility report and/or a software credibility report is generated and sent to the user. Therefore, this application can implement timed monitoring of the cloud server at the two levels of the hardware environment and the software environment, thereby reducing the risk of data leakage and improving the security of the user's data.
  • the second embodiment of the cloud server monitoring device in the embodiment of the present application includes:
  • the detection module 501 is used to detect whether there is a cloud server timing monitoring task currently;
  • the verification module 502 is configured to trigger the execution of the cloud server hardware credible integrity check and/or the cloud server software credible integrity check if there is a cloud server timing monitoring task currently;
  • the verification module 502 includes:
  • the hardware verification unit 5021 is configured to perform cloud server hardware trusted integrity verification, which specifically includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity verification strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
  • the software verification unit 5022 is used to perform cloud server software trusted integrity verification, which specifically includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity verification strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
  • the standby module 503 is configured to wait for the next round of regular monitoring tasks if the hardware environment monitoring value is consistent with the hardware environment reference value, and/or if the software environment monitoring value is consistent with the preset software environment reference value;
  • the judgment module 504 is configured to judge whether the current cloud server meets preset alarm conditions if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value;
  • the alarm module 505 is configured to generate a hardware credibility report and/or a software credibility report corresponding to the current cloud server if the alarm condition is met, and send it to the corresponding cloud server rental user.
  • a hardware measurement module 506 is further included before the detection module 501; the hardware environment reference value is stored in the NV space in the blockchain and/or a preset trusted security chip, and the hardware measurement module 506 is specifically used for:
  • the attribute value of the hardware is calculated according to the first metric algorithm specified in the hardware trusted integrity check policy to obtain the hardware environment reference value of the hardware.
  • the hardware measurement module 506 is further connected with a software measurement module 507; the software environment reference value is stored in the NV space in the blockchain and/or a preset trusted security chip, and the software measurement module 507 is specifically used for:
  • the software file is calculated according to the second measurement algorithm specified in the software trusted integrity verification strategy to obtain the software environment reference value.
  • the cloud server verification policy configuration parameter further includes enabling or disabling the hardware trusted integrity verification policy.
  • the judgment module 504 is specifically configured to:
  • the alarm module 505 is specifically configured to:
  • the alarm report is sent to the corresponding server rental user and the preset alarm short message is sent to the server rental user.
  • the cloud server monitoring device further includes an update module 508, and the update module 508 is specifically configured to:
  • the hardware trusted integrity verification strategy and/or the software trusted integrity verification strategy are updated according to the updated cloud server verification strategy configuration parameters, and corresponding hardware update values and/or software update values are generated;
  • the hardware update value and/or the software update value respectively replace the corresponding hardware environment reference value and/or software environment reference value.
  • this embodiment also allows the user to freely choose whether to enable the hardware trusted integrity check strategy or the software trusted integrity check strategy. If the user chooses to enable the software trusted integrity verification strategy, the software environment reference value is obtained according to the selected cloud server verification strategy configuration parameters and the monitoring service is started.
  • the software environment reference value and hardware environment reference value in this solution are stored in the trusted security chip and the blockchain, where both can be better protected, thereby reducing the risk of tampering and improving the credibility of the subsequent verification results.
  • a threshold for the number of unreliable times is set. Only when the number of unreliable times reaches the threshold will an alarm be issued.
  • a solution is provided for updating a hardware trusted integrity check strategy and/or a software trusted integrity check strategy.
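As an added illustration that is not part of the patent text, the following Python sketch models the device's modules and the policy update of the fourth embodiment: reference values generated by a measurement algorithm over named hardware attributes and software files, the hardware-then-software order of a timed round, the unreliable-count threshold before an alarm report, and the policy update that regenerates the reference values. The attribute values, file contents, function names and the choice to count failed rounds without ever resetting are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inputs (not from the patent): measured hardware attribute values
# and software file contents, keyed by the names the verification policy selects.
HARDWARE_ATTRS = {"cpu": b"vendor=ExampleCPU model=E1", "nic": b"mac=00:11:22:33:44:55"}
SOFTWARE_FILES = {"/opt/app/server": b"\x7fELF-example-v1", "/etc/app.conf": b"port=8443\n"}


@dataclass
class Policy:
    """Trusted integrity verification policy with the configurable parameters the page names."""
    enabled: bool      # the user may enable or disable each policy
    algorithm: str     # measurement algorithm, e.g. "sha256"
    targets: list      # names of the hardware attributes / software files to be measured


def measure(policy, state):
    """Measurement value: one digest over the selected targets under the policy algorithm."""
    h = hashlib.new(policy.algorithm)
    for name in sorted(policy.targets):
        h.update(name.encode() + b"\0" + state[name] + b"\0")
    return h.hexdigest()


class Monitor:
    """Timed monitoring: hardware check, then software check, alarm after a failure threshold."""

    def __init__(self, hw_policy, sw_policy, hw_state, sw_state, alarm_threshold):
        self.alarm_threshold = alarm_threshold
        self.unreliable_count = 0   # assumption: counts every failed round and is never reset
        self.reports = []           # credibility reports that would go to the rental user
        self.update_policy(hw_policy, sw_policy, hw_state, sw_state)

    def update_policy(self, hw_policy, sw_policy, hw_state, sw_state):
        """Policy update: regenerate update values and let them replace the reference values
        (stand-ins here for the copies kept in NV space / the blockchain)."""
        self.hw_policy, self.sw_policy = hw_policy, sw_policy
        self.hw_ref = measure(hw_policy, hw_state) if hw_policy.enabled else None
        self.sw_ref = measure(sw_policy, sw_state) if sw_policy.enabled else None

    def run_task(self, hw_state, sw_state):
        """One monitoring round; the software check only runs if the hardware check passed."""
        if self.hw_policy.enabled and measure(self.hw_policy, hw_state) != self.hw_ref:
            return self._untrusted("hardware")
        if self.sw_policy.enabled and measure(self.sw_policy, sw_state) != self.sw_ref:
            return self._untrusted("software")
        return "trusted"   # standby: wait for the next round

    def _untrusted(self, level):
        self.unreliable_count += 1
        if self.unreliable_count < self.alarm_threshold:
            return "untrusted:" + level      # inconsistent, but alarm condition not yet met
        self.reports.append({"level": level, "count": self.unreliable_count})
        return "alarm:" + level


def demo():
    """Constructed scenario: a clean round, a tampered config file twice, then a policy update."""
    hw = Policy(True, "sha256", ["cpu", "nic"])
    sw = Policy(True, "sha256", ["/opt/app/server", "/etc/app.conf"])
    mon = Monitor(hw, sw, HARDWARE_ATTRS, SOFTWARE_FILES, alarm_threshold=2)
    results = [mon.run_task(HARDWARE_ATTRS, SOFTWARE_FILES)]
    tampered = {**SOFTWARE_FILES, "/etc/app.conf": b"port=8443\nauth=off\n"}
    results.append(mon.run_task(HARDWARE_ATTRS, tampered))   # first failure: below threshold
    results.append(mon.run_task(HARDWARE_ATTRS, tampered))   # threshold reached: alarm report
    # The operator accepts the new configuration by updating the software policy,
    # which regenerates the reference value, so the next round is trusted again.
    mon.update_policy(hw, sw, HARDWARE_ATTRS, tampered)
    results.append(mon.run_task(HARDWARE_ATTRS, tampered))
    return results, len(mon.reports)
```

A disabled policy skips its check entirely, and a hardware mismatch short-circuits the round before any software measurement is taken.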
  • FIGS 5 and 6 above describe the cloud server monitoring device in the embodiment of the present application in detail from the perspective of modular functional entities, and the following describes the cloud server monitoring device in the embodiment of the present application in detail from the perspective of hardware processing.
  • FIG. 7 is a schematic structural diagram of a cloud server monitoring device provided by an embodiment of the present application.
  • the cloud server monitoring device 700 may differ considerably due to different configurations or performance, and may include one or more processors (central processing units, CPU) 710 (for example, one or more processors), a memory 720, and one or more storage media 730 (for example, one or more storage devices).
  • the memory 720 and the storage medium 730 may be short-term storage or persistent storage.
  • the program stored in the storage medium 730 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the cloud server monitoring device 700.
  • the processor 710 may be configured to communicate with the storage medium 730, and execute a series of instruction operations in the storage medium 730 on the cloud server monitoring device 700.
  • the cloud server monitoring device 700 may also include one or more power supplies 730, one or more wired or wireless network interfaces 750, one or more input and output interfaces 760, and/or one or more operating systems 731, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
  • the structure shown in FIG. 7 does not constitute a limitation on the cloud server monitoring device, which may include more or fewer components than shown in the figure, a combination of certain components, or a different arrangement of the components.
  • the computer-readable storage medium may be a non-volatile computer-readable storage medium, and the computer-readable storage medium may also be a volatile computer-readable storage medium.
  • the computer-readable storage medium stores instructions, and when the instructions run on a computer, the computer executes the steps of the cloud server monitoring method.
  • the computer-readable storage medium may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, an application program required by at least one function, etc., and the storage data area may store data created by the use of nodes, etc.
  • the blockchain referred to in this application is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm.
  • blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods, each of which contains a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block.
  • the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, the part that contributes to the existing technology, or all or part of the technical solution can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to the field of artificial intelligence. The present invention relates to a cloud server monitoring method, apparatus and device, and a storage medium. The cloud server monitoring method comprises: detecting whether a cloud server timed monitoring task currently exists; if so, obtaining a corresponding hardware environment monitoring value and/or software environment monitoring value according to a preset hardware trusted integrity verification policy and/or software trusted integrity verification policy, respectively determining whether these values are consistent with a hardware environment reference value and/or a software environment reference value, and if not, determining whether the current cloud server satisfies a preset alarm condition; and if the alarm condition is satisfied, generating a hardware credibility report and/or a software credibility report and sending the report(s) to the corresponding user. This solution allows a user to perform security monitoring of a cloud server, so as to guarantee the security of the data on the cloud server. The present invention further relates to blockchain technology. The hardware environment reference value and/or the software environment reference value may be stored in a blockchain.
PCT/CN2020/122338 2020-06-16 2020-10-21 Cloud server monitoring method, apparatus and device, and storage medium WO2021139308A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010547614.7A CN111737081B (zh) 2020-06-16 2020-06-16 Cloud server monitoring method, apparatus, device and storage medium
CN202010547614.7 2020-06-16

Publications (1)

Publication Number Publication Date
WO2021139308A1 true WO2021139308A1 (fr) 2021-07-15

Family

ID=72649373

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/122338 WO2021139308A1 (fr) 2020-06-16 2020-10-21 Cloud server monitoring method, apparatus and device, and storage medium

Country Status (2)

Country Link
CN (1) CN111737081B (fr)
WO (1) WO2021139308A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389971A (zh) * 2022-03-23 2022-04-22 苏州浪潮智能科技有限公司 Intelligent monitoring fine-adjustment method, apparatus, device and storage medium
CN117539721A (zh) * 2023-11-29 2024-02-09 郑州迪维勒普科技有限公司 Data center visual operation and maintenance management system based on digital twin technology

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111737081B (zh) * 2020-06-16 2022-05-17 平安科技(深圳)有限公司 Cloud server monitoring method, apparatus, device and storage medium
CN115174210B (zh) * 2022-06-30 2024-06-04 珠海奔图电子有限公司 Trusted report generation method and electronic device
CN115883416A (zh) * 2022-11-25 2023-03-31 东信和平科技股份有限公司 Service terminal monitoring method, system and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501303A (zh) * 2013-10-12 2014-01-08 武汉大学 Active remote attestation method for cloud platform virtual machine measurement
US20140298439A1 (en) * 2011-04-18 2014-10-02 Bank Of America Corporation Trusted Hardware for Attesting to Authenticity in a Cloud Environment
CN106656915A (zh) * 2015-10-30 2017-05-10 深圳市中电智慧信息安全技术有限公司 Cloud security server based on trusted computing
CN110197073A (zh) * 2019-05-30 2019-09-03 苏州浪潮智能科技有限公司 Method and system for protecting host integrity based on a self-verification mechanism
CN110515699A (zh) * 2019-08-20 2019-11-29 苏州浪潮智能科技有限公司 Method and device for obtaining the trusted state of the platform hosting a virtual machine
CN111008379A (zh) * 2019-11-22 2020-04-14 腾讯科技(深圳)有限公司 Firmware security detection method for an electronic device and related device
CN111737081A (zh) * 2020-06-16 2020-10-02 平安科技(深圳)有限公司 Cloud server monitoring method, apparatus, device and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101515933A (zh) * 2009-03-16 2009-08-26 中兴通讯股份有限公司 Method and system for detecting software and hardware integrity of a network device
CN103605784A (zh) * 2013-11-29 2014-02-26 北京航空航天大学 Data integrity verification method in a multi-cloud environment
TWI521480B (zh) * 2014-03-28 2016-02-11 D Link Corp Security care system capable of actively detecting the location of a terminal device
CN103905461B (zh) * 2014-04-14 2017-02-01 北京工业大学 Method and system for trusted attestation of cloud service behaviour based on a trusted third party
CN108259422B (zh) * 2016-12-29 2021-07-16 中兴通讯股份有限公司 Multi-tenant access control method and apparatus
CN109144813B (zh) * 2018-07-26 2022-08-05 郑州云海信息技术有限公司 Server node fault monitoring system and method for a cloud computing system
CN109491866A (zh) * 2018-11-09 2019-03-19 郑州云海信息技术有限公司 Method, apparatus, terminal and computer-readable storage medium for monitoring storage hardware

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140298439A1 (en) * 2011-04-18 2014-10-02 Bank Of America Corporation Trusted Hardware for Attesting to Authenticity in a Cloud Environment
CN103501303A (zh) * 2013-10-12 2014-01-08 武汉大学 Active remote attestation method for cloud platform virtual machine measurement
CN106656915A (zh) * 2015-10-30 2017-05-10 深圳市中电智慧信息安全技术有限公司 Cloud security server based on trusted computing
CN110197073A (zh) * 2019-05-30 2019-09-03 苏州浪潮智能科技有限公司 Method and system for protecting host integrity based on a self-verification mechanism
CN110515699A (zh) * 2019-08-20 2019-11-29 苏州浪潮智能科技有限公司 Method and device for obtaining the trusted state of the platform hosting a virtual machine
CN111008379A (zh) * 2019-11-22 2020-04-14 腾讯科技(深圳)有限公司 Firmware security detection method for an electronic device and related device
CN111737081A (zh) * 2020-06-16 2020-10-02 平安科技(深圳)有限公司 Cloud server monitoring method, apparatus, device and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389971A (zh) * 2022-03-23 2022-04-22 苏州浪潮智能科技有限公司 Intelligent monitoring fine-adjustment method, apparatus, device and storage medium
CN114389971B (zh) * 2022-03-23 2022-12-23 苏州浪潮智能科技有限公司 Intelligent monitoring fine-adjustment method, apparatus, device and storage medium
WO2023178923A1 (fr) * 2022-03-23 2023-09-28 苏州浪潮智能科技有限公司 Intelligent monitoring fine-adjustment method and apparatus, device and storage medium
CN117539721A (zh) * 2023-11-29 2024-02-09 郑州迪维勒普科技有限公司 Data center visual operation and maintenance management system based on digital twin technology

Also Published As

Publication number Publication date
CN111737081A (zh) 2020-10-02
CN111737081B (zh) 2022-05-17

Similar Documents

Publication Publication Date Title
WO2021139308A1 (fr) Cloud server monitoring method, apparatus and device, and storage medium
EP3765985B1 (fr) Storage protection by detection of an unrecommended access
US8161285B2 (en) Protocol-Independent remote attestation and sealing
US11645390B2 (en) Cloud-based method to increase integrity of a next generation antivirus (NGAV) security solution in a virtualized computing environment
US8572692B2 (en) Method and system for a platform-based trust verifying service for multi-party verification
US8966642B2 (en) Trust verification of a computing platform using a peripheral device
US11714910B2 (en) Measuring integrity of computing system
JP4843246B2 (ja) Method and system for booting a trusted server having redundant trusted platform modules
TWI791975B (zh) Detecting security threats by monitoring chains of configuration changes made to basic input/output system (BIOS) or unified extensible firmware interface (UEFI) attributes
US9270467B1 (en) Systems and methods for trust propagation of signed files across devices
US10915632B2 (en) Handling of remote attestation and sealing during concurrent update
US10769045B1 (en) Measuring effectiveness of intrusion detection systems using cloned computing resources
US10073980B1 (en) System for assuring security of sensitive data on a host
JP6293133B2 (ja) Network-based management of protected data sets
US20240104213A1 (en) Securing node groups
CN110334515B (zh) Method and apparatus for generating a measurement report based on a trusted computing platform
US10122739B2 (en) Rootkit detection system and method
EP3185166B1 (fr) Method and device for a trust metric
US20230388278A1 (en) Detecting and mitigating forged authentication object attacks in multi - cloud environments with attestation
JP2023500433A (ja) Virtual environment type validation for policy enforcement
US11251976B2 (en) Data security processing method and terminal thereof, and server
KR20210132545A (ko) Anomalous behaviour detection apparatus and method, and system including the same
Shang et al. ICS software trust measurement method based on dynamic length trust chain
Zhao et al. SOMR: Towards a security-oriented MapReduce infrastructure
US11853417B2 (en) Hardware device integrity validation using platform configuration values

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 20911757
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 20911757
Country of ref document: EP
Kind code of ref document: A1