WO2021139308A1 - Cloud server monitoring method, apparatus and device, and storage medium - Google Patents
- Publication number
- WO2021139308A1 (PCT application PCT/CN2020/122338)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- cloud server
- hardware
- software
- reference value
- monitoring
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3037—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a memory, e.g. virtual memory, cache
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/32—Monitoring with visual or acoustical indication of the functioning of the machine
- G06F11/324—Display of status information
- G06F11/327—Alarm or error message display
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
Definitions
- the present invention relates to the field of artificial intelligence logic programming, in particular to a cloud server monitoring method, device, equipment and storage medium.
- cloud servers came into being.
- the cloud service provider that provides the cloud server is responsible for purchasing hardware equipment and providing basic Internet services such as computing, storage and online backup; the user only needs to use the connection interface to perform system deployment, software configuration and maintenance operations on the provider's server, and can even hand over the service entirely to the provider. This reduces the user's online service expenditure and improves service efficiency.
- the inventor realized that because the user semi-hosts the service, or even fully hosts the service with the cloud service provider, the user may not be able to know whether problems such as information leakage or environmental damage occur during the service. For example, when a cloud service provider discovers that a server's hard disk has failed, it replaces the original hard disk with a backup hard disk. If commercial secrets are stored on that hard disk, there is a serious risk of data leakage. Therefore, there is an urgent need for a mechanism to effectively monitor the environmental integrity of cloud servers, so as to reduce the possibility of risk in the process of providing cloud services.
- the main purpose of this application is to solve the problem that users cannot monitor the environmental integrity of the cloud server.
- the first aspect of this application provides a cloud server monitoring method, including:
- the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- a hardware credibility report and/or a software credibility report corresponding to the current cloud server is generated and sent to the corresponding cloud server rental user.
- a second aspect of the present application provides a cloud server monitoring device.
- the cloud server monitoring device includes a memory, a processor, and a cloud server monitoring program that is stored on the memory and can run on the processor.
- the processor implements the following steps when executing the cloud server monitoring program:
- the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- a hardware credibility report and/or a software credibility report corresponding to the current cloud server is generated and sent to the corresponding cloud server rental user.
- a third aspect of the present application provides a computer-readable storage medium that stores computer instructions, and when the computer instructions are executed on a computer, the computer executes the following steps:
- the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- a hardware credibility report and/or a software credibility report corresponding to the current cloud server is generated and sent to the corresponding cloud server rental user.
- the fourth aspect of the present application provides a cloud server monitoring device, including:
- the detection module is used to detect whether there is a scheduled monitoring task of the cloud server currently;
- the verification module is used to trigger the execution of the cloud server hardware trusted integrity check if there is currently a scheduled monitoring task of the cloud server;
- the verification module includes:
- the hardware verification unit is used to perform the cloud server hardware trusted integrity check, which specifically includes: generating the hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the software verification unit is used to perform the cloud server software trusted integrity check, which specifically includes: generating the software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- the standby module is configured to wait to enter the next round of regular monitoring tasks if the hardware environment monitoring value is consistent with the hardware environment reference value, and/or if the software environment monitoring value is consistent with the preset software environment reference value;
- a judgment module configured to judge whether the current cloud server meets preset alarm conditions if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value;
- the alarm module is configured to generate a hardware credibility report and/or software credibility report corresponding to the current cloud server if the alarm condition is met, and send it to the corresponding cloud server rental user.
- in this application it is first detected whether a scheduled monitoring task exists; if it does, a hardware trusted integrity check is performed to determine whether the hardware environment of the current cloud server is complete, and after it passes, a software trusted integrity check is performed to determine whether the software environment of the current cloud server is complete. If both pass, the device waits for the next monitoring round; if either fails, a hardware credibility report and/or a software credibility report is generated and sent to the user. This application can therefore implement scheduled monitoring of the cloud server at the two levels of the hardware environment and the software environment, thereby reducing the risk of data leakage and improving the security of the user's data.
- this solution uses the hardware/software environment
- the environmental reference value is stored in the NV space of the trusted chip or on the blockchain.
- the hardware/software trusted integrity verification strategies provided by this application are freely selectable and updateable.
- it is set to issue a hardware credibility report and/or a software credibility report when the number of untrusted times found by monitoring reaches a certain threshold.
- FIG. 1 is a schematic diagram of a first embodiment of a cloud server monitoring method in an embodiment of this application;
- FIG. 2-1 is a schematic diagram of the hardware/software trusted integrity check policy configuration part in the second embodiment of the cloud server monitoring method in the embodiment of the application;
- FIG. 2-2 is a schematic diagram of monitoring a cloud server in the second embodiment of the cloud server monitoring method in the embodiment of this application;
- FIG. 3 is a schematic diagram of a third embodiment of a cloud server monitoring method in an embodiment of this application.
- FIG. 4 is a schematic diagram of a fourth embodiment of a cloud server monitoring method in an embodiment of this application.
- FIG. 5 is a schematic diagram of a first embodiment of a cloud server monitoring device in an embodiment of this application.
- FIG. 6 is a schematic diagram of a second embodiment of a cloud server monitoring device in an embodiment of this application.
- FIG. 7 is a schematic diagram of an embodiment of a cloud server monitoring device in an embodiment of the application.
- the embodiments of the application provide a cloud server monitoring method, device, equipment, and storage medium.
- the first embodiment of the cloud server monitoring method in the embodiment of the present application includes:
- the execution subject of this application may be a cloud server monitoring device, or may also be a terminal or a server, etc., which is not specifically limited here.
- the embodiment of the present application takes the cloud server monitoring device as the execution subject as an example for description.
- the device is equipped with a cloud server verification strategy preset by the cloud server rental user.
- the verification strategy includes a monitoring cycle, and at every monitoring cycle the device initiates a monitoring task on the cloud server. Therefore, while the device is running, it detects whether there is a scheduled monitoring task of the cloud server.
- the cloud server hardware trusted integrity check includes:
- the hardware environment monitoring value corresponding to the current cloud server is generated, and it is judged whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, the cloud server software trusted integrity check is triggered;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- the hardware trusted integrity check strategy preset by the developer is applied to the device. Before the cloud server is leased, the device first obtains the attribute value of the hardware specified in the hardware trusted integrity check policy. Then, the first measurement algorithm specified in the hardware trusted integrity check strategy is used to calculate the attribute value of the hardware to obtain the hardware environment reference value. In order to protect the reliability of the hardware environment reference value, this solution preferably stores the hardware environment reference value on a trusted security chip or blockchain.
- the first measurement algorithm is used to calculate the attribute value of the hardware corresponding to the current cloud server to obtain the corresponding hardware environment monitoring value, which is compared with the hardware environment reference value.
- if the hardware environment monitoring value is consistent with the hardware environment reference value, this indicates that the hardware environment of the current cloud server is complete, and the cloud server software trusted integrity check is then performed.
- when cloud server leasing users first start using a cloud server, their selected cloud server verification policy configuration parameters are collected, including the software trusted integrity verification policy.
- the strategy includes a second measurement algorithm and a designated software name. In the first run, first obtain the corresponding software file according to the specified software name, and then obtain the corresponding software environment monitoring value through the second measurement algorithm.
- if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value, this means that the current cloud server may be at risk.
- each inconsistency is counted, and when the count reaches the preset threshold, it is determined that the current cloud server meets the preset alarm conditions.
- the preset report template is obtained, and the inconsistent hardware/software environment monitoring values and hardware/software environment reference values are written into the report template to obtain the hardware credibility report and/or software credibility report, which is sent to the corresponding cloud server rental user.
- a monitoring method for a cloud server detects the existence of a scheduled monitoring task, first performs a hardware trusted integrity check, then performs a software trusted integrity check after the first passes, and if both pass, waits for the next round. If either fails, a hardware credibility report and/or a software credibility report is generated and sent to the user. This application can therefore implement scheduled monitoring of the cloud server at the two levels of the hardware environment and the software environment, thereby reducing the risk of data leakage and improving the security of the user's data.
- the second embodiment of the cloud server monitoring method in the embodiment of the present application includes:
- the developer writes the name of the hardware object to be monitored in the hardware trusted integrity check strategy in advance, and stores the hardware trusted integrity check strategy in the device.
- the hardware name includes system boot sector, BIOS firmware, hard disk serial number, and so on.
- the security chip, also known as the trusted platform module, is a device that can independently perform key generation, encryption and decryption. It has an independent processor and storage unit inside that can store keys and characteristic data.
- TPM: Trusted Platform Module
- TCM: Trusted Cryptography Module
- the trusted security module was jointly launched by Great Wall, ZTE and other companies. Because of the encryption measures of the trusted security chip, this solution uses such chips to store the hardware environment reference value and/or the software environment reference value. This solution does not limit the type of trusted chip used; this embodiment uses a TPM chip only as an example to describe the solution.
- the device obtains the hardware credible integrity check strategy preset by the developer.
- the attribute value of the corresponding hardware in the cloud server with the TPM chip is obtained.
- the abbreviation of the hard disk serial number is SN.
- the hard disk manufacturer assigns each hard disk a code to distinguish different hard disk products; the code is unique and immutable. First the /etc/mtab file is read to find the mounted device file, then the ioctl system call is used to obtain the information of the device file. The corresponding attribute value is then extracted from the obtained information, which is the serial number of the hard disk in the current server.
- the attribute values corresponding to hardware such as boot sector, BIOS firmware, etc. can be obtained in a similar manner. Since this technology is very mature, we will not repeat them one by one.
- the measurement algorithm commonly used to measure the hardware information and software information of the server is the hash algorithm.
- the hash algorithms supported by trusted security chips are SHA256, SM3, etc. Since the standard configuration of the TPM is the SHA256 algorithm, this embodiment uses SHA256 as the first measurement algorithm to measure hardware attribute values.
- NV space: non-volatile storage space, i.e. NVRAM
- NVRAM: Non-Volatile Random Access Memory, non-volatile random access memory
- data in NVRAM is not lost easily (it survives power loss).
- NVRAM is used to store the hardware environment reference value and the software environment reference value.
- TPM can maintain a static chain of trust.
- the static chain of trust is used for measurement after the platform is powered on.
- the first one is used to store the BIOS: its attribute value is A and its hash value is B; the second one is used to extend the platform configuration, and its attribute value is B.
- (A+B) is taken as a whole and measured with the first measurement algorithm, and the hash value C is obtained.
- the data stored on the PCR will be stored in the NV space at the same time.
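The static chain of trust described above, as an added example that is not part of the patent: each stage's attribute value A is hashed to B = SHA256(A), the register is then extended with B, and the final register value is compared with the reference kept in NV space. The extend step is modelled with the TPM rule (new register = SHA256(old register || B), starting from an all-zero register), which is assumed here for the (A+B) measurement; the stage names, stage values and event log are constructed for the example.

```python
import hashlib

# Constructed boot-time measurement stages (name, attribute value A); these
# are not real firmware, configuration or boot-sector contents.
BOOT_STAGES = [
    ("bios_firmware", b"BIOS-v1.2.3-constructed"),
    ("platform_config", b"PLATFORM-CONFIG-constructed"),
    ("boot_sector", b"\x55\xaa" + b"\x00" * 14),
]
PCR_SIZE = 32  # SHA256 PCR bank: every register starts as 32 zero bytes


def sha256(data: bytes) -> bytes:
    """First measurement algorithm (SHA256, the TPM standard configuration)."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement_digest: bytes) -> bytes:
    """TPM extend rule: PCR_new = SHA256(PCR_old || digest). A register can only
    be extended, never written directly, so its final value commits to every
    measurement in the chain and to the order in which they were made."""
    return sha256(pcr + measurement_digest)


def static_chain_of_trust(stages):
    """Replay the power-on measurement chain. For each stage the attribute
    value A is hashed to B = SHA256(A), then the register is extended with B.
    Returns the final register value and an event log of (name, B, PCR)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, attribute_value in stages:
        b = sha256(attribute_value)
        pcr = pcr_extend(pcr, b)
        log.append((name, b.hex(), pcr.hex()))
    return pcr, log


def check_against_reference(reference_pcr, reference_log, stages):
    """Compare the current chain with the reference taken before lease (the
    patent keeps it in NV space or on a blockchain). The final register alone
    says whether the platform is complete; the event log says which stage
    first diverged, which is what a credibility report needs to name."""
    current_pcr, current_log = static_chain_of_trust(stages)
    if current_pcr == reference_pcr:
        return {"trusted": True, "first_untrusted_stage": None}
    first = None
    for (ref_name, ref_digest, _), (cur_name, cur_digest, _) in zip(
            reference_log, current_log):
        if ref_name != cur_name or ref_digest != cur_digest:
            first = cur_name
            break
    if first is None and len(current_log) != len(reference_log):
        first = "stage count changed"
    return {"trusted": False, "first_untrusted_stage": first}


if __name__ == "__main__":
    ref_pcr, ref_log = static_chain_of_trust(BOOT_STAGES)
    print(check_against_reference(ref_pcr, ref_log, BOOT_STAGES))
```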
- the hardware environment reference value may also be stored in a node of a blockchain.
- the cloud server verification strategy configuration parameters selected by the server leasing user are obtained, where the cloud server verification strategy configuration parameters include enabling or disabling the software trusted integrity verification strategy, and enabling or disabling the hardware trusted integrity verification strategy;
- the operating system kernel is the first layer of software on the device and is one of the core components of the entire operating system and device. Because the operating system kernel may be attacked by buffer overflows, direct memory access peripheral attacks, etc., the operating system can enter an unexpected state, which makes the entire software environment untrustworthy. Therefore, this solution provides a trusted integrity check strategy that operates at the software level.
- the server can be listed for lease to provide cloud services.
- an option box first pops up so that the user can select the cloud server verification policy configuration parameters.
- the cloud server verification strategy configuration parameters include turning on or off the software trusted integrity verification strategy, and turning on or off the hardware trusted integrity verification strategy.
- the user can also choose whether to perform the hardware trusted integrity check strategy. When some users start to use the service, they may pay more attention to the integrity of the hardware environment before use, so this provides users with more monitoring options.
- specific software trusted integrity check policy configuration parameters then pop up, such as the type of the second measurement algorithm used, which files need to be measured, the monitoring period, and so on.
- the frequently used software files to be measured are the kernel files of the operating system. For example, in ubuntu, the file name of the kernel file is .config.
- the second measurement algorithm is still the SHA256 algorithm. SHA256 is applied to the file found at the obtained file path (String filePath) to obtain the hash value corresponding to ".config", which is the software environment reference value.
- the above-mentioned software environment reference value may also be stored in a node of a blockchain and/or on a blockchain.
- the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- the blockchain referred to in this application is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm.
- a blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods. Each data block contains a batch of network transaction information, used to verify the validity of the information (anti-counterfeiting) and to generate the next block.
- the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
- the hardware environment reference value is obtained according to the preset hardware trusted integrity check strategy, so that the user can perform a complete measurement of the hardware environment before starting to use the cloud server.
- this embodiment also lets the user freely choose whether to enable the hardware trusted integrity check strategy or the software trusted integrity check strategy. If the user chooses to turn on the software trusted integrity verification strategy, the software environment reference value is obtained according to the selected cloud server verification strategy configuration parameters and the monitoring service is started.
- the software environment reference value and hardware environment reference value in this solution are stored in the trusted security chip and on the blockchain; both can thus be better protected, which reduces the risk of tampering and improves the credibility of subsequent verification results.
- the third embodiment of the cloud server monitoring method in the embodiment of the present application includes:
- the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value, this means that the environment may currently have changed. In real applications, however, false alarms are possible. Therefore, for rigor, a threshold on the number of untrusted occurrences can be set when the user selects the cloud server verification policy configuration parameters. Each time an inconsistency occurs, the untrusted count is increased by 1 and accumulates gradually.
- the current untrustworthy times are compared with the preset untrustworthy times threshold, and it is judged whether it reaches the untrustworthy times threshold.
- the developer writes the credible report template into the device in advance.
- the credible report template includes a title, string names (in this embodiment, the hardware environment monitoring value and the hardware environment reference value), the writing rules corresponding to each string name, the judgment result, and so on. If the current cloud server meets the alarm conditions, the trusted report template is obtained.
- the credible alarm report also judges each pair of hardware (software) environment monitoring values and hardware (software) environment reference values. Pairs that are consistent are judged trusted, and pairs that are inconsistent are judged untrusted, so that users can quickly find the hardware or software in question.
- the hardware credibility report and/or the software credibility report are sent to the server rental user.
- an alarm message is also sent to the other party.
- the alarm process in the monitoring process is described and supplemented.
- a threshold of untrustworthy times is set. Only when the untrustworthy times reaches the threshold, an alarm will be issued.
- if there are inconsistent hardware (software) environment monitoring values and hardware (software) environment reference values in the trusted report, then after the trusted report is sent to the user's mailbox, a text message is also sent as a reminder.
- the fourth embodiment of the cloud server monitoring method in the embodiment of the present application includes:
- the cloud server hardware trusted integrity check includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity check strategy, and judging whether the hardware environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the cloud server software trusted integrity check includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity check strategy, and judging whether the software environment monitoring value is consistent with the preset software environment reference value;
- this application also provides a solution for updating the cloud server verification strategy.
- when updated cloud server verification strategy configuration parameters are received, the hardware trusted integrity verification strategy and/or the software trusted integrity verification strategy are updated; the updateable cloud server verification strategy configuration parameters include the measurement algorithm, the name of the software to be measured, the monitoring period, etc.
- the hardware environment reference value and/or the software environment reference value in the NV space also need to be regenerated according to the updated hardware trusted integrity check strategy and/or software trusted integrity check strategy.
- a solution for updating the hardware trusted integrity check strategy and/or the software trusted integrity check strategy is provided.
- the hardware environment reference value and/or the software environment reference value are also updated accordingly.
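The scheduled monitoring round of the first embodiment, the untrusted-count threshold and per-pair judgment of the third embodiment, and the strategy update of the fourth embodiment, as one added example that is not the patent's code: hardware attribute values are measured with the chosen hash algorithm and compared with the reference, the software check runs only after the hardware check passes, inconsistencies accumulate until the threshold triggers a report, and a strategy update regenerates the reference values. The attribute values, file contents, class names and the dict standing in for NV space are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inputs (not real devices or files). In the patent the disk
# serial is read through ioctl and the software file is the kernel file; here
# the attribute values are fixed byte strings.
HARDWARE_ATTRS = {
    "boot_sector": b"\x55\xaa" + b"\x00" * 14,
    "bios_firmware": b"BIOS-v1.2.3-constructed",
    "disk_serial": b"SN-CONSTRUCTED-0001",
}
SOFTWARE_FILES = {".config": b"CONFIG_EXAMPLE=y\nCONFIG_OTHER=n\n"}


def measure(values, algorithm="sha256"):
    """Apply the measurement algorithm (a hash, SHA256 by default) to every
    attribute value; the result is the environment monitoring value."""
    return {name: hashlib.new(algorithm, data).hexdigest()
            for name, data in values.items()}


def make_reference(hw_attrs, sw_files, algorithm="sha256"):
    """Reference values taken before the server is leased. The patent stores
    them in TPM NV space or on a blockchain; a dict stands in for that here."""
    return {"hardware": measure(hw_attrs, algorithm),
            "software": measure(sw_files, algorithm)}


def judge(level, reference, monitored):
    """One report row per string name: trusted only if the pair is consistent."""
    return [{"level": level, "name": name, "reference": ref,
             "monitored": monitored.get(name),
             "verdict": "trusted" if monitored.get(name) == ref else "untrusted"}
            for name, ref in reference.items()]


@dataclass
class Policy:
    """Cloud server verification strategy configuration parameters."""
    hw_enabled: bool = True
    sw_enabled: bool = True
    algorithm: str = "sha256"       # measurement algorithm
    untrusted_threshold: int = 3    # alarm only once this many rounds failed


class Monitor:
    def __init__(self, policy, reference):
        self.policy = policy
        self.reference = reference
        self.untrusted_count = 0

    def run_round(self, hw_attrs, sw_files):
        """One scheduled monitoring round. Returns (status, report) where
        status is 'trusted', 'untrusted' (below threshold) or 'alarm', and
        report is filled only when the alarm condition is met."""
        rows = []
        hw_ok = True
        if self.policy.hw_enabled:
            rows += judge("hardware", self.reference["hardware"],
                          measure(hw_attrs, self.policy.algorithm))
            hw_ok = all(r["verdict"] == "trusted" for r in rows)
        # The software check is triggered only after the hardware check passed.
        if hw_ok and self.policy.sw_enabled:
            rows += judge("software", self.reference["software"],
                          measure(sw_files, self.policy.algorithm))
        if all(r["verdict"] == "trusted" for r in rows):
            return "trusted", None          # wait for the next round
        self.untrusted_count += 1           # accumulates across rounds
        if self.untrusted_count < self.policy.untrusted_threshold:
            return "untrusted", None        # possible false alarm: no report yet
        return "alarm", build_report(rows)

    def update_policy(self, policy, hw_attrs, sw_files):
        """Strategy update: the reference values must be regenerated under
        the new strategy (for example a different measurement algorithm)."""
        self.policy = policy
        self.reference = make_reference(hw_attrs, sw_files, policy.algorithm)


def build_report(rows):
    """Fill the credibility report template: title, each string name with
    its reference and monitored value, and the per-pair judgment. The
    untrusted levels say whether a hardware and/or software report is due."""
    levels = sorted({r["level"] for r in rows if r["verdict"] == "untrusted"})
    return {"title": "Cloud server credibility report",
            "untrusted_levels": levels,
            "entries": rows}
```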
- the cloud server monitoring method in the embodiment of the present application is described above, and the cloud server monitoring device in the embodiment of the present application is described below.
- the first embodiment of the cloud server monitoring device in the embodiment of the present application includes:
- the detection module 501 is used to detect whether there is currently a scheduled monitoring task of the cloud server;
- the verification module 502 is configured to trigger the execution of the cloud server hardware trusted integrity check and/or the cloud server software trusted integrity check if there is currently a scheduled monitoring task of the cloud server;
- the verification module 502 includes:
- the hardware verification unit 5021 is configured to perform cloud server hardware trusted integrity verification, which specifically includes: generating a hardware environment monitoring value corresponding to the current cloud server according to a preset hardware trusted integrity verification strategy, and judging the hardware Whether the environment monitoring value is consistent with the preset hardware environment reference value; if the hardware environment monitoring value is consistent with the hardware environment reference value, triggering the execution of the cloud server software trusted integrity check;
- the software verification unit 5022 is used to perform cloud server software trusted integrity verification, which specifically includes: generating a software environment monitoring value corresponding to the current cloud server according to a preset software trusted integrity verification strategy, and judging the software Whether the environmental monitoring value is consistent with the preset software environmental reference value;
- the standby module 503 is configured to wait for the next round of regular monitoring tasks if the hardware environment monitoring value is consistent with the hardware environment reference value, and/or if the software environment monitoring value is consistent with the preset software environment reference value ;
- the judgment module 504 is configured to judge whether the current cloud server meets preset alarm conditions if the hardware environment monitoring value is inconsistent with the hardware environment reference value, or the software environment monitoring value is inconsistent with the software environment reference value;
- the alarm module 505 is configured to generate a hardware credibility report and/or a software credibility report corresponding to the current cloud server if the alarm condition is met, and send it to the corresponding cloud server rental user.
- in summary, the cloud server monitoring method detects whether a timed monitoring task exists, first performs the hardware trusted integrity check, performs the software trusted integrity check once the hardware check has passed, and, if both pass, waits for the next round. If a check fails and the alarm condition is met, a hardware trust report and/or a software trust report is generated and sent to the user. The cloud server is thus monitored on a schedule at both the hardware level and the software level, which reduces the risk of data leakage and improves the security of the user's data.
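The monitoring round performed by modules 501 to 505, as an added example in Python; it is not code from the patent or from the applicant. The patent only says that a first measurement algorithm is applied to hardware attribute values and a second one to software files and that the results are compared with stored reference values. The hardware attribute values, the file contents, the policy field names, and the way the measurement is built (one digest over the attributes in sorted order; one digest over per-file digests bound to their paths) are all assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs standing in for what a monitoring agent would read
# from the machine: hardware attribute values and the bytes of the monitored
# software files. None of these values come from the patent.
HARDWARE_ATTRIBUTES = {
    "cpu_model": "ExampleCPU-01",
    "bios_version": "1.2.3",
    "board_serial": "SN-CONSTRUCTED-0001",
}
SOFTWARE_FILES = {
    "/usr/sbin/sshd": b"constructed sshd binary bytes",
    "/usr/bin/monitor-agent": b"constructed agent binary bytes",
}


@dataclass(frozen=True)
class CheckPolicy:
    """Verification strategy configuration parameters (hypothetical field names):
    the two measurement algorithms, the files to measure, per-level enable flags."""
    hardware_algorithm: str = "sha256"   # the patent's "first metric algorithm"
    software_algorithm: str = "sha256"   # the patent's "second measurement algorithm"
    monitored_files: tuple = ("/usr/sbin/sshd", "/usr/bin/monitor-agent")
    hardware_enabled: bool = True
    software_enabled: bool = True


def measure_hardware(attributes, policy):
    """Hardware environment value: one digest over the attributes in a fixed
    (sorted) order, so the same machine always yields the same value."""
    h = hashlib.new(policy.hardware_algorithm)
    for name in sorted(attributes):
        h.update(f"{name}={attributes[name]}\n".encode())
    return h.hexdigest()


def measure_software(files, policy):
    """Software environment value: a digest over the per-file digests of the
    monitored files, each bound to its path. A missing file is measured as
    empty, so deleting or renaming a monitored file changes the value too."""
    h = hashlib.new(policy.software_algorithm)
    for path in policy.monitored_files:
        file_digest = hashlib.new(policy.software_algorithm, files.get(path, b"")).digest()
        h.update(path.encode() + b"\0" + file_digest)
    return h.hexdigest()


def make_references(attributes, files, policy):
    """Measurement modules 506/507: the reference values taken when the policy
    is configured (to be kept in the trusted chip NV space / blockchain)."""
    return {
        "hardware": measure_hardware(attributes, policy),
        "software": measure_software(files, policy),
    }


def run_monitoring_round(policy, references, attributes, files):
    """One timed monitoring task. The hardware check runs first; the software
    check runs only if the hardware level passed (or is disabled). Returns
    (consistent, report): report is None when everything matches, otherwise it
    names the failing level with the expected and observed values."""
    if policy.hardware_enabled:
        observed = measure_hardware(attributes, policy)
        if not hmac.compare_digest(observed, references["hardware"]):
            return False, {"level": "hardware",
                           "expected": references["hardware"], "observed": observed}
    if policy.software_enabled:
        observed = measure_software(files, policy)
        if not hmac.compare_digest(observed, references["software"]):
            return False, {"level": "software",
                           "expected": references["software"], "observed": observed}
    return True, None


if __name__ == "__main__":
    policy = CheckPolicy()
    refs = make_references(HARDWARE_ATTRIBUTES, SOFTWARE_FILES, policy)
    print(run_monitoring_round(policy, refs, HARDWARE_ATTRIBUTES, SOFTWARE_FILES))
    tampered = {**SOFTWARE_FILES, "/usr/sbin/sshd": b"constructed backdoored sshd"}
    print(run_monitoring_round(policy, refs, HARDWARE_ATTRIBUTES, tampered))
```

Because the hardware check gates the software check, a round in which both levels have drifted reports only the hardware level; the software mismatch is only seen once the hardware baseline has been restored or re-provisioned.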
- the second embodiment of the cloud server monitoring device in the embodiment of the present application includes the detection module 501, the verification module 502 (with its hardware verification unit 5021 and software verification unit 5022), the standby module 503, the judgment module 504 and the alarm module 505, configured exactly as in the first embodiment above, and additionally includes the following:
- a hardware measurement module 506 precedes the detection module 501; the hardware environment reference value is stored in the blockchain and/or in the NV (non-volatile) space of a preset trusted security chip, and the hardware measurement module 506 is specifically configured to: compute, with the first metric algorithm specified in the hardware trusted integrity check policy, a measurement over the attribute values of the hardware, and take the result as the hardware environment reference value of that hardware.
- the hardware measurement module 506 is further connected to a software measurement module 507; the software environment reference value is likewise stored in the blockchain and/or in the NV space of the preset trusted security chip, and the software measurement module 507 is specifically configured to: compute, with the second measurement algorithm specified in the software trusted integrity verification strategy, a measurement over the software files, and take the result as the software environment reference value.
- the cloud server verification policy configuration parameters further include enabling or disabling the hardware trusted integrity verification policy.
- the judgment module 504 is specifically configured to:
- the alarm module 505 is specifically configured to: send the alarm report to the corresponding server rental user and send a preset alarm short message (SMS) to that server rental user.
- the cloud server monitoring device further includes an update module 508, specifically configured to: update the hardware trusted integrity verification strategy and/or the software trusted integrity verification strategy according to the updated cloud server verification strategy configuration parameters, generate the corresponding hardware update value and/or software update value, and replace the hardware environment reference value and/or the software environment reference value with those update values respectively.
- this embodiment also lets the user freely choose whether to enable the hardware trusted integrity check strategy and/or the software trusted integrity check strategy. If the user enables the software trusted integrity check strategy, the software environment reference value is obtained according to the cloud server verification strategy configuration parameters the user selected, and the monitoring service is started.
- the software environment reference value and the hardware environment reference value are stored both in the trusted security chip and in the blockchain, where they are better protected; this reduces the risk of the reference values being tampered with and improves the credibility of later verification results.
- a threshold for the number of unreliable (inconsistent) check results is set; an alarm is raised only when that number reaches the threshold, so a single inconsistent round does not by itself produce an alarm (the trade-off is that an inconsistency is tolerated, unreported, until the threshold is reached).
- in summary, a solution for updating the hardware trusted integrity check strategy and/or the software trusted integrity check strategy is provided.
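The additions of the second embodiment, namely the reference value kept in two places (trusted chip NV space and blockchain), the judgment module's failure threshold, and the update module that re-measures under a new strategy and replaces the stored reference, as an added example in Python; it is not code from the patent or from the applicant. The NV space and the blockchain are modelled as in-memory structures, only the software level is shown, and the following are assumptions made for the example rather than statements of the patent: that the threshold counts consecutive inconsistent rounds and resets on a consistent one, that the two stored copies are cross-checked before one is used as the baseline, and all class, field and file names.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckPolicy:
    """Updatable verification strategy parameters (hypothetical names for the
    ones the text lists: measurement algorithm, names of the software being
    measured, monitoring period) plus the alarm threshold."""
    algorithm: str = "sha256"
    monitored_files: tuple = ("/usr/sbin/sshd",)
    period_seconds: int = 300          # used by the scheduler, not by the check itself
    failure_threshold: int = 3


def measure_software(files, policy):
    """Software environment value under the given policy: a digest over the
    per-file digests of the monitored files, bound to their paths."""
    h = hashlib.new(policy.algorithm)
    for path in policy.monitored_files:
        h.update(path.encode() + b"\0" + hashlib.new(policy.algorithm, files.get(path, b"")).digest())
    return h.hexdigest()


class ReferenceStore:
    """Reference value held in two places: a dict standing in for the trusted
    chip's NV space and an append-only, hash-linked list standing in for the
    blockchain. read() verifies the chain and cross-checks the two copies, so
    a value altered in one place only is rejected instead of used as baseline."""

    def __init__(self):
        self.nv = {}
        self.chain = []

    def write(self, kind, value):
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        record = {"kind": kind, "value": value, "prev": prev}
        record["hash"] = hashlib.sha256(f"{kind}|{value}|{prev}".encode()).hexdigest()
        self.chain.append(record)
        self.nv[kind] = value

    def _chain_intact(self):
        prev = "0" * 64
        for r in self.chain:
            expected = hashlib.sha256(f"{r['kind']}|{r['value']}|{prev}".encode()).hexdigest()
            if r["prev"] != prev or r["hash"] != expected:
                return False
            prev = r["hash"]
        return True

    def read(self, kind):
        if not self._chain_intact():
            raise ValueError("reference chain has been modified")
        latest = next(r["value"] for r in reversed(self.chain) if r["kind"] == kind)
        if self.nv.get(kind) != latest:
            raise ValueError(f"NV copy of the {kind} reference disagrees with the chain")
        return latest


class JudgmentModule:
    """Module 504: the alarm condition is met when the number of inconsistent
    rounds reaches the threshold. Assumed here: consecutive rounds, reset on a
    consistent one (the text does not say consecutive or cumulative)."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.unreliable_count = 0

    def judge(self, consistent):
        """Return True when the alarm condition is met for this round."""
        if consistent:
            self.unreliable_count = 0
            return False
        self.unreliable_count += 1
        return self.unreliable_count >= self.threshold


class UpdateModule:
    """Module 508: apply new configuration parameters, re-measure under the new
    strategy and replace the stored reference (both copies) with the update value."""

    def __init__(self, store, judgment):
        self.store, self.judgment = store, judgment

    def update(self, new_policy, files):
        update_value = measure_software(files, new_policy)
        self.store.write("software", update_value)
        self.judgment.threshold = new_policy.failure_threshold
        self.judgment.unreliable_count = 0
        return update_value


def monitor(policy, store, judgment, rounds):
    """Run the check and the judgment over a sequence of observed file sets
    (constructed snapshots, one per monitoring period). Returns the round
    numbers, starting at 1, at which an alarm would be raised."""
    alarms = []
    for i, files in enumerate(rounds, start=1):
        consistent = hmac.compare_digest(measure_software(files, policy), store.read("software"))
        if judgment.judge(consistent):
            alarms.append(i)
    return alarms
```

Changing the algorithm or the monitored file list without re-measuring would make every subsequent round inconsistent, which is why the update module writes the new reference and resets the counter in the same step.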
- FIGS. 5 and 6 above describe the cloud server monitoring device in the embodiment of the present application in detail from the perspective of modular functional entities; the following describes the cloud server monitoring device in the embodiment of the present application in detail from the perspective of hardware processing.
- FIG. 7 is a schematic structural diagram of a cloud server monitoring device provided by an embodiment of the present application.
- the cloud server monitoring device 700 may vary considerably in configuration and performance. It may include one or more processors (central processing units, CPU) 710, a memory 720, and one or more storage media 730 (for example, one or more storage devices); the memory 720 and the storage medium 730 may be short-term storage or persistent storage.
- the program stored in the storage medium 730 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the cloud server monitoring device 700.
- the processor 710 may be configured to communicate with the storage medium 730 and to execute the series of instruction operations in the storage medium 730 on the cloud server monitoring device 700.
- the cloud server monitoring device 700 may also include one or more power supplies 730, one or more wired or wireless network interfaces 750, one or more input/output interfaces 760, and/or one or more operating systems 731, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
- the structure shown in FIG. 7 does not limit the cloud server monitoring device, which may include more or fewer components than shown, a combination of certain components, or a different arrangement of components.
- the computer-readable storage medium may be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium.
- the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to execute the steps of the cloud server monitoring method.
- the computer-readable storage medium may mainly include a program storage area and a data storage area: the program storage area may store an operating system, an application program required by at least one function, and so on; the data storage area may store data created during the use of the nodes, and so on.
- the blockchain referred to in this application is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms.
- a blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods, each containing a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block.
- the blockchain may include the underlying blockchain platform, the platform product service layer and the application service layer.
- if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
- on this understanding, the technical solution of the present application, in essence or in the part that contributes to the existing technology, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage media include: USB flash drives (U disks), removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The present invention relates to the field of artificial intelligence. The present invention relates to a cloud server monitoring method, apparatus and device, and a storage medium. The cloud server monitoring method comprises: detecting whether a cloud server timed monitoring task currently exists; if so, obtaining a corresponding hardware environment monitoring value and/or software environment monitoring value according to a preset hardware trusted integrity verification policy and/or software trusted integrity verification policy, determining respectively whether these values are consistent with a hardware environment reference value and/or a software environment reference value, and if not, determining whether the current cloud server meets a preset alarm condition; and, if the alarm condition is met, generating a hardware trust report and/or a software trust report and sending the report(s) to the corresponding user. This solution allows a user to carry out security monitoring of a cloud server so as to guarantee the security of the data on the cloud server. The present invention further relates to blockchain technology. The hardware environment reference value and/or the software environment reference value may be stored in a blockchain.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010547614.7A CN111737081B (zh) | 2020-06-16 | 2020-06-16 | 云服务器监控方法、装置、设备及存储介质 |
CN202010547614.7 | 2020-06-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021139308A1 (fr) | 2021-07-15 |
Family
ID=72649373
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/122338 WO2021139308A1 (fr) | 2020-06-16 | 2020-10-21 | Procédé, appareil et dispositif de surveillance de serveur en nuage et support de stockage |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111737081B (fr) |
WO (1) | WO2021139308A1 (fr) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111737081B (zh) * | 2020-06-16 | 2022-05-17 | 平安科技(深圳)有限公司 | 云服务器监控方法、装置、设备及存储介质 |
CN115174210B (zh) * | 2022-06-30 | 2024-06-04 | 珠海奔图电子有限公司 | 可信报告生成方法和电子设备 |
CN115883416A (zh) * | 2022-11-25 | 2023-03-31 | 东信和平科技股份有限公司 | 服务终端监控方法、系统及可读存储介质 |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103501303A (zh) * | 2013-10-12 | 2014-01-08 | 武汉大学 | 一种针对云平台虚拟机度量的主动远程证明方法 |
US20140298439A1 (en) * | 2011-04-18 | 2014-10-02 | Bank Of America Corporation | Trusted Hardware for Attesting to Authenticity in a Cloud Environment |
CN106656915A (zh) * | 2015-10-30 | 2017-05-10 | 深圳市中电智慧信息安全技术有限公司 | 基于可信计算的云安全服务器 |
CN110197073A (zh) * | 2019-05-30 | 2019-09-03 | 苏州浪潮智能科技有限公司 | 一种基于自校验机制保护主机完整性的方法与系统 |
CN110515699A (zh) * | 2019-08-20 | 2019-11-29 | 苏州浪潮智能科技有限公司 | 一种获取虚拟机所在平台可信状态的方法和设备 |
CN111008379A (zh) * | 2019-11-22 | 2020-04-14 | 腾讯科技(深圳)有限公司 | 电子设备的固件安全检测方法及相关设备 |
CN111737081A (zh) * | 2020-06-16 | 2020-10-02 | 平安科技(深圳)有限公司 | 云服务器监控方法、装置、设备及存储介质 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101515933A (zh) * | 2009-03-16 | 2009-08-26 | 中兴通讯股份有限公司 | 一种网络设备的软硬件完整性检测方法及系统 |
CN103605784A (zh) * | 2013-11-29 | 2014-02-26 | 北京航空航天大学 | 一种多重云环境下数据完整性验证方法 |
TWI521480B (zh) * | 2014-03-28 | 2016-02-11 | D Link Corp | 能主動偵測終端裝置所在位置之安全看護系統 |
CN103905461B (zh) * | 2014-04-14 | 2017-02-01 | 北京工业大学 | 一种基于可信第三方的云服务行为可信证明方法和系统 |
CN108259422B (zh) * | 2016-12-29 | 2021-07-16 | 中兴通讯股份有限公司 | 一种多租户访问控制方法和装置 |
CN109144813B (zh) * | 2018-07-26 | 2022-08-05 | 郑州云海信息技术有限公司 | 一种云计算系统服务器节点故障监控系统及方法 |
CN109491866A (zh) * | 2018-11-09 | 2019-03-19 | 郑州云海信息技术有限公司 | 监控存储硬件的方法、装置、终端及计算机可读存储介质 |
- 2020-06-16 CN CN202010547614.7A patent/CN111737081B/zh active Active
- 2020-10-21 WO PCT/CN2020/122338 patent/WO2021139308A1/fr active Application Filing
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114389971A (zh) * | 2022-03-23 | 2022-04-22 | 苏州浪潮智能科技有限公司 | 一种智能监控微调整方法、装置、设备及存储介质 |
CN114389971B (zh) * | 2022-03-23 | 2022-12-23 | 苏州浪潮智能科技有限公司 | 一种智能监控微调整方法、装置、设备及存储介质 |
WO2023178923A1 (fr) * | 2022-03-23 | 2023-09-28 | 苏州浪潮智能科技有限公司 | Procédé et appareil de micro-réglage intelligent de surveillance, dispositif et support de stockage |
CN117539721A (zh) * | 2023-11-29 | 2024-02-09 | 郑州迪维勒普科技有限公司 | 基于数字孪生技术的数据中心可视化运维管理系统 |
Also Published As
Publication number | Publication date |
---|---|
CN111737081A (zh) | 2020-10-02 |
CN111737081B (zh) | 2022-05-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021139308A1 (fr) | Procédé, appareil et dispositif de surveillance de serveur en nuage et support de stockage | |
EP3765985B1 (fr) | Protection de stockage par détection d'un accès non recommandé | |
US8161285B2 (en) | Protocol-Independent remote attestation and sealing | |
US11645390B2 (en) | Cloud-based method to increase integrity of a next generation antivirus (NGAV) security solution in a virtualized computing environment | |
US8572692B2 (en) | Method and system for a platform-based trust verifying service for multi-party verification | |
US8966642B2 (en) | Trust verification of a computing platform using a peripheral device | |
US11714910B2 (en) | Measuring integrity of computing system | |
JP4843246B2 (ja) | 冗長な信頼されるプラットフォーム・モジュールを有する信頼されるサーバをブートするための方法およびシステム | |
TWI791975B (zh) | 藉由監測對基本輸入/輸出系統(bios)或統一可延伸韌體介面(uefi)屬性進行之組態改變之鏈來偵測安全威脅 | |
US9270467B1 (en) | Systems and methods for trust propagation of signed files across devices | |
US10915632B2 (en) | Handling of remote attestation and sealing during concurrent update | |
US10769045B1 (en) | Measuring effectiveness of intrusion detection systems using cloned computing resources | |
US10073980B1 (en) | System for assuring security of sensitive data on a host | |
JP6293133B2 (ja) | 被保護データー集合のネットワーク・ベース管理 | |
US20240104213A1 (en) | Securing node groups | |
CN110334515B (zh) | 一种基于可信计算平台生成度量报告的方法及装置 | |
US10122739B2 (en) | Rootkit detection system and method | |
EP3185166B1 (fr) | Procédé et dispositif pour métrique de confiance | |
US20230388278A1 (en) | Detecting and mitigating forged authentication object attacks in multi - cloud environments with attestation | |
JP2023500433A (ja) | ポリシ強制のための仮想環境タイプ検証 | |
US11251976B2 (en) | Data security processing method and terminal thereof, and server | |
KR20210132545A (ko) | 이상행위 탐지 장치, 방법 및 이를 포함하는 시스템 | |
Shang et al. | ICS software trust measurement method based on dynamic length trust chain | |
Zhao et al. | SOMR: Towards a security-oriented MapReduce infrastructure | |
US11853417B2 (en) | Hardware device integrity validation using platform configuration values |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20911757; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20911757; Country of ref document: EP; Kind code of ref document: A1 |