WO2023160010A1 - Security detection method and apparatus, electronic device and storage medium - Google Patents

Security detection method and apparatus, electronic device and storage medium

Info

Publication number: WO2023160010A1
Application number: PCT/CN2022/130436
Authority: WO (WIPO, PCT)
Prior art keywords: security, detection, container, data, detected
Other languages: French (fr), Chinese (zh)
Inventor: 刘小辉
Original assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2023160010A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud
    • H04W 12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]

Definitions

  • In one embodiment, a security container is pre-created on a lightweight platform deployed on the operating system kernel of the 5G access network system. Before the system is put into use, or while it is in use, the operating status data of the 5G access network system is obtained and fed into the security container, which performs security detection on the system; if a security problem is detected, an alarm is reported to the operation and maintenance or management personnel, or the detected problems are displayed directly on the detection result interface.
  • The security risk detection process is thus handled by the automated security container inside the system, without external detection means: the coverage of security detection is improved, its complexity and possible repetition are reduced, and endogenous security of the system is achieved.
  • Fig. 1 is a flow chart of the security detection method in the embodiment of the present application.
  • Fig. 2 is a schematic structural diagram of a security detection device in another embodiment of the present application.
  • Fig. 3 is a schematic structural diagram of an electronic device in another embodiment of the present application.
  • A first aspect of the embodiment of the present application provides a security detection method; its specific flow is shown in Figure 1.
  • The security detection method is applied to the baseband processing unit in the 5G access network system, or to a terminal device capable of data transmission with the baseband processing unit. The terminal device has communication, data storage and processing capabilities. This embodiment takes the baseband processing unit as the example.
  • The security detection method includes the following steps:
  • Step 101: acquire the operating status data of the system.
  • The baseband processing unit (Building Base band Unit, BBU) interacts with the operating system kernel, with each hardware resource in the lightweight service platform, and with the business containers (microservice applications) carrying the different services; it collects their current operating or usage data and thereby obtains the operating status data of the 5G access network system.
  • In one embodiment, the baseband processing unit acquires the operating status data periodically, at a preset time interval: it collects the running status data of the 5G access network system at regular intervals set by the administrator's instructions or preset by the operation and maintenance personnel, and uses the data obtained for the subsequent security detection of the system. Periodic acquisition of status data and security risk detection allow the security problems present in the system to be found and handled promptly, improving security during system operation.
  • Step 102: input the operating status data into the pre-created security container and perform security detection on the system through the security container; the security container is established in a lightweight platform deployed on the operating system kernel.
  • After the baseband processing unit has obtained the operating status data of the 5G access network system through data interaction, it transmits the data to the security container pre-created on the lightweight platform, and the security container carries out the security detection of the 5G access network system according to that data.
  • The security problems that may exist in the system include one or any combination of the following: operating system kernel exceptions, external intrusion exceptions, and business container exceptions. This embodiment lists only several common security issues of the 5G access network system; other, less common issues can also be detected in actual use.
  • When the security problem includes an operating system kernel exception, the baseband processing unit performs security detection through the security container by obtaining, from the configuration data, the configuration items in the configuration files of each public component in the system; when a public component is found whose configuration items do not meet the preset security criteria, the system is determined to have an operating system kernel exception.
  • The security container is created in advance on the lightweight platform: following the control instructions of the platform's container management process, the baseband processing unit fetches and reserves the corresponding resources (communication ports, storage addresses, computing resources and so on) and completes the creation of the container.
  • The security container checks the configuration compliance of each public component in the 5G access network system using the configuration data in the operating status data, detecting whether every configuration item in the components' configuration files conforms to the industry's general security guidelines.
  • The configuration data in the operating status data is obtained by the baseband processing unit by scanning the configuration of the operating system kernel at operating system level. Judging from whether the configuration items in the public components' configuration files are legal, it can accurately and efficiently detect whether an operating system kernel exception exists in the system, and improves the ability to detect and identify kernel abnormalities.
  • The kernel security detection performed through the security container may be carried out directly by the local shell program of the Linux operating system pre-deployed in the security container, or by other means; this embodiment does not limit it.
  • When the security problem includes an external intrusion exception, the baseband processing unit performs security detection through the security container by obtaining the resource occupancy of each hardware resource from the resource call information in the operating status data; when a hardware resource whose occupancy exceeds the preset threshold is detected, the system is determined to have an external intrusion exception.
  • Specifically, the baseband processing unit analyses the resource invocation information in the operating status data through the security container and obtains the occupancy of each hardware resource in the 5G access network system, for example the usage of the processing capacity of the central processing unit (CPU) or of the storage space of the memory.
  • The resource invocation information of the hardware resources may be obtained through interaction between the baseband processing unit and the resource management process of the lightweight platform, or by direct detection of hardware resource occupancy by invocation detection software.
  • The preset occupancy threshold may be set individually for each hardware resource, or a uniform occupancy ratio threshold may be set for all of them. How it is set depends on the size of the hardware resource and the specific needs of the business it must carry; this embodiment does not limit the specific threshold of each hardware resource.
  • Firewall policies can also be pre-deployed in the security container. Once the security container is created, the firewall policy can be activated directly to monitor the external ports and port service status of the 5G access network system in real time: when an abnormal request is detected it is intercepted directly, or, when an external intrusion exception is detected in the system, the external port of the abnormal resource is blocked so that the intrusion cannot damage the system further. This embodiment does not limit the firewall policy deployed in the security container.
  • When the security problem includes a business container exception, the baseband processing unit performs security detection through the security container by running operation detection on each business container according to that container's operation data in the operating status data; when a business container is found to be running abnormally, the system is determined to have a business container exception. Through this application-level security review of every microservice application running in the system, abnormally running business containers can be identified accurately, duplicated security detection is avoided, and detection coverage is improved.
  • The operation detection of each business container by the baseband processing unit through the security container includes one or any combination of the following: file permission detection, running user identity detection, access control detection, patch update detection, and daemon process detection.
  • File permission detection checks whether any file in a business container has 777 permissions and whether any file's permissions are inconsistent with its responsibilities; running user identity detection checks whether the business container runs under the host identity or a user identity; access control detection checks the container's access control rules; patch update detection checks whether the service components in the business container have applied patches for disclosed vulnerabilities; daemon process detection checks whether the container daemon process and its configuration items meet the specification requirements.
  • If one or more of these detection results is abnormal, the business container is determined to have an abnormal operation problem, and hence the system is determined to have a business container exception. This multi-dimensional operation detection identifies abnormally running business containers comprehensively and accurately and improves the effectiveness of security detection.
  • In one embodiment, the baseband processing unit performs security detection through the security container by analysing the security log of the system according to the security log data in the operating status data; when abnormal data is detected in the security log data, the system is determined to have a security problem.
  • Key events of the 5G access network system are recorded automatically in the system in the form of a security log, which is convenient for auditing and backtracking. When the system is checked through the security container, the security log data in the operating status data can be analysed directly by the container and the abnormal data reported in the log detected; if such abnormal data exists, the system is determined to have a security problem.
  • The security log data may be obtained through interaction between the baseband processing unit and the log storage container in the system.
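  The detection pass of step 102, as an added worked example that is not code from the patent or its assignee: one snapshot of constructed operating-status data is checked for the three exception classes the text names (kernel configuration against preset criteria, hardware resource occupancy against per-resource or uniform thresholds, multi-dimensional business container operation) and the security log is scanned for abnormal entries. The baseline keys, threshold values, anomaly markers and sample data are assumptions standing in for the real BBU data and preset criteria, which the text does not specify.

```python
"""Toy security-container detection pass (added example, not the patent's code).
Baseline values, thresholds, log markers and the sample snapshot are assumed."""
from dataclasses import dataclass

# Preset security criteria for public-component configuration items (assumed).
KERNEL_BASELINE = {
    "net.ipv4.ip_forward": "0",
    "kernel.randomize_va_space": "2",
    "fs.protected_symlinks": "1",
}
# Per-resource occupancy thresholds plus a uniform default for unlisted
# resources: the two setting styles the text allows (values assumed).
RESOURCE_THRESHOLDS = {"cpu": 0.90, "memory": 0.85}
DEFAULT_THRESHOLD = 0.80
# Substrings treated as abnormal security-log entries (assumed).
LOG_ANOMALY_MARKERS = ("authentication failure", "segfault", "permission denied")


@dataclass
class Alarm:
    category: str  # "kernel", "intrusion", "container" or "log"
    detail: str


def check_kernel_config(config_items: dict) -> list:
    """Kernel exception: configuration items that deviate from the baseline."""
    return [Alarm("kernel", f"{key}={config_items.get(key)!r}, expected {exp!r}")
            for key, exp in KERNEL_BASELINE.items() if config_items.get(key) != exp]


def check_resource_occupancy(usage: dict) -> list:
    """Intrusion exception: resources whose occupancy ratio exceeds its threshold."""
    alarms = []
    for resource, ratio in usage.items():
        limit = RESOURCE_THRESHOLDS.get(resource, DEFAULT_THRESHOLD)
        if ratio > limit:
            alarms.append(Alarm("intrusion", f"{resource} at {ratio:.0%} > {limit:.0%}"))
    return alarms


def check_business_container(container: dict) -> list:
    """Container exception: the multi-dimensional operation checks of the text."""
    alarms, name = [], container["name"]
    for path, mode in container["files"].items():        # file permission detection
        if (mode & 0o777) == 0o777:
            alarms.append(Alarm("container", f"{name}: {path} has mode 777"))
    if container["run_user"] == "root":                  # running user identity detection
        alarms.append(Alarm("container", f"{name}: runs under the host identity"))
    for comp in container["unpatched_components"]:       # patch update detection
        alarms.append(Alarm("container", f"{name}: {comp} missing published patch"))
    if container["daemon_config"].get("privileged"):     # daemon process detection
        alarms.append(Alarm("container", f"{name}: daemon configured privileged"))
    return alarms


def check_security_log(lines: list) -> list:
    """Security-log analysis: entries carrying an abnormal-event marker."""
    return [Alarm("log", line) for line in lines
            if any(m in line.lower() for m in LOG_ANOMALY_MARKERS)]


def run_detection(status: dict) -> list:
    """One detection pass over a snapshot of operating-status data."""
    alarms = check_kernel_config(status["kernel_config"])
    alarms += check_resource_occupancy(status["resource_usage"])
    for c in status["containers"]:
        alarms += check_business_container(c)
    alarms += check_security_log(status["security_log"])
    return alarms


# Constructed sample snapshot; not real BBU data.
SAMPLE_STATUS = {
    "kernel_config": {"net.ipv4.ip_forward": "1",
                      "kernel.randomize_va_space": "2",
                      "fs.protected_symlinks": "1"},
    "resource_usage": {"cpu": 0.97, "memory": 0.40, "disk": 0.50},
    "containers": [
        {"name": "svc-a", "run_user": "svc", "files": {"/app/bin": 0o755},
         "unpatched_components": [], "daemon_config": {"privileged": False}},
        {"name": "svc-b", "run_user": "root", "files": {"/tmp/x": 0o777},
         "unpatched_components": ["openssl"], "daemon_config": {"privileged": True}},
    ],
    "security_log": [
        "Nov 01 10:00:01 bbu sshd: Accepted publickey for svc",
        "Nov 01 10:00:07 bbu sshd: authentication failure for root",
    ],
}

if __name__ == "__main__":
    for a in run_detection(SAMPLE_STATUS):   # step 103 would report these alarms
        print(f"[{a.category}] {a.detail}")
```

  On the sample snapshot the pass raises seven alarms: one kernel (IP forwarding enabled), one intrusion (CPU above its threshold), four against container svc-b, and one log entry. Occupancy exactly at a threshold is deliberately not an alarm, matching the text's "exceeds the preset threshold".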
  • Step 103: report an alarm when a security problem is detected in the system.
  • When the baseband processing unit detects, through the security container, that a security problem exists in the system, it reports an alarm for the specific problem detected to the management or operation and maintenance personnel, or displays the detected security issue on the detection result page together with a prompt that the system has a security problem. For example, if an external intrusion exception is detected in the 5G access network system through the security container, the operation and maintenance personnel are prompted that the system is currently under external intrusion, and the port affected by the intrusion is reported so that they can intercept it and restore the system to a safe state.
  • Performing the security detection of the system automatically through the customised security container greatly increases the coverage and speed of security detection, and thereby the robustness of the business.
  • In one embodiment, before the baseband processing unit obtains the operating status data of the system, the method further includes: obtaining the latest vulnerability information, synchronising it to the security container, performing vulnerability detection on the system through the security container according to that information, and reporting any vulnerability found in the system.
  • The 5G access network system and other types of access network system contain specific standard components, and disclosed or newly detected vulnerabilities in these standard components are published on industry websites so that every system can avoid and defend against the disclosed vulnerabilities. The baseband processing unit can therefore monitor the vulnerability information disclosed on industry websites, obtain the latest disclosed vulnerabilities, and synchronise them to the security container.
  • The security container then automatically generates a detection script for each vulnerability, or obtains an external detection script, and uses the scripts to detect whether the 5G access network system is affected by the disclosed vulnerabilities.
  • The security container can also instruct the relevant components of the system to generate corresponding patches for the detected vulnerabilities automatically, or obtain the corresponding patches from outside, and use them to defend against and repair the vulnerabilities, further deepening the system's ability to defend against security problems.
  • The detection rules in the security components and the content covered by the security detection can be iteratively updated according to the security issues detected or the latest vulnerability information, further improving the security management of the business containers the system requires and achieving endogenous security of the system.
  • Another aspect of the embodiment of the present application provides a security detection device, shown in Figure 2, including:
  • the obtaining module 201, used to obtain the operating status data of the system;
  • the detection module 202, configured to input the operating status data into a pre-created security container and perform security detection on the system through the security container, the security container being built on a lightweight platform deployed on the operating system kernel;
  • the alarm module 203, configured to report an alarm when a security problem is detected in the system.
  • This embodiment is an apparatus embodiment corresponding to the method embodiment and can be implemented in cooperation with it; the technical details given for the method embodiment remain valid here and are not repeated, and the details given here can likewise be applied to the method embodiment.
  • The modules involved in this embodiment are logical modules; a logical unit may be a physical unit, part of a physical unit, or a combination of several physical units. Units not closely related to solving the technical problem proposed by the present invention are not introduced in this embodiment, which does not mean that no other units exist in it.
  • Another aspect of the embodiment of the present application provides an electronic device, shown in FIG. 3, including at least one processor 301 and a memory 302 communicatively connected to it; the memory stores instructions executable by the at least one processor 301, and the instructions are executed by the at least one processor 301 so that it can perform the security detection method described in any of the foregoing method embodiments.
  • The memory 302 and the processor 301 are connected by a bus, which may include any number of interconnected buses and bridges and links the one or more processors 301 with the various circuits of the memory 302. The bus may also connect other circuits such as peripherals, voltage regulators and power management circuits, all of which are well known in the art and are not described further here.
  • The bus interface provides an interface between the bus and the transceivers. A transceiver may be a single element or several elements, such as multiple receivers and transmitters, and provides the means for communicating with various other devices over a transmission medium. Data processed by the processor 301 is transmitted over the wireless medium through the antenna, and the antenna in turn receives data and passes it to the processor 301.
  • The processor 301 is responsible for managing the bus and general processing and may also provide functions such as timing, peripheral interfaces, voltage regulation and power management; the memory 302 can store the data used by the processor 301 when performing operations.
  • Embodiments of the present invention also provide a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, the above method embodiments are implemented.
  • A storage medium includes several instructions that cause a device (which may be a single-chip microcomputer, a chip, and so on) or a processor to execute all or part of the steps of the methods described in the various embodiments of the present application. Such storage media include a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

Abstract

The present application relates to a security detection method and apparatus, an electronic device and a storage medium. The method comprises: acquiring the operation state data of a system; inputting the operation state data into a pre-created secure container, and carrying out security detection on the system by means of the secure container, the secure container being established in a lightweight platform deployed on an operating system kernel; and reporting an alarm when it is detected that the system has a security problem.

Description

安全检测方法、装置、电子设备和存储介质Safety detection method, device, electronic equipment and storage medium
相关申请related application
本申请要求于2022年2月28日申请的、申请号为202210191549.8的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to a Chinese patent application with application number 202210191549.8 filed on February 28, 2022, the entire contents of which are incorporated herein by reference.
技术领域technical field
本申请实施例涉及通信技术领域,特别涉及一种安全检测方法、装置、电子设备和存储介质。The embodiments of the present application relate to the field of communication technologies, and in particular, to a security detection method, device, electronic equipment, and storage medium.
背景技术Background technique
随着通信技术的不断发展和进步,第五代移动通信系统(5th Generation Wireless Systems,5G)已成为主流的通信系统,借助5G的数据传输能力和效率,微服务技术也出现了高速的发展与广泛的应用。伴随着微服务技术的应用,各通信系统的复杂程度不断上升,并且系统安全也面临越来越大的挑战。以5G接入网系统为例,为了支撑复杂的业务,5G接入网系统运行着数百个微服务应用,各个业务的微服务应用面临非常庞大的安全风险检测治理工作。With the continuous development and progress of communication technology, the fifth generation mobile communication system (5th Generation Wireless Systems, 5G) has become the mainstream communication system. Wide range of applications. With the application of microservice technology, the complexity of each communication system is increasing, and the system security is also facing more and more challenges. Taking the 5G access network system as an example, in order to support complex services, the 5G access network system runs hundreds of micro-service applications, and the micro-service applications of each business face a very large security risk detection and management work.
当下的安全风险检测治理方案是,各微服务应用分别由维护开发该微服务应用的领域进行独立的安全检测和治理。但是,一方面,系统快速迭代、变动,各类安全风险随之增加,传统的安全风险检测治理存在安全检测覆盖范围不全面,或者安全检测工作重复庞杂的问题;另一方面,各个微服务应用由不同领域开发和维护,由于安全规范的不一致问题,极易出现漏洞。The current security risk detection and governance solution is that each microservice application is independently security tested and governed by the domain that maintains and develops the microservice application. However, on the one hand, the rapid iteration and changes of the system have increased various security risks. The traditional security risk detection and management has the problem of incomplete security detection coverage, or repetitive and complicated security detection work; on the other hand, each microservice application Developed and maintained by different fields, due to the inconsistency of security specifications, it is very prone to loopholes.
Summary of the invention
The main purpose of the embodiments of the present application is to propose a security detection method, apparatus, electronic device and storage medium, aiming to improve security detection coverage as far as possible and to reduce the large amount of repetition and the unwieldy scope of security detection work.
To achieve the above purpose, an embodiment of the present application provides a security detection method, including: acquiring running state data of a system; inputting the running state data into a pre-created security container and performing security detection on the system through the security container, wherein the security container is built in a lightweight platform deployed on the operating system kernel; and reporting an alarm when a security problem is detected in the system.
To achieve the above purpose, an embodiment of the present application further provides a security detection apparatus, including: an acquisition module configured to acquire running state data of a system; a detection module configured to input the running state data into a pre-created security container and perform security detection on the system through the security container, wherein the security container is built in a lightweight platform deployed on the operating system kernel; and an alarm module configured to report an alarm when a security problem is detected in the system.
To achieve the above purpose, an embodiment of the present application further provides an electronic device, including: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the security detection method described above.
To achieve the above purpose, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the security detection method described above.
In the security detection method provided by the embodiments of the present application, a security container is created in advance in a lightweight platform deployed on the kernel of the operating system of the 5G access network system. Before the 5G access network system is put into use, or while it is in use, the running state data of the 5G access network system is acquired and input into the security container, the security container performs security detection on the system based on that data, and, when a security problem is detected, an alarm is reported to operation and maintenance or management personnel, or the detected security problem is displayed directly on the detection result interface. By creating a security container on a lightweight platform deployed on the operating system kernel of the 5G access network system, and having the security container detect security problems from the system's running state data, the security risk detection and management process is automated by a security container inside the system, without relying on external detection means. This improves security detection coverage, reduces the complexity of security detection and the repetition it is prone to, and thereby achieves the goal of endogenous (built-in) system security.
Brief description of the drawings
One or more embodiments are illustrated by the figures in the corresponding accompanying drawings; these illustrations do not limit the embodiments.
Fig. 1 is a flow chart of the security detection method in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of the security detection apparatus in another embodiment of the present application;
Fig. 3 is a schematic structural diagram of the electronic device in another embodiment of the present application.
Detailed description of embodiments
As can be seen from the background, the microservice applications are developed and maintained by different domains, and inconsistent security specifications make vulnerabilities very likely; in addition, the system iterates and changes rapidly and the various security risks grow accordingly, so traditional security risk detection and governance suffers either from incomplete security detection coverage or from repetitive and unwieldy detection work. Therefore, how to implement system security detection with relatively comprehensive coverage simply and efficiently is a technical problem that urgently needs to be solved.
To solve the above problems, an embodiment of the present application provides a security detection method, including: acquiring running state data of a system; inputting the running state data into a pre-created security container and performing security detection on the system through the security container, wherein the security container is built in a lightweight platform deployed on the operating system kernel; and reporting an alarm when a security problem is detected in the system.
In the security detection method provided by the embodiments of the present application, a security container is created in advance in a lightweight platform deployed on the kernel of the operating system of the 5G access network system. Before the 5G access network system is put into use, or while it is in use, the running state data of the 5G access network system is acquired and input into the security container, the security container performs security detection on the system based on that data, and, when a security problem is detected, an alarm is reported to operation and maintenance or management personnel, or the detected security problem is displayed directly on the detection result interface. By creating a security container on a lightweight platform deployed on the operating system kernel of the 5G access network system, and having the security container detect security problems from the system's running state data, the security risk detection and management process is automated by a security container inside the system, without relying on external detection means. This improves security detection coverage, reduces the complexity of security detection and the repetition it is prone to, and thereby achieves the goal of endogenous system security.
To make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the embodiments are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will understand, however, that many technical details are given in the embodiments so that the reader can better understand the application, and that the technical solutions claimed in this application can be realized even without these details and with various changes and modifications to the embodiments below. The division into the following embodiments is for convenience of description and does not limit the specific implementation of the application; the embodiments may be combined and cross-referenced provided they do not contradict one another.
The implementation details of the security detection method described in this application are explained below with reference to specific embodiments. The following details are provided only to aid understanding and are not required in order to implement the solution.
A first aspect of the embodiments of the present application provides a security detection method; its flow is shown in Fig. 1. In some embodiments the security detection method is applied to a baseband processing unit in a 5G access network system, or to a terminal device capable of data transmission with the baseband processing unit, the terminal device having communication, data storage and processing capabilities. This embodiment is described using application in the baseband processing unit as an example. The security detection method includes the following steps:
Step 101: acquire running state data of the system.
Specifically, after the 5G access network system has been built or put into use, the baseband processing unit (Building Baseband Unit, BBU) interacts, through the corresponding data transmission channels, with the operating system kernel of its 5G access network system, with the hardware resources in the lightweight service platform, and with the service containers (microservice applications) carrying the different services; it collects the current running or usage data of the operating system kernel, the hardware resources and each service container, and so obtains the running state data of the 5G access network system.
In one example, the baseband processing unit acquiring the running state data of the system includes periodically acquiring the current running state data of the system at a preset time interval. Specifically, at the interval set by an administrator instruction or preconfigured by operation and maintenance personnel, the baseband processing unit collects running state data from its 5G access network system once per interval and performs the subsequent security detection on the system based on the current data obtained. Periodic acquisition of running state data and security risk detection ensure, as far as possible, that security problems present in the system are discovered and handled in time, improving security while the system is running.
Step 102: input the running state data into a pre-created security container and perform security detection on the system through the security container, where the security container is built in a lightweight platform deployed on the operating system kernel.
Specifically, after obtaining the running state data of the 5G access network system through data interaction, the baseband processing unit transmits the running state data to the security container created in advance in the lightweight platform deployed on the operating system kernel, and the security container performs security detection on the 5G access network system based on the running state data obtained. Using a security container created in advance on the system's internal lightweight platform for automated security detection avoids the need for external detection means during detection, reduces the complexity and repetition of security detection, and improves its efficiency.
It is worth noting that the security problems the system may have include one or any combination of the following: an operating system kernel anomaly, an external intrusion anomaly, and a service container anomaly. This embodiment lists only a few security problems common in a 5G access network system; in actual use, other less common security problems can also be detected.
In one example, where the security problem includes an operating system kernel anomaly, the baseband processing unit performing security detection on the system through the security container includes: obtaining, from the configuration data in the running state data, the configuration items in the configuration files of the public (shared) components of the system; and, when a public component whose configuration items do not comply with preset security criteria is detected, determining that the system has an operating system kernel anomaly. Specifically, according to control instructions from the container management process of the lightweight platform, the baseband processing unit pulls and reserves the corresponding resources on the lightweight platform in advance, for example communication ports, storage addresses and computing resources, thereby completing creation of the security container on the lightweight platform. Where the security problem includes an operating system kernel anomaly, the security container performs a compliance check on the configuration of each public component in the 5G access network system according to the configuration data in the running state data, checking whether every configuration item contained in each public component's configuration file complies with generally accepted industry security guidelines. When a public component whose configuration file contains an illegal configuration item is detected, it is determined that the 5G access network system has an operating system kernel anomaly. The configuration data in the running state data is obtained by the baseband processing unit through an operating-system-level configuration scan of the operating system kernel. By checking whether the configuration items in the public components' configuration files are legal, the presence of an operating system kernel anomaly can be detected accurately and efficiently, improving the ability to detect and identify kernel anomalies.
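The configuration compliance check just described, as an added example that is not the patent's own code: a rule table stands in for the "industry security guidelines", the component names, configuration text and criteria are constructed placeholders, and the function names (`parse_config`, `check_component`, `detect_kernel_anomaly`) are assumptions of this illustration. A required item that is absent from a configuration file is reported as a violation too, since a missing hardening setting is as dangerous as a wrong one.

```python
"""Configuration compliance check for the public (shared) components of the system.

Added illustration, not the patent's code. The component names, the configuration
text and the security criteria below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample of the configuration data an OS-level configuration scan
# might hand to the security container: one configuration text per component.
SAMPLE_CONFIG_DATA: Dict[str, str] = {
    "kernel-sysctl": """
        # constructed sample of kernel parameters
        kernel.kptr_restrict = 0
        kernel.dmesg_restrict = 1
        net.ipv4.ip_forward = 1
        fs.protected_symlinks = 1
    """,
    "ssh-service": """
        # constructed sample of an SSH daemon configuration
        PermitRootLogin yes
        PasswordAuthentication no
        Protocol 2
    """,
}

# Preset security criteria: component -> item -> (predicate on the value, reason).
# Constructed to stand in for the "industry security guidelines" the text refers to.
Criterion = Tuple[Callable[[str], bool], str]
SECURITY_CRITERIA: Dict[str, Dict[str, Criterion]] = {
    "kernel-sysctl": {
        "kernel.kptr_restrict": (lambda v: v in ("1", "2"), "kernel pointers must be hidden"),
        "kernel.dmesg_restrict": (lambda v: v == "1", "dmesg must be restricted"),
        "net.ipv4.ip_forward": (lambda v: v == "0", "IP forwarding must be off"),
        "fs.protected_symlinks": (lambda v: v == "1", "symlink protection must be on"),
    },
    "ssh-service": {
        "PermitRootLogin": (lambda v: v.lower() == "no", "root login must be disabled"),
        "PasswordAuthentication": (lambda v: v.lower() == "no", "password login must be off"),
        "Protocol": (lambda v: v == "2", "only SSH protocol 2 is allowed"),
    },
}


@dataclass(frozen=True)
class Finding:
    component: str
    item: str
    value: str
    reason: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' and 'key value' lines; blank lines and comments are ignored."""
    items: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sep = "=" if "=" in line else " "
        key, _, value = line.partition(sep)
        items[key.strip()] = value.strip()
    return items


def check_component(component: str, text: str) -> List[Finding]:
    """Compare one component's configuration items against its preset criteria.
    An item required by the criteria but absent from the file is reported as well."""
    items = parse_config(text)
    findings: List[Finding] = []
    for item, (is_ok, reason) in SECURITY_CRITERIA.get(component, {}).items():
        if item not in items:
            findings.append(Finding(component, item, "<absent>", reason + " (item absent)"))
        elif not is_ok(items[item]):
            findings.append(Finding(component, item, items[item], reason))
    return findings


def detect_kernel_anomaly(config_data: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Step 102 for the kernel-anomaly case: any non-compliant public component
    means the system is judged to have an operating system kernel anomaly."""
    findings: List[Finding] = []
    for component, text in config_data.items():
        findings.extend(check_component(component, text))
    return bool(findings), findings


if __name__ == "__main__":
    detected, findings = detect_kernel_anomaly(SAMPLE_CONFIG_DATA)
    print("kernel anomaly:", detected)
    for f in findings:
        print(f"  {f.component}: {f.item}={f.value} ({f.reason})")
```

On the constructed sample the check flags the exposed kernel pointers, the enabled IP forwarding and the permitted root login, and the system is therefore judged to have a kernel anomaly; the same inventory with those three items corrected passes cleanly.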
It is worth noting that when operating system kernel security detection is performed through the security container, it can be carried out directly through the native shell of the Linux operating system pre-deployed in the security container, or by other means; this embodiment does not limit this.
In another example, where the security problem includes an external intrusion anomaly, the baseband processing unit performing security detection on the system through the security container includes: obtaining the resource occupancy of each hardware resource from the resource invocation information in the running state data; and, when a hardware resource whose occupancy exceeds a preset threshold is detected, determining that the system has an external intrusion anomaly. Specifically, where the security problem to be detected includes an external intrusion anomaly, the baseband processing unit has the security container examine the resource invocation information in the running state data and obtain the occupancy of each hardware resource in the 5G access network system, for example the utilization of the processing capacity of the central processing unit (CPU) and the storage space in use in memory. It then checks whether the occupancy of each hardware resource exceeds its preset threshold and, when a hardware resource whose occupancy exceeds the preset threshold is detected, determines that the system has an external intrusion anomaly. The resource invocation information of the hardware resources may be obtained by the baseband processing unit interacting with the resource management process in the lightweight platform, or by invoking detection software that measures the occupancy of the hardware resources directly. Detecting and monitoring the occupancy of hardware resources avoids situations where occupancy exceeds the preset threshold, and thereby avoids damage to hardware devices caused by excessive occupancy.
It is worth noting that the preset occupancy threshold can be set individually for each hardware resource, or a single occupancy-ratio threshold can be set uniformly; the specific setting may be determined by the size of the hardware resource and the needs of the services it must carry. This embodiment does not limit the specific setting of the occupancy threshold of each hardware resource.
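The occupancy-threshold check of the two paragraphs above, with both threshold styles the text allows (a uniform ratio and per-resource overrides), as an added example that is not the patent's own code. The resource names, usage figures and thresholds are constructed, and the `OccupancyMonitor` class goes beyond the text: it ties the check to the periodic collection of step 101 and only reports a resource that has exceeded its threshold in several consecutive samples, a debounce rule that is this illustration's design choice, not something the patent specifies.

```python
"""Hardware resource occupancy check for the external-intrusion case.

Added illustration, not the patent's code. The resource names, the sample usage
figures, the thresholds and the consecutive-period rule are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ResourceUsage:
    name: str
    used: float
    capacity: float

    @property
    def ratio(self) -> float:
        # A resource reporting zero capacity is treated as fully occupied rather
        # than raising ZeroDivisionError inside the detector.
        return 1.0 if self.capacity <= 0 else self.used / self.capacity


# Constructed sample of resource invocation information for one sampling period.
SAMPLE_USAGE: List[ResourceUsage] = [
    ResourceUsage("cpu", used=93.0, capacity=100.0),        # percent
    ResourceUsage("memory", used=6.2, capacity=16.0),        # GiB
    ResourceUsage("disk", used=180.0, capacity=200.0),       # GiB
    ResourceUsage("nic-rx", used=850.0, capacity=1000.0),    # Mbit/s
]

# The two threshold styles the text allows: one uniform occupancy ratio, or a
# per-resource value that overrides it (values constructed).
UNIFORM_THRESHOLD = 0.85
PER_RESOURCE_THRESHOLD: Dict[str, float] = {"cpu": 0.90, "disk": 0.95}


def threshold_for(name: str, per_resource: Optional[Dict[str, float]], uniform: float) -> float:
    return (per_resource or {}).get(name, uniform)


def detect_external_intrusion(
    usage: Sequence[ResourceUsage],
    per_resource: Optional[Dict[str, float]] = None,
    uniform: float = UNIFORM_THRESHOLD,
) -> Tuple[bool, List[str]]:
    """One detection pass: the names of resources strictly above their threshold."""
    exceeded = [u.name for u in usage if u.ratio > threshold_for(u.name, per_resource, uniform)]
    return bool(exceeded), exceeded


class OccupancyMonitor:
    """Stateful variant for the periodic collection of step 101.

    A resource is only reported once it has exceeded its threshold in `periods`
    consecutive samples, so a single transient spike does not raise an alarm.
    (Constructed design choice; the patent does not specify a debounce rule.)
    """

    def __init__(self, periods: int = 2, per_resource: Optional[Dict[str, float]] = None,
                 uniform: float = UNIFORM_THRESHOLD) -> None:
        self.periods = periods
        self.per_resource = per_resource
        self.uniform = uniform
        self._streak: Dict[str, int] = {}

    def observe(self, usage: Sequence[ResourceUsage]) -> List[str]:
        """Feed one sample; return the resources that now warrant an alarm."""
        _, exceeded = detect_external_intrusion(usage, self.per_resource, self.uniform)
        over = set(exceeded)
        for u in usage:
            self._streak[u.name] = self._streak.get(u.name, 0) + 1 if u.name in over else 0
        return [u.name for u in usage if self._streak.get(u.name, 0) >= self.periods]


if __name__ == "__main__":
    print(detect_external_intrusion(SAMPLE_USAGE))
    print(detect_external_intrusion(SAMPLE_USAGE, PER_RESOURCE_THRESHOLD))
```

The comparison is strict: a resource sitting exactly on its threshold (the constructed `nic-rx` at 85%) is not reported. With the uniform threshold the sample flags `cpu` and `disk`; with the per-resource overrides only `cpu` remains above its limit.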
In addition, to avoid security problems caused by external intrusion, a firewall policy can also be pre-deployed in the security container. Once the security container has been created, the firewall policy is started directly to monitor the external ports of the 5G access network system and the service state of those ports in real time; when an abnormal request is detected, the detected abnormal request is intercepted directly, or, when an external intrusion anomaly is detected in the system, the external ports of the affected resources are blocked to prevent the external intrusion from doing further damage to the system. This embodiment does not limit the firewall policy deployed in the security container.
In another example, where the security problem includes a service container anomaly, the baseband processing unit performing security detection on the system through the security container includes: performing a runtime check on each service container according to the running data of each service container in the running state data; and, when a service container running abnormally is detected, determining that the system has a service container anomaly. Specifically, where the security problem includes a service container anomaly, the baseband processing unit has the security container check the operation of each service container according to the running data of each service container in the running state data, detecting whether any service container is running abnormally. When a service container running abnormally is detected, it is determined that the 5G access network system has a service container anomaly. An application-level security review of each microservice application running in the system accurately identifies the service containers running abnormally, avoiding duplicate security detection while improving its coverage.
Further, the runtime checks the baseband processing unit performs on each service container through the security container include one or any combination of the following: a file permission check, a running user identity check, an access control check, a patch update check and a daemon process check. Specifically, during the runtime check, each service container can be checked for files with 777 permissions; the host identity or user identity under which the service container runs can be checked; the service container can be checked for access control instructions whose rights and responsibilities are inconsistent; the service components in the service container can be checked for whether patches have been applied for disclosed vulnerabilities; and the container daemon of the service container and its configuration items can be checked for compliance with specification requirements. If one or more of these checks returns an abnormal result, the service container is determined to have a runtime anomaly, and in turn the system is determined to have a service container anomaly. Multi-dimensional runtime checks comprehensively and accurately identify the service containers running abnormally and improve the effectiveness of security detection.
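The five runtime checks listed above, applied to constructed container snapshots, as an added example that is not the patent's own code. The snapshot layout, the permitted run users, the daemon expectations, the patch baseline versions and the reading of "rights and responsibilities inconsistent" as an access rule that reaches outside a subject's declared resource prefixes are all assumptions of this illustration; the file modes are the permission bits a `stat` call would return.

```python
"""Runtime checks of service containers (microservice applications).

Added illustration, not the patent's code. Container snapshots, the permitted
run users, the patch baseline, the daemon expectations and the access-control
model are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Expected daemon settings and patched component versions (constructed; a real
# deployment derives them from its own hardening baseline and advisories).
DAEMON_EXPECTED: Dict[str, object] = {"privileged": False, "readonly_rootfs": True}
PATCH_BASELINE: Dict[str, Tuple[int, ...]] = {"libfoo": (1, 4, 2), "bar-agent": (2, 0, 0)}
ALLOWED_RUN_USERS = ("app", "svc")


@dataclass
class ContainerSnapshot:
    name: str
    run_user: str
    files: Dict[str, int]                   # path -> permission bits (st_mode & 0o777)
    packages: Dict[str, str]                # component -> installed version
    daemon_config: Dict[str, object]
    acl_rules: List[Tuple[str, str, str]]   # (subject, resource prefix, permission)
    responsibilities: Dict[str, List[str]] = field(default_factory=dict)  # subject -> prefixes


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def check_file_permissions(s: ContainerSnapshot) -> List[str]:
    """Files readable, writable and executable by everyone (mode 777)."""
    return [p for p, mode in s.files.items() if mode & 0o777 == 0o777]


def check_run_user(s: ContainerSnapshot) -> List[str]:
    """Containers must run under one of the permitted service identities."""
    return [] if s.run_user in ALLOWED_RUN_USERS else [s.run_user]


def check_access_control(s: ContainerSnapshot) -> List[Tuple[str, str, str]]:
    """Rules granting a subject access outside its declared responsibility."""
    bad = []
    for subject, resource, perm in s.acl_rules:
        prefixes = s.responsibilities.get(subject, [])
        if not any(resource.startswith(pfx) for pfx in prefixes):
            bad.append((subject, resource, perm))
    return bad


def check_patch_updates(s: ContainerSnapshot) -> List[str]:
    """Components older than the version carrying the fix for a disclosed vulnerability."""
    return [c for c, v in s.packages.items()
            if c in PATCH_BASELINE and parse_version(v) < PATCH_BASELINE[c]]


def check_daemon(s: ContainerSnapshot) -> List[str]:
    """Daemon configuration items that deviate from the expected values."""
    return [k for k, want in DAEMON_EXPECTED.items() if s.daemon_config.get(k) != want]


CHECKS = {
    "file_permission": check_file_permissions,
    "run_user": check_run_user,
    "access_control": check_access_control,
    "patch_update": check_patch_updates,
    "daemon": check_daemon,
}


def run_container_checks(s: ContainerSnapshot) -> Dict[str, list]:
    """All five checks on one container; only checks with findings are returned."""
    results = {name: fn(s) for name, fn in CHECKS.items()}
    return {name: r for name, r in results.items() if r}


def detect_service_container_anomaly(snaps: List[ContainerSnapshot]) -> Tuple[bool, Dict[str, Dict[str, list]]]:
    """Step 102 for the service-container case: one abnormal container is enough."""
    abnormal = {s.name: r for s in snaps if (r := run_container_checks(s))}
    return bool(abnormal), abnormal


# Constructed snapshots: "billing" violates every check, "auth" passes all of them.
BILLING = ContainerSnapshot(
    name="billing", run_user="root",
    files={"/app/run.sh": 0o777, "/app/config.yml": 0o640},
    packages={"libfoo": "1.3.9", "bar-agent": "2.1.0"},
    daemon_config={"privileged": True, "readonly_rootfs": False},
    acl_rules=[("billing-svc", "/data/billing/", "rw"), ("billing-svc", "/data/auth/", "r")],
    responsibilities={"billing-svc": ["/data/billing/"]},
)
AUTH = ContainerSnapshot(
    name="auth", run_user="svc",
    files={"/app/authd": 0o750, "/app/keys.yml": 0o600},
    packages={"libfoo": "1.4.2"},
    daemon_config={"privileged": False, "readonly_rootfs": True},
    acl_rules=[("auth-svc", "/data/auth/", "rw")],
    responsibilities={"auth-svc": ["/data/auth/"]},
)
```

Each check returns the concrete offending items rather than a bare verdict, so the alarm of step 103 can name the file, user, rule, component or daemon setting that needs attention.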
In another example, the baseband processing unit performing security detection on the system through the security container includes: performing security log analysis on the system according to the security log data in the running state data; and, when abnormal data is detected in the security log data, determining that the system has a security problem. Specifically, key events in the 5G access network system are recorded automatically in the form of security logs, to facilitate auditing and tracing. Therefore, when security detection is performed through the security container, the security container can directly analyze the security log data in the running state data, detecting the abnormal records that report a system anomaly; when abnormal data is found in the security log data, it is determined that the system has a security problem. The security log data may be obtained by the baseband processing unit interacting with the log storage container in the system. There may be one or more specific types of security problem, and the problem type can be obtained by data analysis of, or keyword extraction from, the abnormal data. Regularly auditing and analyzing the security log data improves the efficiency of auditing security events and of reporting the security events already recorded, further deepening the system's security detection capability.
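The keyword-based log analysis of this example, together with the alarm aggregation of step 103 below, as an added example that is not the patent's own code. The log lines are constructed in a syslog-like layout, the keyword table is a placeholder for a deployment's own rule set, and the alarm format (counts per issue type, plus the ports and source addresses of intrusion records, which is what operations staff need to block and restore) is this illustration's choice.

```python
"""Security log analysis and alarm aggregation (steps 102 and 103).

Added illustration, not the patent's code. The log lines, the keyword table and
the alarm format are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of security log data in a syslog-like layout.
SAMPLE_SECURITY_LOG = """\
2023-01-01T10:00:01Z bbu-1 sshd[2201]: Accepted publickey for svc from 10.10.0.8 port 52110
2023-01-01T10:00:07Z bbu-1 sshd[2203]: Failed password for root from 203.0.113.9 port 22
2023-01-01T10:00:09Z bbu-1 sshd[2204]: Failed password for root from 203.0.113.9 port 22
2023-01-01T10:00:11Z bbu-1 sshd[2205]: Failed password for admin from 203.0.113.9 port 22
2023-01-01T10:01:30Z bbu-1 kernel: [12345.67] Oops: 0002 [#1] SMP
2023-01-01T10:02:00Z bbu-1 containerd[900]: container billing exited with OOM killed
2023-01-01T10:02:30Z bbu-1 cron[1100]: (root) CMD (run-parts /etc/cron.hourly)
this line is not a log record and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Keyword extraction table: the first matching issue type wins (constructed).
ISSUE_KEYWORDS: Dict[str, List[str]] = {
    "external_intrusion": ["Failed password", "Invalid user", "port scan"],
    "kernel_anomaly": ["Oops:", "segfault", "Call Trace"],
    "service_container_anomaly": ["OOM killed", "exited with", "restart loop"],
}


@dataclass(frozen=True)
class LogFinding:
    issue_type: str
    timestamp: str
    source: str
    message: str


def classify(message: str) -> Optional[str]:
    """Map one log message to an issue type by keyword, or None if it is benign."""
    for issue, keywords in ISSUE_KEYWORDS.items():
        if any(k in message for k in keywords):
            return issue
    return None


def analyze_security_log(text: str) -> List[LogFinding]:
    """Return the abnormal records, each tagged with the issue type its keywords indicate."""
    findings: List[LogFinding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable lines are skipped, not treated as anomalies
        issue = classify(m["msg"])
        if issue:
            findings.append(LogFinding(issue, m["ts"], m["proc"], m["msg"]))
    return findings


def build_alarm(findings: List[LogFinding]) -> Dict[str, object]:
    """Aggregate findings into the alarm of step 103: counts per issue type plus,
    for intrusion findings, the affected ports and source addresses."""
    counts = Counter(f.issue_type for f in findings)
    intrusion = [f for f in findings if f.issue_type == "external_intrusion"]
    ports = sorted({int(p) for f in intrusion for p in re.findall(r"\bport (\d+)\b", f.message)})
    sources = Counter(m.group(1) for f in intrusion if (m := re.search(r"\bfrom (\S+)", f.message)))
    return {
        "detected": bool(findings),
        "issue_counts": dict(counts),
        "intrusion_ports": ports,
        "intrusion_sources": dict(sources),
    }


if __name__ == "__main__":
    print(build_alarm(analyze_security_log(SAMPLE_SECURITY_LOG)))
```

The successful key-based login and the cron record match no keyword and are left alone; the three failed logins, the kernel oops and the OOM-killed container are reported, and the alarm names port 22 and the single source address behind the failed logins.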
Step 103: report an alarm when a security problem is detected in the system.
Specifically, when the baseband processing unit detects a security problem in the system through the security container, it reports, according to the specific security problem detected, an alarm for that problem to management or operation and maintenance personnel, or displays the detected security problem on the detection result page with a prompt that the system has a security problem. For example, if an external intrusion anomaly is detected in the 5G access network system through the security container, operation and maintenance personnel are notified that the system is currently under external intrusion and the port affected by the intrusion is reported, so that they can block the intrusion and then restore system security. Automated security detection of the system based on a customized security container greatly increases the coverage and speed of security detection, and thereby strengthens the robustness of the services.
In one example, before acquiring the running state data of the system, the baseband processing unit further: obtains the latest vulnerability information and synchronizes it to the security container, and has the security container perform vulnerability detection on the system according to the latest vulnerability information; and, when the system is found to have a vulnerability, reports the vulnerability. Specifically, 5G access network systems and other types of access network system contain a particular standard component, and vulnerability information for the standard component that has already been exposed or newly discovered is disclosed on industry websites, so that each system can avoid and defend against the corresponding security problems based on the disclosed information. The baseband processing unit can therefore monitor the vulnerability information disclosed on industry websites, obtain the latest disclosed vulnerability information, and synchronize it to the security container. The security container then, based on the latest vulnerability information obtained, automatically generates a detection script for each vulnerability, or directly obtains an external detection script, and uses the detection script to check whether the disclosed vulnerability is present in the 5G access network system. When a disclosed vulnerability is detected in the system, the detected vulnerability is reported to the detection result interface, or a vulnerability alarm is reported to management and operation and maintenance personnel. Detecting vulnerabilities in the system according to the latest disclosed vulnerability information, and reporting the detected vulnerabilities promptly, speeds up the system's response to and handling of vulnerabilities and enhances its security.
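The synchronize-then-detect cycle just described, as an added example that is not the patent's own code. The feed entries use obviously placeholder identifiers (`VULN-PLACEHOLDER-n`) rather than real advisories, the component inventory and version ranges are constructed, and the "detection script" for each entry is reduced to a version-range check, which is one common form such a script takes; generated or externally obtained scripts would plug in at the same point.

```python
"""Synchronising disclosed vulnerability information into the security container
and checking the system against it.

Added illustration, not the patent's code. The feed entries, identifiers and
component inventory are constructed placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class VulnInfo:
    vuln_id: str
    component: str
    fixed_in: str            # first version that contains the fix
    affected_min: str = "0"  # first affected version (inclusive)

    def affects(self, version: str) -> bool:
        """The per-entry 'detection script' of this illustration: a version-range test."""
        v = parse_version(version)
        return parse_version(self.affected_min) <= v < parse_version(self.fixed_in)


# Constructed feed snapshots as an industry site might publish them on two days.
FEED_DAY_1 = [
    VulnInfo("VULN-PLACEHOLDER-1", "libfoo", fixed_in="1.4.2"),
    VulnInfo("VULN-PLACEHOLDER-2", "bar-agent", fixed_in="2.0.0", affected_min="1.8.0"),
]
FEED_DAY_2 = FEED_DAY_1 + [
    VulnInfo("VULN-PLACEHOLDER-3", "libfoo", fixed_in="1.5.0", affected_min="1.4.0"),
]

# Constructed inventory of the standard component versions found in the system.
SAMPLE_INVENTORY: Dict[str, str] = {"libfoo": "1.4.2", "bar-agent": "1.9.3", "baz": "3.0.0"}


class SecurityContainerVulnStore:
    """The security container's synchronized copy of the latest vulnerability information."""

    def __init__(self) -> None:
        self._known: Dict[str, VulnInfo] = {}

    def sync(self, feed: List[VulnInfo]) -> List[VulnInfo]:
        """Merge a feed snapshot; return only the entries new to the container,
        which are the ones that need fresh detection scripts or rule updates."""
        new = [v for v in feed if v.vuln_id not in self._known]
        for v in new:
            self._known[v.vuln_id] = v
        return new

    def detect(self, inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
        """Vulnerability detection: (vuln id, component, installed version) for every
        known entry whose affected range contains the installed version. Components
        absent from the inventory cannot be judged and are skipped, not reported."""
        hits = []
        for v in self._known.values():
            installed = inventory.get(v.component)
            if installed is not None and v.affects(installed):
                hits.append((v.vuln_id, v.component, installed))
        return hits


def vulnerability_report(hits: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """What is passed on to the detection result interface or the alarm channel."""
    return {"vulnerable": bool(hits), "count": len(hits),
            "by_component": sorted({c for _, c, _ in hits})}


if __name__ == "__main__":
    store = SecurityContainerVulnStore()
    store.sync(FEED_DAY_1)
    print(vulnerability_report(store.detect(SAMPLE_INVENTORY)))
    store.sync(FEED_DAY_2)
    print(vulnerability_report(store.detect(SAMPLE_INVENTORY)))
```

The second sync returns only the one entry added since the first, and that entry is what changes the verdict: `libfoo` 1.4.2 was clean against the first feed (it is exactly the fixed version) but falls inside the newly disclosed range, so the same inventory now yields two hits.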
It is worth noting that after the security container detects a disclosed vulnerability in the system, it can also, based on the detected vulnerability, instruct the relevant components in the system to automatically generate a corresponding patch and use the generated patch to defend against and fix the vulnerability; or it can obtain the corresponding patch for the detected vulnerability externally and defend against and fix the vulnerability according to the patch obtained, further deepening the system's ability to defend against security problems.
In addition, after the security problems of the system have been detected through the security component, the detection rules in the security component and the content covered by security detection can be iteratively updated according to the detected security problems or the latest vulnerability information, further raising the system's security management requirements for service containers and achieving the goal of endogenous system security.
In addition, it should be understood that the division of the above methods into steps is only for clarity of description; in implementation, steps may be merged into one step or split into multiple steps, and as long as the same logical relationship is preserved they fall within the scope of protection of this patent. Adding insignificant modifications to the algorithm or flow, or introducing insignificant designs, without changing the core design of the algorithm and flow also falls within the scope of protection of this patent.
Another aspect of the embodiments of the present application further provides a security detection apparatus, which, with reference to Fig. 2, includes:
an acquisition module 201, configured to acquire running state data of a system;
a detection module 202, configured to input the running state data into a pre-created security container and perform security detection on the system through the security container, wherein the security container is built in a lightweight platform deployed on the operating system kernel;
an alarm module 203, configured to report an alarm when a security problem is detected in the system.
It is readily seen that this embodiment is an apparatus embodiment corresponding to the method embodiment and can be implemented in cooperation with it. The technical details mentioned in the method embodiment remain valid in this embodiment and are not repeated here to avoid duplication; correspondingly, the technical details mentioned in this embodiment can also be applied in the method embodiment.
It is worth noting that the modules involved in this embodiment are all logical modules; in practical applications a logical unit may be a physical unit, a part of a physical unit, or a combination of multiple physical units. In addition, to highlight the innovative part of the present invention, this embodiment does not introduce units that are not closely related to solving the technical problem proposed by the invention, but this does not mean that no other units exist in this embodiment.
Another aspect of the embodiments of the present application further provides an electronic device, which, with reference to Fig. 3, includes at least one processor 301 and a memory 302 communicatively connected to the at least one processor 301, wherein the memory 302 stores instructions executable by the at least one processor 301, and the instructions are executed by the at least one processor 301 so that the at least one processor 301 can execute the security detection method described in any of the above method embodiments.
其中,存储器302和处理器301采用总线方式连接,总线可以包括任意数量的互联的总线和桥,总线将一个或多个处理器301和存储器302的各种电路连接在一起。总线还可以将诸如外围设备、稳压器和功率管理电路等之类的各种其他电路连接在一起,这些都是本领域所公知的,因此,本文不再对其进行进一步描述。总线接口在总线和收发机之间提供接口。收发机可以是一个元件,也可以是多个元件,比如多个接收器和发送器,提供用于在传输介质上与各种其他装置通信的单元。经处理器301处理的数据通过天线在无线介质上进行传输,进一步,天线还接收数据并将数据传输给处理器301。Wherein, the memory 302 and the processor 301 are connected by a bus, and the bus may include any number of interconnected buses and bridges, and the bus connects one or more processors 301 and various circuits of the memory 302 together. The bus may also connect together various other circuits such as peripherals, voltage regulators, and power management circuits, all of which are well known in the art and therefore will not be further described herein. The bus interface provides an interface between the bus and the transceivers. A transceiver may be a single element or multiple elements, such as multiple receivers and transmitters, providing means for communicating with various other devices over a transmission medium. The data processed by the processor 301 is transmitted on the wireless medium through the antenna, and further, the antenna receives the data and transmits the data to the processor 301 .
处理器301负责管理总线和通常的处理,还可以提供各种功能,包括定时,外围接口,电压调节、电源管理以及其他控制功能。而存储器302可以被用于存储处理器301在执行操作时所使用的数据。The processor 301 is responsible for managing the bus and general processing, and may also provide various functions including timing, peripheral interface, voltage regulation, power management and other control functions. And the memory 302 can be used to store data used by the processor 301 when performing operations.
本发明的实施方式还提供了一种计算机可读存储介质,存储有计算机程序。计算机程序被处理器执行时实现上述方法实施例。Embodiments of the present invention also provide a computer-readable storage medium storing a computer program. The above method embodiments are implemented when the computer program is executed by the processor.
即,本领域技术人员可以理解,实现上述实施例方法中的全部或部分步骤是可以通过程序来指令相关的硬件来完成,该程序存储在一个存储介质中,包括若干指令用以使得一个设备(可以是单片机,芯片等)或处理器(processor)执行本申请各个实施例所述方法的全部 或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。That is, those skilled in the art can understand that all or part of the steps in the method of the above-mentioned embodiments can be completed by instructing related hardware through a program, the program is stored in a storage medium, and includes several instructions to make a device ( It may be a single-chip microcomputer, a chip, etc.) or a processor (processor) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, etc., which can store program codes. .
本领域的普通技术人员可以理解,上述各实施例是实现本申请的具体实施例,而在实际应用中,可以在形式上和细节上对其作各种改变,而不偏离本申请的精神和范围。Those of ordinary skill in the art can understand that the above-mentioned embodiments are specific embodiments for realizing the present application, and in practical applications, various changes can be made to it in form and details without departing from the spirit and spirit of the present application. scope.

Claims (12)

  1. A security detection method, comprising:
    acquiring running-state data of a system;
    inputting the running-state data into a pre-created security container and performing security detection on the system through the security container; wherein the security container is built on a lightweight platform deployed on an operating system kernel;
    reporting an alarm when a security problem is detected in the system.
  2. The security detection method according to claim 1, wherein the security problem comprises one of the following or any combination thereof:
    an operating system kernel anomaly, an external intrusion anomaly, and a business container anomaly.
  3. The security detection method according to claim 2, wherein, when the security problem comprises the operating system kernel anomaly, performing security detection on the system through the security container comprises:
    acquiring, according to configuration data in the running-state data, the configuration items in the configuration file of each public component in the system;
    determining that the operating system kernel anomaly exists in the system when a public component whose configuration items do not meet preset security criteria is detected.
  4. The security detection method according to claim 2, wherein, when the security problem comprises the external intrusion anomaly, performing security detection on the system through the security container comprises:
    acquiring resource occupancy information of each hardware resource according to resource invocation information in the running-state data;
    determining that the external intrusion anomaly exists in the system when a hardware resource whose resource occupancy exceeds a preset threshold is detected.
  5. The security detection method according to claim 2, wherein, when the security problem comprises the business container anomaly, performing security detection on the system through the security container comprises:
    performing running detection on each business container according to the running data of each business container in the running-state data;
    determining that the business container anomaly exists in the system when a business container that is running abnormally is detected.
  6. The security detection method according to claim 5, wherein the running detection comprises one of the following or any combination thereof:
    file permission detection, running user identity detection, access control detection, patch update detection, and daemon process detection.
  7. The security detection method according to claim 1, wherein performing security detection on the system through the security container comprises:
    performing security log analysis on the system according to security log data in the running-state data;
    determining that the security problem exists in the system when abnormal data is detected in the security log data.
  8. The security detection method according to any one of claims 1 to 7, further comprising, before acquiring the running-state data of the system:
    acquiring latest vulnerability information, synchronizing the latest vulnerability information to the security container, and performing vulnerability detection on the system through the security container according to the latest vulnerability information;
    reporting the vulnerability when a vulnerability is detected in the system.
  9. The security detection method according to any one of claims 1 to 7, wherein acquiring the running-state data of the system comprises:
    periodically acquiring current running-state data of the system at a preset time interval.
  10. A security detection apparatus, comprising:
    an acquisition module, configured to acquire running-state data of a system;
    a detection module, configured to input the running-state data into a pre-created security container and perform security detection on the system through the security container; wherein the security container is built on a lightweight platform deployed on an operating system kernel;
    an alarm module, configured to report an alarm when a security problem is detected in the system.
  11. An electronic device, comprising:
    at least one processor; and
    a memory communicatively connected to the at least one processor; wherein
    the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the security detection method according to any one of claims 1 to 8.
  12. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the security detection method according to any one of claims 1 to 8.
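The detection flow of claims 1 to 7, together with the acquisition, detection and alarm modules of claim 10, as an added example that is not the patent's own code: one Python pass of the security container over constructed running-state data. The configuration baseline, resource thresholds, container check keys and log markers are all constructed assumptions, not values taken from the patent.

```python
# Added example (not the patent's own code): one detection pass of the security
# container over constructed running-state data, following claims 1-7.
CONFIG_BASELINE = {  # preset security criteria per public component (claim 3); constructed
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "sysctl": {"kernel.kptr_restrict": "2"},
}
RESOURCE_THRESHOLDS = {"cpu": 90.0, "mem": 90.0, "net_conn": 1000}  # claim 4; constructed
def check_kernel_config(config_data):
    """Claim 3: a config item that breaks the baseline -> operating system kernel anomaly."""
    findings = []
    for comp, items in CONFIG_BASELINE.items():
        actual = config_data.get(comp, {})
        for key, expected in items.items():
            if actual.get(key) != expected:
                findings.append(f"{comp}.{key}={actual.get(key)!r}, expected {expected!r}")
    return findings

def check_intrusion(resource_calls):
    """Claim 4: a hardware resource occupied above its threshold -> external intrusion anomaly."""
    return [f"{res} usage {val} > {RESOURCE_THRESHOLDS[res]}"
            for res, val in resource_calls.items()
            if res in RESOURCE_THRESHOLDS and val > RESOURCE_THRESHOLDS[res]]

def check_containers(containers):
    """Claims 5-6: running detection on each business container -> business container anomaly."""
    findings = []
    for name, run in containers.items():
        if run.get("user") == "root":                # running user identity detection
            findings.append(f"{name}: runs as root")
        if run.get("world_writable_files"):          # file permission detection
            findings.append(f"{name}: world-writable {run['world_writable_files']}")
        if not run.get("patched", True):             # patch update detection
            findings.append(f"{name}: security patches pending")
        if not run.get("daemon_alive", True):        # daemon process detection
            findings.append(f"{name}: daemon not running")
    return findings

def check_security_log(log_lines):
    """Claim 7: abnormal entries in the security log data -> security problem."""
    markers = ("authentication failure", "segfault", "unauthorized")
    return [line for line in log_lines if any(m in line.lower() for m in markers)]

def security_detect(state):
    """Claims 1-2: run every check; each non-empty class is an alarm to report."""
    alarms = {
        "os_kernel": check_kernel_config(state.get("config", {})),
        "external_intrusion": check_intrusion(state.get("resources", {})),
        "business_container": check_containers(state.get("containers", {})),
        "security_log": check_security_log(state.get("security_log", [])),
    }
    return {cls: found for cls, found in alarms.items() if found}
SAMPLE_STATE = {  # constructed running-state data, as the acquisition module would supply it
    "config": {"sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
               "sysctl": {"kernel.kptr_restrict": "2"}},
    "resources": {"cpu": 45.0, "mem": 97.5, "net_conn": 120},
    "containers": {"web": {"user": "app", "patched": True, "daemon_alive": True},
                   "db": {"user": "root", "patched": False, "daemon_alive": True}},
    "security_log": ["sshd[1]: Accepted publickey for app",
                     "sshd[2]: authentication failure; user=root"],
}
```

Calling `security_detect(SAMPLE_STATE)` flags the root-login setting, the memory occupancy, the `db` container and the failed-authentication log line, each under its own anomaly class; a state that meets the baseline returns an empty dict and raises no alarm.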
PCT/CN2022/130436 2022-02-28 2022-11-07 Security detection method and apparatus, electronic device and storage medium WO2023160010A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210191549.8 2022-02-28
CN202210191549.8A CN116709335A (en) 2022-02-28 2022-02-28 Security detection method, security detection device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2023160010A1 true WO2023160010A1 (en) 2023-08-31

Family

ID=87764619


Country Status (2)

Country Link
CN (1) CN116709335A (en)
WO (1) WO2023160010A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9501304B1 (en) * 2015-06-16 2016-11-22 Architecture Technology Corporation Lightweight application virtualization architecture
US10191778B1 (en) * 2015-11-16 2019-01-29 Turbonomic, Inc. Systems, apparatus and methods for management of software containers
CN109828824A (en) * 2018-12-29 2019-05-31 东软集团股份有限公司 Safety detecting method, device, storage medium and the electronic equipment of mirror image
CN111783106A (en) * 2019-07-08 2020-10-16 谷歌有限责任公司 System and method for detecting file system modifications via multi-tier file system state
CN111813497A (en) * 2020-06-30 2020-10-23 绿盟科技集团股份有限公司 Container environment anomaly detection method, device, medium and computer equipment
CN112350870A (en) * 2020-11-11 2021-02-09 杭州飞致云信息科技有限公司 Operation and maintenance safety auditing method and device for container cluster system
CN112860484A (en) * 2021-01-29 2021-05-28 深信服科技股份有限公司 Container runtime abnormal behavior detection and model training method and related device


Also Published As

Publication number Publication date
CN116709335A (en) 2023-09-05


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 22928272
Country of ref document: EP
Kind code of ref document: A1