WO2023207175A1 - Method, apparatus and system for scanning detection in a hybrid cloud environment, and device and medium - Google Patents

Method, apparatus and system for scanning detection in a hybrid cloud environment, and device and medium

Info

Publication number
WO2023207175A1
Authority
WO
WIPO (PCT)
Prior art keywords
probe
scanning
subnet
task
detection
Application number
PCT/CN2022/142001
Other languages
English (en)
Chinese (zh)
Inventor
胡竞允
Original Assignee
京东科技信息技术有限公司
Application filed by 京东科技信息技术有限公司
Publication of WO2023207175A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route

Definitions

  • The present disclosure relates to the field of cloud computing technology, and in particular to a scanning detection method, apparatus, system, electronic device and non-transitory computer-readable storage medium for a hybrid cloud environment.
  • When performing vulnerability scanning, if the scanning target is reachable from the public network, a vulnerability-scanning service deployed in the public network can scan it and manage the findings; if the scanning target is in the user's own data center (IDC) and not reachable from outside, an independent vulnerability-scanning service can be deployed inside that data center. If the scanning target is in the intranet of a virtual private cloud (VPC) on the cloud, however, vulnerability scanning is difficult to perform.
  • Current vulnerability scanning methods therefore cannot effectively support users in carrying out security operations and maintenance work conveniently and quickly.
  • The present disclosure provides a scanning detection method, apparatus, system, electronic device and non-transitory computer-readable storage medium for a hybrid cloud environment, to solve the problem in the existing technology that vulnerability scanning tasks cannot be delivered uniformly, and to make it more efficient and convenient for users to carry out security operations and maintenance work.
  • A scanning detection method in a hybrid cloud environment includes: after receiving a scanning detection task issued by the current user, determining whether there is an online first probe in the target subnet of the scanning detection task, where the scanning detection task includes a vulnerability scanning task or an asset detection task, and the target subnet is any one of the user's data center intranet, the public network, and the cloud intranet in the hybrid cloud environment; in response to there being an online first probe in the target subnet, caching the scanning detection task for the first probe to pull periodically; and receiving the scanning detection result of the first probe, where, after pulling the scanning detection task, the first probe executes it on the target subnet to obtain the scanning detection result.
  • Determining whether there is an online first probe in the target subnet of the scanning detection task includes: obtaining the target subnet and/or user account from the task parameters of the scanning detection task, and determining whether there is an online first probe in the target subnet based on at least one of the target subnet and the user account.
  • Determining whether there is an online first probe in the target subnet based on at least one of the target subnet and the user account includes: searching the cached probe list for a first probe corresponding to the target subnet and/or user account; if such a first probe exists in the probe list, it is determined that there is an online first probe in the target subnet.
  • Before determining whether there is an online first probe in the target subnet of the scanning detection task, the method further includes: generating a probe installation script for the first probe according to a generation command from the user, where the probe installation script is used to install the first probe in the target subnet, and the first probe generates probe information after it is started in the target subnet; and receiving the probe information reported by the first probe, storing it in the database, and adding the first probe to the cached probe list.
  • The method further includes: receiving heartbeat information periodically reported by the first probe, and adding the latest heartbeat time of the first probe to the cache based on the heartbeat information.
  • The method also includes: periodically traversing the latest heartbeat time of each first probe in the current cached probe list; if the latest heartbeat time of a first probe is earlier than the set time, updating the status of that first probe to offline in the database and deleting it from the cached probe list.
  • The method further includes: in response to there being no online first probe in the target subnet, determining that delivery of the scanning detection task has failed, and generating a delivery failure message and returning it to the current user.
  • Another scanning detection method in a hybrid cloud environment includes: periodically pulling, from the management server, the cached scanning detection tasks whose target subnet is the current subnet, where a scanning detection task is cached after the management server receives it from the current user and determines that there is an online first probe in its target subnet; the current subnet is any one of the user's data center intranet, the public network, and the cloud intranet in the hybrid cloud environment, and is the target subnet of the scanning detection task; executing the scanning detection task on the current subnet with the first probe to obtain the scanning detection result; and sending the scanning detection result to the management server.
  • Before periodically pulling the scanning detection tasks, the method also includes: after the first probe is started in the current subnet, generating probe information and reporting it to the management server, so that the management server stores the probe information in the database and adds the first probe to the cached probe list, based on which it determines whether there is an online first probe in the target subnet of a scanning detection task.
  • The method further includes: periodically reporting the heartbeat information of the first probe to the management server, so that the management server adds the latest heartbeat time of the first probe to the cache based on the heartbeat information.
  • A scanning detection system in a hybrid cloud environment includes a management server and a subnet, where the subnet is any one of the user's data center intranet, the public network, and the cloud intranet in the hybrid cloud environment. After receiving a scanning detection task issued by the current user, the management server determines whether there is an online first probe in the target subnet of the task and, in response to there being one, caches the task for the first probe to pull periodically; the scanning detection task includes a vulnerability scanning task or an asset detection task. If the current subnet is the target subnet, the current subnet periodically pulls from the management server the cached scanning detection tasks whose target subnet is the current subnet, executes them with the first probe, and sends the scanning detection results to the management server, which receives them.
  • The current subnet is also used to report the probe information of the first probe to the management server after the first probe is started in the current subnet and generates that information; the management server is also used to store the probe information in the database and add the first probe to the cached probe list, based on which it determines whether there is an online first probe in the target subnet of a scanning detection task.
  • A scanning detection apparatus in a hybrid cloud environment includes: a judgment unit configured to determine, after receiving a scanning detection task issued by the current user, whether there is an online first probe in the target subnet of the scanning detection task, where the scanning detection task includes a vulnerability scanning task or an asset detection task, and the target subnet is any one of the user's data center intranet, the public network, and the cloud intranet in the hybrid cloud environment; a cache unit configured to cache the scanning detection task, in response to there being an online first probe in the target subnet, for the first probe to pull periodically; and a receiving unit configured to receive the scanning detection result of the first probe, where, after pulling the scanning detection task, the first probe executes it on the target subnet to obtain the scanning detection result.
  • The judgment unit is further configured to: obtain the target subnet and/or user account from the task parameters of the scanning detection task; and determine whether there is an online first probe in the target subnet based on at least one of the target subnet and the user account.
  • The judgment unit is further configured to search the cached probe list for a first probe corresponding to the target subnet and/or user account; if such a first probe exists in the probe list, it is determined that there is an online first probe in the target subnet.
  • The scanning detection apparatus also includes a probe registration unit configured to: generate a probe installation script for the first probe according to a generation command from the user, where the probe installation script is used to install the first probe in the target subnet, and the first probe generates probe information after it is started in the target subnet; and receive the probe information reported by the first probe, store it in the database, and add the first probe to the cached probe list.
  • The scanning detection apparatus also includes a heartbeat update unit configured to receive heartbeat information periodically reported by the first probe, and add the latest heartbeat time of the first probe to the cache based on the heartbeat information.
  • The scanning detection apparatus also includes a heartbeat detection unit configured to periodically traverse the latest heartbeat time of each first probe in the current cached probe list; if the latest heartbeat time of a first probe is earlier than the set time, the status of that first probe is updated to offline in the database and it is deleted from the cached probe list.
  • The scanning detection apparatus also includes a generating unit configured to, in response to there being no online first probe in the target subnet, determine that delivery of the scanning detection task has failed, and generate delivery failure information to return to the current user.
  • Another scanning detection apparatus in a hybrid cloud environment includes: a scheduled pulling unit configured to periodically pull, from the management server, the cached scanning detection tasks whose target subnet is the current subnet, where a scanning detection task is cached after the management server receives it from the current user and determines that there is an online first probe in its target subnet; the current subnet is any one of the user's data center intranet, the public network, and the cloud intranet in the hybrid cloud environment, and is the target subnet of the scanning detection task; a task execution unit configured to execute the scanning detection task on the current subnet with the first probe to obtain the scanning detection result; and a sending unit configured to send the scanning detection result to the management server.
  • This scanning detection apparatus also includes a reporting unit configured to report the probe information of the first probe to the management server after the first probe is started in the current subnet and generates that information, so that the management server stores the probe information in the database and adds the first probe to the cached probe list, based on which it determines whether there is an online first probe in the target subnet of a scanning detection task.
  • The reporting unit is further configured to periodically report the heartbeat information of the first probe to the management server, so that the management server adds the latest heartbeat time of the first probe to the cache based on the heartbeat information.
  • An electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, the steps of any of the above scanning detection methods in a hybrid cloud environment are implemented.
  • A non-transitory computer-readable storage medium is also provided, on which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the above scanning detection methods in a hybrid cloud environment.
  • The scanning detection methods, apparatuses, electronic devices and non-transitory computer-readable storage media for a hybrid cloud environment provided by the present disclosure set up probes in the target subnet and use those probes to perform scanning detection tasks on the target subnet.
  • Vulnerability scanning can thus be performed in the different scanning environments, so that vulnerability scanning tasks can be delivered uniformly in the hybrid cloud environment and scanning results viewed uniformly, which makes it more convenient for users to carry out security operations and maintenance work.
  • The disclosed technical solution is a remote probe management and scanning detection task delivery solution. It only requires that the environment to be scanned contains one host able to make outbound requests to a given domain name in order to complete scanning of the target intranet.
  • The disclosed technical solution can handle vulnerability scanning of the user's own IDC data center, the public network, and the VPC intranet on the cloud in a hybrid cloud scenario, and can manage vulnerabilities and live-asset information uniformly, which helps users to inventory live intranet assets and perform vulnerability scanning on those assets, reducing the risk of the user's network being intruded.
  • Figure 1 is the first flowchart of a scanning detection method in a hybrid cloud environment according to an embodiment of the present disclosure.
  • Figure 2 is the second flowchart of a scanning detection method in a hybrid cloud environment according to an embodiment of the present disclosure.
  • Figure 3 is the third flowchart of a scanning detection method in a hybrid cloud environment according to an embodiment of the present disclosure.
  • Figure 4 is the first structural diagram of a scanning detection apparatus in a hybrid cloud environment according to an embodiment of the present disclosure.
  • Figure 5 is the second structural diagram of a scanning detection apparatus in a hybrid cloud environment according to an embodiment of the present disclosure.
  • Figure 6 is a structural diagram of an electronic device according to an embodiment of the present disclosure.
  • Although the terms first, second, etc. may be used to describe various information in one or more embodiments of the present disclosure, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another.
  • The first may also be referred to as the second, and similarly, the second may also be referred to as the first.
  • The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining".
  • Probe: a Docker image with integrated scanning functionality. Users start a Docker container from this image by executing a script.
  • Docker: an open source application container engine that lets developers package an application and its dependencies into a portable container and then run it on any popular Linux machine; containers are isolated from one another, giving a lightweight form of virtualization.
  • MySQL: an open source RDBMS (Relational Database Management System) that uses SQL (Structured Query Language), the most commonly used database management language.
  • SQL: Structured Query Language.
  • IDC: Internet Data Center.
  • VPC: Virtual Private Cloud.
  • Vulnerability scanning: a security detection activity that uses scanning and other means to detect the security vulnerabilities of specified remote or local computer systems against a vulnerability database, and so discover exploitable vulnerabilities.
  • Figure 1 shows a flowchart of a scanning detection method in a hybrid cloud environment according to an embodiment of the present disclosure.
  • The methods provided by the embodiments of the present disclosure can be executed by any electronic device with computer processing capability, such as a terminal device and/or a server.
  • In this embodiment, the scanning detection method is executed by the server on the management side, that is, the management server (also referred to below as the probe server or probe manager).
  • The scanning detection method in this hybrid cloud environment includes:
  • Step 102: after receiving the scanning detection task issued by the current user, determine whether there is an online first probe in the target subnet of the scanning detection task, where the scanning detection task includes a vulnerability scanning task or an asset detection task.
  • The task parameters of the scanning detection task issued by the current user include the target IP address or domain name to be scanned (see step 213 below), the subnet information of the first probe that is to run the task, and the scanning task configuration. Once the task has been issued, it can be obtained and executed by the first probe designated by those task parameters.
  • The target subnet can be any one of the user's own IDC data center, the public network, and the cloud VPC intranet.
  • Step 104: in response to there being an online first probe in the target subnet, cache the scanning detection task for the first probe to pull periodically.
  • The scanning detection task can be cached in the cache of the current management server so that the corresponding first probe can pull it periodically.
  • The first probe located in the target subnet set in the task parameters can then pull the scanning detection task.
  • Step 106: receive the scanning detection result of the first probe, where, after pulling the scanning detection task, the first probe executes it on the target subnet to obtain the scanning detection result.
  • The first probe executes the vulnerability scanning task or asset detection task according to the scanning task configuration in the task parameters, and uploads the results of the vulnerability scanning task or asset detection task to the management server.
  • In this way a scanning probe is installed in the scanning target environment to perform a security scan on that environment.
  • The scanning target environment supports IDC data centers, cloud VPC environments and public network environments, and is not limited to these.
  • Through the probe server, all probe information can be managed uniformly, scanning tasks delivered uniformly, and scan results viewed uniformly.
  • The first probe needs to be installed and started in the target subnet.
  • The user can send a generation command to the probe server, and the probe management service generates the probe installation script of the first probe according to the user's generation command.
  • The user uses the probe installation script in the target subnet to install the first probe there, and the first probe is then started.
  • After the first probe is started, it obtains the intranet segment where the current device is located, that is, it obtains the IP address of the device on which it runs, which serves as the IP address of the first probe; it then reports the user account under which the probe was installed, the target subnet where it is located, and its IP address to the probe manager as the probe information of the first probe.
  • In other words, the management server generates a probe installation script for the first probe according to the user's generation command, where the script is used to install the first probe in the target subnet, and the first probe generates probe information after it is started there.
  • The management server receives the probe information reported by the first probe, stores it in the database, and adds the first probe to the cached probe list. This probe list is the online probe list.
  • For example, the probe server can store the probe information in the MySQL database and add the probe identification data of the first probe, together with its first heartbeat time, to the redis cache. The probe identification data may be a probe number or identification number.
  • The first probe periodically calls the interface to report its own heartbeat information to the probe server.
  • After receiving the heartbeat information periodically reported by the first probe, the probe server adds the latest heartbeat time of the first probe to the cache based on that information.
  • The probe server can also determine the status of the first probe based on the reported heartbeat information and add the status to the probe information described above; the status may be online or offline.
  • The probe server can periodically traverse the latest heartbeat time of each first probe in the current redis probe list; if the latest heartbeat time of a first probe is earlier than the set time, it updates the status of that probe in the MySQL database to offline and removes it from the cached probe list.
  • When the probe server receives heartbeat information reported by the first probe through the probe calling interface, it updates the latest heartbeat time of that probe in the redis probe list and checks the probe status recorded in the MySQL database; if the status is offline, it changes the status in the MySQL database to online.
  • In step 102, the target subnet and/or user account are obtained from the task parameters of the scanning detection task, and whether there is an online first probe in the target subnet is determined based on at least one of the target subnet and the user account.
  • Specifically, the cached probe list is searched for a first probe corresponding to the target subnet and/or the user account; if such a first probe exists in the probe list, the target subnet is determined to have an online first probe. Equivalently, an online first probe exists in the target subnet when the probe status of the first probe is online, and none exists when that status is offline.
  • If there is no online first probe in the target subnet, the management server may determine that delivery of the scanning detection task has failed, and generate a delivery failure message and return it to the current user. After receiving the delivery failure message, the user can take the next step, such as re-running the probe installation script to install the first probe in the target subnet.
  • Vulnerability scanning technology is an important type of network security technology. It cooperates with firewalls and intrusion detection systems to effectively improve network security. By scanning the network, network administrators can understand the network's security settings and running application services, discover security vulnerabilities in a timely manner, and objectively assess network risk levels. Network administrators can correct network security vulnerabilities and incorrect settings in the system based on the scan results to prevent hackers from attacking.
  • the scanning detection results can be vulnerability scanning results.
  • The vulnerabilities in the vulnerability scanning results can be identified using the vulnerability information database.
  • The vulnerability information can include: vulnerability name, release date, vulnerability number, risk level, impact scope, vulnerability description, solutions, and so on. Based on the solutions recommended in the vulnerability information, users can take protective measures against the vulnerabilities in the scanning detection results.
  • In another embodiment, the scanning detection method in a hybrid cloud environment may include the following steps:
  • Step 201: the user side creates subnet information, that is, sets the target subnet for vulnerability scanning and sends the subnet information to the management side.
  • The management side can be a probe server.
  • Step 202: the management side generates a script according to the subnet information and returns the generated script. The generated script contains information such as the user account and the target subnet.
  • That is, the probe server generates a probe installation script for the current user, guiding the user to execute the script in the network environment of the scan target to start the probe.
  • Step 203: the user side uses the generated script to install the probe in the scanning environment.
  • The scanning environment is the target subnet described above.
  • The probe may also be a second probe.
  • Step 204: the probe is started.
  • Step 205: the probe obtains the network segment of the intranet where the current device is located, and generates probe information based on that network segment data.
  • Step 206: the probe reports the probe information to the probe server.
  • That is, the probe obtains the current IP address of the machine and the intranet environment information, and periodically calls the interface to report them to the management side.
  • Step 207: after receiving the probe information, the probe server stores it in the database.
  • The probe server can store probe-related information in the MySQL database, including the corresponding user account, the corresponding subnet information, the probe's own IP address, and other data.
  • Step 208 The probe regularly reports the probe heartbeat information to the probe server.
  • Step 209 The probe server updates the probe heartbeat time in the cache.
  • the probe server can add the probe and its initial heartbeat time to the online probe list in redis and update the probe's latest heartbeat time.
  • Step 210 The probe server periodically traverses the online probe list in redis.
  • Step 211 The probe server determines whether the probe heartbeat time has expired. If timeout occurs, perform step 212. If it does not time out, perform step 210.
  • Step 212 The probe server updates the probe status to offline.
  • the probe server can start a timer to regularly traverse the latest heartbeat time of the probes in the current redis probe list; for probes whose heartbeat time is earlier than the set time, update the probe status To be offline, delete it from the redis probe list.
  • the probe server reports heartbeat information through the probe calling interface, it updates the latest heartbeat time of the probe in the redis probe list, and determines the currently recorded probe status. If it is offline, it updates the probe in the MySQL database. The needle status is online.
  • Step 213 The user side issues a scanning task.
  • users can deliver vulnerability scanning or asset detection tasks by calling the interface.
  • the delivered task parameters include target IP or domain name, target subnet information, and scanning task related configurations.
  • Step 214 The probe server determines the corresponding probe based on the subnet information in the scanning task. Alternatively, the probe server determines whether there is an online intranet probe in the target subnet in the task based on the subnet information and user account in the task parameters; if so, the task is successfully delivered; if not, it is determined that there is no scan. Permissions, task delivery failed.
  • Step 215 The probe regularly pulls the scanning task and executes it, and returns the scanning detection result.
  • the probe periodically requests the corresponding interface of the probe server to obtain the scan task to be executed.
  • the request parameters include the subnet information where the probe is located, user account and other data.
  • the probe performs the scanning task and reports the results to the management side through the interface after completion.
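As an added illustration (not code from the patent or its assignee), the following Python model reproduces the bookkeeping of steps 205 to 215: probe information derived from the address the probe sees locally, a heartbeat list with expiry that marks stale probes offline, and the delivery check that refuses a task unless the issuing user account has an online probe in the target subnet. The class and field names, the timeout value and the in-memory dicts standing in for the MySQL table and the redis probe list are assumptions.

```python
"""Added example, not the patent holder's code: in-memory model of the probe
registry, heartbeat expiry and task delivery check of steps 205-215. Names,
the timeout value and the dict stand-ins for MySQL and redis are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEARTBEAT_TIMEOUT = 60.0  # seconds; the text only says "earlier than the set time"


@dataclass
class Probe:
    probe_id: str
    account: str   # user account that installed the probe
    subnet: str    # intranet segment, e.g. "10.0.1.0/24"
    ip: str
    status: str = "online"  # persisted status (the MySQL row in the text)


@dataclass
class ScanTask:
    task_id: str
    account: str
    target_subnet: str
    target: str      # target IP or domain name
    kind: str        # "vuln_scan" or "asset_detect"
    config: dict = field(default_factory=dict)


def probe_info(probe_id: str, account: str, ip_with_prefix: str) -> Probe:
    """Step 205: derive the intranet segment from the probe's own local address."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    return Probe(probe_id, account, str(iface.network), str(iface.ip))


class ManagementServer:
    def __init__(self) -> None:
        self.db: Dict[str, Probe] = {}        # stands in for the MySQL table
        self.online: Dict[str, float] = {}    # stands in for the redis probe list
        self.task_cache: Dict[Tuple[str, str], List[ScanTask]] = {}
        self.results: Dict[str, dict] = {}

    def register(self, probe: Probe, now: float) -> None:
        """Step 207: persist the probe info and add it to the online list."""
        self.db[probe.probe_id] = probe
        self.online[probe.probe_id] = now

    def heartbeat(self, probe_id: str, now: float) -> bool:
        """Steps 208-209: refresh the heartbeat; an offline probe comes back online."""
        probe = self.db.get(probe_id)
        if probe is None:
            return False
        self.online[probe_id] = now
        probe.status = "online"
        return True

    def expire(self, now: float) -> List[str]:
        """Steps 210-212: traverse the list, mark stale probes offline, drop them."""
        stale = [pid for pid, t in self.online.items() if now - t > HEARTBEAT_TIMEOUT]
        for pid in stale:
            del self.online[pid]
            self.db[pid].status = "offline"
        return stale

    def has_online_probe(self, account: str, subnet: str) -> bool:
        return any(self.db[pid].account == account and self.db[pid].subnet == subnet
                   for pid in self.online)

    def deliver(self, task: ScanTask) -> Tuple[bool, str]:
        """Steps 213-214: without an online probe of the issuing account in the
        target subnet there is no scan permission and delivery fails."""
        if not self.has_online_probe(task.account, task.target_subnet):
            return False, "delivery failed: no online probe in target subnet"
        self.task_cache.setdefault((task.account, task.target_subnet), []).append(task)
        return True, "delivered"

    def pull(self, probe_id: str) -> List[ScanTask]:
        """Step 215: a probe only receives tasks for its own account and subnet."""
        if probe_id not in self.online:
            return []
        probe = self.db[probe_id]
        return self.task_cache.pop((probe.account, probe.subnet), [])

    def report(self, task_id: str, result: dict) -> None:
        self.results[task_id] = result


def run_scenario() -> dict:
    """Constructed walkthrough: two tenants share one subnet, one probe goes stale."""
    srv = ManagementServer()
    srv.register(probe_info("p1", "acct-a", "10.0.1.15/24"), now=0.0)
    srv.register(probe_info("p2", "acct-b", "10.0.1.20/24"), now=0.0)
    ok_a, _ = srv.deliver(ScanTask("t1", "acct-a", "10.0.1.0/24", "10.0.1.0/24", "asset_detect"))
    ok_c, _ = srv.deliver(ScanTask("t2", "acct-c", "10.0.1.0/24", "10.0.1.0/24", "vuln_scan"))
    pulled_by_p2 = srv.pull("p2")                # other tenant must see nothing
    pulled_by_p1 = srv.pull("p1")
    expired = srv.expire(now=100.0)              # no heartbeats since t=0: both stale
    ok_stale, _ = srv.deliver(ScanTask("t3", "acct-a", "10.0.1.0/24", "10.0.1.0/24", "vuln_scan"))
    srv.heartbeat("p1", now=110.0)               # probe reports again, back online
    ok_after, _ = srv.deliver(ScanTask("t3", "acct-a", "10.0.1.0/24", "10.0.1.0/24", "vuln_scan"))
    return {"p1_subnet": srv.db["p1"].subnet, "t1": ok_a, "t2": ok_c,
            "p2_pulled": len(pulled_by_p2), "p1_pulled": [t.task_id for t in pulled_by_p1],
            "expired": sorted(expired), "t3_stale": ok_stale, "t3_after": ok_after,
            "p1_status": srv.db["p1"].status}


if __name__ == "__main__":
    print(run_scenario())
```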
  • Figure 3 shows another scanning and detection method in a hybrid cloud environment.
  • This scanning and detection method can be executed by the probe server on the subnet side.
  • The scanning detection method in the hybrid cloud environment according to the embodiment of the present disclosure includes:
  • Step 302 Periodically pull the scanning and detection tasks cached in the management server whose target subnet is the current subnet, where the scanning and detection tasks are those cached by the management server after it receives a scanning and detection task issued by the current user and determines whether there is an online first probe in the target subnet.
  • The current subnet includes any one of the user room intranet, public network, and cloud intranet in a hybrid cloud environment.
  • The current subnet is the target subnet of the scanning detection task.
  • Step 304 Use the first probe to perform the scanning and detection task on the current subnet, and obtain the scanning and detection results.
  • Step 306 Send the scanning detection results to the management server.
  • Before step 302, the probe server generates probe information in response to the first probe being started in the current subnet, and reports the probe information of the first probe to the management server, so that the management server stores the probe information in the database and adds the first probe to the cached probe list.
  • The management server determines whether there is an online first probe in the target subnet of the scanning detection task based on the probe list.
  • The probe server can regularly report the heartbeat information of the first probe to the management server, so that the management server adds the latest heartbeat time of the first probe to the cache based on the heartbeat information.
  • Embodiments of the present disclosure provide a scanning and detection system in a hybrid cloud environment.
  • The scanning and detection system includes a management server and a subnet.
  • The subnet includes any one of the user computer room intranet, public network and cloud intranet in the hybrid cloud environment; after receiving the scanning and detection task issued by the current user, the management server determines whether there is an online first probe in the target subnet of the scanning and detection task, and, in response to there being an online first probe in the target subnet, caches the scanning and detection task for the first probe to pull regularly.
  • The scanning and detection task includes a vulnerability scanning task or an asset detection task; if the current subnet is the target subnet, the current subnet regularly pulls the scanning and detection task cached in the management server whose target subnet is the current subnet, uses the first probe to perform the scanning and detection task on the current subnet, and sends the scanning and detection results to the management server; the management server receives the scanning and detection results of the first probe.
  • The current subnet can also be used to report the probe information of the first probe to the management server in response to the first probe generating probe information after being started in the current subnet; the management server is also used to store the probe information in the database and add the first probe to the cached probe list, so that the management server determines whether there is an online first probe in the target subnet of the scanning detection task based on the probe list.
  • The scanning and detection method and system in the hybrid cloud environment can perform vulnerability scanning on different scanning environments by setting probes in the target subnet and using the probes to perform scanning and detection tasks on the target subnet, thereby enabling the unified distribution of vulnerability scanning tasks and unified viewing of scanning results in the hybrid cloud environment and improving the convenience for users to carry out security operation and maintenance work.
  • The scanning and detection device in the hybrid cloud environment provided by the present disclosure is described below.
  • The scanning and detection device in the hybrid cloud environment described below and the scanning and detection method in the hybrid cloud environment described above can be mutually referenced.
  • The scanning and detection device in the hybrid cloud environment according to the embodiment of the present disclosure is applied in the management server.
  • The scanning and detection device includes:
  • The determination unit 402 may be configured to determine, after receiving a scanning detection task issued by the current user, whether there is an online first probe in the target subnet of the scanning detection task, where the scanning detection task includes a vulnerability scanning task or an asset detection task.
  • The task parameters of the scanning detection task issued by the current user include the IP address or domain name of the first probe, the subnet information where the first probe is located, and the scanning task configuration. After the scanning detection task is issued, it can be obtained and executed by the first probe specified by the task parameters.
  • The target subnet can be any of the user's own IDC computer room, public network, and cloud VPC intranet.
  • The caching unit 404 may be configured to cache the scanning detection task in response to the first probe being online in the target subnet, so that the first probe can pull it regularly.
  • The scanning detection task can be cached in the cache of the current management server so that the corresponding first probe can periodically pull it.
  • The first probe with the set IP address or domain name in the target subnet can pull the scanning and detection task.
  • The receiving unit 406 may be configured to receive the scanning detection result of the first probe, where, after pulling the scanning detection task, the first probe executes the scanning detection task on the target subnet to obtain the scanning detection result.
  • The first probe executes the vulnerability scanning task or asset detection task according to the scanning task configuration in the task parameters, and uploads the scanning and detection results of the vulnerability scanning task or asset detection task to the management server.
  • A scanning probe is installed in the scanning target environment to perform a security scan on the target environment.
  • The scanning target environment supports IDC computer rooms, cloud VPC environments and public network environments, and is not limited to these.
  • Through the probe server, all probe information can be managed uniformly, scanning tasks can be issued uniformly, and scan results can be viewed uniformly.
  • The judgment unit can also be used to: obtain the target subnet and/or user account according to the task parameters of the scanning detection task; and judge whether there is an online first probe in the target subnet according to at least one of the target subnet and the user account.
  • The judgment unit may also be used to search for the first probe corresponding to the target subnet and/or user account in the cached probe list; if the first probe exists in the probe list, it confirms that the first probe exists online in the target subnet.
  • The scanning detection device may further include a probe registration unit, configured to: generate a probe installation script of the first probe according to the user's generation command, wherein the probe installation script is used to install the first probe in the target subnet, and probe information is generated after the first probe is started in the target subnet; receive the probe information reported by the first probe, store the probe information in the database, and add the first probe to the cached probe list.
  • The probe registration unit is used to install and start the first probe in the target subnet.
  • The user can send a generation command to the probe server, and the probe registration unit generates the probe installation script of the first probe according to the user's generation command.
  • The user uses the probe installation script in the target subnet to install the first probe in the target subnet, and then the first probe is started.
  • After the first probe is started, it obtains the intranet segment where the current device is located, that is, it obtains the IP address of the current device on which the first probe is installed, which can be used as the IP address of the first probe; the user account that installed the first probe, the target subnet where the first probe is located, and the IP address of the first probe are reported to the probe manager as the probe information of the first probe.
  • The scanning detection device may further include a heartbeat update unit configured to: receive heartbeat information regularly reported by the first probe, and add the latest heartbeat time of the first probe to the cache according to the heartbeat information.
  • The scanning detection device may also include a heartbeat detection unit for: periodically traversing the latest heartbeat time of the first probe in the current redis probe list; if the latest heartbeat time of the first probe is earlier than the set time, updating the status of the first probe in the database to offline and deleting the first probe from the cached probe list.
  • The scanning detection device may further include a generating unit configured to: when there is no online first probe, determine that the delivery of the scanning detection task has failed, so as to generate delivery failure information and return it to the current user.
  • The scanning and detection device in the hybrid cloud environment according to the embodiment of the present disclosure is applied in the management server.
  • The scanning and detection device includes:
  • The scheduled pulling unit 502 can be used to regularly pull scanning and detection tasks cached in the management server whose target subnet is the current subnet, where the scanning and detection tasks are those cached by the management server after it receives a scanning and detection task issued by the current user and determines whether there is an online first probe in the target subnet of the scanning detection task.
  • The current subnet includes any of the user room intranet, public network and cloud intranet in the hybrid cloud environment. The current subnet is the target subnet of the scanning detection task.
  • The task execution unit 504 may be configured to use the first probe to execute the scanning and detection task on the current subnet to obtain a scanning and detection result.
  • The sending unit 506 may be used to send the scanning detection results to the management server.
  • The scanning detection device may further include a reporting unit, configured to report the probe information of the first probe to the management server in response to the first probe generating probe information after being started in the current subnet, so that the management server stores the probe information in the database and adds the first probe to the cached probe list.
  • The management server determines whether there is an online first probe in the target subnet of the scanning detection task based on the probe list.
  • The reporting unit may also be configured to regularly report the heartbeat information of the first probe to the management server, so that the management server adds the latest heartbeat time of the first probe to the cache based on the heartbeat information.
  • Each functional module of the scanning and detection device in a hybrid cloud environment corresponds to the steps of the above-mentioned exemplary embodiment of the scanning and detection method in a hybrid cloud environment; for details not disclosed in the device embodiments of the present disclosure, please refer to the embodiments of the scanning detection method in the hybrid cloud environment described above in this disclosure.
  • The scanning and detection device in the hybrid cloud environment can perform vulnerability scanning on different scanning environments by setting probes in the target subnet and using the probes to perform scanning and detection tasks on the target subnet, thereby enabling the unified distribution of vulnerability scanning tasks and unified viewing of scanning results in the hybrid cloud environment and improving the convenience for users to carry out security operation and maintenance work.
  • Figure 6 illustrates a schematic diagram of the physical structure of an electronic device.
  • The electronic device may include: a processor (processor) 610, a communications interface (Communications Interface) 620, a memory (memory) 630 and a communication bus 640.
  • The processor 610, the communication interface 620, and the memory 630 communicate with each other through the communication bus 640.
  • The processor 610 can call logical instructions in the memory 630 to execute a scanning and detection method in a hybrid cloud environment. The method includes: after receiving a scanning and detection task issued by the current user, determining whether there is an online first probe in the target subnet of the scanning and detection task, wherein the scanning detection task includes a vulnerability scanning task or an asset detection task; in response to the first probe being online in the target subnet, caching the scanning detection task for the first probe to pull regularly; and receiving the scanning detection result of the first probe, wherein, after pulling the scanning detection task, the first probe executes the scanning detection task on the target subnet to obtain the scanning detection result; or, regularly pulling the scanning detection tasks cached in the management server whose target subnet is the current subnet, wherein the scanning detection tasks are those cached by the management server after it receives the scanning and detection task issued by the current user and determines whether there is an online first probe in the target subnet of the scanning and detection task, and the current subnet includes any one of the user's computer room intranet, a public network and an intranet on the cloud in the hybrid cloud environment, the current subnet being the target subnet of the scanning detection task; using the first probe to perform the scanning detection task on the current subnet to obtain the scanning detection result; and sending the scanning detection result to the management server.
  • The above-mentioned logical instructions in the memory 630 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product.
  • The technical solution of the present disclosure, in essence, or the part that contributes to the existing technology, or part of the technical solution, can be embodied in the form of a software product.
  • The computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in various embodiments of the present disclosure.
  • The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk, optical disk and other media that can store program code.
  • The present disclosure also provides a computer program product.
  • The computer program product includes a computer program stored on a non-transitory computer-readable storage medium.
  • The computer program includes program instructions. When the program instructions are read and executed by a computer, the computer can execute the scanning and detection method in the hybrid cloud environment provided by each of the above methods.
  • The method includes: after receiving the scanning and detection task issued by the current user, determining whether there is an online first probe in the target subnet of the scanning and detection task, wherein the scanning and detection task includes a vulnerability scanning task or an asset detection task; in response to the first probe being online in the target subnet, caching the scanning and detection task for the first probe to pull regularly; receiving the scanning detection result of the first probe, wherein, after pulling the scanning detection task, the first probe performs the scanning detection task on the target subnet to obtain the scanning detection result; or, regularly pulling the scanning detection tasks cached in the management server whose target subnet is the current subnet, wherein the scanning detection tasks are those received by the management server from the current user; the current subnet includes any one of the user's computer room intranet, a public network and an intranet on the cloud in the hybrid cloud environment, the current subnet being the target subnet of the scanning detection task; using the first probe to perform the scanning detection task of the current subnet to obtain scanning detection results; and sending the scanning detection results to the management server.
  • The present disclosure also provides a non-transitory computer-readable storage medium on which a computer program is stored, which, when executed by a processor, performs the above-mentioned scanning and detection method in a hybrid cloud environment.
  • The method includes: after receiving a scanning detection task issued by the current user, determining whether there is an online first probe in the target subnet of the scanning detection task, wherein the scanning detection task includes a vulnerability scanning task or an asset detection task; in response to the first probe being online in the target subnet, caching the scanning detection task for the first probe to pull regularly; receiving the scanning detection result of the first probe, wherein, after pulling the scanning detection task, the first probe executes the scanning detection task on the target subnet to obtain the scanning detection result; or, periodically pulling the scanning and detection tasks cached in the management server whose target subnet is the current subnet, wherein the scanning and detection task is one for which the management server, after receiving the scanning and detection task issued by the current user, determines whether there
  • The device embodiments described above are only illustrative.
  • The units described as separate components may or may not be physically separated.
  • The components shown as units may or may not be physical units, that is, they may be located in one location or distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. Persons of ordinary skill in the art can understand and implement the method without any creative effort.
  • Each embodiment can be implemented by software plus a necessary general hardware platform, and of course it can also be implemented by hardware.
  • The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes a number of instructions to cause a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods described in various embodiments or certain parts of the embodiments.

Abstract

The present disclosure relates to a scanning detection method, apparatus and system in a hybrid cloud environment, and a device and medium. The method includes the following steps: after receiving a scanning detection task issued by the current user, determining whether there is an online first probe in a target subnet of the scanning detection task, the scanning detection task including a vulnerability scanning task or an asset detection task, and the target subnet including any one of a user computer room intranet, a public network and a cloud intranet in a hybrid cloud environment; in response to there being an online first probe in the target subnet, caching the scanning detection task so that the first probe pulls it periodically; and receiving a scanning detection result from the first probe, where, after pulling the scanning detection task, the first probe executes the scanning detection task on the target subnet to obtain the scanning detection result. The technical solution of the present disclosure can implement vulnerability scanning in different environments.
PCT/CN2022/142001 2022-04-24 2022-12-26 Procédé, appareil et système de détection de balayage dans un environnement infonuagique hybride, et dispositif et support WO2023207175A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210435857.0A CN114900341B (zh) 2022-04-24 2022-04-24 混合云环境下的扫描探测方法、装置、系统、设备和介质
CN202210435857.0 2022-04-24

Publications (1)

Publication Number Publication Date
WO2023207175A1 true WO2023207175A1 (fr) 2023-11-02

Family

ID=82717365

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/142001 WO2023207175A1 (fr) 2022-04-24 2022-12-26 Procédé, appareil et système de détection de balayage dans un environnement infonuagique hybride, et dispositif et support

Country Status (2)

Country Link
CN (1) CN114900341B (fr)
WO (1) WO2023207175A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900341B (zh) * 2022-04-24 2023-11-03 京东科技信息技术有限公司 混合云环境下的扫描探测方法、装置、系统、设备和介质

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8019856B1 (en) * 2007-11-07 2011-09-13 Trend Micro Incorporated Automatic mapping and location discovery of computers in computer networks
CN107566394A (zh) * 2017-09-28 2018-01-09 小花互联网金融服务(深圳)有限公司 一种云平台实例主机的新增自动发现并快速漏洞扫描方法
CN111090615A (zh) * 2019-12-11 2020-05-01 哈尔滨安天科技集团股份有限公司 混合资产的分析处理方法、装置、电子设备及存储介质
CN113014427A (zh) * 2021-02-22 2021-06-22 深信服科技股份有限公司 网络管理方法和设备,及存储介质
CN114050940A (zh) * 2022-01-10 2022-02-15 北京华云安信息技术有限公司 一种资产漏洞探测方法、装置和电子设备
CN114900341A (zh) * 2022-04-24 2022-08-12 京东科技信息技术有限公司 混合云环境下的扫描探测方法、装置、系统、设备和介质

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9438634B1 (en) * 2015-03-13 2016-09-06 Varmour Networks, Inc. Microsegmented networks that implement vulnerability scanning
CN108282489B (zh) * 2018-02-07 2020-01-31 网宿科技股份有限公司 一种漏洞扫描方法、服务端及系统
US10778534B2 (en) * 2018-06-13 2020-09-15 Juniper Networks, Inc. Virtualization infrastructure underlay network performance measurement and monitoring
CN109089301B (zh) * 2018-07-19 2021-01-15 深圳云盈网络科技有限公司 网络数据处理系统及方法
CN110677315A (zh) * 2019-08-30 2020-01-10 视联动力信息技术股份有限公司 一种状态监控的方法和系统
CN113497731B (zh) * 2020-04-04 2023-05-23 杭州迪普科技股份有限公司 集控探针调度方法及集控探针管理系统
US11659029B2 (en) * 2020-05-29 2023-05-23 Vmware, Inc. Method and system for distributed multi-cloud diagnostics
CN111726352B (zh) * 2020-06-17 2023-05-26 杭州安恒信息技术股份有限公司 可视化监测探针状态的方法、装置、计算机设备和介质
CN113240258B (zh) * 2021-04-30 2023-04-28 山东云天安全技术有限公司 一种工业资产探测方法、设备及装置

Also Published As

Publication number Publication date
CN114900341B (zh) 2023-11-03
CN114900341A (zh) 2022-08-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22939984

Country of ref document: EP

Kind code of ref document: A1