CN103916376A - Cloud system with attack defense mechanism and defense method thereof - Google Patents

Info

Publication number
CN103916376A
Authority
CN
China
Prior art keywords
host
server
security rule
security center
update
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310007908.0A
Other languages
Chinese (zh)
Inventor
洪瑞聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HOPE BAY TECHNOLOGIES, INC.
Original Assignee
Delta Optoelectronics Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Delta Optoelectronics Inc
Priority to CN201310007908.0A
Publication of CN103916376A

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a cloud system with an attack defense mechanism and a defense method for the cloud system. The cloud system comprises a security center server, a monitoring server and a host. After the host is powered on, the monitoring server deploys it, so that a sensing program is installed and a local security rule is run. The host monitors itself through the sensing program and reports to the monitoring server when any datum exceeds a threshold value. The monitoring server judges from the reported data whether the host is attacked and notifies the security center server when it determines that the host is attacked. When the security center server receives the notification, it analyzes from the related data what kind of attack the host has suffered and generates a new security rule after the analysis. Finally, the security center server redeploys the attacked host according to the new security rule, so that the local security rule run in the host is updated.

Description

Cloud system with attack defense mechanism and defense method thereof
Technical field
The present invention relates to cloud systems, and more particularly to a cloud system having an attack defense mechanism and to the defense method used by such a cloud system.
Background art
In general, when a cloud system is attacked (for example, intruded from outside by a hacker, or a host is implanted with a Trojan and launches an attack from inside), administrators must, after discovering the attack, judge the situation themselves or import an algorithm for analysis in order to obtain information such as the pattern, source and target of the attack.
Moreover, beyond identifying the above attack information, a solution must be further worked out; only then can administrators log in to the attacked host and manually modify the host's internal settings according to the solution, so that the host can eliminate the attack.
Furthermore, some cloud systems set up a filtering server that provides packet filtering: every packet carrying data and/or instructions bound for the cloud system is first routed into this filtering server and filtered, and only after the filtering server confirms that the data or instructions are harmless is the packet forwarded to the corresponding host in the cloud system. Under such an architecture, however, once the filtering server fails, every host in the cloud system is cut off from the outside, so that none of the hosts in the cloud system can be accessed.
In addition, because every packet in the cloud system must first pass through the filtering server, the network traffic of the whole cloud system concentrates on that server. This places a heavy burden on the whole cloud system and easily affects its operation.
Summary of the invention
The main purpose of the present invention is to provide a cloud system with an attack defense mechanism and a defense method thereof which, when a host is attacked, generate a new security rule and redeploy the attacked host with it, in order to eliminate the attack the host suffered.
To achieve the above purpose, the present invention provides a cloud system with an attack defense mechanism, comprising:
a host, on which a sensing program is installed to monitor each datum of the host, the host triggering an event when any datum exceeds a threshold value;
a monitoring server connected to the host, which judges from the event whether the host is attacked and sends out a warning message when it determines that the host is attacked; and
a security center server connected to the monitoring server and the host, which receives the warning message from the monitoring server;
wherein the security center server analyzes the warning message, generates an updated security rule, and redeploys the host with the updated security rule.
The present invention also provides an attack defense method for a cloud system, wherein the cloud system comprises a host, a monitoring server connected to the host, and a security center server connected to the host and the monitoring server, the attack defense method comprising:
a) the host monitoring each datum through a sensing program;
b) triggering an event when any datum exceeds a threshold value;
c) the monitoring server judging from the event whether the host is attacked;
d) the monitoring server generating a warning message and notifying the security center server when it determines that the host is attacked;
e) the security center server receiving the warning message from the monitoring server, analyzing from it what kind of attack the host has suffered, and generating an updated security rule from the analysis result; and
f) the security center server redeploying the host according to the updated security rule.
The present invention further provides a cloud system with an attack defense mechanism, comprising:
a host, on which a sensing program is installed to monitor each datum of the host, and which internally runs a local security rule to perform security protection of the host and to set a threshold value, the host triggering an event when any datum exceeds the threshold value;
a monitoring server connected to the host, which judges from the event whether the host is attacked and sends out a warning message when it determines that the host is attacked;
a security center server connected to the monitoring server and the host, which receives the warning message from the monitoring server, analyzes from it what kind of attack the host has suffered, and generates an updated security rule from the analysis result; and
a knowledge base connected to the security center server, which stores the updated security rule generated by the security center server;
wherein the security center server redeploys the host with the updated security rule so as to update the local security rule running inside the host.
Compared with the prior art, the effect achieved by the present invention is as follows. While a host monitors its own data, if it finds signs of an attack it notifies the security center server via the monitoring server. The security center server then analyzes what kind of attack the host has suffered, generates a new security rule aimed at eliminating that attack, and redeploys the host with the new security rule. Because the new security rule is generated in response to the attack, once the host has been redeployed with it the attack can be effectively eliminated and the host is protected against it. This substantially improves the security of the whole cloud system.
Brief description of the drawings
Fig. 1 is a system architecture diagram of a preferred embodiment of the present invention.
Fig. 2 is a rack schematic of the cloud machine room of a preferred embodiment of the present invention.
Fig. 3 is a system block diagram of a preferred embodiment of the present invention.
Fig. 4 is a deployment flowchart of a preferred embodiment of the present invention.
Fig. 5 is a security rule update flowchart of a preferred embodiment of the present invention.
Fig. 6 is an attack notification flowchart of a preferred embodiment of the present invention.
Fig. 7 is an attack defense flowchart of a preferred embodiment of the present invention.
Fig. 8 is a system block diagram of another preferred embodiment of the present invention.
Fig. 9 is a defense sequence flowchart of a preferred embodiment of the present invention.
The reference numerals are as follows:
1 ... monitoring server
10 ... notification rule
2, 2' ... security center server
20 ... attack analysis algorithm
3 ... knowledge base
30 ... updated security rule
4 ... host
40 ... sensing program
400 ... local security rule
41 ... computing node host
42 ... storage node host
43 ... network switch
5 ... rack
S10 ~ S16 ... steps
S20 ~ S24 ... steps
S30 ~ S42 ... steps
S50 ~ S58 ... steps
S60 ~ S80 ... steps
Embodiments
A preferred embodiment of the present invention is described in detail below with reference to the drawings.
Refer first to Fig. 1, a system architecture diagram of a preferred embodiment of the present invention. The present invention mainly discloses a cloud system with an attack defense mechanism. As shown in the figure, the cloud system mainly comprises a monitoring server 1 (management server), a security center server 2 (security center), a knowledge base 3 and at least one host 4 (node). In this embodiment, the hosts 4 may be physical machines (PM), such as a physical computing node host 41 (computing node), a storage node host 42 (storage node) or a network switch 43 (switch), or they may be virtual machines (VM), such as a virtual node host (virtual node) or a virtual switch; there is no limitation. For convenience, the specification below describes a single host 4, but the number of hosts 4 is in fact not limited to one.
The host 4 mainly serves in its corresponding role in the cloud system, providing services to clients. The monitoring server 1 is connected to the host 4 to monitor its operating condition; when the host 4 becomes abnormal, it reports to the monitoring server 1, and the monitoring server 1 determines whether the abnormality results from an attack on the host 4.
The attacks referred to in this embodiment are mainly virus or hacker attacks. Such attacks generally cause, for example, a sudden rise in the external throughput of the host 4, or an abnormal access rate because a file inside the host has been implanted with a Trojan. Once such a condition is reported to the monitoring server 1, the monitoring server 1 can judge whether the host 4 has really been attacked.
After the monitoring server 1 concludes that the host 4 has been attacked, it notifies the security center server 2 in the form of an event, using the information monitored at that time, and the security center server 2 performs event analysis, assessment and handling. The security center server 2 is the information security core of the whole cloud system: when it receives an event notification from the monitoring server 1, it evaluates the accompanying data with an algorithm to analyze what kind of attack the host 4 has suffered. The security center server 2 can then immediately generate a solution from the analysis result and perform a security redeployment (re-deployment) of the attacked host 4, so that after redeployment the host 4 eliminates, with its new security configuration, the attack it originally suffered.
It is worth mentioning that each time the security center server 2 completes an analysis, it stores the analysis result and the solution generated from it in the knowledge base 3. Thus, when a new host is activated in the cloud system, it can be deployed directly with the latest security configuration, so that it is protected against the attacks other hosts previously suffered.
Refer next to Fig. 2, a rack schematic of the cloud machine room of a preferred embodiment of the present invention. In this embodiment, the monitoring server 1, the security center server 2, the knowledge base 3 and the host 4 of the cloud system may all be arranged in the same rack 5 of the cloud machine room and connected to one another by physical cabling through the network switch in the rack 5 (not shown). Although this embodiment takes a single rack 5 in the cloud machine room as an example, in other embodiments the monitoring server 1, the security center server 2, the knowledge base 3 and the host 4 may be arranged in different racks of the same cloud machine room and connected to one another over the network. These are only preferred embodiments of the present invention and are not limiting.
Refer to Fig. 3, a system block diagram of a preferred embodiment of the present invention. After the host 4 starts, it accepts a deployment action from the monitoring server 1, whereby a sensing program 40 and a local security rule 400 are installed in the host 4. The host 4 runs the local security rule 400 to perform security protection and to set a corresponding threshold value for each datum of the host 4. It is worth mentioning that the local security rule 400 that the monitoring server 1 deploys to the host 4 may mainly be a kind of firewall rule, so that the host 4 can protect itself against various possible malicious attacks, but it is not limited to this.
The host 4 further monitors itself through the sensing program 40, which watches each datum of the host 4, such as external throughput, CPU utilization, hard disk capacity, temperature and file access rate. When the sensing program 40 finds that any datum exceeds the threshold value set by the local security rule 400, an event is triggered and reported to the monitoring server 1.
More specifically, the sensing program 40 is deployed and installed in the host 4 by the monitoring server 1, so the host 4 can report to the monitoring server 1 through the sensing program 40. When the event is triggered, the host 4 generates event-related data (that is, the related data of the datum that exceeded the threshold) and reports the event-related data to the monitoring server 1 at the same time.
When the event is triggered, the monitoring server 1 judges from the event whether the host 4 has been attacked or whether the data are merely unstable for some other reason. More specifically, the monitoring server 1 runs a notification rule 10 internally and uses it to analyze the received event-related data, thereby judging whether the host 4 has really been attacked.
If the event is caused by other factors, the monitoring server 1 performs a corresponding action; if it judges that the host 4 has really been attacked, the monitoring server 1 generates a warning message from the event-related data and notifies the security center server 2 in the form of an event. More specifically, after its analysis the monitoring server 1 judges whether the notification criteria laid down by the notification rule 10 are met and, when they are, sends the warning message, which contains the event-related data, to notify the security center server 2.
After the security center server 2 receives the notification (that is, the warning message) from the monitoring server 1, it evaluates the event, analyzes from it what kind of attack the host 4 has suffered, generates an updated security rule 30 from the analysis result, and stores it in the knowledge base 3. More specifically, the security center server 2 runs an attack analysis algorithm 20 internally and uses it to analyze the event-related data, thereby deriving the attack pattern the host 4 suffered and developing a corresponding solution; the updated security rule 30 is generated from that solution.
Finally, the security center server 2 redeploys the attacked host 4 according to the updated security rule 30, thereby updating the local security rule 400 inside the host 4 to a new version. A technical feature of the present invention is that the updated security rule 30 is generated specifically for the attack the host 4 suffered, so once the host 4 has deployed the updated security rule 30 it can readily eliminate the attack, which is of considerable benefit to administrators. It is worth mentioning that the updated security rule 30 may mainly be a kind of firewall rule that lets the host 4 protect itself against various possible attacks, but it is not limited to this.
For instance, when the attack is an external attack, the security center server 2 can compute the source (source address) of the attack from the event-related data and, in the updated security rule 30, block access from that source. As another example, if the attack is an internal attack, the security center server 2 can compute from the event-related data which program or file is launching the attack and, in the updated security rule 30, isolate that program or file so that it cannot disturb other programs or files in the host 4, and delete it when the host 4 is idle. The above are only preferred embodiments of the present invention; the security center server 2 can in fact analyze different results for different attack patterns and generate different updated security rules 30, and is not limited to these.
Furthermore, besides the attacked host 4, the security center server 2 can also redeploy all hosts in the cloud system according to the updated security rule 30, thereby preventing the other hosts in the cloud system from suffering the same attack and achieving an effective defense mechanism.
Refer now to Fig. 4 and Fig. 5, which are respectively the deployment flowchart and the security rule update flowchart of a preferred embodiment of the invention. Referring first to Fig. 4, to set up the cloud system of the present invention, administrators must first power on the host 4 (step S10). More specifically, if the host 4 is a physical machine, administrators can power it on by wake-on-LAN or by pressing the physical power button (not shown) on the host 4; if the host 4 is a virtual machine, administrators can create the host 4 through the standard virtual machine creation procedure.
Then the monitoring server 1 learns of the existence of the host 4 and deploys the corresponding sensing program 40 to it (step S12), so that the host 4 monitors itself through the sensing program 40. The monitoring server 1 further deploys the required local security rule 400 to the host 4 (step S14), so that the host 4 runs the local security rule 400 to perform security protection (step S16) and sets the threshold value of each datum of the host 4 according to the local security rule 400. After step S16, the host 4 formally takes up its corresponding role in the cloud system of the present invention.
Then, as shown in Fig. 5, once the host 4 has been deployed with the local security rule 400, it can further send a query to the security center server 2 according to the local security rule 400 (step S20), and the security center server 2 checks whether an updated security rule 30 has already been generated (step S22). More specifically, the host 4 can query the security center server 2 by means of an MD5 digest or a hash table, to confirm how the version of its local security rule 400 compares with the version of the security rule in the knowledge base 3.
If, after the security center server 2 checks, no updated security rule 30 has yet been generated, the local security rule 400 is the latest version, so the host 4 and the security center server 2 take no action. If the security center server 2 finds that an updated security rule 30 exists in the knowledge base 3, it redeploys the host 4 with the updated security rule 30 (step S24), thereby updating the version of the local security rule 400 in the host 4 so that the host 4 can operate in the best protected state.
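The version query of Fig. 5 (steps S20 to S24, repeated as steps S64 to S66 in Fig. 9), as an added example that is not code from the patent. The host sends a digest of its local security rule; the security center compares it with the digest of the rule in the knowledge base and replies either "latest" or the updated rule. SHA-256 over canonical JSON stands in for the MD5 the patent mentions, since MD5 is not collision resistant and should not be used to decide whether two rule sets are the same. The shared key, the HMAC tag on the reply, the rule contents and the class and function names are assumptions made for this demonstration.

```python
# Added example, not code from the patent: the version query of Fig. 5 (S20-S24,
# also S64-S66 in Fig. 9). SHA-256 over canonical JSON stands in for the MD5
# the patent mentions; the shared key and the HMAC tag on the reply are additions.
import hashlib
import hmac
import json
from typing import Dict


def canonical(rule: Dict) -> bytes:
    """Canonical JSON, so equal rules give equal digests whatever the key order."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()


def rule_digest(rule: Dict) -> str:
    return hashlib.sha256(canonical(rule)).hexdigest()


class SecurityCenter:
    """Security center server 2 holding the knowledge base 3 (latest rule)."""

    def __init__(self, rule: Dict, key: bytes):
        self.knowledge_base = rule
        self.key = key                # assumed key shared with the hosts

    def query(self, host_digest: str) -> Dict:
        """S22: compare the host's digest with the knowledge base; reply 'latest'
        or the updated rule together with an HMAC tag over it."""
        if hmac.compare_digest(host_digest, rule_digest(self.knowledge_base)):
            return {"status": "latest"}
        tag = hmac.new(self.key, canonical(self.knowledge_base), hashlib.sha256).hexdigest()
        return {"status": "update", "rule": self.knowledge_base, "tag": tag}


class Host:
    """Host 4 holding its local security rule 400."""

    def __init__(self, rule: Dict, key: bytes):
        self.rule = rule
        self.key = key

    def check_for_update(self, center: SecurityCenter) -> str:
        """S20 and S24: send the local digest; accept a new rule only if its tag verifies."""
        reply = center.query(rule_digest(self.rule))
        if reply["status"] == "latest":
            return "latest"
        expected = hmac.new(self.key, canonical(reply["rule"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, reply["tag"]):
            return "rejected"        # unverifiable reply: keep the current rule
        self.rule = reply["rule"]    # S24: redeploy the updated rule
        return "updated"


# Constructed rules and key for the demonstration.
KEY = b"example-shared-key"
RULE_V1 = {"version": 1, "blocked_sources": []}
RULE_V2 = {"version": 2, "blocked_sources": ["203.0.113.5"]}


def demo() -> Dict:
    center = SecurityCenter(RULE_V2, KEY)
    stale = Host(RULE_V1, KEY)
    current = Host({"blocked_sources": ["203.0.113.5"], "version": 2}, KEY)  # same rule, other key order
    mis_keyed = Host(RULE_V1, b"another-key")
    return {"stale": stale.check_for_update(center),
            "stale_version": stale.rule["version"],
            "current": current.check_for_update(center),
            "mis_keyed": mis_keyed.check_for_update(center)}
```

The digest comparison alone tells the host only that its rule differs from the knowledge base; it does not tell the host who sent the replacement. Because the redeployment channel can rewrite every host's firewall rule, the tag check in check_for_update is the part a practitioner would insist on before letting a host accept a rule from the network.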
Refer next to Fig. 6, the attack notification flowchart of a preferred embodiment of the present invention. First, the host 4 monitors itself through its internal sensing program 40 (step S30) to obtain each datum of the host 4, such as throughput, CPU usage, hard disk rotation speed, hard disk capacity, temperature, humidity and the access rate of each program or file. It then periodically judges whether any datum exceeds the threshold value set by the local security rule 400 (step S32). If all data are normal and none exceeds its threshold, the host 4 takes no action and continues to monitor itself through the sensing program 40.
When any datum exceeds its threshold value, the host 4 triggers an event and automatically reports to the monitoring server 1 (step S34). More specifically, when the event is triggered the host 4 simultaneously reports the event-related data (that is, the related data of the datum that exceeded the threshold) to the monitoring server 1, so that the monitoring server 1 can perform a detailed analysis.
After the event is triggered, the monitoring server 1 receives the event-related data reported by the host 4 (step S36) and analyzes it according to its internally running notification rule 10 (step S38), thereby judging whether the host 4 has really been attacked (step S40). If the monitoring server 1 finds after analysis that the notification criteria laid down by the notification rule 10 are not met, the host 4 has not been attacked and the data are unstable for other reasons. In this case the monitoring server 1 performs a corresponding action (such as logging the data or notifying administrators) but does not notify the security center server 2.
If, however, the monitoring server 1 finds after analysis that the host 4 has really been attacked, it notifies the security center server 2 with the warning message (step S42). More specifically, the monitoring server 1 generates the warning message from the event-related data to notify the security center server 2, so that the security center server 2 can analyze the attack pattern in detail from the event-related data.
Refer now to Fig. 7, the attack defense flowchart of a preferred embodiment of the present invention. When the host 4 is suspected of being attacked, it reports to the monitoring server 1, and when the monitoring server 1 confirms that the host 4 has really been attacked, it notifies the security center server 2. The security center server 2 receives the warning message from the monitoring server 1 (step S50) and analyzes what kind of attack the host 4 has suffered. More specifically, the security center server 2 analyzes the event-related data with its internally running attack analysis algorithm 20 (step S52), thereby determining the attack pattern, and then generates the updated security rule 30 from the analysis result (step S54). That is, the updated security rule 30 is formed by updating the original security rule with the solution derived from the analysis, so deploying the updated security rule 30 can effectively eliminate the attack.
After step S54, the security center server 2 redeploys the attacked host 4 with the updated security rule 30 (step S56). As mentioned above, the updated security rule 30 is generated in response to the attack, so once the host 4 has deployed it the attack can readily be eliminated and the operation and data of the host 4 return to normal. It is worth mentioning that, besides the attacked host 4, the security center server 2 can also redeploy all hosts in the cloud system with the updated security rule 30 (step S58). The benefit is that the updated security rule 30 adds protection against this attack, so once all hosts in the cloud system have deployed it, they will not suffer the attack the host 4 once suffered; that is, for the other hosts it effectively achieves prevention.
With the system and method of the present invention, whenever any host in the cloud system is attacked, the attack is notified to the security center server 2 through the monitoring server 1, analyzed by the security center server 2, and an updated security rule 30 is generated for the analysis result. As long as all hosts in the cloud system accept redeployment and run the updated security rule 30, none of them will again be affected by the same attack pattern.
Consulting Fig. 8, is the system block diagrams of another preferred embodiment of the present invention.In the middle of previous embodiment, this knowledge base 3 is mainly take a separate server in this high in the clouds system as example, serves as the role of safety regulation 30 after this renewal of storage, and connects this security centre's server 2 by entity connecting line or network.But in the present embodiment, this high in the clouds system also can provide another security centre's server 2 ', this security centre's server 2 ' inside provides a memory cell, and serves as this knowledge base 3 in this high in the clouds system with this memory cell.In the middle of the present embodiment, this high in the clouds system needn't provide extra property server to come as this knowledge base 3 again, therefore can effectively save the quantity of server.But, above are only another instantiation of the present invention, this knowledge base 3 by entity independently server serve as, or be integrated with this security centre's server 2 ', should be required depending on the reality of high in the clouds system, should be as limit.
Consulting Fig. 9, is the protection sequential flow chart of a preferred embodiment of the present invention.In the system of high in the clouds of the present invention, first need dispose this detection procedure 40 (step S60) for this all main frames 4 by this monitoring server 1, and, then dispose this local side safety regulation 400 (step S62) by this monitoring server 1 for this all main frames 4.Then, this main frame 4, according to this local side safety regulation 400, inquires whether this security centre's server 2 is latest edition (step S64), and then, if latest edition, this security centre's server 2 can be replied this main frame 4 for latest edition; And if safety regulation 30 produces after having this renewal in this knowledge base 3, Ze Gai security centre server 2 can be this main frame 4 and re-starts deployment, this local side safety regulation 400 is upgraded to safety regulation 30 (step S66) after this renewal.
After this main frame 4 starts, continue self-monitoring by this detection procedure 40, with every data (step S68) of this main frame 4 of sensing.And in the time having any one data to exceed the threshold value that this local side safety regulation 400 formulates, the event that triggers starts, and returns this monitoring server 1 (step S70).This monitoring server 1 is accepted after return, first analyze for this event, judge whether this main frame 4 suffers to attack (step S72), and in the time that definite this main frame 4 is attacked, notify this security centre's server 2 (step S74) with this warning message.
After receiving the warning message, the security center server 2 analyzes the attack pattern and, according to the analysis result, produces the updated security rule 30 (step S76) and stores the updated security rule 30 in the knowledge base 3 (step S78), thereby upgrading the existing security rule in the knowledge base 3 to the updated security rule 30. Finally, the security center server 2 re-deploys the attacked host 4 according to the updated security rule 30 (step S80), thereby updating the local security rule 400 inside the host 4, so that the upgraded local security rule 400 can eliminate the attack suffered by the host 4 and the host 4 can return to stable operation. After step S80, the host 4 still continues to monitor itself through the sensing program 40, in order to watch for the next possible attack.
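The Fig. 9 flow (deploy, version check, sense, report, judge, analyze, store, re-deploy), as an added Python simulation that is not part of the patent: the metric names, thresholds, the notification rule, the attack-analysis heuristic and the sample data are all constructed assumptions.

```python
import copy

def make_rule(version, thresholds, blocked=()):
    # A security rule: per-metric threshold values plus a firewall block list.
    return {"version": version, "thresholds": dict(thresholds),
            "blocked": sorted(set(blocked))}

class KnowledgeBase:  # holds the latest updated security rule 30 (steps S66/S78)
    def __init__(self, rule):
        self.rule = rule

class SecurityCenter:
    def __init__(self, kb):
        self.kb = kb
    def check_version(self, host):           # steps S64/S66: host asks for latest
        if host.rule["version"] < self.kb.rule["version"]:
            host.deploy(self.kb.rule)
            return True
        return False
    def handle_warning(self, host, data):   # steps S76 to S80
        rule = copy.deepcopy(self.kb.rule)
        rule["version"] += 1
        # Attack analysis (constructed): a connection-rate spike from one source = flood; block it.
        if data["metric"] == "conn_per_sec" and data.get("top_source"):
            rule["blocked"] = sorted(set(rule["blocked"]) | {data["top_source"]})
        self.kb.rule = rule                  # store in the knowledge base
        host.deploy(rule)                    # re-deploy the attacked host
        return rule

class Monitor:
    def __init__(self, center):
        self.center = center
    def report(self, host, data):           # steps S70 to S74
        # Notification rule (constructed): escalate only after three consecutive exceedances.
        return self.center.handle_warning(host, data) if data["consecutive"] >= 3 else None

class Host:
    def __init__(self, monitor, rule):
        self.monitor = monitor
        self.deploy(rule)                    # steps S60/S62: sensor plus local rule
    def deploy(self, rule):
        self.rule, self.streak = rule, {}    # streak: consecutive exceedances per metric
    def sense(self, sample):                 # step S68: compare each datum to its threshold
        result = None
        for metric, limit in self.rule["thresholds"].items():
            value = sample.get(metric, 0)
            self.streak[metric] = self.streak.get(metric, 0) + 1 if value > limit else 0
            if value > limit:
                data = {"metric": metric, "value": value, "consecutive": self.streak[metric],
                        "top_source": sample.get("top_source")}
                result = self.monitor.report(self, data) or result
        return result

def simulate():
    # Constructed scenario: three consecutive over-threshold samples from one source.
    thresholds = {"conn_per_sec": 500, "cpu_pct": 90}
    kb = KnowledgeBase(make_rule(1, thresholds))
    host = Host(Monitor(SecurityCenter(kb)), make_rule(1, thresholds))
    flood = {"conn_per_sec": 4000, "cpu_pct": 40, "top_source": "203.0.113.7"}
    return [host.sense(flood) for _ in range(3)], host.rule, kb.rule
```

The first two samples only raise the streak and are not escalated; the third produces rule version 2 with the source blocked, stored in the knowledge base and pushed back to the host.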
The foregoing are only preferred embodiments of the present invention and do not therefore limit the scope of the claims of the present invention; equivalent changes made using the content of the present invention are all likewise contained within the scope of the present invention, which is hereby stated.

Claims (20)

1. A cloud system with an attack defending mechanism, comprising:
a host, on which a sensing program is installed to monitor each item of data of the host, the host triggering an event when any one of the items of data exceeds a threshold value;
a monitoring server, connected to the host, which judges according to the event whether the host is attacked and sends out a warning message when it determines that the host is attacked; and
a security center server, connected to the monitoring server and the host, which receives the warning message from the monitoring server;
wherein the security center server analyzes the warning message to produce an updated security rule, and re-deploys the host with the updated security rule.
2. The cloud system as claimed in claim 1, wherein a local security rule runs inside the host to perform security protection of the host and to set the threshold value, and the security center server re-deploys the host with the updated security rule so as to update the local security rule.
3. The cloud system as claimed in claim 2, wherein the local security rule and the updated security rule are firewall rules.
4. The cloud system as claimed in claim 1, wherein the host is a physical machine, a virtual machine, a network switch or a virtual network switch.
5. The cloud system with an attack defending mechanism as claimed in claim 1, further comprising a knowledge base, connected to the security center server, which stores the updated security rule produced by the security center server.
6. The cloud system as claimed in claim 5, wherein the host, the monitoring server, the security center server and the knowledge base are arranged in the same rack of a cloud machine room.
7. The cloud system as claimed in claim 1, wherein when the host triggers the event it simultaneously returns event-related data to the monitoring server; a notification rule runs inside the monitoring server, and the monitoring server analyzes the event-related data according to the notification rule to judge whether the host is attacked, and when it determines that the host is attacked, the monitoring server produces the warning message according to the event-related data to notify the security center server.
8. The cloud system as claimed in claim 7, wherein an attack analysis algorithm runs inside the security center server, and the security center server analyzes the event-related data according to the attack analysis algorithm to derive the attack pattern suffered by the host, and produces the updated security rule accordingly.
9. An attack defending method for a cloud system, wherein the cloud system comprises a host, a monitoring server connected to the host, and a security center server connected to the host and the monitoring server, the attack defending method comprising:
a) the host monitors each item of data through a sensing program;
b) when any one of the items of data exceeds a threshold value, an event is triggered;
c) the monitoring server judges according to the event whether the host is attacked;
d) the monitoring server produces a warning message and notifies the security center server when it determines that the host is attacked;
e) the security center server receives the warning message from the monitoring server, analyzes accordingly what kind of attack the host is suffering, and produces an updated security rule according to the analysis result; and
f) the security center server re-deploys the host according to the updated security rule.
10. The attack defending method as claimed in claim 9, further comprising a step g): the security center server re-deploys all attacked hosts in the cloud system according to the updated security rule.
11. The attack defending method as claimed in claim 9, wherein step c) comprises the following steps:
c1) the monitoring server receives event-related data produced and returned by the host according to the event; and
c2) the monitoring server analyzes the event-related data according to a notification rule, to judge whether the host is attacked;
wherein, in step d), the monitoring server produces the warning message according to the event-related data to notify the security center server.
12. The attack defending method as claimed in claim 11, wherein step e) comprises the following steps:
e1) the security center server receives the event-related data;
e2) the event-related data is analyzed according to an attack analysis algorithm, to judge what kind of attack the host is suffering; and
e3) the updated security rule is produced according to the analysis result.
13. The attack defending method as claimed in claim 9, further comprising the following steps before step a):
a01) the host starts up;
a02) the monitoring server deploys the sensing program to the host;
a03) the monitoring server deploys a local security rule to the host; and
a04) the host runs the local security rule, to perform security protection and to set the threshold value.
14. The attack defending method as claimed in claim 13, further comprising the following steps before step a):
a05) the host sends a query to the security center server according to the local security rule;
a06) the security center server looks up whether there is an updated security rule; and
a07) if there is an updated security rule, the security center server re-deploys the host according to the updated security rule, so as to update the local security rule.
15. The attack defending method as claimed in claim 14, wherein the cloud system further comprises a knowledge base connected to the security center server, which stores the updated security rule, and in step a06) the security center server queries the knowledge base for whether there is an updated security rule.
16. The attack defending method as claimed in claim 13, wherein the local security rule and the updated security rule are firewall rules.
17. A cloud system with an attack defending mechanism, comprising:
a host, on which a sensing program is installed to monitor each item of data of the host, and inside which a local security rule runs to perform security protection of the host and to set a threshold value, the host triggering an event when any one of the items of data exceeds the threshold value;
a monitoring server, connected to the host, which judges according to the event whether the host is attacked and sends out a warning message when it determines that the host is attacked;
a security center server, connected to the monitoring server and the host, which receives the warning message from the monitoring server, analyzes accordingly what kind of attack the host is suffering, and produces an updated security rule according to the analysis result; and
a knowledge base, connected to the security center server, which stores the updated security rule produced by the security center server;
wherein the security center server re-deploys the host with the updated security rule, so as to update the local security rule running inside the host.
18. The cloud system as claimed in claim 17, wherein when the host triggers the event it simultaneously returns event-related data to the monitoring server; a notification rule runs inside the monitoring server, and the monitoring server analyzes the event-related data according to the notification rule to judge whether the host is attacked, and when it determines that the host is attacked, the monitoring server produces the warning message according to the event-related data to notify the security center server.
19. The cloud system as claimed in claim 18, wherein an attack analysis algorithm runs inside the security center server, and the security center server analyzes the event-related data according to the attack analysis algorithm to derive the attack pattern suffered by the host, and produces the updated security rule accordingly.
20. The cloud system as claimed in claim 17, wherein the knowledge base is arranged inside the security center server.
CN201310007908.0A 2013-01-09 2013-01-09 Cloud system with attract defending mechanism and defending method thereof Pending CN103916376A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310007908.0A CN103916376A (en) 2013-01-09 2013-01-09 Cloud system with attract defending mechanism and defending method thereof


Publications (1)

Publication Number Publication Date
CN103916376A true CN103916376A (en) 2014-07-09

Family

ID=51041783


Country Status (1)

Country Link
CN (1) CN103916376A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104717212A (en) * 2014-10-21 2015-06-17 中华电信股份有限公司 Protection method and system for cloud virtual network security
CN106534174A (en) * 2016-12-07 2017-03-22 北京奇虎科技有限公司 Cloud protection method, apparatus and system of sensitive data
CN106973058A (en) * 2017-03-31 2017-07-21 北京奇艺世纪科技有限公司 A kind of Web application firewalls rule update method, apparatus and system
CN109218336A (en) * 2018-11-16 2019-01-15 北京知道创宇信息技术有限公司 Loophole defence method and system
CN109347846A (en) * 2018-10-30 2019-02-15 郑州市景安网络科技股份有限公司 A kind of website clearance method, apparatus, equipment and readable storage medium storing program for executing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697404A (en) * 2005-06-10 2005-11-16 广东省电信有限公司研究院 System and method for detecting network worm in interactive mode
CN101056198A (en) * 2006-04-10 2007-10-17 华为技术有限公司 An information security management platform
US20080244745A1 (en) * 2001-01-25 2008-10-02 Solutionary, Inc. Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures
CN101567787A (en) * 2008-04-25 2009-10-28 联想(北京)有限公司 Computer system, computer network and data communication method
CN102546638A (en) * 2012-01-12 2012-07-04 冶金自动化研究设计院 Scene-based hybrid invasion detection method and system



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: HOPE BAY TECHNOLOGIES, INC.

Free format text: FORMER OWNER: TAIDA ELECTRONIC INDUSTRY CO. LTD.

Effective date: 20150114

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20150114

Address after: Chau Street China Neihu district of Taipei city Taiwan 48 Building No. 2

Applicant after: HOPE BAY TECHNOLOGIES, INC.

Address before: China Taiwan Taoyuan County

Applicant before: Delta Optoelectronics Inc.

WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140709
