CN107295021A - Host security detection method and system based on centralized management - Google Patents
Host security detection method and system based on centralized management
- Publication number
- CN107295021A (application CN201710703313.7A)
- Authority
- CN
- China
- Prior art keywords
- host
- log information
- information
- client
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiments of the invention provide a host security detection method and system based on centralized management, which improve the efficiency of centrally managed host security detection. The method includes: clients deployed on multiple hosts belonging to different users each collect the log information of their own host and upload it to a cloud platform, the cloud platform being deployed on the public network and each host that requires security detection being provided with one client; the cloud platform forwards each item of log information to the security management platform belonging to the user that the log information corresponds to, the cloud platform comprising at least one such security management platform; and the security management platform parses the log information, generates security threat information from it and presents that information to the user.
Description
Technical field
The present invention relates to the field of network security, and in particular to a host security detection method and system based on centralized management.
Background technology
The rapid growth of the internet has brought every industry into the information and network age. Online services are varied and serve an enormous number of users, and the number of server hosts a company operates keeps growing. At the same time the attacks and threats those hosts face keep increasing, host management becomes ever more challenging, and traditional host security maintenance no longer fits the situation of a large data center managing many hosts. The specific problem is as follows: the traditional host security defense mechanism deploys antivirus software on each individual host to scan for vulnerabilities. The antivirus software runs inside the host, inspects the data on that host and generates a report file for that host alone; it cannot handle security incidents in real time, so the user must periodically extract the report file generated by the antivirus software of every host, one host at a time, in order to assess the security state of that single host and analyze whether it faces a security threat. Periodically inspecting and analyzing hosts one by one is cumbersome and inefficient, and analysis of single hosts makes it difficult for the user to assess the security state of the data center as a whole.
Therefore it is necessary to develop a host security detection method based on centralized management that solves the above problem of low detection efficiency for centrally managed hosts.
The content of the invention
The embodiments of the invention provide a host security detection method and system based on centralized management, for improving the efficiency of centrally managed host security detection.
A first aspect of the embodiments of the invention provides a host security detection method based on centralized management, which may include:
clients deployed on multiple hosts belonging to different users each collect the log information of their own host and upload the log information to a cloud platform, the cloud platform being deployed on the public network and each host that requires security detection being provided with one client;
the cloud platform forwards each item of log information to the security management platform belonging to the user that the log information corresponds to, the cloud platform comprising at least one such security management platform;
the security management platform parses the log information, generates security threat information from the log information and presents it to the user.
With reference to the first aspect, in a first possible embodiment of the first aspect, the method further includes:
the client detects in real time, according to preset rules, whether a preset security incident occurs on its host;
if the preset security incident occurs, the client handles it immediately according to the preset rules.
With reference to the first possible embodiment of the first aspect, in a second possible embodiment of the first aspect, handling the preset security incident immediately according to the preset rules includes:
when the client, monitoring in real time according to the preset rules, finds that a malicious file exists on its host, the client automatically isolates or deletes the malicious file.
With reference to the second possible embodiment of the first aspect, in a third possible embodiment of the first aspect, handling the preset security incident immediately according to the preset rules includes:
when the client, monitoring according to the preset rules, finds that a brute-force attack is taking place against its host, the client blocks the IP address of the source of the brute-force attack.
With reference to the first aspect or its first, second or third possible embodiment, in a fourth possible embodiment of the first aspect, the log information includes one or more of the host's hardware asset information, operating system information, network connection information, information on the ports the host has opened, process information, network traffic information and security log information;
and the security management platform parses the log information and presents it to the user.
With reference to the fourth possible embodiment of the first aspect, in a fifth possible embodiment of the first aspect, the method further includes:
after the user configures a corresponding security policy according to the security threat information, the security management platform sends the security policy to the target client on the target host that the log information corresponds to, or to the clients of all hosts belonging to that user.
With reference to the fifth possible embodiment of the first aspect, in a sixth possible embodiment of the first aspect, the security management platform is a virtualized application deployed on the cloud platform using Docker container technology.
A second aspect of the embodiments of the invention provides a host security detection system based on centralized management, which may include:
a cloud platform and clients, wherein
the clients are deployed on multiple hosts belonging to different users and each collect the log information of their own host and upload it to the cloud platform, each host that requires security detection being provided with one client;
the cloud platform is deployed on the public network and forwards each item of log information to the security management platform belonging to the user that the log information corresponds to, the cloud platform comprising at least one such security management platform;
the security management platform parses the log information, generates security threat information from it and presents that information to the user.
With reference to the second aspect, in a first possible embodiment of the second aspect, the client includes:
a detection module, for detecting according to preset rules whether a preset security incident occurs on the host, and for handling the preset security incident immediately according to the preset rules.
With reference to the first possible embodiment of the second aspect, in a second possible embodiment of the second aspect, the detection module includes:
a first detection unit, for monitoring in real time according to the preset rules whether a malicious file exists on the host and, if one does, automatically isolating or deleting it.
With reference to the second possible embodiment of the second aspect, in a third possible embodiment of the second aspect, the detection module further includes:
a second detection unit, for monitoring whether a brute-force attack is taking place against the host and, if one is, blocking the IP address of its source.
With reference to the second aspect or its first, second or third possible embodiment, in a fourth possible embodiment of the second aspect, the log information includes one or more of the host's hardware asset information, operating system information, network connection information, information on the ports the host has opened, process information, network traffic information and security log information, and the security management platform further includes:
a security visualization module, for parsing the log information and presenting it to the user.
With reference to the fourth possible embodiment of the second aspect, in a fifth possible embodiment of the second aspect, the security management platform further includes:
a security policy module, for sending, after the user configures a corresponding security policy according to the security threat information, the security policy to the target client on the target host that the log information corresponds to, or to the clients of all hosts belonging to that user.
With reference to the fifth possible embodiment of the second aspect, in a sixth possible embodiment of the second aspect, the security management platform is a virtualized application deployed on the cloud platform using Docker container technology.
As can be seen from the above technical solutions, the embodiments of the invention have the following advantages:
In the embodiments of the invention, clients deployed on multiple hosts belonging to different users each collect the log information of their own host and upload it to a cloud platform; the cloud platform forwards the log information to the security management platform belonging to the corresponding user; and the security management platform parses the log information, generates security threat information from it and presents that information to the user. In other words, the embodiments collect the log information of a user's many hosts automatically and in real time, and the security management platform deployed on the cloud platform inspects that data and generates the corresponding security threat information. Compared with running antivirus software on each host to inspect its data and generate an inspection report, which must then be extracted manually and periodically host by host, no manual host-by-host extraction is needed, which improves the efficiency of security monitoring; at the same time the amount of data the host itself has to inspect is reduced, saving host resources.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system architecture for centrally managed host security detection in an embodiment of the invention;
Fig. 2 is a schematic diagram of one embodiment of the host security detection method based on centralized management in an embodiment of the invention;
Fig. 3 is a schematic diagram of another embodiment of the host security detection method based on centralized management in an embodiment of the invention;
Fig. 4 is a schematic diagram of yet another embodiment of the host security detection method based on centralized management in an embodiment of the invention;
Fig. 5 is a schematic diagram of one embodiment of the host security detection system based on centralized management in an embodiment of the invention;
Fig. 6 is a detailed functional block diagram of the client of the host security detection system based on centralized management in an embodiment of the invention;
Fig. 7 is a detailed functional block diagram of the security management platform of the host security detection method based on centralized management in an embodiment of the invention.
Embodiment
The embodiments of the invention provide a host security detection method and system based on centralized management, for improving the efficiency of centrally managed host security detection.
In order that those skilled in the art may better understand the solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings of the embodiments. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, claims and drawings of this specification are used to distinguish similar objects and do not describe a particular order or sequence. It should be understood that data so designated may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
To aid understanding, the system architecture for centrally managed host security detection in an embodiment of the invention is first illustrated briefly with reference to Fig. 1. The cloud platform in the embodiment can dynamically allocate virtualized security management platforms for different tenants; it contains at least one security management platform, and each security management platform can centrally manage the multiple hosts belonging to one user.
In the embodiment, centralized detection and analysis of a user's many hosts is achieved through a cloud platform deployed on the public network and clients deployed on the hosts of multiple users. The cloud platform deployed on the public network can be accessed by different tenants from different enterprises. A host in the embodiment can be a virtual host or a physical server deployed in a public or private cloud. The client mainly collects information from the host and executes response actions. The cloud platform dynamically allocates virtualized security management platforms for different tenants, and a security management platform on the cloud platform can perform security detection on the data collected by the clients using preset rules formed from big-data security analysis, analysis by an artificial intelligence detection engine, the score computation model of a reputation system and a large-scale reputation list store. For example, a black list and a white list formed from the reputation store can distinguish whether a file recorded in the log information is a normal file or a malicious file; the specific detection method is not limited here. When the detection result is a threat event, a real-time response can be made by configuring a corresponding security policy, for example isolating the file or blocking the intrusion behavior.
The specific flow in the embodiment of the invention is described below. Referring to Fig. 2, one embodiment of the host security detection method based on centralized management in an embodiment of the invention may include:
201. Clients deployed on multiple hosts belonging to different users each collect the log information of their own host and upload it to the cloud platform.
In this embodiment, clients can be deployed on the multiple hosts that require security detection, and these hosts may belong to different users. Each client collects the log information of its own host; according to the detection requirements the client can select which host-related information to collect as part of the log information and upload it to the cloud platform. The specific content of the log information can be set sensibly according to the detection requirements. For example, if the client finds that a host program has opened a service port that was not expected to be open, the client can additionally record the host's process information in the log information so that the user can judge whether a malicious process is present.
Specifically, the log information can include the host's hardware asset information, operating system information, network connection information, information on the service ports the host has opened, process information, network traffic information, security log information and other information that reflects the host's running state or security state; it is not specifically limited here.
Specifically, the cloud platform in this embodiment can in practice be a SaaS (Software-as-a-Service) class cloud platform deployed on the public network. The user does not need to install any cloud platform client software; the user only needs to log in to the SaaS cloud platform over the Web to manage the hosts belonging to that user and the large amount of real-time data extracted from those hosts that the platform stores. The specific cloud platform is not limited here.
Specifically, the address of the cloud platform corresponding to a client in this embodiment is configured by parameter when the client is installed on the host, so that the client on each host can connect to its cloud platform. In special cases where the host's client cannot connect to the cloud platform directly, it can connect through a SOCKS proxy; the specific connection method is not limited here.
It should be understood that the client may, according to the user's requirements, encrypt the data while transmitting it to the cloud platform, or transmit it unencrypted; this is not limited here.
202. The cloud platform forwards each item of log information to the security management platform belonging to the corresponding user.
After the cloud platform has centrally received the log information sent by the different hosts of different users, it can forward each item of log information to the security management platform of the corresponding user, according to which user owns it, for further processing.
Specifically, the cloud platform can use an Apache, Lighttpd or Nginx server to proxy the user's log information to the security management platform of the corresponding tenant. For example, using the high-performance HTTP and reverse proxy server Nginx, the log information is proxied to the corresponding tenant's security management platform; the Nginx configuration can refer to the following program:
The specific parameter configuration in the program can be adjusted according to the specifics of the cloud platform deployed by the supplier, and is not limited here.
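As an added illustration of the forwarding in step 202, the following Nginx reverse-proxy fragment shows one way to route each client's upload to its own tenant's security management platform. It is not the patent's configuration (the page does not reproduce one); the hostnames, certificate paths, header names and the tenant-to-backend mapping are all assumptions. The security-relevant choice is that the tenant is derived from the client's verified certificate, not from anything the client asserts in the request, so one tenant's log information cannot be steered to another tenant's platform.

```nginx
# Added example, not the patent's configuration. Each tenant's security
# management platform is assumed to be a container reachable as
# smp-tenant-a / smp-tenant-b on port 8080 (assumed names).
upstream smp_tenant_a { server smp-tenant-a:8080; }
upstream smp_tenant_b { server smp-tenant-b:8080; }

# Derive the tenant from the client agent's verified certificate subject,
# never from a header the agent could set itself. Unknown subjects map to "".
map $ssl_client_s_dn $smp_upstream {
    default                 "";
    "~OU=tenant-a(,|$)"     smp_tenant_a;
    "~OU=tenant-b(,|$)"     smp_tenant_b;
}

server {
    listen 443 ssl;
    server_name logs.cloud.example;            # assumed public endpoint

    ssl_certificate        /etc/nginx/tls/server.crt;      # assumed paths
    ssl_certificate_key    /etc/nginx/tls/server.key;
    # Mutual TLS: only agents holding a certificate issued by the agent CA
    # may upload, and the upload itself is always encrypted in transit.
    ssl_client_certificate /etc/nginx/tls/agent-ca.crt;
    ssl_verify_client      on;

    client_max_body_size 16m;                  # bound the size of one upload

    location /upload {
        # Reject agents whose certificate does not map to a tenant backend.
        if ($smp_upstream = "") { return 403; }
        proxy_pass http://$smp_upstream;
        proxy_set_header X-Agent-Subject $ssl_client_s_dn;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_read_timeout 30s;
    }
}
```

Because `proxy_pass` uses a variable, the target must be one of the named `upstream` groups above (or a `resolver` must be configured); the `map` default of an empty string together with the `403` keeps an unmapped certificate from reaching any backend.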
203. The security management platform parses the log information, generates security threat information from it and presents that information to the user.
In this embodiment the security management platform can perform security detection on the data collected by the clients using big-data security analysis, analysis by an artificial intelligence detection engine, the score computation model of a reputation system and a large-scale reputation list store; the specific detection method is not limited here. If a security threat is found on the host described by the log information, or in the related data within the log information, the security management platform can generate corresponding security threat information and present it to the user.
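The reputation-list check mentioned in the architecture overview (black and white lists formed from the reputation store) and the threat generation in step 203 can be sketched in a few dozen lines. The following is an added example written for this page, not the patent's or any product's code: the upload record format, the reputation store contents, the expected-port baseline and the hash values are all constructed here. It goes slightly beyond the text by also flagging an open port that is absent from the host's baseline, the case the description of step 201 uses as its example.

```python
import hashlib
from typing import Dict, List

def _h(data: bytes) -> str:
    """sha256 hex digest; used only to build constructed sample hashes."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the patent's "reputation list store". In a real
# platform these digests would come from threat-intelligence feeds.
REPUTATION: Dict[str, set] = {
    "allow": {_h(b"constructed contents of /usr/bin/sshd")},
    "block": {_h(b"constructed contents of a known-bad dropper")},
}

# Constructed per-host baseline of service ports that are expected to be open.
EXPECTED_PORTS = {"web-01": {22, 80, 443}}

def classify_file(sha256: str, store: Dict[str, set]) -> str:
    """Black/white-list decision; the block list wins over the allow list."""
    if sha256 in store["block"]:
        return "malicious"
    if sha256 in store["allow"]:
        return "trusted"
    return "unknown"

def generate_threats(record: dict, store: Dict[str, set] = REPUTATION,
                     expected: Dict[str, set] = EXPECTED_PORTS) -> List[dict]:
    """Parse one uploaded log record and produce security threat entries."""
    threats: List[dict] = []
    host = record["host"]
    for f in record.get("files", []):
        verdict = classify_file(f["sha256"], store)
        if verdict == "malicious":
            threats.append({"host": host, "type": "malicious_file",
                            "severity": "high", "detail": f["path"]})
        elif verdict == "unknown":
            # Not on either list: surface it for analysis rather than ignore it.
            threats.append({"host": host, "type": "unknown_file",
                            "severity": "low", "detail": f["path"]})
    # Ports open on the host that the baseline does not expect, with the owning
    # process taken from the process information in the same record.
    unexpected = set(record.get("open_ports", [])) - expected.get(host, set())
    for port in sorted(unexpected):
        owner = next((p["name"] for p in record.get("processes", [])
                      if p.get("port") == port), "?")
        threats.append({"host": host, "type": "unexpected_port",
                        "severity": "medium", "detail": f"{port}/tcp by {owner}"})
    return threats

# Constructed upload from a client on tenant "tenant-a" (sample input, not real data).
SAMPLE_RECORD = {
    "tenant": "tenant-a", "host": "web-01",
    "files": [
        {"path": "/usr/bin/sshd", "sha256": _h(b"constructed contents of /usr/bin/sshd")},
        {"path": "/tmp/.x", "sha256": _h(b"constructed contents of a known-bad dropper")},
        {"path": "/opt/app/run.sh", "sha256": _h(b"never seen before")},
    ],
    "open_ports": [22, 443, 4444],
    "processes": [{"name": "sshd", "port": 22}, {"name": "nc", "port": 4444}],
}

if __name__ == "__main__":
    for threat in generate_threats(SAMPLE_RECORD):
        print(threat)
```

The three entries this produces for the sample record (a block-listed file, an unlisted file, and port 4444 held by a process outside the baseline) are what the platform would present to the user as security threat information.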
In the embodiment of the invention, clients deployed on multiple hosts belonging to different users each collect the log information of their own host and upload it to the cloud platform; the cloud platform forwards the log information to the security management platform belonging to the corresponding user; and the security management platform parses the log information, generates security threat information from it and presents that information to the user. In other words, the embodiment collects the log information of a user's many hosts automatically and in real time, and the security management platform deployed on the cloud platform inspects that data and generates the corresponding security threat information. Compared with running antivirus software on each host to inspect its data and generate an inspection report, which must then be extracted manually and periodically host by host, no manual host-by-host extraction is needed, which improves the efficiency of security monitoring; at the same time the amount of data the host itself has to inspect is reduced, saving host resources. The user can centrally manage multiple hosts through the security management platform, which parses the log information in real time and generates the corresponding security threat information, reducing the chance of delay in handling security incidents.
Secondly, the security management platform in this embodiment can perform security detection on the data collected by the clients using big-data security analysis, analysis by an artificial intelligence detection engine, the score computation model of a reputation system and a large-scale reputation list store, which improves the accuracy of detection.
On the basis of the above embodiment, the user can detect potential security hazards on the corresponding hosts from the log information collected from multiple hosts. In practice, however, some security incidents are common to most hosts, such as brute-force attacks against server hosts and the writing of malicious files; these security incidents need real-time protection or immediate handling. In addition, some sensitive data on a host is generally not suitable for uploading to the cloud for security detection. For these reasons, preset security rules need to be set in the client, according to the user's requirements, so that specific security incidents and sensitive data on the host receive real-time protection or immediate handling. Referring to Fig. 3, another embodiment of the host security detection method based on centralized management in an embodiment of the invention may include:
301. Clients deployed on multiple hosts belonging to different users each collect the log information of their own host and upload it to the cloud platform.
302. The cloud platform forwards each item of log information to the security management platform belonging to the corresponding user.
303. The security management platform parses the log information, generates security threat information from it and presents that information to the user.
Steps 301 to 303 in this embodiment are similar to steps 201 to 203 of the embodiment shown in Fig. 2 above and are not repeated here.
304. The client detects in real time, according to the preset rules, whether a preset security incident occurs on its host.
In practice a host needs real-time protection against certain common security incidents. Following the user's operation, the security detection rules and corresponding handling rules for the security incidents that need real-time automatic detection can be set sensibly, as preset rules, in the clients of all hosts belonging to that user, and each client can then detect in real time according to the preset rules whether a preset security incident occurs on its host. The specific security detection rules are not limited here.
It should be understood that step 304 and the steps that follow it may be performed before, after or at the same time as steps 301 to 303 above; the specific order of execution is not limited here.
305. The client handles the preset security incident immediately according to the preset rules.
When the client detects a preset security incident according to the preset rules, it can handle the incident immediately according to the preset rules set by the user. The specific handling may be automatically isolating or deleting a malicious file, blocking the IP address of the source of a brute-force attack, or writing the occurrence of the preset security incident into the log information in the form of a security log; it is not specifically limited here.
Further, the cloud platform can aggregate the log information of multiple users for comprehensive analysis, so as to identify the various security threats more completely and update the corresponding preset rule store in real time.
Specifically, when the client, monitoring in real time according to the preset rules, finds that a malicious file exists on its host, the client can automatically isolate or delete the malicious file. For example, for a web server on the host, the client can automatically discover the web server's root directory, monitor that directory in real time using the inotify mechanism, and scan a file whenever a file in the directory changes, so that webshell malicious files are found in time; depending on configuration the malicious file can be automatically isolated or deleted. As another example, the client can determine in real time whether botnet behavior is present by checking the host's domain name resolution against a rule store, and thereby detect botnet malicious files in real time; once a malicious file is detected the client can report the event details to the security management platform in the form of a log, or automatically isolate or delete the malicious file.
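The web-root rule just described (scan a changed file, then isolate or delete it) can be implemented as follows. This is an added example written for this page, not the patent's or any product's code. The detection rules, the directory layout and the file contents are constructed; the planted sample is deliberately not valid PHP. A polling pass over the directory stands in for inotify so the example runs on any platform; a real client would register an inotify watch on the web root and call `handle_change` from the event callback.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed detection rules: request input passed straight into PHP code
# execution. A real client carries a far larger, regularly updated rule store
# (the patent's "preset rules"); these three exist only to drive the example.
RULES = [
    ("php.eval_user_input",
     re.compile(rb"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("php.exec_user_input",
     re.compile(rb"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("php.obfuscated_eval",
     re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
]

def scan_file(path: Path) -> List[str]:
    """Names of the rules that match the file's contents (empty list = clean)."""
    data = path.read_bytes()
    return [name for name, rx in RULES if rx.search(data)]

def quarantine(path: Path, qdir: Path) -> Path:
    """Move a flagged file out of the web root and strip all permissions,
    so the web server can neither serve nor execute it while it is kept for analysis."""
    qdir.mkdir(parents=True, exist_ok=True)
    target = qdir / f"{time.time_ns()}_{path.name}"
    shutil.move(str(path), str(target))
    os.chmod(target, 0o000)
    return target

def handle_change(path: Path, qdir: Path, delete: bool = False) -> Optional[dict]:
    """Run for each file the watch reports as created or modified.
    Returns a security-log entry when the file was flagged, else None."""
    if not path.is_file():
        return None
    hits = scan_file(path)
    if not hits:
        return None
    if delete:
        path.unlink()
        action = "deleted"
    else:
        quarantine(path, qdir)
        action = "quarantined"
    return {"event": "webshell_detected", "path": str(path),
            "rules": hits, "action": action}

def watch_polling(webroot: Path, qdir: Path, seen: Dict[Path, int]) -> List[dict]:
    """Polling stand-in for inotify: visit files whose mtime changed since the
    last pass. The listing is materialised first because a hit moves the file."""
    events: List[dict] = []
    for p in list(webroot.rglob("*")):
        if not p.is_file():
            continue
        mtime = p.stat().st_mtime_ns
        if seen.get(p) == mtime:
            continue
        seen[p] = mtime
        entry = handle_change(p, qdir)
        if entry:
            events.append(entry)
    return events

def demo() -> Tuple[List[dict], bool, bool]:
    """Build a constructed web root with one clean page and one planted sample,
    run a pass, and report (events, clean page still present, sample removed)."""
    with tempfile.TemporaryDirectory() as d:
        webroot, qdir = Path(d) / "www", Path(d) / "quarantine"
        webroot.mkdir()
        (webroot / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
        # Constructed sample that matches the first rule; not runnable PHP.
        (webroot / "cache.php").write_bytes(b"<?php eval($_POST[...]); ?>")
        events = watch_polling(webroot, qdir, {})
        return (events, (webroot / "index.php").exists(),
                not (webroot / "cache.php").exists())

if __name__ == "__main__":
    print(demo())
```

The returned entry is the security-log record that the client would, per step 305, write into its log information and so report to the security management platform on the next upload.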
Specifically, when the client monitoring its host finds that a brute-force attack is taking place, the client can block the IP address of the source of the brute-force attack to protect the host. Optionally, the client can analyze and summarize the host's access logs and report the details of the brute-force attack to the security management platform in the form of a threat log.
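The brute-force rule (count authentication failures per source, block the source once a threshold is crossed, and report a threat log) is shown below as an added example written for this page, not the patent's or any product's code. The log lines are constructed in OpenSSH's `Failed password` format with documentation addresses; the year and the nftables table and set names are assumptions, and the firewall command is returned rather than executed so the example runs without privileges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# OpenSSH failed-login line as sshd writes it to the auth log (syslog prefix).
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def block_command(ip: str) -> str:
    """The firewall action the client would run. Table "inet filter" and set
    "blocked_srcs" are assumed names; the command is returned, not executed."""
    return f"nft add element inet filter blocked_srcs {{ {ip} }}"

class BruteForceRule:
    """Client-side preset rule: sliding-window count of failures per source IP."""

    def __init__(self, threshold: int = 5, window_s: int = 120, year: int = 2024):
        self.threshold = threshold      # failures ...
        self.window_s = window_s        # ... within this many seconds
        self.year = year                # syslog stamps carry no year (assumed)
        self.failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.blocked: Dict[str, dict] = {}

    def _ts(self, text: str) -> datetime:
        return datetime.strptime(f"{self.year} {text}", "%Y %b %d %H:%M:%S")

    def feed(self, line: str) -> List[dict]:
        """Consume one log line; return a threat-log entry when a block is issued."""
        m = FAILED.match(line)
        if not m or m.group("ip") in self.blocked:
            return []
        ip, t = m.group("ip"), self._ts(m.group("ts"))
        q = self.failures[ip]
        q.append((t, m.group("user")))
        while (t - q[0][0]).total_seconds() > self.window_s:   # drop stale failures
            q.popleft()
        if len(q) < self.threshold:
            return []
        entry = {
            "event": "brute_force", "src_ip": ip, "failures": len(q),
            "users": sorted({u for _, u in q}),
            "first": q[0][0].isoformat(), "last": t.isoformat(),
            "action": block_command(ip),
        }
        self.blocked[ip] = entry
        q.clear()
        return [entry]

def run(log_text: str) -> List[dict]:
    """Feed every line of an auth log through the rule; collect threat entries."""
    rule = BruteForceRule()
    return [e for line in log_text.splitlines() for e in rule.feed(line)]

# Constructed auth-log excerpt: one source hammers the host, one user mistypes once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web-01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:15:04 web-01 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:09 web-01 sshd[2214]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:15:15 web-01 sshd[2215]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:15:20 web-01 sshd[2216]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:15:22 web-01 sshd[2217]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:16:00 web-01 sshd[2220]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:16:30 web-01 sshd[2221]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

if __name__ == "__main__":
    for entry in run(SAMPLE_AUTH_LOG):
        print(entry)
```

The single entry produced for the sample is the "threat log" the text mentions: it carries the source, the window, the user names tried and the action taken, which is what the security management platform needs in order to present the incident and, per the fifth embodiment, push a matching policy to the user's other hosts.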
On the basis of the embodiment shown in above-mentioned Fig. 2 or Fig. 3, user gathers the daily record of single main frame by client
Information often can accurately not assess the safe condition and running status of the whole data center of multiple main frames composition, can not yet
Some unified safety regulations are set for whole data center, client is needed to solve this problem by the log information of collection
User security is visualized, specifically, a kind of referring to Fig. 4, safety of the main frame based on centralized management in the embodiment of the present invention
Another embodiment of detection method may include:
401st, the client being deployed on the multiple host of different user gather respectively the log information of respective hosts and on
Reach cloud platform;
In the present embodiment, clients can be deployed on the multiple hosts of different users and respectively gather the log information of their respective hosts. According to the detection requirements, the client can select the host-related information that needs to be gathered as part of the log information and upload it to the cloud platform. The specific log information can be set reasonably according to the detection requirements; for example, it can include the host's hardware asset information, operating system information, network connection information, open service port information, process information, network traffic information and other information that can reflect the running state or security state of the host, which is not specifically limited here.
Specifically, in practice the cloud platform in the present embodiment can be a SaaS (Software-as-a-Service) cloud platform deployed on the public network. The user does not need to install corresponding cloud-platform client software; the user only needs to log in to the SaaS cloud platform in a web browser to manage the hosts belonging to that user and the large amount of real-time data extracted from those hosts and stored on the platform. For each user, the cloud platform can use Docker container virtualisation technology to create a completely independent virtualised security management platform, and use pipework to configure an independent IP address for each virtualised management platform.
It can be understood that, while transmitting data to the cloud platform, the client can encrypt the data or leave it unencrypted according to the user's requirements, which is not limited here.
402. The cloud platform respectively forwards the log information to the security management platform belonging to the corresponding user;
403. The security management platform parses the log information, generates security threat information according to the log information and presents it to the user;
404. The client detects in real time, according to preset rules, whether a preset security event occurs on the corresponding host;
405. The client handles the preset security event immediately according to the preset rules;
The content described in steps 402 to 405 of the present embodiment is similar to the content described in steps 302 to 305 of the embodiment shown in Fig. 3 and is not repeated here.
406. The security management platform presents the log information to the user;
In order to accurately assess the security state or running state of a data centre made up of multiple hosts, the user can reasonably set the categories of log information gathered by the client, such as the host's hardware asset information, operating system information, network connection information, open service port information, process information, network traffic information and other information that can reflect the running state or security state of the host. The client can analyse and process the gathered logs of each category according to the user's settings, and present to the user visual graphs of events such as brute-force attacks, malicious files and unauthorised access and of the traffic of the whole accessed system, and collect the exposure, asset and other information of all hosts. By logging in to the security management platform, the user can view the security events and asset information of every category.
Further, the present embodiment can also include:
407. The security management platform sends a security policy to the client.
When the user or the security management platform judges that a security risk exists on the corresponding host or that a security event has already occurred, the security management platform can generate a corresponding security policy according to the user's operation. The specific security policy changes with the security vulnerability or security event and is not limited here. For example, if the log information reports that a suspicious file of a certain type was detected on the host, the security management platform can configure the security policy for that host to isolate or delete the suspicious file; for another example, if the log information reports that a server on the host has been maliciously accessed from a malicious IP address, the security management platform can configure the security policy for that host to block that malicious IP address's access to the host.
The security policy that the user configures for the security threat information may be directed at a single host, or at one class or several classes of hosts. According to the user's settings, the security management platform can send the security policy to the target client of the target host corresponding to the log information, or to the clients of all hosts belonging to the user, which is not specifically limited here. For example, when a certain security event occurs and the user needs to configure a firewall rule against that security event on all hosts, the user can configure the firewall rule directly on the security management platform and have it issued automatically to all the corresponding hosts; when the security event occurs again on any host belonging to the user, that host can automatically handle the corresponding security event according to the firewall rule.
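The policy step as an added example that is not the patent's own code: the platform turns a threat record into a policy with a deterministic identifier, resolves the scope the user chose (a single host, a host class, or all of the user's hosts) against a host inventory, and each client applies a given policy only once, so re-delivery after the same event recurs does not stack duplicate firewall rules. The inventory and its classes, the threat records, the hypothetical `quarantine-by-hash` helper name and the iptables command string are constructed; the client records commands rather than running them.

```python
"""Added example, not the patent's code: policy generation, scope resolution
and idempotent client-side application."""
import hashlib
import json
from typing import Dict, List, Optional, Set

# Constructed inventory for one user: host name -> classes (tags).
INVENTORY: Dict[str, Set[str]] = {
    "web-01": {"web", "dmz"},
    "web-02": {"web", "dmz"},
    "db-01": {"db"},
}


def make_policy(threat: dict, scope: str, target: Optional[str] = None) -> dict:
    """Turn a threat record into a policy; scope is 'host', 'class' or 'all'."""
    kind = threat["kind"]
    if kind in ("brute_force", "malicious_access"):
        rule = {"action": "block_ip", "ip": threat["source_ip"]}
    elif kind == "malicious_file":
        rule = {"action": "quarantine_hash", "sha256": threat["sha256"]}
    else:
        raise ValueError(f"no policy defined for {kind}")
    if scope in ("host", "class") and target is None:
        raise ValueError("scope 'host' or 'class' needs a target")
    # Deterministic id: the same rule re-sent is recognised as the same policy.
    pid = hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()[:12]
    return {"id": f"pol-{pid}", "rule": rule, "scope": scope, "target": target}


def select_clients(policy: dict, inventory: Dict[str, Set[str]]) -> List[str]:
    """Resolve the policy scope to the hosts whose clients receive it."""
    scope, target = policy["scope"], policy["target"]
    if scope == "host":
        return [target] if target in inventory else []
    if scope == "class":
        return sorted(h for h, classes in inventory.items() if target in classes)
    if scope == "all":
        return sorted(inventory)
    raise ValueError(f"unknown scope {scope}")


class Client:
    """Client side: translate a policy into a host action, applied at most once."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.applied: Dict[str, str] = {}      # policy id -> command

    def apply(self, policy: dict) -> Optional[str]:
        if policy["id"] in self.applied:
            return None                        # idempotent: re-delivery is a no-op
        rule = policy["rule"]
        if rule["action"] == "block_ip":
            cmd = f"iptables -I INPUT -s {rule['ip']} -j DROP"
        elif rule["action"] == "quarantine_hash":
            cmd = f"quarantine-by-hash {rule['sha256']}"   # hypothetical helper name
        else:
            raise ValueError(rule["action"])
        self.applied[policy["id"]] = cmd       # constructed: recorded, not executed
        return cmd


def dispatch(policy: dict, clients: Dict[str, Client],
             inventory: Dict[str, Set[str]]) -> Dict[str, str]:
    """Platform side: deliver the policy; returns host -> command newly applied."""
    delivered: Dict[str, str] = {}
    for host in select_clients(policy, inventory):
        cmd = clients[host].apply(policy)
        if cmd is not None:
            delivered[host] = cmd
    return delivered


def run_sample() -> List[Dict[str, str]]:
    clients = {h: Client(h) for h in INVENTORY}
    # Brute-force source seen on web-01; the user wants it blocked on every host.
    p1 = make_policy({"kind": "brute_force", "source_ip": "203.0.113.5"}, "all")
    # Malicious file on db-01; the quarantine rule goes to the db class only.
    p2 = make_policy({"kind": "malicious_file", "sha256": "0" * 64}, "class", "db")
    return [dispatch(p1, clients, INVENTORY),
            dispatch(p1, clients, INVENTORY),    # same event again: nothing new applied
            dispatch(p2, clients, INVENTORY)]


if __name__ == "__main__":
    for result in run_sample():
        print(json.dumps(result))
```

The deterministic policy id is what makes the second delivery a no-op; a platform that generated a fresh id per dispatch would have every client insert the same iptables rule again each time the event recurred.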
The embodiment of the present invention further provides a security detection system for hosts based on centralised management. Referring to Fig. 5, one embodiment of the security detection system for hosts based on centralised management in the embodiment of the present invention may include:
a cloud platform 500 and clients 600, wherein
the clients 600 are deployed on the multiple hosts of different users, and respectively gather the log information of their respective hosts and upload it to the cloud platform;
the cloud platform 500 respectively forwards the log information to the security management platform 501 belonging to the user corresponding to the log information, the cloud platform 500 including at least one security management platform 501;
the security management platform 501 respectively parses the log information, generates security threat information according to the log information and presents it to the user.
The specific functions of the security detection system for hosts based on centralised management shown in the present embodiment are similar to the content described in the embodiment shown in Fig. 2 above; refer to the embodiment shown in Fig. 2 for details, which are not repeated here.
In the embodiment of the present invention, the clients deployed on the multiple hosts of different users respectively gather the log information of their respective hosts and upload it to the cloud platform; the cloud platform can forward the log information to the security management platform belonging to the corresponding user; and the security management platform can parse the log information, generate security threat information according to the log information and present it to the user. That is, the embodiment of the present invention can automatically collect, in real time, the log information of a user's multiple hosts to the security management platform deployed on the cloud platform, which performs data detection and generates the corresponding security threat information. Compared with running antivirus software on each host, having it inspect its data and generate an inspection report, and manually extracting the report files one by one at regular intervals, no manual one-by-one extraction is needed and the efficiency of security monitoring is improved; at the same time the amount of data the host needs to inspect is reduced, saving host resources. The user can centrally manage multiple hosts through the security management platform, parse the log information in real time and generate the corresponding security threat information, reducing the possibility of delay in handling security events.
On the basis of the embodiment shown in Fig. 5, referring to Fig. 6, Fig. 6 is a refined module diagram of the client 600 in the embodiment of the present invention. As a possible embodiment, the client 600 in the present embodiment may further include:
a detection module 601, for detecting, according to preset rules, whether a preset security event occurs on the host, and handling the preset security event immediately according to the preset rules.
Optionally, the detection module 601 in the present embodiment may further include:
a first detection unit 6011, for monitoring in real time, according to the preset rules, whether a malicious file exists on the host, and automatically isolating or deleting the malicious file if one exists.
Optionally, the detection module 601 in the present embodiment may further include:
a second detection unit, for monitoring whether a brute-force attack exists on the host, and blocking the IP address of the attack source of the brute-force attack if one exists.
The specific functions of the security detection system for hosts based on centralised management shown in the embodiment of the present invention are similar to the content described in the embodiment shown in Fig. 3 above; refer to the embodiment shown in Fig. 3 for details, which are not repeated here.
On the basis of the above embodiments, referring to Fig. 7, Fig. 7 is a refined module diagram of the security management platform 501 in the embodiment of the present invention. As a possible embodiment, the log information in the present embodiment can include one or more of the host's hardware asset information, operating system information, network connection information, open port information, process information, network traffic information and security log information, which can be set reasonably according to the user's requirements. The security management platform 501 in the present embodiment may further include:
a security visualisation module 5011, for parsing the log information and presenting the log information to the user.
Optionally, the security management platform 501 in the present embodiment may further include:
a security policy module 5012, for sending, after the user configures a corresponding security policy according to the security threat information, the security policy to the target client of the target host corresponding to the log information or to the clients of all hosts belonging to the user.
Optionally, in the present embodiment the security management platform can be a virtualised application deployed on the cloud platform using Docker container technology.
In the present embodiment, clients can be deployed on the multiple hosts of different users and respectively gather the log information of their respective hosts; according to the detection requirements, the client can select the host-related information that needs to be gathered as part of the log information and upload it to the cloud platform; finally, the security management platform sends the security policy to the target client of the target host corresponding to the log information, and the target client executes the security policy. The specific log information can be set reasonably according to the detection requirements; for example, it can include the host's hardware asset information, operating system information, network connection information, open service port information, process information, network traffic information and other information that can reflect the running state or security state of the host, which is not specifically limited here.
Specifically, for example, in practice the cloud platform in the present embodiment can be a SaaS (Software-as-a-Service) cloud platform deployed on the public network. The user does not need to install corresponding cloud-platform client software; the user only needs to log in to the SaaS cloud platform in a web browser to manage the hosts belonging to that user and the large amount of real-time data extracted from those hosts and stored on the platform. For each user, the cloud platform can use Docker container virtualisation technology to create a completely independent virtualised security management platform, and use pipework to configure an independent IP address for each virtualised management platform.
It can be understood that, while transmitting data to the cloud platform, the client can encrypt the data or leave it unencrypted according to the user's requirements, which is not limited here.
In the present embodiment, the clients deployed on the multiple hosts of different users can respectively gather the log information of their respective hosts and upload it to the cloud platform; the cloud platform can forward the log information to the security management platform belonging to the corresponding user; the security management platform can parse the log information and configure a corresponding security policy according to the log information; finally, the security management platform sends the security policy to the target client of the target host corresponding to the log information, and the target client executes the security policy. That is, the embodiment of the present invention can automatically collect, in real time, the log information of a user's multiple hosts to the security management platform deployed on the cloud platform. Compared with manually extracting log information one by one at regular intervals, this improves the efficiency of security monitoring; the user can centrally manage multiple hosts through the security management platform, parse the log information in real time and configure the corresponding security policy, reducing the possibility of delay in handling security events in time.
Secondly, the security management platform in the present embodiment can perform security detection on the data gathered by the clients by means of big-data security analysis, artificial-intelligence detection and analysis, a scoring model of a credit system and a large-volume reputation list library, which improves the accuracy of detection; since the user's log information does not need to be inspected on the host, the computational overhead of the host is reduced and host resources are saved.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, apparatus and units described above can refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only used to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or make equivalent substitutions for some of the technical features; such modifications or substitutions do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (14)
1. A security detection method for hosts based on centralised management, characterised by including:
clients deployed on the multiple hosts of different users respectively gathering the log information of their respective hosts and uploading it to a cloud platform, the cloud platform being deployed on a global network, and each host requiring security detection being provided with one client;
the cloud platform respectively forwarding the log information to the security management platform belonging to the user corresponding to the log information, the cloud platform including at least one said security management platform;
the security management platform respectively parsing the log information, generating security threat information according to the log information and presenting it to the user.
2. The method according to claim 1, characterised by further including:
the client detecting in real time, according to preset rules, whether a preset security event occurs on the corresponding host;
if the preset security event occurs, handling the preset security event immediately according to the preset rules.
3. The method according to claim 2, characterised in that handling the preset security event immediately according to the preset rules includes:
when the client, monitoring in real time according to the preset rules, finds that a malicious file exists on the corresponding host, the client automatically isolating or deleting the malicious file.
4. The method according to claim 3, characterised in that handling the preset security event immediately according to the preset rules further includes:
when the client, monitoring according to the preset rules, finds that a brute-force attack exists on the corresponding host, the client blocking the IP address of the attack source of the brute-force attack.
5. The method according to any one of claims 1 to 4, characterised in that
the log information includes one or more of the host's hardware asset information, operating system information, network connection information, open port information, process information, network traffic information and security log information;
the security management platform parses the log information and presents the log information to the user.
6. The method according to claim 5, characterised by further including:
after the user configures a corresponding security policy according to the security threat information, the security management platform sending the security policy to the target client of the target host corresponding to the log information or to the clients of all hosts belonging to the user.
7. The method according to claim 6, characterised in that the security management platform is a virtualised application deployed on the cloud platform using Docker container technology.
8. A security detection system for hosts based on centralised management, characterised by including:
a cloud platform and clients, wherein
the clients are deployed on the multiple hosts of different users and respectively gather the log information of their respective hosts and upload it to the cloud platform, each host requiring security detection being provided with one client;
the cloud platform is deployed on a global network and is configured to respectively forward the log information to the security management platform belonging to the user corresponding to the log information, the cloud platform including at least one said security management platform;
the security management platform respectively parses the log information, generates security threat information according to the log information and presents it to the user.
9. The system according to claim 8, characterised in that the client includes:
a detection module, for detecting, according to preset rules, whether a preset security event occurs on the host, and handling the preset security event immediately according to the preset rules.
10. The system according to claim 9, characterised in that the detection module includes:
a first detection unit, for monitoring in real time, according to the preset rules, whether a malicious file exists on the host, and automatically isolating or deleting the malicious file if one exists.
11. The system according to claim 10, characterised in that the detection module further includes:
a second detection unit, for monitoring whether a brute-force attack exists on the host, and blocking the IP address of the attack source of the brute-force attack if one exists.
12. The system according to any one of claims 8 to 11, characterised in that the log information includes one or more of the host's hardware asset information, operating system information, network connection information, open port information, process information, network traffic information and security log information, and the security management platform further includes:
a security visualisation module, for parsing the log information and presenting the log information to the user.
13. The system according to claim 12, characterised in that the security management platform further includes:
a security policy module, for sending, after the user configures a corresponding security policy according to the security threat information, the security policy to the target client of the target host corresponding to the log information or to the clients of all hosts belonging to the user.
14. The system according to claim 13, characterised in that the security management platform is a virtualised application deployed on the cloud platform using Docker container technology.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710703313.7A CN107295021B (en) | 2017-08-16 | 2017-08-16 | Security detection method and system of host based on centralized management |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107295021A true CN107295021A (en) | 2017-10-24 |
CN107295021B CN107295021B (en) | 2021-06-04 |
Family
ID=60106915
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710703313.7A Active CN107295021B (en) | 2017-08-16 | 2017-08-16 | Security detection method and system of host based on centralized management |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107295021B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108429754A (en) * | 2018-03-19 | 2018-08-21 | 深信服科技股份有限公司 | Cloud-based distributed detection method, system and related apparatus |
CN108763031A (en) * | 2018-04-08 | 2018-11-06 | 北京奇安信科技有限公司 | Log-based threat information detection method and device |
CN109246125A (en) * | 2018-10-09 | 2019-01-18 | 郑州云海信息技术有限公司 | Host security state assessment system |
CN109660550A (en) * | 2018-12-29 | 2019-04-19 | 中国电力科学研究院有限公司 | System and method for security protection of embedded terminals |
CN110519270A (en) * | 2019-08-27 | 2019-11-29 | 杭州安恒信息技术股份有限公司 | Method and device for rapidly detecting WebShell based on file source |
CN110658770A (en) * | 2019-10-22 | 2020-01-07 | 深圳市芝麻自动化科技有限公司 | SAP manufacturing execution system data processing interface driving method |
CN111464345A (en) * | 2020-03-23 | 2020-07-28 | 广东电网有限责任公司 | Centralized equipment management system and method |
CN111526156A (en) * | 2020-04-30 | 2020-08-11 | 广州知弘科技有限公司 | Big data based security cloud platform system |
CN112929357A (en) * | 2021-02-01 | 2021-06-08 | 深信服科技股份有限公司 | Virtual machine data analysis method, device, equipment and storage medium |
CN114615089A (en) * | 2022-05-09 | 2022-06-10 | 远江盛邦(北京)网络安全科技股份有限公司 | Dynamic self-adaptive configuration method and device for server |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101018119A (en) * | 2007-02-09 | 2007-08-15 | 浪潮电子信息产业股份有限公司 | Hardware-based server network security centralized management system without relevance to the operation system |
CN101247263A (en) * | 2008-03-18 | 2008-08-20 | 浪潮电子信息产业股份有限公司 | Server centralized management method based on data link layer |
CN103124293A (en) * | 2012-12-31 | 2013-05-29 | 中国人民解放军理工大学 | Cloud data safe auditing method based on multi-Agent |
CN202975775U (en) * | 2012-12-23 | 2013-06-05 | 珠海市鸿瑞软件技术有限公司 | Security management platform |
CN103227797A (en) * | 2013-05-08 | 2013-07-31 | 上海电机学院 | Distributive management system of information network security for power enterprises |
WO2014056076A1 (en) * | 2012-10-08 | 2014-04-17 | Maintenance Assistant Inc. | System and method for populating assets to a maintenance management system |
CN104378364A (en) * | 2014-10-30 | 2015-02-25 | 广东电子工业研究院有限公司 | Collaborative analysis method of information security operation centers |
CN104392175A (en) * | 2014-11-26 | 2015-03-04 | 华为技术有限公司 | System and method and device for processing cloud application attack behaviors in cloud computing system |
CN106385416A (en) * | 2016-09-14 | 2017-02-08 | 北京鼎普科技股份有限公司 | Information safety system platform building method and information safety management platform |
Also Published As
Publication number | Publication date |
---|---|
CN107295021B (en) | 2021-06-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||