CN115333774A - Method, system, device and storage medium for security detection - Google Patents
- Publication number
- CN115333774A (application CN202210790545.1A)
- Authority
- CN
- China
- Prior art keywords
- data
- detected
- module
- security detection
- safety detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
- H04L43/062—Generation of reports related to network traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a security detection method, system, device and storage medium. Under the technical scheme of the application, the security detection result for a client is computed by an agent module and a security detection module deployed in the user environment rather than by the cloud server, and the result is uploaded to the cloud server once it has been obtained. First, data interaction between the client and the cloud is reduced, which lowers the user's traffic overhead. Second, computing resources of the cloud server are saved, which addresses the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load. Third, highly sensitive private data in the client can be checked locally, avoiding the risk of that data being stolen because it was uploaded to the cloud.
Description
Technical Field
The present application belongs to the field of computer technology, and in particular, relates to a method, system, device and storage medium for security detection.
Background
With the continual change in the external environment of the internet industry and the rapid development of cloud computing, many work platforms now deploy their workloads in a cloud environment for processing in order to adapt better to these changes.
In the related art, security detection of data on the cloud mainly works by collecting real-time data on the client, reporting it to the cloud, matching it against the corresponding security rules there, and finally generating a detection result.
However, this approach involves a large amount of data interaction between the client and the cloud server, including acquisition and transmission of machine software package information, uploading and downloading of detection data, frequent network requests, and so on, which increases the traffic overhead between the cloud and the user's devices and raises the user's cost.
Disclosure of Invention
The application provides a security detection method, system, device and storage medium, which address the problem in the related art that, in a cloud scenario, the large volume of data exchanged between a client and the cloud server increases the traffic overhead between the cloud and the user's devices.
An embodiment of a first aspect of the present application provides a security detection method, where the method is applied to an agent module deployed in a user environment, and includes:
receiving data to be detected uploaded by a client;
sending data to be detected, which needs to be subjected to security detection, to a security detection module, wherein the security detection module is deployed in the user environment;
and receiving a security detection result obtained by the security detection module performing security detection on the data to be detected, and sending the security detection result to a cloud server.
The embodiment of the second aspect of the present application provides a method for security detection, where the method is applied to a security detection module deployed in a user environment, and the method includes:
receiving data to be detected sent by an agent module deployed in the user environment;
carrying out security detection on the data to be detected to obtain a security detection result;
and sending the security detection result to the agent module so that the agent module forwards the security detection result to a cloud server.
An embodiment of a third aspect of the present application provides a security detection method, where the method is applied to a cloud server, and includes:
receiving a security detection result sent by the agent module, wherein the security detection result is obtained by performing security detection on data to be detected of a client by the security detection module, and the agent module and the security detection module are both deployed in a user environment;
and displaying the security detection result.
An embodiment of a fourth aspect of the present application provides a system for security detection, including:
the client is deployed in the user environment and used for sending the data to be detected to the agent module;
the agent module is deployed in the user environment and used for sending the received data to be detected to a security detection module and sending a security detection result to a cloud server after receiving the security detection result generated by the security detection module based on the data to be detected;
the security detection module is deployed in the user environment and used for receiving the data to be detected sent by the agent module, performing security detection on the data to be detected to obtain a security detection result and sending the security detection result to the agent module;
and the cloud server is used for receiving the security detection result sent by the agent module and then displaying it.
An embodiment of a fifth aspect of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the methods of the first, second, and third aspects.
An embodiment of a sixth aspect of the present application provides a computer-readable storage medium, on which a computer program is stored, where the program is executed by a processor to implement the methods described in the first, second, and third aspects.
The technical scheme provided in the embodiment of the application has at least the following technical effects or advantages:
In the embodiment of the application, the client deployed in the user environment sends the data to be detected to the agent module; the agent module, also deployed in the user environment, sends the received data to the security detection module and, after receiving the security detection result that the security detection module generates from that data, sends the result to the cloud server; the security detection module, deployed in the user environment, receives the data sent by the agent module, performs security detection on it to obtain a security detection result, and sends the result to the agent module; and the cloud server receives the security detection result sent by the agent module and displays it. Under this scheme the security detection result for the client is computed by the agent module and the security detection module deployed in the user environment rather than by the cloud server, and is uploaded to the cloud server once obtained. First, data interaction between the client and the cloud is reduced, which lowers the user's traffic overhead. Second, computing resources of the cloud server are saved, which addresses the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load. Third, highly sensitive private data in the client can be checked locally, avoiding the risk of that data being stolen because it was uploaded to the cloud.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
Various additional advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings.
In the drawings:
FIG. 1 is a schematic diagram illustrating a method for security detection provided by an embodiment of the present application;
FIG. 2 is a system architecture diagram illustrating a security detection system according to an embodiment of the present application;
FIG. 3 illustrates a flow chart of a method of security detection provided by an embodiment of the present application;
FIG. 4 illustrates another flow chart of a method for security detection provided by an embodiment of the present application;
FIG. 5 is a flow chart of a method of security detection provided by an embodiment of the present application;
FIG. 6 illustrates a system flow diagram for security detection provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram illustrating a further apparatus for security detection according to an embodiment of the present application;
FIG. 8 is a schematic diagram illustrating another apparatus for security detection provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of another security detection apparatus provided in an embodiment of the present application;
FIG. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 11 shows a schematic diagram of a storage medium provided in an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It is to be noted that, unless otherwise specified, technical terms or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which this application belongs.
A method, a system, a device and a storage medium for security detection according to embodiments of the present application are described below with reference to the accompanying drawings.
According to the method, the agent module deployed in the user environment receives the data to be detected and sends it to the security detection module; after receiving the security detection result that the security detection module generates from that data, it sends the result to the cloud server.
Referring to fig. 1, the method is applied to an agent module deployed in a user environment, and specifically includes the following steps:
Step 101: receive the data to be detected uploaded by the client.
The data to be detected uploaded by the client is not specifically limited. In one mode, it may be working data, including the data that needs to be security-checked and that corresponds to the security check rules, for example the system identifier, rpm package identifiers, process data and version number data.
As an example, the client may collect several kinds of working data from the user machine in advance and label the different types of data so that they can be distinguished, for example as system information, rpm package information and process information.
In one mode, the number of clients is not specifically limited in the embodiments of the present application; there may be one or more. One client may upload one or several items of data to be detected.
It can be understood that, in the embodiment of the application, a client does not need the capability to connect to services on the cloud, and the raw data of the user machine does not need to be collected and reported in full to the cloud server. Instead, an agent module with rule configuration and forwarding capability is deployed in the user environment; each client establishes a persistent (long-lived) TCP connection with the agent module and reports its data over that connection.
In one mode, the agent module in the present application may be one computing unit, one server, or a server cluster formed by multiple servers. For example, if the agent module is a server cluster, one agent module may be responsible for receiving the data to be detected uploaded by clients in a certain region or a certain scope of work.
Step 102: send the data to be detected that requires security detection to a security detection module, where the security detection module is deployed in the user environment.
The security detection module is not specifically limited in the embodiments of the present application; it may be, for example, a module for detecting data vulnerabilities, a module for detecting alarm information, or a module for checking file compliance, among others.
In one mode, there may be one or more security detection modules. In the embodiment of the application, after receiving the data to be detected, the agent module may send the data that requires security detection to one of the security detection modules, or it may send the data to several corresponding security detection modules according to the different types of security detection required.
In one mode, the security detection module in the present application may be a computing unit, a server, or a server cluster formed by multiple servers. By way of example, the security detection module and the agent module may be the same computing unit or the same server (i.e. deployed in different functional areas of one server), or different computing units or different servers. The present application is not limited in this respect.
In one mode, taking a data vulnerability detection server as the security detection module as an example: in the related art, a cloud SaaS vulnerability detection product mainly detects by collecting real-time data on the client and reporting it to the cloud for rule matching; by issuing a script to the user environment, executing the detection script on the machine for local detection, and finally reporting the result to the cloud; or by constructing network traffic with a scanner to remotely scan the assets the user exposes on the public network, and so on.
Furthermore, in a hybrid cloud scenario the user environment must communicate with the cloud product, which the user can achieve by deploying an agent or provisioning a dedicated line, ultimately obtaining a detection effect like that of on-cloud machine detection.
However, this vulnerability detection mode involves a large amount of data interaction, including collection and transmission of machine software package information, uploading and downloading of detection scripts, frequent network requests, and so on, which causes a series of problems in a cloud scenario. For example: whether uploading machine data to the cloud at all is compliant; the large potential traffic overhead that comes from relying on data exchange over the public network; the influence of network quality on the system's detection effectiveness; and the cost of a dedicated line.
To address these problems, the present application provides a security detection method that moves the cloud's vulnerability detection logic (or other security detection logic) down into the user environment, so that data acquisition, forwarding and security detection are performed directly in the user environment and only the detection result is reported by the agent module.
Step 103: receive the security detection result obtained by the security detection module performing security detection on the data to be detected, and send the security detection result to the cloud server.
In one mode, as shown in fig. 2, the system architecture diagram for security detection provided in the present application includes a client (client), an agent module (proxy) deployed in a user environment, a security detection module (vul-engine) deployed in the user environment, and a cloud server (server) in a cloud.
As can be seen from fig. 2, the client in the embodiment of the present application does not need the capability to communicate with services on the cloud as in the prior art, and does not need to collect the raw data of the user machine and report it in full to the cloud server. Instead, an agent module with rule configuration and forwarding capability is deployed in the user environment; each client establishes a persistent TCP connection with the agent module and reports its data over that connection.
Further, the agent module in the embodiment of the present application serves as the egress of the user environment and needs the capability to communicate with the cloud server. In one mode, once a persistent connection is established between each client and the agent module, the agent module transparently proxies and forwards each client's data to be detected over that bidirectional connection.
In one mode, the agent module also needs to maintain a separate persistent connection with the cloud server as its own channel, and over this channel it receives the preset matching rules (including the preset rate-limiting rule, the preset forwarding rule and so on) issued by the cloud server.
In addition, this channel also serves as the data channel through which the agent module reports security detection results. As an example, to implement security detection of the user environment, the security detection module needs to be deployed together with the agent module. The two may be deployed on the same server or on different servers; the present application is not limited in this respect.
In one mode, after receiving the data to be detected reported by the client over the persistent connection, the agent module may forward the data that passes the preset forwarding rule to the security detection module, and subsequently report the final security detection result to the cloud server.
It can be understood that, in the embodiment of the present application, moving the security detection steps down into the user environment greatly reduces data reporting and at the same time reduces the data storage and computation load on the server. In addition, network data transmission is reduced, bandwidth occupation is lower, the user's deployment cost falls, and the storage and computation load on the cloud server falls. Moreover, the system provides traffic statistics, bandwidth control, and configuration-based rate limiting and forwarding of data. It also makes expansion easier, gives users convenient access to their data, and lets customers build their own detection platform.
In the embodiment of the application, the client deployed in the user environment sends the data to be detected to the agent module; the agent module, also deployed in the user environment, sends the received data to the security detection module and, after receiving the security detection result that the security detection module generates from that data, sends the result to the cloud server; the security detection module, deployed in the user environment, receives the data sent by the agent module, performs security detection on it to obtain a security detection result, and sends the result to the agent module; and the cloud server receives the security detection result sent by the agent module and displays it. Under this scheme the security detection result for the client is computed by the agent module and the security detection module deployed in the user environment rather than by the cloud server, and is uploaded to the cloud server once obtained. First, data interaction between the client and the cloud is reduced, which lowers the user's traffic overhead. Second, computing resources of the cloud server are saved, which addresses the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load.
In an optional embodiment, after receiving the data to be detected uploaded by the client, the method further includes:
determining, based on a preset matching rule issued by the cloud server, whether the data to be detected needs to undergo security detection;
if yes, sending the data to be detected to the security detection module;
and if not, discarding the data to be detected and sending a notification message about the discard event to the cloud server.
In one mode, after the agent module collects the data to be detected uploaded by the client, it determines whether that data needs security detection based on the preset matching rule issued by the cloud server.
As an example, if security detection is required, the data to be detected is sent to the security detection module. As another example, if it is not required, the agent module may discard the data (treat it as invalid) in order to avoid unnecessary interaction with the security detection module. In one mode, it also needs to send a notification message about this discard event to the cloud server, so that the server learns the client's collection state in time.
In an optional embodiment, when the preset matching rule includes a preset rate-limiting rule and a preset forwarding rule, determining whether the data to be detected needs security detection based on the preset matching rule issued by the cloud server includes:
determining, based on the preset rate-limiting rule, whether the data to be detected needs to be rate-limited; and
determining, based on the preset forwarding rule, whether the data to be detected needs to undergo security detection.
In one mode, for rate-limit matching, the agent module may measure the traffic of the current network environment according to the preset rate-limiting rule to determine whether the current network environment can carry the forwarded data. It can be appreciated that, if it can, the data to be detected does not need to be rate-limited; otherwise, it is determined that the data to be detected needs to be rate-limited.
In another mode, for forwarding matching, the agent module may match the data against the preset forwarding rule to determine whether any of the data to be detected requires security detection. It can be understood that, if none does, the step of forwarding the data to be detected to the security detection module is not required; otherwise, it is determined that the data to be detected needs to be forwarded to the security detection module.
In one mode, the agent module maintains a bidirectional connection for each client, achieves load balancing through cluster deployment, rate-limits the raw data reported by clients according to the rules issued by the server, and either reports the raw data directly or forwards it.
As an example, within a given time window the agent module may count the number of corresponding events, collect information that represents its own workload state (such as its load level, or "water level"), and report this information to the cloud server. For each type of working data reported by the client, a corresponding rule can be configured by tag: the rate-limiting rule supports bandwidth and QPS limits, and the forwarding rule supports forwarding the working data to a local scanning engine, reporting it to the cloud, or writing it to a local file, which makes it easy for users to access their data and to build their own management platform.
In an optional embodiment, after obtaining the preset forwarding rule sent by the cloud server, the method further includes:
determining a data label which is contained in a preset forwarding rule and needs to be subjected to security detection;
determining whether the data to be detected contains data corresponding to the data tag;
if yes, sending the data to be detected to a safety detection module; or, sending the data corresponding to the data label to the security detection module.
In one mode, after receiving the data to be detected reported by the client over the persistent connection, the agent module forwards to the security detection module either the required data (i.e. the data corresponding to the data tag; for example, when the data tag points to a preset version, the data in that preset version is the data corresponding to the tag) or all of the data to be detected, as filtered by the preset forwarding rule, and subsequently reports the final detection result to the cloud service. By moving the scanning engine down into the user environment, data reporting is greatly reduced and the data storage and computation load on the server is lowered.
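As an added example (not the patent's code), the following shows how an agent module deployed in the user environment could apply the preset rate-limiting and forwarding rules described above: client reports carry labelled sections (system, rpm, process, ...), only the sections whose tag the forwarding rule names leave the user environment, each tag is routed to the local detection engine, the cloud or a local file, reports beyond the window's rate budget are dropped with a discard notification, and per-tag counts are kept for the workload report. The rule format, field names, destination names and all sample reports are constructed assumptions.

```python
# Added example (not the patent's code): agent-side matching of the cloud's
# preset rate-limiting and forwarding rules. Rule format, field names and all
# sample data are constructed assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PresetRules:
    """Matching rules issued by the cloud server (format assumed)."""
    max_events_per_window: int   # rate-limiting rule: client reports allowed per time window
    forward: Dict[str, str]      # forwarding rule: data tag -> "engine" | "cloud" | "file"


@dataclass
class AgentOutput:
    """Where the agent routed each labelled section, plus what it told the cloud."""
    to_engine: List[dict] = field(default_factory=list)        # forwarded to the local detection module
    to_cloud: List[dict] = field(default_factory=list)         # reported straight to the cloud server
    to_file: List[dict] = field(default_factory=list)          # written to a local file (user's own platform)
    discard_notices: List[dict] = field(default_factory=list)  # discard-event notifications for the cloud
    tag_counts: Dict[str, int] = field(default_factory=dict)   # per-tag counts for the workload report


class AgentModule:
    def __init__(self, rules: PresetRules):
        self.rules = rules
        self.events_in_window = 0

    def start_window(self) -> None:
        """Reset the rate-limiting counter at the start of a new time window."""
        self.events_in_window = 0

    def handle_report(self, client_id: str, report: Dict[str, object], out: AgentOutput) -> None:
        """Apply the rules to one client report of labelled sections,
        e.g. {"system": {...}, "rpm": [...], "process": [...]}."""
        # Rate-limiting rule: once the window budget is spent, drop the report
        # and notify the cloud so it knows the client's collection state.
        if self.events_in_window >= self.rules.max_events_per_window:
            out.discard_notices.append({"client": client_id, "reason": "rate_limited"})
            return
        self.events_in_window += 1

        # Forwarding rule: only sections whose tag the rule names are passed on;
        # everything else stays inside the user environment.
        sinks = {"engine": out.to_engine, "cloud": out.to_cloud, "file": out.to_file}
        matched = False
        for tag, payload in report.items():
            out.tag_counts[tag] = out.tag_counts.get(tag, 0) + 1
            destination = self.rules.forward.get(tag)
            if destination is None:
                continue
            matched = True
            sinks[destination].append({"client": client_id, "tag": tag, "data": payload})

        if not matched:
            # Nothing in this report is of interest to any detector: discard and record.
            out.discard_notices.append({"client": client_id, "reason": "no_tag_required"})


def run_agent_demo() -> AgentOutput:
    """Feed three constructed client reports through one time window with a budget of two."""
    rules = PresetRules(
        max_events_per_window=2,
        forward={"rpm": "engine", "process": "engine", "system": "file"},
    )
    agent = AgentModule(rules)
    out = AgentOutput()
    agent.start_window()
    # Constructed sample reports (hostnames, packages and processes are not real).
    agent.handle_report("host-a", {
        "system": {"os": "example-linux", "kernel": "0.0.0-constructed"},
        "rpm": [{"name": "examplelib", "version": "1.2.3"}],
        "process": [{"pid": 4242, "name": "exampled"}],
    }, out)
    agent.handle_report("host-b", {"cron": ["* * * * * /opt/example/job"]}, out)   # no tag the rule wants
    agent.handle_report("host-c", {"rpm": [{"name": "examplelib", "version": "1.0.0"}]}, out)  # over budget
    return out


if __name__ == "__main__":
    result = run_agent_demo()
    print("to engine:", [(r["client"], r["tag"]) for r in result.to_engine])
    print("discard notices:", result.discard_notices)
    print("tag counts:", result.tag_counts)
```

The rate-limit check runs before the forwarding check, matching the order in the embodiment (rate limiting first, then forwarding), and a dropped report still produces a notification so the cloud can distinguish "client silent" from "agent throttling".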
In an optional embodiment, before receiving the to-be-detected data uploaded by the client, the method further includes:
obtaining a preset forwarding rule sent by the cloud server, where the preset forwarding rule indicates the data types that need security detection and the corresponding data tags;
and sending the preset forwarding rule to a safety detection module.
In one mode, fig. 3 is a schematic diagram of the security detection method provided in the present application, taking as an example a hybrid cloud agent module as the agent module and a vulnerability detection server (vul-engine) as the security detection module, where:
first, the client acquires its own host data and labels the different types of data, distinguishing system information, rpm package information, process information and so on, thereby generating the data to be detected;
then, after the client reports the data to be detected to the agent module, the hybrid cloud agent module checks the preset matching rule by identifying the data tag: if the rate-limiting rule is triggered, it discards the data to be detected and records an event; if the data type is one the vulnerability detection server needs to attend to, it forwards the data to the vulnerability detection server;
furthermore, the vulnerability detection server matches the data to be detected against its vulnerability rules, generates a vulnerability finding, and reports it to the cloud through the agent module. As an example, if the data to be detected is of a type that does not currently need attention or carries no security risk, the event may be discarded directly and recorded.
Under the technical scheme of the application, the security detection result for the client is computed by the agent module and the security detection module deployed in the user environment rather than by the cloud server, and is uploaded to the cloud server once obtained. First, data interaction between the client and the cloud is reduced, which lowers the user's traffic overhead. Second, computing resources of the cloud server are saved, which addresses the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load.
Referring to fig. 4, an embodiment of the present application further provides a security detection method applied to a security detection module deployed in a user environment, the method including:
Step 201: receiving data to be detected sent by the agent module deployed in the user environment.
The security detection module is not specifically limited in the embodiments of the present application; it may be, for example, a security detection module for detecting data vulnerabilities, a security detection module for detecting alarm information, or a security detection module for detecting file compliance, and so on.
In one mode, there may be one or more security detection modules. In the embodiment of the application, after receiving the data to be detected, the agent module may send the data to be detected that requires security detection to one of the security detection modules, or may selectively send it to several corresponding security detection modules according to the different types of security detection.
Step 202: performing security detection on the data to be detected to obtain a security detection result.
Step 203: sending the security detection result to the agent module, so that the agent module forwards the security detection result to the cloud server.
In one mode, the security detection module determines, according to the forwarding rule issued by the cloud server, the data tag that requires security detection (the data tag may be set by an administrator as needed, for example the system type, rpm package version information, and the like). The security detection of the data to be detected then relies on the data contained in the data reported by the client that corresponds to the data tag, such as the system type, rpm package version information and version information of the middleware associated with a process, and thereby yields a security detection result.
Further, as before, the client collects its host data and marks the different types of data, so that data types such as system information, rpm package information and process information are distinguished, and the data to be detected is generated.
Then, after the client reports the data to be detected to the agent module, the cloud agent module evaluates the preset matching rules by identifying the data tag: if the rate limiting rule is triggered, the data to be detected is discarded and an event is recorded; if the data type is one the security detection module needs to attend to, the data is forwarded to the security detection module (the vulnerability detection server in the example above).
Further, the security detection module performs security rule matching on the data to be detected, generates a security detection result, and reports it to the cloud through the agent module. As an example, if the data to be detected is of a data type that currently needs no attention, or carries no security risk, the security detection module may discard the data to be detected directly and record the event.
By applying the technical scheme of the application, the security detection result of the client is computed by the agent module and the security detection module deployed in the user environment rather than by the cloud server, and is uploaded to the cloud server once obtained. On one hand, data interaction between the client and the cloud is reduced, which reduces the user's traffic overhead. On the other hand, the computing resources of the cloud server are saved, which solves the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load.
In an optional embodiment, before receiving the data to be detected sent by the agent module, the method further includes:
receiving a preset forwarding rule sent by the agent module, where the preset forwarding rule is issued to the agent module by the cloud server.
In an optional embodiment, after receiving the data to be detected sent by the agent module, the method further includes:
determining, based on the preset forwarding rule, the data tag that requires security detection;
selecting, from the data to be detected, the data corresponding to the data tag; and
performing security detection on the data corresponding to the data tag to obtain the security detection result.
In one mode, for forwarding matching, the security detection module may perform the corresponding security detection on the data to be detected according to the preset forwarding rule: the corresponding data to be detected is determined from the data tag in the preset forwarding rule, and that data is then subjected to security detection to obtain the security detection result.
For example, when the data tag points to version 1.0 of system A, all data belonging to version 1.0 of system A in the data to be detected sent by the client is the data corresponding to the data tag; the security detection module performs security detection on the data of version 1.0 of system A, obtains a security detection result, and sends it to the agent module.
In an optional embodiment, if it is determined that the data to be detected yields a security detection result indicating no security risk, that security detection result is not processed further.
As an example, if the data to be detected yields a security detection result indicating a security risk, the result must be sent to the agent module immediately so that it can subsequently be fed back to the cloud server.
As another example, if the data to be detected yields a security detection result indicating no security risk, the security detection module may discard or invalidate the data to be detected in order to avoid unnecessary interaction with the agent module. In one mode, the discard event should be recorded so that the user can review it later.
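As an added example that is not part of the patent, the following Python model puts together the agent-side flow of fig. 3 (the rate limiting rule, then the forwarding rule keyed on data tags, with every discard recorded as an event) and the security detection module's tag-based selection and rule matching described above, including the case where a result without security risk is discarded rather than forwarded. The tag names, version strings, rule contents, client identifiers and finding identifiers are all constructed placeholders.

```python
"""Added illustration of the agent module and security detection module
described in the patent; all tags, rules and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    tag: str                 # data tag set by the client, e.g. "system", "rpm", "process"
    payload: Dict[str, str]


@dataclass
class ForwardingRule:
    tags: frozenset          # data tags the security detection module needs


@dataclass
class RateLimitRule:
    max_records: int         # records accepted per reporting window (constructed model)


@dataclass
class AgentModule:
    """Agent deployed in the user environment: applies the preset matching rules."""
    forwarding: ForwardingRule
    rate_limit: RateLimitRule
    events: List[Tuple[str, str, int]] = field(default_factory=list)  # reported to cloud
    window_count: int = 0

    def handle_report(self, client_id: str, records: List[Record]) -> List[Record]:
        # Rate limiting rule first: an over-limit report is dropped whole and recorded.
        if self.window_count + len(records) > self.rate_limit.max_records:
            self.events.append(("rate_limited", client_id, len(records)))
            return []
        self.window_count += len(records)
        # Forwarding rule: only records whose tag is needed go to the detection module.
        selected = [r for r in records if r.tag in self.forwarding.tags]
        if not selected:
            self.events.append(("no_matching_tag", client_id, len(records)))
        return selected


@dataclass
class VulnRule:
    """Constructed vulnerability rule: a package older than fixed_version is affected."""
    package: str
    fixed_version: Tuple[int, ...]
    finding_id: str          # placeholder identifier, not a real advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple, e.g. "1.0.2" -> (1, 0, 2)."""
    return tuple(int(part) for part in text.split("."))


class SecurityDetectionModule:
    """Detection module deployed in the user environment (vul-engine in the example)."""

    def __init__(self, rules: List[VulnRule]):
        self.rules = rules
        self.forwarding: Optional[ForwardingRule] = None
        self.events: List[Tuple[str, int]] = []      # discard events kept for review

    def receive_forwarding_rule(self, rule: ForwardingRule) -> None:
        self.forwarding = rule  # rule issued by the cloud server via the agent

    def detect(self, records: List[Record]) -> List[Dict[str, str]]:
        """Select records by data tag, match rules, return findings (empty = no risk)."""
        findings = []
        for rec in records:
            if self.forwarding is not None and rec.tag not in self.forwarding.tags:
                continue
            if rec.tag != "rpm":        # only the rpm rules are modelled here
                continue
            installed = parse_version(rec.payload["version"])
            for rule in self.rules:
                if rec.payload["name"] == rule.package and installed < rule.fixed_version:
                    findings.append({"finding": rule.finding_id, "package": rule.package,
                                     "installed": rec.payload["version"]})
        if not findings:
            # No security risk: nothing is sent back to the agent, but the discard is recorded.
            self.events.append(("no_risk_discarded", len(records)))
        return findings


def run_pipeline(client_id: str, records: List[Record], agent: AgentModule,
                 detector: SecurityDetectionModule) -> List[Dict[str, str]]:
    """Client report -> agent matching rules -> detection module -> result for the cloud."""
    forwarded = agent.handle_report(client_id, records)
    return detector.detect(forwarded) if forwarded else []


# Constructed sample rules and client report.
FORWARDING = ForwardingRule(frozenset({"system", "rpm"}))
RATE_LIMIT = RateLimitRule(max_records=10)
RULES = [VulnRule("openssl", (1, 1, 1), "VULN-PLACEHOLDER-1"),
         VulnRule("bash", (4, 4), "VULN-PLACEHOLDER-2")]
CLIENT_REPORT = [
    Record("system", {"os": "ExampleOS", "version": "8.4"}),
    Record("rpm", {"name": "openssl", "version": "1.0.2"}),   # older than fix: finding
    Record("rpm", {"name": "bash", "version": "5.1"}),        # newer than fix: no finding
    Record("process", {"pid": "4242", "name": "nginx"}),      # tag not forwarded
]


def demo():
    agent = AgentModule(FORWARDING, RATE_LIMIT)
    detector = SecurityDetectionModule(RULES)
    detector.receive_forwarding_rule(FORWARDING)
    findings = run_pipeline("host-1", CLIENT_REPORT, agent, detector)
    burst = [Record("rpm", {"name": "bash", "version": "5.1"})] * 8   # exceeds the window
    late = run_pipeline("host-2", burst, agent, detector)
    return findings, late, agent.events, detector.events
```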
Referring to fig. 5, an embodiment of the present application further provides a security detection method applied to a cloud server, the method including:
S301: receiving a security detection result sent by the agent module, where the security detection result is obtained by the security detection module performing security detection on the data to be detected of the client, and the agent module and the security detection module are both deployed in the user environment.
S302: displaying the security detection result.
The cloud server in the embodiment of the present application may be responsible for key management, rule configuration management, detection statistics and display of the security detection result, with the keys and rule configuration being issued to the agent module.
Key management mainly concerns the encryption and decryption of the data to be detected reported by the client, so that plaintext transmission of the data is avoided. Rule configuration refers to the rules that take effect on the agent side, including the preset rate limiting rule, the preset forwarding rule, and the like.
Optionally, the agent module may collect in real time detection-related information such as rate limiting events, the number of client connections and the machine water level (load level), and report it to the cloud server, so that the cloud server can manage the agent module centrally and the stability of the agent module is ensured. In one mode, the security detection module outputs a security detection result, and the cloud server performs final processing (for example storage and de-duplication) on the final security detection result reported by the agent module and then displays it on the console.
In a possible implementation, in the user environment the agent module may perform for the client the main functions of event statistics, network throttling, connection management, transparent proxying, rule management, key management, load balancing, configuration forwarding, and the like.
In an optional embodiment, before receiving the security detection result sent by the agent module, the method further includes:
issuing a preset forwarding rule to the agent module, where the preset forwarding rule indicates the type of security detection to be performed and the corresponding data tag; and
issuing a rate limiting detection rule to the agent module, where the rate limiting detection rule instructs the agent module to determine, according to the network environment, whether to rate-limit the data to be detected.
By applying the technical scheme of the application, the security detection result of the client is computed not by the cloud server but by the agent module and the security detection module deployed in the user environment, and is uploaded to the cloud server once obtained. On one hand, data interaction between the client and the cloud is reduced, which reduces the user's traffic overhead. On the other hand, the computing resources of the cloud server are saved, which solves the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load.
The embodiment of the present application further provides a security detection system for executing the operations performed by the agent module, the security detection module and the client in the security detection method provided in any of the above embodiments. The system includes:
a client deployed in the user environment, configured to send the data to be detected to the agent module;
an agent module deployed in the user environment, configured to send the received data to be detected to a security detection module and, after receiving the security detection result generated by the security detection module from the data to be detected, to send the security detection result to a cloud server;
a security detection module deployed in the user environment, configured to receive the data to be detected sent by the agent module, perform security detection on it to obtain a security detection result, and send the security detection result to the agent module; and
a cloud server configured to receive the security detection result sent by the agent module and then display it.
Fig. 6 is a schematic diagram of the operations executed by the agent module, the security detection module and the client when the security detection system provided by the present application performs the security detection method of any of the above embodiments, where:
First, the client collects its host data and marks the different types of data, so that data types such as system information, rpm package information and process information are distinguished, and the data to be detected is generated.
Then, after the client reports the data to be detected to the agent module, the hybrid cloud agent module evaluates the preset matching rules by identifying the data tag: if the rate limiting rule is triggered, the data to be detected is discarded and an event is recorded; if the data type is one the vulnerability detection server needs to attend to, the data is forwarded to the vulnerability detection server.
Further, the vulnerability detection server performs vulnerability rule matching on the data to be detected, generates the vulnerability finding, and reports it to the cloud through the agent module. As an example, if the data to be detected is of a data type that currently needs no attention, or carries no security risk, the event may be discarded directly and recorded.
By applying the technical scheme of the application, the security detection result of the client is computed by the agent module and the security detection module deployed in the user environment rather than by the cloud server, and is uploaded to the cloud server once obtained. On one hand, data interaction between the client and the cloud is reduced, which reduces the user's traffic overhead. On the other hand, the computing resources of the cloud server are saved, which solves the problem that the accuracy and real-time performance of security detection cannot be guaranteed when the cloud server is under high load.
The security detection device provided by the above embodiment of the present application and the security detection method provided by the embodiment of the present application are based on the same inventive concept, and have the same beneficial effects as the method adopted, run or implemented by the application program stored in the device.
The embodiments of the present application further provide a security detection apparatus configured to perform the operations of the security detection method provided in any of the embodiments. As shown in fig. 7, the apparatus is applied to an agent module deployed in a user environment and includes:
a first receiving module 301, configured to receive data to be detected uploaded by a client;
a first sending module 302, configured to send the data to be detected that requires security detection to a security detection module, where the security detection module is deployed in the user environment; and
a second receiving module 303, configured to receive the security detection result obtained by the security detection module performing security detection on the data to be detected, and to send the security detection result to the cloud server.
In another embodiment of the present application, the first sending module 302 is configured to perform the following steps:
determining, based on a preset matching rule issued by the cloud server, whether the data to be detected requires security detection;
if so, sending the data to be detected to the security detection module;
if not, discarding the data to be detected and sending a notification message of the discard event to the cloud server.
In another embodiment of the present application, the first sending module 302 is configured to perform the following steps:
determining, based on the preset rate limiting rule, whether the data to be detected needs to be rate-limited; and
determining, based on the preset forwarding rule, whether the data to be detected requires security detection.
In another embodiment of the present application, the first sending module 302 is configured to perform the following steps:
determining the data tag, included in the preset forwarding rule, that requires security detection;
determining whether the data to be detected contains data corresponding to the data tag;
if so, sending the data to be detected to the security detection module, or sending the data corresponding to the data tag to the security detection module.
In another embodiment of the present application, the first sending module 302 is configured to perform the following steps:
acquiring a preset forwarding rule sent by the cloud server, where the preset forwarding rule indicates the type of security detection to be performed and the corresponding data tag; and
sending the preset forwarding rule to the security detection module.
The embodiment of the present application further provides a security detection apparatus configured to perform the operations of the security detection method provided in any of the above embodiments. As shown in fig. 8, the apparatus is applied to a security detection module deployed in a user environment and includes:
a second receiving module 304, configured to receive data to be detected sent by an agent module deployed in the user environment;
a detection module 305, configured to perform security detection on the data to be detected to obtain a security detection result; and
a third sending module 306, configured to send the security detection result to the agent module, so that the agent module forwards the security detection result to a cloud server.
In another embodiment of the present application, the detection module 305 is configured to perform the following step:
receiving a preset forwarding rule sent by the agent module, where the preset forwarding rule is issued to the agent module by the cloud server.
In another embodiment of the present application, the detection module 305 is configured to perform the following steps:
determining, based on the preset forwarding rule, the data tag that requires security detection;
selecting, from the data to be detected, the data corresponding to the data tag; and
performing security detection on the data corresponding to the data tag to obtain the security detection result.
In another embodiment of the present application, the detection module 305 is configured to perform the following step:
if the data to be detected yields a security detection result indicating no security risk, not processing that security detection result further.
The embodiments of the present application further provide a security detection apparatus configured to perform the operations of the security detection method provided in any of the embodiments. As shown in fig. 9, the apparatus is applied to a security detection module deployed in a user environment and includes:
a third receiving module 307, configured to receive a security detection result sent by the agent module, where the security detection result is obtained by the security detection module performing security detection on the data to be detected of a client, and the agent module and the security detection module are both deployed in the user environment; and
a display module 308, configured to display the security detection result.
In another embodiment of the present application, the display module 308 is configured to perform the following steps:
issuing a preset forwarding rule to the agent module, where the preset forwarding rule indicates the type of security detection to be performed and the corresponding data tag; and
issuing a rate limiting detection rule to the agent module, where the rate limiting detection rule instructs the agent module to determine, according to the network environment, whether to rate-limit the data to be detected.
The security detection device provided by the above embodiment of the present application and the security detection method provided by the embodiment of the present application have the same advantages, the method being that adopted, run or implemented by the application program stored in the security detection device.
The embodiment of the application further provides an electronic device for executing the security detection method. Fig. 10 is a schematic diagram of an electronic device provided in some embodiments of the present application. As shown in fig. 10, the electronic device 4 includes a processor 400, a memory 401, a bus 402 and a communication interface 403, where the processor 400, the communication interface 403 and the memory 401 are connected through the bus 402; the memory 401 stores a computer program executable on the processor 400, and the processor 400 executes the computer program to perform the security detection method provided in any of the foregoing embodiments of the present application.
The memory 401 may include a high-speed random access memory (RAM) and may further include a non-volatile memory, such as at least one disk memory. The communication connection between the network element of the apparatus and at least one other network element is realized through at least one communication interface 403 (wired or wireless), over which the Internet, a wide area network, a local area network, a metropolitan area network, etc. may be used.
The electronic device provided by the embodiment of the application and the security detection method provided by the embodiment of the application are based on the same inventive concept and have the same beneficial effects as the method adopted, run or implemented by the electronic device.
Referring to fig. 11, the computer-readable storage medium is an optical disc 50 on which a computer program (that is, a program product) is stored; when executed by a processor, the computer program performs the security detection method provided by any of the foregoing embodiments.
It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, or other optical and magnetic storage media, which are not described in detail here.
The computer-readable storage medium provided by the above embodiment of the present application and the security detection method provided by the embodiment of the present application have the same beneficial effects as the method adopted, executed or implemented by the application program stored in the computer-readable storage medium.
It should be noted that:
in the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the application, various features of the application are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the application and aiding the understanding of one or more of the various inventive aspects. However, this manner of disclosure should not be interpreted as reflecting the following intention: that this application covers such departures from the present disclosure as come within known or customary practice in the art to which this invention pertains. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this application.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The above description is only of the preferred embodiments of the present application; the scope of the present application is not limited thereto, and any change or substitution that can be easily conceived by those skilled in the art within the technical scope of the present application shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (14)
1. A method for security detection, the method being applied to an agent module deployed in a user environment, and comprising:
receiving data to be detected uploaded by a client;
sending the data to be detected that requires security detection to a security detection module, wherein the security detection module is deployed in the user environment; and
receiving a security detection result obtained by the security detection module performing security detection on the data to be detected, and sending the security detection result to a cloud server.
2. The method according to claim 1, further comprising, after receiving the data to be detected uploaded by the client, the following steps:
determining, based on a preset matching rule issued by the cloud server, whether the data to be detected requires security detection;
if so, sending the data to be detected to the security detection module;
if not, discarding the data to be detected and sending a notification message of the discard event to the cloud server.
3. The method according to claim 2, wherein the preset matching rules include a preset rate limiting rule and a preset forwarding rule, and determining, based on the preset matching rule issued by the cloud server, whether the data to be detected requires security detection comprises:
determining, based on the preset rate limiting rule, whether the data to be detected needs to be rate-limited; and
determining, based on the preset forwarding rule, whether the data to be detected requires security detection.
4. The method according to claim 3, wherein after acquiring the preset forwarding rule sent by the cloud server, the method further comprises:
determining the data tag, included in the preset forwarding rule, that requires security detection;
determining whether the data to be detected contains data corresponding to the data tag;
if so, sending the data to be detected to the security detection module, or sending the data corresponding to the data tag to the security detection module.
5. The method according to claim 1, further comprising, before receiving the data to be detected uploaded by the client, the following steps:
acquiring a preset forwarding rule sent by the cloud server, wherein the preset forwarding rule indicates the type of security detection to be performed and the corresponding data tag; and
sending the preset forwarding rule to the security detection module.
6. A method for security detection, applied to a security detection module deployed in a user environment, comprising:
receiving data to be detected sent by an agent module deployed in the user environment;
performing security detection on the data to be detected to obtain a security detection result; and
sending the security detection result to the agent module so that the agent module forwards the security detection result to a cloud server.
7. The method according to claim 6, further comprising, before receiving the data to be detected sent by the agent module:
receiving a preset forwarding rule sent by the agent module, wherein the preset forwarding rule is issued to the agent module by the cloud server.
8. The method according to claim 7, further comprising, after receiving the data to be detected sent by the agent module:
determining, based on the preset forwarding rule, the data tag that requires security detection;
selecting, from the data to be detected, the data corresponding to the data tag; and
performing security detection on the data corresponding to the data tag to obtain the security detection result.
9. The method according to claim 6, further comprising:
if the data to be detected yields a security detection result indicating no security risk, not processing that security detection result further.
10. A security detection method is applied to a cloud server and comprises the following steps:
receiving a security detection result sent by the agent module, wherein the security detection result is obtained by performing security detection on data to be detected of a client by the security detection module, and the agent module and the security detection module are both deployed in a user environment;
and displaying the safety detection result.
11. The method according to claim 10, further comprising, before said receiving the security detection result sent by the agent module:
issuing a preset forwarding rule to the agent module, wherein the preset forwarding rule is used for indicating the type of safety detection and a corresponding data tag; and the number of the first and second groups,
and issuing a current limiting detection rule to the agent module, wherein the current limiting detection rule is used for indicating the agent module to determine whether to limit the current of the data to be detected according to a network environment.
12. A system for security detection, the system comprising:
the client is deployed in the user environment and used for sending the data to be detected to the agent module;
the agent module is deployed in the user environment and used for sending the received data to be detected to a security detection module and sending a security detection result to a cloud server after receiving the security detection result generated by the security detection module based on the data to be detected;
the safety detection module is deployed in the user environment and used for receiving the data to be detected sent by the agent module, carrying out safety detection on the data to be detected to obtain a safety detection result and sending the safety detection result to the agent module;
and the cloud server is used for receiving the safety detection result sent by the agent module and then displaying the safety detection result.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the computer program to implement the method of any one of claims 1-11.
14. A computer-readable storage medium, on which a computer program is stored, characterized in that the program is executed by a processor to implement the method of any of claims 1-11.
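The agent-module workflow of claims 10 to 12, as an added Python illustration that is not part of the patent: the forwarding rule maps a data tag to a detection type, the rate-limiting ("current limiting") rule caps forwarding when the network is degraded, the detection runs locally, and only the verdict is sent to the cloud. The detection markers, the placeholder digest and the per-window limit are constructed assumptions.

```python
"""Constructed illustration of the agent module in claims 10-12 (not the
patent's code): data stays in the user environment, is routed by data tag,
is rate-limited when the network is degraded, and only the verdict goes out."""

# Preset forwarding rule (claim 11): data tag -> type of security detection.
FORWARDING_RULE = {"web_log": "injection_scan", "upload": "malware_scan"}
# Constructed detection content for the local security detection module.
INJECTION_MARKERS = ("' or 1=1", "union select")
KNOWN_BAD_SHA256 = {"deadbeef" * 8}  # placeholder digest, constructed


class LocalDetector:
    """Security detection module deployed in the user environment."""
    def detect(self, detection_type, payload):
        if detection_type == "injection_scan":
            hit = any(m in payload.lower() for m in INJECTION_MARKERS)
        elif detection_type == "malware_scan":
            hit = payload in KNOWN_BAD_SHA256  # payload is a file digest here
        else:
            raise ValueError(f"unsupported detection type {detection_type}")
        return "malicious" if hit else "clean"


class Agent:
    """Agent module: applies the forwarding and rate-limiting rules locally."""
    def __init__(self, forwarding_rule, limit_when_degraded, detector, cloud):
        self.forwarding_rule = forwarding_rule
        self.limit_when_degraded = limit_when_degraded  # items per window
        self.detector, self.cloud = detector, cloud
        self.sent_this_window = 0

    def handle(self, tag, payload, network_degraded):
        detection_type = self.forwarding_rule.get(tag)
        if detection_type is None:
            return "dropped"  # no rule for this tag: nothing is forwarded
        # Rate-limiting rule: under a degraded network, cap items per window.
        if network_degraded and self.sent_this_window >= self.limit_when_degraded:
            return "rate_limited"
        self.sent_this_window += 1
        verdict = self.detector.detect(detection_type, payload)
        # Only the verdict leaves the user environment; the payload never does.
        self.cloud.append({"tag": tag, "type": detection_type, "verdict": verdict})
        return verdict


def run_demo(network_degraded=True):
    """Run four constructed items through the agent; returns (statuses, cloud)."""
    cloud = []
    agent = Agent(FORWARDING_RULE, 2, LocalDetector(), cloud)
    items = [("web_log", "GET /?id=1' OR 1=1 --"), ("upload", "deadbeef" * 8),
             ("web_log", "GET /index.html"), ("metrics", "cpu=0.3")]
    return [agent.handle(t, p, network_degraded) for t, p in items], cloud
```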
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210790545.1A CN115333774A (en) | 2022-07-06 | 2022-07-06 | Method, system, device and storage medium for security detection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115333774A true CN115333774A (en) | 2022-11-11 |
Family
ID=83917255
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210790545.1A Pending CN115333774A (en) | 2022-07-06 | 2022-07-06 | Method, system, device and storage medium for security detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115333774A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140237538A1 (en) * | 2013-02-21 | 2014-08-21 | International Business Machines Corporation | Input prediction in a database access control system |
CN108234223A (en) * | 2018-04-19 | 2018-06-29 | 郑州云海信息技术有限公司 | A kind of security service design method of data center's total management system |
US20190140926A1 (en) * | 2017-11-03 | 2019-05-09 | International Business Machines Corporation | System and method for detecting changes in cloud service up-time |
CN109885399A (en) * | 2019-01-17 | 2019-06-14 | 平安普惠企业管理有限公司 | Data processing method, electronic device, computer equipment and storage medium |
CN113127320A (en) * | 2021-04-08 | 2021-07-16 | 支付宝(杭州)信息技术有限公司 | Application program abnormity detection method, device, equipment and system |
CN113342772A (en) * | 2021-05-11 | 2021-09-03 | 浪潮卓数大数据产业发展有限公司 | Cloud storage method, equipment and medium capable of being locally deployed |
WO2022073340A1 (en) * | 2020-10-09 | 2022-04-14 | 平安科技(深圳)有限公司 | Mobile terminal application security detection method and system, terminal, and storage medium |
CN114450920A (en) * | 2019-11-20 | 2022-05-06 | 阿里巴巴集团控股有限公司 | Distributed security detection system, method, device and storage medium |
CN114615035A (en) * | 2022-02-28 | 2022-06-10 | 亚信科技(成都)有限公司 | Security detection method, server and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |