CN103916376A - Cloud system with attack protection mechanism and its protection method - Google Patents
- Publication number: CN103916376A
- Application number: CN201310007908.0A
- Authority: CN (China)
- Prior art keywords: main frame, server, safety regulation, host, attack
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The present invention discloses a cloud system with an attack protection mechanism and a protection method thereof. The system comprises a security center server, a monitoring server and a host. After the host boots, it accepts deployment from the monitoring server, which installs a sensing program and a local security rule that the host runs. The host monitors itself through the sensing program and reports to the monitoring server when any item of data exceeds a threshold value. The monitoring server determines from the reported data whether the host is under attack and, when it determines that it is, notifies the security center server. On receiving the notification, the security center server analyzes the related data to determine what kind of attack the host has suffered and generates a new security rule from the analysis. Finally, the security center server redeploys the attacked host according to the new security rule, updating the local security rule running on the host.
Description
Technical field
The present invention relates to cloud systems, and in particular to a cloud system with an attack protection mechanism and the protection method used by that cloud system.
Background
Generally speaking, when a cloud system is attacked (for example, a hacker intrudes from outside, or a host is implanted with a Trojan horse and launches an attack from inside), the attack must be assessed by an administrator once it is noticed, or analyzed with an algorithm, to obtain information such as the attack's pattern, source and purpose.
Moreover, besides finding that information, a solution must also be worked out. Only then can the administrator log in to the attacked host and manually modify its internal settings according to the solution, so that the host can eliminate the attack.
Furthermore, some cloud systems add a filtering server that provides packet filtering. All packets entering the cloud system, carrying data and/or instructions, are first routed to the filtering server for filtering, and are delivered to the corresponding host in the cloud system only after the filtering server confirms that the data or instructions are unproblematic. Under this architecture, however, once the filtering server fails, every host in the cloud system is cut off from the outside, so none of the hosts can be accessed.
In addition, because every packet in the cloud system must first pass through the filtering server, the network traffic of the entire cloud system is concentrated on that server. This places a heavy burden on the whole cloud system and can easily affect its operation.
Summary of the invention
The main purpose of the present invention is to provide a cloud system with an attack protection mechanism and a protection method thereof which, when a host is attacked, generate a new security rule and redeploy the attacked host so as to eliminate the attack the host has suffered.
To achieve the above purpose, the present invention provides a cloud system with an attack protection mechanism, comprising:
a host, on which a sensing program is installed to monitor various data of the host, the host triggering an event when any item of the data exceeds a threshold value;
a monitoring server, connected to the host, which judges from the event whether the host is under attack and issues a warning message when it determines that the host is under attack; and
a security center server, connected to the monitoring server and the host, which receives the warning message from the monitoring server;
wherein the security center server analyzes the warning message, generates an updated security rule, and redeploys the host with the updated security rule.
The present invention also provides an attack protection method for a cloud system, wherein the cloud system comprises a host, a monitoring server connected to the host, and a security center server connected to the host and the monitoring server, the attack protection method comprising:
a) the host monitors various data through a sensing program;
b) an event is triggered when any item of the data exceeds a threshold value;
c) the monitoring server judges from the event whether the host is under attack;
d) when the monitoring server determines that the host is under attack, it generates a warning message and notifies the security center server;
e) the security center server receives the warning message from the monitoring server, analyzes from it what kind of attack the host has suffered, and generates an updated security rule according to the analysis result; and
f) the security center server redeploys the host according to the updated security rule.
The present invention also provides a cloud system with an attack protection mechanism, comprising:
a host, on which a sensing program is installed to monitor various data of the host, and inside which a local security rule runs to protect the host and to set a threshold value, the host triggering an event when any item of the data exceeds the threshold value;
a monitoring server, connected to the host, which judges from the event whether the host is under attack and issues a warning message when it determines that the host is under attack;
a security center server, connected to the monitoring server and the host, which receives the warning message from the monitoring server, analyzes from it what kind of attack the host has suffered, and generates an updated security rule according to the analysis result; and
a knowledge base, connected to the security center server, which stores the updated security rule generated by the security center server;
wherein the security center server redeploys the host with the updated security rule, so as to update the local security rule running inside the host.
Compared with the prior art, the effect achieved by the present invention is that when the host, while monitoring its own data, finds signs of an attack, it can notify the security center server via the monitoring server. The security center server can then analyze what kind of attack the host may have suffered, generate a new security rule aimed at eliminating that attack, and redeploy the host with the new security rule. Because the new security rule is created in response to the attack, once the host has been redeployed with it the attack can be effectively eliminated and the host is protected against it. This helps improve the security of the whole cloud system.
Description of the drawings
FIG. 1 is a system architecture diagram of a preferred embodiment of the present invention.
FIG. 2 is a schematic diagram of a cabinet in a cloud machine room according to a preferred embodiment of the present invention.
FIG. 3 is a system block diagram of a preferred embodiment of the present invention.
FIG. 4 is a deployment flowchart of a preferred embodiment of the present invention.
FIG. 5 is a security rule update flowchart of a preferred embodiment of the present invention.
FIG. 6 is an attack notification flowchart of a preferred embodiment of the present invention.
FIG. 7 is an attack protection flowchart of a preferred embodiment of the present invention.
FIG. 8 is a system block diagram of another preferred embodiment of the present invention.
FIG. 9 is a protection sequence flowchart of a preferred embodiment of the present invention.
The reference signs are as follows:
1 … monitoring server
10 … notification rule
2, 2' … security center server
20 … attack analysis algorithm
3 … knowledge base
30 … updated security rule
4 … host
40 … sensing program
400 … local security rule
41 … computing endpoint host
42 … storage endpoint host
43 … network switch
5 … cabinet
S10~S16 … steps
S20~S24 … steps
S30~S42 … steps
S50~S58 … steps
S60~S80 … steps
Detailed description
A preferred embodiment of the present invention is described in detail below with reference to the drawings.
Please refer first to FIG. 1, a system architecture diagram of a preferred embodiment of the present invention. The present invention discloses a cloud system with an attack protection mechanism. As shown in the figure, the cloud system mainly comprises a monitoring server 1 (management server), a security center server 2 (security center), a knowledge base 3 (knowledge base) and at least one host 4 (node). In this embodiment, the hosts 4 may be physical machines (PM) of various kinds, such as a physical computing endpoint host 41 (computing node), a storage endpoint host 42 (storage node) or a network switch 43 (switch), or virtual machines (VM) of various kinds, such as a virtual endpoint host (virtual node) or a virtual switch (virtual switch), without limitation. For convenience, the description below uses a single host 4 as an example, but the number of hosts 4 is not limited to one.
The host 4 mainly plays its corresponding role in the cloud system to provide services to clients. The monitoring server 1 is connected to the host 4 to monitor its operating status. When an abnormality occurs on the host 4, the host reports it to the monitoring server 1, which judges whether the abnormality was caused by an attack on the host 4.
The attacks referred to in this embodiment are mainly attacks by viruses or hackers. Such attacks typically cause, for example, a sudden rise in the outbound throughput of the host 4, or an abnormal access rate because an internal file has been implanted with a Trojan horse. Once such a condition is reported to the monitoring server 1, the monitoring server 1 can determine that the host 4 has indeed been attacked.
Once the monitoring server 1 considers that the host 4 has been attacked, it notifies the security center server 2 by way of an event, based on the information monitored at the time, and the security center server 2 evaluates, analyzes and handles the event. The security center server 2 is the information security core of the whole cloud system. When it receives the event notification from the monitoring server 1, it can use the accompanying data to evaluate and analyze, by means of an algorithm, which kind of attack the host 4 has suffered. The security center server 2 can then generate a solution immediately from the analysis result and re-deploy information security rules to the attacked host 4 (re-deployment), so that after the re-deployment the host 4 eliminates the attack it originally suffered by means of the new information security rules.
It is worth mentioning that after every analysis the security center server 2 stores both the analysis result and the solution generated from it in the knowledge base 3. As a result, when a new host is started in the cloud system, it can be deployed directly with the latest information security rules, so that the new host can defend against attacks that other hosts have previously suffered.
Please refer next to FIG. 2, a schematic diagram of a cabinet in a cloud machine room according to a preferred embodiment of the present invention. In this embodiment, the monitoring server 1, the security center server 2, the knowledge base 3 and the host 4 of the cloud system can all be placed in the same cabinet 5 of the cloud machine room and connected to one another by the physical cables of a network switch (not shown) in the cabinet 5. This embodiment takes a single cabinet 5 in the cloud machine room as an example; in other embodiments, the monitoring server 1, the security center server 2, the knowledge base 3 and the host 4 may also be placed in different cabinets of the same cloud machine room and connected to one another over a network. The above is only a preferred embodiment of the present invention, however, and the invention is not limited to it.
Refer to FIG. 3, a system block diagram of a preferred embodiment of the present invention. After the host 4 starts, it accepts a deployment action (deployment) from the monitoring server 1, by which a sensing program 40 and a local security rule 400 are installed on the host 4. The host 4 runs the local security rule 400 for security protection, and the rule sets a corresponding threshold value for each item of data of the host 4. It is worth mentioning that the local security rule 400 that the monitoring server 1 deploys to the host 4 may mainly be a firewall rule, so that the host 4 can defend against the various malicious attacks that may occur, but it is not limited to this.
The host 4 further monitors itself through the sensing program 40, watching its various data, such as outbound throughput, CPU usage, hard disk capacity, temperature, file access rate and so on. When the sensing program 40 finds that any item of data exceeds the threshold value set by the local security rule 400, an event is triggered and reported to the monitoring server 1.
More specifically, the sensing program 40 is deployed by the monitoring server 1 and installed on the host 4, so the host 4 reports to the monitoring server 1 mainly through the sensing program 40. When the event is triggered, the host 4 can generate event-related data (that is, data related to the item that exceeded the threshold value) and report the event-related data to the monitoring server 1 at the same time.
When the event is triggered, the monitoring server 1 can judge from the event whether the host 4 has been attacked or whether the data is merely unstable because of some other problem. More specifically, the monitoring server 1 can run a notification rule 10 internally and use it to analyze the event-related data it receives, thereby judging whether the host 4 is indeed under attack.
If the event was caused by other factors, the monitoring server 1 performs the corresponding action. If it judges that the host 4 is indeed under attack, the monitoring server 1 generates a warning message from the event-related data and notifies the security center server 2 by way of an event. More specifically, after the analysis the monitoring server 1 judges whether the notification standard defined by the notification rule 10 is met and, if it is, sends the warning message to notify the security center server 2; the warning message contains the event-related data.
After the security center server 2 receives the notification from the monitoring server 1 (that is, receives the warning message), it evaluates the event to analyze what kind of attack the host 4 has suffered, generates an updated security rule 30 according to the analysis result, and stores it in the knowledge base 3. More specifically, the security center server 2 can run an attack analysis algorithm 20 internally. It analyzes the event-related data mainly through the attack analysis algorithm 20, derives the attack pattern the host 4 has suffered, and develops a corresponding solution, from which the updated security rule 30 is generated.
Finally, the security center server 2 redeploys the attacked host 4 according to the updated security rule 30, thereby updating the local security rule 400 inside the host 4 to a new version. The technical feature of the present invention is that the updated security rule 30 is generated specifically for the attack the host 4 has suffered, so once the host 4 has deployed the updated security rule 30 the attack can easily be eliminated, which is of considerable benefit to administrators. It is worth mentioning that the updated security rule 30 may mainly be a firewall rule, used to let the host 4 defend against the various attacks that may occur, but it is not limited to this.
For example, when the attack comes from outside, the security center server 2 can calculate the source of the attack (source address) from the event-related data and block access from that source in the updated security rule 30. As another example, if the attack comes from inside, the security center server 2 can calculate from the event-related data which program or file is launching the attack and isolate that program or file in the updated security rule 30, so that it cannot disturb other programs or files on the host 4, and then delete it when the host 4 is idle. The above is only a preferred example of the present invention, however; the security center server 2 can produce different analysis results for different kinds of attack and so generate different updated security rules 30, and the invention is not limited to these examples.
Furthermore, in addition to the attacked host 4, the security center server 2 can also redeploy all hosts in the cloud system according to the updated security rule 30, thereby preventing the other hosts in the cloud system from suffering the same attack and achieving an effective protection mechanism.
Please refer next to FIG. 4 and FIG. 5 together, which are respectively the deployment flowchart and the security rule update flowchart of a preferred embodiment of the invention. Referring first to FIG. 4, to build the cloud system of the present invention the administrator must first power on the host 4 (step S10). More specifically, if the host 4 is a physical machine, the administrator can power it on by Wake-on-LAN (wake on lan) or by pressing the physical power button (not shown) on the host 4; if the host 4 is a virtual machine, the administrator can create it through the standard virtual machine creation procedure.
The monitoring server 1 then learns of the existence of the host 4 and deploys the corresponding sensing program 40 to it (step S12), so that the sensing program 40 performs self-monitoring for the host 4. The monitoring server 1 also deploys the required local security rule 400 to the host 4 (step S14), so that the host 4 runs the local security rule 400 for security protection (step S16) and sets the threshold value of each item of its data according to the local security rule 400. After step S16, the host 4 formally takes on its corresponding role in the cloud system of the present invention.
Next, as shown in FIG. 5, once the local security rule 400 has been deployed to the host 4, the host 4 can query the security center server 2 on the basis of the local security rule 400 (step S20), and the security center server 2 checks whether an updated security rule 30 has been generated (step S22). More specifically, the host 4 may query the security center server 2 by means of MD5 or a hash table, to confirm whether the version of the local security rule 400 is older or newer than the version of the security rule in the knowledge base 3.
If the security center server 2 finds after the check that no updated security rule 30 has been generated, the local security rule 400 is the latest version of the security rule, so neither the host 4 nor the security center server 2 takes any action. If the security center server 2 finds that the knowledge base 3 holds an updated security rule 30, it redeploys the host 4 with the updated security rule 30 (step S24). This updates the version of the local security rule 400 on the host 4, so that the host 4 runs in the best protection state.
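The version query of steps S20 to S24 can be sketched as follows. This is an added example, not code from the patent: the names `rules_digest`, `KnowledgeBase` and `sync_host` and the rule fields are hypothetical, SHA-256 is swapped in for the MD5 the text mentions, and the digest-to-version table is one reading of the "hash table" wording. Rule order is kept in the digest because firewall rules are order-sensitive.

```python
import hashlib
import json


def rules_digest(rules):
    """Digest of a rule set in canonical form.

    Keys inside each rule are sorted, so two encodings of the same rule hash
    alike; the order of the rules is preserved because it changes behaviour.
    """
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class KnowledgeBase:
    """Stand-in for knowledge base 3: every published rule set plus a
    digest -> version table that the security center consults."""

    def __init__(self, initial_rules):
        self.versions = []
        self.version_by_digest = {}
        self.publish(initial_rules)

    def publish(self, rules):
        """Store a new rule set (updated security rule 30) as the latest version."""
        self.versions.append([dict(rule) for rule in rules])
        digest = rules_digest(rules)
        self.version_by_digest[digest] = len(self.versions) - 1
        return digest

    def check(self, host_digest):
        """Step S22: compare the host's digest with the latest version.

        Returns ("current", None) when nothing needs to be done, otherwise
        ("outdated" | "unknown", latest_rules). "unknown" means the digest
        matches no version ever published, for example because the local
        rules were changed outside the deployment path.
        """
        latest = len(self.versions) - 1
        known = self.version_by_digest.get(host_digest)
        if known == latest:
            return ("current", None)
        status = "outdated" if known is not None else "unknown"
        return (status, [dict(rule) for rule in self.versions[latest]])


def sync_host(local_rules, knowledge_base):
    """Steps S20 and S24 from the host's side: query, then accept redeployment."""
    status, latest_rules = knowledge_base.check(rules_digest(local_rules))
    if latest_rules is None:
        return status, local_rules
    return status, latest_rules


if __name__ == "__main__":
    # Constructed sample rules.
    block = {"action": "block_source", "target": "203.0.113.7"}
    quarantine = {"action": "quarantine", "target": "/tmp/updater.bin"}
    kb = KnowledgeBase([block])
    kb.publish([block, quarantine])
    print(sync_host([block], kb))
```

A digest only tells the two sides whether their rule sets differ; the redeployment channel itself still has to be authenticated.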
Please refer next to FIG. 6, an attack notification flowchart of a preferred embodiment of the present invention. First, the host 4 monitors itself through its internal sensing program 40 (step S30), obtaining its own data, such as throughput, CPU usage, hard disk rotation speed, hard disk capacity, temperature, humidity, and the access rate of each program or file. It then periodically judges whether any item of data exceeds the threshold value set by the local security rule 400 (step S32). If all the data are normal and nothing exceeds the threshold value, the host 4 takes no action and continues to monitor itself through the sensing program 40.
When any item of data exceeds the threshold value, the host 4 triggers an event and automatically reports to the monitoring server 1 (step S34). More specifically, when the event is triggered the host 4 can at the same time report the event-related data (that is, data related to the item that exceeded the threshold value) to the monitoring server 1, so that the monitoring server 1 can carry out a detailed analysis.
After the event is triggered, the monitoring server 1 receives the event-related data reported by the host 4 (step S36) and analyzes it according to the notification rule 10 running internally (step S38), thereby judging whether the host 4 has indeed been attacked (step S40). If the monitoring server 1 finds after the analysis that the notification standard defined by the notification rule 10 is not met, the host 4 has not been attacked and the data is unstable because of other factors. In that case the monitoring server 1 performs the corresponding action (for example, recording the data or notifying an administrator) but does not notify the security center server 2.
If, however, the monitoring server 1 finds after the analysis that the host 4 has indeed been attacked, it notifies the security center server 2 with the warning message (step S42). More specifically, the monitoring server 1 generates the warning message mainly from the event-related data to notify the security center server 2, so that the security center server 2 can use the event-related data to analyze the attack pattern in detail.
Please refer next to FIG. 7, an attack protection flowchart of a preferred embodiment of the present invention. When the host 4 is suspected of being under attack, it reports to the monitoring server 1, and when the monitoring server 1 confirms that the host 4 is indeed under attack, it notifies the security center server 2. The security center server 2 receives the warning message from the monitoring server 1 (step S50) and analyzes what kind of attack the host 4 has suffered. More specifically, the security center server 2 analyzes the event-related data through the attack analysis algorithm 20 running internally (step S52), derives the attack pattern, and generates the updated security rule 30 according to the analysis result (step S54). In other words, the updated security rule 30 is the original security rule updated with the solution obtained from the analysis, so adopting the updated security rule 30 can effectively eliminate the attack.
After step S54, the security center server 2 uses the updated security rule 30 to redeploy the attacked host 4 (step S56). As described above, the updated security rule 30 is created in response to the attack, so once the host 4 has deployed it the attack can easily be eliminated and the operation and data of the host 4 return to normal. It is worth mentioning that, besides the attacked host 4, the security center server 2 can also use the updated security rule 30 to redeploy all hosts in the cloud system (step S58). The benefit is that the updated security rule 30 adds protection against the attack, so once all hosts in the cloud system have deployed it, those hosts will not suffer the attack that the host 4 suffered. In other words, it provides effective prevention for the other hosts.
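The flow of FIG. 6 and FIG. 7 (steps S30 to S58), together with the block-the-source and isolate-the-program examples given earlier, can be followed end to end in the sketch below. It is an added example, not code from the patent: the patent does not define the notification standard or the attack analysis algorithm, so the "one origin dominates" criterion, the thresholds, the rule fields, the `NEVER_BLOCK` allowlist and all names and addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Constructed thresholds, standing in for the values local security rule 400 sets.
THRESHOLDS = {"throughput_mbps": 800.0, "cpu_percent": 95.0, "file_access_per_min": 500.0}
# Assumption: management-plane addresses that a generated rule must never block.
NEVER_BLOCK = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}


@dataclass
class Event:
    host: str
    metric: str
    value: float
    samples: list = field(default_factory=list)  # event-related data: (origin, weight)


def sense(host, readings, samples):
    """Sensing program 40 (S30-S34): one event per reading above its threshold."""
    return [Event(host, metric, value, samples.get(metric, []))
            for metric, value in readings.items()
            if metric in THRESHOLDS and value > THRESHOLDS[metric]]


def notification_rule(event, dominance=0.6):
    """Notification rule 10 (S36-S42), hypothetical criterion: escalate only when
    one origin accounts for at least `dominance` of the offending activity."""
    totals = Counter()
    for origin, weight in event.samples:
        totals[origin] += weight
    grand_total = sum(totals.values())
    if grand_total == 0:
        return None
    origin, weight = totals.most_common(1)[0]
    if weight / grand_total < dominance:
        return None  # instability from other causes: no warning is sent
    return {"host": event.host, "metric": event.metric, "origin": origin}


def analyze(warning):
    """Attack analysis algorithm 20 (S52-S54), reduced to the page's two cases."""
    try:
        source = ipaddress.ip_address(warning["origin"])
    except ValueError:
        # Not an address: treat the origin as an internal program or file.
        return {"action": "quarantine", "target": warning["origin"],
                "delete_when_idle": True}
    if source in NEVER_BLOCK:
        return None  # never generate a rule that cuts hosts off from management
    return {"action": "block_source", "target": str(source)}


class SecurityCenter:
    def __init__(self, hosts):
        self.hosts = hosts          # host name -> rule list (local security rule 400)
        self.knowledge_base = [[]]  # knowledge base 3: every rule-set version

    def handle(self, warning):
        """S50-S58: derive a rule, store the new version, redeploy every host."""
        rule = analyze(warning)
        latest = self.knowledge_base[-1]
        if rule is not None and rule not in latest:
            self.knowledge_base.append(latest + [rule])  # updated security rule 30
            for name in self.hosts:
                self.hosts[name] = list(self.knowledge_base[-1])
        return len(self.knowledge_base) - 1


def monitoring_cycle(center, host, readings, samples):
    """Run one cycle for one host; returns the rule-set version afterwards."""
    version = len(center.knowledge_base) - 1
    for event in sense(host, readings, samples):
        warning = notification_rule(event)
        if warning is not None:
            version = center.handle(warning)
    return version


if __name__ == "__main__":
    center = SecurityCenter({"node-a": [], "node-b": []})
    # Constructed sample: one external source dominates a throughput spike on node-a.
    monitoring_cycle(center, "node-a", {"throughput_mbps": 950.0, "cpu_percent": 40.0},
                     {"throughput_mbps": [("203.0.113.7", 900), ("198.51.100.4", 50)]})
    print(center.hosts["node-b"])
```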
With the system and method of the present invention, whenever any host in the cloud system is attacked, the monitoring server 1 notifies the security center server 2 of the attack, and the security center server 2 analyzes it and generates the updated security rule 30 based on the analysis result. As long as all hosts in the cloud system then accept redeployment and run the updated security rule 30, none of the hosts in the cloud system will be affected by the same attack pattern again.
Refer to FIG. 8, a system block diagram of another preferred embodiment of the present invention. In the foregoing embodiments, the knowledge base 3 is mainly exemplified by an independent server in the cloud system that stores the updated security rule 30 and is connected to the security center server 2 through a physical cable or a network. In this embodiment, however, the cloud system can instead provide another security center server 2', which contains an internal storage unit and uses that storage unit as the knowledge base 3 of the cloud system. In this embodiment, the cloud system does not need to provide an additional physical server as the knowledge base 3, so the number of servers can be effectively reduced. The above is only another specific example of the present invention; whether the knowledge base 3 is served by a physically independent server or is integrated with the security center server 2' depends on the actual needs of the cloud system and is not limited to this example.
Refer to FIG. 9, a protection sequence flowchart of a preferred embodiment of the present invention. In the cloud system of the present invention, the monitoring server 1 first deploys the sensing program 40 to all of the hosts 4 (step S60), and the monitoring server 1 then deploys the local security rule 400 to all of the hosts 4 (step S62). Next, the host 4 asks the security center server 2 whether its local security rule 400 is the latest version (step S64). If it is the latest version, the security center server 2 can reply to the host 4 that it is the latest version; if an updated security rule 30 has been generated in the knowledge base 3, the security center server 2 can redeploy the host 4 to upgrade the local security rule 400 to the updated security rule 30 (step S66).
After the host 4 starts, it continuously monitors itself through the sensing program 40 to sense the various data of the host 4 (step S68). When any item of data exceeds the threshold set by the local security rule 400, an event is triggered and reported to the monitoring server 1 (step S70). After receiving the report, the monitoring server 1 first analyzes the event to determine whether the host 4 is under attack (step S72), and when it determines that the host 4 is under attack, it notifies the security center server 2 with the warning message (step S74).
After receiving the warning message, the security center server 2 analyzes the attack pattern, generates the updated security rule 30 according to the analysis result (step S76), and stores the updated security rule 30 in the knowledge base 3 (step S78), thereby upgrading the existing security rule in the knowledge base 3 to the updated security rule 30. Finally, the security center server 2 redeploys the attacked host 4 according to the updated security rule 30 (step S80), which updates the local security rule 400 inside the host 4, so that the updated local security rule 400 can eliminate the attack the host 4 has suffered and the host 4 can resume stable operation. After step S80, the host 4 continues to monitor itself through the sensing program 40 in order to watch for the next possible attack.
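The sequence of FIG. 9 (steps S64 to S80, plus the fleet-wide redeployment of step S58) can be traced in a small simulation; this is an added example, not code from the patent. The rule format (thresholds plus a blocked-source set), the confirmation test in the monitoring server, the countermeasure of blocking the offending source, and all names and sample values are assumptions, since the patent does not specify them.

```python
from dataclasses import dataclass

@dataclass
class Rule:                       # security rule (assumed format)
    version: int
    thresholds: dict
    blocked: frozenset = frozenset()

class KnowledgeBase:              # knowledge base 3: holds the newest rule
    def __init__(self, rule): self.latest = rule

class Host:                       # host 4 with sensing program 40 and local rule 400
    def __init__(self, name, rule): self.name, self.rule = name, rule
    def sync(self, kb):           # S64/S66: upgrade if a newer rule exists
        if kb.latest.version > self.rule.version:
            self.rule = kb.latest
    def sense(self, sample, monitor):
        # S68/S70: apply the local rule, then compare each metric to its threshold
        if sample["src"] in self.rule.blocked:
            return "blocked"
        over = {k: v for k, v in sample["metrics"].items()
                if v > self.rule.thresholds[k]}
        return monitor.report(self, sample, over) if over else "ok"

class SecurityCenter:             # security center server 2
    def __init__(self, kb, hosts): self.kb, self.hosts = kb, hosts
    def on_warning(self, sample):
        old = self.kb.latest      # S76: original rule + derived countermeasure (assumed)
        new = Rule(old.version + 1, old.thresholds, old.blocked | {sample["src"]})
        self.kb.latest = new      # S78: store in the knowledge base
        for h in self.hosts:      # S80 and S58: redeploy attacked host and the others
            h.rule = new
        return new

class MonitoringServer:           # monitoring server 1
    def __init__(self, center): self.center = center
    def report(self, host, sample, over):
        # S72: assumed confirmation test, at least two metrics over threshold
        if len(over) < 2:
            return "event-logged"
        self.center.on_warning(sample)   # S74: warning message
        return "attack-confirmed"

def build():
    """Constructed two-host fleet with constructed thresholds."""
    base = Rule(1, {"conn_per_s": 200, "cpu_pct": 90})
    kb = KnowledgeBase(base)
    hosts = [Host("host-a", base), Host("host-b", base)]
    return hosts, MonitoringServer(SecurityCenter(kb, hosts)), kb
```

A single threshold crossing only produces an event report; the rule version changes only after the monitoring server confirms the attack, and a host that boots later picks up the new rule through `sync`.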
The above are only preferred specific examples of the present invention and do not thereby limit the patent scope of the present invention; all equivalent changes made using the content of the present invention are likewise included within the scope of the present invention, which is hereby stated.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310007908.0A CN103916376A (en) | 2013-01-09 | 2013-01-09 | Cloud system with attack protection mechanism and its protection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310007908.0A CN103916376A (en) | 2013-01-09 | 2013-01-09 | Cloud system with attack protection mechanism and its protection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103916376A true CN103916376A (en) | 2014-07-09 |
Family
ID=51041783
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310007908.0A Pending CN103916376A (en) | 2013-01-09 | 2013-01-09 | Cloud system with attack protection mechanism and its protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103916376A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080244745A1 (en) * | 2001-01-25 | 2008-10-02 | Solutionary, Inc. | Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures |
CN1697404A (en) * | 2005-06-10 | 2005-11-16 | 广东省电信有限公司研究院 | System and method for detecting network worm in interactive mode |
CN101056198A (en) * | 2006-04-10 | 2007-10-17 | 华为技术有限公司 | An information security management platform |
CN101567787A (en) * | 2008-04-25 | 2009-10-28 | 联想(北京)有限公司 | Computer system, computer network and data communication method |
CN102546638A (en) * | 2012-01-12 | 2012-07-04 | 冶金自动化研究设计院 | Scene-based hybrid invasion detection method and system |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104717212A (en) * | 2014-10-21 | 2015-06-17 | 中华电信股份有限公司 | Protection method and system for cloud virtual network security |
CN104717212B (en) * | 2014-10-21 | 2018-05-11 | 中华电信股份有限公司 | Protection method and system for cloud virtual network security |
CN106534174A (en) * | 2016-12-07 | 2017-03-22 | 北京奇虎科技有限公司 | Cloud protection method, apparatus and system of sensitive data |
CN106973058A (en) * | 2017-03-31 | 2017-07-21 | 北京奇艺世纪科技有限公司 | A kind of Web application firewalls rule update method, apparatus and system |
CN109347846A (en) * | 2018-10-30 | 2019-02-15 | 郑州市景安网络科技股份有限公司 | A kind of website clearance method, apparatus, equipment and readable storage medium storing program for executing |
CN109218336A (en) * | 2018-11-16 | 2019-01-15 | 北京知道创宇信息技术有限公司 | Loophole defence method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
ASS | Succession or assignment of patent right | Owner name: HOPE BAY TECHNOLOGIES, INC. Free format text: FORMER OWNER: TAIDA ELECTRONIC INDUSTRY CO. LTD. Effective date: 20150114 |
C41 | Transfer of patent application or patent right or utility model | ||
TA01 | Transfer of patent application right | Effective date of registration: 20150114 Address after: Chau Street China Neihu district of Taipei city Taiwan 48 Building No. 2 Applicant after: HOPE BAY TECHNOLOGIES, INC. Address before: China Taiwan Taoyuan County Applicant before: Delta Optoelectronics Inc. |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140709 |
WD01 | Invention patent application deemed withdrawn after publication |