Security detection method and system of cloud host, electronic equipment and storage medium
By generating backup hosts in cloud servers for security testing, and using a virtualization platform to create image files and trigger testing tools, the resource consumption and latency issues caused by deploying agent intelligence are resolved, achieving efficient and accurate cloud server security testing.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NEW H3C SECURITY TECH CO LTD
- Filing Date
- 2026-04-27
- Publication Date
- 2026-06-16
AI Technical Summary
When deploying agent-based intelligent agents in cloud servers for security detection, existing technologies consume computing and storage resources, affecting the operation of cloud server services and causing delays.
Security testing is performed by generating backup hosts. The backup host image file is created using a virtualization platform, and the testing is conducted based on the trigger information of the testing tool, thus avoiding the deployment of agent intelligent agents on the cloud host to be tested.
It enables security testing of cloud hosts without consuming their resources, avoiding business delays, and improving testing efficiency and accuracy.
Smart Images

Figure CN122226486A_ABST
Abstract
Description
Technical Field
[0001] This disclosure belongs to the field of security testing technology, specifically relating to a security testing method, system, electronic device, and storage medium for cloud hosts. Background Technology
[0002] Cloud server security testing refers to the security testing of virtual hosts within cloud servers. Related technologies employ deploying agent-based intelligent systems on the cloud servers, and then using these agents to perform security testing.
[0003] However, the above-mentioned deployment and operation of agent intelligence requires the use of cloud host computing and storage resources, and may affect the operation of regular business on the cloud host during security testing, resulting in cloud host business delays and other issues. Summary of the Invention
[0004] This disclosure proposes a security detection method, system, electronic device, and storage medium for cloud hosts.
[0005] The first aspect of this disclosure provides a security detection method for cloud hosts, applied to a cloud security detection platform, the method comprising: In response to a security detection request received from a cloud host to be detected, a backup request is sent to the virtualization platform to trigger the virtualization platform to generate a backup host for the cloud host to be detected. The backup host includes at least one of the operating system files, runtime files, port files, and configuration files of the cloud host to be detected. In response to receiving an access address from the backup host of the virtualization platform, trigger information for at least one detection tool is determined; For any detection tool, the detection tool is triggered via the access address based on the triggering information of the detection tool to detect the backup host in order to determine whether the backup host has any security risks.
[0006] In this embodiment of the disclosure, determining the triggering information of at least one detection tool includes: The items to be tested for the cloud host to be tested are determined based on the service type of the cloud host to be tested; Identify at least one detection tool that matches the item to be detected; For any detection tool, the calling mode of the detection tool is determined according to the storage location of the detection tool. The calling mode is either local calling or remote calling.
[0007] In this embodiment of the disclosure, determining the invocation mode of the detection tool based on its storage location includes: If the detection tool is located on the cloud security detection platform, then the calling mode is determined to be a local call; If the detection tool is not located on the cloud security detection platform, then the invocation mode is determined to be a remote invocation.
[0008] In this embodiment of the disclosure, triggering the detection tool to detect the backup host based on the triggering information of the detection tool via the access address includes: If the calling mode of the detection tool is local calling, the detection tool is called via the calling port contained in the triggering information, so that the detection tool can detect the files corresponding to the backup host through the access address; If the calling mode of the detection tool is remote calling, a first trigger message is sent to the server hosting the detection tool to trigger the server to call the detection tool to detect the file corresponding to the backup host through the access address; and the detection result of the detection tool is received.
[0009] In this embodiment of the disclosure, triggering the detection tool to detect the backup host based on the triggering information of the detection tool via the access address includes: If the detection tool is a static detection tool, then the static detection tool is invoked based on the calling port contained in the trigger information, and a network probe packet is sent to the backup host with the access address as the scanning target; the network probe packet is used to scan the backup host for at least one of the following: open network ports, service type identification, and vulnerability scanning. If the detection tool is a dynamic detection tool, a second trigger message is sent to the virtualization platform to trigger the virtualization platform to deploy the dynamic detection tool indicated by the second trigger message in the backup host, and to run the deployed dynamic detection tool to detect the backup host.
[0010] In this embodiment of the disclosure, the static detection tool includes at least one of a vulnerability scanning detection tool, a port scanning tool, and a service type identification tool for accessing ports of the backup host; The dynamic detection tools include virus detection tools for detecting viruses and baseline verification detection tools for detecting configuration files.
[0011] In this embodiment of the disclosure, the method further includes: After receiving the security test results, an instruction to delete the backup host is sent to the virtualization platform.
[0012] An embodiment of the second aspect of this disclosure provides a security detection method for a cloud host, applied to a virtualization platform, the method comprising: In response to receiving a backup request from the cloud security detection platform, obtain the image file of the cloud host to be detected corresponding to the backup request; After starting the image file and obtaining the backup host, the access address of the backup host is sent to the cloud security detection platform. The system responds to the detection operation of the cloud security detection platform. The detection operation is triggered by the cloud security detection platform based on the access address, which determines the trigger information of at least one detection tool. For any detection tool, the system triggers the detection tool to detect the backup host based on the trigger information of the detection tool via the access address.
[0013] In this embodiment of the disclosure, responding to the detection operation of the cloud security detection platform includes: If the detection tool is a static detection tool, the detection operation refers to calling the static detection tool based on the calling port contained in the trigger information, and sending a network probe packet to the backup host with the access address as the scanning target; the network probe packet is used to scan the backup host for open network ports, identify service types, and perform vulnerability scanning at least one of the following: If the detection tool is a dynamic detection tool, the detection operation refers to sending a second trigger message to the virtualization platform to trigger the virtualization platform to deploy the dynamic detection tool indicated by the second trigger message in the backup host, and to run the deployed dynamic detection tool to detect the backup host.
[0014] An embodiment of the third aspect of this disclosure provides a security detection system for cloud hosts, the system comprising a cloud security detection platform and a virtualization platform. The cloud security detection platform is used to send a backup request to the virtualization platform in response to a security detection request received from the cloud host to be detected, so as to trigger the virtualization platform to generate a backup host for the cloud host to be detected. The backup host includes at least one of the operating system files, runtime files, port files and configuration files of the cloud host to be detected. The virtualization platform is used to respond to a backup request sent by the cloud security detection platform, obtain the image file of the cloud host to be detected corresponding to the backup request; start the image file, obtain the backup host, and then send the access address of the backup host to the cloud security detection platform. The cloud security detection platform is also configured to, in response to receiving an access address from the backup host of the virtualization platform, determine trigger information for at least one detection tool; for any detection tool, trigger the detection tool to detect the backup host via the access address based on the trigger information of the detection tool, so as to determine whether the backup host has any security risks.
[0015] An embodiment of the fourth aspect of this disclosure provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the methods described in the first aspect, any optional embodiment of the first aspect, the second aspect, or any optional embodiment of the second aspect.
[0016] An embodiment of the fifth aspect of this disclosure provides a computer-readable storage medium having a computer program stored thereon, the program being executed by a processor to implement the methods described in the first aspect, any optional embodiment of the first aspect, the second aspect, or any optional embodiment of the second aspect.
[0017] The technical solutions provided in this disclosure have at least the following technical effects or advantages: In response to a security detection request received from the cloud host to be tested, this embodiment sends a backup request to the virtualization platform to trigger the virtualization platform to generate a backup host for the cloud host to be tested. The backup host includes at least one of the operating system files, runtime files, port files, and configuration files of the cloud host to be tested. Therefore, security detection of the backup host can achieve a one-to-one detection of the cloud host to be tested. Furthermore, in response to receiving the access address of the backup host from the virtualization platform, trigger information for at least one detection tool is determined. For any detection tool, the detection tool is triggered via the access address based on the trigger information of the detection tool to detect the backup host, thereby determining whether the backup host has any security risks. This avoids deploying and running agent intelligence on the cloud host to be tested, reduces the resource consumption of the cloud host to be tested, and thus prevents the cloud host to be tested from experiencing service delays due to security detection.
[0018] Additional aspects and advantages of this disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of this disclosure. Attached Figure Description
[0019] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the scope of this disclosure. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings: Figure 1 This diagram illustrates the structure of a security detection system for a cloud host provided in one embodiment of the present disclosure. Figure 2 A flowchart of a security detection method for cloud hosts provided in an embodiment of this disclosure is shown; Figure 3A flowchart of a security detection method for a cloud host provided in yet another embodiment of this disclosure is shown; Figure 4 This diagram illustrates the structure of a security detection device for a cloud host provided in an embodiment of the present disclosure. Figure 5 A schematic diagram of the structure of a security detection device for a cloud host provided in another embodiment of this disclosure is shown; Figure 6 A schematic diagram of the structure of an electronic device provided in an embodiment of the present disclosure is shown; Figure 7 A schematic diagram of a storage medium provided according to an embodiment of the present disclosure is shown. Detailed Implementation
[0020] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[0021] It should be noted that, unless otherwise stated, the technical or scientific terms used in this disclosure shall have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure pertains.
[0022] The following describes the implementation scenarios and related technologies involved in the embodiments of this disclosure.
[0023] With the development of computer networks, cloud servers are being used in all aspects of work and life. To ensure the secure application of cloud servers, related technologies typically require the deployment of agent-based intelligent systems on the cloud servers to perform regular security checks.
[0024] However, deploying agent intelligence on cloud servers requires regular maintenance of the feature library of relevant detection tools. This feature library consumes a significant amount of storage resources on the cloud server. Furthermore, when the agent intelligence is running on the cloud server for security detection, it also consumes some of the computing and network resources of the cloud server's services, which may lead to delays in cloud server services.
[0025] In view of the above, this disclosure provides a security detection method, system, electronic device, and storage medium for cloud hosts. The technical solutions of this disclosure are described in detail below with reference to specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. The embodiments of this disclosure will now be described with reference to the accompanying drawings.
[0026] See Figure 1 , Figure 1 An exemplary system architecture diagram of the cloud host security detection system provided in this disclosure is shown. The cloud host security detection system provided in this disclosure includes a cloud security detection platform 10 and a virtualization platform 11, which communicate with each other via a network.
[0027] like Figure 1 As shown, after receiving a security detection request, the cloud security detection platform 10 sends a backup request to the virtualization platform based on the security detection request. This backup request may include information such as the identifier of the cloud host to be detected to identify the host. This allows the virtualization platform 11 to determine the cloud host to be detected based on the identifier information and establish a backup host for the cloud host to be detected. After the virtualization platform 11 establishes the backup host, it can send the access address of the backup host back to the security detection platform 10, so that the security detection platform 10 can perform security detection on the backup host based on the access address.
[0028] Specifically, the cloud security detection platform 10 is used to send a backup request to the virtualization platform in response to the security detection request of the cloud host to be detected, so as to trigger the virtualization platform to generate a backup host of the cloud host to be detected. The backup host includes at least one of the operating system files, runtime files, port files and configuration files of the cloud host to be detected.
[0029] The virtualization platform 11 is used to respond to the backup request sent by the cloud security detection platform, obtain the image file of the cloud host to be detected corresponding to the backup request; start the image file, obtain the backup host, and then send the access address of the backup host to the cloud security detection platform.
[0030] The cloud security detection platform 10 is also used to respond to receiving the access address of the backup host from the virtualization platform, determine the trigger information of at least one detection tool; for any detection tool, the detection tool is triggered to detect the backup host based on the trigger information of the detection tool via the access address, so as to determine whether there is a security risk on the backup host.
[0031] In some embodiments, the security detection platform 10 and the virtualization platform 11 can be located on the same server or on different servers. When establishing a backup host, the backup host can be created in a different storage area than the cloud host to be detected, thereby avoiding the backup host from preempting the resources of the host to be detected. Typically, a dedicated storage area can be set up in the virtualization platform to establish and run the backup host for security detection of the host to be detected.
[0032] In some embodiments, the detection tools used for security detection of backup hosts can be deployed on servers that are the same as or different from the security platform 10 and the virtualization platform 11. Typically, only one signature database needs to be maintained for the same type of detection tool; it is not feasible to set up a detection tool and maintain a corresponding signature database for each backup host. If there are multiple backup hosts corresponding to cloud hosts to be detected, then only the corresponding detection tool needs to be called to detect the respective backup hosts. Maintaining only one set of detection tools avoids the resource waste caused by maintaining a separate set of detection tools for each cloud host to be detected.
[0033] It is understood that the structure of the examples in this disclosure does not constitute a specific limitation on the security detection system for cloud hosts. In other embodiments of this disclosure, the security detection system for cloud hosts may include more than Figure 1 The number of devices shown is not limited herein. The algorithms and networks included in the above system are illustrative examples of this disclosure and do not constitute a limitation on the modules of the system in the embodiments of this disclosure. The algorithms included in the system in the embodiments of this disclosure can be flexibly deployed by those skilled in the art according to actual conditions. No limitations are imposed here.
[0034] The following is combined Figure 1 The illustrated embodiments are used to describe a security detection method for a cloud host according to embodiments of this disclosure. For example... Figure 2 As shown in the embodiments of this disclosure, a security detection method for cloud hosts is provided. This method can be applied to a security detection platform, and the method includes: In step S21, in response to receiving a security detection request from the cloud host to be detected, a backup request is sent to the virtualization platform to trigger the virtualization platform to generate a backup host for the cloud host to be detected.
[0035] The backup host includes at least one of the following: the operating system files, runtime files, port files, and configuration files of the cloud host to be tested.
[0036] For example, a security detection request can be generated by a user logging into the cloud host to be tested through a client device, which can be a hardware device such as a computer, mobile phone, or tablet. For instance, a user can select a security detection service for the cloud host requiring security detection on the cloud security detection platform's interface to generate the corresponding security detection request.
[0037] The security detection request may include the identification information of the cloud host to be detected, so as to generate a backup request for the cloud host to be detected based on the identification information. This backup request is then sent to the virtualization platform or its publicly available API (Application Programming Interface) for creating snapshots is invoked. Based on this backup request, the virtualization platform can obtain a snapshot file of the cloud host to be detected at the corresponding moment. This snapshot file is a bootable image file, which, once booted, serves as a backup host for the cloud host to be detected.
[0038] The virtualization platform can invoke the snapshot management module to locate the cloud host to be tested and immediately create a snapshot for it. This snapshot replicates the complete state of the cloud host at the moment of creation, forming a backup host. The documentation clearly states that this backup includes the host's disk data (i.e., operating system files, application runtime files, user data, etc.) and memory state. Generating a backup host physically achieves a time-slice replication of the production host, providing subsequent scanning operations with a detection target that is completely identical to but completely isolated from the actual host. This ensures detection accuracy while achieving non-intrusiveness and zero impact.
[0039] After successfully creating a backup host, the virtualization platform will return a success response to the cloud security detection platform that initiated the request. This response may include information such as the unique identifier of the newly created snapshot and its storage path.
[0040] In step S22, in response to receiving the access address of the backup host from the virtualization platform, trigger information for at least one detection tool is determined.
[0041] For example, the access address can be the IP address (Internet Protocol Address) of the backup host; the detection tool can be a security detection scanning component managed by the security detection platform, which may include vulnerability scanning components, endpoint antivirus components, and baseline verification components; the trigger information refers to the initiation of a specific security scan task, and the security detection platform needs to provide the corresponding security detection scanning component with the corresponding instructions and calling parameters.
[0042] Upon receiving the snapshot creation success response from the virtualization platform, the cloud security detection platform does not immediately obtain a directly scannable access address. It first needs to call another API of the virtualization platform to request that the backup host (snapshot) created in the previous step be mounted as a temporary, independent virtual machine instance and started. This temporary virtual machine is started in an isolated security domain that is interconnected with the networks of various detection tools. After completing the startup operation, the virtualization platform assigns an IP address (access address) to this temporary virtual machine and returns this address to the cloud security management platform via an API response. Dynamically transforming the static snapshot file into an interactive, network-accessible, real-time running environment provides the necessary conditions for all subsequent scanning methods that require proactive probing and login checks.
[0043] After receiving a response containing the access address, the cloud security management platform will bind it to the current security detection request task to form a complete scan task. This scan task may include the access address to be scanned, the user information that initiated the scan, the corresponding cloud host identifier to be detected, and the scan permissions that the user may have pre-configured.
[0044] The cloud security management platform retrieves the relevant trigger information for each detection tool in the scanning task from the pre-set mapping table related to each detection tool, and then triggers the corresponding detection tool to detect the backup host based on the trigger information.
[0045] In some embodiments, determining trigger information for at least one detection tool includes: determining the items to be detected for the cloud host to be detected based on the service type of the cloud host to be detected; determining at least one detection tool that matches the items to be detected; and for any detection tool, determining the calling mode of the detection tool according to the storage location of the detection tool, wherein the calling mode is a local call or a remote call.
[0046] For example, the business type refers to the category of applications or services hosted on the cloud host to be tested. For instance, the cloud host under test might be used to run a web server, database, mail server, or general-purpose application server. Different business types face different security threats and compliance requirements; the items to be tested refer to the specific content or set of objects that need to be security checked, derived from the host's business type. Examples include specific open service ports, running critical software and their versions, and related configuration files.
[0047] The invocation mode refers to the specific method by which the cloud security management platform executes the functions of the detection tool. Local invocation means that the functional modules of the detection tool, in the form of library files, plugins, or service processes, are deployed on the same physical / virtual server or within the same tightly integrated software stack as the cloud security management platform. The platform directly uses its capabilities through inter-process communication, local function calls, or local APIs. Remote invocation means that the detection tool is deployed as an independent device or service on a network node outside the cloud security management platform. The platform needs to send commands to the device's preset invocation port via network protocols (usually HTTP / HTTPS APIs) to trigger its operation.
[0048] After the cloud security detection platform receives a scanning task, it determines the business type of the cloud host to be detected. This can be done through user-specified content, the host's tag information, or proactive probing. Once the business type is determined, the corresponding security detection strategy is established based on the mapping relationship between the business type and the security detection strategy. This strategy includes the ports and software to be detected. This achieves refined scanning based on business type, improving scanning efficiency and the usability of the scan results compared to a full scan.
[0049] After identifying the items to be tested, each item is matched with a testing tool that the current cloud security testing platform can schedule, thus assigning a corresponding testing tool to each item. Following the determination of the testing tools, the invocation mode for each tool needs to be further determined. This invocation mode is based on the storage location of the testing tool; the cloud security testing platform records the deployment information of each testing tool. If the testing tool is located on the cloud security testing platform, the invocation mode is determined to be local; if the testing tool is not located on the cloud security testing platform, the invocation mode is determined to be remote.
[0050] For example, if the core engine or scanning component of a detection tool is deployed within the same system environment as the cloud security detection platform, its storage location is local storage. For detection tools with local storage, a direct call command can be sent to the detection tool via an API call, allowing the tool to access the files corresponding to the backup host. If the detection tool is a standalone hardware device or a software service deployed on a separate server from the security detection platform, its storage location is remote storage. For detection tools with remote storage, a command needs to be sent to the server where the detection tool resides to remotely invoke the tool to detect the backup host. Different storage locations enable different forms of the cloud security detection platform, allowing both local and remote detection tools to be invoked, thus improving the compatibility and scalability of security detection to a certain extent.
[0051] In some embodiments, the detection tool for remote storage may also be deployed on the same virtualization platform as the backup host. This application does not limit the storage location of the detection tool, and those skilled in the art can set it according to the actual situation.
[0052] In practical applications, if the calling mode of the detection tool is local calling, the detection tool is called via the calling port contained in the triggering information, so that the detection tool can detect the file corresponding to the backup host through the access address; if the calling mode of the detection tool is remote calling, a first triggering information is sent to the server hosting the detection tool, so that the server can call the detection tool to detect the file corresponding to the backup host through the access address; and the detection result of the detection tool is received.
[0053] For example, the calling port is the network port provided to the outside world by the corresponding scanning component. The security detection platform can send commands through the calling port to control the scanning component to perform security scanning and other tasks. The first triggering information is an instruction sent to the server hosting the detection tool. This instruction is used to instruct the server to call the detection tool so that the detection tool can detect the files on the backup host through the access address. It should be noted that the first triggering information does not contain direct calling information of the detection tool, but only an instruction to the server. The calling information of the detection tool can be generated by the server.
[0054] For the local call mode, the cloud security detection platform can access the call port of the detection tool through the communication mechanism between local processes to invoke the detection tool. Local calls can achieve high-performance and low-latency detection tool invocation, improving the efficiency of security detection.
[0055] For detection tools in local call mode, the detection tool can be directly invoked to detect the backup host.
[0056] For detection tools using remote call mode, the cloud security detection platform generates initial trigger information, typically an HTTP / HTTPS request. This request explicitly specifies the access address of the backup host to be detected and the relevant detection policies. This request is sent to the server hosting the detection tool via the network. Upon receiving the initial trigger information, the server generates its own detection tool call information based on the access address and relevant detection policies. The detection tool then accesses the backup host according to this call information and the corresponding detection policies. This achieves a certain degree of cross-system distributed calling, enabling the cloud security management platform to flexibly schedule professional security devices deployed anywhere in the network and fully utilize their computing resources. After receiving a valid instruction, the detection tool actively initiates a connection using the backup host's access address as the target. Depending on the detection tool type, it performs operations such as port scanning, vulnerability verification, virus signature matching, and configuration compliance comparison. For local calls, the cloud security management platform receives return data from the local process synchronously or asynchronously; for remote calls, the cloud security management platform listens to callback interfaces or actively polls the task status to obtain detection results.
[0057] In step S23, for any detection tool, the detection tool is triggered via the access address based on the trigger information of the detection tool to detect the backup host in order to determine whether there is a security risk on the backup host.
[0058] For example, security risks refer to potential problems identified through security checks on backup hosts that could be exploited by threats, leading to asset loss, service interruption, or data leakage. Examples include open sensitive ports, software versions with known vulnerabilities, system configurations that do not meet security baselines, and implanted viruses or malware.
[0059] Upon receiving the trigger information from the cloud security management platform, the detection tool first parses the information to extract the access address of the backup host and the optional scanning policy identifier. Using this access address as the sole target for this scan, it attempts to establish a preliminary network connection to confirm that the target host is accessible and active. After confirming the target's reachability, the detection tool initiates a security detection process based on its own type and the policy possibly specified in the trigger information. This process can be parallel or executed in a specific order to identify security risks from different dimensions.
[0060] In some embodiments, some detection tools can perform detection without starting the backup host or without installing related applications on the backup host, such as port scanning detection tools; other detection tools require starting the backup host or installing related applications on the backup host to perform detection, such as baseline verification detection tools. This application refers to the first type as a static detection tool and the second type as a dynamic detection tool. If the detection tool is a static detection tool, it is invoked based on the calling port contained in the trigger information, and a network probe packet is sent to the backup host with the access address as the scanning target; the network probe packet is used to scan the backup host for open network ports, identify service types, and perform vulnerability scanning at least one of the following: If the detection tool is a dynamic detection tool, a second trigger information is sent to the virtualization platform to trigger the virtualization platform to deploy the dynamic detection tool indicated by the second trigger information on the backup host, and run the deployed dynamic detection tool to detect the backup host.
[0061] The second triggering information is an instruction from the virtualization platform to deploy dynamic detection tools on the backup host. Typically, the second triggering information includes the dynamic detection identifier and the backup host identifier, enabling the virtualization platform to deploy the corresponding dynamic detection tools on the backup host based on this information. Static detection tools include at least one of the following: vulnerability scanning tools for accessing ports on the backup host, port scanning tools, and service type identification tools. Dynamic detection tools include virus detection tools for detecting viruses and baseline verification tools for checking configuration files.
[0062] For example, vulnerability scanning and detection tools can first perform port scanning on the target access address to identify all open TCP / UDP ports. For the discovered open ports, service fingerprinting is performed by sending specific probe packets and analyzing response characteristics to determine the type of service (such as HTTP, MySQL) running on the port and its specific software version. Virus detection tools can obtain a list of files on the backup host through authorized access (such as SSH passwords / keys) or file system mounting. Subsequently, through algorithms such as signature comparison, heuristic scanning, and behavioral analysis, executable files, scripts, documents, etc., are analyzed to identify viruses and other malicious code. Baseline verification tools can obtain information such as system configuration files, registry entries, account policies, password policies, and service status, and automatically compare them with predefined security baselines to find non-compliant configuration items. Through systematic and automated multi-layered detection, the tools can comprehensively detect the security status of the backup host.
[0063] To conserve virtualization platform resources, after receiving the security test results from the virtualization platform, a command to delete the backup host is sent to the virtualization platform to release resources within the virtualization platform.
[0064] In summary, in response to a security detection request from the cloud host to be tested, this embodiment sends a backup request to the virtualization platform to trigger the virtualization platform to generate a backup host for the cloud host to be tested. The backup host includes at least one of the operating system files, runtime files, port files, and configuration files of the cloud host to be tested. Therefore, security detection of the backup host can achieve a one-to-one detection of the cloud host to be tested. Furthermore, in response to receiving the access address of the backup host from the virtualization platform, trigger information for at least one detection tool is determined. For any detection tool, the detection tool is triggered via the access address based on the trigger information of the detection tool to detect the backup host, thereby determining whether the backup host has security risks. This avoids deploying and running agent intelligence on the cloud host to be tested, reduces the resource consumption of the cloud host to be tested, and prevents the cloud host to be tested from experiencing service delays due to security detection.
[0065] correspond Figure 2 The illustrated cloud host security detection method, in this disclosure embodiment, also provides another cloud host security detection method, applied to a virtualization platform, such as... Figure 3 As shown, the method includes: In step S31, in response to receiving a backup request sent by the cloud security detection platform, the image file of the cloud host to be detected corresponding to the backup request is obtained; In step S32, after starting the image file and obtaining the backup host, the access address of the backup host is sent to the cloud security detection platform. In step S33, the cloud security detection platform responds to a detection operation. The detection operation is triggered by the cloud security detection platform based on the access address, which determines the trigger information of at least one detection tool. For any detection tool, the detection tool is triggered via the access address based on the trigger information of the detection tool to detect the backup host.
[0066] If the detection tool is a static detection tool, the detection operation refers to invoking the static detection tool based on the calling port contained in the trigger information, and sending a network probe packet to the backup host with the access address as the scanning target; the network probe packet is used to scan the backup host for at least one of open network ports, identify service types, and perform vulnerability scanning; if the detection tool is a dynamic detection tool, the detection operation refers to sending a second trigger information to the virtualization platform to trigger the virtualization platform to deploy the dynamic detection tool indicated by the second trigger information on the backup host, and run the deployed dynamic detection tool to detect the backup host.
[0067] For example, specific implementation methods of the embodiments of this disclosure are described above. Figure 2 The corresponding descriptions of the security detection methods for cloud servers will not be repeated here.
[0068] correspond Figure 2 The illustrated cloud server security detection method, in this disclosure embodiment, also provides a cloud server security detection device, which can be deployed on... Figure 1 In the cloud security testing platform 10, operations are used to perform security testing methods for cloud hosts, such as... Figure 4 As shown, the device includes: The backup request module 401 is used to send a backup request to the virtualization platform in response to a security detection request for the cloud host to be detected, so as to trigger the virtualization platform to generate a backup host for the cloud host to be detected. The backup host includes at least one of the operating system files, runtime files, port files and configuration files of the cloud host to be detected. Trigger module 402 is used to determine trigger information for at least one detection tool in response to receiving an access address from the backup host of the virtualization platform; The detection module 403 is used to trigger the detection tool to detect the backup host based on the trigger information of the detection tool via the access address, in order to determine whether the backup host has any security risks.
[0069] The cloud host security detection device provided in the above embodiments of this disclosure is similar to the one provided in the embodiments of this disclosure. Figure 2 The corresponding security detection method for cloud servers is based on the same inventive concept and has the same beneficial effects as the methods used, run or implemented by the applications stored therein.
[0070] correspond Figure 3 The illustrated security detection method for cloud servers also provides a security detection device for cloud servers, which can be deployed on... Figure 1 In the virtualization platform 11, operations used to perform security detection methods for cloud hosts, such as... Figure 5 As shown, the device includes: The image acquisition module 501 is used to obtain the image file of the cloud host to be tested corresponding to the backup request sent by the cloud security detection platform in response to the backup request. The image module 502 is started to start the image file and, after obtaining the backup host, sends the access address of the backup host to the cloud security detection platform. The response detection module 503 is used to respond to the detection operation of the cloud security detection platform; the detection operation is the triggering information of at least one detection tool determined by the cloud security detection platform based on the access address, and for any detection tool, the detection tool is triggered to detect the backup host based on the triggering information of the detection tool via the access address.
[0071] The cloud host security detection device provided in the above embodiments of this disclosure is similar to the one provided in the embodiments of this disclosure. Figure 3 The corresponding security detection method for cloud servers is based on the same inventive concept and has the same beneficial effects as the methods used, run or implemented by the applications stored therein.
[0072] This disclosure also provides an electronic device for performing a security detection method for cloud hosts. Please refer to... Figure 6 This illustrates a schematic diagram of an electronic device provided by some embodiments of the present disclosure. For example... Figure 6 As shown, the electronic device 6 includes: a processor 600, a memory 601, a bus 602, and a communication interface 603. The processor 600, the communication interface 603, and the memory 601 are connected via the bus 602. The memory 601 stores a computer program that can run on the processor 600. When the processor 600 runs the computer program, it executes the cloud host security detection method provided in any of the foregoing embodiments of this disclosure.
[0073] The memory 601 may include high-speed random access memory (RAM) or non-volatile memory, such as at least one disk storage device. Communication between the virtual devices in the system is achieved through at least one communication interface 603 (which can be wired or wireless), such as the Internet, wide area network, local area network, or metropolitan area network.
[0074] Bus 602 can be an ISA bus, PCI bus, or EISA bus, etc. The bus can be divided into an address bus, a data bus, a control bus, etc. The memory 601 is used to store programs. After receiving an execution instruction, the processor 600 executes the program. The security detection method for the cloud host disclosed in any of the foregoing embodiments of this disclosure can be applied to the processor 600, or implemented by the processor 600.
[0075] The processor 600 may be an integrated circuit chip with signal processing capabilities. In implementation, each step of the above method can be completed by the integrated logic circuitry in the hardware of the processor 600 or by instructions in software form. The processor 600 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this disclosure. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this disclosure can be directly embodied in the execution of a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules may reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. The storage medium is located in memory 601. Processor 600 reads the contents of memory 601 and, in conjunction with its hardware, completes the steps of the above method.
[0076] The electronic device provided in this disclosure and the security detection method for the cloud host provided in this disclosure are based on the same inventive concept and have the same beneficial effects as the methods they adopt, operate or implement.
[0077] This disclosure also provides a computer-readable storage medium corresponding to the cloud host security detection method provided in the foregoing embodiments. Please refer to... Figure 7 The computer-readable storage medium shown is an optical disc 30, on which a computer program (i.e., a program product) is stored. When the microprocessor runs, the computer program executes the cloud host security detection method provided in any of the foregoing embodiments.
[0078] It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other optical and magnetic storage media, which will not be elaborated here.
[0079] The computer-readable storage medium provided in the above embodiments of this disclosure and the security detection method for cloud hosts provided in the embodiments of this disclosure are based on the same inventive concept and have the same beneficial effects as the methods adopted, run or implemented by the applications stored therein.
[0080] Although alternative embodiments of this disclosure have been described, those skilled in the art, upon learning the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this disclosure.
[0081] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of this disclosure. It should be understood that the above description is only a specific embodiment of this disclosure and is not intended to limit the scope of protection of this disclosure. Any modifications, equivalent substitutions, improvements, etc., made on the basis of the technical solution of this disclosure should be included within the scope of protection of this invention.
Claims
1. A security detection method for cloud servers, characterized in that, The method, applied to a cloud security detection platform, includes: In response to a security detection request received from a cloud host to be detected, a backup request is sent to the virtualization platform to trigger the virtualization platform to generate a backup host for the cloud host to be detected. The backup host includes at least one of the operating system files, runtime files, port files, and configuration files of the cloud host to be detected. In response to receiving an access address from the backup host of the virtualization platform, trigger information for at least one detection tool is determined; For any detection tool, the detection tool is triggered via the access address based on the triggering information of the detection tool to detect the backup host in order to determine whether the backup host has any security risks.
2. The method according to claim 1, characterized in that, The determination of trigger information for at least one detection tool includes: The items to be tested for the cloud host to be tested are determined based on the service type of the cloud host to be tested; Identify at least one detection tool that matches the item to be detected; For any detection tool, the calling mode of the detection tool is determined according to the storage location of the detection tool. The calling mode is either local calling or remote calling.
3. The method according to claim 2, characterized in that, The step of determining the invocation mode of the detection tool based on its storage location includes: If the detection tool is located on the cloud security detection platform, then the calling mode is determined to be a local call; If the detection tool is not located on the cloud security detection platform, then the invocation mode is determined to be a remote invocation.
4. The method according to claim 2 or 3, characterized in that, The step of triggering the detection tool to detect the backup host via the access address based on the trigger information of the detection tool includes: If the calling mode of the detection tool is local calling, the detection tool is called via the calling port contained in the triggering information, so that the detection tool can detect the files corresponding to the backup host through the access address; If the calling mode of the detection tool is remote calling, a first trigger message is sent to the server hosting the detection tool to trigger the server to call the detection tool to detect the file corresponding to the backup host through the access address; and the detection result of the detection tool is received.
5. The method according to claim 2 or 3, characterized in that, The step of triggering the detection tool to detect the backup host via the access address based on the trigger information of the detection tool includes: If the detection tool is a static detection tool, then the static detection tool is invoked based on the calling port contained in the trigger information, and a network probe packet is sent to the backup host with the access address as the scanning target; the network probe packet is used to scan the backup host for at least one of the following: open network ports, service type identification, and vulnerability scanning. If the detection tool is a dynamic detection tool, a second trigger message is sent to the virtualization platform to trigger the virtualization platform to deploy the dynamic detection tool indicated by the second trigger message in the backup host, and to run the deployed dynamic detection tool to detect the backup host.
6. The method according to claim 5, characterized in that, The static detection tool includes at least one of the following: a vulnerability scanning and detection tool for accessing ports of the backup host, a port scanning tool, and a service type identification tool; The dynamic detection tools include virus detection tools for detecting viruses and baseline verification detection tools for detecting configuration files.
7. The method according to claim 1, characterized in that, The method further includes: After receiving the security test results, an instruction to delete the backup host is sent to the virtualization platform.
8. A security detection method for cloud servers, characterized in that, Applied to a virtualization platform, the method includes: In response to receiving a backup request from the cloud security detection platform, obtain the image file of the cloud host to be detected corresponding to the backup request; After starting the image file and obtaining the backup host, the access address of the backup host is sent to the cloud security detection platform. The system responds to the detection operation of the cloud security detection platform. The detection operation is triggered by the cloud security detection platform based on the access address, which determines the trigger information of at least one detection tool. For any detection tool, the system triggers the detection tool to detect the backup host based on the trigger information of the detection tool via the access address.
9. The method according to claim 8, characterized in that, The response to the detection operation of the cloud security detection platform includes: If the detection tool is a static detection tool, the detection operation refers to calling the static detection tool based on the calling port contained in the trigger information, and sending a network probe packet to the backup host with the access address as the scanning target; the network probe packet is used to scan the backup host for open network ports, identify service types, and perform vulnerability scanning at least one of the following: If the detection tool is a dynamic detection tool, the detection operation refers to sending a second trigger message to the virtualization platform to trigger the virtualization platform to deploy the dynamic detection tool indicated by the second trigger message in the backup host, and to run the deployed dynamic detection tool to detect the backup host.
10. A security detection system for cloud servers, characterized in that, The system includes a cloud security detection platform and a virtualization platform. The cloud security detection platform is used to send a backup request to the virtualization platform in response to a security detection request received from the cloud host to be detected, so as to trigger the virtualization platform to generate a backup host for the cloud host to be detected. The backup host includes at least one of the operating system files, runtime files, port files and configuration files of the cloud host to be detected. The virtualization platform is used to respond to a backup request sent by the cloud security detection platform and obtain the image file of the cloud host to be detected corresponding to the backup request; After starting the image file and obtaining the backup host, the access address of the backup host is sent to the cloud security detection platform. The cloud security detection platform is also used to determine trigger information for at least one detection tool in response to receiving an access address from the backup host of the virtualization platform. For any detection tool, the detection tool is triggered via the access address based on the triggering information of the detection tool to detect the backup host in order to determine whether the backup host has any security risks.
11. An electronic device comprising a memory, a processor, and a computer program stored in the memory, wherein the processor, when executing the computer program, implements the method of any one of claims 1 to 9.
12. A computer-readable storage medium storing a computer program that, when executed by a processor, implements the method of any one of claims 1 to 9.