CN114640571A - A terminal security analysis method, system, computer equipment and storage medium - Google Patents
- Publication number: CN114640571A (application CN202210337885.9A)
- Authority: CN (China)
- Prior art keywords: server, query, user terminal, terminal, virtual table
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9017—Indexing; Data structures therefor; Storage structures using directory or table look-up
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
- H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Data Mining & Analysis (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Technical field
The present invention relates to the field of security analysis, and in particular to a terminal security analysis method, system, computer device and storage medium.
Background
Traditional terminal security analysis requires security engineers to perform security monitoring with platform-specific security tools on each platform. The technical threshold is high, and the analysis results from different platforms are difficult to manage and maintain in a unified way.
Summary of the invention
In view of the above technical problem, it is necessary to provide a terminal security analysis method, system, computer device and storage medium that can use a single server management software to perform security analysis of user terminals on different platforms.
In one aspect, a terminal security analysis method is provided, the method comprising:
installing terminal agent software on a user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the adapted virtual table;
the server sending a structured query statement to the terminal agent software, and the terminal agent software, after receiving the structured query statement, executing a query operation on the adapted virtual table;
obtaining the query result, and transmitting the query result to a database of the server or to a preset location;
the server executing a monitoring operation and obtaining monitoring information from the database.
In one embodiment, installing terminal agent software on the user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the virtual table specifically comprises:
obtaining the virtual table adapted to the user terminal and a processing function corresponding to the adapted virtual table;
installing the terminal agent software on the user terminal;
the terminal agent software establishing, through the processing function, a mapping relationship between the system information of the user terminal and the adapted virtual table.
In one embodiment, the server comprises server management software and server monitoring software, and before the server sends the structured query statement to the terminal agent software, the method further comprises:
receiving information configuration performed by operations personnel through the server management software and the server monitoring software.
In one embodiment, the query operation on the adapted virtual table specifically comprises:
obtaining a task configuration;
obtaining a list of scheduled query tasks from the task configuration;
executing query tasks on the state table and the event table according to the list of scheduled query tasks;
wherein the virtual table comprises the state table and the event table, the state table being a virtual table for which no query time is set, and the event table being a virtual table for which a query time is set.
In one embodiment, a communication interface is provided on the server, and those query results that involve monitoring information are all returned to the server through the communication interface and stored in the database.
In one embodiment, the monitoring operation specifically comprises:
the server receiving a monitoring instruction;
the server pulling monitoring information from the database;
determining, according to the monitoring information, whether to raise an alarm.
In one embodiment, the communication interface specifically comprises:
an activity detection interface for detecting whether the user terminal is in an active state;
a task acquisition interface through which the user terminal obtains query tasks from the server;
a temporary query interface through which the server issues an ad hoc structured query statement to the user terminal;
a result return interface through which the user terminal returns query results to the server.
In another aspect, a terminal security analysis system is provided, the system comprising:
a server module for issuing structured query statements to a user terminal module and storing query results;
a user terminal module for executing the structured query statements to complete query operations and output query results;
a virtual table module for obtaining the system information of the user terminal module through a mapping relationship.
In a further aspect, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the following steps:
installing terminal agent software on a user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the adapted virtual table;
the server sending a structured query statement to the terminal agent software, and the terminal agent software, after receiving the structured query statement, executing a query operation on the adapted virtual table;
obtaining the query result, and transmitting the query result to a database of the server or to a preset location;
the server executing a monitoring operation and obtaining monitoring information from the database.
In yet another aspect, a computer-readable storage medium is provided, which stores a program that, when executed by a processor, causes the processor to perform the following steps:
installing terminal agent software on a user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the adapted virtual table;
the server sending a structured query statement to the terminal agent software, and the terminal agent software, after receiving the structured query statement, executing a query operation on the adapted virtual table;
obtaining the query result, and transmitting the query result to a database of the server or to a preset location;
the server executing a monitoring operation and obtaining monitoring information from the database.
Compared with the prior art, the above technical solution of the present invention has the following advantages:
The above terminal security analysis method, system, computer device and storage medium establish virtual tables suited to user terminals on different platforms. When a query operation is executed, the terminal agent software obtains the virtual table adapted to the user terminal; the server sends a structured query statement to the terminal agent software, which executes the query operation on the adapted virtual table; the query result is obtained and transmitted to the database of the server or to a preset location; and the server executes a monitoring operation and obtains monitoring information from the database. Because of the virtual tables, security analysis of user terminals on different platforms no longer requires dedicated security analysis tools: it suffices to issue structured query statements against the virtual tables through the server management software, which improves the generality of the security analysis tooling.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of the first method of the terminal security analysis method of the present invention;
FIG. 2 is a flowchart of the second method of the terminal security analysis method of the present invention;
FIG. 3 is a structural diagram of the terminal security analysis system of the present invention;
FIG. 4 is a structural diagram of the computer device of the present invention.
Detailed description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present application and not to limit it.
Embodiment 1:
The terminal security analysis method of this embodiment is described with reference to FIG. 1 and FIG. 2, where FIG. 1 is a flowchart of the first method of terminal security analysis of the present invention and FIG. 2 is a flowchart of the second method of the terminal security analysis method of the present invention.
The method comprises the following steps:
Installing terminal agent software on the user terminal, obtaining through the terminal agent software a virtual table suited to the user terminal, and mapping the system information of the user terminal onto the adapted virtual table;
In prior-art security analysis, each platform (such as Windows, macOS and Linux) needs its own dedicated security analysis tool to query the relevant system information. The present invention, by establishing virtual tables, allows a single server management software to obtain query results from different platforms and perform security analysis on them, which improves the generality of the security analysis tooling. First, the virtual table adapted to the user terminal is obtained on the user terminal and the terminal agent software is installed; the terminal agent software then maps the system information of the user terminal onto that adapted virtual table. When the server needs the system information of the user terminal, it only has to issue a query instruction or configure a scheduled query task through the server management software to read the information in the virtual table. User terminals on different platforms are adapted to different virtual tables. The system information to be obtained, i.e. the information in the virtual tables, includes basic system information such as operating system, hardware and disk information; runtime state information such as the process list, port list and network connection list; and operation log information such as file operation logs. Users can also create additional virtual tables according to their specific needs.
The server sending a structured query statement to the terminal agent software, and the terminal agent software, after receiving the structured query statement, executing the query operation on the adapted virtual table;
Once the adapted virtual table has been obtained on the user terminal, the terminal agent software has been installed, and the mapping between the adapted virtual table and the system information of the user terminal has been established, the server can query the virtual table with structured query statements, or by configuring scheduled query tasks, to obtain the system information in the virtual table, i.e. the system information of the user terminal (the information about the user terminal that the server wants to query). The virtual table establishes the interaction between the server and the user terminal, so that system information from different platforms can be obtained simply by using unified structured query statements or configuring scheduled query tasks in the server management software. The structured query statements are SQL-like query statements.
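The mapping and query steps just described can be illustrated with a short Python program. This is an added example and not code from the patent or from any product it describes. It assumes SQLite as the agent's local query engine, uses constructed sample rows (processes and listening ports) in place of real operating-system data, and the names TerminalAgent, make_processing_functions, BASELINE_QUERY and run_on_fleet are hypothetical. It goes slightly beyond the text in one respect: while a statement received from the server executes, an SQLite authorizer refuses anything other than a read, so the server can query the virtual tables but not alter them.

```python
import sqlite3
from typing import Callable, Dict, List

# Constructed sample system information standing in for what a real agent would
# collect from the operating system; every value below is made up for the demo.
SAMPLE_PROCESSES = {
    "linux": [
        (1, "systemd", "/usr/lib/systemd/systemd", 0),
        (842, "sshd", "/usr/sbin/sshd", 0),
        (1307, "python3", "/usr/bin/python3", 1000),
    ],
    "windows": [
        (4, "System", "", 0),
        (612, "lsass.exe", r"C:\Windows\System32\lsass.exe", 0),
        (3320, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1001),
    ],
}
SAMPLE_PORTS = {
    "linux": [(842, 22, "tcp"), (1307, 8000, "tcp")],
    "windows": [(3320, 8000, "tcp")],
}

# One schema for every platform: this is what lets the server send the same
# structured query statement to agents on different operating systems.
VIRTUAL_TABLES = {
    "processes": ("pid", "name", "path", "uid"),
    "listening_ports": ("pid", "port", "protocol"),
}


def make_processing_functions(platform: str) -> Dict[str, Callable[[], List[tuple]]]:
    """Processing functions adapted to the platform, one per virtual table.
    A real agent would call OS-specific APIs here; the demo returns sample rows."""
    return {
        "processes": lambda: SAMPLE_PROCESSES[platform],
        "listening_ports": lambda: SAMPLE_PORTS[platform],
    }


class TerminalAgent:
    """Maps system information onto in-memory SQLite tables and runs server SQL."""

    READ_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def __init__(self, platform: str):
        self.platform = platform
        self.processing = make_processing_functions(platform)
        self.db = sqlite3.connect(":memory:")
        self._read_only = False
        # The authorizer is consulted when a statement is compiled; while a server
        # statement runs, anything other than a read is refused.
        self.db.set_authorizer(self._authorize)
        for table, columns in VIRTUAL_TABLES.items():
            self.db.execute(f"CREATE TABLE {table} ({', '.join(columns)})")

    def _authorize(self, action, arg1, arg2, dbname, trigger):
        if self._read_only and action not in self.READ_ACTIONS:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def refresh(self) -> None:
        """Re-run the processing functions so the tables reflect the current state."""
        for table, collect in self.processing.items():
            marks = ", ".join("?" for _ in VIRTUAL_TABLES[table])
            self.db.execute(f"DELETE FROM {table}")
            self.db.executemany(f"INSERT INTO {table} VALUES ({marks})", collect())
        self.db.commit()

    def query(self, sql: str) -> List[dict]:
        """Execute a structured query statement received from the server."""
        self.refresh()
        self._read_only = True
        try:
            cur = self.db.execute(sql)
            cols = [d[0] for d in cur.description]
            return [dict(zip(cols, row)) for row in cur.fetchall()]
        finally:
            self._read_only = False


# Server-side statement: processes listening outside an approved port baseline.
BASELINE_QUERY = """
SELECT p.pid, p.name, l.port
FROM processes AS p JOIN listening_ports AS l ON p.pid = l.pid
WHERE l.port NOT IN (22, 80, 443)
ORDER BY p.pid
"""


def run_on_fleet(sql: str, platforms=("linux", "windows")) -> Dict[str, List[dict]]:
    """Send one statement to agents on several platforms and collect the results."""
    return {platform: TerminalAgent(platform).query(sql) for platform in platforms}


if __name__ == "__main__":
    for platform, rows in run_on_fleet(BASELINE_QUERY).items():
        print(platform, rows)
```

The same statement is accepted by the Linux and the Windows agent because both expose the same table schema; only the processing functions behind the tables differ, which is exactly the decoupling the virtual table provides.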
Obtaining the query result, and transmitting the query result to the database of the server or to a preset location;
After the query operation is executed, the query result is obtained. The user terminal transmits the query result through the communication interface of the server into the server's database, where it is saved so that security analysis can be performed on the system information and monitoring information can be further extracted from it. Alternatively, the query result is output to a preset location, which includes a local location, an interface return location, and an ElasticSearch search engine.
The server executing the monitoring operation and obtaining monitoring information from the database.
When the server executes the monitoring operation, the server monitoring software obtains the monitoring information directly from the database so that security analysis can be performed on it.
The server has the server management software and the server monitoring software installed, and its system firewall must be configured to allow the server to expose the communication interface, so that the user terminal can exchange information with the server through it. The server management software can configure scheduled queries, monitoring conditions, alarms and so on. The server monitoring software can configure monitoring logs, alarm trigger conditions and so on, and automatically connects to the database. Installing the server management software and the server monitoring software on the server comprises the following steps: initialize the server environment and the database environment and install dependencies; allow the server to expose the communication interface in the server's system firewall; deploy and run the server management software source code; the server management software automatically connects to the database, opens the communication interface and waits for user terminals to connect; configure the relevant content in the server management software interface; deploy and run the server monitoring software source code; the server monitoring software automatically connects to the database, and the relevant content, such as what the monitoring log retains and the alarm conditions, is configured in the server monitoring software interface.
In one embodiment, installing terminal agent software on the user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the virtual table specifically comprises:
Obtaining the virtual table adapted to the user terminal and the processing function corresponding to the adapted virtual table;
To perform security analysis of different platforms through a single server management software, the virtual table adapted to the user terminal, together with the processing function corresponding to that virtual table, must first be obtained on the user terminal, so that the mapping between the adapted virtual table and the system information of the user terminal can be established.
Installing the terminal agent software on the user terminal;
Installing the terminal agent software makes it possible to map the virtual table to the system information of the user terminal. The server's communication interface must be configured in the terminal agent software so that it can exchange information with the server.
The terminal agent software also automatically obtains query tasks from the server through the communication interface. Installing the terminal agent software comprises the following steps: initialize the user terminal environment and install dependencies; deploy the terminal agent software and configure the communication interface address and the output address; run the terminal agent software; the terminal agent software automatically obtains the tasks for this machine from the server; after executing a task, the terminal agent software outputs the query log according to its configuration.
The terminal agent software establishing, through the processing function, the mapping between the system information of the user terminal and the adapted virtual table.
After the terminal agent software is installed on the user terminal, it uses the processing function to establish the mapping between the system information of the user terminal and the adapted virtual table, so that the system information of the user terminal can be obtained by querying the virtual table through the processing function.
In one embodiment, the server comprises server management software and server monitoring software, and before the server sends the structured query statement to the terminal agent software, the method further comprises:
Receiving information configuration performed by operations personnel through the server management software and the server monitoring software;
The server comprises two pieces of software: server management software and server monitoring software. The server management software is mainly used to perform query operations against user terminals to obtain information such as a user terminal's process information and file modification records; the query information therefore has to be configured through the server management software, for example by configuring scheduled query tasks and log output. The server monitoring software is mainly used to perform the server's monitoring operations, to obtain monitoring data and vulnerability monitoring results; the monitoring information therefore has to be configured through the server monitoring software, for example by configuring monitoring conditions and alarm methods. The server management software provides the corresponding configuration interfaces, such as an interface showing the user terminals that have connected to the server interface, an interface in which operations personnel modify the scheduled query tasks, an interface for entering a query statement manually and waiting for its result, an interface in which operations personnel configure log monitoring conditions, and an interface in which operations personnel configure the alarm recipients and alarm method.
In one embodiment, the query operation on the virtual table specifically comprises:
Obtaining the task configuration;
The task configuration includes, for example, the ID of a query task, its query statement, result form and output location. The result form is either the full result or the changed result: if a query task in the task list is configured with the full result form, the full result is output when the query finishes, i.e. all results of the most recent query; if it is configured with the changed result form, what is output when the query finishes is the difference from the previous query result, i.e. the results that have changed compared with the previous query. The output location, i.e. the preset location, includes a local location, an interface return location and an ElasticSearch search engine. The interface return location refers to the result return interface set up on the server, through which the user terminal can return query results to the server. In addition, tasks are not only the query tasks configured locally on the user terminal but also the query tasks obtained from the server through the task acquisition interface.
Obtaining the list of scheduled query tasks from the task configuration;
The task configuration stores the list of scheduled query tasks, which enumerates the query tasks to be executed together with their configuration, such as the task ID, query statement, result form and output location.
Executing the query tasks on the state table and the event table according to the list of scheduled query tasks;
After the list of scheduled query tasks is obtained, the queries are executed in order according to the list and completed according to each task's configuration. The query tasks include query tasks on the state table and query tasks on the event table.
Wherein the virtual table comprises the state table and the event table, the state table being a virtual table for which no query time is set, and the event table being a virtual table for which a query time is set.
The state table is a virtual table for which no query time is set; its query tasks are simply executed according to the configuration in the scheduled task list. The event table is a virtual table for which a query time is set: a time period is set when the event table is queried, and when the query task executes it automatically queries the system information within that period, i.e. it monitors the system events of the user terminal.
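The scheduled task list, the distinction between state tables and event tables, and the full versus changed result forms described in the steps above, as an added Python example that is not part of the patent. The executor is a toy stand-in for the agent's virtual tables (constructed rows, and only statements of the form SELECT * FROM <table>); the names QueryTask, TaskRunner, make_executor and demo_scenario are hypothetical; the three output locations are modelled as in-memory lists; and the choice to query an event table over the period since the task's last run is an assumption about how the "set query time" is derived.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class QueryTask:
    """One entry of the scheduled query task list."""
    task_id: str
    sql: str
    table_kind: str    # "state": no query time; "event": queried over a time window
    result_mode: str   # "full" or "changed"
    output: str        # "local", "interface" or "elasticsearch"
    interval_s: int    # how often the scheduled task runs


def make_executor(system: Dict[str, List[dict]]) -> Callable:
    """Toy executor standing in for the agent's virtual tables. It understands only
    'SELECT * FROM <table>'; event tables are filtered to the (start, end] window."""
    def execute(sql: str, window: Optional[Tuple[int, int]]) -> List[dict]:
        table = sql.split("FROM", 1)[1].split()[0]
        rows = list(system[table])
        if window is not None:
            rows = [r for r in rows if window[0] < r["time"] <= window[1]]
        return rows
    return execute


class TaskRunner:
    """Runs the scheduled query task list and delivers results to the output location."""

    def __init__(self, execute: Callable):
        self.execute = execute
        self.last_run: Dict[str, int] = {}
        self.last_rows: Dict[str, set] = {}
        self.sinks: Dict[str, List[dict]] = {"local": [], "interface": [], "elasticsearch": []}

    def due(self, tasks: List[QueryTask], now: int) -> List[QueryTask]:
        return [t for t in tasks
                if t.task_id not in self.last_run or now - self.last_run[t.task_id] >= t.interval_s]

    def run(self, task: QueryTask, now: int) -> dict:
        window = None
        if task.table_kind == "event":
            # Event table: query the period since the last run (one interval on first run).
            start = self.last_run.get(task.task_id, now - task.interval_s)
            window = (start, now)
        rows = self.execute(task.sql, window)
        frozen = {tuple(sorted(r.items())) for r in rows}
        if task.result_mode == "changed":
            # Changed result form: only the difference from the previous run is output.
            prev = self.last_rows.get(task.task_id, set())
            payload = {"added": [dict(r) for r in sorted(frozen - prev)],
                       "removed": [dict(r) for r in sorted(prev - frozen)]}
        else:
            payload = {"rows": rows}
        self.last_rows[task.task_id] = frozen
        self.last_run[task.task_id] = now
        record = {"task_id": task.task_id, "time": now, **payload}
        self.sinks[task.output].append(record)
        return record

    def tick(self, tasks: List[QueryTask], now: int) -> List[dict]:
        """One scheduler pass: run every task that is due at time 'now'."""
        return [self.run(t, now) for t in self.due(tasks, now)]


TASKS = [
    QueryTask("t1", "SELECT * FROM processes", "state", "changed", "interface", 60),
    QueryTask("t2", "SELECT * FROM file_events", "event", "full", "elasticsearch", 60),
]


def demo_scenario() -> List[List[dict]]:
    """Constructed timeline: a process appears and a file is modified between passes."""
    system = {
        "processes": [{"pid": 842, "name": "sshd"}, {"pid": 901, "name": "cron"}],
        "file_events": [{"time": -30, "path": "/etc/passwd", "action": "modify"}],
    }
    runner = TaskRunner(make_executor(system))
    passes = [runner.tick(TASKS, 0), runner.tick(TASKS, 30)]
    system["processes"].append({"pid": 1307, "name": "python3"})
    system["file_events"].append({"time": 45, "path": "/etc/shadow", "action": "modify"})
    passes.append(runner.tick(TASKS, 60))
    return passes


if __name__ == "__main__":
    for n, records in enumerate(demo_scenario()):
        print("pass", n, records)
```

On the first pass the changed-result task reports every row as added, since there is no previous result to compare against; on the third pass it reports only the new process, while the event-table task returns only the file event that falls inside the window since its last run.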
在其中一个实施方式中,所述服务端上设置通信接口,所述查询结果中涉及监控信息的查询结果均通过所述通信接口返回所述服务端并存储到所述数据库中。In one embodiment, a communication interface is set on the server, and query results involving monitoring information in the query results are returned to the server through the communication interface and stored in the database.
A communication interface is set up on the server to handle the information exchange between the user terminal and the server while a query task is executed. The query results hold a great deal of information, including monitoring information. In the present invention the server management software and the server monitoring software share one database, and all information obtained by queries is stored in that database. In general there are three output locations to choose from: a local location, an interface return location, and the ElasticSearch search engine. System information other than monitoring information is output to the output location given in the task configuration; system information that involves monitoring information is instead returned uniformly to the server through the communication interface and saved in the database, so that the server monitoring software can fetch monitoring information directly from the database and perform security analysis.
The monitoring operation specifically includes:
the server receives a monitoring instruction;
The server receives a monitoring instruction so that the server's monitoring operation can be started.
the server pulls monitoring information from the database;
After the server has received the monitoring instruction and started the monitoring operation, the server monitoring software fetches monitoring information directly from the database, since the server monitoring software and the server management software share one database; this lowers the barrier to use for security engineers. Monitoring can also be configured so that the server monitoring software automatically fetches monitoring information from the database at fixed intervals.
whether to raise an alarm is determined according to the monitoring information.
After obtaining the monitoring information, the server monitoring software judges whether an alarm operation needs to be performed on it. Monitoring information comes in two kinds. One is the general information of the user terminal, such as CPU, memory and disk information. The other is vulnerability information: the server obtains the installation package information of all software installed on the user terminal, compares it against the vulnerability library, and judges whether a vulnerability exists; if one exists, an alarm is sent to the operation and maintenance personnel.
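The three monitoring steps above (receive the instruction, pull monitoring information from the shared database, decide whether to alarm) as an added Python example; this is not the patent's code. An in-memory SQLite table stands in for the shared database, and the thresholds, package names, versions and vulnerability-library entry ids are constructed placeholders.

```python
import json
import sqlite3
from dataclasses import dataclass

# Constructed vulnerability library: package name -> {vulnerable version: library entry id}.
# Names, versions and entry ids are placeholders, not real advisories.
VULN_LIBRARY = {
    "libexample": {"1.0.0": "VULNLIB-ENTRY-1"},
    "exampletool": {"2.3.0": "VULNLIB-ENTRY-2"},
}

# Assumed alarm thresholds (percent) for the general CPU/memory/disk information.
THRESHOLDS = {"cpu_percent": 90.0, "mem_percent": 90.0, "disk_percent": 85.0}


@dataclass(frozen=True)
class Alert:
    terminal_id: str
    kind: str      # "resource" or "vulnerability"
    detail: str


def build_shared_db():
    """Stand-in for the database shared by the management and monitoring software.
    The management software writes query results here; the rows are constructed samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE monitoring_info (terminal_id TEXT, kind TEXT, payload TEXT)"
    )
    rows = [
        ("host-a", "resource",
         json.dumps({"cpu_percent": 45.0, "mem_percent": 93.5, "disk_percent": 40.0})),
        ("host-a", "packages",
         json.dumps([{"name": "libexample", "version": "1.0.2"},
                     {"name": "exampletool", "version": "2.3.0"}])),
        ("host-b", "resource",
         json.dumps({"cpu_percent": 20.0, "mem_percent": 30.0, "disk_percent": 50.0})),
        ("host-b", "packages",
         json.dumps([{"name": "libexample", "version": "1.0.0"}])),
    ]
    conn.executemany("INSERT INTO monitoring_info VALUES (?, ?, ?)", rows)
    return conn


def pull_monitoring_info(conn):
    """Step 'the server pulls monitoring information from the database'."""
    cur = conn.execute(
        "SELECT terminal_id, kind, payload FROM monitoring_info ORDER BY rowid"
    )
    return [(tid, kind, json.loads(payload)) for tid, kind, payload in cur]


def evaluate(records, vuln_library=VULN_LIBRARY, thresholds=THRESHOLDS):
    """Step 'determine according to the monitoring information whether to raise an alarm'.
    Resource rows are checked against the thresholds; package rows are compared with the
    vulnerability library by exact (name, version) match."""
    alerts = []
    for terminal_id, kind, payload in records:
        if kind == "resource":
            for metric, limit in thresholds.items():
                value = payload.get(metric)
                if value is not None and value > limit:
                    alerts.append(Alert(terminal_id, "resource",
                                        f"{metric}={value} exceeds {limit}"))
        elif kind == "packages":
            for pkg in payload:
                entry = vuln_library.get(pkg["name"], {}).get(pkg["version"])
                if entry is not None:
                    alerts.append(Alert(terminal_id, "vulnerability",
                                        f"{pkg['name']} {pkg['version']} matches {entry}"))
        # Other kinds are ignored: they are system information, not monitoring information.
    return alerts


def run_monitoring(conn=None):
    """The whole monitoring operation: the call is the instruction, then pull and evaluate."""
    if conn is None:
        conn = build_shared_db()
    return evaluate(pull_monitoring_info(conn))


if __name__ == "__main__":
    for alert in run_monitoring():
        print(alert)
```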
In one embodiment, the communication interface specifically includes:
an activity detection interface, used to detect whether the user terminal is in an active state;
The activity detection interface detects whether the user terminal is active, that is, whether the user terminal can respond to the query tasks issued by the server, so that operation and maintenance personnel can deal with a terminal promptly when it cannot respond to the server.
a task acquisition interface, used by the user terminal to acquire query tasks from the server;
Through the task acquisition interface the user terminal acquires query tasks from the server; that is, the query tasks the user terminal executes are not only those configured locally on the user terminal but also those acquired from the server through the task acquisition interface.
a temporary query interface, used by the server to issue a temporary structured query statement to the user terminal;
The temporary query interface is used by the server to issue a temporary structured query statement to the user terminal. A temporary query is a query statement of the server that is not scheduled. For example, the server may suddenly need to query certain data that is not part of any scheduled task; the user terminal therefore periodically checks the temporary query interface for a temporary query task, and if one exists it executes the temporary query and returns the result.
a result return interface, used by the user terminal to return query results to the server.
The query results hold a great deal of information. According to the information configuration, all information that needs to be returned to the server is returned through the result return interface to the server's database, so that the server monitoring software can fetch monitoring information directly from the database and perform security analysis. Preferably, according to the information configuration, information that needs to be returned to the server is given a to-be-submitted mark; information carrying the to-be-submitted mark is then returned to the server through the result return interface.
Embodiment 2:
Referring to FIG. 2, FIG. 2 is a flowchart of the second method of the terminal security analysis method of the present invention.
acquiring a virtual table adapted to the user terminal and a processing function corresponding to the adapted virtual table;
To perform security analysis of different platforms through unified server management software, the virtual table adapted to the user terminal and the processing function corresponding to that virtual table must first be obtained on the user terminal, so that a mapping relationship can be established between the adapted virtual table and the system information of the user terminal.
installing terminal agent software on the user terminal;
The terminal agent software is installed to implement the mapping between the virtual table and the system information of the user terminal. The server's communication interface is configured in the terminal agent software so that it can exchange information with the server. The terminal agent software also automatically obtains query tasks from the server through the communication interface.
the terminal agent software establishes, through the processing function, a mapping relationship between the system information of the user terminal and the adapted virtual table;
After the terminal agent software is installed on the user terminal, it uses the processing function to establish a mapping relationship between the system information of the user terminal and the adapted virtual table, so that the system information of the user terminal can be obtained by querying the virtual table.
receiving the information configuration performed by operation and maintenance personnel through the server management software and the server monitoring software;
The server comprises two pieces of software: server management software and server monitoring software. The server management software is mainly used to perform query operations on the user terminal in order to obtain process information, file modification records and similar information, so the query information must be configured through the server management software, for example by configuring scheduled query tasks and log output. The server monitoring software is mainly used to perform the server's monitoring operation in order to obtain monitoring data and vulnerability monitoring results, so the monitoring information must be configured through the server monitoring software, for example by configuring monitoring conditions and alarm methods.
the server sends a structured query statement to the terminal agent software;
Once the virtual table has been established on the user terminal, the terminal agent software installed, and the mapping relationship between the virtual table and the user terminal's system information set up, the server can query the virtual table with structured query statements to obtain the system information held in the virtual table, that is, the system information of the user terminal. System information here means the information of the user terminal that the server wants to query.
acquiring a task configuration;
The task configuration includes, for example, the query task ID, the query statement, the result form and the output location.
acquiring a scheduled query task list from the task configuration;
The task configuration stores a scheduled query task list, which lists the query tasks to be executed together with the configuration of each task, such as the task ID, query statement, result form and output location.
executing the query tasks of the state table and the event table according to the scheduled query task list;
After the scheduled query task list is obtained, the queries are run in sequence according to the list and each query task is completed according to its task configuration. The query tasks include query tasks on the state table and on the event table.
obtaining the query results and transmitting them to the server's database or to a preset location;
After the query operation is executed the query results are obtained. The user terminal transmits the query results to the server's database through the server's communication interface, where they are saved so that the system information can be analysed for security and monitoring information can be further extracted from it. Alternatively, the query results are output to a preset location, including a local location, an interface return location or the ElasticSearch search engine.
the server performs the monitoring operation and obtains monitoring information from the database.
When the server performs the monitoring operation, the server monitoring software pulls the monitoring information from the database so that security analysis can be performed on it.
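The agent-side steps of Embodiment 2 (processing functions mapping system information into virtual tables, the scheduled query task list with its task ID, query statement, result form and output location, and routing of results either to the configured output location or back to the server with the to-be-submitted mark of the result return interface) as an added Python example; this is not the patent's code. Because Python's sqlite3 module exposes no virtual-table API, each processing function materialises its rows into an in-memory table immediately before a query runs; the table names, sample rows, the sinks standing in for the output locations and the `monitoring` task field are assumptions.

```python
import sqlite3

# Processing functions: each returns the rows of the virtual table of the same name.
# Constructed sample data stands in for the system calls a real agent would make.
def processes_rows():                       # state table: a snapshot of running processes
    return [(101, "sshd", "/usr/sbin/sshd", 0),
            (2045, "bash", "/bin/bash", 1000),
            (3100, "cron", "/usr/sbin/cron", 0)]

def file_events_rows():                     # event table: accumulated file change records
    return [("/etc/passwd", "MODIFIED", 1700000000),
            ("/tmp/scratch", "CREATED", 1700000010)]

# Virtual table name -> (column schema, processing function). The names are fixed here,
# so interpolating them into the DDL below is safe; user-supplied names would not be.
VIRTUAL_TABLES = {
    "processes": ("pid INTEGER, name TEXT, path TEXT, uid INTEGER", processes_rows),
    "file_events": ("path TEXT, action TEXT, ts INTEGER", file_events_rows),
}

# Scheduled query task list as described by the task configuration: task ID, query
# statement, result form, output location. "monitoring" (assumed field) marks results
# that must go back to the server regardless of the configured output location.
SCHEDULED_TASKS = [
    {"id": "t1", "query": "SELECT pid, name, path FROM processes WHERE uid = 0 ORDER BY pid",
     "result_form": "rows", "output": "local", "monitoring": False},
    {"id": "t2", "query": "SELECT path, action FROM file_events WHERE path LIKE '/etc/%'",
     "result_form": "rows", "output": "elasticsearch", "monitoring": True},
]


class Agent:
    """Terminal agent: materialises virtual tables via their processing functions,
    runs the scheduled task list, and routes results by output location."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        # The three output locations named in the text; each list stands in for the real target.
        self.sinks = {"local": [], "interface_return": [], "elasticsearch": []}
        self.pending = []   # results carrying the to-be-submitted mark

    def _materialise(self, table):
        """Mapping step: run the processing function and expose its rows as a table."""
        schema, fn = VIRTUAL_TABLES[table]
        self.conn.execute(f"DROP TABLE IF EXISTS {table}")
        self.conn.execute(f"CREATE TABLE {table} ({schema})")
        rows = fn()
        if rows:
            marks = ",".join("?" * len(rows[0]))
            self.conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)

    def run_task(self, task):
        # Refresh every virtual table so the query sees current system information.
        for table in VIRTUAL_TABLES:
            self._materialise(table)
        rows = self.conn.execute(task["query"]).fetchall()
        result = {"task_id": task["id"], "rows": rows}
        if task["monitoring"]:
            result["pending_submit"] = True          # the to-be-submitted mark
            self.pending.append(result)
        else:
            self.sinks[task["output"]].append(result)
        return result

    def run_scheduled(self, tasks=SCHEDULED_TASKS):
        """Execute the scheduled query task list in order."""
        return [self.run_task(t) for t in tasks]

    def flush_results(self):
        """Result return interface: hand over everything carrying the mark, then clear it."""
        submitted = [r for r in self.pending if r.get("pending_submit")]
        self.pending = []
        return submitted


if __name__ == "__main__":
    agent = Agent()
    for r in agent.run_scheduled():
        print(r)
    print("submitted to server:", agent.flush_results())
```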
It should be understood that although the steps in the flowcharts of FIGS. 1 to 2 are displayed in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict ordering constraint on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in FIGS. 1 to 2 may include multiple sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different moments; the execution order of these sub-steps or stages is likewise not necessarily sequential, and they may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Embodiment 3:
Referring to FIG. 3, FIG. 3 is a system structure diagram of the terminal security analysis system of the present invention.
The terminal security analysis system of this embodiment includes:
a server module, used to issue structured query statements to the user terminal module and to store query results;
The server module comprises the server management software and the server monitoring software. Through the server module, the server management software can be used uniformly to issue structured query statements to the user terminal module in order to obtain the system information of user terminals on different platforms, that is, the query results, and to save the query results to a preset location for security analysis.
a user terminal module, used to execute the structured query statements, complete the query operation and output the query results;
The user terminal module receives the structured query statements issued by the server module and then executes the query operation on the virtual table to obtain the query results.
a virtual table module, used to obtain the system information of the user terminal module through the mapping relationship.
The virtual table module forms a bridge between the server module and the user terminal module; over this bridge the server module can uniformly use the server management software to issue structured query statements to the user terminal module and so obtain the system information of user terminals on different platforms.
For specific limitations of the terminal security analysis system, reference may be made to the limitations on the method above, which are not repeated here. Each module of the terminal security analysis system described above may be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device, so that the processor can invoke and execute the operations corresponding to each module.
Embodiment 4:
This embodiment provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that the processor, when executing the computer program, implements the steps of the terminal security analysis method.
The computer device may be a terminal, and its internal structure may be as shown in FIG. 4. The computer device includes a processor, a memory, a network interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program held in the non-volatile storage medium. The network interface of the computer device is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements the terminal security analysis method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, keys, a trackball or a touchpad provided on the housing of the computer device, or an external keyboard, touchpad or mouse.
Those skilled in the art will understand that the structure shown in FIG. 4 is only a block diagram of part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
installing terminal agent software on the user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the adapted virtual table;
the server sending a structured query statement to the terminal agent software, and the terminal agent software, after receiving the structured query statement, executing a query operation on the adapted virtual table;
obtaining the query results and transmitting them to the server's database or to a preset location;
the server performing the monitoring operation and obtaining monitoring information from the database.
In one embodiment, the processor further implements the following steps when executing the computer program:
acquiring a virtual table adapted to the user terminal and a processing function corresponding to the adapted virtual table;
installing terminal agent software on the user terminal;
the terminal agent software establishing, through the processing function, a mapping relationship between the system information of the user terminal and the adapted virtual table.
In one embodiment, the processor further implements the following steps when executing the computer program:
receiving the information configuration performed by operation and maintenance personnel through the server management software and the server monitoring software.
In one embodiment, the processor further implements the following steps when executing the computer program:
acquiring a task configuration;
acquiring a scheduled query task list from the task configuration;
executing the query tasks of the state table and the event table according to the scheduled query task list.
In one embodiment, the processor further implements the following steps when executing the computer program:
the server receiving a monitoring instruction;
the server pulling monitoring information from the database;
determining according to the monitoring information whether to raise an alarm.
Embodiment 5:
This embodiment provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the following steps are implemented:
installing terminal agent software on the user terminal, obtaining through the terminal agent software a virtual table adapted to the user terminal, and mapping the system information of the user terminal onto the adapted virtual table;
the server sending a structured query statement to the terminal agent software, and the terminal agent software, after receiving the structured query statement, executing a query operation on the adapted virtual table;
obtaining the query results and transmitting them to the server's database or to a preset location;
the server performing the monitoring operation and obtaining monitoring information from the database.
In one embodiment, the processor further implements the following steps when executing the computer program:
acquiring a virtual table adapted to the user terminal and a processing function corresponding to the adapted virtual table;
installing terminal agent software on the user terminal;
the terminal agent software establishing, through the processing function, a mapping relationship between the system information of the user terminal and the adapted virtual table.
In one embodiment, the processor further implements the following steps when executing the computer program:
receiving the information configuration performed by operation and maintenance personnel through the server management software and the server monitoring software.
In one embodiment, the processor further implements the following steps when executing the computer program:
acquiring a task configuration;
acquiring a scheduled query task list from the task configuration;
executing the query tasks of the state table and the event table according to the scheduled query task list.
In one embodiment, the processor further implements the following steps when executing the computer program:
the server receiving a monitoring instruction;
the server pulling monitoring information from the database;
determining according to the monitoring information whether to raise an alarm.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by instructing the relevant hardware through a computer program, which may be stored in a non-volatile computer-readable storage medium; when executed, the computer program may include the processes of the method embodiments described above. Any reference to memory, storage, a database or other medium used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application, and although their description is specific and detailed, it should not be construed as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art may make several variations and improvements without departing from the concept of the present application, all of which fall within the protection scope of the present application. Therefore, the protection scope of the present application patent shall be governed by the appended claims.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202210337885.9A CN114640571A (en) | 2022-03-31 | 2022-03-31 | A terminal security analysis method, system, computer equipment and storage medium
Publications (1)
Publication Number | Publication Date
---|---
CN114640571A true CN114640571A (en) | 2022-06-17
Family ID: 81951418
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| TA01 | Transfer of patent application right | Effective date of registration: 20230614. Address after: 518052 Room 201, building A, 1 front Bay Road, Shenzhen Qianhai cooperation zone, Shenzhen, Guangdong. Applicant after: ZHONGAN INFORMATION TECHNOLOGY SERVICE Co.,Ltd. Address before: 201210 3rd floor, building 1, No.400, Fangchun Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai. Applicant before: Shanghai Zhongzhi Technology Co.,Ltd.
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20220617