CN115499203A - Security event monitoring method and device, computer equipment and storage medium - Google Patents
- Publication number
- CN115499203A (application CN202211120915.7A)
- Authority
- CN
- China
- Prior art keywords
- data
- scanned
- scanning
- security event
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Abstract
The present application relates to a security event monitoring method and device, computer equipment and a storage medium. The method includes: acquiring a request to be processed; determining, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier; and scanning the data to be scanned to determine whether a security event exists. The data is thus scanned before it is uploaded to the network site, which gives advance warning for data uploaded within the site and comprehensively improves the security of the network site.
Description
Technical field
The present application relates to the technical field of network security, and in particular to a security event monitoring method and device, computer equipment and a storage medium.
Background
With the rapid development of Internet technology, government bodies, universities, hospitals and similar organisations have now achieved full Internet coverage in daily life, and they face many kinds of security event threats, such as hidden links (dark links), external links, tampering and information leakage, which have a great impact on society, politics and the economy. Network security has therefore become one of the issues to which today's society attaches great importance.
In existing network security technology, a cloud detection platform can be used to monitor the network site a user operates: after the user uploads a file through the network site, a dedicated scanning service program monitors the security of the site in real time. The scanned content in this method is limited, however: it cannot scan the full traffic of the network site, only traffic in the format of uploaded files.
No effective solution has yet been proposed in the related art for the problem of how to comprehensively improve the security of a network site.
Summary of the invention
Based on this, it is necessary, in view of the above technical problem, to provide a security event monitoring method and device, computer equipment and a storage medium capable of comprehensively improving the security of a network site.
In a first aspect, the present application provides a security event monitoring method applied to a website traffic classification management platform, the method including:
acquiring a request to be processed;
determining, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier;
scanning the data to be scanned to determine whether a security event exists.
In one embodiment, before determining, based on the request to be processed, the data to be scanned carrying the preset identifier, the method includes:
in response to a user instruction, receiving and storing the preset identifier.
In one embodiment, scanning the data to be scanned to determine whether a security event exists includes:
sending the data to be scanned to the cloud for scanning, and receiving the scan result returned by the cloud.
In one embodiment, after scanning the data to be scanned to determine whether a security event exists, the method further includes:
if no security event exists, sending the data to be scanned to the target site;
if a security event exists, sending the data to be scanned to the host computer.
In one embodiment, after sending the data to be scanned to the host computer, the method further includes:
receiving the data to be scanned returned by the host computer, the data to be scanned no longer carrying the preset identifier;
sending the data to be scanned to the target site.
In one embodiment, after determining the data to be scanned based on the request to be processed, the method further includes:
sending safe data to the target site, the safe data not carrying the preset identifier.
In one embodiment, after scanning the data to be scanned to determine whether a security event exists, the method further includes:
displaying the scan result.
In a second aspect, the present application also provides a security event monitoring device applied to a website traffic classification management platform, the device including:
an acquisition module, configured to acquire a request to be processed;
a classification module, configured to determine, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier;
a scanning module, configured to scan the data to be scanned to determine whether a security event exists.
In a third aspect, the present application also provides computer equipment. The computer equipment includes a memory and a processor; the memory stores a computer program, and the processor implements the following steps when executing the computer program:
acquiring a request to be processed;
determining, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier;
scanning the data to be scanned to determine whether a security event exists.
In a fourth aspect, the present application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the following steps are implemented:
acquiring a request to be processed;
determining, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier;
scanning the data to be scanned to determine whether a security event exists.
With the above security event monitoring method and device, computer equipment and storage medium, the website traffic classification management platform acquires the request to be processed; determines, based on the request to be processed, the data to be scanned, which carries a preset identifier; and the scanning platform corresponding to the diversion proportion of the data to be scanned scans that data to determine whether a security event exists. The data is thus scanned before it is uploaded to the network site, which gives advance warning for data uploaded within the site and comprehensively improves the security of the network site.
Description of the drawings
Fig. 1 is an application environment diagram of a security event monitoring method in one embodiment;
Fig. 2 is a schematic flow chart of a security event monitoring method in one embodiment;
Fig. 3 is a schematic flow chart of a security event monitoring method in a preferred embodiment;
Fig. 4 is a schematic flow chart of a security event monitoring method in another preferred embodiment;
Fig. 5 is a structural block diagram of a security event monitoring device in one embodiment;
Fig. 6 is an internal structure diagram of computer equipment in one embodiment.
Detailed description
In order to make the purpose, technical solution and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and are not intended to limit it.
In the traditional approach to securing a network site, the site is generally connected to a cloud monitoring platform, which monitors all data on the site in real time. Because a cloud monitoring platform requires no construction or operation and maintenance costs, is deployed conveniently and transparently, occupies no hardware space and offers intelligent protection, it is gradually replacing hardware scanners and monitoring software, and more and more users connect their business systems to a cloud monitoring platform used together with a cloud WAF. However, because the cloud works on the traditional principle of "only monitoring security events on existing pages", it cannot perform comprehensive pre-event monitoring and early warning, cannot eliminate potential security events in advance to reduce unnecessary negative effects, and can only collect site data and analyse events by crawling pages after site content and files have been uploaded to the Internet. This monitoring and alerting approach is affected by technical problems such as crawler design and the depth of the site's directory hierarchy, so it cannot monitor and alert on the whole site; sometimes pages cannot be monitored, undesirable content is not cleaned up in time, serious negative effects result and the user experience suffers.
Industry users therefore urgently need a platform that is simple to use and can give early warning of security events, reducing the rate at which security events occur.
The security event monitoring method provided by the embodiments of the present application can be applied in the application environment shown in Fig. 1, in which the terminal 102 communicates with the server 104 over a network. A data storage system can store the data the server 104 needs to process; it can be integrated on the server 104 or placed in the cloud or on another network server. Specifically, the request to be processed can be acquired through the terminal 102 and sent to the server 104; the server 104 then performs preliminary processing on the request to be processed and determines from it the data to be scanned, which carries a preset identifier; finally the server 104 scans the data to be scanned to determine whether a security event exists. When the scan determines that no security event exists, the data to be scanned can be stored in the data storage system. Further, the corresponding preset identifiers can also be stored in the data storage system, which facilitates the preliminary processing of the request to be processed by the server 104. It should be noted that the terminal 102 can be, but is not limited to, any of various personal computers, notebook computers, smartphones, tablet computers, Internet of Things devices and portable wearable devices; a portable wearable device can be a smart watch, smart wristband, head-mounted device or the like. The server 104 can be implemented as an independent server or as a server cluster made up of multiple servers.
This embodiment provides a security event monitoring method. Fig. 2 is a flow chart of the security event monitoring method of this embodiment; as shown in Fig. 2, the process includes the following steps:
Step S201, acquire a request to be processed;
In this embodiment, the method is mainly applied to a website traffic classification management platform, and security events on the network site are monitored by classifying and managing the data uploaded by users in advance. Specifically, the website traffic classification management platform is a platform that intercepts data uploaded to the website: when a user uploads data to the website, the data is intercepted, and the intercepted data is then analysed and processed to decide how each category of data is handled.
The request to be processed is a request uploaded by a user through a network site, which can be a web page in a browser, a dedicated business service system or software program, and so on, for example a campus forum, an institution's official website or an online community. The request to be processed can be a file uploaded by the user, the text of a comment, a shared web link, and so on.
Step S202, determine, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier;
The preset identifier is a traffic identifier preset by the site administrator through the host computer, used to distinguish data that needs to be scanned from data that does not. In this embodiment, the preset identifier can be specified information determined on the basis of the Uniform Resource Locator (URL) system. In Internet protocols such as HTTP and FTP, a URL is identification information that can identify a specific computer, directory or file location. Operations such as uploading files and posting comments on a user network site are all performed under a specified URL. Further, the website traffic classification management platform can determine the type of the request to be processed, and the corresponding forwarding destination, according to whether the request contains a preset identifier. A request to be processed that contains a preset identifier can be treated as data that may carry a security risk, and its data to be scanned needs to be extracted and forwarded to the corresponding scanning platform.
Step S203, scan the data to be scanned to determine whether a security event exists.
A security event means that the data to be scanned contains sensitive content or a malicious link that would have a negative effect on the network site. For example, a security event can be that the file to be scanned contains links to content that violates public morals or laws and regulations, a user's identity information, sensitive political content, game links or links to malicious viruses.
Specifically, when scanning, the event scanning engine of the scanning platform can be invoked to perform content recognition on the data to be scanned, performing field matching against a custom word library and a threat link library. If part of the content matches the custom word library or the threat link library, a security event exists and alarm information needs to be generated and fed back to the host computer.
For example, when the network site is a campus service site, the hyperlink engine can be selected to identify unrelated game links hidden in text and to identify sensitive information such as users' ID card numbers, and to generate the corresponding alarm information.
Through steps S201 to S203 above, after the request to be processed is acquired, requests can be divided according to the preset identifiers customised in the website traffic classification management platform: the data packet corresponding to a request to be processed that contains a preset identifier is identified as data to be scanned and is scanned before it is uploaded to the target site, to identify whether the data to be scanned contains a security event. This provides advance warning for data before it is uploaded to the target site, eliminates its potential security risks in advance, and comprehensively improves the security of the network site.
It should be noted that the network site in the embodiments of the present application is a SaaS (Software as a Service) web site. A SaaS provider builds for the enterprise all the network infrastructure and the software and hardware operating platform needed for informatisation, and is responsible for a series of services such as initial implementation and later maintenance, so that the enterprise can use the information system over the Internet without purchasing software and hardware, building a server room or recruiting IT staff. A web site, also called a World Wide Web or Web system, is an information browsing system based on the HyperText Markup Language (HTML) and the HyperText Transfer Protocol (HTTP) that provides a consistent user interface for Internet-oriented services.
In one embodiment, the specific process of determining the data to be scanned includes:
Step 1: divert the acquired request to be processed through the Domain Name System (DNS) to the website traffic classification management platform;
Step 2: in the website traffic classification management platform, determine whether the request to be processed contains a preset identifier; if it does, obtain the data to be scanned from the request and forward it to the pre-scan early warning platform; if it does not, upload the data directly to the network site.
For example, if the operation request for uploading a file is recorded as a URL identifier, then when the acquired request to be processed is a user's file upload request, the corresponding uploaded file can be forwarded to the pre-scan early warning platform for scanning.
In the above steps, requests to be processed are classified by the website traffic classification management platform, and only requests containing a preset identifier are diverted to the pre-scan early warning platform. This avoids repeatedly changing DNS resolution and improves the efficiency with which requests to be processed are handled.
In some embodiments, before determining, based on the request to be processed, the data to be scanned carrying the preset identifier, the method includes: in response to a user instruction, receiving and storing the preset identifier.
The preset identifier can be at least one URL identifier added by the site administrator through the host computer according to the actual usage scenario or the user's actual needs. Optionally, the URL identifiers are not fixed: URL identifiers can be added or deleted according to different usage scenarios or other factors. Optionally, the URL identifier can restrict the file upload path so that data uploaded through the specified path is scanned. For example, for a campus network site all data uploaded by users needs to be scanned, whereas if the user's request to be processed is a search request or a view request, no scan is performed.
In this embodiment, setting the preset identifier according to the actual application scenario and user needs helps to distinguish the request corresponding to an uploaded file from other user requests later on, avoids scanning all request data, and thus improves scanning efficiency.
In some embodiments, scanning the data to be scanned to determine whether a security event exists includes: sending the data to be scanned to the cloud for scanning, and receiving the scan result returned by the cloud.
Optionally, the pre-scan early warning platform in the cloud can scan the data to be scanned to detect whether it contains sensitive information or threat links. Specifically, the sensitive information to be recognised can first be defined and selected according to the actual usage scenario or the user's wishes, generating a custom word library. For example, the custom word library can contain content related to ID card numbers, spam advertising text and vocabulary related to illegal content. For threat links, a threat link library can be generated from known network virus links; further, game promotion links can also be added to the threat link library, sensitive links can be screened through sensitive word recognition, and these sensitive links can be added to the threat link library.
Optionally, after the scan by the pre-scan early warning platform, feedback can be given according to the scan result.
In this embodiment, the data to be scanned is scanned in advance by the pre-scan early warning platform, ruling out in advance the possibility of a security event reaching the network site. This provides advance warning of security events and further improves the security of the network site.
In some embodiments, after scanning the data to be scanned to determine whether a security event exists, the method further includes: if no security event exists, sending the data to be scanned to the target site; if a security event exists, sending the data to be scanned to the host computer.
If a security event exists, alarm information can be generated according to the scan result and returned to the host computer for advance warning, after which the site administrator processes the alarm information received by the host computer.
If no security event exists, the data to be scanned contains no threat links or sensitive information and can be forwarded directly to the target site. Optionally, the target site can be the target network site or a monitoring and vulnerability scanning platform. The target site is the final storage location of the data; the monitoring and vulnerability scanning platform is the traditional platform that provides customers with real-time post-event security event warnings and vulnerability warnings, manually reviews the site risk information collected after the event, and issues alarm notifications. It can monitor all data within the network site in real time after a file has been uploaded to the site, covering anything the pre-scan missed, and also allows tracing back to the source when a security event is detected after the event.
In this embodiment, handling the cases in which a security event exists and does not exist separately helps to improve data processing efficiency, and an alarm can be raised promptly when a security event is detected.
In some embodiments, after sending the data to be scanned to the host computer, the method further includes: receiving the data to be scanned returned by the host computer, the data to be scanned no longer carrying the preset identifier; and sending the data to be scanned to the target site.
It can be understood that, because the preset identifier is determined by a person and differs between application scenarios as those scenarios change, there may be errors in how the identifier is set when giving advance warning of security events. Therefore, after the host computer receives the alarm information, the site administrator can review the corresponding data to be scanned and the scan result on the host computer; if the data to be scanned does not constitute a security event, it is returned directly to the target site or the monitoring and vulnerability scanning platform.
Optionally, the URL identifier corresponding to the current data to be scanned can also be determined and deleted from the preset identifier library of the website traffic classification management platform.
In this embodiment, the security event is reviewed again on the host computer to rule out mis-identification, avoiding false detections and improving the success rate of security event monitoring.
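The following is an added example, not code from the patent, that models the pipeline of steps S201 to S203 together with the routing and administrator-review embodiments above: a request is diverted to the scanning step only when its URL path is a registered preset identifier, the body is matched against a custom word library and a threat link library (plus an ID-number check with the MOD 11-2 check digit used by 18-digit PRC ID numbers, as in the campus-site example), and the data is then forwarded either to the target site or to the host computer. All identifiers, word lists, hostnames and sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Preset identifiers: file-upload and comment URL paths the site administrator
# registered through the host computer (constructed sample values, not from the patent).
PRESET_IDENTIFIERS = {"/forum/upload", "/forum/comment"}

# Custom word library and threat link library of the pre-scan early warning platform
# (constructed sample values; hostnames use the reserved .example TLD).
CUSTOM_WORDS = {"免费游戏", "casino bonus"}
THREAT_LINKS = {"free-game-promo.example", "malware-drop.example"}

# 18-digit PRC resident ID number: 17 digits plus an ISO 7064 MOD 11-2 check character.
ID_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_valid_cn_id(candidate: str) -> bool:
    """Verify the MOD 11-2 check character so arbitrary 18-digit strings are not flagged."""
    weights = [pow(2, 17 - i, 11) for i in range(17)]
    total = sum(int(ch) * w for ch, w in zip(candidate[:17], weights))
    return candidate[17].upper() == "10X98765432"[total % 11]


@dataclass
class Request:
    url: str   # URL the user posted to
    body: str  # uploaded file text, comment text, shared links, ...


@dataclass
class ScanResult:
    sensitive_words: list
    threat_links: list
    id_numbers: list

    @property
    def has_security_event(self) -> bool:
        return bool(self.sensitive_words or self.threat_links or self.id_numbers)


def carries_preset_identifier(req: Request, identifiers=PRESET_IDENTIFIERS) -> bool:
    """Step S202: only requests whose URL path is a registered identifier are scanned."""
    return urlsplit(req.url).path in identifiers


def scan(body: str) -> ScanResult:
    """Step S203: field matching against the custom word library and the threat link
    library, plus ID-number detection (the campus-site example in the description)."""
    words = sorted(w for w in CUSTOM_WORDS if w in body)
    hosts = sorted({h.lower() for h in LINK_RE.findall(body) if h.lower() in THREAT_LINKS})
    ids = [m for m in ID_RE.findall(body) if is_valid_cn_id(m)]
    return ScanResult(words, hosts, ids)


def route(req: Request, identifiers=PRESET_IDENTIFIERS) -> Tuple[str, Optional[ScanResult]]:
    """Return (destination, scan result): data without the identifier goes straight to the
    target site; flagged data goes to the host computer for administrator review."""
    if not carries_preset_identifier(req, identifiers):
        return "target_site", None  # safe data: bypasses the scanning platform entirely
    result = scan(req.body)
    if result.has_security_event:
        return "host_computer", result
    return "target_site", result


def release_after_review(req: Request, identifiers: set, drop_identifier: bool = False) -> str:
    """Administrator review found no security event: the data is forwarded to the target
    site, and optionally the URL identifier is removed from the preset identifier library."""
    if drop_identifier:
        identifiers.discard(urlsplit(req.url).path)
    return "target_site"


if __name__ == "__main__":
    # Constructed sample traffic for a campus forum
    samples = [
        Request("https://campus.example/forum/search?q=library", "library opening hours"),
        Request("https://campus.example/forum/comment", "see https://Free-Game-Promo.example/win"),
        Request("https://campus.example/forum/upload", "contact: 110101199003070011"),
        Request("https://campus.example/forum/upload", "lecture notes, chapter 3"),
    ]
    for req in samples:
        destination, result = route(req)
        print(req.url, "->", destination, result)
```

Note that a search or view request never reaches the scanner, while an upload with a threat host, a custom word or a checksum-valid ID number is held for the host computer; an 18-digit string with a wrong check character passes through.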
In some of these embodiments, after determining the data to be scanned based on the request to be processed, the method further includes: sending safe data to the target site, where the safe data does not carry the preset identifier.
Specifically, when the request to be processed is being diverted, if it does not contain the preset identifier it can be regarded as safe data that does not need to pass through the pre-scan early-warning platform, and it can be diverted directly to the target site.
In this embodiment, packets without the preset identifier are sent directly to the target site instead of being scanned on the scanning platform, which improves transmission efficiency.
In some of these embodiments, after scanning the data to be scanned and determining whether a security event exists, the method further includes: displaying the scan result.
Specifically, the scan result may include the set of sensitive words found in the packet and the set of threat links. Once obtained, the scan result can be displayed on the host computer so that the existence of the security event can be reconfirmed there.
In this embodiment, displaying the scan result makes the content of the security event readily understandable on the host computer, facilitates reconfirmation there, and improves the host computer's processing efficiency.
Fig. 3 is a schematic flow chart of the security event monitoring method of this preferred embodiment. As shown in Fig. 3, the method includes the following steps:
Step S301: through the host computer, add the domain name of the main site that needs monitoring and early warning to the website traffic classification management platform, and add custom file-upload-path URL information on that platform to determine the URL identifier.
Step S302: transmit the acquired request to be processed to the website traffic classification management platform, perform DNS resolution on that platform, and determine whether the request contains the URL identifier.
Optionally, the DNS resolution above may use CNAME diversion, a technique that first pulls traffic to a designated domain name and then forwards it to the designated site.
Step S303: if the URL identifier is present, determine the corresponding data to be scanned and forward it to the pre-scan early-warning platform for scanning; if it is absent, synchronise the data contained in the request to the monitoring and vulnerability-scanning platform through the pre-scan early-warning platform.
Step S304: the pre-scan early-warning platform scans the data to be scanned and determines whether it contains a security event.
Step S305: if no security event exists, forward the data to be scanned directly to the target site, and at the same time the data…
Step S306: if a security event exists, feed the scan result back to the host computer.
Step S307: after receiving the scan result, the host computer decides whether to continue uploading the data to be scanned; if so, delete the corresponding URL identifier from the website traffic classification management platform and continue forwarding the data to the target site through that platform; if not, drop the corresponding packet.
Step S308: after the packet has been sent to the target site, monitor all data on the target site in real time.
In this embodiment, after the request to be processed is obtained it can be split according to the custom preset identifier in the website traffic classification management platform: the packet belonging to a request that carries the preset identifier is treated as data to be scanned and is scanned before it is uploaded to the target site, so that any security event it contains is identified and an alert is raised before the upload, removing the potential risk in advance. In addition, the conventional monitoring and vulnerability-scanning platform is included so that all data on the site is monitored in real time and its safety is also assured after upload; together with the pre-scan early-warning platform this gives monitoring and protection of the site both before and after it receives data, comprehensively improving site security.
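The pipeline of steps S301 to S308, together with the administrator review and the safe-data bypass described in the embodiments above, as an added example written for this page (it is illustrative code, not the applicant's implementation). The preset-identifier library, the sensitive-word list, the threat-domain list and the sample requests are all constructed assumptions; the real platforms' rules and interfaces are not described in the text.

```python
"""Added example for this page (not the applicant's code): a minimal model of the
S301-S308 classification and pre-scan pipeline with the administrator review. The
identifier library, scan rules, threat domains and requests are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Request:
    url: str      # request URL, matched against the preset (host, path) identifier
    body: bytes   # uploaded content that the pre-scan platform inspects

@dataclass
class ScanResult:
    sensitive_words: set   # the page's "set of sensitive words"
    threat_links: set      # the page's "set of threat links"

    def has_security_event(self) -> bool:
        return bool(self.sensitive_words or self.threat_links)

class TrafficClassifier:
    """Website traffic classification management platform (S301, S302)."""
    def __init__(self):
        self._identifiers = set()   # (monitored host, upload-path prefix)

    def add_identifier(self, host, path_prefix):
        self._identifiers.add((host.lower(), path_prefix))

    def remove_identifier(self, host, path_prefix):
        self._identifiers.discard((host.lower(), path_prefix))

    def identifier_for(self, req):
        """Matching identifier, or None when the request carries none ('safe data')."""
        parts = urlsplit(req.url)
        host = (parts.hostname or "").lower()
        for ident in self._identifiers:
            if host == ident[0] and parts.path.startswith(ident[1]):
                return ident
        return None

class PreScanner:
    """Pre-scan early-warning platform (S304); the rules below are assumptions."""
    SENSITIVE_WORDS = ("<?php", "eval(", "webshell")
    LINK_RE = re.compile(rb"https?://[^\s'\"<>]+")

    def __init__(self, threat_domains):
        self.threat_domains = {d.lower() for d in threat_domains}

    def scan(self, req):
        lowered = req.body.lower()
        words = {w for w in self.SENSITIVE_WORDS if w.encode() in lowered}
        links = set()
        for match in self.LINK_RE.finditer(req.body):
            link = match.group(0).decode("utf-8", errors="replace")
            if (urlsplit(link).hostname or "").lower() in self.threat_domains:
                links.add(link)
        return ScanResult(words, links)

def handle_request(req, classifier, scanner, admin_releases, audit):
    """Route one request: returns 'forwarded' or 'dropped'; admin_releases(req, result)
    stands in for the host computer's S307 decision (True continues the upload)."""
    ident = classifier.identifier_for(req)
    if ident is None:                        # S303: no identifier, safe data
        audit.append(("safe_data", req.url))
        return "forwarded"
    result = scanner.scan(req)               # S304
    if not result.has_security_event():      # S305
        audit.append(("scanned_clean", req.url))
        return "forwarded"
    audit.append(("alert", req.url,          # S306: result goes to host computer
                  sorted(result.sensitive_words), sorted(result.threat_links)))
    if admin_releases(req, result):
        # S307: the URL identifier is deleted from the library; the released data
        # no longer carries the identifier and is forwarded to the target site.
        classifier.remove_identifier(*ident)
        audit.append(("released", req.url))
        return "forwarded"
    audit.append(("dropped", req.url))       # S307: administrator refuses
    return "dropped"

def run_demo():
    """Push constructed requests through the pipeline; returns (outcomes, audit)."""
    classifier = TrafficClassifier()
    classifier.add_identifier("www.example.com", "/upload/")   # S301
    scanner = PreScanner(threat_domains=["evil.example.net"])
    malicious = b"<?php eval($_POST['x']); ?> fetch http://evil.example.net/c2"
    requests = [
        Request("https://www.example.com/index.html", b""),               # safe data
        Request("https://www.example.com/upload/avatar", b"\x89PNG ok"),  # clean upload
        Request("https://www.example.com/upload/avatar", malicious),     # refused
        Request("https://www.example.com/upload/avatar", malicious),     # released
        Request("https://www.example.com/upload/avatar", malicious),     # after release
    ]
    decisions = iter([False, True])          # administrator's answers, in order
    audit = []
    outcomes = [handle_request(r, classifier, scanner, lambda q, s: next(decisions), audit)
                for r in requests]
    return outcomes, audit
```

The last constructed request shows what the deletion in S307 implies: once one upload has been released by removing its URL identifier from the library, later requests to the same path no longer carry a preset identifier, are classified as safe data, and never reach the pre-scan platform; only the monitoring and vulnerability-scanning platform of S308 still sees them.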
Optionally, in another embodiment of the present application, product linkage can also be implemented, that is, two or more products are used together so that, after simple configuration adjustments, new functions appear or the functions of the original single product become more convenient and complete. For example, the website traffic classification management platform can be linked with a cloud WAF platform. The cloud WAF then performs, on behalf of the website traffic classification management platform, the classification and diversion of received requests to be processed: once a site is connected to the cloud WAF, access requests aimed at the target site undergo security detection, protection and interception, and normal requests are routed back to the target site. In the cloud WAF product, site protection that cleans the site's layer-7 traffic can be obtained by changing the DNS resolution mode to CNAME.
Fig. 4 is a flow chart of the security event monitoring method of another preferred embodiment of the present application. As shown in Fig. 4, the method includes the following steps:
Step S401: through the host computer, add the domain name of the main site that needs monitoring and early warning to the cloud WAF website traffic classification management platform, and add custom file-upload-path URL information on that platform to determine the URL identifier.
Step S402: transmit the acquired request to be processed to the cloud WAF website traffic classification management platform, perform DNS resolution on that platform, and determine whether the request contains the URL identifier.
Step S403: if the URL identifier is present, determine the corresponding data to be scanned and forward it to the pre-scan early-warning platform for scanning; if it is absent, send the packet directly to the target site.
Step S404: the pre-scan early-warning platform scans the data to be scanned and determines whether it contains a security event.
Step S405: if no security event exists, forward the data to be scanned directly to the target site, and at the same time the data…
Step S406: if a security event exists, feed the scan result back to the host computer.
Step S407: after receiving the scan result, the host computer decides whether to continue uploading the data to be scanned; if so, delete the corresponding URL identifier from the cloud WAF website traffic classification management platform and continue forwarding the data to the target site through the website traffic classification management platform; if not, drop the corresponding packet.
Step S408: after the packet has been sent to the target site, monitor all data on the target site in real time.
In this embodiment, the URL identifier is preset inside the cloud WAF. After a request to be processed that accesses the target site is intercepted, it is split: the packet belonging to a request carrying the URL identifier is treated as data to be scanned and is scanned before it is uploaded to the target site, so that any security event it contains is identified and an alert is raised before the upload, removing the potential risk in advance. In addition, the conventional monitoring and vulnerability-scanning platform is included so that all data on the site is monitored in real time and its security is also assured after upload; together with the cloud WAF this gives monitoring and protection of the site both before and after it receives data, comprehensively improving site security. Further, using the method in linkage with conventional cloud protection and cloud monitoring products gives customers a better experience.
It should be understood that, although the steps in the flow charts of the embodiments above are shown in sequence as indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, there is no strict ordering constraint on these steps and they may be executed in other orders. Moreover, at least some of the steps in those flow charts may comprise several sub-steps or stages that need not be completed at the same moment but may be executed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be executed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
Based on the same inventive concept, an embodiment of the present application further provides a security event monitoring device for implementing the security event monitoring method described above. The solution provided by the device is similar to the one recorded for the method, so for the specific limitations in the one or more device embodiments below, refer to the limitations on the method given above; they are not repeated here.
In one embodiment, as shown in Fig. 5, a security event monitoring device applied to a website traffic classification management platform is provided. It includes an acquisition module 51, a classification module 52 and a scanning module 53, where:
the acquisition module 51 is configured to acquire a request to be processed;
the classification module 52 is configured to determine, based on the request to be processed, data to be scanned, the data to be scanned carrying a preset identifier;
the scanning module 53 is configured to scan the data to be scanned and determine whether a security event exists.
With the device of this embodiment, after the request to be processed is obtained it can be split according to the custom preset identifier in the website traffic classification management platform: the packet belonging to a request carrying the preset identifier is treated as data to be scanned and is scanned before it is uploaded to the target site, so that any security event in it is identified and an alert is raised before the upload, removing the potential risk in advance and comprehensively improving site security.
Further, the acquisition module 51 is also configured to receive and store a preset identifier in response to a user instruction.
Further, the scanning module 53 is also configured to send the data to be scanned to the cloud for scanning and to receive the scan result returned by the cloud.
Further, the scanning module 53 is also configured to send the data to be scanned to the host computer if a security event exists.
Further, the scanning module 53 is also configured to receive the data to be scanned returned by the host computer, which no longer carries the preset identifier, and to send it to the target site.
Further, the classification module 52 is also configured to send safe data, which does not carry the preset identifier, to the target site.
Further, the device also includes a display module configured to display the scan result.
Each module of the security event monitoring device above may be implemented wholly or partly in software, in hardware, or in a combination of both. The modules may be embedded in, or independent of, the processor of the computer device in hardware form, or stored in the memory of the computer device in software form so that the processor can invoke them to perform the operations corresponding to each module.
In one embodiment a computer device is provided. The computer device may be a terminal, and its internal structure may be as shown in Fig. 6. It includes a processor, memory, a communication interface, a display screen and an input device connected through a system bus. The processor provides computing and control capability. The memory includes a non-volatile storage medium and internal memory; the non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the environment in which they run. The communication interface communicates with external terminals in a wired or wireless manner; the wireless manner may use WIFI, a mobile cellular network, NFC (near-field communication) or other technologies. When executed by the processor, the computer program implements a security event monitoring method. The display screen may be a liquid-crystal or electronic-ink display, and the input device may be a touch layer over the display screen, keys, a trackball or a touchpad on the housing, or an external keyboard, touchpad or mouse.
Those skilled in the art will understand that the structure shown in Fig. 6 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown, combine certain components, or arrange them differently.
In one embodiment, a computer device is provided, including a memory and a processor, the memory storing a computer program, and the processor implementing the following steps when executing the computer program:
acquiring a request to be processed;
determining data to be scanned based on the request to be processed, the data to be scanned carrying a preset identifier;
scanning the data to be scanned to determine whether a security event exists.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, the computer program implementing the following steps when executed by a processor:
acquiring a request to be processed;
determining data to be scanned based on the request to be processed, the data to be scanned carrying a preset identifier;
scanning the data to be scanned to determine whether a security event exists.
It should be noted that the user information (including but not limited to user device information and user personal information) and data (including but not limited to data used for analysis, stored data and displayed data) involved in this application are all information and data authorised by the user or fully authorised by all parties.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the embodiments above can be completed by instructing the relevant hardware through a computer program. The computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments above. Any reference to memory, a database or another medium in the embodiments provided in this application may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive RAM (ReRAM), magnetoresistive RAM (MRAM), ferroelectric RAM (FRAM), phase-change memory (PCM), graphene memory and the like. Volatile memory may include random-access memory (RAM) or an external cache. By way of illustration and not limitation, RAM may take many forms, such as static RAM (SRAM) or dynamic RAM (DRAM). The databases involved in the embodiments provided in this application may include at least one of a relational database and a non-relational database; non-relational databases may include, without limitation, blockchain-based distributed databases. The processors involved in the embodiments may be, without limitation, general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices or quantum-computing-based data processing logic.
The technical features of the embodiments above may be combined arbitrarily. For brevity, not every possible combination of those features has been described; however, as long as a combination of these technical features contains no contradiction, it should be regarded as within the scope of this specification.
The embodiments above express only a few implementations of the present application and are described specifically and in detail, but they should not be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make several modifications and improvements without departing from the concept of the present application, and these all fall within its protection scope. The protection scope of the present application should therefore be determined by the appended claims.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211120915.7A CN115499203A (en) | 2022-09-15 | 2022-09-15 | Security event monitoring method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211120915.7A CN115499203A (en) | 2022-09-15 | 2022-09-15 | Security event monitoring method and device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115499203A true CN115499203A (en) | 2022-12-20 |
Family
ID=84469247
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211120915.7A Withdrawn CN115499203A (en) | 2022-09-15 | 2022-09-15 | Security event monitoring method and device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115499203A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116566669A (en) * | 2023-05-09 | 2023-08-08 | 杭州安恒信息技术股份有限公司 | A processing method, device and readable storage medium of a security event |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030110258A1 (en) * | 2001-12-06 | 2003-06-12 | Wolff Daniel Joseph | Handling of malware scanning of files stored within a file storage device of a computer network |
| CN101877710A (en) * | 2010-07-13 | 2010-11-03 | 成都市华为赛门铁克科技有限公司 | Proxy gateway antivirus implementation method, pre-classifier and proxy gateway |
| US20130227640A1 (en) * | 2010-09-09 | 2013-08-29 | NSFOCUS Information Technology Co., Ltd. | Method and apparatus for website scanning |
| CN114036529A (en) * | 2021-11-11 | 2022-02-11 | 福建瑞网科技有限公司 | Vulnerability scanning method and device and computer equipment |
Events: 2022-09-15, CN application CN202211120915.7A, publication CN115499203A/en, status not active (withdrawn).
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110413908B (en) | Method and device for classifying uniform resource locators based on website content | |
| US20240250965A1 (en) | Method and System for Efficient Cybersecurity Analysis of Endpoint Events | |
| US12229275B2 (en) | Security model utilizing multi-channel data with risk-entity facing cybersecurity alert engine and portal | |
| US12130909B1 (en) | Enterprise search | |
| US9838419B1 (en) | Detection and remediation of watering hole attacks directed against an enterprise | |
| US12452290B2 (en) | Security model utilizing multi-channel data with vulnerability remediation circuitry | |
| US11012493B2 (en) | Systems and methods for tag inspection | |
| US10891393B2 (en) | System and method for enterprise privacy information compliance | |
| US11044269B2 (en) | Techniques for determining threat intelligence for network infrastructure analysis | |
| US9003023B2 (en) | Systems and methods for interactive analytics of internet traffic | |
| US11238169B2 (en) | Privacy score | |
| US20160006760A1 (en) | Detecting and preventing phishing attacks | |
| US20130054702A1 (en) | Monitoring of regulated associates | |
| US9363140B2 (en) | System and method for analyzing and reporting gateway configurations and rules | |
| CN114070619A (en) | Monitoring method, monitoring system, equipment and storage medium for abnormal access of database | |
| US20240195841A1 (en) | System and method for manipulation of secure data | |
| US20240073222A1 (en) | Techniques for managing projects and monitoring network-based assets | |
| US11455407B2 (en) | Data loss prevention expression building for a DLP engine | |
| US10291492B2 (en) | Systems and methods for discovering sources of online content | |
| US11848830B2 (en) | Techniques for detection and analysis of network assets under common management | |
| CN104363252A (en) | Website security detecting method and device | |
| CN115499203A (en) | Security event monitoring method and device, computer equipment and storage medium | |
| US11805138B2 (en) | Data loss prevention on images | |
| US20250165633A1 (en) | System and method for enhanced visualization of exfiltration activities | |
| CN116886441A (en) | A website detection method, device, electronic equipment and readable medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WW01 | Invention patent application withdrawn after publication | |
Application publication date: 2022-12-20