1. Background and status of cloud technology
Since the 1990s, anti-virus technology in China has been based on a variety of signature-based detection methods for malicious code, together with heuristic detection based on file data and program behavior. With the development of cloud computing, vendors have put forward their own cloud security concepts and corresponding products. Most of these products, however, do not depart from signature detection; what has changed is how the features are extracted and how the matching computation is performed.
The first change is the migration of virus signatures from the client to a collection held in the cloud. The constant growth of file data and malicious code was increasing the burden on users' memory, hard disk, I/O and other resources, so cloud security technology first used cloud computing to host the signatures in the cloud: when a user needs to scan a file, features are extracted locally and sent to the cloud for detection, and the corresponding disposal method is then obtained from the cloud. Software that uses such techniques can be called cloud security software.
Secondly, cloud security introduces richer sample collection methods. Beyond traditional user submissions and vendor-initiated collection (download sites, crawlers, CD-ROM procurement, etc.), collection now draws on the network formed by all users, and the sample set has become extremely rich:
(1) Digital signatures can be used to collect both trusted and untrusted files. Files signed by trusted certificates can be collected and, combined with back-end analysis, used to reduce the false positives of malicious code signatures.
(2) Collection can be based on file distribution: by collecting widely distributed files, prevalent malicious code and rapidly spreading malicious code can be discovered faster.
(3) Collection can be based on the trustworthiness of a file's source. Files newly found on vulnerable terminals (or on sites that spread malicious code) have a higher degree of suspicion, and collecting them promptly finds malicious programs faster.
(4) Collection can be triggered by specific behaviors observed through API monitoring and sandbox technology. This approach is extremely effective for collecting Trojans that steal account information and other sensitive data, and cloud technology can continuously update the definitions of sensitive locations and sensitive data.
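The four collection methods above can be expressed as one policy that decides, for each file observation reported by the user network, whether to collect the sample and how urgently. The following is an added example written for this page, not code from the article or from any vendor's product; the trusted signer name, the sensitive paths and the prevalence/spread thresholds are constructed assumptions, and the observation fields are hypothetical names chosen for the illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Policy inputs for the example. All values are constructed assumptions for the
# illustration, not parameters taken from the article.
TRUSTED_SIGNERS = {"Example Corp Code Signing (hypothetical)"}
SENSITIVE_PATHS = {
    "/home/user/.ssh/id_rsa",                               # constructed sensitive location
    "C:\\Users\\user\\AppData\\Local\\Browser\\Login Data",  # constructed sensitive location
}
PREVALENCE_THRESHOLD = 50       # hosts reporting the file: counts as "popular"
SPREAD_RATE_THRESHOLD = 10.0    # new hosts per hour: counts as "spreading fast"


@dataclass
class FileObservation:
    """What the client network reports about one file (constructed sample data)."""
    sha256: str                      # feature extracted locally; the file itself stays put
    signer: Optional[str]            # subject of the signing certificate, None if unsigned
    signature_valid: bool
    hosts_seen: int                  # distribution breadth across the user network
    new_hosts_per_hour: float        # growth of that distribution
    source_risk: str                 # "clean", "vulnerable_terminal" or "malware_site"
    accessed_paths: Set[str] = field(default_factory=set)  # from API monitoring / sandbox


@dataclass
class CollectionDecision:
    collect: bool
    priority: int        # 0 = do not collect ... 3 = collect immediately
    label: str           # "trusted", "behavior_trigger", "suspicious" or "none"
    reasons: List[str]


def decide_collection(obs: FileObservation) -> CollectionDecision:
    """Apply the four collection methods and return whether/how urgently to collect."""
    reasons: List[str] = []
    priority = 0

    # Method 1: signature-based. A valid signature from a trusted signer is collected
    # into the clean corpus used to reduce false positives; it is not treated as a threat.
    if obs.signature_valid and obs.signer in TRUSTED_SIGNERS:
        reasons.append(f"valid signature from trusted signer '{obs.signer}'")
        return CollectionDecision(True, 1, "trusted", reasons)

    # Method 4: behavior-triggered. Touching a sensitive location during monitoring
    # outranks every other signal, since that is the pattern of credential-stealing Trojans.
    touched = obs.accessed_paths & SENSITIVE_PATHS
    if touched:
        reasons.append(f"accessed sensitive data: {sorted(touched)}")
        return CollectionDecision(True, 3, "behavior_trigger", reasons)

    # Method 3: source-based. Files first seen on a vulnerable terminal or on a
    # malware-spreading site carry a higher degree of suspicion.
    if obs.source_risk == "malware_site":
        priority = max(priority, 3)
        reasons.append("first seen on a malware-spreading site")
    elif obs.source_risk == "vulnerable_terminal":
        priority = max(priority, 2)
        reasons.append("first seen on a vulnerable terminal")

    # Method 2: distribution-based. Fast spread matters more than raw prevalence,
    # because catching quickly spreading malicious code early is the point.
    if obs.new_hosts_per_hour >= SPREAD_RATE_THRESHOLD:
        priority = max(priority, 3)
        reasons.append(f"spreading at {obs.new_hosts_per_hour:.1f} new hosts/hour")
    elif obs.hosts_seen >= PREVALENCE_THRESHOLD:
        priority = max(priority, 2)
        reasons.append(f"widely distributed ({obs.hosts_seen} hosts)")

    # A signature that is present but fails validation is itself a collection reason.
    if obs.signer is not None and not obs.signature_valid:
        priority = max(priority, 2)
        reasons.append("signature present but invalid")

    if priority == 0:
        return CollectionDecision(False, 0, "none", ["no collection trigger matched"])
    return CollectionDecision(True, priority, "suspicious", reasons)


def feature_of(data: bytes) -> str:
    """Client-side feature extraction: only this hash is sent to the cloud."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = FileObservation(feature_of(b"constructed sample bytes"), None, False,
                             hosts_seen=20, new_hosts_per_hour=25.0, source_risk="clean")
    print(decide_collection(sample))
```

The ordering of the checks is the design point: a valid trusted signature short-circuits everything else because those files go into the clean corpus, and a sensitive-data access seen by the monitor short-circuits the remaining signals because it is the strongest single indicator; the source and distribution signals then only raise the priority, never lower it.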
Furthermore, cloud security technology introduces new methods of malicious code analysis. A malicious program can be analyzed and tested based on the distribution breadth of the file, its digital signature and its actual behavior on the terminal. Detection thus changes from after-the-fact analysis of the original sample to collection and recording at the user's site, in the real environment; the cloud then performs further computation and analysis on the collected data to determine whether the file is black or white. Any technology that provides such data to the cloud, whether virtual machines, sandboxes, API monitoring or network data capture, can be called a cloud security device.
Finally, cloud security devices provide the ability to collect data on demand, which forms the basis for analyzing and extracting the features of malicious code, while cloud security software provides the ability to detect and dispose of malicious code by feature. Through cloud security devices and cloud security software, vendors learn users' requirements and can provide customized security services; which malicious program samples the vendor collects, and the installation of the client, must be permitted by the user beforehand. These two types of on-demand security services form the existing cloud security technology system. But a security system built around the discovery of malicious code has a glaring weakness in the face of new security threats.
2. The significance of building a private cloud security platform
With the comprehensive development of enterprise management informatization, government affairs informatization and so on, there are new security requirements for enterprises, government agencies, organizations and other specific closed environments. To suit a closed environment, it is necessary to change the security defense mode based on malicious code signature detection, and to change the security defense model that is controlled entirely by the security vendor and leaves almost nothing for the user to define.
With the promulgation of regulations and policies such as "level protection", "grading protection" and "enterprise internal control", large state-owned enterprises and government organs concerned with the national livelihood in particular urgently need to implement intellectual property and secret information protection. Breaking the boundary of traditional network transport and security protection, building an autonomous and controllable intelligent information terminal security operation and maintenance system, and implementing the complete "discovery, evaluation, disposal and audit" threat monitoring process across the network is an important prerequisite for the safe and stable operation of key information systems in the new situation. Based on the complete "monitoring, discovery, removal, recovery, audit" threat monitoring process, it is necessary to make comprehensive use of a highly open platform of cloud security devices and cloud security software, the private cloud security platform, to deal with future security threats.
3. Definition of private cloud security
The private cloud security platform is developed to deal with the next generation of security threats represented by APT. It uses cloud security software and cloud security devices, combined with a complete threat "discovery, assessment, disposal, audit" process, to provide the next-generation security service technology in which users need to participate. This technology discovers potential security threats through the monitoring ability of cloud security software, relies on a multi-level analysis system in which the user can participate to evaluate the threat, provides the user with a fully controllable security policy disposal scheme, and guarantees that all of the above operations can be traced through audit services.
4. Private cloud security features
The private cloud security platform has the following features:
(1) Threat-independent blacklisting ability, forming a scalable, customized security baseline based on the fundamentally stable software ecosystem within the enterprise. With a security baseline, the "pan-security logic" that originally relied on blacklist protection can be converted into "precise security logic".
(2) Improved cloud security software monitoring, with real-time discovery of newly generated programs, software or data on the network.
(3) A multi-dimensional file analysis and identification system that integrates a variety of static and dynamic file identification systems to provide a comprehensive basis for identifying the security of files.
(4) Real-time threat risk assessment, with real-time feedback on changes in network threat risk through a variety of cloud security devices (client terminal software, network detection devices based on cloud security technology, mobile detection devices, etc.).
(5) Multi-level security defense and threat disposal strategy: according to the results of the threat assessment and the user's own assessment of the value of the assets, the strength of the security defense and threat disposal strategy is formulated and recommended to the user. This reduces the decentralization and waste of human and material investment caused by users' attention to non-core assets. The process flow is shown in Figure 1.
(6) Multi-level malicious code detection, from the local feature library to the intranet cloud feature library, and then to the superior feature library and the public network feature library. Multiple hierarchical feature libraries allow malicious programs that are difficult to dispose of, and newly detected malicious programs, to be perceived at the first moment, further reducing the latency of threat discovery.
(7) Traceability of the source and distribution of a threat: relying on network-wide file traceability, the origin of a (potential) threat is traced at the first moment of discovery, and its distribution and possible consequences are assessed, providing strong support for administrators' security emergency response decisions.
(8) Comprehensive audit ability, providing comprehensive audit support for all operations and a reference for subsequent remediation and accountability for man-made security incidents.
(9) A highly open user-defined interface: potential threat discovery, file and data identification, security policy formulation and implementation, and audit content definition can all be participated in by users through the open interface, adapting to the personalized needs of users in different scenarios.
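Features (1), (2) and (6), together with the client-to-cloud signature lookup described in section 1, fit together as one lookup chain: the client extracts a feature locally, the local library (the enterprise security baseline plus verdicts it has learned) is asked first, then the intranet cloud, superior and public network libraries in turn, and a file no tier knows is recorded as a newly generated program. The following is an added example for this page, not code from the article or from any product; the tier names, query costs, inventory and file contents are constructed, and the write-back of upper-tier verdicts into the local library is a design choice of the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, str]   # (colour, disposal), e.g. ("white", "allow"), ("black", "quarantine")


def extract_feature(data: bytes) -> str:
    """Client-side feature extraction: the SHA-256 leaves the terminal, the file does not."""
    return hashlib.sha256(data).hexdigest()


class FeatureLibrary:
    """One tier of the hierarchy: a feature-to-verdict map plus a constructed query cost."""

    def __init__(self, name: str, entries: Dict[str, Verdict], latency_ms: float):
        self.name = name
        self.entries = dict(entries)
        self.latency_ms = latency_ms   # constructed cost of asking this tier

    def lookup(self, feature: str) -> Optional[Verdict]:
        return self.entries.get(feature)


def build_local_library(inventory: Dict[str, bytes]) -> FeatureLibrary:
    """Local library seeded with the security baseline: every file in the enterprise's
    stable software inventory is white. Verdicts learned from upper tiers are added later."""
    entries = {extract_feature(data): ("white", "allow") for data in inventory.values()}
    return FeatureLibrary("local", entries, latency_ms=0.1)


class TieredDetector:
    """Ask the local library first, then intranet cloud, superior and public network libraries."""

    def __init__(self, local: FeatureLibrary, upper_tiers: List[FeatureLibrary]):
        self.local = local
        self.tiers = [local] + upper_tiers
        self.discovered: List[str] = []   # features no tier knows: newly generated programs

    def check(self, data: bytes) -> dict:
        feature = extract_feature(data)
        cost = 0.0
        for tier in self.tiers:
            cost += tier.latency_ms
            hit = tier.lookup(feature)
            if hit is not None:
                if tier is not self.local:
                    # Write the verdict back locally so the next query is answered at local cost.
                    self.local.entries[feature] = hit
                colour, disposal = hit
                return {"feature": feature, "verdict": colour, "disposal": disposal,
                        "answered_by": tier.name, "latency_ms": round(cost, 3)}
        # No tier knows the file: record it as a newly generated program and collect it.
        if feature not in self.discovered:
            self.discovered.append(feature)
        return {"feature": feature, "verdict": "unknown", "disposal": "collect_for_analysis",
                "answered_by": None, "latency_ms": round(cost, 3)}


# Constructed sample data for a stand-alone run.
INVENTORY = {"approved_tool.exe": b"constructed approved binary contents"}
KNOWN_BAD = b"constructed malicious sample contents"
NEVER_SEEN = b"constructed brand-new program contents"

INTRANET = FeatureLibrary("intranet cloud", {extract_feature(KNOWN_BAD): ("black", "quarantine")}, 2.0)
SUPERIOR = FeatureLibrary("superior", {}, 20.0)
PUBLIC = FeatureLibrary("public network", {}, 80.0)


def make_detector() -> TieredDetector:
    return TieredDetector(build_local_library(INVENTORY), [INTRANET, SUPERIOR, PUBLIC])


if __name__ == "__main__":
    det = make_detector()
    for blob in (INVENTORY["approved_tool.exe"], KNOWN_BAD, KNOWN_BAD, NEVER_SEEN):
        print(det.check(blob))
```

Running the stand-alone block shows the three outcomes the feature list describes: a baseline file answered locally, a known-bad file answered by the intranet tier and then locally on the second query, and an unknown file that costs a full traversal and lands in the discovery list.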
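Features (5) and (7) describe how a threat assessment is turned into a disposal recommendation weighted by the user's own asset valuation, and how the origin and distribution of a threat are traced from network-wide sightings. The following is an added example for this page, not code from the article or any product; the sighting records, asset classes, score thresholds and action names are constructed assumptions, and the article's Figure 1 is not reproduced here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Sighting:
    """One report from a cloud security device: a file feature seen on a host (constructed)."""
    feature: str
    host: str
    timestamp: float     # epoch seconds
    entry_vector: str    # how the file arrived where it was seen: "email", "usb", "share", ...


# The user's own valuation of assets (constructed). Only the user can define this;
# the platform consumes it rather than inventing it.
ASSET_VALUE = {"core": 3, "business": 2, "noncore": 1}


def trace(sightings: List[Sighting], feature: str) -> dict:
    """Origin and distribution of one threat from network-wide file traceability."""
    hits = sorted((s for s in sightings if s.feature == feature), key=lambda s: s.timestamp)
    if not hits:
        return {"first_seen_host": None, "first_seen_at": None, "entry_vector": None,
                "hosts_affected": 0, "spread_window_s": 0.0}
    first = hits[0]
    return {
        "first_seen_host": first.host,
        "first_seen_at": first.timestamp,
        "entry_vector": first.entry_vector,
        "hosts_affected": len({s.host for s in hits}),
        "spread_window_s": hits[-1].timestamp - first.timestamp,
    }


def disposal_action(threat_level: int, asset_class: str) -> dict:
    """Combine the threat assessment (1..3) with the asset value (1..3) into a disposal strength."""
    if threat_level not in (1, 2, 3):
        raise ValueError("threat_level must be 1, 2 or 3")
    value = ASSET_VALUE.get(asset_class, ASSET_VALUE["noncore"])   # unknown class: treat as non-core
    score = threat_level * value
    if score >= 6:
        action = "isolate_host_and_remove"
    elif score >= 3:
        action = "block_execution_and_notify"
    else:
        action = "monitor_only"
    return {"score": score, "action": action}


def recommend(sightings: List[Sighting], feature: str, threat_level: int,
              asset_class_of_host: Dict[str, str]) -> List[dict]:
    """Per-host recommendations, highest-value assets first, so that attention and
    investment are not spread across non-core assets."""
    affected = {s.host for s in sightings if s.feature == feature}
    recs = []
    for host in affected:
        cls = asset_class_of_host.get(host, "noncore")
        recs.append({"host": host, "asset_class": cls, **disposal_action(threat_level, cls)})
    recs.sort(key=lambda r: (-r["score"], r["host"]))
    return recs


# Constructed sightings and asset classes for a stand-alone run.
SIGHTINGS = [
    Sighting("feat-1", "hostA", 100.0, "email"),
    Sighting("feat-1", "hostB", 200.0, "share"),
    Sighting("feat-1", "hostC", 260.0, "share"),
    Sighting("feat-2", "hostB", 300.0, "usb"),
]
ASSET_CLASS = {"hostA": "core", "hostB": "noncore", "hostC": "business"}

if __name__ == "__main__":
    print(trace(SIGHTINGS, "feat-1"))
    for rec in recommend(SIGHTINGS, "feat-1", threat_level=3, asset_class_of_host=ASSET_CLASS):
        print(rec)
```

The trace result (first host, entry vector, number of hosts, spread window) is what an administrator needs for the emergency response decision, and the recommendation list applies the same threat level differently to core and non-core assets, which is the point of feature (5).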