CN-121997341-A - Digital asset security monitoring method, apparatus, device, medium and program product

Abstract

The application discloses a digital asset security monitoring method, a device, equipment, a medium and a program product, which belong to the technical field of security monitoring, and the method comprises the steps of sending a security engine installation package and an engine deployment instruction to an agent terminal, wherein the engine deployment instruction is used for indicating the agent terminal to deploy a security engine on a target host; the method comprises the steps of sending first configuration information to an agent terminal, wherein the first configuration information is used for indicating the agent terminal to start a security engine to conduct digital asset security monitoring, obtaining a digital asset security monitoring event sent by the agent terminal, wherein the digital asset security monitoring event is obtained by the agent terminal through the security engine in digital asset security monitoring, and analyzing the digital asset security monitoring event to obtain a digital asset security monitoring result. The application does not need to carry out complex processes such as code reconstruction, version iteration, upgrading and the like on the proxy terminal, improves the safety operation efficiency and reduces the problem of safety response lag.

Inventors

  • CAI JIAYONG
  • ZHANG XUJUN
  • HE XIN
  • WEN XUEGANG
  • XU LIANG

Assignees

  • 中移动信息技术有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
20260508
Application Date
20260127

Claims (20)

  1. A digital asset security monitoring method, applied to a first device, the method comprising: sending a security engine installation package and an engine deployment instruction to a proxy terminal, wherein the security engine installation package comprises a security engine for digital asset security monitoring, and the engine deployment instruction is used for instructing the proxy terminal to deploy the security engine on a target host; sending first configuration information to the proxy terminal, wherein the first configuration information is used for indicating the proxy terminal to start the security engine for digital asset security monitoring; acquiring a digital asset security monitoring event sent by the proxy terminal, wherein the digital asset security monitoring event is obtained by the proxy terminal through digital asset security monitoring by utilizing the security engine; and analyzing the digital asset security monitoring event to obtain a digital asset security monitoring result.
  2. The method of claim 1, wherein prior to sending the security engine installation package and the engine deployment instruction to the proxy terminal, the method further comprises: generating the security engine according to the digital asset security detection task; configuring the security engine to read second configuration information, wherein the second configuration information comprises at least one of address information of a first message queue, a connection port of the proxy terminal and the security engine, and a theme of a transmission channel of the digital asset security monitoring event in the first message queue; configuring the security engine to output a file format of the digital asset security monitoring event; and generating the security engine installation package according to the security engine.
  3. The method of claim 2, wherein the generating the security engine installation package from the security engine comprises: compiling the script of the security engine to obtain a binary file; carrying out hash calculation on the binary file to obtain a hash file; and packaging the binary file and the hash file to obtain the security engine installation package.
  4. The method of claim 1, wherein prior to the acquiring the digital asset security monitoring event sent by the proxy terminal, the method further comprises: deploying a security engine result analysis service according to the security engine result analysis service installation package and the analysis service deployment instruction, wherein the security engine result analysis service is used for analyzing the digital asset security monitoring event; analyzing the digital asset security monitoring event to obtain a digital asset security monitoring result, including: and analyzing the digital asset security monitoring event by utilizing the security engine result analysis service to obtain the digital asset security monitoring result.
  5. The method of claim 4, wherein deploying the security engine result resolution service according to the security engine result resolution service installation package and the resolution service deployment instruction comprises: configuring a security engine result according to the analysis service deployment instruction to monitor and read second configuration information, wherein the second configuration information comprises at least one of address information of a first message queue, a connection port of the proxy terminal and the security engine, and a theme of a transmission channel of the digital asset security monitoring event in the first message queue; and configuring the file format of the digital asset security monitoring event parsed by the security engine result parsing service.
  6. The method of claim 4, wherein the security engine result resolution service installation package is obtained by packaging a script, a start script, and a stop script of the security engine result resolution service; the method for deploying the security engine result analysis service according to the security engine result analysis service installation package and the analysis service deployment instruction comprises the following steps: registering the security engine result analysis service installation package according to the analysis service deployment instruction; decompressing the security engine result analysis service installation package according to the analysis service deployment instruction to obtain a script of the security engine result analysis service, the starting script and the stopping script; and deploying the security engine result analysis service according to the script of the security engine result analysis service, the starting script and the stopping script.
  7. The method of claim 1, wherein before sending the security engine installation package and the engine deployment instruction to the proxy terminal, the method further comprises: transmitting third configuration information to the proxy terminal, wherein the third configuration information is used for registering the proxy terminal on a server corresponding to the proxy terminal, and the third configuration information comprises at least one item of address information of the server corresponding to the proxy terminal and a port registered by the proxy terminal; and receiving the registration information sent by the proxy terminal.
  8. The method of claim 1, wherein the sending the security engine installation package and the engine deployment instruction to the proxy terminal comprises: sending the engine deployment instruction to the proxy terminal through a server corresponding to the proxy terminal; the engine deployment instruction comprises an identifier of the proxy terminal and a download address of the security engine installation package; the server corresponding to the proxy terminal is used for analyzing the engine deployment instruction to obtain the identifier of the proxy terminal, and sending the engine deployment instruction to the proxy terminal according to the identifier of the proxy terminal; the proxy terminal is used for acquiring the security engine installation package according to the download address of the security engine installation package.
  9. The method of claim 1, wherein the obtaining the digital asset security monitoring event sent by the proxy terminal comprises: acquiring the digital asset security monitoring event sent by the proxy terminal through the second configuration information and the first message queue; the second configuration information comprises at least one of address information of a first message queue, a connection port of the proxy terminal and the security engine, and a theme of a transmission channel of the digital asset security monitoring event in the first message queue.
  10. The method of claim 1, wherein the obtaining the digital asset security monitoring event sent by the proxy terminal comprises: sending a first message to the proxy terminal, wherein the first message is used for indicating the proxy terminal to monitor the digital asset security monitoring event; and receiving the digital asset security monitoring event sent by the proxy terminal.
  11. A digital asset security monitoring method, applied to a proxy terminal, the method comprising: receiving a security engine installation package and an engine deployment instruction sent by first equipment, and deploying a security engine on a target host according to the engine deployment instruction and the security engine installation package, wherein the security engine installation package comprises a security engine for digital asset security monitoring; receiving first configuration information sent by the first equipment, and starting the security engine to perform digital asset security monitoring according to the first configuration information; and utilizing the security engine to conduct digital asset security monitoring to obtain a digital asset security monitoring event, and sending the digital asset security monitoring event to the first device.
  12. The method of claim 11, wherein prior to receiving the security engine installation package and the engine deployment instruction sent by the first device, the method further comprises: receiving third configuration information sent by the first device, and registering on a server corresponding to the proxy terminal according to the third configuration information to obtain registration information, wherein the third configuration information comprises at least one item of address information of the server corresponding to the proxy terminal and a port registered by the proxy terminal; and sending the registration information to the first equipment.
  13. The method of claim 11, wherein receiving the security engine installation package and the engine deployment instruction sent by the first device, deploying the security engine on the target host according to the engine deployment instruction and the security engine installation package, comprises: receiving the engine deployment instruction sent by a server corresponding to the proxy terminal, wherein the engine deployment instruction comprises an identifier of the proxy terminal and a download address of the security engine installation package; and acquiring the security engine installation package according to the download address of the security engine installation package.
  14. The method of claim 11, wherein the digital asset security monitoring with the security engine results in a digital asset security monitoring event, comprising: receiving a first message sent by the first equipment; generating task description information according to the first message; and carrying out digital asset security monitoring according to the task description information and the security engine to obtain a digital asset security monitoring event.
  15. A digital asset security monitoring device, the device comprising: The system comprises a first sending module, a second sending module and a third sending module, wherein the first sending module is used for sending a security engine installation package and an engine deployment instruction to the proxy terminal, the security engine installation package comprises a security engine for digital asset security monitoring, and the engine deployment instruction is used for instructing the proxy terminal to deploy the security engine on a target host; the second sending module is used for sending first configuration information to the proxy terminal, wherein the first configuration information is used for indicating the proxy terminal to start the security engine for digital asset security monitoring; the first acquisition module is used for acquiring a digital asset security monitoring event sent by the proxy terminal, wherein the digital asset security monitoring event is obtained by the proxy terminal through digital asset security monitoring by utilizing the security engine; and the first processing module is used for analyzing the digital asset security monitoring event to obtain a digital asset security monitoring result.
  16. A digital asset security monitoring device, the device comprising: the second processing module is used for receiving a security engine installation package and an engine deployment instruction sent by the first equipment, and deploying a security engine on a target host according to the engine deployment instruction and the security engine installation package, wherein the security engine installation package comprises a security engine for digital asset security monitoring; the third processing module is used for receiving the first configuration information sent by the first equipment, and starting the security engine to perform digital asset security monitoring according to the first configuration information; and the fourth processing module is used for carrying out digital asset security monitoring by utilizing the security engine to obtain a digital asset security monitoring event and sending the digital asset security monitoring event to the first equipment.
  17. An electronic device comprising a processor, a memory and a program stored on the memory and executable on the processor, the program when executed by the processor implementing the steps in the digital asset security monitoring method of any one of claims 1 to 10.
  18. A terminal device comprising a processor, a memory and a program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the digital asset security monitoring method of any of claims 11 to 14.
  19. A readable storage medium, having stored thereon a program, which when executed by a processor, implements the steps of the digital asset security monitoring method according to any one of claims 1 to 10, or the steps of the digital asset security monitoring method according to any one of claims 11 to 14.
  20. A computer program product comprising computer instructions which, when executed by a processor, implement the steps in the digital asset security monitoring method of any one of claims 1 to 10 or the steps in the digital asset security monitoring method of any one of claims 11 to 14.
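
The packaging step of claim 3 (compile, hash, bundle the binary with its hash file) together with a matching check on the proxy terminal, as an added example that is not part of the patent text. SHA-256, the tar.gz container, the member names and the optional pinned digest are assumptions; the patent specifies none of them.

```python
import hashlib
import io
import tarfile

# Member names are assumptions; the patent does not name the packaged files.
BINARY_NAME = "security_engine.bin"
HASH_NAME = "security_engine.bin.sha256"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pack(files):
    """Write a {name: bytes} mapping into an in-memory .tar.gz archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_package(binary):
    """First-device side: hash the compiled binary, then pack both files."""
    return pack({BINARY_NAME: binary, HASH_NAME: sha256_hex(binary).encode()})


def verify_package(package, pinned_sha256=None):
    """Agent side: return the binary, or raise ValueError on a failed check."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Accept only the two expected regular files. This rejects path
            # traversal names, links and device nodes before anything is read.
            if member.name not in (BINARY_NAME, HASH_NAME) or not member.isfile():
                raise ValueError("unexpected member: %r" % member.name)
            if member.name in files:
                raise ValueError("duplicate member: %r" % member.name)
            files[member.name] = tar.extractfile(member).read()
    if set(files) != {BINARY_NAME, HASH_NAME}:
        raise ValueError("package is incomplete")
    actual = sha256_hex(files[BINARY_NAME])
    if files[HASH_NAME].strip().lower() != actual.encode():
        raise ValueError("binary does not match bundled hash file")
    # The bundled hash only detects corruption: anyone able to replace the
    # binary can replace the hash file as well. A digest obtained out of band
    # (assumed here to be supplied by the caller) is what detects tampering.
    if pinned_sha256 is not None and pinned_sha256.lower() != actual:
        raise ValueError("binary does not match pinned digest")
    return files[BINARY_NAME]


if __name__ == "__main__":
    engine = b"\x7fELF constructed sample, not a real engine"
    pkg = build_package(engine)
    print(len(verify_package(pkg, sha256_hex(engine))), "bytes verified")
```

A package whose binary and hash file were both replaced passes the bundled check and fails only the pinned one, which is why the reference digest should reach the proxy terminal by a different path than the package itself.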

Description

Digital asset security monitoring method, apparatus, device, medium and program product

Technical Field

The application belongs to the technical field of security monitoring, and particularly relates to a digital asset security monitoring method, device, equipment, medium and program product.

Background

With the rapid development of information technology, enterprises and individuals are increasingly dependent on digital assets. However, this dependence also presents new security challenges. Security threats such as network attacks, malicious software and data leakage emerge endlessly and bring huge security risks to enterprise operation and personal privacy. Security threats are also continuously evolving and network attack modes are becoming more diverse: traditional attack modes such as viruses, worms and trojans still exist, but attack means have become more complex and better hidden. With the popularization of big data and cloud computing, the volume of data collected and stored by enterprises has increased sharply, and data leakage events caused by security threats and network attacks are frequent, which brings economic losses to enterprises and can cause legal disputes and reputation damage. Internal threats are increasing, and malicious behavior or negligence by internal employees or partners has become an important security hazard. Since the attacker already has access to the system, internal threats are often more difficult to prevent.

In summary, the information technology (IT) environment of modern enterprises is becoming more and more complex, involving physical servers, virtual machines, containers, cloud services and other forms, and this complexity increases the difficulty of management and protection. Against increasingly complex security threats, traditional data asset security monitoring and audit products are unable to meet demand.

Existing data asset security monitoring and audit products usually restore, monitor and audit the circulation of data assets through bypass traffic mirroring or an agent probe. With a lightweight agent on the near-source host, the monitoring capability and scope for data assets depend on the functions implemented in the specific agent, such as configuration baseline scanning and content baseline scanning, and extensibility is poor. If a data asset monitoring type needs to be added, such as File Transfer Protocol (FTP) files, static resource files or other monitoring requirements, the agent probe must go through development and compilation and then a complex update and upgrade process on the near-source host side, which leads to lagging security response and makes it difficult to cope with the rapid evolution of novel threats.

Disclosure of Invention

The embodiment of the application provides a digital asset security monitoring method, device, equipment, medium and program product, which are used for solving the problem of delayed security response in the existing approach of coping with digital asset security threats by upgrading proxy probes.

In a first aspect, an embodiment of the present application provides a digital asset security monitoring method, applied to a first device, the method including: sending a security engine installation package and an engine deployment instruction to a proxy terminal, wherein the security engine installation package comprises a security engine for digital asset security monitoring, and the engine deployment instruction is used for instructing the proxy terminal to deploy the security engine on a target host; sending first configuration information to the proxy terminal, wherein the first configuration information is used for indicating the proxy terminal to start the security engine for digital asset security monitoring; acquiring a digital asset security monitoring event sent by the proxy terminal, wherein the digital asset security monitoring event is obtained by the proxy terminal through digital asset security monitoring by utilizing the security engine; and analyzing the digital asset security monitoring event to obtain a digital asset security monitoring result.

Optionally, before sending the security engine installation package and the engine deployment instruction to the proxy terminal, the method further comprises: generating the security engine according to the digital asset security detection task; configuring the security engine to read second configuration information, wherein the second configuration information comprises at least one of address information of a first message queue, a connection port of the proxy terminal and the security engine, and a theme of a transmission channel of the digital asset security monitoring event in the first message queue; configuring the security engine to output a file format of the digital asset security monitoring event; and generati