CN-122001600-A - Data processing method, device, apparatus, medium and program product
Abstract
The application discloses a data processing method, apparatus, device, medium and program product in the field of communications technology. When network communication with a target cloud host is determined to be abnormal, the method obtains the disposition policy corresponding to the target cloud host from preset disposition policies of a plurality of cloud hosts, and obtains first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host. The disposition policy comprises reference abnormal behaviors and disposition information corresponding to those reference abnormal behaviors, and it instructs the EDR agent program of the target cloud host to process information of the target cloud host according to the disposition information when the reference abnormal behaviors are determined to include an abnormal behavior of the target cloud host. A serial port communication link between the management platform and the target cloud host is then established according to the first serial port communication parameters, and the disposition policy is sent to the target cloud host over that link.
Inventors
- CHEN TENG
- ZHOU ZHENGWU
- CHI WEI
- JI SHUXIAN
- HAN RUI
Assignees
- 中移(杭州)信息技术有限公司
- 中国移动通信集团有限公司
Dates
- Publication Date
- 2026-05-08
- Application Date
- 2024-11-05
Claims (15)
- 1. A data processing method applied to an endpoint detection and response (EDR) management platform, the method comprising: in the case that network communication with a target cloud host is determined to be abnormal, acquiring a disposition policy corresponding to the target cloud host from preset disposition policies of a plurality of cloud hosts, and acquiring first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host, wherein the disposition policy comprises reference abnormal behaviors and disposition information corresponding to the reference abnormal behaviors, and the disposition policy is used to instruct an EDR agent program of the target cloud host to process information of the target cloud host based on the disposition information when the reference abnormal behaviors are determined to include an abnormal behavior of the target cloud host; establishing a serial port communication link between the EDR management platform and the target cloud host according to the first serial port communication parameters; and sending the disposition policy to the target cloud host through the serial port communication link.
- 2. The method of claim 1, wherein establishing the serial port communication link between the EDR management platform and the target cloud host according to the first serial port communication parameters comprises: generating second serial port communication parameters of the EDR management platform according to the first serial port communication parameters; determining a second virtual serial interface of the EDR management platform according to the second serial port communication parameters; and establishing the serial port communication link between the EDR management platform and the target cloud host through the first virtual serial interface and the second virtual serial interface.
- 3. The method of claim 1, wherein acquiring the first serial port communication parameters corresponding to the first virtual serial interface of the target cloud host comprises: acquiring the first serial port communication parameters corresponding to the first virtual serial interface of the target cloud host according to preset association information, held by the host machine on which the target cloud host is located, between preset cloud hosts, their preset virtual serial interfaces and the corresponding preset serial port communication parameters.
- 4. The method of any one of claims 1 to 3, wherein, after sending the disposition policy to the target cloud host through the serial port communication link, the method further comprises: receiving a disposition result sent by the target cloud host, wherein the disposition result is generated by the target cloud host after executing the disposition policy; when the disposition result comprises feedback information indicating that the EDR agent program of the target cloud host needs to be updated, generating update information according to the feedback information, wherein the update information comprises at least one of update information for an abnormal behavior processing algorithm and update information for an operating system of the target cloud host; and sending the update information to the target cloud host through the serial port communication link.
- 5. The method of any one of claims 1 to 3, wherein, before acquiring the disposition policy corresponding to the target cloud host from the preset disposition policies of the plurality of cloud hosts and acquiring the first serial port communication parameters corresponding to the first virtual serial interface of the target cloud host in the case that network communication with the target cloud host is determined to be abnormal, the method further comprises: sending heartbeat information to the target cloud host; in the case that no response of the target cloud host to the heartbeat information is received within a preset time period, acquiring a service configuration policy associated with the target cloud host according to preset association information between service configuration policies and cloud hosts; and determining that network communication between the EDR management platform and the target cloud host is abnormal in the case that the service configuration policy does not include information indicating an interruption of network communication between the EDR management platform and the target cloud host.
- 6. A data processing method applied to a target cloud host, the method comprising: receiving a disposition policy corresponding to the target cloud host, sent by an EDR management platform through a serial port communication link in the case that network communication with the EDR management platform is abnormal, wherein the serial port communication link is established by the EDR management platform according to first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host, the disposition policy is determined by the EDR management platform from preset disposition policies of a plurality of cloud hosts, and the disposition policy comprises reference abnormal behaviors and disposition information corresponding to the reference abnormal behaviors; and in the case that the reference abnormal behaviors are determined to include an abnormal behavior of the target cloud host, processing information of the target cloud host based on the disposition information through an EDR agent program of the target cloud host.
- 7. The method of claim 6, wherein the reference abnormal behaviors comprise n reference abnormal behaviors, and wherein, before processing the information of the target cloud host based on the disposition information through the EDR agent program in the case that the reference abnormal behaviors are determined to include the abnormal behavior of the target cloud host, the method further comprises: matching the abnormal behavior of the target cloud host against the n reference abnormal behaviors through the EDR agent program of the target cloud host to obtain a matching result; and in the case that the matching result indicates that the abnormal behavior of the target cloud host is successfully matched against the n reference abnormal behaviors, determining that the reference abnormal behaviors include the abnormal behavior of the target cloud host.
- 8. The method of claim 6 or 7, wherein the abnormal behavior comprises connecting to a preset abnormal server, the disposition information comprises information for disconnecting the target cloud host from the preset abnormal server, and processing the information of the target cloud host based on the disposition information through the EDR agent program in the case that the reference abnormal behaviors are determined to include the abnormal behavior of the target cloud host comprises: in the case that the reference abnormal behaviors include the behavior of the target cloud host connecting to the preset abnormal server, disconnecting the target cloud host from the preset abnormal server through the EDR agent program of the target cloud host.
- 9. The method of claim 6 or 7, wherein the abnormal behavior comprises a known abnormal behavior feature, the disposition information comprises information for finding and terminating the process corresponding to the known abnormal behavior feature, and processing the information of the target cloud host based on the disposition information through the EDR agent program in the case that the reference abnormal behaviors are determined to include the abnormal behavior of the target cloud host comprises: in the case that the reference abnormal behaviors include the known abnormal behavior feature of the target cloud host, finding and terminating the process corresponding to the known abnormal behavior feature through the EDR agent program of the target cloud host.
- 10. The method of claim 6 or 7, wherein the abnormal behavior comprises an unknown abnormal behavior feature, the disposition information comprises information instructing the EDR agent program to send operation information corresponding to the unknown abnormal behavior feature to the EDR management platform, and processing the information of the target cloud host based on the disposition information through the EDR agent program in the case that the reference abnormal behaviors are determined to include the abnormal behavior of the target cloud host comprises: in the case that the reference abnormal behaviors include the unknown abnormal behavior feature of the target cloud host, acquiring the operation information corresponding to the unknown abnormal behavior feature through the EDR agent program of the target cloud host, and sending that operation information to the EDR management platform.
- 11. A data processing apparatus applied to an EDR management platform, the apparatus comprising: a first obtaining module, configured to obtain a disposition policy corresponding to a target cloud host from preset disposition policies of a plurality of cloud hosts and to obtain first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host, wherein the disposition policy comprises reference abnormal behaviors and disposition information corresponding to the reference abnormal behaviors, and the disposition policy is used to instruct an EDR agent program of the target cloud host to process information of the target cloud host based on the disposition information when the reference abnormal behaviors are determined to include an abnormal behavior of the target cloud host; a first establishing module, configured to establish a serial port communication link between the EDR management platform and the target cloud host according to the first serial port communication parameters; and a first sending module, configured to send the disposition policy to the target cloud host through the serial port communication link.
- 12. A data processing apparatus applied to a target cloud host, the apparatus comprising: a first receiving module, configured to receive a disposition policy corresponding to the target cloud host, sent by an EDR management platform through a serial port communication link in the case that network communication with the EDR management platform is abnormal, wherein the serial port communication link is established by the EDR management platform according to first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host, the disposition policy is determined by the EDR management platform from preset disposition policies of a plurality of cloud hosts, and the disposition policy comprises reference abnormal behaviors and disposition information corresponding to the reference abnormal behaviors; and a first processing module, configured to process information of the target cloud host based on the disposition information through an EDR agent program of the target cloud host in the case that the reference abnormal behaviors are determined to include an abnormal behavior of the target cloud host.
- 13. An electronic device comprising a processor and a memory storing computer program instructions, wherein the processor, when executing the computer program instructions, implements the data processing method of any one of claims 1 to 5 or performs the data processing method of any one of claims 6 to 10.
- 14. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the data processing method of any one of claims 1 to 5 or perform the data processing method of any one of claims 6 to 10.
- 15. A computer program product comprising a computer program which, when executed, implements the data processing method of any one of claims 1 to 5 or performs the data processing method of any one of claims 6 to 10.
Description
Data processing method, device, apparatus, medium and program product
Technical Field
The present application relates to the field of communications technology, and in particular to a data processing method, apparatus, device, medium and program product.
Background
An endpoint detection and response (EDR) system comprises an EDR agent program deployed on the endpoint side and an EDR management platform on the cloud side that provides services to the endpoint side. The EDR agent program is generally deployed in a cloud host on the endpoint side; it monitors and collects behavior data of the cloud host, examines that behavior against a detection engine and sample library pre-installed on the cloud host, and judges whether the behavior is abnormal. The EDR management platform is equipped with analysis components such as a threat intelligence library, a virus library and a big-data-based analysis and disinfection center. Once the EDR agent program detects abnormal behavior on the cloud host, it sends the behavior data of the cloud host to the EDR management platform, so that the platform can analyze the cloud host further with these analysis components, formulate a corresponding disposition policy, and send that policy back to the cloud host. In the related art, both the transmission of behavior data from the EDR agent program to the EDR management platform and the transmission of the disposition policy from the EDR management platform to the cloud host depend on network transmission.
However, when the cloud host is in an abnormal state and its network connection to the EDR management platform is interrupted, the cloud host cannot receive the disposition policy sent by the EDR management platform and therefore cannot handle the abnormal behavior, which reduces the security of the cloud host's running environment.
Disclosure of Invention
Embodiments of the present application provide a data processing method, apparatus, device, medium and program product that can improve the security of the cloud host running environment.
In a first aspect, an embodiment of the present application provides a data processing method applied to an endpoint detection and response (EDR) management platform, the method comprising: in the case that network communication with a target cloud host is abnormal, acquiring a disposition policy corresponding to the target cloud host from preset disposition policies of a plurality of cloud hosts, and acquiring first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host, wherein the disposition policy comprises reference abnormal behaviors and disposition information corresponding to the reference abnormal behaviors, and the disposition policy is used to instruct an EDR agent program of the target cloud host to process information of the target cloud host based on the disposition information when the reference abnormal behaviors include an abnormal behavior of the target cloud host; establishing a serial port communication link between the EDR management platform and the target cloud host according to the first serial port communication parameters; and sending the disposition policy to the target cloud host through the serial port communication link.
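The procedure described in the first aspect and in claims 1 to 10 (heartbeat timeout checked against the service configuration policy, policy and serial parameter lookup, serial link set-up, policy transfer, agent-side matching against the n reference abnormal behaviors, disposition, and the disposition result returned over the same link), as a runnable simulation. This is an added example written for this page, not code from the patent or from the assignees. The host identifiers, field names, sample behaviors, the 30-second preset period, the in-memory SerialLink standing in for the two virtual serial interfaces, and the HMAC tag on the policy frame are all constructed assumptions. The patent specifies no integrity protection for the serial channel; the tag is added here because, once the network is down, the console becomes the privileged command path into the host and an agent should not act on a frame it cannot authenticate.

```python
"""Added example: simulated EDR out-of-band disposition over a virtual serial link.
All names, field layouts, sample data and the HMAC framing are constructed for
illustration; the patent fixes none of them."""
import hashlib
import hmac
import json

HEARTBEAT_TIMEOUT_S = 30             # assumed preset period (claim 5 names no value)
LINK_KEY = b"constructed-demo-key"   # assumed shared key; added safeguard, not in the patent

# Preset disposition policies of several cloud hosts (claim 1): reference abnormal
# behaviours, each with its disposition information (claims 8-10).
POLICIES = {
    "vm-0017": [
        {"kind": "connect", "server": "198.51.100.7:4444", "action": "disconnect"},
        {"kind": "known_feature", "feature": "feat-miner-01", "action": "kill_process"},
        {"kind": "unknown_feature", "action": "report"},
    ],
    "vm-0042": [{"kind": "unknown_feature", "action": "report"}],
}
# Serial parameters of each host's first virtual serial interface (claim 3).
SERIAL_PARAMS = {"vm-0017": {"device": "/dev/pts/7", "baud": 115200, "parity": "N"}}
# Service configuration policy: whether a network interruption is expected (claim 5).
SERVICE_CONFIG = {"vm-0017": {"planned_network_interruption": False},
                  "vm-0042": {"planned_network_interruption": True}}

# Constructed sample of what the agent on vm-0017 detected locally.
OBSERVED = [
    {"kind": "connect", "server": "198.51.100.7:4444"},
    {"kind": "known_feature", "feature": "feat-miner-01", "pid": 4312},
    {"kind": "unknown_feature", "operation_info": "unexpected LD_PRELOAD write by pid 5120"},
    {"kind": "connect", "server": "203.0.113.9:443"},   # not in the policy: left alone
]


def network_abnormal(host_id, last_reply_at, now):
    """Claim 5: heartbeat unanswered for the preset period and no planned interruption."""
    if now - last_reply_at < HEARTBEAT_TIMEOUT_S:
        return False
    return not SERVICE_CONFIG.get(host_id, {}).get("planned_network_interruption", False)


def platform_serial_params(first_params):
    """Claim 2: derive the platform-side (second) parameters from the host's (first) ones.
    Only the endpoint differs; baud rate and parity must match the host side."""
    return {**first_params, "device": "pty-peer-of-" + first_params["device"].rsplit("/", 1)[-1]}


class SerialLink:
    """In-memory stand-in for the link between the two virtual serial interfaces.
    Frames are newline-terminated lines, as on a byte-stream console."""
    def __init__(self):
        self.buf = bytearray()

    def send_line(self, line: bytes):
        self.buf += line + b"\n"

    def recv_line(self) -> bytes:
        idx = self.buf.index(b"\n")
        line, self.buf = bytes(self.buf[:idx]), self.buf[idx + 1:]
        return line


def frame_policy(policy, key=LINK_KEY):
    """Platform side: serialize the policy and append an HMAC-SHA256 tag."""
    body = json.dumps(policy, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unframe_policy(frame, key=LINK_KEY):
    """Agent side: verify the tag before acting on anything received over the console."""
    body, _, tag = frame.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("policy frame rejected: authentication tag mismatch")
    return json.loads(body)


def match_reference(observed, reference_behaviors):
    """Claim 7: match one observed behaviour against the n reference behaviours."""
    for ref in reference_behaviors:
        if ref["kind"] != observed["kind"]:
            continue
        if ref["kind"] == "connect" and ref["server"] == observed["server"]:
            return ref
        if ref["kind"] == "known_feature" and ref["feature"] == observed["feature"]:
            return ref
        if ref["kind"] == "unknown_feature":
            return ref
    return None


def agent_dispose(observed_behaviors, policy):
    """Claims 8-10: the disposition for each matched behaviour. The returned records
    stand in for the real actions (closing the connection, terminating the process,
    reporting operation information); nothing is executed in this simulation."""
    results = []
    for obs in observed_behaviors:
        ref = match_reference(obs, policy)
        if ref is None:
            continue
        if ref["action"] == "disconnect":
            results.append({"action": "disconnect", "server": obs["server"]})
        elif ref["action"] == "kill_process":
            results.append({"action": "kill_process", "pid": obs["pid"]})
        elif ref["action"] == "report":
            results.append({"action": "report", "operation_info": obs["operation_info"]})
    return results


def run_flow(host_id, observed_behaviors, last_reply_at, now, tamper=False):
    """End to end: platform decides, derives its serial parameters, sends the policy;
    agent verifies, matches, disposes and returns the result over the link (claim 4)."""
    if not network_abnormal(host_id, last_reply_at, now):
        return None                                  # network usable, or outage is planned
    link = SerialLink()
    platform_serial_params(SERIAL_PARAMS[host_id])   # second parameters from the first
    frame = frame_policy(POLICIES[host_id])
    if tamper:                                       # simulate alteration in transit
        frame = frame.replace(b"disconnect", b"ignore", 1)
    link.send_line(frame)
    policy = unframe_policy(link.recv_line())        # raises on a forged or altered frame
    link.send_line(json.dumps(agent_dispose(observed_behaviors, policy)).encode())
    return json.loads(link.recv_line())              # disposition result back at the platform


if __name__ == "__main__":
    print(json.dumps(run_flow("vm-0017", OBSERVED, last_reply_at=0, now=60), indent=2))
```

Run with no arguments: vm-0017 has missed heartbeats for 60 seconds with no planned interruption, so the platform pushes its policy over the simulated console and gets back three dispositions (disconnect, kill_process, report); the unlisted 203.0.113.9:443 connection is not touched. vm-0042 has a planned interruption, so the flow does nothing, matching claim 5's distinction between an expected outage and an abnormal one.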
In a second aspect, an embodiment of the present application provides a data processing method applied to a target cloud host, the method comprising: receiving a disposition policy corresponding to the target cloud host, sent by an EDR management platform through a serial port communication link in the case that network communication with the EDR management platform is abnormal, wherein the serial port communication link is established by the EDR management platform according to first serial port communication parameters corresponding to a first virtual serial interface of the target cloud host, the disposition policy is determined by the EDR management platform from preset disposition policies of a plurality of cloud hosts, and the disposition policy comprises reference abnormal behaviors and disposition information corresponding to the reference abnormal behaviors; and in the case that the reference abnormal behaviors are determined to include an abnormal behavior of the target cloud host, processing information of the target cloud host based on the disposition information through an EDR agent program of the target cloud host.
In a third aspect, an embodiment of the present application provides a data processing apparatus applied to an EDR management platform, comprising: a first obtaining module, configured to obtain, in the case that network communication with a target cloud host is determined to be abnormal, a disposition policy corresponding to the target cloud host from preset disposition policies of a plurality of cl