WO2025092706A1 - Virus detection and removal drilling method and apparatus, device, and storage medium - Google Patents
- Publication number
- WO2025092706A1 (PCT application PCT/CN2024/127999)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- virus detection
- recovery
- killing
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
- G06F11/1448—Management of the data involved in backup or backup restore
Definitions
- The present application relates to the field of data security technology, and for example to a virus detection and removal drill method, apparatus, device and storage medium.
- At the data level, the main anti-ransomware measure is to use a backup or disaster recovery system to regularly back up the necessary data into the disaster recovery system.
- When production data is damaged, the data held in the disaster recovery system can be used to restore it quickly and minimize the loss.
- This method cannot solve every anti-ransomware problem: if the production data was already infected before the backup, or a file is in the incubation period of a virus infection at backup time, the backup can no longer prevent the virus from infecting the data.
- The general solution is to use the disaster recovery system to regularly restore the backup data and then run antivirus software over the restored data to confirm it is clean.
- This method is called a virus detection drill.
- Because the restored data and the antivirus environment are not isolated from production, each virus detection run may affect the production environment, causing greater and incalculable losses.
- The present application provides a virus detection and removal drill method, apparatus, device and storage medium that solves the problem of the antivirus environment and the production environment not being isolated, avoids the impact of the virus detection and removal process on the production environment, performs virus detection and removal while ensuring the security of production data in the production environment, and reduces economic losses in production.
- An embodiment of the present application provides a virus detection and removal drill method comprising:
- after receiving a workflow start instruction, obtaining backup data from the disaster recovery system;
- restoring the backup data and determining target recovery data;
- performing a virus detection and removal drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
- An embodiment of the present application further provides a virus detection and removal drill apparatus comprising:
- a backup data recovery module configured to obtain backup data from a disaster recovery system after receiving a workflow start instruction;
- a recovery data determination module configured to perform data recovery on the backup data and determine target recovery data;
- a virus detection and removal drill module configured to perform a virus detection and removal drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
- FIG. 1 is a flow chart of a virus detection and removal drill method provided in Example 1 of the present application.
- FIG. 2 is a schematic diagram of the structure of the data sandbox involved in the virus detection and removal drill method provided in Example 1 of the present application.
- FIG. 3 is a flow chart of the data sandbox construction involved in the virus detection and removal drill method provided in Example 1 of the present application.
- FIG. 4 is a flow chart of a virus detection and removal drill method provided in Example 2 of the present application.
- FIG. 5 is a schematic diagram of a virus detection and removal drill provided in Example 2 of the present application.
- FIG. 6 is a schematic diagram of an open integrated antivirus engine involved in the virus detection and removal drill method provided in Example 2 of the present application.
- FIG. 7 is a schematic diagram of the structure of a virus detection and removal drill apparatus provided in Example 3 of the present application.
- FIG. 8 is a schematic diagram of the structure of an electronic device provided in Example 4 of the present application.
- FIG. 1 is a flow chart of the virus detection and removal drill method provided in Example 1 of the present application. This embodiment applies to performing virus detection and removal drills in a data sandbox with a one-way isolation function. The method can be executed by a virus detection and removal drill apparatus, which can be implemented in hardware and/or software.
- The present application proposes performing virus detection and removal drills in a data sandbox that is isolated from the production environment; performing the detection and removal inside the sandbox ensures that the drill itself is safe for production.
- The method is open and supports the integration of multiple antivirus engines, so it can respond to different virus detection and removal needs.
- The method includes:
- The workflow start instruction is an instruction that starts the overall operation process.
- The disaster recovery system is a backup system for guarding against disaster situations; it backs up the production data of the production environment.
- The production environment is the customer's business environment.
- The backup data is the data generated by backing up the production data of the production environment into the disaster recovery system.
- When a workflow start instruction is received, the current virus detection and removal drill can be started. Backup data is therefore first obtained from the disaster recovery system so that the drill can later be performed on it.
- S102: Restore the backup data and determine target recovery data.
- The target recovery data is the recovered data used for the virus detection and removal drill.
- The data content of the target recovery data is the same as the production data.
- The backup data is restored to a resource directory in a pre-built data sandbox according to a preset data recovery algorithm, which can be chosen according to actual needs.
- The data sandbox includes at least one recovery resource, and a recovery resource holds multiple resource directories.
- The recovery data formed by restoring the backup data is stored in a resource directory in the data sandbox.
- S103: Perform the virus detection and removal drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
- The data sandbox is a line of defense for network security. All programs running in the sandbox are simulated exercises rather than real applications. The sandbox runs a program in an isolated space in which the program can read but not write, so that it cannot permanently modify or damage other programs and data on the computer.
- The data sandbox can be pictured as follows: the computer is a sheet of paper, running and modifying a program is like writing on the paper, and the sandbox is a pane of glass laid over the paper. The program's writes land only on the glass, and the paper stays clean.
- The data sandbox in this embodiment provides a network environment isolated from the production network.
- A data sandbox with a one-way isolation function is pre-built. Apart from designated data, the data sandbox cannot interact with the production environment. To protect the production environment, the virus detection drill is therefore performed inside this sandbox on the target recovery data restored to its resource directory, using a pre-selected virus detection engine.
- The virus detection and removal drill method of this embodiment obtains backup data from a disaster recovery system after receiving a workflow start instruction, performs data recovery on the backup data and determines the target recovery data, and performs the virus detection and removal drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
- The backup data is restored to a network-isolated recovery resource for virus detection and removal, which avoids any impact on the production environment; detection and removal is applied to the data under the specified path of the recovery resource, which ensures the security of the recovered data.
- This solves the problem of the antivirus environment and the production environment not being isolated and avoids the impact of the virus detection and removal process on the production environment. Virus detection and removal is achieved while the security of production data in the production environment is guaranteed, reducing economic losses in production.
- The method further includes generating and uploading a drill report:
- The virus detection and removal drill report is a report formed from the results of the drill.
- The server, the client, and the electronic device executing the embodiment of the present application are all connected remotely over a wireless link, and any two of them can exchange data.
- The client can also interact with the user.
- A virus detection drill report is generated from the results of the drill and uploaded to the server.
- The server can send the virus detection drill report to the client for user query and display according to the client's request.
- FIG. 2 is a schematic diagram of the structure of the data sandbox involved in the virus detection and removal drill method provided in Example 1 of the present application.
- The data sandbox includes at least a proxy device and a virtual switch vSwitch2 without an uplink.
- On the proxy device, one externally connected virtual network card vNic1 and multiple internally connected virtual network cards vNic2, vNic3, vNic4, ... are created.
- Multiple isolated network port groups are created on the virtual switch vSwitch2.
- The internally connected virtual network cards are connected one-to-one to the isolated network port groups to build the network.
- The steps for building the data sandbox are as follows:
- The target virtualization platform is the virtualization platform chosen by the client user.
- A virtual switch without an uplink is a switch with a unidirectional isolation function.
- The virtual switch is the basis of the data sandbox's isolation capability. Because it has no uplink, the virtual switch is cut off from the external network, so any virtual machine attached to that switch is also isolated from the external network.
- An isolated network port is a port on the virtual switch without an uplink that is used to network the virtual machines inside the sandbox.
- An isolated network is a mapping of a production network in the external environment. Each production network can be mapped to one isolated network, and together the isolated networks inside the data sandbox form a network resembling the production network. The difference is that this network lives inside the data sandbox, isolated from the outside world, and does not affect the external environment.
- The virtualization platform chosen by the user through interaction with the client is determined as the target virtualization platform, and the data sandbox is built on it programmatically.
- A virtual switch without an uplink is created on the target virtualization platform, and a preset number of isolated network ports is created on it. These isolated network ports are the mapping of the production network ports into the data sandbox, so the preset number may equal the number of production network ports in the production network, and under certain conditions may be smaller.
- A virtual machine running a Linux operating system is created on the target virtualization platform, routing (IP forwarding) is enabled on it, and the virtual machine is designated as the proxy device that relays traffic between virtual machines inside the data sandbox and between the data sandbox and the target virtualization platform.
- A virtual network card is created on the proxy device and connected to a production network of the target virtualization platform, and an Internet Protocol (IP) address is configured on it to establish the connection between the virtual network card and the production network, thereby connecting the proxy device to the target virtualization platform.
- Multiple virtual network cards, equal in number to the isolated network ports, are created on the proxy device; each is configured with an address corresponding to its isolated network port, and connections between these virtual network cards and the isolated networks are established, thereby connecting the proxy device to the isolated network ports.
- Establishing the connection between the proxy device and the isolated network ports includes:
- creating a preset number of virtual network cards on the proxy device, equal to the number of isolated network ports, and connecting the virtual network cards to the isolated network ports in one-to-one correspondence;
- determining the production network mapped by each isolated network and the gateway address of that production network, and assigning the production network's gateway address as the IP address of the virtual network card connected to the isolated network.
- The network configuration information is the network address information entered by the user while interacting with the client.
- The network configuration information received from the client includes the subnet mask and the masquerade (NAT) network segment configuration of the virtual network cards; the subnet mask and masquerade segment of each virtual network card are configured according to the network configuration information transmitted by the client.
- The firewall configuration information is the configuration information of the network filter (iptables).
- The firewall configuration information is configured by the user while interacting with the client. The firewall configuration information transmitted by the client is received, and the corresponding iptables configuration (firewall rule configuration) is applied on the proxy device.
- FIG. 3 is a flowchart of the data sandbox construction involved in the virus detection and removal drill method provided in Example 1 of the present application.
- A data sandbox built this way has three functions: external one-way connectivity, internal intercommunication, and support for active requests from inside the data sandbox to the outside for specified IP addresses and ports.
- External one-way connectivity allows active access from outside the data sandbox to its inside and allows the corresponding responses to leave, but does not allow the data sandbox to actively access the outside.
- Because the proxy device is the only bridge between the inside of the data sandbox and the outside world, one-way isolation is achieved mainly by configuring the corresponding iptables rules on the proxy device. Internal intercommunication means that the multiple networks inside the data sandbox can reach each other; it is achieved mainly by marking the traffic of the isolated networks on the proxy device and setting the corresponding routing policy. Opening active requests from inside the data sandbox to a specified external IP address and port is a special case of external one-way connectivity: according to actual needs, requests from inside the sandbox to the specified IP address and port are allowed to pass, which is also achieved by configuring the corresponding iptables rules on the proxy device.
- Select a virtualization platform (for deploying the data sandbox).
- S12: Create a proxy device and enable routing forwarding: create a virtual machine running a Linux operating system on the virtualization platform and enable its routing forwarding function.
- Add a virtual network card on the proxy device, connect it to a production network external to the virtualization platform, and configure an IP address.
- Create multiple isolated network port groups on the virtual switch according to the number N of production networks that need to be mapped; the number of isolated network port groups equals N.
- Step S17: Determine whether the isolated networks are to be interconnected. If so, execute step S18; if not, execute step S19.
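The proxy-device build described in the steps above, written out as an added example (not code from the patent application): it renders the `ip`/`iptables` commands a Linux proxy VM would need for the three functions named earlier (external one-way connectivity, internal intercommunication by traffic marking plus policy routing, and an allow-list of external IP:port targets reachable from inside), and models the resulting forwarding verdict so the policy can be checked offline. Interface names, subnets, the fwmark value, the routing table number, the allow-list and the assumption that allow-listed requests are TCP are all constructed; the 192.168.225.0/24 subnet simply matches the vm2 address used in the example later on this page.

```python
"""Proxy-device configuration for a one-way isolated data sandbox (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class IsolatedNet:
    """One production network mapped into the sandbox (constructed values)."""
    port_group: str   # isolated port group on the uplink-less vSwitch
    iface: str        # proxy NIC attached to that port group
    cidr: str         # production subnet being mirrored
    gateway: str      # production gateway; the proxy NIC takes this address


@dataclass
class SandboxProxy:
    ext_iface: str                                  # vNic1, on the production network
    ext_addr: str                                   # its address, with prefix length
    nets: list                                      # list[IsolatedNet]
    allow_out: list = field(default_factory=list)   # [(dst_ip, dst_port)] exceptions
    mark: int = 0x10                                # fwmark for intra-sandbox traffic
    table: int = 100                                # policy routing table for marked traffic

    def nic_commands(self):
        """Addressing: restored VMs keep their production gateway, so the proxy
        answers for that gateway address on each isolated network."""
        cmds = [f"ip addr add {self.ext_addr} dev {self.ext_iface}",
                "sysctl -w net.ipv4.ip_forward=1"]
        for n in self.nets:
            prefix = IPv4Network(n.cidr).prefixlen
            cmds.append(f"ip addr add {n.gateway}/{prefix} dev {n.iface}")
        return cmds

    def firewall_commands(self):
        """iptables rules: default deny in FORWARD, then the three functions."""
        ext, cmds = self.ext_iface, ["iptables -P FORWARD DROP"]
        for n in self.nets:
            # internal intercommunication: mark traffic entering from an isolated net,
            # route it via the policy table, accept marked traffic to any isolated net
            cmds.append(f"iptables -t mangle -A PREROUTING -i {n.iface} -j MARK --set-mark {self.mark:#x}")
            cmds.append(f"iptables -A FORWARD -m mark --mark {self.mark:#x} -o {n.iface} -j ACCEPT")
            cmds.append(f"ip route add {n.cidr} dev {n.iface} table {self.table}")
            # external one-way connectivity: outside may open connections inward,
            # inside may only answer them
            cmds.append(f"iptables -A FORWARD -i {ext} -o {n.iface} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT")
            cmds.append(f"iptables -A FORWARD -i {n.iface} -o {ext} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
            # allow-listed active requests from inside to a specified IP and port (TCP assumed)
            for ip, port in self.allow_out:
                cmds.append(f"iptables -A FORWARD -i {n.iface} -o {ext} -d {ip} -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
        cmds.append(f"ip rule add fwmark {self.mark:#x} table {self.table}")
        # allowed inside-initiated traffic leaves with the proxy's external address
        cmds.append(f"iptables -t nat -A POSTROUTING -o {ext} -j MASQUERADE")
        return cmds

    def decide(self, in_iface, out_iface, state, dst_ip=None, dst_port=None):
        """Forwarding verdict for a packet under the rules above."""
        internal = {n.iface for n in self.nets}
        if in_iface in internal and out_iface in internal:
            return "ACCEPT"                        # marked and policy-routed
        if in_iface == self.ext_iface and out_iface in internal:
            return "ACCEPT"                        # externally initiated
        if in_iface in internal and out_iface == self.ext_iface:
            if state in ("ESTABLISHED", "RELATED"):
                return "ACCEPT"                    # reply to an external request
            if (dst_ip, dst_port) in self.allow_out:
                return "ACCEPT"                    # allow-listed active request
        return "DROP"


def build_example_proxy():
    """Constructed sandbox: two production networks mapped to two isolated nets."""
    return SandboxProxy(
        ext_iface="vNic1", ext_addr="10.0.0.50/24",
        nets=[IsolatedNet("Isolated VM Network1", "vNic2", "192.168.225.0/24", "192.168.225.1"),
              IsolatedNet("Isolated VM Network2", "vNic3", "192.168.226.0/24", "192.168.226.1")],
        allow_out=[("203.0.113.10", 443)])


if __name__ == "__main__":
    p = build_example_proxy()
    print("\n".join(p.nic_commands() + p.firewall_commands()))
    print(p.decide("vNic1", "vNic2", "NEW"), p.decide("vNic2", "vNic1", "NEW"))
```

The verdict model is the part worth keeping next to the ruleset: an external ping or scan request into an isolated network is accepted, its reply is accepted as ESTABLISHED, and a new connection opened from inside toward the production side is dropped unless its destination is on the allow-list, which is exactly the one-way property the page relies on.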
- FIG. 4 is a flow chart of the virus detection and removal drill method provided in Example 2 of the present application.
- This embodiment optimizes the embodiments above and applies to performing virus detection and removal drills in a data sandbox with a one-way isolation function.
- The method can be executed by a virus detection and removal drill apparatus, which can be implemented in hardware and/or software.
- The method includes:
- S202: Restore the backup data to the recovery resources in the data sandbox to form initial recovery data, and verify it.
- The initial recovery data is the backup data restored directly to the recovery resource, before verification.
- Mount-based recovery means mounting the backup data onto the recovery resources through protocols such as Network File System (NFS), Internet Small Computer System Interface (iSCSI), Fibre Channel Storage Area Network (FC SAN), Simple Storage Service (S3), Hadoop Distributed File System (HDFS), and Container Storage Interface (CSI).
- The initial recovery data is verified by a preset verification method to determine whether its data content is consistent with the production data backed up in the backup data. If so, the initial recovery data passes verification; if not, it fails.
- S203: Determine the verified initial recovery data as the target recovery data.
- The target recovery data is recovered data that is consistent with the production data and can be used for the virus detection and removal drill.
- Initial recovery data that passes verification has content consistent with the production data and can be used for the drill; it is therefore determined as the target recovery data.
- S204: Send virus detection engine options to the client, and receive the target virus detection engine fed back by the client.
- A virus detection engine option is a virus detection engine that the client user can select, namely antivirus software comprising a software development kit (SDK), a license and a virus database.
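The verification step S202/S203 in code, as an added example that is not the application's own code. The page only says a "preset verification method" is applied; here that method is assumed to be a manifest of SHA-256 digests recorded from the production data at backup time and recomputed over the restored resource directory, so that any missing, changed or extra file fails the check and only a passing restore becomes the target recovery data. The sample files are constructed in temporary directories.

```python
"""Verification of initial recovery data against backed-up production data (added example)."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_recovery(manifest, restored_root):
    """Compare the restored tree with the manifest.

    Returns (passed, report); the report names every path that is missing from
    the restore, present but changed, or present although it was never backed up.
    """
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in set(manifest) & set(current) if manifest[p] != current[p])
    passed = not (missing or extra or changed)
    return passed, {"missing": missing, "changed": changed, "extra": extra}


def select_target_recovery_data(manifest, restored_root):
    """S203: only a restore that passes verification becomes the target
    recovery data (returned as its root path); otherwise None."""
    passed, _ = verify_recovery(manifest, restored_root)
    return str(restored_root) if passed else None


def demo():
    """Constructed scenario: a faithful restore passes, a damaged one fails."""
    files = {"home/user/notes.txt": b"quarterly figures\n",
             "home/user/app.cfg": b"mode=prod\n"}
    with tempfile.TemporaryDirectory() as prod, tempfile.TemporaryDirectory() as restored:
        for rel, data in files.items():
            for base in (prod, restored):
                path = Path(base, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        manifest = build_manifest(prod)            # recorded at backup time
        clean = verify_recovery(manifest, restored)
        target_ok = select_target_recovery_data(manifest, restored) is not None
        # simulate a restore whose content drifted from production
        Path(restored, "home/user/notes.txt").write_bytes(b"quarterly figures\n" + b"\x00" * 8)
        Path(restored, "home/user/extra.bin").write_bytes(b"\x00")
        damaged = verify_recovery(manifest, restored)
        target_bad = select_target_recovery_data(manifest, restored)
    return clean, target_ok, damaged, target_bad


if __name__ == "__main__":
    print(demo())
```

Treating an unexpected extra file as a failure is deliberate: a restore that contains content the production backup never had is exactly the case the drill is meant to catch before anything is trusted.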
- The target virus detection engine is the virus detection engine selected by the client user.
- The virus detection engines are sent to the client as options; the client user selects one or more of them, and the client transmits the selection back to the electronic device that executes the application.
- The engine(s) selected by the user are determined as the target virus detection engine.
- The virus detection drill is performed on the target recovery data using the target virus detection engine, wherein the data sandbox with a one-way isolation function includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data is in a resource directory.
- Multiple virus detection engine instances are started simultaneously on the recovery resource to scan the target paths on the resource in parallel.
- The configurable concurrency of the recovery resource and the concurrency configured for a single virus detection task are managed as a resource pool.
- An upper limit on parallel detection can be configured according to the actual capacity of the recovery resource, and an expected concurrency can be configured for each virus detection task.
- The resource pool is a configuration mechanism for recovery resources that manages the number of concurrent virus detection engine instances on a recovery resource and the concurrency of a single virus detection task, i.e. the number of concurrent engine instances available to detection tasks.
- FIG. 5 is a schematic diagram of the virus detection and removal drill provided in Example 2 of the present application.
- The virus detection and removal drill is performed on the target recovery data on the recovery resource in the data sandbox.
- The production environment is the client's business environment;
- the distributed storage is the backup medium used to store the backup data;
- the virus removal configuration is the configuration of the scan path of the target recovery data; it can be connected with other configurations of different types in a certain topological relationship to form a specific task flow, through which data recovery, virus detection and removal, recovery data verification, recovery resource cleanup and e-mail notification are carried out in sequence;
- the antivirus engine is the antivirus software, including the virus scanning SDK, license and virus library;
- the recovery resource is the destination used for data recovery, which can be the production environment or another environment interconnected with the production environment, and virus detection and removal is also performed on this resource.
- Virus detection and removal drills are conducted in isolation from the production network as follows:
- S21: Create a data sandbox and deploy recovery resources and the antivirus engine client in it; the data sandbox exposes the antivirus engine client's registration port to the virus detection and removal drill server outside.
- S22: Configure the task flow; in the recovery resource configuration of the disaster recovery configuration, select the virtualization platform on which the data sandbox is deployed as the recovery resource.
- S23: Configure virus detection and removal: select one or more paths on the recovery resource as the paths to be scanned, select the antivirus engine client inside the data sandbox as the antivirus client, and complete the scan configuration.
- S24: Configure the other nodes in the task flow.
- S25: Start the task flow.
- FIG. 5 includes a built-in virus detection engine and a third-party virus detection engine; different types of antivirus engines are supported and multiple virus detection engines can be called openly.
- FIG. 6 is a schematic diagram of the open integrated antivirus engine involved in the virus detection and removal drill method provided in Example 2 of the present application.
- The open integrated antivirus engine includes a virus detection scheduling layer, a virus detection adaptation layer, and the virus detection engines.
- The virus detection scheduling layer mainly provides a set of public virus detection interface definitions, which each virus detection engine adapter implements. When detection is initiated, the public interface of the specified virus detection engine is called directly, independent of how that engine works internally.
- The virus detection adaptation layer mainly holds the adapters.
- An adapter is a unified encapsulation of one type of antivirus engine. Each virus detection engine only needs to implement the set of interfaces defined by the upper scheduling layer, and the scheduling and use of the engine are realized in the implementation of these interfaces.
- A virus detection engine includes the virus detection SDK, the license and the virus library files.
- The SDK contains the series of interfaces required for virus detection.
- The license file authorizes calls to those interfaces.
- The virus library is a file that records virus characteristics.
- Performing the virus detection drill on the target recovery data with the target virus detection engine includes:
- The preset virus detection and removal interface is the public interface provided by the virus detection scheduling layer.
- The common virus detection interface definition can correspond to various types of virus detection adapters.
- The virus detection scheduling layer calls the preset virus detection interface to connect to the virus detection adaptation layer, and through that interface calls the virus detection adapter corresponding to the target virus detection engine.
- Each adapter calls its corresponding target virus detection engine, and the target virus detection engines perform parallel virus detection drills on the target recovery data.
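The three-layer open integration just described, together with the resource-pool concurrency model from the S204 passage above, as one added example (not the application's code). A scheduling layer exposes a single public scan interface, an adaptation layer holds one adapter per engine, and the engines sit behind the adapters. The two engines here are constructed stand-ins, a byte-signature matcher standing for a built-in SDK plus virus library and a SHA-256 hash list standing for a third-party engine; a real SDK would be wrapped by an adapter implementing the same `scan_file` method. The resource pool grants each task at most its expected concurrency, capped by the recovery resource's upper limit. Sample files, signatures and hashes are constructed.

```python
"""Open antivirus-engine integration with resource-pool-bounded parallel scans (added example)."""
import hashlib
import tempfile
import threading
from abc import ABC, abstractmethod
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path


class EngineAdapter(ABC):
    """Adaptation layer: the public interface every engine adapter implements."""
    name = "adapter"

    @abstractmethod
    def scan_file(self, path):
        """Return the list of detection names for one file (empty if clean)."""


class SignatureEngine(EngineAdapter):
    """Constructed stand-in for a built-in SDK + virus-library engine."""
    name = "builtin-signature"

    def __init__(self, library):          # {pattern_bytes: detection_name}
        self.library = library

    def scan_file(self, path):
        data = Path(path).read_bytes()
        return [det for pat, det in self.library.items() if pat in data]


class HashListEngine(EngineAdapter):
    """Constructed stand-in for a third-party engine keyed on file hashes."""
    name = "thirdparty-hash"

    def __init__(self, bad_hashes):       # {sha256_hex: detection_name}
        self.bad = bad_hashes

    def scan_file(self, path):
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        return [self.bad[digest]] if digest in self.bad else []


class ResourcePool:
    """Engine-instance budget of one recovery resource (the configured upper limit)."""

    def __init__(self, upper_limit):
        self.free = upper_limit
        self._lock = threading.Lock()

    def grant(self, expected):
        """Give a task min(expected, free) instances; 0 means none are available."""
        with self._lock:
            n = min(expected, self.free)
            self.free -= n
            return n

    def release(self, n):
        with self._lock:
            self.free += n


class Scheduler:
    """Scheduling layer: only ever calls engines through EngineAdapter.scan_file."""

    def __init__(self, adapters, pool):
        self.adapters = {a.name: a for a in adapters}
        self.pool = pool

    def run_drill(self, engine_names, target_dir, expected_concurrency):
        root = Path(target_dir)
        files = [p for p in root.rglob("*") if p.is_file()]
        workers = self.pool.grant(expected_concurrency)
        if workers == 0:
            raise RuntimeError("no engine instances free on this recovery resource")
        jobs = [(self.adapters[e], f) for e in engine_names for f in files]
        try:
            with ThreadPoolExecutor(max_workers=workers) as ex:
                results = list(ex.map(
                    lambda j: (j[0].name, j[1].relative_to(root).as_posix(), j[0].scan_file(j[1])),
                    jobs))
        finally:
            self.pool.release(workers)           # hand the instances back to the pool
        detections = sorted((eng, path, det) for eng, path, dets in results for det in dets)
        return {"workers": workers, "files_scanned": len(files), "detections": detections}


def demo():
    """Constructed drill over a temporary resource directory; returns (result, pool.free)."""
    sig = b"CONSTRUCTED-TEST-SIGNATURE-0001"
    known = b"constructed known-bad sample\n"
    with tempfile.TemporaryDirectory() as d:
        home = Path(d, "home")
        home.mkdir()
        (home / "notes.txt").write_bytes(b"quarterly figures\n")
        (home / "suspect.bin").write_bytes(b"\x00" * 16 + sig + b"\x00" * 16)
        (home / "sample.bin").write_bytes(known)
        pool = ResourcePool(upper_limit=4)
        sched = Scheduler([SignatureEngine({sig: "Constructed.Test.Sig"}),
                           HashListEngine({hashlib.sha256(known).hexdigest(): "Constructed.Test.Hash"})],
                          pool)
        result = sched.run_drill(["builtin-signature", "thirdparty-hash"], d, expected_concurrency=2)
    return result, pool.free


if __name__ == "__main__":
    print(demo())
```

The scheduler never imports anything engine-specific: adding another engine means adding one adapter class, which is the "technical foundation for future integration" the page claims for this layering.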
- This embodiment provides a virus detection and removal drill method that obtains backup data from the disaster recovery system after receiving a workflow start instruction; restores the backup data to the recovery resources in the data sandbox to form initial recovery data and verifies it; determines the initial recovery data that passed verification as the target recovery data; sends the virus detection engine options to the client and receives the target virus detection engine fed back by the client; and, in a pre-built data sandbox with a one-way isolation function, performs the virus detection and removal drill on the target recovery data with the target virus detection engine, wherein the data sandbox includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data is in a resource directory.
- Different antivirus engines are openly integrated through the adaptation layer and the scheduling layer, which bridges the differences between engine types and lays a technical foundation for integrating further virus detection engines in future.
- Users can freely configure virus detection and removal, making the function more complete, and mount-based recovery quickly provides the scan targets and the resource pool, making full use of the recovery resources.
- These two mechanisms (mount-based recovery and the resource pool) achieve efficient, parallel detection and removal. The method solves the problem of the antivirus environment and the production environment not being isolated, avoids the impact of the virus detection process on the production environment, and ensures the security of production data in the production environment while achieving virus detection, thereby reducing economic losses in production.
- The present application includes building a data sandbox with a one-way isolation function and performing virus detection and removal drills on the data recovered onto the recovery resources of the data sandbox.
- The method includes:
- vm1 is restored to virtualization platform A, where the data sandbox is located.
- The restored virtual machine is named vm2, and its network is connected to Isolated VM Network1.
- From outside the data sandbox, ping 192.168.225.100 is used to verify that vm2 was restored normally.
- The /home path of vm2 is scanned for viruses. Because the antivirus engine client and vm2 are both connected to Isolated VM Network1, which lies inside the data sandbox and is isolated from the outside world, the virus detection process is secure. Finally, a report on this virus detection drill is generated.
- FIG. 7 is a schematic diagram of the structure of the virus detection and removal drill apparatus provided in Example 3 of the present application. As shown in FIG. 7, the apparatus includes:
- a backup data recovery module 31 configured to obtain backup data from the disaster recovery system after receiving a workflow start instruction;
- a recovery data determination module 32 configured to perform data recovery on the backup data and determine target recovery data;
- a virus detection and removal drill module 33 configured to perform a virus detection and removal drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
- The virus detection and removal drill apparatus of this application solves the problem of the antivirus environment and the production environment not being isolated, avoids the impact of the virus detection and removal process on the production environment, performs virus detection and removal while ensuring the security of production data in the production environment, and reduces economic losses in production.
- The recovery data determination module 32 is configured to:
- determine the initial recovery data that has passed verification as the target recovery data.
- The virus detection and removal drill module 33 includes:
- a target engine determination unit configured to send virus detection engine options to a client and receive the target virus detection engine fed back by the client;
- a virus detection and removal drill unit configured to perform the virus detection and removal drill on the target recovery data with the target virus detection engine in a pre-built data sandbox with a one-way isolation function, wherein the data sandbox includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data is in a resource directory.
- The virus detection and removal drill unit is configured to:
- call the target virus detection engine through the adapter corresponding to it to perform the virus detection drill on the target recovery data.
- The apparatus further comprises:
- the drill report generation module is configured to generate a virus detection and killing drill report and feed the virus detection and killing drill report back to the server.
- the device further includes a data sandbox creation module, including:
- an isolated network creation unit configured to create a virtual switch without an uplink on a target virtualization platform, and to create a preset number of isolated network ports on the virtual switch;
- the proxy device determining unit is configured to create a virtual machine with a preset operating system and with the routing and forwarding function enabled on the target virtualization platform, and to determine the virtual machine as the proxy device;
- an agent connection establishing unit configured to establish a connection between the agent device and the preset number of isolated network ports, and a connection between the agent device and the target virtualization platform;
- the rule configuration unit is configured to receive the firewall configuration information of the client and perform corresponding firewall rule configuration on the proxy device according to the firewall configuration information.
- the proxy connection establishment unit is set to:
- the virus detection and killing drill device provided in the embodiment of the present application can execute the virus detection and killing drill method provided in any embodiment of the present application, and has the corresponding functional modules and beneficial effects of the execution method.
- FIG8 shows a schematic diagram of an electronic device 40 that can be used to implement an embodiment of the present application.
- the electronic device can represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers.
- the electronic device can also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices (such as helmets, glasses, watches, etc.) and other similar computing devices.
- the components shown herein, their connections and relationships, and their functions are by way of example.
- the electronic device 40 includes at least one processor 41, and a memory connected to the at least one processor 41 in communication, such as a read-only memory (ROM) 42, a random access memory (RAM) 43, etc., wherein the memory stores a computer program that can be executed by at least one processor, and the processor 41 can perform various appropriate actions and processes according to the computer program stored in the ROM 42 or the computer program loaded from the storage unit 48 to the RAM 43.
- Various programs and data required for the operation of the electronic device 40 can also be stored in the RAM 43.
- the processor 41, the ROM 42, and the RAM 43 are connected to each other through a bus 44.
- An input/output (I/O) interface 45 is also connected to the bus 44.
- Multiple components in the electronic device 40 are connected to the I/O interface 45, including: an input unit 46, such as a keyboard or a mouse; an output unit 47, such as various types of displays or speakers; a storage unit 48; and a communication unit 49, such as a network card, a modem or a wireless communication transceiver.
- the communication unit 49 allows the electronic device 40 to exchange information/data with other devices through a computer network such as the Internet and/or various telecommunication networks.
- the processor 41 may be a variety of general and/or special processing components with processing and computing capabilities. Some examples of the processor 41 may include a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, digital signal processors (DSP), and any appropriate processors, controllers, microcontrollers, etc.
- the processor 41 performs the various methods and processes described above, such as a virus detection and killing drill method.
- the virus detection and killing drill method can be implemented as a computer program, which is tangibly contained in a computer-readable storage medium, such as a storage unit 48.
- part or all of the computer program can be loaded and/or installed on the electronic device 40 via the ROM 42 and/or the communication unit 49.
- the processor 41 can be configured to perform the virus detection and killing drill method in any other appropriate manner (for example, by means of firmware).
- Various implementations of the systems and techniques described above herein may be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard parts (ASSPs), system on chip systems (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof.
- These various implementations may include: being implemented in one or more computer programs that are executable and/or interpreted on a programmable system that includes at least one programmable processor that may be a special purpose or general purpose programmable processor that may receive data and instructions from a storage system, at least one input device, and at least one output device, and transmit data and instructions to the storage system, the at least one input device, and the at least one output device.
- the computer programs for implementing the methods of the present application may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, so that when the computer programs are executed by the processor, the functions/operations specified in the flow charts and/or block diagrams are implemented.
- the computer programs may be executed entirely on the machine, partially on the machine, partially on the machine and partially on a remote machine as a stand-alone software package, or entirely on a remote machine or server.
- a computer readable storage medium may be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, device, or apparatus.
- a computer readable storage medium may include an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
- a computer readable storage medium may be a machine readable signal medium.
- Examples of machine readable storage media include an electrical connection based on one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
- the systems and techniques described herein may be implemented on an electronic device having: a display device (e.g., a cathode ray tube (CRT), a liquid crystal display (LCD), or a monitor) for displaying information to the user; and a keyboard and a pointing device (e.g., a mouse or a trackball), through which the user can provide input to the electronic device.
- Other types of devices may also be used to provide interaction with the user; for example, the feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form (including acoustic input, voice input, or tactile input).
- a computing system may include a client and a server.
- the client and the server are generally remote from each other and usually interact through a communication network.
- the relationship between the client and the server is generated by computer programs running on the corresponding computers and having a client-server relationship with each other.
- the server may be a cloud server, also known as a cloud computing server or a cloud host, which is a host product in the cloud computing service system that addresses the difficult management and weak business scalability of traditional physical hosts and virtual private server (VPS) services.
Description
This application claims priority to Chinese patent application No. 202311436379.6, filed with the China Patent Office on October 31, 2023, the entire contents of which are incorporated herein by reference.
The present application relates to the field of data security technology, for example to a virus detection and killing drill method, apparatus, device and storage medium.
In recent years computer viruses, and ransomware in particular, have had a severe impact on the availability and data security of business systems, and they are becoming increasingly rampant.
Against these threats, the main countermeasure at the data level is to use a backup or disaster recovery system to back up the necessary data to the disaster recovery system at regular intervals; once production data is infected, it can be restored quickly from the disaster recovery system and losses are kept to a minimum. This approach does not solve every anti-ransomware problem, however: if the production data was already infected before the backup, or the files were in the incubation period of an infection while the backup ran, the backup can no longer prevent the virus from reaching the data.
The usual remedy is to restore the backup data from the disaster recovery system periodically and then run antivirus software over the restored data to confirm that it is safe; this is called a virus detection and killing drill. If, however, the antivirus environment is not isolated from the production environment while the scan runs, every drill may affect the production environment and cause greater, unpredictable losses.
Summary of the invention
The present application provides a virus detection and killing drill method, apparatus, device and storage medium that solve the problem of the antivirus environment not being isolated from the production environment, avoid any impact of the virus detection and killing process on the production environment, ensure the security of production data while the scan is carried out, and reduce economic losses in production.
In a first aspect, an embodiment of the present application provides a virus detection and killing drill method, comprising:
after receiving a workflow start instruction, obtaining backup data from a disaster recovery system;
performing data recovery on the backup data and determining target recovery data;
performing a virus detection and killing drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
In a second aspect, an embodiment of the present application provides a virus detection and killing drill apparatus, comprising:
a backup data recovery module configured to obtain backup data from a disaster recovery system after receiving a workflow start instruction;
a recovery data determination module configured to perform data recovery on the backup data and determine target recovery data;
a virus detection and killing drill module configured to perform a virus detection and killing drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
In a third aspect, an embodiment of the present application provides an electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor so that the at least one processor can carry out the virus detection and killing drill method provided by the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when executed by a processor, cause the processor to carry out the virus detection and killing drill method provided by the first aspect.
The drawings needed for describing the embodiments are introduced below. They show some embodiments of the present application; a person of ordinary skill in the art can derive other drawings from them without inventive effort.
FIG1 is a flow chart of a virus detection and killing drill method provided in Embodiment 1 of the present application;
FIG2 is a schematic diagram of the structure of the data sandbox used in the virus detection and killing drill method provided in Embodiment 1 of the present application;
FIG3 is a flow chart of the construction of the data sandbox used in the virus detection and killing drill method provided in Embodiment 1 of the present application;
FIG4 is a flow chart of a virus detection and killing drill method provided in Embodiment 2 of the present application;
FIG5 is a schematic diagram of a virus detection and killing drill provided in Embodiment 2 of the present application;
FIG6 is a schematic diagram of the open integration of antivirus engines in the virus detection and killing drill method provided in Embodiment 2 of the present application;
FIG7 is a schematic diagram of the structure of a virus detection and killing drill apparatus provided in Embodiment 3 of the present application;
FIG8 is a schematic diagram of the structure of an electronic device provided in Embodiment 4 of the present application.
To help those skilled in the art understand the solution, the embodiments of the present application are described below with reference to the drawings; the embodiments described are some of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art can obtain from them without inventive effort fall within the scope of protection of the present application.
The terms "first", "second" and "target" in the specification, claims and drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. Data so designated may be interchanged where appropriate, so that the embodiments described here can be carried out in orders other than those illustrated or described. The terms "including" and "having", and any variants of them, are intended to cover non-exclusive inclusion: a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units listed, and may include other steps or units that are not listed or that are inherent to it.
Embodiment 1
FIG1 is a flow chart of a virus detection and killing drill method provided in Embodiment 1 of the present application. This embodiment applies to performing virus detection and killing drills in a data sandbox with a one-way isolation function. The method can be executed by a virus detection and killing drill apparatus, which can be implemented in hardware and/or software.
The present application proposes a method for performing virus detection and killing drills in a data sandbox that is isolated from the production environment; running the scan inside the sandbox keeps the drill safe. The method is also open: it supports the integration of multiple antivirus engines and can therefore meet different virus detection and killing needs.
As shown in FIG1, the method includes:
S101: after receiving a workflow start instruction, obtain backup data from the disaster recovery system.
In this embodiment, the workflow start instruction is the instruction that starts the overall job flow. The disaster recovery system is a backup system intended to guard against disasters; it backs up the production data of the production environment, which is the customer's business environment. The backup data is the data generated by backing up that production data into the disaster recovery system.
For example, when the workflow start instruction is received it is known that the current virus detection and killing drill may begin, so the backup data is first fetched from the disaster recovery system so that the drill can later be run on it.
S102: perform data recovery on the backup data and determine the target recovery data.
In this embodiment, the target recovery data is the recovered data on which the virus detection and killing drill is run; its content is identical to the production data.
For example, the backup data is restored onto a resource directory in the pre-built data sandbox according to a preset data recovery algorithm, which can be chosen according to actual needs. The data sandbox includes at least one recovery resource, each recovery resource carries multiple resource directories, and the recovery data produced by restoring the backup data is stored on a resource directory in the data sandbox.
S103: perform a virus detection and killing drill on the target recovery data in the pre-built data sandbox with a one-way isolation function.
In this embodiment, the data sandbox is a line of defence for network security: everything running in the sandbox is a simulated exercise, not a real application. The sandbox runs programs in an isolated space in which they can read but not write, so that they cannot permanently modify or damage other programs and data on the computer. As an illustration, the computer is a sheet of paper and a running program writes on it; the sandbox is a pane of glass laid over the paper, so whatever the program writes lands on the glass while the paper stays clean.
In some embodiments, the data sandbox of this embodiment provides a network environment isolated from the production network.
For example, a data sandbox with a one-way isolation function is built in advance; apart from designated data, the sandbox cannot interact with the production environment. To protect the production environment, the virus detection and killing drill is therefore run inside this sandbox, using a pre-selected virus detection and killing engine, on the target recovery data restored to a resource directory of the sandbox.
The virus detection and killing drill method provided by this embodiment obtains backup data from the disaster recovery system after receiving a workflow start instruction, performs data recovery on the backup data and determines the target recovery data, and performs the virus detection and killing drill on the target recovery data in a pre-built data sandbox with a one-way isolation function. Restoring the backup data to a network-isolated recovery resource and scanning it there avoids any impact on the production environment, scans the data under the specified path of the recovery resource, and ensures the security of the recovered data. This solves the problem of the antivirus environment not being isolated from the production environment, avoids any impact of the scan on production, ensures the security of production data while the scan is performed, and reduces economic losses in production.
In some embodiments, building on the above, the method further includes:
generating a virus detection and killing drill report and feeding the report back to the server.
In this embodiment, the drill report is the report formed from the results of the virus detection and killing drill. The server is the server side; the server, the client and the electronic device that executes the embodiment are all connected remotely and wirelessly, so that any two of them can exchange data, and the client can additionally interact with the user.
For example, after the virus detection and killing drill has been run on the target recovery data inside the data sandbox, a drill report is generated from the results and uploaded to the server; on request from the client, the server sends the report to the client for the user to view.
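The following Python is an added example, not code from the patent: it models steps S101 to S103 and the report step end to end, with the adapter layer that the page describes for integrating several antivirus engines behind one scheduling interface. Everything in it is constructed for illustration: the stand-in disaster recovery system, the two toy engines and their marker string and denylist, the file names and the stale digest on "ledger.db". The page says only that restored data must "pass verification" before it becomes target recovery data; comparing a digest recorded at backup time is this example's assumption about what that verification is.

```python
"""Added example (not the patent's code): drill steps S101-S103 plus the report,
with an adapter layer so several antivirus engines can be scheduled over the
same recovered data. All engines, files and digests below are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Protocol


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def backed_up(content: bytes, recorded_digest=None):
    """One DR-system entry: content plus the digest recorded at backup time."""
    return content, recorded_digest or sha256(content)


# Constructed stand-in for the disaster recovery system. "ledger.db" carries a
# stale digest so that the verification step in S102 has something to reject.
DR_SYSTEM = {
    "notes.txt": backed_up(b"quarterly notes, nothing unusual"),
    "payroll.bin": backed_up(b"\x00\x01CONSTRUCTED-MALWARE-MARKER\x02"),
    "tool.exe": backed_up(b"MZ constructed binary"),
    "ledger.db": backed_up(b"rows...", "0" * 64),
}


def obtain_backup_data(dr_system=DR_SYSTEM):
    """S101: after the workflow start instruction, pull backup data from the DR system."""
    return dict(dr_system)


def restore_and_verify(backup, resource_dir: Path):
    """S102: restore onto a resource directory of a sandbox recovery resource; only
    files whose digest matches the recorded one become target recovery data."""
    target = []
    for name, (content, recorded) in backup.items():
        dest = resource_dir / name
        dest.write_bytes(content)
        if sha256(dest.read_bytes()) == recorded:
            target.append(dest)
    return target


class EngineAdapter(Protocol):
    name: str

    def scan(self, path: Path) -> list[str]: ...  # detection labels, empty when clean


class MarkerEngine:
    """Constructed engine: flags files containing a known marker byte string."""
    name = "marker-engine"
    MARKERS = {b"CONSTRUCTED-MALWARE-MARKER": "Test.Marker.A"}

    def scan(self, path):
        data = path.read_bytes()
        return [label for marker, label in self.MARKERS.items() if marker in data]


class HashEngine:
    """Constructed engine: flags files whose SHA-256 is on a denylist."""
    name = "hash-engine"

    def __init__(self, denylist):
        self.denylist = set(denylist)

    def scan(self, path):
        digest = sha256(path.read_bytes())
        return [f"Denylisted.{digest[:8]}"] if digest in self.denylist else []


# Adapter layer: the scheduler only talks to this registry, so adding an engine
# means adding one adapter, not changing the drill workflow.
ADAPTERS: dict[str, EngineAdapter] = {}


def register(adapter: EngineAdapter) -> None:
    ADAPTERS[adapter.name] = adapter


def run_drill(target_files, engine_name: str) -> dict:
    """S103: run the client-selected engine via its adapter over the target data
    and build the drill report that is fed back to the server."""
    engine = ADAPTERS[engine_name]
    findings = {p.name: engine.scan(p) for p in target_files}
    return {
        "engine": engine_name,
        "scanned": len(target_files),
        "infected": sorted(n for n, hits in findings.items() if hits),
        "findings": findings,
    }


def demo():
    register(MarkerEngine())
    register(HashEngine([sha256(b"MZ constructed binary")]))
    with tempfile.TemporaryDirectory() as sandbox_dir:
        resource_dir = Path(sandbox_dir) / "resource1"  # constructed resource directory
        resource_dir.mkdir()
        target = restore_and_verify(obtain_backup_data(), resource_dir)
        reports = [run_drill(target, name) for name in ADAPTERS]
    return sorted(p.name for p in target), reports


if __name__ == "__main__":
    target_names, reports = demo()
    print("target recovery data:", target_names)
    for report in reports:
        print(report["engine"], "->", report["infected"])
```

Running `demo()` restores four constructed files, drops "ledger.db" because its digest does not match, and then runs both registered engines over the remaining three; each engine produces its own report, which is the shape of the per-drill report the page says is uploaded to the server.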
FIG2 is a schematic diagram of the structure of the data sandbox used in the virus detection and killing drill method of Embodiment 1. The data sandbox includes at least a proxy device and a virtual switch vSwitch2 without an uplink. On the proxy device one externally connected virtual network card, vNic1, and several internally connected virtual network cards, vNic2, vNic3, vNic4 and so on, are created; on the virtual switch vSwitch2 several isolated network port groups are created, and the internally connected virtual network cards are connected one to one with the isolated network port groups to form the network. Building on the above embodiments, some embodiments add the following steps for building the data sandbox:
a1) Create a virtual switch without an uplink on the target virtualization platform, and create a preset number of isolated network ports on the virtual switch.
In this embodiment, the target virtualization platform is the virtualization platform chosen by the user at the client. A virtual switch without an uplink is a switch with a one-way isolation function and is the basis of the sandbox's isolation capability: because it has no uplink it is cut off from the external network, so any virtual machine attached to it is isolated from the external network as well. An isolated network port is a network port used to build the internal network. Each isolated network is a mapping of a production network of the external environment; every production network can be mapped to one isolated network, and together the isolated networks inside the sandbox form a network similar to the production network, with the difference that it lives inside the data sandbox, is cut off from the outside world and cannot affect the external environment.
The virtualization platform selected through the interaction between client and user is determined as the target virtualization platform, and the data sandbox is built on it programmatically. For example, a virtual switch without an uplink is created on the target virtualization platform and a preset number of isolated network ports are created on it. Because these ports are the mapping of the production network ports into the sandbox, the preset number may equal the number of production network ports, and under some conditions it may be smaller.
b1) Create, on the target virtualization platform, a virtual machine that has a preset operating system and has routing and forwarding enabled, and determine that virtual machine as the proxy device.
In this embodiment, the preset operating system can be understood as a Linux system. The proxy device can be understood as a device used to relay data. It is a Linux virtual machine with routing and forwarding enabled, and it has multiple virtual network cards, one connected to the external network and the others connected to the isolated networks inside the data sandbox. The proxy device is both the only bridge for communication between the outside and the inside of the data sandbox and the router that connects the multiple isolated networks inside the data sandbox.
For example, a virtual machine running a Linux operating system is created on the target virtualization platform and routing and forwarding is enabled on it; that virtual machine is determined as the proxy device that relays traffic between virtual machines inside the data sandbox and between the data sandbox and the target virtualization platform.
c1) Establish the connection between the proxy device and the isolated network ports, and the connection between the proxy device and the target virtualization platform.
In this embodiment, a virtual network card is created on the proxy device, connected to an external-facing production network of the target virtualization platform, and configured with an Internet Protocol (IP) address, establishing the connection between that virtual network card and the production network and thereby connecting the proxy device to the target virtualization platform. In some embodiments, multiple virtual network cards are created on the proxy device, their number equal to the number of isolated network ports; these virtual network cards are configured with addresses corresponding to the isolated network ports, and a connection is established between each virtual network card and its isolated network, thereby connecting the proxy device to the isolated network ports.
In some embodiments, establishing the connection between the proxy device and the isolated network ports includes:
c11) Create a preset number of virtual network cards on the proxy device, and connect each virtual network card to its corresponding isolated network port.
In this embodiment, a preset number of virtual network cards are created on the proxy device, the number of virtual network cards equals the number of isolated network ports, and the virtual network cards are connected to the isolated network ports in one-to-one correspondence.
c12) Determine the gateway address of the production network mapped by each isolated network as the address of the virtual network card corresponding to that isolated network.
In this embodiment, the production network mapped by the isolated network is determined, the gateway address corresponding to that production network is determined, and the gateway address of the production network is set as the IP address of the virtual network card connected to that isolated network.
c13) Receive the network configuration information from the client and configure the subnet mask and masquerade network segment of the virtual network cards according to the network configuration information.
In this embodiment, the network configuration information can be understood as the network address information entered by the user while the client interacts with the user.
For example, the network configuration information of the client is received; it includes the subnet mask and masquerade network segment configuration of the virtual network cards. The subnet mask and masquerade network segment of the virtual network cards are then configured according to the network configuration information transmitted by the client.
d1) Receive the firewall configuration information from the client and configure the corresponding firewall rules on the proxy device according to the firewall configuration information.
In this embodiment, the firewall configuration information can be understood as configuration information for the network packet filter (iptables).
For example, the firewall configuration information is information configured by the user during the interaction between the client and the user; the firewall configuration information transmitted by the client is therefore received, and the corresponding iptables configuration (firewall rule configuration) is applied to the proxy device according to it.
FIG. 3 is a flowchart of the data sandbox construction involved in the virus detection and removal drill method provided in Embodiment 1 of the present application. A data sandbox built in this way has three functions: one-way external connectivity, internal intercommunication, and opening of active requests from inside the data sandbox to the outside for a specified IP address and port. The one-way external connectivity function allows active access from outside the data sandbox to its inside and allows the responses from inside to leave, but does not allow the inside of the data sandbox to actively access the outside. Because the proxy device is the only bridge between the inside of the data sandbox and the outside, the one-way isolation is achieved mainly by configuring the corresponding iptables rules on the proxy device. The internal intercommunication function allows the multiple networks inside the data sandbox to reach one another; it is achieved mainly by marking, on the proxy device, the traffic internal to the isolated networks and setting the corresponding routing policy. The function of opening active outbound requests from inside the data sandbox for a specified IP address and port is a special case of one-way external connectivity: according to actual needs, requests from inside the data sandbox to a specified IP address and port may be allowed through, and this function is likewise achieved by configuring the corresponding iptables rules on the proxy device.
As shown in FIG. 3, the configuration flow of the data sandbox is as follows:
S10. Select a virtualization platform: select a virtualization platform on which to deploy the data sandbox.
S11. Create a virtual switch without an uplink: create a virtual switch without an uplink on that virtualization platform.
S12. Create the proxy device and enable routing and forwarding: create a virtual machine running a Linux operating system on that virtualization platform and enable routing and forwarding on it.
S13. Add a virtual network card to the proxy device, connect it to an external-facing production network of the virtualization platform, and configure an IP address: add a virtual network card on the proxy device, connect it to an external-facing production network of the virtualization platform, and configure its IP address.
S14. Create N port groups on the previously created virtual switch, where N is the number of production networks to be mapped: according to the number of production networks to be mapped, create multiple isolated network port groups on the virtual switch, the number of isolated network port groups being equal to the number of production networks to be mapped.
S15. Add N virtual network cards to the proxy device, connect each to one of the port groups created in the previous step, and configure their IP address, subnet mask and masquerade network segment: create further virtual network cards on the proxy device, connect them one-to-one to the isolated networks, and set the IP address, subnet mask and masquerade network segment of each; the IP address must be set to the gateway address of the production network mapped by the isolated network to which that virtual network card is connected.
S16. Configure iptables rules and arptables rules on the proxy device: configure the corresponding iptables rules and arptables rules on the proxy device. The basic idea of arptables rules is the same as that of iptables, except that arptables handles packets related to the Address Resolution Protocol (ARP).
S17. Determine whether the isolated networks are to intercommunicate internally: if so, go to step S18; if not, go to step S19.
S18. Mark internal traffic on the proxy device and set the routing policy: if internal intercommunication of the isolated networks is enabled, continue configuring the proxy device, marking the packets that match the characteristics of traffic internal to the isolated networks and specifying the corresponding routing policy.
S19. Determine whether a specified IP address and port are to be opened: if so, go to step S20; if not, end the data sandbox construction flow, completing the construction of the data sandbox.
S20. Configure iptables rules on the proxy device: if traffic to a specified external IP address and port is to be released, continue configuring the corresponding iptables rules on the proxy device; once the configuration is complete, end the data sandbox construction flow, completing the construction of the data sandbox.
Embodiment 2
FIG. 4 is a flowchart of a virus detection and removal drill method provided in Embodiment 2 of the present application. This embodiment is an optimization of any of the embodiments above and is applicable to performing a virus detection and removal drill in a data sandbox with a one-way isolation function. The method may be performed by a virus detection and removal drill apparatus, which may be implemented in hardware and/or software.
As shown in FIG. 4, the method includes:
S201. After a workflow start instruction is received, obtain backup data from the disaster recovery system.
S202. Restore the backup data onto a recovery resource in the data sandbox to form initial recovery data, and verify it.
In this embodiment, the initial recovery data can be understood as the backup data restored directly onto the recovery resource and not yet verified.
For example, instead of conventional data recovery, recovery is performed by mounting. Mount-based recovery means mounting the backup data onto the recovery resource over a protocol such as Network File System (NFS), Internet Small Computer System Interface (iSCSI), Fibre Channel Storage Area Network (FC SAN), Simple Storage Service (S3), Hadoop Distributed File System (HDFS) or Container Storage Interface (CSI), so that the initial recovery data is formed on the recovery resource and services are recovered quickly. Because this method does not consume the recovery resource's storage, it both improves recovery efficiency and saves cost. After the backup data has been restored onto the recovery resource in the data sandbox to form the initial recovery data, the initial recovery data is verified by a preset verification method, which determines whether the content of the initial recovery data is consistent with the production data that the backup data backed up; if so, the initial recovery data is determined to have passed verification, and if not, it is determined to have failed verification.
S203. Determine the initial recovery data that passed verification as the target recovery data.
In this embodiment, the target recovery data can be understood as recovery data consistent with the production data, which can be used for the virus detection and removal drill.
For example, initial recovery data that passes verification is thereby shown to be consistent in content with the production data and usable for the virus detection and removal drill; the initial recovery data that passed verification is therefore determined as the target recovery data on which the drill is performed.
S204. Send virus detection and removal engine options to the client, and receive the target virus detection and removal engine fed back by the client.
In this embodiment, the virus detection and removal engine options can be understood as the engines available for the client user to choose from, including antivirus software comprising a software development kit (SDK), a license and a virus signature database, among others. The target virus detection and removal engine can be understood as the engine selected by the client user.
For example, several virus detection and removal engines are sent to the client as options; the client user selects one or more of them, and the client transmits the selection back to the electronic device that executes the present application. The engine selected by the user is determined as the target virus detection and removal engine.
S205. In a pre-built data sandbox with a one-way isolation function, perform a virus detection and removal drill on the target recovery data using the target virus detection and removal engine, wherein the data sandbox includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data resides in a resource directory.
In this embodiment, the data sandbox with a one-way isolation function includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data resides in a resource directory. Multiple instances of the target virus detection and removal engine are launched simultaneously on the recovery resource to scan the target paths on that resource in parallel. To better control the resource usage of the recovery resource, the configurable concurrency of the recovery resource and the concurrency configured for each individual scan task are managed as a resource pool: a parallel scanning upper limit can be configured according to the actual situation of the recovery resource, and a desired concurrency can be configured for each scan task. When the task flow actually executes, the concurrency each scan task may actually use is controlled according to the concurrency upper limit of the recovery resource and the concurrency already in use by running scan tasks. This method makes full use of the recovery resource while also guaranteeing scanning efficiency. The resource pool is a configuration mechanism for the recovery resource that manages the number of engine instances that may run concurrently on the recovery resource and the number of engine instances that a single scan task may run concurrently.
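The two-level concurrency control described above (a per-resource upper limit and a per-task desired concurrency managed as one pool), as an added example that is not the application's own code; the allocation rule, granting min(desired, free) and topping up earlier tasks first when a task releases its slots, is this example's assumption about how the two limits interact.

```python
"""Resource-pool concurrency control for scanning on one recovery resource.

Added example, not the application's own code. The allocation rule (grant
min(desired, free); when slots are released, top up tasks in arrival order)
is an assumption about how the two limits on the page interact.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List


class RecoveryResourcePool:
    def __init__(self, limit: int):
        if limit < 1:
            raise ValueError("per-resource concurrency limit must be >= 1")
        self.limit = limit
        self.desired: Dict[str, int] = {}   # dict order = task arrival order
        self.granted: Dict[str, int] = {}

    @property
    def used(self) -> int:
        """Engine instances currently granted across all running tasks."""
        return sum(self.granted.values())

    def _rebalance(self) -> Dict[str, int]:
        """Hand free slots to tasks in arrival order, never beyond their desired count."""
        changed: Dict[str, int] = {}
        for tid, want in self.desired.items():
            free = self.limit - self.used
            if free == 0:
                break
            extra = min(want - self.granted[tid], free)
            if extra > 0:
                self.granted[tid] += extra
                changed[tid] = self.granted[tid]
        return changed

    def request(self, task_id: str, desired: int) -> int:
        """Register a scan task; returns the instances it may start now (0 = wait)."""
        if desired < 1:
            raise ValueError("task concurrency must be >= 1")
        if task_id in self.desired:
            raise ValueError(f"task {task_id!r} already registered")
        self.desired[task_id] = desired
        self.granted[task_id] = 0
        self._rebalance()
        return self.granted[task_id]

    def release(self, task_id: str) -> Dict[str, int]:
        """A task finished: free its slots; returns {task: new_grant} for tasks topped up."""
        self.desired.pop(task_id)
        self.granted.pop(task_id)
        return self._rebalance()


def shard_paths(paths: List[str], workers: int) -> List[List[str]]:
    """Round-robin the target directories over the granted engine instances."""
    if workers < 1:
        raise ValueError("need at least one granted instance")
    return [paths[i::workers] for i in range(min(workers, len(paths)))]


def run_scan_task(pool: RecoveryResourcePool, task_id: str, paths: List[str],
                  desired: int, scan_dir: Callable[[str], int]) -> int:
    """Run one scan task with as many parallel engine instances as the pool grants
    and return the total number of files scanned. scan_dir(path) -> files scanned."""
    if not paths:
        return 0
    grant = pool.request(task_id, desired)
    try:
        if grant == 0:
            raise RuntimeError(f"{task_id}: recovery resource saturated, queue the task")
        shards = shard_paths(list(paths), grant)
        with ThreadPoolExecutor(max_workers=len(shards)) as ex:
            return sum(ex.map(lambda shard: sum(map(scan_dir, shard)), shards))
    finally:
        pool.release(task_id)
```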
FIG. 5 is a schematic diagram of a virus detection and removal drill provided in Embodiment 2 of the present application. As shown in FIG. 5, the virus detection and removal drill is performed on the target recovery data on the recovery resource in the data sandbox. In the figure, the production environment is the client's business environment; the distributed storage is the backup medium used to store the backup data; the virus scan configuration refers to the configuration of the scan paths of the target recovery data, and this configuration can be connected with other types of configuration in a certain topology to form a specific task flow, through which data recovery, virus detection and removal, recovery data verification, recovery resource cleanup, email notification and other functions are carried out in sequence; the antivirus engine refers to antivirus software comprising the scanning SDK, license and virus signature database; the recovery resource refers to the destination used for data recovery, which may be the production environment or another environment interconnected with the production environment, and the virus scan is also performed on that resource.
For example, as shown in FIG. 5, performing the virus detection and removal drill securely and in isolation from the production network includes: S21, creating the data sandbox and deploying the recovery resource and the antivirus engine client in it, the data sandbox specifying that the port over which the antivirus engine client registers with the virus detection and removal drill server is opened to the outside; S22, configuring the task flow, wherein in the recovery resource configuration of the disaster recovery configuration the virtualization platform on which the data sandbox is deployed is selected as the recovery resource; S23, virus scan configuration, selecting one or more paths on that recovery resource as the paths to be scanned, selecting the antivirus engine client inside the data sandbox as the antivirus client, and then configuring detection and removal; S24, configuring the other nodes in the task flow; S25, launching the task flow.
FIG. 5 includes both a built-in virus detection and removal engine and a third-party engine, so that different types of antivirus engine can be supported and multiple engines can be invoked in an open manner. FIG. 6 is a schematic diagram of the openly integrated antivirus engine involved in the virus detection and removal drill method provided in Embodiment 2 of the present application. As shown in FIG. 6, the openly integrated antivirus engine includes a scan scheduling layer, a scan adaptation layer and the virus detection and removal engines. The scan scheduling layer mainly provides a common set of scan interface definitions, which are implemented by the adapter of each engine; when a scan is initiated, the common interface of the specified engine is called directly, without regard to the engine's own functionality. The scan adaptation layer mainly holds the adapters; an adapter is a uniform wrapper for a given type of antivirus engine, so each engine need only implement the set of interfaces defined by the upper scheduling layer, and the scheduling and use of the engine are implemented inside those interface implementations. A virus detection and removal engine comprises a scanning SDK, a license and a virus signature database file: the SDK contains the series of interfaces needed for scanning, the license file authorizes calling those interfaces, and the virus signature database records virus signatures.
In some embodiments, performing the virus detection and removal drill on the target recovery data using the target virus detection and removal engine includes:
a2) Call, through a preset scan interface, the adapter corresponding to the target virus detection and removal engine.
In this embodiment, the preset scan interface can be understood as the common scan interface definition provided by the scan scheduling layer, which can correspond to multiple types of scan adapter.
For example, the scan scheduling layer calls the preset scan interface to connect to the scan adaptation layer, and through the preset scan interface the adapter corresponding to the target virus detection and removal engine is called in the scan adaptation layer.
b2) Call the target virus detection and removal engine through its corresponding adapter to perform the virus detection and removal drill on the target recovery data.
In this embodiment, after the scan scheduling layer has called the adapters of the scan adaptation layer, the corresponding target virus detection and removal engine is called through each adapter, and the drill is performed on the target recovery data in parallel using the target engines.
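The three layers of FIG. 6 and steps a2) and b2), as an added example that is not the application's own code: a scheduling layer that only knows the common interface, one adapter per engine type that translates that interface onto the engine's own calling convention, and two constructed stand-ins for engine SDKs (the interface names, the license check and the signature tables are all assumptions made for this example).

```python
"""Scheduling layer / adaptation layer / engines, as in FIG. 6.

Added example, not the application's code. ScanAdapter is the assumed common
interface; BuiltinSdk and ThirdPartySdk are constructed stand-ins for vendor
SDKs with different conventions, so the adapters have real translation to do.
"""
from abc import ABC, abstractmethod
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, replace
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    engine: str
    removed: bool = False


class ScanAdapter(ABC):
    """Common interface defined by the scheduling layer (step a2)."""
    name: str = "unnamed"

    @abstractmethod
    def scan(self, path: str) -> List[Finding]: ...

    @abstractmethod
    def remove(self, finding: Finding) -> Finding: ...


class BuiltinSdk:
    """Constructed SDK: reports (path, threat) tuples, offers quarantine()."""
    def __init__(self, signatures: Dict[str, str]):
        self.signatures = signatures            # file name -> threat name (constructed)

    def scan_file(self, path: str) -> List[tuple]:
        name = self.signatures.get(path.rsplit("/", 1)[-1])
        return [(path, name)] if name else []

    def quarantine(self, path: str) -> bool:
        return True


class ThirdPartySdk:
    """Constructed SDK: needs a license key, reports dicts, offers disinfect()."""
    def __init__(self, license_key: str, db: Dict[str, str]):
        if not license_key.startswith("LIC-"):   # constructed license format
            raise PermissionError("third-party engine: invalid license")
        self.db = db

    def check(self, path: str) -> dict:
        name = self.db.get(path.rsplit("/", 1)[-1])
        return {"status": "infected", "name": name} if name else {"status": "clean"}

    def disinfect(self, path: str) -> dict:
        return {"ok": True}


class BuiltinAdapter(ScanAdapter):
    name = "builtin"

    def __init__(self, sdk: BuiltinSdk):
        self.sdk = sdk

    def scan(self, path: str) -> List[Finding]:
        return [Finding(p, t, self.name) for p, t in self.sdk.scan_file(path)]

    def remove(self, finding: Finding) -> Finding:
        return replace(finding, removed=self.sdk.quarantine(finding.path))


class ThirdPartyAdapter(ScanAdapter):
    name = "thirdparty"

    def __init__(self, sdk: ThirdPartySdk):
        self.sdk = sdk

    def scan(self, path: str) -> List[Finding]:
        r = self.sdk.check(path)
        return [Finding(path, r["name"], self.name)] if r["status"] == "infected" else []

    def remove(self, finding: Finding) -> Finding:
        return replace(finding, removed=self.sdk.disinfect(finding.path)["ok"])


class ScanScheduler:
    """Scheduling layer: holds adapters, drives the drill through the common interface."""
    def __init__(self):
        self._adapters: Dict[str, ScanAdapter] = {}

    def register(self, adapter: ScanAdapter) -> None:
        self._adapters[adapter.name] = adapter

    def run_drill(self, engines: Sequence[str], paths: Sequence[str],
                  remove: bool = False, workers: int = 4) -> List[Finding]:
        """a2) resolve each selected engine to its adapter; b2) scan the target paths
        in parallel through that adapter; optionally remove what was found."""
        unknown = [e for e in engines if e not in self._adapters]
        if unknown:
            raise ValueError(f"no adapter registered for engine(s): {unknown}")
        findings: List[Finding] = []
        with ThreadPoolExecutor(max_workers=workers) as pool:
            for engine in engines:
                for hits in pool.map(self._adapters[engine].scan, paths):
                    findings.extend(hits)
        if remove:
            findings = [self._adapters[f.engine].remove(f) for f in findings]
        return sorted(findings, key=lambda f: (f.engine, f.path))


def build_demo_scheduler() -> ScanScheduler:
    """Constructed engines and signature tables for a stand-alone run."""
    s = ScanScheduler()
    s.register(BuiltinAdapter(BuiltinSdk({"invoice.exe": "Trojan.Test.A"})))
    s.register(ThirdPartyAdapter(ThirdPartySdk("LIC-DEMO", {"macro.docm": "Macro.Test.B"})))
    return s
```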
The virus detection and removal drill method provided in this embodiment obtains backup data from the disaster recovery system after a workflow start instruction is received; restores the backup data onto a recovery resource in the data sandbox to form initial recovery data and verifies it; determines the initial recovery data that passed verification as the target recovery data; sends virus detection and removal engine options to the client and receives the target engine fed back by the client; and, in a pre-built data sandbox with a one-way isolation function, performs a virus detection and removal drill on the target recovery data using the target engine, wherein the data sandbox includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data resides in a resource directory. Openly integrating different antivirus engines through the adaptation layer and the scan scheduling layer resolves the differences between engine types and provides a technical basis for integrating further engines in future; users can freely configure detection and removal, making the scanning function more complete; mount-based recovery quickly provides the objects to be scanned, and the resource pool makes full use of the recovery resource, the two mechanisms together achieving efficient, parallel scanning. The method solves the problem of the antivirus environment not being isolated from the production environment, avoids any impact of the scanning process on the production environment, and secures the production data in the production environment while scanning for viruses, reducing economic losses to production.
For example, to explain the content of the embodiments of the present application, an example is given here. The present application includes building a data sandbox with a one-way isolation function and performing the virus detection and removal drill on recovery data on a recovery resource of the data sandbox.
For example, as shown in FIG. 2 and FIG. 5, the method includes:
1. Select a virtualization platform A on which to deploy the data sandbox;
2. Create on A a virtual switch vSwitch2 without an uplink;
3. Create on A a Linux virtual machine as the appliance proxy, and enable routing and forwarding on it;
4. Add a virtual network card vNic1 to the appliance proxy, connect vNic1 to an external-facing production network of A, and configure its IP address;
5. Create an isolated network port group Isolated VM Network1 on vSwitch2, add a virtual network card vNic2 to the appliance proxy and connect vNic2 to Isolated VM Network1. Assume the virtual machine to be restored is vm1 (IP address 192.168.125.100), that vm1 is connected to the production network VM Network1, and that the gateway address of VM Network1 is 192.168.125.254; then configure the IP address of vNic2 as 192.168.125.254, configure its subnet mask as the subnet mask of VM Network1, and set the masquerade network segment of Isolated VM Network1 to 192.168.225.0/24;
6. Assume the IP address of the virus detection and removal drill server is 192.168.10.100 and the port over which the antivirus engine client registers with the server is 9614; then configure the data sandbox to open packets to the specified IP address 192.168.10.100 and port 9614;
7. Set the corresponding iptables rules on the appliance proxy;
8. Deploy on Isolated VM Network1 a virtual machine with the antivirus engine client installed, assumed to be client 1 (client1);
9. Create a task flow in which the recovery resource section of the disaster recovery configuration selects virtualization platform A, and the application configuration section selects vm1 as the virtual machine to be restored, selects A as the recovery destination, names the restored virtual machine vm2 and selects Isolated VM Network1 as its network connection;
10. In the verification configuration, select ping as the virtual machine verification method, with target IP address 192.168.225.100 (the masquerade IP of vm1);
11. In the virus scan configuration, select client1 as the antivirus engine client (because port 9614 of 192.168.10.100 has been opened, the virus detection and removal drill server can discover client1), select the /home path of the restored virtual machine vm2 as the scan path, and select detection and removal;
12. In the cleanup configuration, select script cleanup and specify vm2 as the virtual machine to clean up;
13. After configuration is complete, execute the task flow.
In this embodiment, according to the previously configured task flow, during task execution vm1 is restored to virtualization platform A, where the data sandbox is located; the restored virtual machine is named vm2 and its network is connected to Isolated VM Network1. In the verification stage, ping 192.168.225.100 is used from outside the data sandbox to verify whether vm2 has been recovered normally. After verification, the /home path of vm2 is scanned for viruses. Since the antivirus engine client and vm2 are both connected to Isolated VM Network1, and Isolated VM Network1 is inside the data sandbox and isolated from the outside world, the safety of the virus detection and killing process can be ensured. Finally, a report on this virus detection and killing drill is generated.
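The embodiment names the iptables rules of step 7 without spelling them out. The following Python model is an added illustration, not code from the patent: it assumes the appliance proxy performs 1:1 NETMAP between VM Network1 and the masquerade network and default-denies forwarded traffic, permitting only the outbound client registration of step 6 and the inbound verification ping of step 10; the function names and the rendered rule set are this editor's assumptions.

```python
"""Model of the one-way isolation enforced by the appliance proxy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the embodiment.
PROD_NET = ipaddress.ip_network("192.168.125.0/24")    # VM Network1, reused inside Isolated VM Network1
MASQ_NET = ipaddress.ip_network("192.168.225.0/24")    # masquerade network of Isolated VM Network1
DRILL_SERVER = ipaddress.ip_address("192.168.10.100")  # virus detection and killing drill server
REGISTER_PORT = 9614                                   # antivirus client -> server registration port


@dataclass(frozen=True)
class Packet:
    """First packet of a flow as it arrives at the proxy (replies are left to conntrack)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = echo request


def _translate(addr: str, from_net, to_net) -> str:
    """1:1 NETMAP: keep the host bits, swap the network prefix."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(a) - int(from_net.network_address)
    return str(to_net.network_address + host_bits)


def masquerade(addr: str) -> str:
    """Address of a sandboxed VM as seen from outside: 192.168.125.100 -> 192.168.225.100."""
    return _translate(addr, PROD_NET, MASQ_NET)


def unmasquerade(addr: str) -> str:
    """Outside-facing masquerade address back to the VM's real address (PREROUTING NETMAP)."""
    return _translate(addr, MASQ_NET, PROD_NET)


def forward_decision(pkt: Packet) -> str:
    """Decide whether the proxy forwards a new flow; default deny in both directions."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in PROD_NET and dst in PROD_NET:
        # client1 <-> vm2 traffic stays on Isolated VM Network1 and never reaches the proxy.
        return "NOT_ROUTED"
    if src in PROD_NET:
        # Inside -> outside: only the client's registration with the drill server (step 6).
        if pkt.proto == "tcp" and dst == DRILL_SERVER and pkt.dport == REGISTER_PORT:
            return "ACCEPT"
        return "DROP"
    if dst in MASQ_NET:
        # Outside -> inside: destination is NETMAPped to PROD_NET before filtering; only the
        # echo request used by the verification step (step 10) is allowed through.
        unmasquerade(pkt.dst)
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            return "ACCEPT"
        return "DROP"
    return "DROP"


def iptables_rules() -> list:
    """Render an equivalent iptables rule set for the appliance proxy (assumed, not the patent's)."""
    return [
        f"iptables -t nat -A PREROUTING -d {MASQ_NET} -j NETMAP --to {PROD_NET}",
        f"iptables -t nat -A POSTROUTING -s {PROD_NET} -j NETMAP --to {MASQ_NET}",
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {PROD_NET} -d {DRILL_SERVER} -p tcp --dport {REGISTER_PORT}"
        " -m conntrack --ctstate NEW -j ACCEPT",
        f"iptables -A FORWARD -d {PROD_NET} -p icmp --icmp-type echo-request -j ACCEPT",
    ]
```

Because vNic2 carries the production gateway address 192.168.125.254, the restored vm2 keeps its original network settings and still sees a working default gateway, while everything it sends is either dropped or translated to the masquerade range.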
Embodiment 3
FIG. 7 is a schematic structural diagram of a virus detection and killing drill apparatus provided in Embodiment 3 of the present application. As shown in FIG. 7, the apparatus includes:
a backup data recovery module 31, configured to obtain backup data from the disaster recovery system after receiving a workflow start instruction;
a recovery data determination module 32, configured to perform data recovery on the backup data and determine target recovery data;
a virus detection and killing drill module 33, configured to perform a virus detection and killing drill on the target recovery data in a pre-built data sandbox with a one-way isolation function.
The virus detection and killing drill apparatus adopted in the present application solves the problem that the antivirus environment and the production environment are not isolated, avoids any impact of the virus detection and killing process on the production environment, ensures the security of production data in the production environment while performing virus detection and killing, and reduces economic losses in production.
Optionally, the recovery data determination module 32 is configured to:
restore the backup data to a recovery resource in the data sandbox to form initial recovery data, and verify it;
determine the initial recovery data that passes verification as the target recovery data.
Optionally, the virus detection and killing drill module 33 includes:
a target engine determination unit, configured to send virus detection and killing engine options to a client and receive the target virus detection and killing engine fed back by the client;
a virus detection and killing drill unit, configured to perform, in a pre-built data sandbox with a one-way isolation function, a virus detection and killing drill on the target recovery data according to the target virus detection and killing engine, wherein the data sandbox includes at least one recovery resource, each recovery resource includes at least one resource directory, and the target recovery data resides in the resource directory.
Optionally, the virus detection and killing drill unit is configured to:
call the adapter corresponding to the target virus detection and killing engine through a preset virus detection and killing interface;
call the target virus detection and killing engine through its corresponding adapter to perform the virus detection and killing drill on the target recovery data.
Optionally, the apparatus further includes:
a drill report generation module, configured to generate a virus detection and killing drill report and feed the report back to the server.
Optionally, the apparatus further includes a data sandbox creation module, including:
an isolated network creation unit, configured to create a virtual switch without an uplink on a target virtualization platform and to create a preset number of isolated network ports on the virtual switch;
a proxy device determination unit, configured to create, on the target virtualization platform, a virtual machine with a preset operating system and routing forwarding enabled, and to determine that virtual machine as the proxy device;
a proxy connection establishment unit, configured to establish connections between the proxy device and the preset number of isolated network ports, and a connection between the proxy device and the target virtualization platform;
a rule configuration unit, configured to receive firewall configuration information from a client and perform the corresponding firewall rule configuration on the proxy device according to the firewall configuration information.
Optionally, the proxy connection establishment unit is configured to:
create a preset number of virtual network cards on the proxy device and connect them one-to-one to the preset number of isolated network ports;
determine the gateway address of the production network mapped by each isolated network as the address of the virtual network card corresponding to that isolated network;
receive network configuration information from the client and configure the subnet mask and masquerade network segment of the virtual network card according to the network configuration information.
The virus detection and killing drill apparatus provided in the embodiment of the present application can execute the virus detection and killing drill method provided in any embodiment of the present application, and has the functional modules and beneficial effects corresponding to the executed method.
Embodiment 4
FIG. 8 shows a schematic structural diagram of an electronic device 40 that can be used to implement embodiments of the present application. The electronic device may represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing devices, cellular phones, smartphones, wearable devices (such as helmets, glasses, watches, etc.) and other similar computing devices. The components shown herein, their connections and relationships, and their functions are by way of example only.
As shown in FIG. 8, the electronic device 40 includes at least one processor 41 and a memory communicatively connected to the at least one processor 41, such as a read-only memory (ROM) 42, a random access memory (RAM) 43, etc., wherein the memory stores a computer program executable by the at least one processor, and the processor 41 can perform various appropriate actions and processes according to the computer program stored in the ROM 42 or the computer program loaded from the storage unit 48 into the RAM 43. The RAM 43 may also store various programs and data required for the operation of the electronic device 40. The processor 41, the ROM 42 and the RAM 43 are connected to one another through a bus 44. An input/output (I/O) interface 45 is also connected to the bus 44.
Multiple components in the electronic device 40 are connected to the I/O interface 45, including: an input unit 46, such as a keyboard, a mouse, etc.; an output unit 47, such as various types of displays, speakers, etc.; a storage unit 48, such as a magnetic disk, an optical disk, etc.; and a communication unit 49, such as a network card, a modem, a wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices through a computer network such as the Internet and/or various telecommunication networks.
The processor 41 may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Some examples of the processor 41 include a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, digital signal processors (DSPs), and any appropriate processors, controllers, microcontrollers, etc. The processor 41 performs the various methods and processes described above, such as the virus detection and killing drill method.
In some embodiments, the virus detection and killing drill method may be implemented as a computer program tangibly contained in a computer-readable storage medium, such as the storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed on the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into the RAM 43 and executed by the processor 41, one or more steps of the virus detection and killing drill method described above may be performed. Alternatively, in other embodiments, the processor 41 may be configured to perform the virus detection and killing drill method in any other appropriate manner (for example, by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard parts (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor and which may receive data and instructions from a storage system, at least one input device and at least one output device, and transmit data and instructions to the storage system, the at least one input device and the at least one output device.
The computer programs for implementing the methods of the present application may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, so that when the computer programs are executed by the processor, the functions/operations specified in the flow charts and/or block diagrams are implemented. The computer programs may be executed entirely on a machine, partially on a machine, partially on a machine and partially on a remote machine as a stand-alone software package, or entirely on a remote machine or server.
In the context of the present application, a computer-readable storage medium may be a tangible medium that may contain or store a computer program for use by or in conjunction with an instruction execution system, apparatus or device. A computer-readable storage medium may include an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. Alternatively, a computer-readable storage medium may be a machine-readable signal medium. Examples of machine-readable storage media include an electrical connection based on one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide interaction with a user, the systems and techniques described herein may be implemented on an electronic device having: a display device (for example, a cathode ray tube (CRT), a liquid crystal display (LCD) or a monitor) for displaying information to the user; and a keyboard and a pointing device (for example, a mouse or a trackball) through which the user can provide input to the electronic device. Other types of devices may also be used to provide interaction with the user; for example, the feedback provided to the user may be any form of sensory feedback (for example, visual, auditory or tactile feedback), and input from the user may be received in any form (including acoustic, voice or tactile input).
The systems and techniques described herein may be implemented in a computing system that includes back-end components (for example, as a data server), or a computing system that includes middleware components (for example, an application server), or a computing system that includes front-end components (for example, a user computer with a graphical user interface or a web browser through which a user can interact with implementations of the systems and techniques described herein), or a computing system that includes any combination of such back-end, middleware or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (for example, a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), a blockchain network and the Internet.
A computing system may include a client and a server. The client and the server are generally remote from each other and usually interact through a communication network. The client-server relationship arises from computer programs running on the respective computers and having a client-server relationship with each other. The server may be a cloud server, also known as a cloud computing server or cloud host, which is a host product in the cloud computing service system that addresses the defects of difficult management and weak business scalability found in traditional physical hosts and virtual private server (VPS) services.
Claims (10)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311436379.6 | 2023-10-31 | | |
| CN202311436379.6A CN117251845A (en) | 2023-10-31 | 2023-10-31 | A virus scanning and killing drill method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025092706A1 true WO2025092706A1 (en) | 2025-05-08 |
Family
ID=89133348
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/127999 Pending WO2025092706A1 (en) | 2023-10-31 | 2024-10-29 | Virus detection and removal drilling method and apparatus, device, and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN117251845A (en) |
| WO (1) | WO2025092706A1 (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117251845A (en) * | 2023-10-31 | 2023-12-19 | 上海爱数信息技术股份有限公司 | A virus scanning and killing drill method, device, equipment and storage medium |
| CN119848842B (en) * | 2024-11-14 | 2025-11-07 | 天翼云科技有限公司 | Virus detection method and device |
| CN119322655A (en) * | 2024-12-19 | 2025-01-17 | 成都云祺科技有限公司 | Industry compliance verification method, system, equipment and storage medium |
| CN119377012B (en) * | 2024-12-26 | 2025-11-18 | 杭州美创数智科技有限公司 | Application of disaster recovery switching drills: methods, devices, computer equipment, and storage media |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107506295A (en) * | 2017-07-12 | 2017-12-22 | 深信服科技股份有限公司 | Method of testing, equipment and the computer-readable recording medium of virtual machine backup |
| CN110674502A (en) * | 2019-09-19 | 2020-01-10 | 华为技术有限公司 | A data detection method and device |
| CN110727501A (en) * | 2019-09-29 | 2020-01-24 | 上海英方软件股份有限公司 | Practicing method and system based on virtual machine backup data |
| US11341234B1 (en) * | 2019-06-05 | 2022-05-24 | EMC IP Holding Company LLC | System for securely recovering backup and data protection infrastructure |
| CN117251845A (en) * | 2023-10-31 | 2023-12-19 | 上海爱数信息技术股份有限公司 | A virus scanning and killing drill method, device, equipment and storage medium |
- 2023-10-31 CN CN202311436379.6A patent/CN117251845A/en active Pending
- 2024-10-29 WO PCT/CN2024/127999 patent/WO2025092706A1/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN117251845A (en) | 2023-12-19 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24884709; Country of ref document: EP; Kind code of ref document: A1 |