Security Center provides all-round security checks and protection capabilities to your assets deployed on Alibaba Cloud, multi-cloud environments, and data centers. Security Center provides the following editions: Basic, Anti-virus, Advanced, Enterprise, and Ultimate. This topic describes the features provided by Security Center and the differences in the features among these editions.

Note
  • If you require only the value-added features of Security Center, you can purchase the Value-added Plan edition of Security Center. The value-added features include web tamper proofing and anti-ransomware. You are charged only for the selected value-added features when you use the Value-added Plan edition. This edition provides the same basic services as the Basic edition.
  • The following symbols are used in the tables of this topic:
    • Not supported: indicates that the feature is not supported.
    • Supported: indicates that the feature is supported.
    • Value-added: indicates a value-added feature. You can use value-added features by enabling them when you purchase or upgrade Security Center.
    • Application required: indicates that the feature is available only when you successfully apply for the feature from Security Center.

Pricing

Billable item | Basic | Anti-virus | Advanced | Enterprise | Ultimate | Value-added Plan
Basic service fees | Free | USD 1 per core-month | USD 9.5 per server-month | USD 23.5 per server-month | USD 23.5 per server-month + USD 1 per core-month | Free
Value-added service fees: Web Tamper Protection | Not supported | USD 165 per server-month | USD 165 per server-month | USD 165 per server-month | USD 165 per server-month | USD 165 per server-month
Value-added service fees: Anti-ransomware | Not supported | USD 0.045 per GB-month | USD 0.045 per GB-month | USD 0.045 per GB-month | USD 0.045 per GB-month | USD 0.045 per GB-month
Value-added service fees: Log Analysis | Not supported | USD 0.1 per GB-month | USD 0.1 per GB-month | USD 0.1 per GB-month | USD 0.1 per GB-month | Not supported
Value-added service fees: Container image scan | Not supported | Not supported | USD 0.3 per image | USD 0.3 per image | USD 0.3 per image | USD 0.3 per image
Value-added service fees: Cloud honeypot | Not supported | USD 333.33 per honeypot-month | USD 333.33 per honeypot-month | USD 333.33 per honeypot-month | USD 333.33 per honeypot-month | USD 333.33 per honeypot-month
Subscription duration | Unlimited | Monthly subscription supported | Monthly subscription supported | Monthly subscription supported | Monthly subscription supported | Monthly subscription supported
  • On July 21, 2022, the basic fees for Security Center Ultimate were changed from USD 3 per core per month to USD 23.5 per server per month + USD 1 per core per month. You can no longer purchase the product expert service, but you can still renew a product expert service that you already purchased.
  • If you purchased Security Center Ultimate before July 21, 2022, you are charged at the original prices when you renew, upgrade, or downgrade Security Center.
  • Starting from July 21, 2022, the new basic fees apply when you purchase Security Center Ultimate or upgrade Security Center to the Ultimate edition. Basic fees = USD 23.5 per server per month + USD 1 per core per month.

Overview

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Secure Score
Security Center evaluates your assets for vulnerabilities and assigns a security score which provides a reference on the security of your assets.
Supported | Supported | Supported | Supported | Supported

Assets

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
View information on the Cloud Asset Overview tab
Security Center provides an overview of your cloud assets, and allows you to view network topology, security score, and security risks. Security Center also provides a unified console where you can manage your cloud assets.
Not supported | Not supported | Not supported | Supported | Supported
Use the feature of container network topology
Security Center provides a GUI that simplifies the management of your assets such as clusters, containers, images, and applications. Security Center also displays the network topology of your container assets. This gives you a bird's-eye view of the security status of your containers and the network connections between them.
Not supported | Not supported | Not supported | Not supported | Supported
Server list
Security Center displays security information about each protected server. This information includes the risk status, group, region, and virtual private cloud (VPC).
Supported | Supported | Supported | Supported | Supported
Use the asset fingerprints feature
Security Center collects the following types of server fingerprints:
  • Accounts

    Security Center collects information about server accounts and their permissions, and checks privileged accounts to detect privilege escalation activities.

  • Ports

    Security Center collects and displays port listening information to check open ports.

  • Processes

    Security Center collects and displays process snapshots to verify trusted processes and detect untrusted processes.

  • Middleware

    Security Center collects information about middleware of your assets.

  • Databases

    Security Center collects information about databases of your assets.

  • Web services

    Security Center collects information about web services of your assets.

  • Software

    Security Center scans software installation information and identifies affected assets when high-risk vulnerabilities are detected.

  • Scheduled tasks

    Security Center collects information about scheduled tasks of your assets.

  • Startup items

    Security Center collects information about startup items to help you quickly identify at-risk items.

  • Kernel modules

    Security Center collects information about kernel modules to help you quickly identify at-risk kernel modules.

  • Websites

    Security Center collects information about websites of your assets.

  • IDC probe findings

    If you install an IDC probe on a server in a data center, the IDC probe findings tab displays information about other servers in the data center. You can obtain an overview about the servers in the data center.

Not supported | Not supported | Not supported | Supported | Supported
Use the security check feature
After you perform a quick check task, Security Center performs checks such as vulnerability detection and baseline checks on specified servers based on your configurations.
Not supported | Not supported | Supported | Supported | Supported
Container security
Security Center provides the security statistics of your clusters, pods, containers, and images.
Not supported | Not supported | Not supported | Not supported | Supported
Cloud product security
Security Center displays the security information about cloud services. The information includes at-risk cloud services and their service types. The service types include Server Load Balancer (SLB) and ApsaraDB RDS.
Supported | Supported | Supported | Supported | Supported
Website security
Security Center displays security information about each protected website. The information includes the root domain, subdomains, risk status, and alerts.
Supported | Supported | Supported | Supported | Supported

Risk Management

Exposure Analysis

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Asset exposure analysis
Security Center visualizes the communication links between your Elastic Compute Service (ECS) instances and the Internet. Security Center also provides a central location that displays the vulnerabilities of your ECS instances as well as suggestions for handling them. You can quickly identify the exposures of your assets on the Internet.
Not supported | Not supported | Not supported | Supported | Supported

Vulnerabilities

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Linux software vulnerability management
Security Center compares installed software versions against Open Vulnerability and Assessment Language (OVAL) definitions by using its OVAL matching engine, and generates alerts when the installed version is affected by a vulnerability that is recorded in the Common Vulnerabilities and Exposures (CVE) database.
Supported (Only the automatic vulnerability detection feature is supported.) | Supported | Supported | Supported | Supported
Security Center supports the automatic fixing of system vulnerabilities and automatic creation of snapshots. This allows you to undo fixes by using snapshots.
Not supported | Not supported | Supported | Supported | Supported
Windows system vulnerability management
Security Center obtains Microsoft updates for Windows operating systems, detects high-risk vulnerabilities, and generates alerts for these vulnerabilities.
Supported (Only the automatic vulnerability detection feature is supported.) | Supported | Supported | Supported | Supported
Security Center automatically identifies pre-patches that are used to fix vulnerabilities to prevent failures caused by the lack of the required pre-patches. This allows you to fix Windows vulnerabilities with a few clicks. Security Center also generates alerts for vulnerabilities that require a system restart after the vulnerabilities are fixed. This allows you to fix Windows system vulnerabilities in an efficient manner.
Not supported | Not supported | Supported | Supported | Supported
Web-CMS vulnerability management
Security Center monitors web directories, recognizes common website builders, and checks the vulnerability database to identify vulnerabilities in website builders.
Supported (Only the automatic vulnerability detection feature is supported.) | Supported | Supported | Supported | Supported
Security Center uses patches developed by Alibaba Cloud to replace and modify source code. This allows you to fix vulnerabilities with a few clicks.
Not supported | Not supported | Supported | Supported | Supported
Urgent vulnerability management
Security Center detects urgent vulnerabilities when they are made public. Security Center does not support automatic fixing of urgent vulnerabilities. You must follow the instructions provided by Security Center to manually fix the vulnerabilities.
Supported | Supported | Supported | Supported | Supported
Application vulnerability management
Security Center detects weak passwords for system services and vulnerabilities in system services and applications.
Not supported | Not supported | Not supported | Supported | Supported
Scan for vulnerabilities
Security Center allows you to run quick scan tasks on your assets to detect vulnerabilities in real time.
Supported (Only the detection of urgent vulnerabilities is supported.) | Supported (The detection of application vulnerabilities is not supported.) | Supported (The detection of application vulnerabilities is not supported.) | Supported | Supported
Display of vulnerabilities that require immediate fixing
Security Center provides a centralized entry point for you to view and fix all vulnerabilities with high priorities.
Not supported | Not supported | Supported | Supported | Supported
YUM and APT source configuration
Security Center allows you to preferentially use YUM or APT sources maintained by Alibaba Cloud to fix vulnerabilities. After you turn on YUM/APT Source Configuration, Security Center automatically selects YUM or APT sources maintained by Alibaba Cloud. This improves the success rate of vulnerability fixing.
Note Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If the YUM or APT source is invalid, the vulnerability fix may fail.
Not supported | Not supported | Supported | Supported | Supported
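To make the OVAL-style comparison behind Linux software vulnerability management concrete, the following is an added example, not Security Center's own code. It compares installed Debian package versions against "fixed" versions using dpkg's version ordering rules (epoch, upstream, revision; a tilde sorts before everything, including the end of the string), which is exactly the kind of check that decides whether a package is affected. The package inventory, the definition IDs, and the fixed versions are all constructed for illustration and are not real advisories.

```python
r"""Added example (not Security Center's code): OVAL-style matching of installed
package versions against fixed versions, using dpkg's version ordering rules.

The inventory is constructed to look like the output of
    dpkg-query -W -f='${Package} ${Version}\n'
and every definition ID and fixed version below is hypothetical.
"""


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, then digits,
    then letters, then every other character."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate runs of
    non-digits (compared by _order) and runs of digits (compared numerically,
    leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more significant digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep or not epoch.isdigit():
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for Debian versions a and b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


# Constructed inventory (shape of dpkg-query output, values made up).
DPKG_QUERY_OUTPUT = """\
openssl 1.1.1n-0+deb11u3
curl 7.74.0-1.3+deb11u7
bash 5.1-2+deb11u1
"""

# Hypothetical OVAL-style criteria: installed version < fixed => affected.
DEFINITIONS = [
    {"id": "EXAMPLE-DEF-0001", "package": "openssl", "fixed": "1.1.1n-0+deb11u4"},
    {"id": "EXAMPLE-DEF-0002", "package": "curl", "fixed": "7.74.0-1.3+deb11u7"},
    {"id": "EXAMPLE-DEF-0003", "package": "bash", "fixed": "5.1-2+deb11u1~bpo11+1"},
    {"id": "EXAMPLE-DEF-0004", "package": "nginx", "fixed": "1.18.0-6.1+deb11u3"},
]


def parse_inventory(dpkg_output):
    """Map package name -> installed version from 'name version' lines."""
    inventory = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            inventory[name] = version.strip()
    return inventory


def find_affected(dpkg_output, definitions):
    """Evaluate each definition against the inventory. Packages that are not
    installed do not match, and an installed version equal to the fixed
    version is not affected."""
    inventory = parse_inventory(dpkg_output)
    findings = []
    for d in definitions:
        installed = inventory.get(d["package"])
        if installed is not None and compare_versions(installed, d["fixed"]) < 0:
            findings.append({**d, "installed": installed})
    return findings


if __name__ == "__main__":
    for f in find_affected(DPKG_QUERY_OUTPUT, DEFINITIONS):
        print(f"{f['id']}: {f['package']} {f['installed']} < {f['fixed']}")
```

Only the openssl definition matches: curl is already at the fixed version, bash is newer than the tilde-suffixed fixed version, and nginx is not installed. Getting the ordering rules right matters in practice, because a naive string comparison would call bash "vulnerable" here and miss the u3 vs u4 revision difference in other cases.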

Baseline Check

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Server baseline check
Security Center dispatches tasks to check server configurations. Security Center generates alerts when configuration risks are detected.

Security Center allows you to specify check items, detection intervals, and servers to customize check policies. Custom check scripts are not supported.

Security Center allows you to customize weak password rules. Security Center checks the configurations of your cloud services by using a custom check policy. Security Center generates alerts when weak passwords are detected.

Security Center performs baseline checks on the following items:
  • High-risk exploits

    Security Center detects unauthorized access risks, such as CouchDB or Docker services that can be accessed without authentication.

  • Containers

    Security Center detects risks on Docker, Kubernetes Master, and Kubernetes Node.

  • Classified protection compliance

    Security Center performs security checks against Multi-Level Protection Scheme (MLPS) level 3, MLPS level 2, and Center for Internet Security (CIS) standards.

  • Best security practices

    Security Center performs security checks on Linux, Windows, and Redis.

  • Weak passwords

    Security Center detects weak passwords during logons, such as ApsaraDB for MongoDB, FTP, and Linux logons.

Not supported | Not supported | Supported (Only the detection of weak passwords is supported.) | Supported | Supported
Container baseline checks
Security Center performs security checks on the baseline configurations of containers. It also generates alerts for the detected risks. Security Center detects the following items:
  • Alibaba Cloud Standard - Docker security baseline check

    Security Center checks the baseline against the Alibaba Cloud standard of best practices for Docker. This check covers different dimensions, such as security audit, service configurations, and file permissions. Security Center generates alerts at the earliest opportunity when risks are detected.

  • Alibaba Cloud Standard - Kubernetes-Master security baseline check

    Security Center checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master.

  • Alibaba Cloud Standard - Kubernetes-Node security baseline check

    Security Center checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Node.

Not supported | Not supported | Not supported | Supported | Supported
Baseline risk fixing
Security Center mitigates risks that are detected from the baseline checks of Alibaba Cloud security and classified protection compliance.
Not supported | Not supported | Not supported | Supported | Supported
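The server baseline check above dispatches check items such as the CIS and best-practice items for Linux. The following added example, which is not Security Center's own check, shows what one such item looks like in code: it resolves the effective sshd settings from a constructed sshd_config and compares them against CIS-style expectations. Two details matter for correctness and are easy to get wrong: sshd keeps the first value it sees for a keyword, so a later "fix" lower in the file is inert, and settings inside a Match block apply only conditionally. The config text is constructed, and the defaults used for absent keywords are assumptions based on OpenSSH's documented defaults.

```python
"""Added example (not Security Center's code): a baseline check of sshd settings
over a constructed sshd_config. The check items are CIS-style hardening items
and the defaults are assumptions based on OpenSSH's documented defaults.
"""

SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config for the example
Port 22
PermitRootLogin yes
# sshd keeps the first value it sees for a keyword, so this line is inert
PermitRootLogin no
MaxAuthTries 6
X11Forwarding no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
"""

# (keyword, assumed default when absent, predicate on the value, expected value)
CHECKS = [
    ("PermitRootLogin", "prohibit-password", lambda v: v == "no", "no"),
    ("PasswordAuthentication", "yes", lambda v: v == "no", "no"),
    ("PermitEmptyPasswords", "no", lambda v: v == "no", "no"),
    ("MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 4, "4 or less"),
    ("X11Forwarding", "no", lambda v: v == "no", "no"),
]


def effective_settings(config_text):
    """Resolve global settings the way sshd does: keywords are case-insensitive,
    the first occurrence wins, and everything from the first Match block on
    applies only conditionally, so it is excluded from the global view."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def check_baseline(config_text):
    """Return one finding per check item whose effective value fails, noting
    whether the value was set explicitly or came from the assumed default."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, default, ok, expected in CHECKS:
        explicit = keyword.lower() in settings
        value = settings.get(keyword.lower(), default)
        if not ok(value.lower()):
            findings.append({
                "item": keyword,
                "value": value,
                "source": "explicit" if explicit else "default",
                "expected": expected,
            })
    return findings


if __name__ == "__main__":
    for f in check_baseline(SSHD_CONFIG):
        print(f"FAIL {f['item']}={f['value']} ({f['source']}), expected {f['expected']}")
```

Against the constructed file, PermitRootLogin fails on the first (effective) value, MaxAuthTries fails on its explicit value, and PasswordAuthentication fails on the default because the only setting for it sits inside the Match block and does not apply globally.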

Configuration assessment

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Configuration assessment
Security Center detects risks in the configurations of Alibaba Cloud services, such as ECS and ApsaraDB RDS.
Security Center performs the following detection:
  • ECS

    Security Center checks whether the port access policies of security groups are excessively loose.

  • SLB

    Security Center detects ports that are unnecessarily exposed to the Internet. Such ports increase the attack surface.

  • RDS

    Security Center checks whether databases are accessible over the Internet and whether an access whitelist is configured.

  • ActionTrail

    Security Center checks whether auditing of operations logs is enabled. This type of audit facilitates event tracing.

  • MFA

    Security Center checks whether two-factor authentication is enabled. This type of authentication protects Alibaba Cloud accounts.

  • Other risks

    Security Center checks whether an SLB whitelist is configured and whether encrypted communications are enabled for ApsaraDB RDS.

Supported (Only specific check items are supported.) | Supported (Only specific check items are supported.) | Supported (Only specific check items are supported.) | Supported | Supported
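The ECS check item above ("whether the port access policies of security groups are excessively loose") is the kind of assessment that is worth scripting yourself for accounts that only have the Basic edition. The following is an added example, not Security Center's check. It evaluates a constructed list of security group rules, flags ingress Accept rules that open sensitive ports to any source, and skips a rule when a Drop rule of equal or higher priority already shadows it. The rule dicts are only modeled on the shape of the ECS DescribeSecurityGroupAttribute response (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, Priority); those field names and the assumption that a smaller Priority number wins and that Drop beats Accept at equal priority should be verified against the ECS API reference.

```python
"""Added example (not Security Center's code): assessing ECS security group rules
for Internet exposure. Rule fields are assumptions modeled on the ECS
DescribeSecurityGroupAttribute response; the rule list is constructed.
"""
import ipaddress

# Ports that should not be reachable from the Internet (illustrative list).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017, 2375, 2376, 6443, 10250}

RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "6379/6379", "SourceCidrIp": "0.0.0.0/0", "Priority": 50},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "6379/6379", "SourceCidrIp": "0.0.0.0/0", "Priority": 10},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": 100},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0", "Priority": 1},
]


def port_range(rule):
    """Return (low, high) for a rule; ALL or -1/-1 means every port."""
    if rule["IpProtocol"].upper() == "ALL" or rule["PortRange"] == "-1/-1":
        return 1, 65535
    lo, hi = rule["PortRange"].split("/")
    return int(lo), int(hi)


def is_shadowed(rule, rules):
    """True if a Drop rule in the same direction with an equal or higher
    priority (smaller number, assumption) covers the rule's whole port range
    and its whole source range."""
    lo, hi = port_range(rule)
    src = ipaddress.ip_network(rule["SourceCidrIp"])
    for other in rules:
        if other is rule or other["Direction"] != rule["Direction"] or other["Policy"] != "Drop":
            continue
        if other["Priority"] > rule["Priority"]:
            continue
        olo, ohi = port_range(other)
        osrc = ipaddress.ip_network(other["SourceCidrIp"])
        if olo <= lo and hi <= ohi and src.version == osrc.version and (osrc == src or osrc.supernet_of(src)):
            return True
    return False


def assess_security_group(rules):
    """Flag ingress Accept rules that expose sensitive ports to any source
    (prefix length 0) and are not shadowed by a Drop rule."""
    findings = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
            continue
        if ipaddress.ip_network(rule["SourceCidrIp"]).prefixlen != 0:
            continue
        lo, hi = port_range(rule)
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed and not is_shadowed(rule, rules):
            findings.append({"PortRange": rule["PortRange"], "IpProtocol": rule["IpProtocol"], "exposed_ports": exposed})
    return findings


if __name__ == "__main__":
    for f in assess_security_group(RULES):
        print(f"{f['IpProtocol']} {f['PortRange']} open to the Internet, sensitive ports: {f['exposed_ports']}")
```

The 443 rule is not reported because it exposes no sensitive port, the 3306 rule is private-only, and the open 6379 rule is shadowed by the higher-priority Drop; what remains is SSH on 22 and the catch-all rule that opens every port.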

AccessKey pair leaks

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Detection of AccessKey pair leaks
Security Center monitors code hosting platforms such as GitHub in real time to detect AccessKey leaks of Alibaba Cloud assets in source code.
Supported | Supported | Supported | Supported | Supported

Alerts generated by cloud honeypot

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Cloud honeypot
Security Center provides capabilities such as attack discovery and defense within and outside the cloud. You can create honeypots in VPCs and servers that are protected by Security Center. This protects the servers from attacks that are launched within and outside the cloud and reinforces the security of the servers.
Not supported | Value-added | Value-added | Value-added | Value-added

Detection and Response

Alerts

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Suspicious process
Security Center traces intrusion sources based on real attack-defense scenarios in the cloud and creates a process whitelist. Security Center generates alerts when unauthorized processes or intrusion attacks are detected.

Security Center builds approximately 1,000 process patterns for hundreds of processes and compares the processes against these patterns to detect suspicious processes.

Security Center performs the following detection:
  • Reverse shells

    Security Center detects suspicious command execution by Bash processes, and arbitrary command execution on servers under remote control.

  • Suspicious command execution in databases

    Security Center detects suspicious command execution in databases, such as MySQL, PostgreSQL, SQL Server, Redis, and Oracle.

  • Unauthorized operations in application processes

    Security Center detects unauthorized operations in application processes, such as Java, FTP, Tomcat, Docker container, and Lsass.exe processes.

  • Unauthorized system processes

    Security Center detects unauthorized system processes, such as PowerShell, SSH, Remote Desktop Protocol (RDP), Server Message Block Daemon (SMBD), and Secure Copy Protocol (SCP) processes.

  • Other suspicious processes

    Security Center detects activities of other suspicious processes, such as unusual access to Visual Basic Script (VBScript), unusual access to hosts, writing of crontab files, and webshell injection.

Not supported | Supported | Supported | Supported | Supported
Webshell
Security Center detects webshells in website script files, such as PHP, ASP, and JSP files, on both the server side and the network side.

Security Center performs the following detection:

  • Server-based detection

    Security Center monitors changes to web directories on servers in real time.

  • Network-based detection

    Security Center captures webshell files and identifies network protocols to detect webshells.

Supported (The Basic edition detects only some webshells.) | Supported | Supported | Supported | Supported
Security Center also supports webshell detection and removal, which allows you to manually quarantine detected webshell files. Files that are quarantined can be restored within 30 days.
Not supported | Supported | Supported | Supported | Supported
Unusual logon
Security Center provides basic detection services.

Security Center performs the following detection:

  • Logons from unapproved locations

    Security Center detects logons from unapproved locations. Security Center automatically records locations where logons to ECS instances are allowed. These locations can also be manually added. Security Center generates alerts when logons from unapproved locations are detected.

  • Brute-force attacks

    Security Center detects logons to ECS instances after multiple failed attempts. This may indicate that these ECS instances are compromised due to brute-force attacks.

Supported | Supported | Supported | Supported | Supported
Security Center provides advanced detection services.

Security Center performs the following detection:

  • Logons from unapproved IP addresses

    Security Center detects logons from unapproved IP addresses. Security Center allows you to specify approved IP addresses, such as the IP addresses of bastion hosts and the private networks of companies, from which users are allowed to log on to ECS instances. Security Center generates alerts when logons from unapproved IP addresses are detected.

  • Logons from unapproved accounts

    Security Center detects logons from unapproved accounts. Security Center allows you to specify approved accounts, with which users are allowed to log on to ECS instances. Security Center generates alerts when logons from unapproved accounts are detected.

  • Logons within unapproved time ranges

    Security Center detects logons within unapproved time ranges. Security Center allows you to specify approved time ranges, such as business hours, during which users are allowed to log on. Security Center generates alerts when logons within unapproved time ranges are detected.

Not supported | Not supported | Supported | Supported | Supported
Tampering of sensitive files
Security Center monitors sensitive directories and files, and generates alerts if suspicious read, write, or delete operations are detected.
Security Center performs the following detection:
  • Tampering of system files

    Security Center checks whether Bash and ps commands are replaced or whether hidden and unauthorized processes are running.

  • Removal of core website files

    Security Center detects malicious removal of core website files after servers are attacked.

  • Trojan insertion

    Security Center checks whether malicious code is inserted into a website. If malicious code is inserted into a website, trojans are automatically downloaded when users visit the website.

  • Other suspicious activities

    Security Center checks whether ransomware has tampered with the Linux or MySQL logon pages to insert email addresses or Bitcoin wallet addresses.

Not supported | Supported | Supported | Supported | Supported
Malicious processes
Security Center scans processes on a regular basis, monitors process startups, and detects viruses and trojans by using the cloud antivirus mechanism. You can terminate malicious processes and manually quarantine malicious files with a few clicks in the Security Center console.
The virus library that is used for cloud antivirus has the following characteristics:
  • Up-to-date virus data

    The virus library is deployed, maintained, and updated by Alibaba Cloud in real time. This minimizes the risk of potential losses caused by outdated virus data.

  • Diverse virus samples

    All types of viruses are covered. Security Center integrates major antivirus engines around the world. Sandboxes and machine learning engines developed by Alibaba Cloud are used.

Security Center performs the following detection:
  • Ransomware

    Security Center detects file-encrypting ransomware, such as WannaCry and CryptoLocker.

  • Attacks

    Security Center detects DDoS trojans, malicious scanning trojans, and spam trojans.

  • Mining software

    Security Center detects software that consumes resources and uses servers for cryptocurrency mining.

  • Zombies

    Security Center detects command and control (C&C) trojans, malicious C&C connections, and attack tools.

  • Other viruses

    Security Center detects worms, Mirai, and infectious viruses.

Not supported | Supported | Supported | Supported | Supported
Unusual network connection
Security Center monitors connections on servers and networks. Security Center generates alerts when suspicious connections are detected.
Security Center performs the following detection:
  • Suspicious connections to external IP addresses

    Security Center detects reverse shells and Bash processes that establish suspicious connections to external IP addresses.

  • Attacks

    Security Center detects maliciously inserted software that is used to launch attacks, such as SYN floods, UDP floods, and ICMP floods.

  • Suspicious communications

    Security Center detects suspicious webshell communications.

  • Suspicious TCP packets

    Security Center detects scan activities that are initiated from your server and target other devices.

Not supported | Supported | Supported | Supported | Supported
Other features
Security Center performs the following detection:
  • Unusual disconnections of the Security Center agent
  • DDoS attacks
Not supported | Not supported | Supported | Supported | Supported
Suspicious Account
Security Center detects suspicious accounts that attempt to log on to your system based on user behavior analysis.
Not supported | Supported | Supported | Supported | Supported
Intrusion into applications
Security Center detects intrusion into applications, such as SQL Server.
Not supported | Supported | Supported | Supported | Supported
Cloud threat detection
Security Center detects unusual use of cloud services based on user behavior analysis. For example, an attacker uses your AccessKey pair to purchase a large number of ECS instances for cryptocurrency mining.
Not supported | Not supported | Not supported | Supported | Supported
Alerts of the Precision defense type
Security Center automatically blocks common Internet viruses, such as ransomware, DDoS trojans, mining and trojan programs, malicious programs, webshells, and computer worms.
Not supported | Supported | Supported | Supported | Supported
Persistent webshells
Security Center detects persistent webshells on servers.

After an attacker gains control over a server, the attacker typically plants webshells, such as scripts, processes, and links, to maintain access to the server. Common persistence mechanisms include crontab jobs, automatic tasks, and replaced system files.

Not supported | Supported | Supported | Supported | Supported
Threats to web applications
Security Center detects intrusion activities that use web applications.
Not supported | Supported | Supported | Supported | Supported
Malicious script
Security Center detects malicious scripts on servers.

Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts to carry out the actual attack. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

Not supported | Supported | Supported | Supported | Supported
Malicious Network Activity
Security Center identifies unusual network behavior based on logs, such as communication content and host behavior logs. Malicious network behavior includes intrusion into hosts over open network services and unusual behavior of compromised hosts.
Not supported | Supported | Supported | Supported | Supported
Threat detection during container runtime
Security Center detects threats to Container Service for Kubernetes in real time. The threats include viruses and malicious programs in containers or on hosts, intrusion into containers, and container escapes. Security Center also generates alerts for these threats and warnings for high-risk operations. Security Center detects the following threats for containers during container runtime and generates alerts for detected threats:
  • Malicious image startups

    Security Center dynamically monitors open image sources, such as Docker Hub, and generates alerts if an image that contains webshells or mining programs is installed on your server.

  • Viruses and malicious programs

    Security Center detects viruses, trojans, mining programs, malicious scripts, and webshells in containers.

  • Intrusion into containers

    Security Center detects intrusions into containers from attackers who exploit application-layer vulnerabilities, unauthorized operations in containers, and application-to-application spread of malicious scripts in containers.

  • Container escapes

    Security Center detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities.

  • High-risk operations

    Security Center detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and containers started based on suspicious privilege escalation. This minimizes the risk of attackers exploiting these vulnerabilities.

Not supported | Not supported | Not supported | Not supported | Supported
Alert archiving
This feature archives alert events that were handled more than 30 days ago and allows you to download the archived alert events. This facilitates event tracing and audit.
Supported | Supported | Supported | Supported | Supported
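The unusual logon alerts in the table above (approved locations, IP addresses, accounts, and time ranges, plus a successful logon after repeated failures) and the brute-force defense rule under Host Protection both reduce to the same detection logic. The following added example, which is not Security Center's code, runs that logic over constructed sshd log lines. The log, the approved networks and accounts, the region map that stands in for a geolocation lookup, the assumed year for syslog timestamps, and the five-failures-in-ten-minutes threshold are all assumptions for illustration.

```python
"""Added example (not Security Center's code): unusual-logon and brute-force
detection over constructed sshd log lines. The log, the approved networks and
accounts, the region map that stands in for geolocation, and the
five-failures-in-ten-minutes threshold are all assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 10 09:15:02 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.12 port 51022 ssh2
Jan 10 09:20:11 web1 sshd[2140]: Accepted password for root from 203.0.113.5 port 41000 ssh2
Jan 10 22:47:30 web1 sshd[2200]: Accepted publickey for deploy from 10.0.0.12 port 51030 ssh2
Jan 10 23:01:01 web1 sshd[2301]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 10 23:01:03 web1 sshd[2301]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 10 23:01:05 web1 sshd[2301]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 10 23:01:09 web1 sshd[2301]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 10 23:01:12 web1 sshd[2301]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan 10 23:01:15 web1 sshd[2305]: Accepted password for admin from 198.51.100.7 port 40002 ssh2
"""

LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

POLICY = {
    "approved_networks": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")],
    "approved_accounts": {"deploy", "admin"},
    "approved_hours": (8, 20),              # logons allowed from 08:00 to 19:59
    "approved_locations": {"region-a"},
    "brute_force_threshold": 5,
    "brute_force_window": timedelta(minutes=10),
}

# Constructed stand-in for a geolocation lookup.
REGION_OF_NETWORK = {
    ipaddress.ip_network("10.0.0.0/8"): "region-a",
    ipaddress.ip_network("203.0.113.0/24"): "region-a",
    ipaddress.ip_network("198.51.100.0/24"): "region-b",
}


def locate(ip):
    for network, region in REGION_OF_NETWORK.items():
        if ip in network:
            return region
    return "unknown"


def parse_line(line, year=2024):
    """Parse one sshd syslog line; syslog carries no year, so one is assumed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": ipaddress.ip_address(m["ip"])}


def detect(lines, policy=POLICY):
    """Return alerts for successful logons that violate the policy, plus a
    brute_force_success alert when a success follows at least `threshold`
    failures from the same IP address inside the window."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logons
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > policy["brute_force_window"]:
            recent.popleft()          # drop failures outside the sliding window
        if not ev["ok"]:
            recent.append(ts)
            continue
        kinds = []
        if not any(ip in n for n in policy["approved_networks"]):
            kinds.append("unapproved_ip")
        if locate(ip) not in policy["approved_locations"]:
            kinds.append("unapproved_location")
        if ev["user"] not in policy["approved_accounts"]:
            kinds.append("unapproved_account")
        start, end = policy["approved_hours"]
        if not start <= ts.hour < end:
            kinds.append("unapproved_time")
        if len(recent) >= policy["brute_force_threshold"]:
            kinds.append("brute_force_success")
        recent.clear()
        alerts.extend({"kind": k, "user": ev["user"], "ip": str(ip), "time": ts.isoformat()} for k in kinds)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} {a['kind']:22} user={a['user']} ip={a['ip']}")
```

On the constructed log, the root logon from the approved bastion range raises only an unapproved-account alert, the late deploy logon raises an unapproved-time alert, and the admin logon from 198.51.100.7 raises four: unapproved IP address, unapproved location, unapproved time, and a brute-force success because five failures from that address preceded it within the window. Only successful logons are alerted on; the failures themselves feed the counter, which is the same statistic the brute-force defense rule blocks on.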
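The high-risk operations listed under threat detection during container runtime (sensitive host directories mounted into containers, exposed Docker or Kubernetes APIs, containers started with suspicious privilege escalation) can be caught before a pod ever runs by inspecting its specification. The following is an added example, not Security Center's detector: a static check over constructed Kubernetes pod manifests, written as Python dicts so it runs without a YAML dependency. The list of sensitive host paths and dangerous capabilities is illustrative.

```python
"""Added example (not Security Center's code): a static check for high-risk
container settings: sensitive host paths mounted into a container, privileged
containers, added capabilities, and shared host namespaces. The pod manifests
are constructed Kubernetes specs written as Python dicts.
"""
import posixpath

# Host paths that hand a container control of the node when mounted (illustrative).
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/proc", "/sys", "/root", "/boot", "/dev",
    "/var/lib/kubelet", "/var/lib/docker",
    "/var/run/docker.sock", "/run/docker.sock", "/run/containerd/containerd.sock",
)
DANGEROUS_CAPABILITIES = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def is_sensitive_host_path(path):
    """Normalize first so '/var/lib/../lib/kubelet' is not missed."""
    norm = posixpath.normpath(path)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_pod(pod):
    """Return human-readable findings for one pod spec."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} shares a host namespace")
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & DANGEROUS_CAPABILITIES):
            findings.append(f"{name}/{c['name']}: adds capability {cap}")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and is_sensitive_host_path(path):
                findings.append(f"{name}/{c['name']}: mounts host path {path} at {m['mountPath']}")
    return findings


# Constructed manifests.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "conf", "configMap": {"name": "web-conf"}},
                    {"name": "cache", "emptyDir": {}}],
        "containers": [{
            "name": "nginx", "image": "nginx:1.25",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "conf", "mountPath": "/etc/nginx/conf.d"},
                             {"name": "cache", "mountPath": "/var/cache/nginx"}],
        }],
    },
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}},
                    {"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"},
                             {"name": "docker-sock", "mountPath": "/var/run/docker.sock"},
                             {"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        for finding in audit_pod(pod) or [f"{pod['metadata']['name']}: no findings"]:
            print(finding)
```

The web pod produces no findings; the debug pod produces five (shared PID namespace, privileged container, SYS_ADMIN, the host root mounted at /host, and the Docker socket). A hostPath volume that is declared but never mounted is deliberately not reported, matching the "mounted to containers" wording above.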

Threat analysis

The threat analysis feature allows you to manage security information and events of multiple cloud services that belong to different Alibaba Cloud accounts. The cloud services include Cloud Firewall and VPC. The feature allows you to focus on events and identify unknown threats. The feature also provides various context and tracing information, and supports one-click event handling to improve operational efficiency on events. For more information, see Threat analysis.

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Service integration
Security Center allows you to add the security information of multiple cloud services to threat analysis. The cloud services include Security Center, Cloud Firewall, Server Load Balancer (SLB), and VPC.
Not supported | Value-added | Value-added | Value-added | Value-added
Rule management
This feature provides various system rules to generate alerts and events when threats are detected. This feature also allows you to configure custom rules.
Not supported | Value-added | Value-added | Value-added | Value-added
Event handling
This feature analyzes collected security information, displays detected security events, and provides suggestions on handling the events.
Not supported | Value-added | Value-added | Value-added | Value-added
Alerting
This feature displays the aggregated alert data of multiple accounts and cloud services. You can view alerts in a centralized manner.
Not supported | Value-added | Value-added | Value-added | Value-added
Log analysis
This feature allows you to search for and view the aggregated logs of multiple accounts and cloud services.
Not supported | Value-added | Value-added | Value-added | Value-added

Attack Awareness

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Attack awareness
Security Center displays the details of web attacks and brute-force attacks on your servers, traces the attacker IP addresses, and identifies the weaknesses that the attacks targeted.
Not supported | Not supported | Not supported | Supported | Supported

Log Analysis

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Log analysis
Security Center allows you to retrieve and analyze raw log data. The data includes process startup events, external network connections, system logon events, network five-tuple records, DNS queries, security logs, and alert logs.
Note Only users of the Security Center Enterprise and Ultimate editions can view network logs. Users of the Security Center Anti-virus or Advanced edition cannot view network logs. On the Log Analysis page of the Security Center console, users of the Anti-virus or Advanced edition can view only security and host logs.
Not supported | Value-added | Value-added | Value-added | Value-added

Host Protection

Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate
Agentless detection (Public preview)
The agentless detection feature adopts the agentless technology to scan and then detect security risks on ECS instances, precluding the need to install the Security Center agent.
Not supported | Not supported | Supported | Supported | Supported
Anti-ransomware
The anti-ransomware feature allows you to back up and restore data on your servers and databases. This protects your servers and databases from ransomware.
Not supported | Value-added | Value-added | Value-added | Value-added
Use the virus detection and removal feature
The security experts of Security Center conduct automated analysis on attack methods based on a large number of persistent virus samples. Then, the security experts release an engine that can detect and remove viruses based on machine learning results. You can use the engine to detect and remove viruses with a few clicks.
Not supported | Supported | Supported | Supported | Supported
Use the feature of web tamper proofing
Security Center monitors website directories and restores maliciously modified files or directories by using backups. Security Center protects websites from malicious modification, trojans, hidden links, and insertion of violence or pornography content.
Not supported | Value-added | Value-added | Value-added | Value-added
Use the host-specific rule management feature
The malicious behavior defense feature provides system rules and allows you to create custom defense rules. You can use the rules to enhance the security of your servers.
Not supportedNot supportedSupportedSupportedSupported
The feature of defense against brute-force attacks allows you to configure a defense rule to protect your servers from brute-force attacks. If the number of logon failures from an IP address to the same server exceeds a specified limit during a specified statistical period, the IP address is blocked.
Not supportedNot supportedSupportedSupportedSupported
Security Center allows you to specify approved logon locations, IP addresses, time ranges, and accounts to identify unusual logons that may be initiated by attackers.
Supported (Only approved logon locations can be specified.)
Supported (Only approved logon locations can be specified.)
SupportedSupportedSupported
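The brute-force rule (failures per IP address and per server within a statistical period) and the approved-logon checks described above, as an added Python example that is not Security Center code: the limit, period, approved IP range, time range and account are assumed values, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, time
import ipaddress
# Constructed sample logon events (not Security Center output): timestamp server result ip account
SAMPLE_LOG = """\
2024-05-01T10:00:01 web-01 FAIL 203.0.113.5 root
2024-05-01T10:00:03 web-01 FAIL 203.0.113.5 root
2024-05-01T10:00:04 web-01 FAIL 203.0.113.5 admin
2024-05-01T10:00:06 web-01 FAIL 203.0.113.5 root
2024-05-01T10:00:09 web-02 FAIL 203.0.113.5 root
2024-05-01T10:01:00 web-01 OK 198.51.100.10 deploy
2024-05-01T11:00:00 web-01 OK 192.0.2.77 deploy
2024-05-01T23:30:00 web-02 OK 198.51.100.10 deploy
"""
# Hypothetical rule values; in the product they are configured in the console.
MAX_FAILURES = 3     # block once failures exceed this limit ...
WINDOW_SECONDS = 60  # ... within this statistical period (seconds)
APPROVED_IPS = [ipaddress.ip_network("198.51.100.0/24")]
APPROVED_HOURS = (time(8, 0), time(18, 0))
APPROVED_ACCOUNTS = {"deploy"}

def parse(line):
    """Split one constructed log line into (timestamp, server, success, ip, account)."""
    ts, server, result, ip, account = line.split()
    return datetime.fromisoformat(ts), server, result == "OK", ipaddress.ip_address(ip), account

def brute_force_blocks(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return (ip, server) pairs whose failures exceed max_failures within a sliding window."""
    # Failures are counted per (ip, server), so failures spread over several servers do not add up.
    failures = defaultdict(deque)
    blocked = set()
    for ts, server, ok, ip, _account in sorted(events, key=lambda e: e[0]):
        if ok:
            continue
        hits = failures[(ip, server)]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:  # drop failures outside the period
            hits.popleft()
        if len(hits) > max_failures:
            blocked.add((str(ip), server))
    return blocked

def unusual_logons(events):
    """Flag successful logons whose source IP, time of day, or account is not approved."""
    flagged = []
    for ts, server, ok, ip, account in events:
        if not ok:
            continue
        reasons = [name for name, approved in (
            ("ip", any(ip in net for net in APPROVED_IPS)),
            ("time", APPROVED_HOURS[0] <= ts.time() <= APPROVED_HOURS[1]),
            ("account", account in APPROVED_ACCOUNTS)) if not approved]
        if reasons:
            flagged.append((str(ip), server, account, reasons))
    return flagged
```

In the sample, the single failure against web-02 does not count toward the web-01 block because the rule is scoped to one server, and the two successful logons are flagged for an unapproved IP address and an out-of-hours logon respectively.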

Container Protection

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Container image scan | Security Center detects the following image baseline risks, image vulnerabilities, and malicious image samples: image system vulnerabilities (Security Center detects them to ensure that your images are secure and reliable); image application vulnerabilities (Security Center scans container-related middleware to detect them and provides fix suggestions, which ensures that images run in a secure environment); image baseline risks (Security Center scans your containers to detect them and provides suggestions on how to handle the risks); malicious image samples (Security Center detects them in your containers, which allows you to view the container risks and reinforce the security of your containers); sensitive image files (Security Center detects sensitive data in common sensitive files and custom image files, including application configurations that contain sensitive information, general private keys of certificates, credentials for application authentication or logons, and credentials for cloud server providers). Note: Only image system vulnerabilities can be fixed with a few clicks. Image application vulnerabilities, image baseline risks, malicious image samples, and sensitive image files can only be detected. | Not supported | Not supported | Value-added | Value-added | Value-added |
| Use the feature of proactive defense for containers | The feature allows you to detect risks on an image when you use the image to create resources in a cluster, and to create a container defense policy for a cluster. If an image hits the policy, Security Center handles the image that is started in the cluster based on the action of the policy, which can be Block, Alert, or Allow. This ensures that the image does not affect your business. | Not supported | Not supported | Not supported | Not supported | Supported |
| Use container escape prevention | The feature of container escape prevention detects high-risk operations from multiple dimensions, such as processes, files, and system calls, and establishes protection barriers between containers and hosts. This effectively blocks escape behavior and ensures the runtime security of containers. | Not supported | Not supported | Not supported | Not supported | Supported |
| Untrusted process defense | Security Center provides the untrusted process defense feature to detect and block the startup of programs that are not included in the images of your containers while the containers are running. The feature helps protect the container environment against malicious software intrusion. | Not supported | Not supported | Not supported | Not supported | Supported |
| Container file protection | The container file protection feature monitors directories and files in containers in real time, and generates alerts or intercepts tampering operations when the directories or files are tampered with. This prevents illegal information or malicious code from being inserted into your applications. | Not supported | Not supported | Not supported | Not supported | Supported |
| Container firewall | Security Center provides the container firewall feature, which delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks the attacks. | Not supported | Not supported | Not supported | Not supported | Supported |
| Use the container signature feature | Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security. Note: Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature. | Not supported | Not supported | Not supported | Not supported | Supported |
| CI/CD-based container image scan | Security Center efficiently detects image risks in the project building stage on Jenkins and GitHub and provides solutions to the detected risks. Image risks include high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, configuration risks, and sensitive data. | Not supported | Not supported | Supported | Supported | Supported |

Application Protection

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Application protection (Public preview) | The application protection feature is based on Runtime Application Self-Protection (RASP) technology. It detects attacks and protects applications at runtime. | Not supported | Not supported | Not supported | Supported | Supported |

System Configuration

Playbook

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Use the playbook feature | Security Center provides the task management feature. You can run tasks to enable automatic fixing of vulnerabilities on multiple servers at a time. | Not supported | Not supported | Not supported | Supported | Supported |

Reports

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Create a security report | Security Center allows you to specify report information. After you enable this feature, Security Center sends emails that contain security statistics to the specified recipients. | Not supported | Not supported | Supported | Supported | Supported |

Feature Settings

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Enable features on the Host Protection Settings tab (Proactive Defense - Anti-Virus) | This feature automatically blocks common network viruses, such as common ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms. | Not supported | Supported | Supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Proactive Defense - Anti-ransomware (Bait Capture)) | This feature uses bait files to capture new types of ransomware and analyzes their patterns to protect your assets. | Not supported | Not supported | Supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Proactive Defense - Webshell Protection) | This feature automatically intercepts suspicious connections that attackers initiate by using known webshells. It also allows you to manually quarantine the related files. | Not supported | Not supported | Not supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Proactive Defense - Behavior prevention) | This feature intercepts abnormal network behavior between your servers and known malicious access sources, which reinforces the security of your servers. | Not supported | Not supported | Not supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Proactive Defense - Active defense experience optimization) | If your server unexpectedly shuts down or the defense capability becomes unavailable, Security Center collects server data by using the kdump service for protection analysis. This enhances the protection capability of Security Center on an ongoing basis. | Not supported | Not supported | Not supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Webshell detection) | Security Center periodically scans web directories to detect webshells and trojans on your servers. | Not supported | Supported | Supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Adaptive threat detection) | If a high-risk intrusion is detected on your server after this feature is enabled, the Security Center agent on the server automatically switches to Safeguard Mode for Major Activities, which detects intrusions faster and more comprehensively. | Not supported | Not supported | Not supported | Supported | Supported |
| Enable features on the Host Protection Settings tab (Protection modes) | Security Center provides multiple modes to protect your server in different scenarios: Basic Protection Mode (supported by all editions); High-security Prevention Mode (supported only by the Anti-virus, Advanced, Enterprise, and Ultimate editions); Safeguard Mode for Major Activities (supported only by the Enterprise and Ultimate editions). | Supported | Supported | Supported | Supported | Supported |
| Enable features on the Container Protection Settings tab (Kubernetes threat detection) | Security Center monitors the status of running containers in a Kubernetes cluster so that you can detect security risks and attacker intrusions at the earliest opportunity. Security Center detects the following items: suspicious instruction execution on a Kubernetes API server; mounting of suspicious directories to a pod; lateral movement among Kubernetes service accounts; startup of a pod that contains a malicious image. | Not supported | Not supported | Not supported | Not supported | Supported |
| Enable features on the Container Protection Settings tab (Container escape prevention) | The feature of container escape prevention detects high-risk operations from multiple dimensions, such as processes, files, and system calls, and establishes protection barriers between containers and hosts. This effectively blocks escape behavior and ensures the runtime security of containers. | Not supported | Not supported | Not supported | Not supported | Supported |
| Enable features on the Agent Settings tab (Client protection) | After you enable the client protection feature, Security Center automatically intercepts unauthorized agent uninstallation. This prevents the agent from being uninstalled by attackers or terminated by other software. | Supported | Supported | Supported | Supported | Supported |
| Enable features on the Agent Settings tab (Local file detection) | The local file detection engine performs security checks on new script files and binary files on your server. If threats are detected, the engine reports alerts. | Not supported | Not supported | Not supported | Supported | Supported |
| Enable features on the Other Settings tab (Global log filtering) | The global log filtering feature ensures security, helps you use your log storage effectively, and improves operational efficiency. | Not supported | Supported (after you purchase log storage capacity) | Supported (after you purchase log storage capacity) | Supported (after you purchase log storage capacity) | Supported (after you purchase log storage capacity) |
| Enable features on the Other Settings tab (Security control) | Security control allows you to configure an IP address whitelist. Requests initiated from IP addresses in the whitelist are forwarded directly to the destination servers, which prevents normal network traffic from being blocked. | Supported | Supported | Supported | Supported | Supported |
| Enable features on the Other Settings tab (Access control) | Resource Access Management (RAM) allows you to create and manage RAM users, such as individuals, system administrators, and application administrators. You can manage RAM user permissions to control access to Alibaba Cloud resources. | Supported | Supported | Supported | Supported | Supported |
| Installation and uninstallation of the Security Center agent | Security Center allows you to install and uninstall the Security Center agent. | Supported | Supported | Supported | Supported | Supported |
| Use the proxy access feature | The proxy access feature allows you to add the following types of servers to Security Center: ECS instances that are deployed in VPCs, servers that are deployed in data centers, and servers that are deployed in hybrid clouds and are inaccessible over the Internet. You can also use the feature to manage uplink traffic of the servers, that is, traffic from the servers to Security Center. | Supported | Supported | Supported | Supported | Supported |
| Multi-cloud asset access | This feature allows you to add third-party cloud servers and servers in data centers to Security Center for protection and management. | Supported | Supported | Supported | Supported | Supported |
| IDC probe | Security Center allows you to create IDC probes to scan a data center and identify the servers on which the Security Center agent is installed. You can then synchronize the information about the identified servers to the Assets module of the Security Center console, so that Security Center can manage the servers in a centralized manner. | Supported | Supported | Supported | Supported | Supported |
| Use the feature of asset management rules | The asset management rules feature lets you configure rule conditions. Servers that meet a rule condition can be managed by group or tag in a simple and efficient manner. | Supported | Supported | Supported | Supported | Supported |

Notification Settings

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Use the notification feature | Security Center allows you to customize the notification methods and alert severities of alert notifications. Security Center sends alert notifications by using text messages, emails, internal messages, or DingTalk chatbots. Note: Only the Enterprise and Ultimate editions of Security Center support DingTalk chatbots. | Supported | Supported | Supported | Supported | Supported |

Multi-account Control

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Use the multi-account management feature | Security Center allows you to manage the assets of multiple members in the resource directory of your enterprise. You can monitor the security status of the members in real time. | Supported | Supported | Supported | Supported | Supported |

Compliance

| Feature | Description | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- | --- |
| Security compliance check | Security Center checks whether your assets comply with classified protection regulations, including those on communication networks, region borders, computing environments, and management centers. Security Center also generates compliance reports. | Supported | Supported | Supported | Supported | Supported |
| ISO 27001 compliance check | Security Center checks whether your system meets ISO 27001 requirements in aspects such as asset management, access control, cryptography, and operations security. | Supported | Supported | Supported | Supported | Supported |

Threat detection limits

When Security Center detects risks, it sends security alerts to you without delay. You can manage security alerts, scan for vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can also analyze alerts and automatically trace attacks, which reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your servers and use other security services alongside Security Center, such as Cloud Firewall and Web Application Firewall (WAF).

Note: Because attacks and viruses keep evolving and workload environments vary, security breaches may still occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to protect your assets against attacks.