Security Center offers three editions: Basic, Advanced, and Enterprise. This topic describes the features supported by each edition.

  • Basic edition

    The Basic edition offers free Security Enhancement services. This feature detects unusual logons to your servers, DDoS attacks, mainstream server vulnerabilities, and service configuration risks. If you select the Security Enhancement check box when you purchase an Elastic Compute Service (ECS) instance, the Basic edition of Security Center is activated automatically.

  • Advanced edition

    The Advanced edition adopts the subscription billing method and supports security alerts, vulnerability detection and fixing, and .

  • Enterprise edition

    The Enterprise edition adopts the subscription billing method and provides a wide array of features, including security alerts, vulnerability detection and fixing, baseline check, asset fingerprints, and attack analysis.

Marks and descriptions

The following marks indicate whether a feature is supported by each Security Center edition.
  • X: the feature is not supported by the edition.
  • √: the feature is supported by the edition.
  • Value-added: the feature is a value-added service. You must purchase it separately to use it.

Container security

  • Container signature

    Supports signing trusted container images and verifying container image signatures so that only trusted images are deployed. Prevents unauthorized container images from starting and improves asset security.

    Basic edition: X | Advanced edition: X | Documentation: Container signature

  • Image vulnerability detection (preview)

    Supports container image vulnerability detection to make sure that your images are secure and reliable.

    Note: Currently, Security Center only supports container image vulnerability detection and does not support quick vulnerability fixes. If vulnerabilities are detected in a container image, we recommend that you follow the fixes and solutions provided by Security Center to reinforce image protection.

    Basic edition: X | Advanced edition: X | Documentation: Container image vulnerabilities

  • Container risk detection and alerting

    Supports detection of the following risks:
      • Startup of malicious images: monitors open image sources such as Docker Hub in real time and generates alerts if an image that contains webshells or mining programs is deployed on your server.
      • Viruses and malicious programs: detects viruses, Trojans, mining programs, malicious scripts, and webshells in images.
      • Intrusion into containers: detects intrusion into containers through application-layer attacks, unauthorized operations in containers, and application-to-application spreading of malicious scripts in containers.
      • Container escapes: detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities.
      • High-risk operation alerting: detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and containers started by privilege escalation. Minimizes the risk of attackers exploiting these weaknesses.

    Basic edition: X | Advanced edition: X | Documentation: View and handle alert events

Security score

  • Security score

    The Overview page in the Security Center console displays a security score based on the security status of your assets. A higher score indicates fewer risks in your assets.

Assets

  • Servers

    The Assets page displays security information about each protected server, including the risk status, group, region, and VPC network.

    Documentation: Query server security status

  • Alibaba Cloud services

    The Assets page displays security information about each protected cloud resource, including the resources exposed to threats and the type of each resource, for example, Server Load Balancer (SLB), NAT Gateway, ApsaraDB for RDS, and ApsaraDB for MongoDB.

    Documentation: View the security status of cloud services

Vulnerability fixing

  • Linux software vulnerabilities

    Detection: compares software versions by using the Open Vulnerability and Assessment Language (OVAL®) matching engine and generates alerts when vulnerabilities recorded in the Common Vulnerabilities and Exposures (CVE®) vulnerability database are detected.

    Note: The Basic edition only supports automatic vulnerability detection and does not support vulnerability fixing or quick scan tasks. To use Security Center to fix detected vulnerabilities or run quick scan tasks on assets, you must upgrade Security Center to the Advanced or Enterprise edition.

    Basic edition: Detection only | Documentation: Linux software vulnerabilities

    Fixing: supports quick fixing of vulnerabilities and automatic creation of snapshots, which allow you to roll back to a specific snapshot to undo a fix.

    Basic edition: X

  • Windows software vulnerabilities

    Detection: obtains updates from Microsoft Update for the Windows operating system, detects critical and other vulnerabilities, and generates alerts for these vulnerabilities.

    Note: The Basic edition only supports automatic vulnerability detection and does not support vulnerability fixing or quick scan tasks. To use Security Center to fix detected vulnerabilities or run quick scan tasks on assets, you must upgrade Security Center to the Advanced or Enterprise edition.

    Basic edition: Detection only | Documentation: Windows system vulnerability detection

    Fixing: automatically identifies the pre-downloaded patches required to fix vulnerabilities, which solves the issue where vulnerabilities cannot be fixed because the required patches are missing. Alerts you when a fix requires a system restart, improving the efficiency of vulnerability fixing.

    Basic edition: X

  • Web CMS vulnerabilities

    Detection of web content management system (WCMS) vulnerabilities: monitors web directories, recognizes common website builders, and checks the vulnerability database to identify vulnerabilities in website builders.

    Note: The Basic edition only supports automatic vulnerability detection and does not support vulnerability fixing or quick scan tasks. To use Security Center to fix detected vulnerabilities or run quick scan tasks on assets, you must upgrade Security Center to the Advanced or Enterprise edition.

    Basic edition: Detection only | Documentation: Web-CMS vulnerabilities

    Fixing: uses patches developed by Alibaba Cloud to replace or modify source code so that you can fix vulnerabilities easily.

    Basic edition: X

  • Emergency vulnerabilities

    Provides temporary detection and fixes for emergency vulnerabilities that are suddenly disclosed to the public.

    Note: The Basic edition only supports automatic vulnerability detection and does not support vulnerability fixing or quick scan tasks. To use Security Center to manually run quick scan tasks, you must upgrade Security Center to the Advanced or Enterprise edition.

    Documentation: Emergency vulnerability detection

  • Application vulnerabilities

    Detects and fixes weak passwords of system services, system service vulnerabilities, and application vulnerabilities.

    Note: Only the Enterprise edition supports application vulnerability detection. To use Security Center to detect and fix application vulnerabilities on assets, you must upgrade Security Center to the Enterprise edition.

    Basic edition: X | Advanced edition: X | Documentation: Application vulnerability detection

Baseline check

  • Server baseline check

    Dispatches tasks to check server configurations and generates alerts if configuration risks are detected.

    Detection scope:
      • Account security: checks for noncompliance with password policies, weak system passwords, and weak application passwords.
      • System configurations: checks for potential risks in group policies, logon baseline policies, and registry configurations.
      • Databases: checks for high-risk threats in the configurations of databases such as Redis.
      • Compliance requirements: checks whether your assets comply with system baseline requirements, such as the CIS CentOS Linux 7 Benchmark.

    Custom check policies: allows you to specify the check items, detection interval, and target servers by customizing check policies. Currently, custom check scripts are not supported.

    Basic edition: X | Advanced edition: X | Documentation: Baseline check
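The following checker is added here as an illustration and is not Security Center's own code. It shows what two of the detection-scope items above amount to in practice: it parses constructed samples of /etc/login.defs and redis.conf, reports password-aging settings outside CIS-style limits, and flags a Redis instance that is reachable without authentication. The thresholds, the file contents, and the finding texts are assumptions made for the example.

```python
"""Added example, not Security Center's own code: a minimal host baseline
checker covering two of the detection-scope items above, account security
(password aging in /etc/login.defs) and database configuration (redis.conf).
The file contents are constructed samples embedded inline."""

# Constructed sample of /etc/login.defs with weak password aging.
LOGIN_DEFS = """
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# Constructed sample of redis.conf exposed without authentication.
REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so clients connect without a password
# requirepass change-me
"""

# Thresholds follow the CIS password-aging recommendations (assumption: the
# page does not list the exact benchmark items Security Center applies).
MAX_DAYS_LIMIT = 365
MIN_DAYS_FLOOR = 7
WARN_AGE_FLOOR = 7


def parse_directives(text):
    """Parse 'KEY value' lines; login.defs and redis.conf share this shape.
    Comments and blank lines are skipped; a later key overrides an earlier one."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def _int_value(cfg, key, default):
    """Read an integer directive, falling back to the default on bad input."""
    try:
        return int(cfg.get(key, default))
    except ValueError:
        return default


def check_password_policy(login_defs_text):
    """Account security item: flag password-aging settings outside the limits."""
    cfg = parse_directives(login_defs_text)
    findings = []
    if _int_value(cfg, "PASS_MAX_DAYS", 99999) > MAX_DAYS_LIMIT:
        findings.append("PASS_MAX_DAYS exceeds %d days" % MAX_DAYS_LIMIT)
    if _int_value(cfg, "PASS_MIN_DAYS", 0) < MIN_DAYS_FLOOR:
        findings.append("PASS_MIN_DAYS is below %d days" % MIN_DAYS_FLOOR)
    if _int_value(cfg, "PASS_WARN_AGE", 7) < WARN_AGE_FLOOR:
        findings.append("PASS_WARN_AGE is below %d days" % WARN_AGE_FLOOR)
    return findings


def check_redis(redis_conf_text):
    """Database item: flag a Redis instance reachable from any interface
    without authentication. An absent 'bind' means all interfaces."""
    cfg = parse_directives(redis_conf_text)
    findings = []
    bind_addrs = cfg.get("bind", "").split()
    if not bind_addrs or any(a in ("0.0.0.0", "::", "*") for a in bind_addrs):
        findings.append("Redis listens on all interfaces")
    if cfg.get("protected-mode", "yes").lower() == "no":
        findings.append("Redis protected-mode is disabled")
    if not cfg.get("requirepass"):
        findings.append("Redis requires no password (requirepass unset)")
    return findings


def run_baseline(login_defs_text, redis_conf_text):
    """Return findings grouped by detection-scope item."""
    return {
        "account_security": check_password_policy(login_defs_text),
        "database": check_redis(redis_conf_text),
    }


if __name__ == "__main__":
    for item, findings in run_baseline(LOGIN_DEFS, REDIS_CONF).items():
        print(item, findings or ["compliant"])
```

A real baseline agent reads these files from the host and applies many more items; the point of the example is that each item is a parse step followed by a comparison against a documented limit, which is also what a custom check policy selects from.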

Cloud service configuration assessment

  • Cloud service configuration assessment

    Cloud service baseline assessment: checks for potential risks in the configurations of Alibaba Cloud services, such as Elastic Compute Service (ECS) and ApsaraDB for RDS (RDS).

    Detection scope:
      • ECS: checks whether the port access policies of security groups are set to a loose standard.
      • Server Load Balancer (SLB): checks for unnecessary ports that are accessible from the Internet and increase the risk of attack.
      • RDS: checks whether databases are accessible from the Internet and whether an access whitelist is configured.
      • ActionTrail: checks whether operation auditing is enabled, which facilitates event tracing.
      • Multi-factor authentication (MFA): checks whether two-factor authentication is enabled to prevent Alibaba Cloud accounts from being cracked.
      • Others: checks whether the SLB whitelist feature is enabled and whether RDS uses encrypted communications.

    Documentation: Configuration assessment overview
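As an added illustration (not Security Center's code), the following script applies the detection-scope checks above to constructed resource descriptions: a security group rule open to any source on all ports, an SLB with an unneeded Internet-facing listener and no whitelist, an RDS instance reachable from the Internet without a restrictive whitelist or SSL, and an account without ActionTrail or MFA. The "loose rule" threshold, the resource dicts, and the field names are assumptions; a real assessment reads this data from the cloud APIs.

```python
"""Added example, not Security Center's own code: an offline version of the
cloud service configuration checks listed above (ECS security groups, SLB
listeners, RDS access, ActionTrail, MFA). The resource descriptions are
constructed dicts, not API responses, and the thresholds are assumptions."""

ANY_SOURCE = ("0.0.0.0/0", "::/0")
# Assumption: a security group rule is 'loose' when it admits any source and
# opens more than LOOSE_PORT_SPAN ports, or all ports (written -1/-1).
LOOSE_PORT_SPAN = 100

# Constructed account snapshot with one instance of each risk present.
ACCOUNT = {
    "mfa_enabled": False,
    "actiontrail_enabled": False,
    "security_groups": [
        {"id": "sg-example-1", "ingress": [
            {"source": "0.0.0.0/0", "ports": "22/22"},   # narrow: a single port
            {"source": "0.0.0.0/0", "ports": "-1/-1"},   # loose: every port
        ]},
    ],
    "slbs": [
        {"id": "lb-example-1", "listeners": [80, 443, 8080],
         "expected_ports": [80, 443], "whitelist_enabled": False},
    ],
    "rds": [
        {"id": "rm-example-1", "internet_accessible": True,
         "whitelist": ["0.0.0.0/0"], "ssl_enabled": False},
    ],
}


def port_span(port_range):
    """Number of ports a rule opens: '22/22' -> 1, '-1/-1' (all) -> 65536."""
    low, high = (int(p) for p in port_range.split("/"))
    if low == -1 or high == -1:
        return 65536
    return high - low + 1


def assess_security_group(sg):
    """ECS item: flag ingress rules open to any source across many ports."""
    return [
        "ECS security group %s: rule %s is open to %s" % (sg["id"], r["ports"], r["source"])
        for r in sg.get("ingress", [])
        if r["source"] in ANY_SOURCE and port_span(r["ports"]) > LOOSE_PORT_SPAN
    ]


def assess_slb(slb):
    """SLB items: Internet-facing listeners beyond the expected set, and the
    whitelist feature being disabled."""
    findings = []
    extra = sorted(set(slb["listeners"]) - set(slb["expected_ports"]))
    if extra:
        findings.append("SLB %s: unnecessary Internet-facing listeners %s" % (slb["id"], extra))
    if not slb.get("whitelist_enabled", False):
        findings.append("SLB %s: access whitelist feature is not enabled" % slb["id"])
    return findings


def assess_rds(db):
    """RDS items: Internet exposure, missing restrictive whitelist, no SSL."""
    findings = []
    if db.get("internet_accessible", False):
        findings.append("RDS %s: instance is accessible from the Internet" % db["id"])
    whitelist = db.get("whitelist", [])
    if not whitelist or any(entry in ANY_SOURCE for entry in whitelist):
        findings.append("RDS %s: no restrictive access whitelist is configured" % db["id"])
    if not db.get("ssl_enabled", False):
        findings.append("RDS %s: encrypted communication (SSL) is not enabled" % db["id"])
    return findings


def assess_account(account):
    """Run every check and return the findings as a flat list of strings."""
    findings = []
    for sg in account.get("security_groups", []):
        findings += assess_security_group(sg)
    for slb in account.get("slbs", []):
        findings += assess_slb(slb)
    for db in account.get("rds", []):
        findings += assess_rds(db)
    if not account.get("actiontrail_enabled", False):
        findings.append("ActionTrail: operation auditing is disabled, so events cannot be traced")
    if not account.get("mfa_enabled", False):
        findings.append("MFA: two-factor authentication is not enabled for the account")
    return findings


if __name__ == "__main__":
    for finding in assess_account(ACCOUNT):
        print("-", finding)
```

The single-port SSH rule is deliberately left unflagged: the check is about port policies that are loose, not about any exposure at all, so the span threshold is what separates the two rules in the sample.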

Security alerts

  • Suspicious process behaviors

    Traces intrusion sources based on real attack and defense scenarios in the cloud, creates a process whitelist, and generates alerts when unauthorized processes or intrusion attacks are detected.

    Suspicious process detection: builds more than 1,000 process patterns for hundreds of processes, and analyzes suspicious processes by comparing them with these patterns.

    Detection scope:
      • Reverse shells: detects suspicious command execution by Bash processes, and arbitrary command execution on servers remotely controlled by attackers.
      • Suspicious command execution in databases: detects suspicious command execution in databases such as MySQL, PostgreSQL, SQL Server, Redis, and Oracle.
      • Unauthorized operations by application processes: detects unauthorized operations performed by application processes, such as Java, FTP, Tomcat, Docker container, and Lsass.exe processes.
      • Unauthorized system processes: detects unauthorized activities of PowerShell, Secure Shell (SSH), Remote Desktop Protocol (RDP), smbd, and Secure Copy Protocol (SCP).
      • Other suspicious processes: detects suspicious process activities such as access over Visual Basic Script (VBScript), access to hosts, writing of crontab files, and webshell injection.

    Basic edition: X | Documentation: Alert types

  • Webshells

    Supports detection of website script files, such as PHP, ASP, and JSP files, on both servers and networks.

    Detection scope:
      • Server-based detection: monitors website server directory changes in real time.
      • Network-based detection: captures webshell files and identifies network protocols to detect webshells.

    Basic edition: X

    Webshell removal: quarantines detected webshell files in the Security Center console. You can restore files that were quarantined within the last 30 days.

    Basic edition: X

  • Unusual logons

    Detects the following unusual logons:
      • Logons from unapproved logon locations: automatically adds locations from which logons to ECS are allowed, and allows you to manually add approved locations. Logons from unapproved locations trigger alerts.
      • Brute-force attacks: records details of successful logons to ECS after multiple failed attempts, in which case the server may be under brute-force attack.

    Detects the following unusual logon events:
      • Logons from unapproved IP addresses: allows you to specify the IP addresses (host and company network IP addresses) from which users can log on to ECS. Logons from unapproved IP addresses trigger alerts.
      • Logons from unapproved accounts: allows you to specify the accounts that are allowed to log on to ECS. Logons from unapproved accounts trigger alerts.
      • Logons at unapproved times: allows you to specify the times (such as office hours) at which users are allowed to log on to a server. Logons at unapproved times trigger alerts.

    Basic edition: X
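The following detector is an added example, not Security Center's implementation. It applies the unusual-logon rules above to constructed logon events: each successful logon is checked against approved locations, networks, accounts, and hours, and the brute-force alert is raised when a success follows repeated failures from the same source IP. The policy, the failure threshold and window, the event format, and the events themselves are assumptions.

```python
"""Added example, not Security Center's own code: detection logic for the
unusual-logon rules above (approved locations, IP addresses, accounts and
logon times, plus success-after-repeated-failures as the brute-force signal).
The policy, thresholds and logon events are constructed samples."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed approval policy for one server.
POLICY = {
    "locations": {"Hangzhou", "Shanghai"},
    "networks": {"203.0.113.10/32", "198.51.100.0/24"},  # host and company network
    "accounts": {"root", "deploy"},
    "hours": (9, 18),  # approved logon window, 09:00 to 18:00 server local time
}
# Brute-force rule (assumption: the page gives no threshold): a successful
# logon preceded by this many failures from the same source IP within the window.
BRUTE_FORCE_FAILURES = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed logon events: (timestamp, account, source IP, location, success).
EVENTS = [
    ("2024-05-06 10:02:11", "deploy", "203.0.113.10", "Hangzhou", True),  # normal
    ("2024-05-06 11:15:00", "root", "192.0.2.77", "Berlin", True),        # bad IP and location
    ("2024-05-06 11:20:00", "svc_backup", "198.51.100.8", "Shanghai", True),  # bad account
] + [
    ("2024-05-06 12:00:%02d" % sec, "root", "192.0.2.99", "Berlin", False)
    for sec in range(0, 30, 5)  # six failures in 25 seconds
] + [
    ("2024-05-06 12:01:00", "root", "192.0.2.99", "Berlin", True),        # then success
    ("2024-05-06 23:40:05", "deploy", "203.0.113.10", "Hangzhou", True),  # bad time
]


def detect_unusual_logons(events, policy):
    """Return (timestamp, account, reason) alerts for the events, in time order.
    Only successful logons produce alerts; failures feed the brute-force count."""
    approved_nets = [ipaddress.ip_network(n) for n in policy["networks"]]
    start_hour, end_hour = policy["hours"]
    recent_failures = defaultdict(list)  # source IP -> timestamps of failures
    alerts = []
    for ts_text, account, ip, location, success in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if not success:
            recent_failures[ip].append(ts)
            continue
        # Brute-force signal: count only failures inside the window, then reset.
        window = [t for t in recent_failures[ip] if ts - t <= BRUTE_FORCE_WINDOW]
        recent_failures[ip] = []
        if len(window) >= BRUTE_FORCE_FAILURES:
            alerts.append((ts_text, account,
                           "success after %d failed attempts (possible brute force)" % len(window)))
        if location not in policy["locations"]:
            alerts.append((ts_text, account, "logon from unapproved location %s" % location))
        if not any(ipaddress.ip_address(ip) in net for net in approved_nets):
            alerts.append((ts_text, account, "logon from unapproved IP address %s" % ip))
        if account not in policy["accounts"]:
            alerts.append((ts_text, account, "logon by unapproved account"))
        if not start_hour <= ts.hour < end_hour:
            alerts.append((ts_text, account, "logon at unapproved time %s" % ts.strftime("%H:%M")))
    return alerts


if __name__ == "__main__":
    for when, who, why in detect_unusual_logons(EVENTS, POLICY):
        print(when, who, why)
```

One successful logon can raise several alerts at once (the 12:01 event trips the brute-force, location, and IP rules), which is the behaviour to expect when the rules are independent whitelists rather than a single score.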
  • Sensitive file tampering

    Monitors sensitive directories and files in real time, and generates alerts when suspicious read, write, and delete operations are detected.

    Detection scope:
      • System file tampering: detects whether the Bash and ps commands have been replaced, or whether hidden and unauthorized processes are running.
      • Core file removal: detects malicious removal of website core files after servers are compromised by attackers.
      • Trojan insertion: detects whether malicious code is injected into a web page so that Trojan downloads start automatically when visitors open the page.
      • Other suspicious events: detects ransomware on the logon pages of Linux and MySQL, and the insertion of email addresses or Bitcoin wallet addresses.

    Basic edition: X

  • Malicious processes

    Periodically scans processes, monitors process startup events, and detects malicious viruses and Trojans. Allows you to quickly terminate and quarantine malicious files in the console.

    Virus library:
      • Update mechanism: virus data is maintained in the cloud and updated by Alibaba Cloud in real time; no detection engine is required on the client side.
      • Diverse virus samples: detects all types of viruses, integrates with major worldwide anti-virus engines, and adds an in-house sandbox and machine learning engine.

    Detection scope:
      • Ransomware: file-encrypting ransomware such as WannaCry and CryptoLocker.
      • Malicious attacks: DDoS Trojans, malicious scanning Trojans, and spam Trojans.
      • Mining software: resource-consuming software that uses instances for illegal cryptocurrency mining.
      • Zombies: central control Trojans, malicious central control connections, and attack tools.
      • Other viruses: worms, Mirai, and infectious viruses.

    Basic edition: X

  • Suspicious network connections

    Monitors connections between servers and networks, detects unauthorized connections, and generates alerts.

    Detection scope:
      • Suspicious connections to external IP addresses: reverse and Bash shells that establish suspicious connections to external IP addresses.
      • Malicious attacks: malicious software injection used to launch attacks such as SYN floods, User Datagram Protocol (UDP) floods, and Internet Control Message Protocol (ICMP) floods.
      • Suspicious communications: suspicious webshell communications.

    Basic edition: X

  • Other features
      • Detects unusual disconnections of the Security Center agent.
      • Detects DDoS attacks.

    Basic edition: X

  • Suspicious accounts

    Detects suspicious accounts that attempt to log on to your system, based on user behavior analysis.

    Basic edition: X

  • Application intrusion events

    Detects intrusion into applications, such as SQL Server.

    Basic edition: X

  • Service threat detection

    Detects unusual use of services based on user behavior analysis. For example, an attacker uses your AccessKey pair to purchase a large number of ECS instances for mining.

    Basic edition: X | Advanced edition: X

  • Precise defense

    Automatically quarantines common Internet viruses, such as ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, webshells, and computer worms. Alibaba Cloud security specialists test and verify all automatically quarantined viruses to keep the false positive rate to a minimum.

    Basic edition: X

  • Application control

    Identifies programs as trusted, suspicious, or malicious based on the application whitelist to prevent unauthorized programs from running.

    Basic edition: X | Advanced edition: X | Enterprise edition: Value-added

  • Persistent webshells

    Detects persistent webshells on servers.

    After an attacker gains control over your server, the attacker typically places webshells, such as scripts, processes, and links, to persistently exploit the intrusion. Common persistent webshells include crontab jobs, automatic tasks, and replaced system files.

    Basic edition: X

  • Web application threat detection

    Detects intrusion activities that use web applications.

    Basic edition: X

  • Malicious scripts

    Detects malicious scripts on servers.

    Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for further attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts. Languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

    Basic edition: X

  • Threat intelligence

    Provides third-party threat intelligence sources.

    Basic edition: X | Advanced edition: Value-added | Enterprise edition: Value-added

  • Malicious network behaviors

    Identifies unusual network behaviors based on log data, such as network content and host behaviors. Malicious network behaviors typically include intrusion into hosts through open networks and unusual behaviors of compromised hosts.

    Basic edition: X

Attack analysis

  • Attack analysis

    Provides details of web attacks and brute-force attacks that target ECS instances.

    Basic edition: X | Advanced edition: X | Documentation: Attack Awareness

AccessKey leak detection

  • AccessKey leak detection

    Monitors code hosting sites such as GitHub in real time to detect AccessKey leaks in source code that company employees may have uploaded accidentally.

    Documentation: AccessKey leak detection

Log analysis

  • Log analysis

    Supports retrieval and analysis of raw log data, including process startup events, external network connections, system logon events, five tuples, DNS queries, security logs, and alert logs.

    Note: The Advanced edition supports host logs and security logs but not network logs. The Enterprise edition supports host logs, security logs, and network logs.

    Basic edition: X | Advanced edition: Value-added | Enterprise edition: Value-added | Documentation: Log analysis

Asset fingerprints

  • Asset fingerprints

    Collects the following asset information in real time:
      • Ports: collects and displays port listening information, and records changes to track open ports.
      • Accounts: collects information about accounts and their permissions, and checks privileged accounts to track privilege escalation activities.
      • Processes: collects and displays process snapshots to track normal processes and detect abnormal processes.
      • Software: checks software installation information so that affected assets can be located quickly when high-risk vulnerabilities occur.
      • Scheduled tasks: collects information about scheduled tasks to record task paths for your assets.

    Basic edition: X | Advanced edition: X | Documentation: Overview of asset fingerprints

Security reports

  • Security reports

    Allows you to customize security reports. After you enable this feature, Security Center sends daily security statistics to the specified recipients by email.

    Basic edition: X | Advanced edition: X | Documentation: Security reports

Application marketplace

  • Application control

    Allows you to add servers to the whitelist and identifies programs as trusted, suspicious, or malicious based on the whitelist. Unauthorized processes are terminated.

    Basic edition: X | Advanced edition: Value-added | Enterprise edition: Value-added | Documentation: Application control

  • Tamper protection

    Monitors website directories in real time and backs up and restores modified files or directories. Protects websites from Trojans, hidden links, and uploads of violent and illicit content.

    Basic edition: X | Advanced edition: Value-added | Enterprise edition: Value-added | Documentation: Tamper protection

Settings

  • Settings

    Allows you to configure Security Center features, such as virus detection, webshell detection, container threat detection, security control, access control, and protection modes of the Security Center agent.

    Note: To configure these features, log on to the Security Center console and click Settings in the left-side navigation pane.

    Documentation: Settings

  • Notifications

    Allows you to customize alert notifications, such as the notification method and alert severity.

    Documentation: Alert settings

  • Installation and uninstallation of the Security Center agent

    Allows you to install and uninstall the Security Center agent.

    Documentation: Install or uninstall the Security Center agent

Threat detection limits

When Security Center detects risks, it sends security alerts to you without delay. You can process security alerts, scan for vulnerabilities, analyze attacks, and check security settings in the Security Center console. Security Center can analyze alerts and automatically trace attacks, which helps you protect your assets. Security Center supports a wide array of protection features. We also recommend that you install the latest system patches on your servers and use multiple security services, such as Cloud Firewall and Web Application Firewall (WAF), to better protect your assets against attacks.

Note: Because attacks and viruses adapt rapidly and workload environments vary, security breaches may still occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to better protect your assets against attacks.