Security Center generates different alerts for your assets in real time. The types of alerts include web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats in your assets based on more than 250 threat detection models. This allows you to monitor the security status of your assets at the earliest opportunity.

Security Center generates alerts when it detects threats on your cloud services or assets. For example, alerts are generated if attacks initiated from a malicious IP address are detected, or if your host is compromised after it runs a malicious script or visits a malicious download source.

To view the alerts generated for your assets, you can navigate to Detection > Alerts.

Note
  • By default, all defense features that the current Security Center edition supports are enabled, except the application whitelist and web tamper proofing features. To enable the application whitelist and web tamper proofing features, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition. For more information, see Upgrade and downgrade Security Center.
  • Application whitelist and web tamper proofing are value-added services provided by Security Center. To use the application whitelist feature, you must apply for it. For more information, see Application whitelist. To use the web tamper proofing feature, you must purchase and enable it. The web tamper proofing feature is supported by the Basic Anti-Virus, Advanced, and Enterprise editions of Security Center. Security Center Basic does not support this feature. For more information about how to enable the web tamper proofing feature, see Enable tamper protection.
  • Cloud threat detection is automatically enabled and supported only by Security Center Enterprise. To use cloud threat detection, you must upgrade the Basic Anti-Virus or Advanced edition of Security Center to the Enterprise edition.

Threat detection models

Security Center provides more than 250 threat detection models to help you detect threats in a comprehensive way. In the upper-left corner of the Alerts page, click the Threat detection model icon to view the models. The models detect threats across 10 stages of a network attack, including Attack Portal, Load Delivery, Privilege Escalation, and Escape Detection. This achieves full-link cloud threat detection.

Alert statistics

Security Center provides statistics on enabled defense items. This allows you to obtain up-to-date information about the alerts on your assets, enabled defense items, and disabled defense items. On the Alerts page of the Security Center console, you can view statistics on alerts and enabled defense items.

Enabled and disabled defense items

The following describes the parameters in the upper part of the Alerts page and the operations that you can perform on them.

Alerting Server(s): The number of servers on which alerts are generated. Click the number below Alerting Server(s) to go to the Server(s) tab of the Assets page, which displays the details of the servers on which alerts are generated.

All Alerts: The total number of unhandled alerts. You can view the details of all unhandled alerts on the Alerts page. For more information, see View and handle alert events.

Urgent Alerts: The number of unhandled Urgent alerts. Click the number below Urgent Alerts to display the urgent alerts on the Alerts page, where you can view and handle them.

The alerts generated by Security Center are classified into the following risk levels:
  • Urgent: high-risk alerts. If such alerts are generated, intrusion events such as reverse shells are detected on your server. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity.
  • Warning: medium-risk alerts. If such alerts are generated, exceptions such as suspicious command sequences are detected on your server. We recommend that you view the details of the alerts, check whether your server is at risk, and handle the alerts.
  • Notice: low-risk alerts. If such alerts are generated, low-risk exceptions such as suspicious port listening are detected on your server. We recommend that you view the details of the alerts at the earliest opportunity.
Note We recommend that you handle the Urgent alerts at the earliest opportunity.

Precise Defense: The number of viruses that are automatically quarantined by the antivirus feature. Click the number below Precise Defense to display the related alerts on the Alerts page, where you can view all viruses that the antivirus feature has automatically quarantined.
Note You can ignore the viruses that are quarantined by Security Center.

IP blocking / All:
  • IP blocking: the number of IP addresses that are blocked by the enabled defense rules against brute-force attacks.
  • All: the total number of IP addresses that are blocked by all defense rules against brute-force attacks.
Click a number below IP blocking / All to open the IP Policy Library panel, where you can view the enabled or all IP blocking rules. For more information about IP blocking rules, see Configure IP blocking policy.

Number Of Quarantined Files: The number of files that are quarantined by Security Center based on blocked alerts. Click the number below Number Of Quarantined Files to open the Quarantine panel, where you can view the details of quarantined files. Quarantined files cannot affect your servers. For more information, see Use the quarantine feature.

Alert types

Since December 20, 2018, the Basic edition of Security Center generates alerts only for unusual logons and DDoS attacks. To enable more advanced detection features, you must upgrade the Basic edition to the Basic Anti-Virus, Advanced, or Enterprise edition. For more information about the types of alerts that each edition can generate, see Features.

For more information about the specific check items of each type of alert in Security Center and check principles, see Alerts.

The following list describes all types of alerts that Security Center can generate.

Tamper Protection: Security Center monitors web directories in real time and restores tampered files or directories from the backup files. This protects websites against malicious modification, trojan implantation, hidden links, and uploads of violent or illicit content. Security Center can detect the following suspicious activities:
  • File adding
  • File modification
  • File deletion
Note Web tamper proofing is a value-added service that is provided by Security Center. To use this feature, you must purchase and activate it. The Basic edition of Security Center does not support web tamper proofing. For more information, see Web tamper proofing.

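
As an added illustration of the three activities listed above (example code written for this page, not Security Center's tamper proofing implementation), the following Python script builds a SHA-256 baseline of a web root, classifies files as added, modified, or deleted relative to that baseline, and restores the originals from a backup copy. The web root, the backup, and the tampered files are all constructed in a temporary directory by the script; the function names and directory layout are assumptions.

```python
"""Added example: a minimal web-directory integrity monitor. Not Security
Center code. It baselines a web root, reports added/modified/deleted files,
and restores tampered files from a backup, as described for Tamper Protection.
Everything it touches is constructed in a temporary directory."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify changes into the three activities Tamper Protection reports."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def restore(web_root, backup_root, changes):
    """Undo the reported changes from the backup copy; return the paths touched."""
    touched = []
    for rel in changes["modified"] + changes["deleted"]:
        src = os.path.join(backup_root, *rel.split("/"))
        dst = os.path.join(web_root, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        touched.append(rel)
    for rel in changes["added"]:          # files that were never in the baseline
        os.remove(os.path.join(web_root, *rel.split("/")))
        touched.append(rel)
    return touched


def demo():
    """Constructed scenario: baseline a site, tamper with it, detect, restore."""
    work = tempfile.mkdtemp()
    web = os.path.join(work, "www")           # assumed web root
    backup = os.path.join(work, "backup")     # assumed backup location
    os.makedirs(os.path.join(web, "js"))
    with open(os.path.join(web, "index.html"), "w") as fh:
        fh.write("<html>hello</html>")
    with open(os.path.join(web, "js", "app.js"), "w") as fh:
        fh.write("console.log('ok')")
    shutil.copytree(web, backup)
    baseline = snapshot(web)

    # Simulated tampering (constructed): modify, delete, and add one file each.
    with open(os.path.join(web, "index.html"), "a") as fh:
        fh.write("<!-- hidden link -->")
    os.remove(os.path.join(web, "js", "app.js"))
    with open(os.path.join(web, "upload.php"), "w") as fh:
        fh.write("<?php echo 'unexpected file'; ?>")

    changes = diff_snapshots(baseline, snapshot(web))
    restore(web, backup, changes)
    clean = snapshot(web) == baseline         # True once the restore succeeded
    shutil.rmtree(work)
    return {"changes": changes, "restored": clean}


if __name__ == "__main__":
    print(demo())
```

Running the script reports one file in each category and confirms that the web root matches the baseline again after the restore. A production monitor would watch the directory continuously rather than diffing on demand, and would keep the backup on storage that the web server process cannot write to.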
Suspicious Process: Security Center can detect the following suspicious processes:
  • Write operations on the configuration files of scheduled tasks in Linux
  • Modification of files of scheduled tasks in Linux
  • Execution of suspicious commands in Linux
  • Reverse shells
  • Execution of suspicious commands in Python applications
  • Malicious code loading by using Windows system files
  • Calls to the Windows mshta.exe utility to execute commands that insert JavaScript into an HTML page
  • Creation of suspicious scheduled tasks in Windows
  • Execution of suspicious commands by using Windows regsvr32.exe
  • Connections to malicious download sources
  • Suspicious modification of registry configurations
  • Suspicious calls of system tools
  • Execution of malicious commands
  • Containers started in privileged mode
  • Suspicious modification of auto-startup items

Webshell: Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quickly quarantines webshell files.
  • Security Center scans the entire web directory early in the morning on a daily basis. Changes to files in the web directory trigger dynamic detection.
  • You can specify the assets on which Security Center scans for webshells.
  • You can quarantine, restore, or ignore the detected trojan files.
Note Security Center Basic detects only some webshells. If you use Security Center Basic and need to detect all webshells, we recommend that you upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition. For more information, see Renew the subscription to Security Center.

Unusual Logon: Security Center detects unusual logons to your servers. You can configure approved logon IP addresses, time periods, and accounts. Logons from unapproved IP addresses, accounts, or time periods trigger alerts. You can manually add approved logon locations or let the system automatically update approved logon locations. You can also specify the assets on which alerts are triggered when logons from unusual locations are detected.

Security Center can detect the following logon events:

  • Logons to Elastic Compute Service (ECS) instances from unapproved IP addresses
  • Logons to ECS instances from unapproved locations
  • Execution of unusual commands after logons to ECS instances by using Secure Shell (SSH)
  • ECS instance passwords cracked by brute-force attacks over the SSH protocol
For more information, see How can I detect unusual logons and receive alerts in the Security Center console?

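
The following Python script is an added example, not Security Center code, of the approved-logon policy described above. It evaluates constructed SSH logon records against assumed approved IP ranges, accounts, and logon hours, and separately flags the brute-force pattern of repeated failures followed by a success from the same source, which corresponds to the last logon event in the list. The policy values, the record format, and the failure threshold are assumptions made for this example.

```python
"""Added example (not Security Center code): approved-logon policy checks and
a simple SSH brute-force detector over constructed logon records."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed policy: who may log on, from where, and during which UTC hours.
POLICY = {
    "approved_networks": [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("203.0.113.0/24")],
    "approved_accounts": {"ops", "deploy"},
    "approved_hours": range(8, 20),      # 08:00 to 19:59
}
BRUTE_FORCE_FAILURES = 5                 # assumed threshold before a success is suspicious

# Constructed records in the shape "timestamp user source_ip result".
SAMPLE_LOG = """\
2024-03-01T09:12:03 ops 10.1.2.3 success
2024-03-01T09:40:10 deploy 203.0.113.7 success
2024-03-01T02:15:44 ops 10.1.2.3 success
2024-03-01T10:05:00 root 198.51.100.9 failure
2024-03-01T10:05:02 root 198.51.100.9 failure
2024-03-01T10:05:04 root 198.51.100.9 failure
2024-03-01T10:05:06 root 198.51.100.9 failure
2024-03-01T10:05:08 root 198.51.100.9 failure
2024-03-01T10:05:10 root 198.51.100.9 success
2024-03-01T11:00:00 backup 10.9.9.9 success
"""


def parse(lines):
    """Turn the constructed text records into dicts with typed fields."""
    records = []
    for line in lines.splitlines():
        ts, user, ip, result = line.split()
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "ip": ipaddress.ip_address(ip), "result": result})
    return records


def policy_alerts(records, policy):
    """One alert per successful logon that violates any approved-logon rule."""
    alerts = []
    for r in records:
        if r["result"] != "success":
            continue
        reasons = []
        if not any(r["ip"] in net for net in policy["approved_networks"]):
            reasons.append("unapproved IP address")
        if r["user"] not in policy["approved_accounts"]:
            reasons.append("unapproved account")
        if r["time"].hour not in policy["approved_hours"]:
            reasons.append("unapproved time period")
        if reasons:
            alerts.append((str(r["ip"]), r["user"], r["time"].isoformat(), reasons))
    return alerts


def brute_force_alerts(records, threshold):
    """Flag a success preceded by at least `threshold` consecutive failures from the same source."""
    streak = defaultdict(int)
    alerts = []
    for r in sorted(records, key=lambda x: x["time"]):
        if r["result"] == "failure":
            streak[r["ip"]] += 1
        else:
            if streak[r["ip"]] >= threshold:
                alerts.append((str(r["ip"]), r["user"], streak[r["ip"]]))
            streak[r["ip"]] = 0
    return alerts


def analyse(lines=SAMPLE_LOG):
    records = parse(lines)
    return {"policy": policy_alerts(records, POLICY),
            "brute_force": brute_force_alerts(records, BRUTE_FORCE_FAILURES)}


if __name__ == "__main__":
    for kind, items in analyse().items():
        for item in items:
            print(kind, item)
```

On the constructed records, the policy check raises three alerts (an approved account logging on outside the approved hours, a root logon from an unapproved address, and an unapproved account from an approved network), and the brute-force check flags the root success that followed five failures. Note that a logon can violate several rules at once; reporting every reason makes triage faster than reporting only the first.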
Suspicious Event: Security Center detects suspicious activities.

Sensitive File Tampering: Security Center checks your servers for malicious modification of sensitive files, such as tampering with the preload configuration files of Linux shared libraries.

Malicious Process: Security Center uses the agent to scan your servers in real time and generates alerts if viruses are detected. You can handle the detected viruses in the Security Center console.

Security Center can detect the following malicious activities and processes:

  • Accesses from malicious IP addresses
  • Mining programs
  • Self-mutating trojans
  • Malicious programs
  • Trojans
For more information, see Cloud threat detection.

Unusual Network Connection: Security Center detects unusual network connections and disconnections.

Security Center can detect the following network activities:

  • Proactive connections to malicious download sources
  • Accesses to malicious domains
  • Communication with mining pools
  • Suspicious outbound network connections
  • External reverse shell connections
  • Unusual network connections in Windows systems
  • Lateral movement attacks
  • Suspicious scans for sensitive ports such as ports 22, 80, 443, and 3389

Other: Security Center detects unusual disconnections of the Security Center agent and other network intrusions, such as DDoS attacks.

Suspicious Account: Security Center detects unapproved accounts that attempt to log on to your assets.

Application intrusion event: Security Center detects intrusion activities that use system application components.

Cloud threat detection: Security Center detects whether threats exist in other Alibaba Cloud services that you have purchased. The threats include suspicious deletion of ECS security group rules.

Precision defense: The antivirus feature provides precise protection against mainstream ransomware, DDoS trojans, mining programs, trojans, malicious processes, webshells, and worms. For more information about how to enable this feature, see Proactive defense.

Application Whitelist: You can create a whitelist policy for servers that require reinforced protection. Security Center generates alerts for processes that the policy identifies as suspicious or malicious and that are not in the whitelist.

Persistence: Security Center detects suspicious scheduled tasks on your servers. When persistent threats against the servers are detected, Security Center generates alerts.

Web Application Threat Detection: Security Center detects intrusion activities that use web applications.

Malicious scripts: Security Center detects whether the system services of your assets are attacked or modified by using malicious scripts. If potential script attacks are detected, Security Center generates alerts.

Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may implant mining programs and webshells, and add administrator accounts. Programming languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

Threat intelligence: Security Center uses the threat intelligence library developed by Alibaba Cloud to perform correlation analysis on access traffic and logs. Security Center also detects threat events, including access to malicious domains, connections to malicious download sources, and access from malicious IP addresses.

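
The following Python script is an added example, not Security Center code, that serves two of the items above: the Threat intelligence correlation of connection logs against an indicator list, and the Unusual Network Connection item about scans of sensitive ports (22, 80, 443, and 3389). Both checks share one parser for constructed connection records. The indicator list uses reserved documentation addresses and `.invalid` host names so that it contains no real IoCs, and the scan threshold is an assumption.

```python
"""Added example (not Security Center code): correlate connection records with a
constructed threat-intelligence list and flag sources probing sensitive ports."""
from collections import defaultdict

SENSITIVE_PORTS = {22, 80, 443, 3389}
SCAN_THRESHOLD = 3      # assumed: distinct sensitive ports one source may touch before alerting

# Constructed indicator list: indicator -> category. These are not real IoCs.
THREAT_INTEL = {
    "198.51.100.200": "malicious IP address",
    "pool.example-mining.invalid": "mining pool",
    "dl.example-malware.invalid": "malicious download source",
}

# Constructed records: "direction source destination port" (out = host-initiated).
SAMPLE_CONNECTIONS = """\
out 10.0.0.5 updates.example.com 443
out 10.0.0.5 pool.example-mining.invalid 3333
out 10.0.0.7 dl.example-malware.invalid 80
in 198.51.100.200 10.0.0.5 22
in 192.0.2.77 10.0.0.5 22
in 192.0.2.77 10.0.0.5 80
in 192.0.2.77 10.0.0.6 3389
in 192.0.2.77 10.0.0.6 8080
"""


def parse(lines):
    """Turn the constructed text records into dicts with named fields."""
    return [dict(zip(("direction", "src", "dst", "port"), line.split()))
            for line in lines.splitlines()]


def intel_matches(records, intel):
    """Every connection whose remote endpoint appears in the indicator list."""
    hits = []
    for r in records:
        remote = r["dst"] if r["direction"] == "out" else r["src"]
        if remote in intel:
            hits.append((remote, intel[remote], r["direction"]))
    return hits


def port_scan_alerts(records, threshold):
    """Inbound sources that touched at least `threshold` distinct sensitive ports,
    counted across all of our hosts so horizontal scans are caught as well."""
    ports_by_src = defaultdict(set)
    for r in records:
        port = int(r["port"])
        if r["direction"] == "in" and port in SENSITIVE_PORTS:
            ports_by_src[r["src"]].add(port)
    return [(src, sorted(ports)) for src, ports in sorted(ports_by_src.items())
            if len(ports) >= threshold]


def analyse(lines=SAMPLE_CONNECTIONS):
    records = parse(lines)
    return {"intel": intel_matches(records, THREAT_INTEL),
            "scans": port_scan_alerts(records, SCAN_THRESHOLD)}


if __name__ == "__main__":
    for kind, items in analyse().items():
        for item in items:
            print(kind, item)
```

On the constructed records, the intelligence correlation matches the mining-pool and download-source destinations and the inbound malicious address, while the scan check flags only the source that touched three different sensitive ports; the source that reached port 22 once stays below the threshold. Matching on the remote endpoint of each record, whichever direction it flows, is what lets a single indicator list cover both outbound and inbound activity.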
Malicious Network Activity: Security Center identifies unusual network behaviors based on log data, such as network content and server behaviors. Malicious network behaviors include intrusions into hosts over open networks and unusual behaviors of compromised hosts.

K8s Abnormal Behavior: Security Center monitors the security status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusions in a timely manner.

Log on to the Security Center console and click Settings in the left-side navigation pane. In the K8s Threat Detection section of the General tab, turn on Threat Detection to allow Security Center to detect threats in the container cluster. For more information, see Threat detection for Kubernetes containers.

Trusted exception: Security Center detects whether your system processes have been modified and whether exceptions occur when you start the system.