Overview - Threat Detection| Alibaba Cloud Documentation Center

Security Center generates different types of alerts for your assets in real time. The types of alerts include the alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats to your assets based on more than 250 threat detection models. This allows you to monitor the security posture of your assets in real time and take actions at the earliest opportunity.

If Security Center detects threats to your cloud services or assets, it generates alerts. For example, if Security Center detects attacks initiated from a malicious IP address or detects exceptions on your assets, it generates alerts. The exceptions include that your server runs a malicious script or accesses a malicious download source after the server is intruded.

To view the alerts generated for your assets, you can choose Detection > Alerts in the left-side navigation pane of the Security Center console.

Note

By default, all protection features, excluding the web tamper proofing feature, supported by the current Security Center edition are enabled. To enable protection features such as web tamper proofing, you must upgrade Security Center to the Value-added Plan, Anti-virus, Advanced, Enterprise, or Ultimate edition. For more information, see Upgrade and downgrade Security Center.
The web tamper proofing feature is a value-added feature provided by Security Center. You must separately purchase and enable this feature. Only the Value-added Plan, Anti-virus, Advanced, Enterprise, and Ultimate editions support the web tamper proofing feature. The Basic edition does not support this feature. For more information about how to enable the web tamper proofing feature, see Enable tamper protection.
The cloud threat detection feature is supported by and automatically enabled for the Enterprise and Ultimate editions of Security Center. If you want to use this feature but Security Center runs the Basic, Anti-virus, or Advanced edition, you must upgrade Security Center to the Enterprise or Ultimate edition.

Threat detection models

Security Center provides more than 250 threat detection models to help you detect threats in a comprehensive way. In the upper-left corner of the Alerts page, you can click the Threat detection model icon icon to view the models. The models are used to detect threats throughout the 10 stages of a network attack. The stages include Attack Portal, Load Delivery, Privilege Escalation, and Escape Detection. This helps you detect threats to your cloud assets from end to end.

Alert statistics

Security Center provides statistics based on the enabled alert types. This allows you to obtain up-to-date information about the alerts on your assets, enabled alert types, and disabled alert types. On the Alerts page of the Security Center console, you can view the statistics on alerts and enabled alert types.

The following table describes the parameters in the upper part of the Alerts page.


Parameter	Description	Operation
Alerting Server(s)	The number of servers for which alerts are generated	Click the number below Alerting Server(s) to go to the Server(s) tab of the Assets page. The Server(s) tab displays the details of servers for which alerts are generated.
All Alerts	The total number of unhandled alerts	View the details of all Unhandled alerts on the Alerts page. For more information, see View and handle alert events.
Urgent Alerts	The number of unhandled Urgent alerts	Click the number below Urgent Alerts. The system displays the urgent alerts on the Alerts page. You can view and handle the Urgent alerts. The alerts generated by Security Center are classified into the following risk levels: Urgent: high-risk alerts. If high-risk alerts are generated, intrusion events such as reverse shells are detected on your server. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity. Warning: medium-risk alerts. If medium-risk alerts are generated, exceptions such as suspicious command sequences are detected on your server. We recommend that you view the details of the alerts, check whether your server is at risk, and handle the alerts. Notice: low-risk alerts. If low-risk alerts are generated, low-risk exceptions such as suspicious port listening are detected on your server. We recommend that you view the details of the alerts at the earliest opportunity. Note We recommend that you handle the Urgent alerts at the earliest opportunity.
Precise Defense	The number of viruses that are automatically quarantined by the antivirus feature	Click the number below Precise Defense. The system displays the related alerts on the Alerts page. You can view all the viruses that are automatically quarantined by the antivirus feature. Note You can ignore the viruses that are quarantined by Security Center.
IP blocking / All	IP blocking: the number of blocked IP addresses after the defense policies against brute-force attacks are enabled All: the total number of IP addresses that are blocked by all the defense policies against brute-force attacks	Click a number below IP blocking / All. In the IP Policy Library panel, you can view the enabled IP address blocking policies or all the IP address blocking policies. For more information about IP address blocking policies, see Configure blocking policies based on IP addresses.
Number Of Quarantined Files	The number of files that are quarantined by Security Center based on blocked alerts	Click the number below Number Of Quarantined Files. In the Quarantine panel, you can view the details of quarantined files. The quarantined files cannot affect your servers. For more information, see Use the quarantine feature.

Alert types

Since December 20, 2018, the Basic edition of Security Center generates alerts only for unusual logons and other DDoS attacks. To enable more advanced detection features, you must upgrade Security Center to a paid edition. For more information about the types of alerts that each Security Center edition can generate, see Features.

For more information about the specific check items of each type of alert in Security Center and check principles, see Alerts.

The following table describes all the types of alerts that Security Center can generate.


Alert	Description
Webpage Tampering	Security Center monitors web directories in real time and restores tampered files or directories by using the backup files. This protects websites from malicious modifications, trojans, hidden links, and uploads of violent or illicit content. Security Center can detect the following suspicious activities: File adding File modification File deletion Note Web tamper proofing is a value-added feature that is provided by Security Center. To use the feature, you must purchase and enable the feature. Security Center Anti-virus, Advanced, Enterprise, and Ultimate support web tamper proofing. Security Center Basic does not support web tamper proofing. For more information, see Overview of web tamper proofing.
Suspicious Process	Security Center can detect the following suspicious processes: Write operations on the configuration files of scheduled tasks in Linux. Modification to the files of scheduled tasks in Linux. Execution of suspicious commands in Linux. Reverse shells. For more information, see Detect reverse shells from multiple dimensions. Execution of suspicious commands in Python applications. Malicious code loading by using Windows system files. The Windows mshta.exe utility called to execute commands that insert JavaScript into an HTML page. Creation of suspicious scheduled tasks in Windows. Execution of suspicious commands in Windows regsvr32.exe. Access to malicious download sources. Suspicious modification of registry configurations. Suspicious calls of system tools. Execution of malicious commands. Containers started in privileged mode. Suspicious modification of auto-startup items.
Webshell	Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quarantines webshell files. Security Center scans the entire web directory early in the morning on a daily basis. If a file in the web directory changes, Security Center immediately scans for webshells. You can specify the assets on which Security Center scans for webshells. You can quarantine, restore, or ignore the detected trojan files. Note Security Center Basic detects only some types of webshells. If you want to detect all types of webshells, we recommend that you upgrade Security Center Basic to the Anti-virus, Advanced, Enterprise, or Ultimate edition. For more information, see Upgrade and downgrade Security Center.
Unusual Login	Security Center detects unusual logons to your servers. You can configure approved logon IP addresses, time periods, and accounts. Logons from unapproved IP addresses, accounts, or time periods trigger alerts. You can manually add approved logon locations or configure the system to automatically update approved logon locations. You can also specify the assets on which alerts are triggered when unusual logon locations are detected. Security Center can detect the following logon events: Logons to Elastic Compute Service (ECS) instances from unapproved IP addresses Logons to ECS instances from unapproved locations Execution of unusual commands after logons to ECS instances by using Secure Shell (SSH) Passwords of ECS instances cracked due to brute-force attacks based on the SSH protocol For more information, see How can I detect unusual logons and receive alerts in the Security Center console?
Suspicious Event	Security Center detects suspicious activities.
Sensitive File Tampering	Security Center checks whether the sensitive files on your servers are tampered with. The sensitive files include pre-loaded configuration files in the shared libraries of Linux.
Malicious Process	Security Center uses an agent to scan your servers in real time. If viruses are detected, Security Center generates alerts. You can handle the detected viruses in the Security Center console. Security Center can detect the following malicious activities and processes: Access to malicious IP addresses Mining programs Self-mutating trojans Malicious programs Trojans For more information, see Cloud threat detection.
Unusual Network Connection	Security Center detects unusual network connections and disconnections. Security Center can detect the following suspicious network activities: Proactive connections to malicious download sources. Access to malicious domains. Communication activities with mining pools. Suspicious outbound connections. Outbound connections of reverse shells. For more information, see Detect reverse shells from multiple dimensions. Unusual connections in Windows. Lateral movement attacks. Suspicious scans on sensitive ports such as ports 22, 80, 443, and 3389.
Other	Security Center detects unusual disconnections of the Security Center agent and network intrusions such as DDoS attacks.
Suspicious Account	Security Center detects unapproved accounts that attempt to log on to your assets.
Application intrusion event	Security Center detects intrusions that use system application components.
Cloud threat detection	Security Center detects whether threats exist in the other Alibaba Cloud services that you have purchased. The threats include suspicious deletion of ECS security group rules.
Precise defense	The antivirus feature provides precise protection against common ransomware, DDoS trojans, mining programs, trojans, malicious processes, webshells, and computer worms. For more information about how to enable the feature, see Use proactive defense.
Application Whitelist	You can create a whitelist policy for servers that require reinforced protection. If the suspicious or malicious processes that are identified by the policy are not added to the whitelist, Security Center generates alerts.
Persistence	Security Center detects suspicious scheduled tasks on servers. If persistent threats against the servers are detected, Security Center generates alerts.
Web Application Threat Detection	Security Center detects intrusions that use web applications.
Malicious scripts	Security Center detects whether the system services of your assets are attacked or modified by malicious scripts. If potential script attacks are detected, Security Center generates alerts. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, or add administrator accounts to your system. Programming languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.
Threat intelligence	Security Center uses the threat intelligence library developed by Alibaba Cloud to perform correlation analysis on access traffic and logs. Security Center also detects threat events, including access to malicious domains, malicious download sources, and malicious IP addresses.
Malicious Network Activity	Security Center identifies unusual network behavior based on log data, such as packet content and server behavior. Unusual network behavior includes intrusions into servers by using network services and unusual behavior of compromised servers.
K8s Abnormal Behavior	Security Center monitors the security status of running containers in a Kubernetes cluster. This allows you to detect security risks and intrusions at the earliest opportunity. Log on to the Security Center console and click Settings in the left-side navigation pane. In the K8s Threat Detection section of the General tab, you can turn on Threat Detection to allow Security Center to detect the exceptions to Kubernetes clusters. For more information, see Use threat detection on Kubernetes containers.
Trusted exception	Security Center detects whether your system processes have been modified and whether exceptions occur when you start the system.