All Products
Search
Document Center

Security Center:Functions and features

Last Updated:Nov 08, 2024

Security Center provides all-around security checks and protection capabilities for your assets that are deployed on Alibaba Cloud, multi-cloud environments, data centers, and container environments. To meet requirements in different scenarios, Security Center provides the following editions: Basic, Anti-virus, Advanced, Enterprise, Ultimate, and Value-added Plan. This topic describes the features that are provided by Security Center and the differences between the features of the editions.

Note
  • The Anti-virus, Advanced, Enterprise, and Ultimate editions encapsulate different features that are provided by Security Center to meet the security requirements in various scenarios. Basic features cannot be separately purchased and are available only after you purchase a specific edition of Security Center. Basic features include virus detection and removal and proactive defense for containers.

  • Value-added features can be used after you purchase or enable the features. Value-added features include anti-ransomware, web tamper proofing, and agentless detection.

  • The following symbols are used in the tables of this topic:

    • 不支持

    • 支持

Pricing

Subscription billable items

Billable item

Anti-virus

Advanced

Enterprise

Ultimate

Value-added Plan

Basic service fees

USD 1 per core-month

USD 9.5 per server-month

USD 23.5 per server-month

USD 23.5 per server-month + USD 1 per core-month

N/A

Value-added service fees

Vulnerability fixing

USD 0.3 per fix-month (The minimum quota that you can purchase is 20.)

An unlimited quota is provided, and no additional fees are generated.

USD 0.3 per fix-month (The minimum quota that you can purchase is 20.)

Application protection

You can purchase a larger quota at a lower unit price.

  • Tier 1: If the quota is no greater than 50, the fee is USD 6 per process-month.

  • Tier 2: If the quota is greater than 50 but no greater than 200, the fee is USD 4.5 per process-month.

  • Tier 3: If the quota is greater than 200, the fee is USD 3 per process-month

Web tamper proofing

USD 165 per server-month

Threat analysis and response

  • Log Data to Add: You are charged based on tiered pricing. The following list describes the unit price for each tier. X is the amount of log data that is added within one day.

    • 0 GB < X ≤ 10 GB: USD 0.6 per GB-day

    • 10 GB < X ≤ 50 GB: USD 0.48 per GB-day

    • 50 GB < X ≤ 100 GB: USD 0.45 per GB-day

    • 100 GB < X ≤ 9,999,999 GB: USD 0.42 per GB-day

  • Log Storage Capacity: USD 0.1 per GB-month

Anti-ransomware

USD 0.045 per GB-month

Log analysis

USD 0.1 per GB-month

Not supported.

Container image scan

Not supported.

USD 0.1 per image-month

Cloud honeypot

USD 333.33 per probe-month (The minimum quota that you can purchase is 20.)

Note

You are charged for cloud honeypot based on the number of probes.

Configuration assessment

Based on the consumed quota for configuration assessment (The total number of scans, verifications, and successful fixes for each check performed on an instance), a tiered pricing model is applied. The following list describes the specific pricing details (The minimum quota that you can purchase is 15,000, with increments of 55,000):

  • Tier 1: If the quota is no greater than 100,000, the fee is USD 0.0009 per time.

  • Tier 2: If the quota is greater than 100,000 but no greater than 500,000, the fee is USD 0.00069 per time.

  • Tier 3: If the quota is greater than 500,000, the fee is USD 0.000625 per time.

Note

An instance refers to the instance of a specific network device or an application, such as an Object Storage Service (OSS) bucket or an ECS security group. For more information, see Overview of configuration assessment.

SDK for malicious file detection

USD 1.5 per 10,000 detections-month (The minimum quota that you can purchase is 100,000.)

Note

You are charged based on the number of times that files are detected.

Subscription duration

Monthly or yearly subscription is supported.

  • If you use Security Center Basic, you can purchase basic protection features or value-added features that are supported by other editions of Security Center. If you do not need to purchase basic protection features, you can purchase the Value-added Plan edition to separately purchase value-added features.

  • If you purchased the threat analysis and response feature before April 26, 2024, you are charged based on the original price of USD 0.44 per GB-month for log storage capacity.

  • On July 21, 2022, the basic service fees for Security Center Ultimate are changed from USD 3 per core-month to USD 23.5 per server-month + USD 1 per core-month.

  • If you purchased Security Center Ultimate before July 21, 2022, you are charged based on the original prices when you renew, upgrade, or downgrade Security Center.

  • Starting from July 21, 2022, you are charged the basic service fees for Security Center Ultimate in scenarios when you purchase Security Center Ultimate or upgrade Security Center to the Ultimate edition. Basic service fees = USD 23.5 per server-month + USD 1 per core-month.

Pay-as-you-go billable items

  • Vulnerability fixing: After you purchase the vulnerability fixing feature by using the pay-as-you-go billing method, you are charged USD 0.3 per fix by calendar day. For more information, see Purchase the vulnerability fixing feature.

  • Agentless detection: After you purchase the agentless detection feature by using the pay-as-you-go billing method, you are charged USD 0.03 per GB of scanned data by calendar day. For more information, see Use the agentless detection feature.

  • Configuration assessment: After you purchase the configuration assessment feature by using the pay-as-you-go billing method, you are charged based on the consumed quota for configuration assessment (including scan counts, verification counts, and successful fix counts) in the tiered pricing mode by calendar day. For more information, see Purchase and authorization.

    Consumed quota for configuration assessment

    Price (USD/time)

    0~100,000

    0.0009

    100,001~500,000

    0.0007

    Greater than 500,000

    0.00045

Overview

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Security Score

Security Center evaluates your assets and assigns a security score that provides a reference on the security of your assets.

对

对

对

对

对

Assets

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Cloud Asset Overview

Security Center provides an overview of your cloud assets, and allows you to view network topology, security score, and security risks. Security Center also provides a unified portal where you can manage your cloud assets.

错

错

错

对

对

Container Asset Overview

Security Center provides a GUI that simplifies the management of your assets such as clusters, containers, images, and applications. Security Center also displays the network topology of your container assets. This gives you a birds-eye view of the security status of your containers and the network connections between them.

错

错

错

错

对

Server

Security Center displays security information about each protected server. The information includes the risk status, group, region, and virtual private cloud (VPC).

对

对

对

对

对

Asset Fingerprints

Security Center collects the following types of server fingerprints: accounts, ports, and processes.

Supported fingerprints

  • Accounts

    Security Center collects information about server accounts and their permissions, and checks privileged accounts to detect privilege escalation activities.

  • Ports

    Security Center collects and displays port listening information to check open ports.

  • Processes

    Security Center collects and displays process snapshots to verify trusted processes and detect untrusted processes.

  • Middleware

    Security Center collects information about middleware of your assets.

  • Database

    Security Center collects information about databases of your assets.

  • Web services

    Security Center collects information about web services of your assets.

  • Software

    Security Center scans software installation information and identifies affected assets when high-risk vulnerabilities are detected.

  • Scheduled tasks

    Security Center collects information about scheduled tasks of your assets.

  • Startup items

    Security Center collects information about startup items to help you quickly identify at-risk startup items.

  • Kernel modules

    Security Center collects information about kernel modules to help you quickly identify at-risk kernel modules.

  • Websites

    Security Center collects information about websites of your assets.

  • IDC probe findings

    If you install an IDC probe on a server in a data center, the IDC Probe Finding tab displays information about other servers in the data center. You can obtain an overview about the servers in the data center.

错

错

错

对

对

Security Check

After you perform a quick check task, Security Center performs checks such as vulnerability detection and baseline checks on specified servers based on your configurations.

错

错

对

对

对

Container

Security Center provides the security statistics of your clusters, pods, containers, and images.

错

错

错

错

对

Cloud Product

Security Center displays the security information about cloud services. The information includes at-risk cloud services and their service types. The service types include Server Load Balancer (SLB) and ApsaraDB RDS.

对

对

对

对

对

Website

Security Center displays security information about each protected website. The information includes the root domain, subdomains, risk status, and alerts.

对

对

对

对

对

Value-added features

Security Center provides the severless asset protection feature that supports the alert detection, vulnerability scanning, and baseline checks for Elastic Container Instance (ECI) and Serverless App Engine (SAE) instances created by using ACK managed clusters, ACK dedicated clusters, ACK Serverless clusters, or Platform for AI. You can use this feature after you enable the it based on the pay-as-you-go billing method. For more information, see Use the serverless asset protection feature.

Risk Governance

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Asset Exposure Analysis

Security Center supports full scanning and analysis of your resources on Alibaba Cloud, such as Elastic Compute Service (ECS) instances, gateways, system components, and ports. This way, Security Center can identify the security risks and vulnerabilities of your resources that are exposed on the Internet. This helps you detect and resolve issues at the earliest opportunity and improves the security of your resources.

错

错

错

对

对

Vulnerabilities

Linux Software Vulnerability

Security Center compares software versions by using the matching engine of Open Vulnerability and Assessment Language (OVAL). Security Center generates alerts when the Linux software vulnerabilities that are recorded in the Common Vulnerabilities and Exposures (CVE) database are detected in the current version.

Only automatic detection is supported.

Only automatic detection is supported.

对

对

对

Security Center supports the automatic fixing of vulnerabilities and automatic creation of snapshots. This allows you to undo fixes by using snapshots.

Required

Required

对

对

对

Windows System Vulnerability

Security Center obtains Microsoft updates for Windows operating systems, detects high-risk vulnerabilities, and generates alerts for these vulnerabilities.

Only automatic detection is supported.

Only automatic detection is supported.

对

对

对

Security Center automatically identifies pre-patches that are used to fix vulnerabilities to prevent failures caused by the lack of the required pre-patches. This allows you to fix Windows vulnerabilities with a few clicks. Security Center also generates alerts for vulnerabilities that require a system restart after the vulnerabilities are fixed. This allows you to fix Windows system vulnerabilities in an efficient manner.

Required

Required

对

对

对

Web-CMS Vulnerability

Security Center monitors web directories, recognizes common website builders, and checks the vulnerability database to identify vulnerabilities in website builders.

Only automatic detection is supported.

Only automatic detection is supported.

对

对

对

Security Center uses patches developed by Alibaba Cloud to replace and modify source code. This allows you to fix vulnerabilities with a few clicks.

错

错

对

对

对

Urgent Vulnerability

Security Center detects urgent vulnerabilities when they are made public. Security Center does not support automatic fixing of urgent vulnerabilities. You must follow the instructions provided by Security Center to manually fix the vulnerabilities.

对

对

对

对

对

Application Vulnerability

Security Center detects weak passwords for system services and vulnerabilities in system services and applications.

错

错

错

对

对

Vulnerability Scan

Allows you to manually run quick scan tasks on your assets to detect vulnerabilities in real time.

Only urgent vulnerabilities can be detected.

对 (Application vulnerabilities are not supported.)

对 (Application vulnerabilities are not supported.)

对

对

Entry point to vulnerabilities that require immediate fixing

Security Center provides a centralized entry point for you to view and fix all vulnerabilities with high priorities.

错

错

对

对

对

YUM/APT Source Configuration

Security Center allows you to preferentially use YUM or APT sources maintained by Alibaba Cloud to fix vulnerabilities. After you turn on YUM/APT Source Configuration, Security Center automatically selects YUM or APT sources maintained by Alibaba Cloud. This improves the success rate of vulnerability fixing.

Note

Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability fails to be fixed.

错

错

对

对

对

Baseline Check

Server baseline check

Security Center dispatches tasks to check server configurations. Security Center generates alerts when configuration risks are detected.

Security Center allows you to specify check items, detection intervals, and servers to create custom check policies. Custom check scripts are not supported.

Security Center allows you to configure custom weak password rules. Security Center checks the configurations of your cloud services by using the check policy that you specify. Security Center generates alerts when weak passwords are detected.

Detection scope

  • High-risk exploits

    Security Center detects vulnerabilities in unauthorized operations in CouchDB or Docker.

  • Containers

    Security Center detects risks on Docker, Kubernetes Master, and Kubernetes Node.

  • Classified protection compliance

    Security Center performs security checks against Multi-Level Protection Scheme (MLPS) level 3, MLPS level 2, and internationally agreed best practices for security.

  • Best security practices

    Security Center performs security checks on Linux, Windows, and Redis.

  • Weak passwords

    Security Center detects weak passwords during logons, such as MongoDB, FTP, and Linux logons.

错

错

Only weak passwords can be detected.

对

对

Container baseline check

Security Center performs security checks on the baseline configurations of containers. Security Center also generates alerts for the detected risks.

Detection scope

  • Alibaba Cloud Standard - Docker security baseline check

    Security Center checks the configurations against the Alibaba Cloud standard of best practices for Docker. This check covers different dimensions, such as security audit, service configurations, and file permissions. Security Center generates alerts at the earliest opportunity when risks are detected.

  • Alibaba Cloud Standard - Kubernetes-Master security baseline check

    Security Center checks the configurations against the Alibaba Cloud standard of best practices for Kubernetes Master.

  • Alibaba Cloud Standard - Kubernetes-Node security baseline check

    Security Center checks the configurations against the Alibaba Cloud standard of best practices for Kubernetes Node.

错

错

错

错

对

Baseline risk fixing

Security Center mitigates risks that are detected from the baseline checks based on the Alibaba Cloud security standards and MLPS standards.

错

错

错

对

对

AK Leak Detection

Security Center monitors code hosting platforms such as GitHub in real time to detect AccessKey leaks of Alibaba Cloud accounts in source code.

对

对

对

对

对

Value-added features

Feature

Description

How to enable the feature

Quick vulnerability fixing

Security Center allows you to fix Linux software vulnerabilities and Windows system vulnerability with a few clicks.

You can use this feature after you purchase a quota for vulnerability fixing or purchase vulnerability fixing based on the pay-as-you-go billing method.

Note

If you use the Basic, Value-added Plan, or Anti-virus edition, you must purchase a quota for vulnerability fixing or purchase the vulnerability fixing feature. If you use the Advanced, Enterprise, or Ultimate edition, you do not need to purchase the feature. You are provided an unlimited quota to fix vulnerabilities.

Configuration Assessment

Security Center detects configuration errors and security risks on cloud services from the following dimensions: identity and permission management, security risks in Alibaba Cloud services, and compliance risks. This ensures the security of the running environment of your cloud services.

Use one of the following billing methods:

  • Pay-as-you-go: You can use this feature after you enable the feature based on the pay-as-you-go billing method.

  • Subscription: You can use this feature after you purchase a quota for the configuration assessment feature.

    Note

    If you enable the configuration assessment feature before July 7, 2023, you can use some check items of the feature free of charge until your Security Center expires. If you renew the subscription before your Security Center expires, you can continue to use specific check items free of charge.

Cloud Honeypot

Security Center provides capabilities such as attack discovery and defense within and outside the cloud. You can create honeypots in VPCs and servers that are protected by Security Center. This protects the servers from attacks that are launched within and outside the cloud and reinforces the security of the servers.

You can use this feature after you purchase a quota for the cloud honeypot feature based on the subscription billing method.

SDK for Malicious File Detection

SDK for malicious file detection is supported. The SDK provides the following capabilities:

  • SDK for file detection: You can use SDK for file detection to detect malicious files based on various threat detection engines of Security Center. To use this feature to detect malicious files, you need to only write a small amount of code.

  • Object Storage Service (OSS) file detection: You can use OSS file detection to detect malicious objects in Alibaba Cloud OSS buckets based on cloud-native capabilities.

You can use this feature after you purchase a quota for SDK for malicious file detection based on the subscription billing method.

Log Analysis

Network logs

This type of log records web access, Domain Name System (DNS) resolution, local DNS caches, and network sessions. You can use the logs to identify security threats, such as attack attempts and malicious traffic. This helps meet compliance and audit requirements.

If you use the Enterprise or Ultimate edition of Security Center, you can use this feature after you purchase the log storage capacity for log analysis.

Host logs

This type of log records logons, process startups, account snapshots, and DNS requests. You can use the logs to monitor user activities, system events, and application operations on hosts. This helps identify threats and optimize running performance.

If you use the Anti-virus edition of Security Center or higher, you can use this feature after you purchase the log storage capacity for log analysis.

Note

If you use the Value-added Plan edition, you cannot purchase the log storage capacity for log analysis.

Security logs

This type of log records vulnerabilities, baseline risks, alerts, and configuration assessment check results. You can use the logs to observe security trends, improve security policies and defense mechanisms, and identify weak links in systems.

Detection and Response

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Alerts

Suspicious process

Security Center traces intrusion sources based on real attack-defense scenarios in the cloud and creates a process whitelist. Security Center generates alerts when unauthorized processes or intrusion attacks are detected.

Security Center builds approximately 1,000 process patterns for hundreds of processes and compares the processes against these patterns to detect suspicious processes.

Detection scope

  • Reverse shells

    Security Center detects suspicious command execution by Bash processes, and arbitrary command execution on servers under remote control.

  • Suspicious command execution in databases

    Security Center detects suspicious command execution in databases, such as MySQL, PostgreSQL, SQL Server, Redis, and Oracle.

  • Unauthorized operations in application processes

    Security Center detects unauthorized operations in application processes, such as Java, FTP, Tomcat, Docker container, and Lsass.exe processes.

  • Unauthorized system processes

    Security Center detects unauthorized system processes, such as PowerShell, SSH, Remote Desktop Protocol (RDP), Server Message Block Daemon (SMBD), and Secure Copy Protocol (SCP) processes.

  • Other suspicious processes

    Security Center detects activities of other suspicious processes, such as unusual access to Visual Basic Script (VBScript), unusual access to hosts, writing of crontab files, and webshell injection.

错

对

对

对

对

Webshell

Security Center supports detection of website script files, such as PHP, ASP, and JSP files, based on both servers and networks.

Security Center performs the following detection:

  • Server-based detection

    Security Center monitors network directory changes on servers in real time.

  • Network-based detection

    Security Center captures webshell files and identifies network protocols to detect webshells.

Only some webshells can be detected.

对

对

对

对

Security Center also supports webshell detection and removal, which allows you to manually quarantine detected webshell files. Files that are quarantined can be restored within 30 days.

错

对

对

对

对

Unusual logon

Security Center provides basic detection services.

Detection scope

  • Logons from unapproved locations

    Security Center detects logons from unapproved locations. Security Center automatically records locations where logons to ECS instances are allowed. These locations can also be manually added. Security Center generates alerts when logons from unapproved locations are detected.

  • Brute-force attacks

    Security Center detects logons to ECS instances after multiple failed attempts. This may indicate that these ECS instances are compromised due to brute-force attacks.

对

对

对

对

对

Security Center provides advanced detection services.

Detection scope

  • Logons from unapproved IP addresses

    Security Center detects logons from unapproved IP addresses. Security Center allows you to specify approved IP addresses, such as the IP addresses of bastion hosts and the private networks of companies, from which users are allowed to log on to ECS instances. Security Center generates alerts when logons from unapproved IP addresses are detected.

  • Logons from unapproved accounts

    Security Center detects logons from unapproved accounts. Security Center allows you to specify approved accounts, with which users are allowed to log on to ECS instances. Security Center generates alerts when logons from unapproved accounts are detected.

  • Logons within unapproved time ranges

    Security Center detects logons within unapproved time ranges. Security Center allows you to specify approved time ranges, such as business hours, during which users are allowed to log on. Security Center generates alerts when logons within unapproved time ranges are detected.

错

错

对

对

对

Sensitive file tampering

Security Center monitors sensitive directories and files, and generates alerts when suspicious read, write, or delete operations are detected.

Detection scope

  • Tampering of system files

    Security Center checks whether Bash and ps commands are replaced or whether hidden and unauthorized processes are running.

  • Removal of core website files

    Security Center detects malicious removal of core website files after servers are attacked.

  • Trojan insertion

    Security Center checks whether malicious code is inserted into a website. If malicious code is inserted into a website, trojans are automatically downloaded when users visit the website.

  • Other suspicious activities

    Security Center checks whether ransomware tampers with the logon pages of Linux and MySQL and inserts emails or Bitcoin wallet addresses.

错

对

对

对

对

Malicious software

Security Center scans processes on a regular basis, monitors process startups, and detects viruses and trojans by using the cloud threat detection mechanism. You can terminate malicious processes and manually quarantine malicious files with a few clicks in the Security Center console.

Characteristics of the virus library that is used for cloud threat detection

  • Up-to-date virus data

    The virus library is deployed, maintained, and updated by Alibaba Cloud in real time. This minimizes the risk of potential losses caused by outdated virus data.

  • Diverse virus samples

    All types of viruses are covered. Security Center integrates major antivirus engines around the world. Sandboxes and machine learning engines developed by Alibaba Cloud are used.

Detection scope

  • Ransomware

    Security Center detects file-encrypting ransomware, such as WannaCry and CryptoLocker.

  • Attacks

    Security Center detects DDoS trojans, malicious scanning trojans, and spam trojans.

  • Mining software

    Security Center detects software that consumes resources and uses servers for cryptocurrency mining.

  • Zombies

    Security Center detects command and control (C&C) trojans, malicious C&C connections, and attack tools.

  • Other viruses

    Security Center detects worms, Mirai, and infectious viruses.

错

对

对

对

对

Suspicious network connection

Security Center monitors connections on servers and networks. Security Center generates alerts when suspicious connections are detected.

Detection scope

  • Suspicious connections to external IP addresses

    Security Center detects reverse shells and the Bash shell that establishes suspicious connections to external IP addresses.

  • Attacks

    Security Center detects maliciously inserted software that is used to launch attacks, such as SYN floods, UDP floods, and ICMP floods.

  • Suspicious communications

    Security Center detects suspicious webshell communications.

  • Suspicious TCP packets

    Security Center detects scan activities that are initiated on your server and target other devices.

错

对

对

对

对

Other features

Security Center detects unusual disconnections of the Security Center agent.

错

错

对

对

对

Abnormal account

Security Center detects suspicious accounts that attempt to log on to your system based on user behavior analysis.

错

对

对

对

对

Intrusion into applications

Security Center detects intrusion into applications, such as SQL Server.

错

对

对

对

对

Cloud threat detection

Security Center detects unusual use of cloud services based on user behavior analysis. For example, an attacker uses your AccessKey pair to purchase a large number of ECS instances for data mining.

对

对

对

对

对

Precision defense

Security Center automatically blocks common Internet viruses, such as ransomware, DDoS trojans, mining and trojan programs, malicious programs, webshells, and computer worms.

错

对

对

对

对

Persistent webshell

Security Center detects persistent webshells on servers.

After an attacker gains control over a server, the attacker typically places webshells, such as scripts, processes, and links, to persistently exploit the intrusion. Common persistent webshells include crontab jobs, automatic tasks, and system replacement files.

错

对

对

对

对

Web application threat detection

Security Center detects intrusion activities that use web applications.

错

对

对

对

对

Malicious script

Security Center detects malicious scripts on servers.

Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts to carry out the actual attack. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript.

错

对

对

对

对

Threat detection during container runtime

Security Center detects threats to Container Service for Kubernetes in real time. The threats include viruses and malicious programs in containers or on hosts, intrusion into containers, and container escapes. Security Center also generates alerts for these threats and warnings for high-risk operations. Security Center detects the threats to containers and generates alerts for detected threats.

Detection scope

  • Malicious image startups

    Security Center dynamically monitors open image sources, such as Docker Hub, and generates alerts if an image that contains webshells or mining programs is installed on your server.

  • Viruses and malicious programs

    Security Center detects viruses, trojans, mining programs, malicious scripts, and webshells in containers.

  • Intrusions into containers

    Security Center detects intrusions into containers from attackers who exploit application-layer vulnerabilities, unauthorized operations in containers, and application-to-application spread of malicious scripts in containers.

  • Container escapes

    Security Center detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities.

  • High-risk operations

    Security Center detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and suspicious startup behavior of privileged containers. This minimizes the risk of attackers exploiting these vulnerabilities.

错

错

错

错

对

Alert archiving

Security Center archives the alerts that are handled earlier than 30 days ago and allows you to download the archived alerts. This facilitates event tracing and audit.

对

对

对

对

对

Attack Awareness

Security Center displays the details of web attacks and brute-force attacks on your server. Security Center traces the attacker IP addresses and finds the flaws of the attacks.

错

错

错

对

对

Threat Analysis and Response

Value-added features

The threat analysis and response feature allows you to manage security information and events of multiple cloud services that belong to different cloud accounts, including accounts of Alibaba Cloud, Huawei Cloud, and Tencent Cloud. The cloud services include Cloud Firewall and VPC. The feature allows you to focus on events and identify unknown threats. The feature also provides various context and tracing information, and supports quick event handling to improve the event operation efficiency. You can use this feature after you purchase the log storage capacity for threat analysis. For more information about the threat analysis and response feature, see Overview.

Host Protection

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Virus Detection and Removal

The security experts of Security Center conduct automated analysis on persistence and attack methods based on a large number of persistent virus samples. Then, the security experts release an engine that can detect and remove viruses based on machine learning results. You can use the engine to detect and remove viruses with a few clicks.

错

对

对

对

对

Host-specific Rule Management

The malicious behavior defense feature provides system rules and allows you to create custom defense rules. You can use the rules to enhance the security of your servers.

错

错

对

对

对

The feature of defense against brute-force attacks allows you to configure a defense rule to protect your servers from brute-force attacks. If the number of logon failures from an IP address to the same server exceeds a specified limit during a specified statistical period, the IP address is blocked.

错

错

对

对

对

Security Center allows you to specify approved logon locations, IP addresses, time ranges, and accounts to identify unusual logons that may be initiated by attackers.

Only approved logon locations can be specified.

Only approved logon locations can be specified.

对

对

对

Core File Monitoring

The core file monitoring feature allows you to monitor operations on files in real time, such as accessing, modifying, deleting, and renaming the files. If such operations are detected, Security Center generates alerts. This helps reduce the risk of core files being stolen or tampered with.

错

错

错

对

对

Value-added features

Feature

Description

How to enable the feature

Agentless Detection

The agentless detection feature adopts the agentless technology to scan and then detect security risks such as vulnerabilities, malicious files, and baseline risks on ECS instances, precluding the need to install the Security Center agent.

You can use this feature after you enable the agentless detection feature based on the pay-as-you-go billing method.

Anti-ransomware

The anti-ransomware feature allows you to back up and restore data on your servers and databases. This protects your servers and databases from ransomware.

You can use this feature after you purchase the anti-ransomware capacity.

Web Tamper Proofing

Security Center monitors website directories and restores maliciously modified files or directories by using backups. Security Center protects websites from malicious modification, trojans, hidden links, and insertion of violence or pornography content.

You can use this feature after you purchase a quota for web tamper proofing.

Container Protection

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Proactive Defense for Containers

  • At-risk Image Blocking

    This feature detects risks on images when you use images to create resources in clusters. This feature can allow or block an image that hits an at-risk image blocking rule, or generate an alert for the image. This ensures that only images that meet your security requirements can be started in your clusters.

  • Non-image Program Defense

    This feature detects and blocks the startup of programs that are not included in the images of clusters. This helps defend against malicious software intrusion.

  • Container Escape Prevention

    This feature detects risky operations from multiple dimensions, such as processes, files, and system calls, and isolates containers and hosts. This effectively blocks escape behavior and ensures the runtime security of containers.

错

错

错

错

对

Container File Protection

This feature can monitor directories and files in containers in real time, and generate alerts or intercept tampering operations when the directories or files are tampered with. This prevents your applications from being inserted with illegal information or malicious code.

错

错

错

错

对

Container Firewall

This feature delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks.

错

错

错

错

对

Container Signature

Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security.

Note

Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature.

错

错

错

错

对

CI/CD Integration Settings

Security Center detects image risks in the project building stage on Jenkins and GitHub in an efficient manner and provides solutions to detected image risks. Image risks include high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, configuration risks, and sensitive data.

错

错

对

对

对

Value-added features

The container image scan feature can manage container images and detect security risks in a comprehensive manner. The risks include high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in images. If you use the Advanced, Enterprise or Ultimate edition of Security Center, you can use this feature after you purchase a quota for Container Image Scan. For more information about the container image scan feature, see Overview.

Application Protection

Value-added features

The application protection feature adopts the Runtime Application Self Protection (RASP) technology to detect attacks during application runtime, and then block the attacks or generate alerts for the attacks. This helps protect applications. You can use this feature after you purchase a Quota for Application Protection. For more information, see Use the application protection feature.

System Configuration

Basic features

Feature

Description

Basic

Anti-virus

Advanced

Enterprise

Ultimate

Playbook

Security Center provides the task management feature. You can run tasks to enable automatic fixing of vulnerabilities in multiple servers at a time.

错

错

错

对

对

Security Report

Security Center allows you to configure security reports. After you enable this feature, Security Center sends emails that contain security statistics to the specified recipients.

错

错

对

对

对

Host Protection Settings

Proactive Defense - Malicious Host Behavior Prevention

This feature automatically blocks common network viruses, such as common ransomware, DDoS trojans, mining programs, trojans, malicious programs, webshells, and computer worms.

错

对

对

对

对

Proactive Defense - Anti-ransomware (Bait Capture)

This feature uses bait to capture the new types of ransomware and analyzes the patterns of the new types of ransomware. If risks such as unusual encryption are performed by the new types of ransomware, the system automatically blocks the ransomware to protect your assets.

错

对

对

对

对

Proactive Defense - Webshell Prevention

This feature automatically intercepts suspicious connections that are initiated by attackers by using known webshells. This feature also allows you to manually quarantine related files.

错

错

错

对

对

Proactive Defense - Malicious Network Behavior Prevention

This feature intercepts the abnormal network behavior between your servers and disclosed malicious access sources, which reinforces the security of your servers.

错

错

对

对

对

Proactive Defense - User Experience Optimization in Proactive Defense

If your server unexpectedly shuts down or the defense capability is unavailable, Security Center collects server data by using the kdump service for protection analysis. This enhances the protection capability of Security Center on an ongoing basis.

错

错

错

对

对

Webshell Detection and Removal

Security Center periodically scans web directories to detect webshells and trojans on your servers.

Only some webshells can be detected.

对

对

对

对

Adaptive Threat Detection Capability

If a high-risk intrusion is detected on your server after the adaptive threat detection feature is enabled, the Security Center agent on your server automatically runs in strict alert mode. This mode helps detect intrusions in a faster manner.

错

错

错

对

对

Alert modes

Security Center supports different alert modes for servers to meet your security requirements in different scenarios. By default, Security Center enables Balanced Mode for all servers that are added to Security Center.

错

对

对

对

对

Container Protection Settings

Threat Detection on Kubernetes Containers

Security Center monitors the status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusions at the earliest opportunity. Security Center detects the following items:

  • Suspicious instruction execution on a Kubernetes API server

  • Mounting of suspicious directories to a pod

  • Lateral movement among Kubernetes service accounts

  • Startup of a pod that contains a malicious image

错

错

错

错

对

Container Escape Prevention

The feature of container escape prevention detects high-risk operations from multiple dimensions such as processes, files, and system calls, and establishes protection barriers between containers and hosts. This effectively blocks escape behavior and ensures the runtime security of containers.

错

错

错

错

对

Agent Settings

Agent Protection

After you enable the agent protection feature, Security Center automatically intercepts unauthorized agent uninstallation. This feature prevents the agent from being uninstalled by attackers or terminated by other software.

对

对

对

对

对

Local File Detection Engine

The local file detection engine performs security checks on new script files and binary files on your server. If threats are detected, the engine reports alerts.

错

错

错

对

对

Client Resource Management

The feature of client resource management allows you to manually change the running mode of the Security Center agent to limit the amount of resources that the agent can consume. This meets the protection requirements of servers in various scenarios and enhances security.

对

对

对

对

对

Other Settings

Security Control

This feature allows you to configure the IP address whitelist. Requests initiated from IP addresses in the whitelist are directly forwarded to destination servers. This prevents normal network traffic from being blocked.

对

对

对

对

对

Access Control

Resource Access Management (RAM) allows you to create and manage RAM users, such as individuals, system administrators, and application administrators. You can manage RAM user permissions to control access to Alibaba Cloud resources.

对

对

对

对

对

Installation of the Security Center agent

This feature allows you to install and uninstall the Security Center agent.

对

对

对

对

对

Proxy Access

This feature allows you to add the following types of servers to Security Center: ECS instances that are deployed in VPCs, servers that are deployed in data centers, and servers that are deployed in hybrid clouds and are inaccessible over the Internet. You can also use the feature to manage uplink traffic of the servers. Uplink traffic refers to traffic from servers to Security Center.

对

对

对

对

对

Multi-cloud Assets

This feature allows you to add third-party cloud servers and servers in data centers to Security Center for protection and management.

对

对

对

对

对

IDC Probe

This feature allows you to create IDC probes to scan servers and identify the servers that have the Security Center agent installed in a data center. Then, you can synchronize the information about the identified servers to the Assets module of the Security Center console. This way, Security Center can manage the servers in a centralized manner.

对

对

对

对

对

Asset Management Rule

This feature allows you to configure rule conditions. You can manage servers that meet the specified rule conditions by group or tag in a simple and efficient manner.

对

对

对

对

对

Notification Settings

This feature allows you to configure custom notification methods and alert severities of alert notifications. Security Center sends alert notifications by using text messages, emails, internal messages, or DingTalk chatbots.

Note

Only the Enterprise and Ultimate editions of Security Center support DingTalk chatbots.

对 (Only specific notification methods are supported.)

对

对

对

对

Multi-account Management

This feature allows you to manage the assets of multiple members in the resource directory of your enterprise. You can monitor the security status of the members in real time.

对

对

对

对

对

Security Compliance Check

Security Center checks whether your assets comply with classified protection regulations, including those on communication networks, region borders, computing environments, and management centers. Security Center also generates compliance reports.

对

对

对

对

对

ISO 27001 Compliance Check

Security Center checks whether your system meets ISO 27001 requirements from aspects such as asset management, access control, cryptography, and operation security.

对

对

对

对

对

Value-added features

The global log filtering feature ensures security, maximizes log storage usage, and improves your operational efficiency. If you use the Anti-virus edition of Security Center or higher, you can use this feature after you purchase the log storage capacity for log analysis and enable the log analysis feature. For more information, see Global log filtering.

Limits on threat detection

Security Center sends alerts in real time when risks are detected. You can manage security alerts, scan for and fix vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can analyze alerts and trace attacks. This reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your server, and use other security services together with Security Center, such as Cloud Firewall and Web Application Firewall (WAF).

After you install the Security Center agent on a server, the defense process of Security Center requires a specific period of time to take effect on the server. During this period of time, Security Center cannot block threats such as ransomware and DDoS trojans.

Important

Attacks and viruses are always changing, and actual workloads run in different environments. Therefore, Security Center cannot ensure that all unknown threats are detected in real time. We recommend that you use Security Center features such as alerting, vulnerability detection, baseline check, and configuration assessment to enhance security and prevent intrusions, data thefts, and data damage.

References