
CN117879927A - Security level determination method, device, equipment and storage medium - Google Patents


Info

Publication number: CN117879927A
Authority: CN (China)
Prior art keywords: security level, capability, assessment, security, target
Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN202410010029.1A
Other languages: Chinese (zh)
Inventors: 张桂玉, 马季春, 梁晓晨, 张笑颜, 李长连, 王新
Current assignee: China United Network Communications Group Co Ltd; China Information Technology Designing and Consulting Institute Co Ltd
Original assignee: China United Network Communications Group Co Ltd; China Information Technology Designing and Consulting Institute Co Ltd
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd; priority to CN202410010029.1A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols


Abstract

The application relates to a security level determination method, apparatus, equipment and storage medium in the field of communication technology. The method comprises: determining, according to the target device category of a target device and a first correspondence, at least one target security level assessment domain corresponding to the target device and at least one target security level assessment item corresponding to each target security level assessment domain; and then determining the target security level of the target device according to the target device information of the target device, the at least one target security level assessment item of each target security level assessment domain, and a second correspondence. The second correspondence comprises a plurality of security level assessment items, a plurality of security levels corresponding to each security level assessment item, and a plurality of pieces of device information in one-to-one correspondence with those security levels. The target security level represents the degree of security of the target device. The method and apparatus are used to determine the degree of security of communication equipment.

Description

Security level determination method, device, equipment and storage medium

Technical Field

The present application relates to the field of communication technology, and in particular to a security level determination method, apparatus, device and storage medium.

Background Art

Communication network security is closely tied to people's daily lives. Because communication networks depend on communication equipment, determining the degree of security of that equipment assists in managing the network and can strengthen its security. How to determine the degree of security of communication equipment is therefore a technical problem that urgently needs to be solved.

Summary of the Invention

The present application provides a security level determination method, apparatus, device and storage medium for determining the degree of security of communication equipment. The technical solution of the present application is as follows:

In a first aspect, a security level determination method is provided. The method comprises: obtaining a target device category and target device information of a target device, where the target device information comprises at least one of device information of the device assessment dimension, device information of the network assessment dimension and device information of the system assessment dimension. According to the target device category and a first correspondence, at least one target security level assessment domain corresponding to the target device, and at least one target security level assessment item corresponding to the target device in each target security level assessment domain, are determined. The first correspondence comprises: a plurality of preset device categories, at least one security level assessment domain corresponding to each preset device category, and at least one security level assessment item corresponding to each preset device category in each security level assessment domain. The at least one security level assessment domain comprises at least one of an assessment domain of the device assessment dimension, an assessment domain of the network assessment dimension and an assessment domain of the system assessment dimension. According to the target device information, the at least one target security level assessment item corresponding to the target device in each target security level assessment domain, and a second correspondence, a target security level of the target device is determined.
The second correspondence comprises: a plurality of security level assessment items, a plurality of security levels corresponding to each security level assessment item, and a plurality of pieces of device information in one-to-one correspondence with the plurality of security levels. The target security level represents the degree of security of the target device.

In a possible implementation, the method further comprises: establishing a first sub-correspondence, which comprises a plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, a plurality of first security levels corresponding to each first security level assessment item, and a plurality of pieces of first device information in one-to-one correspondence with the plurality of first security levels; establishing a second sub-correspondence, which comprises a plurality of second security level assessment items corresponding to the assessment domain of the network assessment dimension, a plurality of second security levels corresponding to each second security level assessment item, and a plurality of pieces of second device information in one-to-one correspondence with the plurality of second security levels; establishing a third sub-correspondence, which comprises a plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, a plurality of third security levels corresponding to each third security level assessment item, and a plurality of pieces of third device information in one-to-one correspondence with the plurality of third security levels; and establishing the second correspondence from the first, second and third sub-correspondences.

In a possible implementation, establishing the first sub-correspondence comprises: obtaining the plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, namely integrity protection capability at device start-up, integrity protection capability at device runtime, secure cryptographic algorithm management capability, preset data protection capability, and identity authentication capability; and obtaining the plurality of pieces of first device information corresponding to each first security level assessment item. The first device information corresponding to integrity protection capability at device start-up comprises: software integrity verification at start-up, integrity and authenticity verification by digital signature at start-up, and zero-configuration provisioning at start-up. The first device information corresponding to integrity protection capability at device runtime comprises: software package integrity verification at upgrade, patch integrity verification at upgrade, and integrity and authenticity verification by digital signature at upgrade.
The first device information corresponding to secure cryptographic algorithm management capability comprises: preset cryptographic algorithm security strength, cryptographic algorithm alarm capability, multi-layer key protection capability, and hardware protection of the root key. The first device information corresponding to preset data protection capability comprises: first preset data protection capability, second preset data protection capability, and preset program protection capability, where the second preset data is of higher importance than the first preset data. The first device information corresponding to identity authentication capability comprises: user identification capability, user authentication capability, whether user authentication is performed when the user carries out a preset operation, and interface authentication capability. For any first security level assessment item, the plurality of first security levels corresponding to that item is determined from its plurality of pieces of first device information. The first sub-correspondence is then established from the first security level assessment items of the device assessment dimension, the first device information corresponding to each item, and the first security levels corresponding to each item.

In a possible implementation, establishing the second sub-correspondence comprises: obtaining the plurality of second security level assessment items corresponding to the assessment domain of the network assessment dimension, namely user authentication capability, attack protection capability, and link protection capability; and obtaining the plurality of pieces of second device information corresponding to each second security level assessment item. The second device information corresponding to user authentication capability comprises: support for remote authentication and authorization by a preset server, support for preset server group configuration, the ability to establish a secure channel, and support for command-line configuration dynamically issued by the preset server. The second device information corresponding to attack protection capability comprises: detection and scrubbing of first preset attack traffic, detection of a second preset attack, and detection of the first preset attack within seconds. The second device information corresponding to link protection capability comprises: port cyclic redundancy check (CRC) capability, optical transport network bit-error detection capability, and millisecond-level service switchover capability.
For any second security level assessment item, the plurality of second security levels corresponding to that item is determined from its plurality of pieces of second device information. The second sub-correspondence is then established from the second security level assessment items of the network assessment dimension, the second device information corresponding to each item, and the second security levels corresponding to each item.

In a possible implementation, establishing the third sub-correspondence comprises: obtaining the plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, namely intrusion detection capability, certificate management capability, and security configuration capability; and obtaining the plurality of pieces of third device information corresponding to each third security level assessment item. The third device information corresponding to intrusion detection capability comprises: detection of a third preset attack, detection of tampering with preset files, and detection of reverse-connection interface attack behaviour. The third device information corresponding to certificate management capability comprises: digital certificate import and update capability, digital certificate expiry warning capability, whether an interface for digital certificate import and update is provided, digital certificate integrity protection capability, and the ability to interface with a public key infrastructure (PKI) system. The third device information corresponding to security configuration capability comprises: service security configuration checking capability, manual repair of preset configuration capability, and repair of preset configuration capability. For any third security level assessment item, the plurality of third security levels corresponding to that item is determined from its plurality of pieces of third device information. The third sub-correspondence is then established from the third security level assessment items of the system assessment dimension, the third device information corresponding to each item, and the third security levels corresponding to each item.
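As an added worked example (not code from the patent or its assignees), the following Python models the first aspect above as two lookup tables: the first correspondence selects the assessment domains and items for a preset device category, and the second correspondence, assembled from the three sub-correspondences of the device, network and system dimensions, maps each item's reported device information to a security level. The device category names, the ascending ordering of each item's device information into levels 1..n, level 0 for an item whose reported information matches none of the listed entries, and taking the minimum over all assessed items as the target level are assumptions of this example; the description lists the correspondences but does not state how per-item levels combine.

```python
"""Two-stage security level lookup modelled on the first aspect of CN117879927A.

Added example, not code from the patent. The device categories, the ascending
ordering of device information into levels 1..n, level 0 for an item with no
matching device information, and taking the minimum over all assessed items
as the target level are all assumptions of this example.
"""
from typing import Dict, List, Optional, Tuple

# First correspondence: preset device category -> assessment domain -> items.
# The category names are constructed; the domains and items follow the description.
FIRST_CORRESPONDENCE: Dict[str, Dict[str, List[str]]] = {
    "access_router": {
        "device": ["boot_integrity", "runtime_integrity", "crypto_algorithm_mgmt",
                   "preset_data_protection", "identity_auth"],
        "network": ["user_auth", "attack_protection", "link_protection"],
        "system": ["intrusion_detection", "certificate_mgmt", "security_config"],
    },
    "embedded_sensor": {  # assessed in two dimensions only (assumption)
        "device": ["boot_integrity", "crypto_algorithm_mgmt", "identity_auth"],
        "system": ["security_config"],
    },
}

# Sub-correspondences: item -> device information, listed in ascending level
# order so that index + 1 is the security level (ordering is an assumption).
FIRST_SUB = {  # device assessment dimension
    "boot_integrity": ["software_integrity_check", "signature_authenticity_check",
                       "zero_config_start"],
    "runtime_integrity": ["package_integrity_check", "patch_integrity_check",
                          "upgrade_signature_check"],
    "crypto_algorithm_mgmt": ["preset_algorithm_strength", "algorithm_alarm",
                              "multi_layer_key_protection", "root_key_hardware_protection"],
    "preset_data_protection": ["first_preset_data_protection",
                               "second_preset_data_protection", "preset_program_protection"],
    "identity_auth": ["user_identification", "user_authentication",
                      "reauth_on_preset_operation", "interface_authentication"],
}
SECOND_SUB = {  # network assessment dimension
    "user_auth": ["remote_aaa_server", "server_group_config", "secure_channel",
                  "server_pushed_cli_config"],
    "attack_protection": ["first_attack_detect_and_scrub", "second_attack_detect",
                          "first_attack_detect_within_seconds"],
    "link_protection": ["port_crc", "otn_bit_error_detect", "millisecond_service_switch"],
}
THIRD_SUB = {  # system assessment dimension
    "intrusion_detection": ["third_attack_detect", "preset_file_tamper_detect",
                            "reverse_connection_attack_detect"],
    "certificate_mgmt": ["cert_import_update", "cert_expiry_warning",
                         "cert_import_interface", "cert_integrity_protection", "pki_integration"],
    "security_config": ["config_check", "manual_preset_config_repair", "preset_config_repair"],
}


def build_second_correspondence(*subs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Merge the sub-correspondences into the second correspondence, rejecting duplicate items."""
    merged: Dict[str, List[str]] = {}
    for sub in subs:
        for item, infos in sub.items():
            if item in merged:
                raise ValueError(f"assessment item defined twice: {item}")
            merged[item] = list(infos)
    return merged


SECOND_CORRESPONDENCE = build_second_correspondence(FIRST_SUB, SECOND_SUB, THIRD_SUB)


def select_assessment(category: str) -> Dict[str, List[str]]:
    """Category + first correspondence -> the domains and items to assess."""
    if category not in FIRST_CORRESPONDENCE:
        raise ValueError(f"unknown preset device category: {category}")
    return FIRST_CORRESPONDENCE[category]


def item_level(item: str, reported: Optional[str]) -> int:
    """Reported device information + second correspondence -> level for one item (0 if none matches)."""
    infos = SECOND_CORRESPONDENCE[item]
    return infos.index(reported) + 1 if reported in infos else 0


def determine_security_level(category: str, device_info: Dict[str, str]) -> Tuple[int, Dict[str, int]]:
    """Return (target security level, per-item levels); the target is the weakest assessed item."""
    per_item = {item: item_level(item, device_info.get(item))
                for items in select_assessment(category).values() for item in items}
    return (min(per_item.values()) if per_item else 0), per_item


# Constructed device information for a router whose link protection stops at port CRC.
SAMPLE_ROUTER_INFO = {
    "boot_integrity": "zero_config_start", "runtime_integrity": "upgrade_signature_check",
    "crypto_algorithm_mgmt": "root_key_hardware_protection",
    "preset_data_protection": "preset_program_protection", "identity_auth": "interface_authentication",
    "user_auth": "server_pushed_cli_config", "attack_protection": "first_attack_detect_within_seconds",
    "link_protection": "port_crc", "intrusion_detection": "reverse_connection_attack_detect",
    "certificate_mgmt": "pki_integration", "security_config": "preset_config_repair",
}

if __name__ == "__main__":
    level, detail = determine_security_level("access_router", SAMPLE_ROUTER_INFO)
    print(f"target security level: {level}")
    for item, lv in sorted(detail.items(), key=lambda kv: kv[1]):
        print(f"  {item:24s} level {lv}")
```

Running the sample gives a target level of 1 for the constructed router: every other item scores 3 or higher, but link protection reaches only the first listed entry, and the weakest-item rule makes that the device's level. Returning the per-item breakdown alongside the target is what makes the result actionable, since it shows which assessment item is holding the level down.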

In a second aspect, a security level determination apparatus is provided. The apparatus comprises an acquisition unit and a determination unit. The acquisition unit is configured to obtain a target device category and target device information of a target device, where the target device information comprises at least one of device information of the device assessment dimension, device information of the network assessment dimension and device information of the system assessment dimension. The determination unit is configured to determine, according to the target device category and a first correspondence, at least one target security level assessment domain corresponding to the target device and at least one target security level assessment item corresponding to the target device in each target security level assessment domain. The first correspondence comprises: a plurality of preset device categories, at least one security level assessment domain corresponding to each preset device category, and at least one security level assessment item corresponding to each preset device category in each security level assessment domain. The at least one security level assessment domain comprises at least one of an assessment domain of the device assessment dimension, an assessment domain of the network assessment dimension and an assessment domain of the system assessment dimension.
The determination unit is further configured to determine the target security level of the target device according to the target device information, the at least one target security level assessment item corresponding to the target device in each target security level assessment domain, and a second correspondence. The second correspondence comprises: a plurality of security level assessment items, a plurality of security levels corresponding to each security level assessment item, and a plurality of pieces of device information in one-to-one correspondence with the plurality of security levels. The target security level represents the degree of security of the target device.

In a possible implementation, the apparatus further comprises an establishing unit configured to: establish a first sub-correspondence, which comprises a plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, a plurality of first security levels corresponding to each first security level assessment item, and a plurality of pieces of first device information in one-to-one correspondence with the plurality of first security levels; establish a second sub-correspondence, which comprises a plurality of second security level assessment items corresponding to the assessment domain of the network assessment dimension, a plurality of second security levels corresponding to each second security level assessment item, and a plurality of pieces of second device information in one-to-one correspondence with the plurality of second security levels; establish a third sub-correspondence, which comprises a plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, a plurality of third security levels corresponding to each third security level assessment item, and a plurality of pieces of third device information in one-to-one correspondence with the plurality of third security levels; and establish the second correspondence from the first, second and third sub-correspondences.

In a possible implementation, the establishing unit is specifically configured to: obtain the plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, namely integrity protection capability at device start-up, integrity protection capability at device runtime, secure cryptographic algorithm management capability, preset data protection capability, and identity authentication capability; and obtain the plurality of pieces of first device information corresponding to each first security level assessment item. The first device information corresponding to integrity protection capability at device start-up comprises: software integrity verification at start-up, integrity and authenticity verification by digital signature at start-up, and zero-configuration provisioning at start-up. The first device information corresponding to integrity protection capability at device runtime comprises: software package integrity verification at upgrade, patch integrity verification at upgrade, and integrity and authenticity verification by digital signature at upgrade.
The first device information corresponding to secure cryptographic algorithm management capability comprises: preset cryptographic algorithm security strength, cryptographic algorithm alarm capability, multi-layer key protection capability, and hardware protection of the root key. The first device information corresponding to preset data protection capability comprises: first preset data protection capability, second preset data protection capability, and preset program protection capability, where the second preset data is of higher importance than the first preset data. The first device information corresponding to identity authentication capability comprises: user identification capability, user authentication capability, whether user authentication is performed when the user carries out a preset operation, and interface authentication capability. For any first security level assessment item, the establishing unit determines the plurality of first security levels corresponding to that item from its plurality of pieces of first device information, and then establishes the first sub-correspondence from the first security level assessment items of the device assessment dimension, the first device information corresponding to each item, and the first security levels corresponding to each item.

In a possible implementation, the establishing unit is specifically configured to: obtain the plurality of second security level assessment items corresponding to the assessment domain of the network assessment dimension, namely user authentication capability, attack protection capability, and link protection capability; and obtain the plurality of pieces of second device information corresponding to each second security level assessment item. The second device information corresponding to user authentication capability comprises: support for remote authentication and authorization by a preset server, support for preset server group configuration, the ability to establish a secure channel, and support for command-line configuration dynamically issued by the preset server. The second device information corresponding to attack protection capability comprises: detection and scrubbing of first preset attack traffic, detection of a second preset attack, and detection of the first preset attack within seconds. The second device information corresponding to link protection capability comprises: port cyclic redundancy check (CRC) capability, optical transport network bit-error detection capability, and millisecond-level service switchover capability. For any second security level assessment item, the establishing unit determines the plurality of second security levels corresponding to that item from its plurality of pieces of second device information.
It then establishes the second sub-correspondence from the second security level assessment items of the network assessment dimension, the second device information corresponding to each item, and the second security levels corresponding to each item.

In a possible implementation, the establishing unit is specifically configured to: obtain the plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, namely intrusion detection capability, certificate management capability, and security configuration capability; and obtain the plurality of pieces of third device information corresponding to each third security level assessment item. The third device information corresponding to intrusion detection capability comprises: detection of a third preset attack, detection of tampering with preset files, and detection of reverse-connection interface attack behaviour. The third device information corresponding to certificate management capability comprises: digital certificate import and update capability, digital certificate expiry warning capability, whether an interface for digital certificate import and update is provided, digital certificate integrity protection capability, and the ability to interface with a public key infrastructure (PKI) system. The third device information corresponding to security configuration capability comprises: service security configuration checking capability, manual repair of preset configuration capability, and repair of preset configuration capability.
For any third security level assessment item, the establishing unit determines the plurality of third security levels corresponding to that item from its plurality of pieces of third device information, and then establishes the third sub-correspondence from the third security level assessment items of the system assessment dimension, the third device information corresponding to each item, and the third security levels corresponding to each item.

In a third aspect, an electronic device is provided, comprising a processor and a memory for storing instructions executable by the processor, wherein the processor is configured to execute the instructions so as to implement the method of the first aspect or any of its possible implementations.

In a fourth aspect, a computer-readable storage medium is provided. When the instructions in the computer-readable storage medium are executed by the processor of an electronic device, the electronic device is enabled to perform the method of the first aspect or any of its possible implementations.

In a fifth aspect, a computer program product is provided. The computer program product comprises computer instructions which, when run on an electronic device, cause the electronic device to perform the method of the first aspect or any of its possible implementations.

The technical solution of the first aspect of the present application brings at least the following beneficial effects. The present application obtains the target device category and target device information of the target device, where the target device information comprises at least one of device information of the device assessment dimension, device information of the network assessment dimension and device information of the system assessment dimension. Then, according to the target device category and the first correspondence, at least one target security level assessment domain corresponding to the target device, and at least one target security level assessment item corresponding to the target device in each target security level assessment domain, are determined. The first correspondence comprises: a plurality of preset device categories, at least one security level assessment domain corresponding to each preset device category, and at least one security level assessment item corresponding to each preset device category in each security level assessment domain. The at least one security level assessment domain comprises at least one of an assessment domain of the device assessment dimension, an assessment domain of the network assessment dimension and an assessment domain of the system assessment dimension.
In this way, the target device category of the target device together with the first correspondence allow the at least one target security level assessment domain corresponding to the target device, and the at least one target security level assessment item corresponding to the target device in each such domain, to be determined efficiently.

进一步的,根据目标设备信息、目标设备在每个目标安全等级评估域对应的至少一个目标安全等级评估项和第二对应关系,确定目标设备的目标安全等级。其中,第二对应关系包括:多个安全等级评估项、每个安全等级评估项对应的多个安全等级、与多个安全等级一一对应的多个设备信息。目标安全等级用于表示目标设备的安全程度。这样,可以高效且准确的确定目标设备的安全程度。Further, the target security level of the target device is determined according to the target device information, at least one target security level assessment item corresponding to the target device in each target security level assessment domain, and the second corresponding relationship. The second corresponding relationship includes: multiple security level assessment items, multiple security levels corresponding to each security level assessment item, and multiple device information corresponding to the multiple security levels. The target security level is used to indicate the security level of the target device. In this way, the security level of the target device can be determined efficiently and accurately.

需要说明的是,第二方面至第五方面中的任一种实现方式所带来的技术效果可参见第一方面中对应实现方式所带来的技术效果,此处不再赘述。It should be noted that the technical effects brought about by any implementation method in the second to fifth aspects can refer to the technical effects brought about by the corresponding implementation method in the first aspect, and will not be repeated here.

应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本申请。It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present application.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings herein are incorporated into and constitute a part of this specification. They illustrate embodiments consistent with the present application and, together with the specification, serve to explain its principles; they do not unduly limit the present application.

FIG. 1 is a schematic structural diagram of a security level determination system according to an exemplary embodiment;

FIG. 2 is a flow chart of a security level determination method according to an exemplary embodiment;

FIG. 3 is a schematic diagram of a communication network classification according to an exemplary embodiment;

FIG. 4 is a schematic diagram of an example of security level determination according to an exemplary embodiment;

FIG. 5 is a flow chart of another security level determination method according to an exemplary embodiment;

FIG. 6 is a flow chart of another security level determination method according to an exemplary embodiment;

FIG. 7 is a flow chart of another security level determination method according to an exemplary embodiment;

FIG. 8 is a flow chart of another security level determination method according to an exemplary embodiment;

FIG. 9 is a block diagram of a security level determination apparatus according to an exemplary embodiment;

FIG. 10 is a block diagram of an electronic device according to an exemplary embodiment.

DETAILED DESCRIPTION

To help those of ordinary skill in the art better understand the technical solution of the present application, the technical solutions in its embodiments are described clearly and completely below with reference to the accompanying drawings.

It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present application distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so labelled may be interchanged where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.

Before the security level determination method provided by the present application is described in detail, the implementation environment (implementation architecture) it involves is briefly introduced.

The security level determination method provided by the embodiments of the present application can be applied to a security level determination system. FIG. 1 shows a schematic structural diagram of such a system. As shown in FIG. 1, the security level determination system 10 includes a security level determination apparatus 11 and an electronic device 12. The security level determination apparatus 11 is connected to the electronic device 12; the connection may be wired or wireless, which the embodiments of the present application do not limit.

The security level determination apparatus 11 can exchange data with the electronic device 12: for example, it receives the target device category and the target device information of a target device sent by the electronic device 12, and sends the target security level of the target device back to the electronic device 12.

The security level determination apparatus 11 can also process the acquired target device category and target device information. For example, according to the target device category and the first correspondence, it determines at least one target security level assessment domain for the target device and, within each target security level assessment domain, at least one target security level assessment item. The first correspondence includes: a plurality of preset device categories, at least one security level assessment domain for each preset device category, and at least one security level assessment item for each preset device category in each of its security level assessment domains. The at least one security level assessment domain includes at least one of: the assessment domain of the device assessment dimension, the assessment domain of the network assessment dimension, and the assessment domain of the system assessment dimension.

The security level determination apparatus 11 can further determine the target security level of the target device according to the target device information, the at least one target security level assessment item of the target device in each target security level assessment domain, and the second correspondence. The second correspondence includes: a plurality of security level assessment items, a plurality of security levels for each security level assessment item, and a plurality of pieces of device information in one-to-one correspondence with those security levels. The target security level indicates how secure the target device is.

The electronic device 12 can exchange data with the security level determination apparatus 11: for example, it sends the target device category and the target device information of the target device to the apparatus 11, and receives the target security level of the target device from it.

Optionally, the electronic device may be a physical machine, for example a terminal device such as a desktop computer, a mobile phone, a tablet computer, a laptop computer, an ultra-mobile personal computer (UMPC), a netbook or a personal digital assistant (PDA); it may also be a server, or a server cluster composed of multiple servers.

Optionally, the functions of the security level determination apparatus 11 may also be implemented by a virtual machine (VM) deployed on a physical machine.

It should be noted that the security level determination apparatus 11 and the electronic device 12 may be separate devices or may be integrated into one device; the present application does not specifically limit this.

When the security level determination apparatus 11 and the electronic device 12 are integrated into one device, communication between them is communication between internal modules of that device. In that case the communication flow between the two is the same as when they are separate devices.

In the following embodiments, the security level determination apparatus 11 and the electronic device 12 are described as separately deployed, by way of example.

For ease of understanding, the security level determination method provided by the present application is described in detail below with reference to the drawings.

FIG. 2 is a flow chart of a security level determination method according to an exemplary embodiment. The method may be applied to an electronic device, to a security level determination apparatus connected to the electronic device, or to a device similar to either of them. The method is described below taking its application to an electronic device as an example. As shown in FIG. 2, the security level determination method includes the following steps:

S201. The electronic device obtains the target device category and the target device information of a target device.

The target device information includes at least one of: device information in the device assessment dimension, device information in the network assessment dimension, and device information in the system assessment dimension.

By way of example, a communication network can be divided into a device layer, a network layer and a system layer. The device layer comprises the basic devices (for example routers and switches). To secure each device in this layer, the supply chain of the device must be secured, and capabilities such as tamper resistance and intrusion prevention are realised through technical means such as secure boot, data confidentiality protection, resilient recovery and single-domain security. The network layer comprises a number of networks. To secure each network in this layer, technical means such as routing security, traffic encryption and network protection are used to predict traffic paths and to query historical traffic behaviour, so that non-compliant traffic cannot spread laterally; this yields networks whose traffic paths and traffic behaviour are deterministic. By networking technology, these networks can be divided into native Internet Protocol (IP) networks, Multi-Protocol Label Switching (MPLS) networks, Ethernet virtual private network (EVPN) networks, and segment routing over IPv6 (SRv6) networks built on the Internet Protocol version 6 (IPv6) forwarding plane. The system layer comprises a number of systems. By collecting security data such as traffic, security logs, alarm data, files and asset data, and performing security analysis across the whole domain, abnormal behaviour can be identified; handling that behaviour promptly prevents the risk from spreading, minimises security losses, and realises integrated, intelligent security defence for the network.

FIG. 3 provides a schematic diagram of a communication network classification. As shown in FIG. 3, the communication network comprises a device layer, a network layer and a system layer. The device layer includes access routers, aggregation routers, core routers and security devices. The network layer includes metropolitan area networks, backbone networks and Internet data centres (IDCs). The system layer includes controllers.

By way of example, since the communication network can be divided into a device layer, a network layer and a system layer, the security of a device can be determined through the device assessment dimension, the network assessment dimension and the system assessment dimension.

S202. The electronic device determines, according to the target device category and the first correspondence, at least one target security level assessment domain for the target device and, within each target security level assessment domain, at least one target security level assessment item.

The first correspondence includes: a plurality of preset device categories, at least one security level assessment domain for each preset device category, and at least one security level assessment item for each preset device category in each of its security level assessment domains. The at least one security level assessment domain includes at least one of: the assessment domain of the device assessment dimension, the assessment domain of the network assessment dimension, and the assessment domain of the system assessment dimension.

As one possible implementation, the electronic device obtains the plurality of preset device categories and, for each preset device category, determines its at least one security level assessment domain and its at least one security level assessment item in each of those domains, thereby constructing the first correspondence.

Then, according to the target device category and the first correspondence, the electronic device determines the at least one target security level assessment domain of the target device and the at least one target security level assessment item in each of them.

By way of example, the first correspondence may be as shown in Table 1 below:

Table 1  The first correspondence

  Preset device category   Security level assessment domain      Security level assessment item(s)
  ----------------------   ---------------------------------     ----------------------------------------------
  category 1               device assessment dimension           device security level assessment items 1 and 2
  category 2               device assessment dimension           device security level assessment item 3
                           system assessment dimension           system security level assessment item 1
  category 3               network assessment dimension          network security level assessment item 1
                           system assessment dimension           system security level assessment items 1 and 2
  category 4               network assessment dimension          network security level assessment item 2
  category 5               device assessment dimension           device security level assessment item 3
                           network assessment dimension          network security level assessment item 3
                           system assessment dimension           system security level assessment item 3

As shown in Table 1, the security level assessment domain of preset device category 1 is the assessment domain of the device assessment dimension, and its security level assessment items in that domain are device security level assessment item 1 and device security level assessment item 2. The security level assessment domains of preset device category 2 are the assessment domains of the device and system assessment dimensions; its item in the device domain is device security level assessment item 3, and its item in the system domain is system security level assessment item 1. The security level assessment domains of preset device category 3 are the assessment domains of the network and system assessment dimensions; its item in the network domain is network security level assessment item 1, and its items in the system domain are system security level assessment item 1 and system security level assessment item 2.

The security level assessment domain of preset device category 4 is the assessment domain of the network assessment dimension, and its item there is network security level assessment item 2. The security level assessment domains of preset device category 5 are the assessment domains of the device, network and system assessment dimensions; its items are device security level assessment item 3, network security level assessment item 3 and system security level assessment item 3 respectively.

By way of example, if the target device category of the target device is preset device category 2, the electronic device determines from preset device category 2 and the first correspondence of Table 1 that the target security level assessment domains of the target device are the assessment domains of the device and system assessment dimensions, that its target security level assessment item in the device domain is device security level assessment item 3, and that its target security level assessment item in the system domain is system security level assessment item 1.

S203. The electronic device determines the target security level of the target device according to the target device information, the at least one target security level assessment item of the target device in each target security level assessment domain, and the second correspondence.

The second correspondence includes: a plurality of security level assessment items, a plurality of security levels for each security level assessment item, and a plurality of pieces of device information in one-to-one correspondence with those security levels. The target security level indicates how secure the target device is.

As one possible implementation, the electronic device obtains the plurality of security level assessment items. It then obtains the pieces of device information belonging to each security level assessment item, determines the security levels from them, and so constructs the second correspondence.

Next, the electronic device determines the target security level of the target device according to the target device information, the at least one target security level assessment item in each target security level assessment domain, and the second correspondence.

By way of example, the second correspondence may be as shown in Table 2 below:

Table 2  The second correspondence

By way of example, suppose the target security level assessment domains of the target device are the assessment domains of the device and system assessment dimensions, the target security level assessment item in the device domain is device security level assessment item 3, the target security level assessment item in the system domain is system security level assessment item 1, and the target device information consists of device information 32 in the device assessment dimension and device information 12 in the system assessment dimension. The electronic device then looks up, in the second correspondence, device information 32 under device security level assessment item 3 and device information 12 under system security level assessment item 1, and determines the target security level of the target device to be device security level 32 and system security level 12.

FIG. 4 provides a schematic diagram of an example of security level determination. As shown in FIG. 4, the electronic device determines from the target device category that the target security level assessment domains of the target device are the assessment domains of the device and network assessment dimensions, that its target security level assessment items in the device domain are device security level assessment items 1 and 2, and that its target security level assessment items in the network domain are network security level assessment items 1 and 2.

It can be understood that the present application obtains the target device category and the target device information of the target device, where the target device information includes at least one of: device information in the device assessment dimension, device information in the network assessment dimension, and device information in the system assessment dimension. Then, according to the target device category and the first correspondence, it determines at least one target security level assessment domain for the target device and at least one target security level assessment item in each of them. The first correspondence includes: a plurality of preset device categories, at least one security level assessment domain for each preset device category, and at least one security level assessment item for each preset device category in each of its security level assessment domains; the at least one security level assessment domain includes at least one of the assessment domains of the device, network and system assessment dimensions. In this way, the target device category and the first correspondence allow the target security level assessment domains of the target device, and the target security level assessment items in each of them, to be determined efficiently.

Further, the target security level of the target device is determined according to the target device information, the at least one target security level assessment item in each target security level assessment domain, and the second correspondence, which includes a plurality of security level assessment items, a plurality of security levels for each item, and a plurality of pieces of device information in one-to-one correspondence with those security levels. The target security level indicates how secure the target device is. In this way, the security of the target device can be determined efficiently and accurately.
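The two-stage lookup of steps S201 to S203 is small enough to state as code. The following is an added example and not code from the application: it encodes the first correspondence exactly as Table 1 describes it, builds the second correspondence from per-dimension sub-correspondences of the kind S301 and S302 construct, and evaluates a target device of preset device category 2 with device information 32 and system device information 12, reproducing the result device security level 32 and system security level 12 from the text. Everything else is an assumption of the example: the string labels, the function names, the constructed rows of the sub-correspondences that the text does not specify, the choice to treat each dimension's device information as a single value that every assessment item of that dimension is evaluated against, and the decision to raise an error rather than assign a level when a category, dimension or piece of device information is not in the tables. The last point is the check a practitioner wants: a device that cannot be assessed must not silently come out as "secure".

```python
"""Two-stage security level lookup (first correspondence, then second correspondence).

Added example; not the applicant's code. Table 1 rows follow the text; in the
sub-correspondences only "device information 32 -> device security level 32"
(device item 3) and "device information 12 -> system security level 12"
(system item 1) come from the text, every other row is constructed.
"""
from typing import Dict, List, Mapping

DEVICE, NETWORK, SYSTEM = "device", "network", "system"

# First correspondence (Table 1):
#   preset device category -> {assessment domain: [assessment items in that domain]}
FIRST_CORRESPONDENCE: Dict[str, Dict[str, List[str]]] = {
    "category 1": {DEVICE: ["device item 1", "device item 2"]},
    "category 2": {DEVICE: ["device item 3"], SYSTEM: ["system item 1"]},
    "category 3": {NETWORK: ["network item 1"], SYSTEM: ["system item 1", "system item 2"]},
    "category 4": {NETWORK: ["network item 2"]},
    "category 5": {DEVICE: ["device item 3"], NETWORK: ["network item 3"], SYSTEM: ["system item 3"]},
}

# Sub-correspondences, one per assessment dimension (cf. S301 and S302):
#   assessment item -> {device information: security level}
DEVICE_SUB: Dict[str, Dict[str, str]] = {
    "device item 1": {"device info 11": "device level 11", "device info 12": "device level 12"},  # constructed
    "device item 2": {"device info 21": "device level 21", "device info 22": "device level 22"},  # constructed
    "device item 3": {"device info 31": "device level 31", "device info 32": "device level 32"},  # 32 from text
}
NETWORK_SUB: Dict[str, Dict[str, str]] = {
    "network item 1": {"network info 11": "network level 11", "network info 12": "network level 12"},  # constructed
    "network item 2": {"network info 21": "network level 21", "network info 22": "network level 22"},  # constructed
    "network item 3": {"network info 31": "network level 31", "network info 32": "network level 32"},  # constructed
}
SYSTEM_SUB: Dict[str, Dict[str, str]] = {
    "system item 1": {"system info 11": "system level 11", "system info 12": "system level 12"},  # 12 from text
    "system item 2": {"system info 21": "system level 21", "system info 22": "system level 22"},  # constructed
    "system item 3": {"system info 31": "system level 31", "system info 32": "system level 32"},  # constructed
}


def merge_sub_correspondences(*subs: Mapping[str, Mapping[str, str]]) -> Dict[str, Dict[str, str]]:
    """Second correspondence = union of the per-dimension sub-correspondences.

    An item name appearing in two sub-correspondences would make one table
    silently overwrite the other, so it is rejected instead of merged.
    """
    merged: Dict[str, Dict[str, str]] = {}
    for sub in subs:
        for item, rows in sub.items():
            if item in merged:
                raise ValueError(f"assessment item {item!r} is defined in more than one sub-correspondence")
            merged[item] = dict(rows)
    return merged


SECOND_CORRESPONDENCE = merge_sub_correspondences(DEVICE_SUB, NETWORK_SUB, SYSTEM_SUB)


def validate_second_correspondence(second: Mapping[str, Mapping[str, str]]):
    """The text requires device information and security levels to correspond
    one-to-one within an item. Return (item, earlier info, later info, level)
    for every pair of device information values that share a level."""
    problems = []
    for item, rows in second.items():
        seen: Dict[str, str] = {}
        for info, level in rows.items():
            if level in seen:
                problems.append((item, seen[level], info, level))
            seen[level] = info
    return problems


def determine_security_level(category: str, target_info: Mapping[str, str],
                             first=FIRST_CORRESPONDENCE, second=SECOND_CORRESPONDENCE) -> Dict[str, Dict[str, str]]:
    """S202 then S203. target_info maps an assessment dimension to the device
    information collected for it. Result: {dimension: {assessment item: security level}}.

    Fail closed: an unknown category, a dimension with no device information, or
    device information not listed under an item raises instead of yielding a level.
    Device information for dimensions the category is not assessed in is ignored.
    """
    if category not in first:
        raise ValueError(f"unknown preset device category {category!r}")
    result: Dict[str, Dict[str, str]] = {}
    for domain, items in first[category].items():  # S202: domains and items for this category
        if domain not in target_info:
            raise ValueError(f"no device information supplied for the {domain} assessment dimension")
        info = target_info[domain]
        for item in items:  # S203: look each item up in the second correspondence
            rows = second.get(item, {})
            if info not in rows:
                raise ValueError(f"{info!r} is not a listed device information value for {item!r}")
            result.setdefault(domain, {})[item] = rows[info]
    return result


if __name__ == "__main__":
    print(validate_second_correspondence(SECOND_CORRESPONDENCE))
    print(determine_security_level("category 2", {DEVICE: "device info 32", SYSTEM: "system info 12"}))
```

The one-to-one check is worth running whenever the tables are edited: if two device information values under one item map to the same level, the reverse lookup the text relies on ("multiple device information in one-to-one correspondence with the multiple security levels") is no longer well defined, and the validation reports exactly which rows collide.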

在一些实施例中,为了构建第二对应关系,如图5所示,本申请实施例提供的安全等级确定方法还包括:In some embodiments, in order to construct the second corresponding relationship, as shown in FIG5 , the security level determination method provided in the embodiment of the present application further includes:

S301、电子设备建立第一子对应关系。S301: The electronic device establishes a first sub-correspondence relationship.

其中,第一子对应关系包括:设备评估维度的评估域对应的多个第一安全等级评估项、每个第一安全等级评估项对应的多个第一安全等级、与多个第一安全等级一一对应的多个第一设备信息。Among them, the first sub-correspondence includes: multiple first security level evaluation items corresponding to the evaluation domain of the equipment evaluation dimension, multiple first security levels corresponding to each first security level evaluation item, and multiple first equipment information corresponding one-to-one to the multiple first security levels.

作为一种可能的实现方式,电子设备获取设备评估维度的评估域对应的多个第一安全等级评估项,以及每个第一安全等级评估项对应的多个第一设备信息。之后,电子设备根据任一第一安全等级评估项对应的多个第一设备信息,确定任一第一安全等级评估项对应的多个第一安全等级。As a possible implementation, the electronic device obtains multiple first security level assessment items corresponding to the assessment domain of the device assessment dimension, and multiple first device information corresponding to each first security level assessment item. Afterwards, the electronic device determines multiple first security levels corresponding to any first security level assessment item based on the multiple first device information corresponding to any first security level assessment item.

进一步的,电子设备根据设备评估维度的评估域对应的多个第一安全等级评估项、任一第一安全等级评估项对应的多个第一设备信息和任一第一安全等级评估项对应的多个第一安全等级,建立第一子对应关系。Furthermore, the electronic device establishes a first sub-correspondence relationship based on multiple first security level assessment items corresponding to the assessment domain of the device assessment dimension, multiple first device information corresponding to any first security level assessment item, and multiple first security levels corresponding to any first security level assessment item.

示例性的,第一子对应关系可以如下表3所示:Exemplarily, the first sub-correspondence relationship may be as shown in Table 3 below:

表3第一子对应关系Table 3 First sub-correspondence

此步骤的具体实现方式,可以参照本申请实施例的后续描述,此处不再进行赘述。For the specific implementation method of this step, please refer to the subsequent description of the embodiments of the present application, which will not be repeated here.

S302: The electronic device establishes a second sub-correspondence.

The second sub-correspondence includes: the second security level assessment items corresponding to the assessment domain of the network assessment dimension, the second security levels corresponding to each second security level assessment item, and the second device information corresponding one-to-one to those second security levels.

As a possible implementation, the electronic device obtains the second security level assessment items corresponding to the assessment domain of the network assessment dimension, and the second device information corresponding to each second security level assessment item. The electronic device then determines, from the second device information corresponding to any second security level assessment item, the second security levels corresponding to that second security level assessment item.

Further, the electronic device establishes the second sub-correspondence from the second security level assessment items corresponding to the assessment domain of the network assessment dimension, the second device information corresponding to any second security level assessment item, and the second security levels corresponding to any second security level assessment item.

By way of example, the second sub-correspondence may be as shown in Table 4 below:

Table 4 Second sub-correspondence

For the specific implementation of this step, refer to the subsequent description of the embodiments of the present application; it is not repeated here.

S303: The electronic device establishes a third sub-correspondence.

The third sub-correspondence includes: the third security level assessment items corresponding to the assessment domain of the system assessment dimension, the third security levels corresponding to each third security level assessment item, and the third device information corresponding one-to-one to those third security levels.

As a possible implementation, the electronic device obtains the third security level assessment items corresponding to the assessment domain of the system assessment dimension, and the third device information corresponding to each third security level assessment item. The electronic device then determines, from the third device information corresponding to any third security level assessment item, the third security levels corresponding to that third security level assessment item.

Further, the electronic device establishes the third sub-correspondence from the third security level assessment items corresponding to the assessment domain of the system assessment dimension, the third device information corresponding to any third security level assessment item, and the third security levels corresponding to any third security level assessment item.

By way of example, the third sub-correspondence may be as shown in Table 5 below:

Table 5 Third sub-correspondence

For the specific implementation of this step, refer to the subsequent description of the embodiments of the present application; it is not repeated here.

S304: The electronic device establishes a second correspondence from the first sub-correspondence, the second sub-correspondence and the third sub-correspondence.

It will be understood that the first sub-correspondence determines the security level of the communication device from the device assessment dimension, the second sub-correspondence from the network assessment dimension, and the third sub-correspondence from the system assessment dimension. The second correspondence constructed from the three sub-correspondences therefore covers the assessment domains of the device assessment dimension, the network assessment dimension and the system assessment dimension.

In some embodiments, to establish the first sub-correspondence, as shown in FIG. 6, S301 above may be implemented as follows:

S401: The electronic device obtains the first security level assessment items corresponding to the assessment domain of the device assessment dimension.

The first security level assessment items include: integrity protection capability at device start-up, integrity protection capability at device run time, secure cryptographic algorithm management capability, preset data protection capability, and identity authentication capability.

S402: The electronic device obtains the first device information corresponding to each first security level assessment item.

The first device information corresponding to the integrity protection capability at device start-up includes: software integrity verification capability at start-up, capability to verify integrity and authenticity by digital signature at start-up, and zero-touch provisioning capability at start-up. The first device information corresponding to the integrity protection capability at device run time includes: software package integrity verification capability at upgrade, patch integrity verification capability at upgrade, and capability to verify integrity and authenticity by digital signature at upgrade. The first device information corresponding to the secure cryptographic algorithm management capability includes: preset cryptographic algorithm security strength, cryptographic algorithm alarm capability, multi-layer key protection capability, and root key hardware protection capability. The first device information corresponding to the preset data protection capability includes: first preset data protection capability, second preset data protection capability, and preset program protection capability, where the second preset data is of higher importance than the first preset data. The first device information corresponding to the identity authentication capability includes: user identity identification capability, user identity authentication capability, whether user identity authentication is performed when the user executes a preset operation, and interface authentication capability.

S403: The electronic device determines the first security levels corresponding to any first security level assessment item from the first device information corresponding to that first security level assessment item.

As a possible implementation, the electronic device determines the first security levels corresponding to the integrity protection capability at start-up from the software integrity verification capability at start-up, the capability to verify integrity and authenticity by digital signature at start-up, and the zero-touch provisioning capability at start-up. It determines the first security levels corresponding to the integrity protection capability at run time from the software package integrity verification capability at upgrade, the patch integrity verification capability at upgrade, and the capability to verify integrity and authenticity by digital signature at upgrade.

The electronic device determines the first security levels corresponding to the secure cryptographic algorithm management capability from the preset cryptographic algorithm security strength, the cryptographic algorithm alarm capability, the multi-layer key protection capability and the root key hardware protection capability. It determines the first security levels corresponding to the preset data protection capability from the first preset data protection capability, the second preset data protection capability and the preset program protection capability. It determines the first security levels corresponding to the identity authentication capability from the user identity identification capability, the user identity authentication capability, whether user identity authentication is performed when the user executes a preset operation, and the interface authentication capability.

S404: The electronic device establishes the first sub-correspondence from the first security level assessment items corresponding to the assessment domain of the device assessment dimension, the first device information corresponding to any first security level assessment item, and the first security levels corresponding to any first security level assessment item.

By way of example, the first sub-correspondence may also be as shown in Table 6 below:

Table 6 First sub-correspondence

In practical application, where the integrity protection capability at device start-up is at first security level 2, the corresponding first device information is: software integrity verification capability at start-up, and the capability, starting from a hardware root of trust, to verify the integrity and authenticity of each stage of software on the boot chain by digital signature. Where the integrity protection capability at device start-up is at first security level 3, the corresponding first device information further includes: secure zero touch provisioning (SZTP) capability and measured boot capability. Where the integrity protection capability at device run time is at first security level 4, the corresponding first device information is: capability to verify the integrity and authenticity of software packages by digital signature at upgrade, capability to verify the integrity and authenticity of patches by digital signature at upgrade, and a downgrade alarm message at software installation; the alarm message may be a log message or an alarm message visible to the administrator.

The preset strength may be 120 bits. Cryptographic algorithm alarm capability means that a security prompt or alarm is raised when an insecure cryptographic algorithm or protocol is configured. Multi-layer key protection capability means that keys are managed under a hierarchical protection scheme; the key hierarchy is recommended to have three layers and must have at least two. For example: a root key, a key encryption key and a working key, where the root key provides encryption protection for the key encryption key and the key encryption key provides encryption protection for the working key. Where the secure cryptographic algorithm management capability is at first security level 5, the corresponding first device information is: the security strength of the preset cryptographic algorithms is greater than or equal to the preset strength, cryptographic algorithm alarm capability, multi-layer key protection capability, root key hardware protection capability, and resistance to quantum attacks.

The first preset data may be sensitive data stored in the device (for example private keys or passwords), the second preset data may be critical data (for example logs, configuration files or digital certificates), and the preset program may be critical firmware.

Where the identity authentication capability is at first security level 1, the corresponding first device information further includes: the identity authentication information is disclosed to the user, user identifiers are unique, capability to change the default password when the device is first administered, capability to set a password when the device is first administered, support for random initial passwords, support for configuring a password lifetime, password complexity checking when password authentication is used, masked (ciphertext) display of the password entered by the user when password authentication is used, idle-timeout locking of logged-in users, and support for an automatic logout security policy. The password complexity check covers whether the password is at least 8 characters long and whether it contains at least 2 different character types.

An interface may be an interface through which the system is managed (for example a human-machine interface, or a machine-machine interface that crosses trust networks) or a physical interface visible from outside the device through which the system can be managed (for example a serial port, a universal serial bus (USB) port or a management network port); the mechanism for authenticating the interface may be the authentication mechanism of a standard protocol. Where the identity authentication capability is at first security level 3, the corresponding first device information further includes: hard-coded accounts or authentication credentials for logging into the device are disabled, and multi-factor authentication is supported. Where the identity authentication capability is at first security level 4, the corresponding first device information includes: capability to identify and alarm on security risks in user identification and authentication, and capability to remediate them.
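The password complexity check, the 120-bit preset algorithm strength with its alarm, and the layered key hierarchy described above are the kind of first device information an assessment tool must derive from raw device facts before any level can be looked up. The Python below is an added example and is not code from the patent or its applicants; the per-algorithm security-strength figures follow NIST SP 800-57 and are an assumption here, as are all function and field names and the sample facts.

```python
"""Evaluators that turn raw device facts into first-device-information flags.

Added example, not part of the patent. The three checks mirror the text:
  - password complexity: length >= 8 and at least 2 character classes
  - algorithm strength: every configured algorithm >= 120 bits (preset strength),
    with an alarm for anything weaker or unrated
  - multi-layer key protection: a single root key and a chain depth >= 2
"""
from __future__ import annotations

import string

PRESET_STRENGTH_BITS = 120

# Assumed security strength in bits (NIST SP 800-57 Part 1); not from the patent.
SECURITY_BITS = {
    "RSA-1024": 80, "RSA-2048": 112, "RSA-3072": 128,
    "ECDSA-P256": 128, "ECDSA-P384": 192,
    "3DES": 112, "AES-128": 128, "AES-256": 256,
    "MD5": 0, "SHA-1": 80, "SHA-256": 128, "SHA-384": 192,
}


def password_complexity_ok(pw: str) -> bool:
    """Length >= 8 and at least two different character types present."""
    lower = any(c in string.ascii_lowercase for c in pw)
    upper = any(c in string.ascii_uppercase for c in pw)
    digit = any(c in string.digits for c in pw)
    other = any(c not in string.ascii_letters + string.digits for c in pw)
    return len(pw) >= 8 and sum((lower, upper, digit, other)) >= 2


def algorithm_alarms(configured: list[str], threshold: int = PRESET_STRENGTH_BITS) -> list[str]:
    """One alarm line per configured algorithm below the threshold.
    Unrated algorithms are alarmed too: an evaluator must not silently pass them."""
    alarms = []
    for name in configured:
        bits = SECURITY_BITS.get(name)
        if bits is None:
            alarms.append(f"ALARM unrated algorithm {name}: strength unknown")
        elif bits < threshold:
            alarms.append(f"ALARM weak algorithm {name}: {bits} bits < {threshold}")
    return alarms


def key_hierarchy_ok(hierarchy: dict[str, str | None]) -> bool:
    """hierarchy maps each key name to the key that wraps it (None for the root).
    Requires exactly one root, no dangling or cyclic wrapping, and depth >= 2
    (the text: at least two layers, three recommended)."""
    if any(p is not None and p not in hierarchy for p in hierarchy.values()):
        return False                      # wrapped by a key that does not exist
    if sum(p is None for p in hierarchy.values()) != 1:
        return False                      # exactly one root key

    def depth(k: str) -> int:
        seen = set()
        while hierarchy[k] is not None:
            if k in seen:
                return 0                  # cycle: malformed hierarchy
            seen.add(k)
            k = hierarchy[k]
        return len(seen) + 1

    depths = [depth(k) for k in hierarchy]
    return 0 not in depths and max(depths) >= 2


def evaluate_device(facts: dict) -> dict[str, bool]:
    """Map raw facts to the flags consumed by the secure-cryptographic-algorithm
    and identity-authentication assessment items."""
    return {
        "password_complexity_check": password_complexity_ok(facts["initial_password"]),
        "preset_algorithm_strength": not algorithm_alarms(facts["algorithms"]),
        "algorithm_alarm": facts["alarm_on_weak_algorithm"],
        "multi_layer_key_protection": key_hierarchy_ok(facts["key_hierarchy"]),
        "root_key_hardware_protected": facts["root_key_in_hardware"],
    }


# Constructed facts for a router under assessment (illustrative, not from the patent).
SAMPLE_FACTS = {
    "initial_password": "Tr0ub4dor!",
    "algorithms": ["AES-256", "RSA-2048", "SHA-256"],
    "alarm_on_weak_algorithm": True,
    "key_hierarchy": {"root": None, "kek": "root", "work": "kek"},
    "root_key_in_hardware": True,
}

if __name__ == "__main__":
    for line in algorithm_alarms(SAMPLE_FACTS["algorithms"]):
        print(line)
    print(evaluate_device(SAMPLE_FACTS))
```

Note that the sample device fails the preset strength check: RSA-2048 rates at 112 bits, below the 120-bit threshold, so the evaluator raises an alarm for it even though AES-256 and SHA-256 pass. A device whose alarm capability is configured but whose algorithm list contains such an entry meets the alarm requirement and not the strength requirement, and the two flags are kept separate for that reason.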

In practical application, the assessment domains of the device assessment dimension include: an integrity protection subdomain, a data protection subdomain, a user authentication subdomain, a network element situational awareness subdomain and a resilience recovery subdomain. The security level assessment items corresponding to the integrity protection subdomain include: integrity protection capability at device start-up and integrity protection capability at device run time. The security level assessment items corresponding to the data protection subdomain include: secure cryptographic algorithm management capability and preset data protection capability. The security level assessment items corresponding to the user authentication subdomain include: access permission minimization capability and identity authentication capability. The security level assessment item corresponding to the network element situational awareness subdomain is: security audit capability. The security level assessment item corresponding to the resilience recovery subdomain is: security isolation capability.

It will be understood that the first sub-correspondence determines the security level of the communication device from the device assessment dimension, which facilitates efficient establishment of the second correspondence later.

In some embodiments, to establish the second sub-correspondence, as shown in FIG. 7, S302 above may be implemented as follows:

S501: The electronic device obtains the second security level assessment items corresponding to the assessment domain of the network assessment dimension.

The second security level assessment items include: user authentication capability, attack protection capability and link protection capability.

S502: The electronic device obtains the second device information corresponding to each second security level assessment item.

The second device information corresponding to the user authentication capability includes: support for remote authentication and authorization by a preset server, support for configuring preset server groups, capability to establish a secure channel, and support for dynamic delivery of command-line configuration by the preset server. The second device information corresponding to the attack protection capability includes: capability to detect and scrub first preset attack traffic, capability to detect the second preset attack, and capability to detect the first preset attack within seconds. The second device information corresponding to the link protection capability includes: port cyclic redundancy check capability, optical transport network bit error detection capability, and millisecond-level service switching capability.

S503: The electronic device determines the second security levels corresponding to any second security level assessment item from the second device information corresponding to that second security level assessment item.

As a possible implementation, the electronic device determines the second security levels corresponding to the user authentication capability from the support for remote authentication and authorization by a preset server, the support for configuring preset server groups, the capability to establish a secure channel, and the support for dynamic delivery of command-line configuration by the preset server. It determines the second security levels corresponding to the attack protection capability from the capability to detect and scrub first preset attack traffic, the capability to detect the second preset attack, and the capability to detect the first preset attack within seconds. It determines the second security levels corresponding to the link protection capability from the port cyclic redundancy check capability, the optical transport network bit error detection capability, and the millisecond-level service switching capability.

S504: The electronic device establishes the second sub-correspondence from the second security level assessment items corresponding to the assessment domain of the network assessment dimension, the second device information corresponding to any second security level assessment item, and the second security levels corresponding to any second security level assessment item.

By way of example, the second sub-correspondence may also be as shown in Table 7 below:

Table 7 Second sub-correspondence

In practical application, the preset server may be a remote authentication dial in user service (RADIUS) server. Where the user authentication capability is at second security level 2, the corresponding second device information further includes: capability to probe the availability of the preset server, and capability to switch servers. Where the user authentication capability is at second security level 3, the corresponding second device information further includes: capability to protect authentication information with a shared key. Where the user authentication capability is at second security level 5, the corresponding second device information includes: support for interworking with preset server attributes. Support for preset server attribute interworking may be implemented by secondary development based on third-party scripts; the capability to establish a secure channel means that a secure channel (for example internet protocol security (IPsec) or datagram transport layer security (DTLS)) can be established between the device and the server; and support for dynamic delivery of command-line configuration by the preset server may be support for RADIUS dynamically delivering access control lists (ACLs) and command-line configuration.

The first preset attack may be a dual-stack distributed denial of service (DDoS) attack, and the second preset attack may be a SYN flood attack, a Ping flood attack, a hypertext transfer protocol secure (HTTPS) flood attack, a session initiation protocol (SIP) flood attack or a domain name system (DNS) flood attack. Where the attack protection capability is at second security level 3, the corresponding second device information further includes: capability to keep hypertext transfer protocol (HTTP) request services operating normally while the first preset attack is under way.

Where the link protection capability is at second security level 1, the corresponding second device information further includes: capability to detect the raw bit error rate on the optical path. Where it is at second security level 2, the corresponding second device information further includes: capability to present pre-correction and post-correction bit errors. Where it is at second security level 3, the corresponding second device information further includes: capability to constrain SRv6 path computation by forward error correction (FEC), cyclic redundancy check (CRC) and packet loss rate, and capability to combine and tune multiple factors in SRv6 path computation. Where it is at second security level 4, the corresponding second device information includes: microsecond-level service switching on link failure. Port cyclic redundancy check capability may be support for CRC checking; optical transport network bit error detection capability may be support for optical transport network (OTN) bit error detection.

In practical application, the assessment domains of the network assessment dimension include: a user authentication subdomain, an attack packet defence subdomain, an Ethernet service subdomain, an IP routing subdomain, an IP service subdomain, an SRv6 service subdomain, an IP multicast subdomain, an MPLS subdomain, a protocol subdomain, an interface and link subdomain, and a network resilience subdomain. The security level assessment items corresponding to the user authentication subdomain include: user authentication capability and terminal access controller access control system (TACACS+) capability. The security level assessment items corresponding to the attack packet defence subdomain include: transmission control protocol (TCP) attack defence capability, IP attack defence capability, unicast reverse path forwarding (URPF) capability and attack protection capability. The security level assessment items corresponding to the Ethernet service subdomain include: media access control (MAC) security capability and link layer discovery protocol (LLDP) security capability.

The security level assessment items corresponding to the IP routing subdomain include: intermediate system to intermediate system (IS-IS) security capability, open shortest path first (OSPF) security capability and border gateway protocol (BGP) security capability. The security level assessment items corresponding to the IP service subdomain include: internet protocol version 4 (IPv4) basic service security capability and IPv6 basic service security capability. The security level assessment item corresponding to the SRv6 service subdomain is: SRv6 security capability. The security level assessment item corresponding to the IP multicast subdomain is: protocol independent multicast (PIM) security capability. The security level assessment item corresponding to the MPLS subdomain is: label distribution protocol (LDP) security capability. The security level assessment items corresponding to the protocol subdomain include: secure shell (SSH) security capability, IPsec capability, transport layer security (TLS) capability and attack protection capability. The security level assessment item corresponding to the interface and link subdomain is: link protection capability. The security level assessment items corresponding to the network resilience subdomain include: IP fast reroute (FRR) capability, traffic engineering (TE) FRR capability and virtual private network (VPN) FRR capability.

The second device information corresponding to the IPv4 basic service security capability includes: support for the address resolution protocol (ARP). The second device information corresponding to the IPv6 basic service security capability includes: support for neighbor discovery (ND) and support for the source address validation architecture (SAVA). The second device information corresponding to the TLS capability includes: capability to protect the confidentiality of inter-application communication above the transport layer with TLS, and capability to protect it with DTLS. The second device information corresponding to the IP FRR capability includes: support, in combination with FRR and bidirectional forwarding detection (BFD), for convergence in less than 100 milliseconds (ms). The second device information corresponding to the TE FRR capability includes: support, in combination with FRR and BFD, for convergence in less than 100 ms. The second device information corresponding to the VPN FRR capability includes: support, in combination with FRR and BFD, for convergence in less than 100 ms.

It will be understood that the second sub-correspondence determines the security level of the communication device from the network assessment dimension, which facilitates efficient establishment of the second correspondence later.

在一些实施例中,为了建立第三子对应关系,如图8所示,上述S303可以以如下方式实现:In some embodiments, in order to establish the third sub-correspondence relationship, as shown in FIG8 , the above S303 may be implemented in the following manner:

S601、电子设备获取系统评估维度的评估域对应的多个第三安全等级评估项。S601. The electronic device obtains a plurality of third security level assessment items corresponding to an assessment domain of a system assessment dimension.

其中,多个第三安全等级评估项包括:入侵检测能力、证书管理能力、安全配置能力。Among them, multiple third-level security level assessment items include: intrusion detection capability, certificate management capability, and security configuration capability.

S602、电子设备获取每个第三安全等级评估项对应的多个第三设备信息。S602: The electronic device obtains a plurality of third device information corresponding to each third security level assessment item.

其中,入侵检测能力对应的多个第三设备信息包括:第三预设攻击检测能力、预设文件篡改检测能力、反弹接口攻击行为检测能力。证书管理能力对应的多个第三设备信息包括:数字证书导入和更新能力、数字证书过期预警能力、是否具有数字证书导入和更新的接口、数字证书完整性保护能力、对接公钥基础设施系统的能力。安全配置能力对应的多个第三设备信息包括:业务安全配置核查能力、手动修复预设配置能力、修复预设配置能力。Among them, the multiple third device information corresponding to the intrusion detection capability includes: the third preset attack detection capability, the preset file tampering detection capability, and the rebound interface attack behavior detection capability. The multiple third device information corresponding to the certificate management capability includes: the digital certificate import and update capability, the digital certificate expiration warning capability, whether there is an interface for digital certificate import and update, the digital certificate integrity protection capability, and the ability to connect to the public key infrastructure system. The multiple third device information corresponding to the security configuration capability includes: the business security configuration verification capability, the manual repair preset configuration capability, and the repair preset configuration capability.

S603. The electronic device determines, according to the plurality of third device information corresponding to any third security level assessment item, a plurality of third security levels corresponding to that third security level assessment item.

As a possible implementation, the electronic device determines the plurality of third security levels corresponding to the intrusion detection capability according to the third preset attack detection capability, the preset file tampering detection capability, and the reverse interface attack behavior detection capability. The electronic device determines the plurality of third security levels corresponding to the certificate management capability according to the digital certificate import and update capability, the digital certificate expiration warning capability, whether there is an interface for digital certificate import and update, the digital certificate integrity protection capability, and the capability of connecting to a public key infrastructure system. The electronic device determines the plurality of third security levels corresponding to the security configuration capability according to the service security configuration verification capability, the manual preset configuration repair capability, and the preset configuration repair capability.

S604. The electronic device establishes the third sub-correspondence according to the plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, the plurality of third device information corresponding to any third security level assessment item, and the plurality of third security levels corresponding to any third security level assessment item.

Exemplarily, the third sub-correspondence may also be as shown in Table 8 below:

Table 8 The third sub-correspondence

In practical applications, the third preset attack may be common attack behavior against Linux shell accounts, including brute-force cracking and illegal connection behavior, and the preset files may be key Linux system files, such as account files and network configuration files. The interface in a reverse interface attack may be a shell. Reverse interface attack behavior detection can prevent an attacker from manipulating the host's existing bash in order to bypass the host's security detection system and prepare the control channel for a subsequent reverse shell. When the third security level of the intrusion detection capability is level 3, the corresponding third device information further includes: an illegal user detection capability, a capability of detecting traces hidden by a rootkit, and a key file detection capability. Among them, the illegal user detection capability prevents an attacker from hiding their identity in order to retain control of the device; detecting traces hidden by a rootkit prevents an attacker from hiding files, processes, network connections and kernel modules so as to remain resident for a long time with the highest privileges; and the key file detection capability prevents an attacker from leaving backdoors or malicious files that threaten the host.

When the third security level of the certificate management capability is level 1, the corresponding third device information further includes: devices that cannot connect to the network management system but are remotely managed have the capability of near-end programmatic certificate import and update; devices that can connect to the network management system have the capability of importing and updating certificates remotely through the network management system; devices that cannot connect to the network management system have a local digital certificate expiration warning capability; devices that can connect to the network management system have the capability of reporting certificate expiration alarms to the network management system; the capability of importing and updating certificate revocation lists; support for a digital certificate revocation status checking policy; the capability of verifying the signature validity of the peer certificate, whether the certificate has expired, and whether the certificate status has been revoked; the capability of keeping the certificate preinstalled in the device unique and keeping the key pair and public key certificate confidential; and the software package not containing certificate-related data (for example, the private key, the public key certificate, the certificate chain, and the root certificate used to verify the peer certificate). Among them, the certificate subject contains product uniqueness information (for example, an electronic serial number (ESN), an IP address, a MAC address, or a server name).

When the third security level of the certificate management capability is level 2, the corresponding third device information further includes: the capability of connecting to a certification authority (CA) system, the capability of protecting the private key password based on hardware, and the capability of protecting the private key password based on software. Among them, the digital certificate import and update capability allows certificates to be imported and updated through the network management system; the capability of connecting to a CA system allows certificate application and issuance to be automated; the digital certificate integrity protection capability prevents service interruption caused by damage to certificates (including root certificates) and private keys; and the capability of connecting to a public key infrastructure system allows certificate revocation list updates to be automated.

When the third security level of the security configuration capability is level 1, the corresponding third device information further includes: having a service security configuration baseline, and the capability of visualizing service security configuration verification results. When the third security level of the security configuration capability is level 2, the corresponding third device information further includes: the capability of customizing service security configuration verification templates.

In practical applications, the assessment domain of the system assessment dimension includes: a single-domain situation control subdomain, a network element security management subdomain, and a security verification subdomain. Among them, the security level assessment items corresponding to the single-domain situation control subdomain include: intrusion detection capability and security asset management capability. The security level assessment items corresponding to the network element security management subdomain include: certificate management capability. The security level assessment items corresponding to the security verification subdomain include: security configuration capability.

It can be understood that the third sub-correspondence determines the security level of the communication device from the system assessment dimension, which helps to efficiently establish the second correspondence later.

In practical applications, the target device may be a router. From the perspective of the service domain, routers may be divided into access routers, aggregation routers, and core routers. The target device may also be a switch. From the perspective of the service domain, switches may be divided into campus switches, data center switches, and industrial switches. The security level assessment items corresponding to service routers include: mobile bearer router trust capability, router trust capability, internet gateway (IGW) router trust capability, and software-defined wide area network (SD-WAN) router trust capability. The security level assessment items corresponding to mobile bearer routers include: IP and security protection capability, slice security protection capability, SRv6 security capability, clock synchronization security capability, and EVPN security protection capability. The security level assessment items corresponding to routers include: control plane and user plane separation security capability, broadband network gateway (BNG) control device service security protection capability, and BGP security capability. The security level assessment items corresponding to IGW routers include: BGP security capability and traffic optimization security protection capability.

The security of the target device is assessed in the assessment domain of the device assessment dimension, the assessment domain of the network assessment dimension, and the assessment domain of the system assessment dimension. Each of these three assessment domains includes a plurality of security level assessment items, so the assessment yields one security level for the target device in each of the three assessment domains. Exemplarily, when the first security level corresponding to the target device's integrity protection capability at device startup is level 3, the first security level corresponding to the integrity protection capability at device runtime is level 3, the first security level corresponding to the preset data protection capability is level 3, and the first security level corresponding to the identity authentication capability is level 3, the target security level of the target device in the assessment domain of the device assessment dimension is level 3.
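As an added example that is not code from the patent, the following Python encodes the level lookup of S601 to S604 for the three system-dimension assessment items described above and the per-domain aggregation described in the preceding paragraph. The capability names are shortened forms of those on the page; that levels are cumulative, that levels the page does not describe (such as intrusion detection level 2) are left out of the table, and that a domain's target level is the lowest level reached by any of its items are assumptions, since the page only states the all-level-3 case.

```python
"""Security level lookup for the system assessment dimension.

Added example, not the patent's own code. Assumptions not stated on the page:
levels are cumulative, so reaching level n requires every capability listed for
every lower listed level as well; levels the page does not describe are absent
from the table; and the target level of an assessment domain is the lowest level
reached by any of its assessment items.
"""
from typing import Dict, FrozenSet, Iterable, Set

# assessment item -> level -> capabilities that this level adds
Correspondence = Dict[str, Dict[int, FrozenSet[str]]]

# Fragment of the third sub-correspondence (S602 / Table 8) with shortened
# capability names. Level 1 holds the base device information; higher levels
# hold the "further includes" additions from the page.
SYSTEM_DIMENSION: Correspondence = {
    "intrusion detection capability": {
        1: frozenset({"third preset attack detection",
                      "preset file tampering detection",
                      "reverse interface attack behavior detection"}),
        # level 2 is not described on the page, so it is left out
        3: frozenset({"illegal user detection",
                      "rootkit hidden trace detection",
                      "key file detection"}),
    },
    "certificate management capability": {
        1: frozenset({"digital certificate import and update",
                      "digital certificate expiration warning",
                      "digital certificate integrity protection",
                      "certificate revocation list import and update",
                      "peer certificate validation"}),
        2: frozenset({"CA system integration",
                      "hardware-protected private key password",
                      "software-protected private key password"}),
    },
    "security configuration capability": {
        1: frozenset({"service security configuration verification",
                      "service security configuration baseline",
                      "verification result visualization"}),
        2: frozenset({"custom verification template"}),
    },
}


def item_level(requirements: Dict[int, FrozenSet[str]], device_info: Set[str]) -> int:
    """Highest listed level whose requirements, and those of every lower listed
    level, are all present in device_info; 0 when even the first level fails."""
    reached = 0
    for level in sorted(requirements):
        if not requirements[level] <= device_info:
            break  # a gap at this level blocks every higher level
        reached = level
    return reached


def assess_items(correspondence: Correspondence, device_info: Set[str]) -> Dict[str, int]:
    """Level of every assessment item in the correspondence for one device."""
    return {item: item_level(reqs, device_info) for item, reqs in correspondence.items()}


def domain_level(correspondence: Correspondence, items: Iterable[str],
                 device_info: Set[str]) -> int:
    """Target security level of an assessment domain made up of `items`
    (assumed rule: a domain is only as strong as its weakest item)."""
    return min(item_level(correspondence[item], device_info) for item in items)


# Constructed device information for a hypothetical router: full intrusion
# detection, certificate management without CA integration or protected
# private key passwords, and customizable configuration-check templates.
SAMPLE_DEVICE_INFO: Set[str] = {
    "third preset attack detection", "preset file tampering detection",
    "reverse interface attack behavior detection", "illegal user detection",
    "rootkit hidden trace detection", "key file detection",
    "digital certificate import and update", "digital certificate expiration warning",
    "digital certificate integrity protection",
    "certificate revocation list import and update", "peer certificate validation",
    "service security configuration verification",
    "service security configuration baseline", "verification result visualization",
    "custom verification template",
}

if __name__ == "__main__":
    levels = assess_items(SYSTEM_DIMENSION, SAMPLE_DEVICE_INFO)
    for item, level in levels.items():
        print(f"{item}: level {level}")
    print("system dimension target level:",
          domain_level(SYSTEM_DIMENSION, levels, SAMPLE_DEVICE_INFO))
```

For the constructed device the items come out at levels 3, 1 and 2, so the system assessment domain as a whole is level 1: the missing CA integration drags the domain down even though intrusion detection is complete.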

The above mainly describes the solution provided by the embodiments of the present application from the perspective of the method. To implement the above functions, the security level determination apparatus or electronic device includes the hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present application.

The embodiments of the present application may divide the security level determination apparatus or electronic device into functional modules according to the above method. For example, the security level determination apparatus or electronic device may include a functional module for each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of the present application is illustrative and is only a logical functional division; other divisions are possible in actual implementation.

FIG. 9 shows a security level determination apparatus 700 according to an exemplary embodiment. As shown in FIG. 9, the security level determination apparatus 700 includes an acquisition unit 701, a determination unit 702 and an establishment unit 703.

The acquisition unit 701 is configured to acquire the target device category and the target device information of the target device. The target device information includes at least one of: device information of the device assessment dimension, device information of the network assessment dimension, and device information of the system assessment dimension.

The determination unit 702 is configured to determine, according to the target device category and a first correspondence, at least one target security level assessment domain corresponding to the target device and at least one target security level assessment item corresponding to the target device in each target security level assessment domain. The first correspondence includes: a plurality of preset device categories, at least one security level assessment domain corresponding to each preset device category, and at least one security level assessment item corresponding to each preset device category in each security level assessment domain. The at least one security level assessment domain includes at least one of: the assessment domain of the device assessment dimension, the assessment domain of the network assessment dimension, and the assessment domain of the system assessment dimension.

The determination unit 702 is further configured to determine the target security level of the target device according to the target device information, the at least one target security level assessment item corresponding to the target device in each target security level assessment domain, and a second correspondence. The second correspondence includes: a plurality of security level assessment items, a plurality of security levels corresponding to each security level assessment item, and a plurality of device information in one-to-one correspondence with the plurality of security levels. The target security level is used to indicate the degree of security of the target device.

Optionally, in order to construct the second correspondence, as shown in FIG. 9, the establishment unit 703 is configured to:

establish a first sub-correspondence. The first sub-correspondence includes: a plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, a plurality of first security levels corresponding to each first security level assessment item, and a plurality of first device information in one-to-one correspondence with the plurality of first security levels;

establish a second sub-correspondence. The second sub-correspondence includes: a plurality of second security level assessment items corresponding to the assessment domain of the network assessment dimension, a plurality of second security levels corresponding to each second security level assessment item, and a plurality of second device information in one-to-one correspondence with the plurality of second security levels;

establish a third sub-correspondence. The third sub-correspondence includes: a plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, a plurality of third security levels corresponding to each third security level assessment item, and a plurality of third device information in one-to-one correspondence with the plurality of third security levels;

establish the second correspondence according to the first sub-correspondence, the second sub-correspondence and the third sub-correspondence.

Optionally, in order to establish the first sub-correspondence, as shown in FIG. 9, the establishment unit 703 is specifically configured to:

obtain a plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension. The plurality of first security level assessment items include: integrity protection capability at device startup, integrity protection capability at device runtime, secure cryptographic algorithm management capability, preset data protection capability, and identity authentication capability;

obtain a plurality of first device information corresponding to each first security level assessment item. The plurality of first device information corresponding to the integrity protection capability at device startup includes: a software integrity verification capability at device startup, a capability of verifying integrity and authenticity through digital signature technology at device startup, and a zero-configuration deployment capability at device startup. The plurality of first device information corresponding to the integrity protection capability at device runtime includes: a software package integrity verification capability at device upgrade, a patch integrity verification capability at device upgrade, and a capability of verifying integrity and authenticity through digital signature technology at device upgrade. The plurality of first device information corresponding to the secure cryptographic algorithm management capability includes: the security strength of preset cryptographic algorithms, a cryptographic algorithm alarm capability, a multi-layer key protection capability, and a root key hardware protection capability. The plurality of first device information corresponding to the preset data protection capability includes: a first preset data protection capability, a second preset data protection capability, and a preset program protection capability, where the second preset data is more important than the first preset data. The plurality of first device information corresponding to the identity authentication capability includes: a user identity identification capability, a user identity authentication capability, whether user identity authentication is performed when the user performs a preset operation, and an interface authentication capability;

determine, according to the plurality of first device information corresponding to any first security level assessment item, a plurality of first security levels corresponding to that first security level assessment item;

establish the first sub-correspondence according to the plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, the plurality of first device information corresponding to any first security level assessment item, and the plurality of first security levels corresponding to any first security level assessment item.

Optionally, in order to establish the second sub-correspondence, as shown in FIG. 9, the establishment unit 703 is specifically configured to:

obtain a plurality of second security level assessment items corresponding to the assessment domain of the network assessment dimension. The plurality of second security level assessment items include: user authentication capability, attack protection capability, and link protection capability;

obtain a plurality of second device information corresponding to each second security level assessment item. The plurality of second device information corresponding to the user authentication capability includes: the capability of supporting remote authentication and authorization by a preset server, the capability of supporting preset server group configuration, the capability of establishing a secure channel, and the capability of supporting command line configuration dynamically delivered by a preset server. The plurality of second device information corresponding to the attack protection capability includes: a first preset attack traffic detection and scrubbing capability, a second preset attack detection capability, and the capability of detecting the first preset attack within seconds. The plurality of second device information corresponding to the link protection capability includes: a port cyclic redundancy check capability, an optical transport network bit error detection capability, and a millisecond-level service switching capability;

determine, according to the plurality of second device information corresponding to any second security level assessment item, a plurality of second security levels corresponding to that second security level assessment item;

根据网络评估维度的评估域对应的多个第二安全等级评估项、任一第二安全等级评估项对应的多个第二设备信息和任一第二安全等级评估项对应的多个第二安全等级,建立第二子对应关系。A second sub-correspondence relationship is established based on multiple second security level assessment items corresponding to the assessment domain of the network assessment dimension, multiple second device information corresponding to any second security level assessment item, and multiple second security levels corresponding to any second security level assessment item.

可选的,为了建立第三子对应关系,如图9所示,上述建立单元703,具体用于:Optionally, in order to establish the third sub-correspondence relationship, as shown in FIG9 , the establishing unit 703 is specifically configured to:

获取系统评估维度的评估域对应的多个第三安全等级评估项。多个第三安全等级评估项包括:入侵检测能力、证书管理能力、安全配置能力。A plurality of third security level evaluation items corresponding to the evaluation domain of the system evaluation dimension are obtained. The plurality of third security level evaluation items include: intrusion detection capability, certificate management capability, and security configuration capability.

获取每个第三安全等级评估项对应的多个第三设备信息。入侵检测能力对应的多个第三设备信息包括:第三预设攻击检测能力、预设文件篡改检测能力、反弹接口攻击行为检测能力。证书管理能力对应的多个第三设备信息包括:数字证书导入和更新能力、数字证书过期预警能力、是否具有数字证书导入和更新的接口、数字证书完整性保护能力、对接公钥基础设施系统的能力。安全配置能力对应的多个第三设备信息包括:业务安全配置核查能力、手动修复预设配置能力、修复预设配置能力。Obtain multiple third device information corresponding to each third security level assessment item. Multiple third device information corresponding to intrusion detection capability includes: third preset attack detection capability, preset file tampering detection capability, and rebound interface attack behavior detection capability. Multiple third device information corresponding to certificate management capability includes: digital certificate import and update capability, digital certificate expiration warning capability, whether there is an interface for digital certificate import and update, digital certificate integrity protection capability, and the ability to connect to the public key infrastructure system. Multiple third device information corresponding to security configuration capability includes: business security configuration verification capability, manual repair preset configuration capability, and repair preset configuration capability.

根据任一第三安全等级评估项对应的多个第三设备信息,确定任一第三安全等级评估项对应的多个第三安全等级。A plurality of third security levels corresponding to any third security level evaluation item is determined according to a plurality of third device information corresponding to any third security level evaluation item.

根据系统评估维度的评估域对应的多个第三安全等级评估项、任一第三安全等级评估项对应的多个第三设备信息和任一第三安全等级评估项对应的多个第三安全等级,建立第三子对应关系。A third sub-correspondence relationship is established based on multiple third security level assessment items corresponding to the assessment domain of the system assessment dimension, multiple third device information corresponding to any third security level assessment item, and multiple third security levels corresponding to any third security level assessment item.

图10是根据一示例性实施例示出的一种电子设备的框图。如图10所示,电子设备800包括但不限于:处理器801和存储器802。Fig. 10 is a block diagram of an electronic device according to an exemplary embodiment. As shown in Fig. 10 , the electronic device 800 includes but is not limited to: a processor 801 and a memory 802 .

其中,上述的存储器802,用于存储上述处理器801的可执行指令。可以理解的是,上述处理器801被配置为执行指令,以实现上述实施例中的安全等级确定方法。The memory 802 is used to store executable instructions of the processor 801. It can be understood that the processor 801 is configured to execute instructions to implement the security level determination method in the above embodiment.

需要说明的是,本领域技术人员可以理解,图10中示出的电子设备结构并不构成对电子设备的限定,电子设备可以包括比图10所示更多或更少的部件,或者组合某些部件,或者不同的部件布置。It should be noted that those skilled in the art will understand that the electronic device structure shown in FIG10 does not constitute a limitation on the electronic device, and the electronic device may include more or fewer components than shown in FIG10, or a combination of certain components, or a different arrangement of components.

处理器801是电子设备的控制中心,利用各种接口和线路连接整个电子设备的各个部分,通过运行或执行存储在存储器802内的软件程序和/或模块,以及调用存储在存储器802内的数据,执行电子设备的各种功能和处理数据,从而对电子设备进行整体监控。处理器801可包括一个或多个处理单元。可选的,处理器801可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器801中。The processor 801 is the control center of the electronic device. It uses various interfaces and lines to connect various parts of the entire electronic device. By running or executing software programs and/or modules stored in the memory 802, and calling data stored in the memory 802, it performs various functions of the electronic device and processes data, thereby monitoring the electronic device as a whole. The processor 801 may include one or more processing units. Optionally, the processor 801 may integrate an application processor and a modem processor, wherein the application processor mainly processes the operating system, user interface, and application programs, and the modem processor mainly processes wireless communications. It is understandable that the above-mentioned modem processor may not be integrated into the processor 801.

存储器802可用于存储软件程序以及各种数据。存储器802可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能模块所需的应用程序等(比如获取单元、确定单元和建立单元)。此外,存储器802可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他易失性固态存储器件。The memory 802 can be used to store software programs and various data. The memory 802 can mainly include a program storage area and a data storage area, wherein the program storage area can store an operating system, an application program required by at least one functional module, etc. (such as an acquisition unit, a determination unit, and an establishment unit). In addition, the memory 802 can include a high-speed random access memory, and can also include a non-volatile memory, such as at least one disk storage device, a flash memory device, or other volatile solid-state storage devices.

In an exemplary embodiment, a computer-readable storage medium including instructions, such as a memory including instructions, is also provided; the instructions can be executed by the processor of the electronic device to implement the security level determination method of the above embodiments.

In actual implementation, the functions of the acquisition unit 701, the determination unit 702 and the establishment unit 703 can all be implemented by the processor 801 in FIG. 10 calling a computer program stored in the memory 802. For the specific execution process, refer to the description of the security level determination method in the above embodiments; it is not repeated here.

Optionally, the computer-readable storage medium may be a non-transitory computer-readable storage medium, for example a read-only memory (ROM), a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk or an optical data storage device.

In an exemplary embodiment, the present application also provides a computer program product including one or more instructions, which can be executed by the processor of an electronic device to complete the method of the above embodiments.

It should be noted that when the instructions in the computer-readable storage medium, or the one or more instructions in the computer program product, are executed by the processor of the electronic device, each process of the above method embodiments is implemented and the same technical effect is achieved; to avoid repetition, this is not described again here.

From the description of the above embodiments, those skilled in the art will clearly understand that the division into the above functional modules is given only as an example, for convenience and brevity of description. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the apparatus can be divided into different functional modules to complete all or part of the functions described above.

In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another apparatus, and some features may be omitted or not executed. Further, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatus or units, and may be electrical, mechanical or of other forms.

The units described as separate components may or may not be physically separate, and a component shown as a unit may be one physical unit or multiple physical units, that is, it may be located in one place or distributed over multiple places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, exist physically as separate units, or be combined two or more into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. Based on this understanding, the technical solution of the embodiments of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.

The above are only specific embodiments of the present application, but the scope of protection of the present application is not limited thereto; any change or substitution within the technical scope disclosed in the present application falls within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Claims (12)

1. A security level determining method, comprising:
acquiring a target equipment category and target equipment information of target equipment; the target device information includes: at least one of device information of a device evaluation dimension, device information of a network evaluation dimension, and device information of a system evaluation dimension;
determining at least one target security level assessment domain corresponding to the target device, and at least one target security level assessment item corresponding to the target device in each target security level assessment domain, according to the target device category and a first correspondence relationship; the first correspondence relationship includes: a plurality of preset device categories, at least one security level assessment domain corresponding to each preset device category, and at least one security level assessment item corresponding to each preset device category in each security level assessment domain; the at least one security level assessment domain comprises: at least one of an assessment domain of a device assessment dimension, an assessment domain of a network assessment dimension, and an assessment domain of a system assessment dimension;
determining a target security level of the target device according to the target device information, the at least one target security level assessment item corresponding to the target device in each target security level assessment domain, and a second correspondence relationship; the second correspondence relationship includes: a plurality of security level assessment items, a plurality of security levels corresponding to each security level assessment item, and a plurality of pieces of device information corresponding one to one to the plurality of security levels; the target security level is used to represent the degree of security of the target device.
2. The method according to claim 1, wherein the method further comprises:
establishing a first sub-correspondence relationship; the first sub-correspondence relationship includes: a plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, a plurality of first security levels corresponding to each first security level assessment item, and a plurality of pieces of first device information corresponding one to one to the plurality of first security levels;
establishing a second sub-corresponding relation; the second sub-correspondence includes: a plurality of second security level evaluation items corresponding to the evaluation domain of the network evaluation dimension, a plurality of second security levels corresponding to each second security level evaluation item, and a plurality of second device information corresponding to the plurality of second security levels one to one;
establishing a third sub-correspondence relationship; the third sub-correspondence relationship includes: a plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, a plurality of third security levels corresponding to each third security level assessment item, and a plurality of pieces of third device information corresponding one to one to the plurality of third security levels;
and establishing the second corresponding relation according to the first sub corresponding relation, the second sub corresponding relation and the third sub corresponding relation.
3. The method of claim 2, wherein the establishing the first sub-correspondence comprises:
acquiring a plurality of first security level evaluation items corresponding to an evaluation domain of the equipment evaluation dimension; the plurality of first security level assessment items includes: integrity protection capability when equipment is started, integrity protection capability when equipment is operated, security cryptographic algorithm management capability, preset data protection capability and identity authentication capability;
acquiring a plurality of pieces of first device information corresponding to each first security level evaluation item; the plurality of pieces of first device information corresponding to the integrity protection capability when the device is started comprises: software integrity verification capability when the device is started, integrity and authenticity verification capability through digital signature technology when the device is started, and zero-configuration start capability when the device is started; the plurality of pieces of first device information corresponding to the device runtime integrity protection capability includes: software package integrity checking capability during device upgrade, patch integrity checking capability during device upgrade, and integrity and authenticity checking capability through digital signature technology during device upgrade; the plurality of pieces of first device information corresponding to the secure cryptographic algorithm management capability includes: security strength of the preset cryptographic algorithm, cryptographic algorithm alarm capability, multi-layer key protection capability, and root key hardware protection capability; the plurality of pieces of first device information corresponding to the preset data protection capability includes: first preset data protection capability, second preset data protection capability, and preset program protection capability, wherein the importance degree of the second preset data is higher than that of the first preset data; the plurality of pieces of first device information corresponding to the identity authentication capability includes: user identity identification capability, user identity authentication capability, whether user identity authentication is performed when a user performs a preset operation, and interface authentication capability;
determining a plurality of first security levels corresponding to any first security level evaluation item according to a plurality of first device information corresponding to any first security level evaluation item;
and establishing the first sub-corresponding relation according to a plurality of first security level assessment items corresponding to the assessment domains of the equipment assessment dimension, a plurality of first equipment information corresponding to any one of the first security level assessment items and a plurality of first security levels corresponding to any one of the first security level assessment items.
4. The method of claim 2, wherein the establishing the second sub-correspondence comprises:
acquiring a plurality of second security level evaluation items corresponding to the evaluation domains of the network evaluation dimension; the plurality of second security level assessment items includes: user authentication capability, attack protection capability, and link protection capability;
acquiring a plurality of pieces of second device information corresponding to each second security level evaluation item; the plurality of pieces of second device information corresponding to the user authentication capability includes: capability to support remote authentication and authorization by a preset server, capability to support configuration of a preset server group, capability to establish a secure channel, and capability to support dynamic issuing of command line configuration by the preset server; the plurality of pieces of second device information corresponding to the attack protection capability includes: first preset attack traffic detection and cleaning capability, second preset attack detection capability, and second-level detection capability for the first preset attack; the plurality of pieces of second device information corresponding to the link protection capability includes: port cyclic redundancy check capability, optical transport network error code detection capability, and millisecond service switching capability;
determining a plurality of second security levels corresponding to any second security level evaluation item according to a plurality of second device information corresponding to any second security level evaluation item;
and establishing the second sub-corresponding relation according to a plurality of second security level assessment items corresponding to the assessment domains of the network assessment dimension, a plurality of second equipment information corresponding to any one of the second security level assessment items and a plurality of second security levels corresponding to any one of the second security level assessment items.
5. The method according to any one of claims 2-4, wherein the establishing a third sub-correspondence comprises:
acquiring a plurality of third security level evaluation items corresponding to the evaluation domain of the system evaluation dimension; the plurality of third security level assessment items includes: intrusion detection capability, certificate management capability, security configuration capability;
acquiring a plurality of pieces of third device information corresponding to each third security level evaluation item; the plurality of pieces of third device information corresponding to the intrusion detection capability includes: third preset attack detection capability, preset file tampering detection capability, and rebound interface attack behavior detection capability; the plurality of pieces of third device information corresponding to the certificate management capability includes: digital certificate import and update capability, digital certificate expiration pre-warning capability, whether there is an interface for digital certificate import and update, digital certificate integrity protection capability, and capability to interface with public key infrastructure systems; the plurality of pieces of third device information corresponding to the security configuration capability includes: business security configuration checking capability, manual restoration of preset configuration capability, and restoration of preset configuration capability;
determining a plurality of third security levels corresponding to any third security level evaluation item according to a plurality of third device information corresponding to any third security level evaluation item;
and establishing the third sub-corresponding relation according to a plurality of third security level assessment items corresponding to the assessment domains of the system assessment dimension, a plurality of third device information corresponding to any one of the third security level assessment items and a plurality of third security levels corresponding to any one of the third security level assessment items.
6. A security level determining apparatus, characterized by comprising an acquisition unit and a determining unit;
the acquisition unit is used for acquiring the target equipment category and the target equipment information of the target equipment; the target device information includes: at least one of device information of a device evaluation dimension, device information of a network evaluation dimension, and device information of a system evaluation dimension;
the determining unit is configured to determine, according to the target device category and a first correspondence relationship, at least one target security level assessment domain corresponding to the target device and at least one target security level assessment item corresponding to the target device in each target security level assessment domain; the first correspondence relationship includes: a plurality of preset device categories, at least one security level assessment domain corresponding to each preset device category, and at least one security level assessment item corresponding to each preset device category in each security level assessment domain; the at least one security level assessment domain comprises: at least one of an assessment domain of a device assessment dimension, an assessment domain of a network assessment dimension, and an assessment domain of a system assessment dimension;
the determining unit is further configured to determine a target security level of the target device according to the target device information, the at least one target security level assessment item corresponding to the target device in each target security level assessment domain, and a second correspondence relationship; the second correspondence relationship includes: a plurality of security level assessment items, a plurality of security levels corresponding to each security level assessment item, and a plurality of pieces of device information corresponding one to one to the plurality of security levels; the target security level is used to represent the degree of security of the target device.
7. The apparatus of claim 6, further comprising a setup unit; the establishing unit is used for:
establishing a first sub-correspondence relationship; the first sub-correspondence relationship includes: a plurality of first security level assessment items corresponding to the assessment domain of the device assessment dimension, a plurality of first security levels corresponding to each first security level assessment item, and a plurality of pieces of first device information corresponding one to one to the plurality of first security levels;
establishing a second sub-corresponding relation; the second sub-correspondence includes: a plurality of second security level evaluation items corresponding to the evaluation domain of the network evaluation dimension, a plurality of second security levels corresponding to each second security level evaluation item, and a plurality of second device information corresponding to the plurality of second security levels one to one;
establishing a third sub-correspondence relationship; the third sub-correspondence relationship includes: a plurality of third security level assessment items corresponding to the assessment domain of the system assessment dimension, a plurality of third security levels corresponding to each third security level assessment item, and a plurality of pieces of third device information corresponding one to one to the plurality of third security levels;
and establishing the second corresponding relation according to the first sub corresponding relation, the second sub corresponding relation and the third sub corresponding relation.
8. The apparatus according to claim 7, wherein the establishing unit is specifically configured to:
acquiring a plurality of first security level evaluation items corresponding to an evaluation domain of the equipment evaluation dimension; the plurality of first security level assessment items includes: integrity protection capability when equipment is started, integrity protection capability when equipment is operated, security cryptographic algorithm management capability, preset data protection capability and identity authentication capability;
acquiring a plurality of pieces of first device information corresponding to each first security level evaluation item; the plurality of pieces of first device information corresponding to the integrity protection capability when the device is started comprises: software integrity verification capability when the device is started, integrity and authenticity verification capability through digital signature technology when the device is started, and zero-configuration start capability when the device is started; the plurality of pieces of first device information corresponding to the device runtime integrity protection capability includes: software package integrity checking capability during device upgrade, patch integrity checking capability during device upgrade, and integrity and authenticity checking capability through digital signature technology during device upgrade; the plurality of pieces of first device information corresponding to the secure cryptographic algorithm management capability includes: security strength of the preset cryptographic algorithm, cryptographic algorithm alarm capability, multi-layer key protection capability, and root key hardware protection capability; the plurality of pieces of first device information corresponding to the preset data protection capability includes: first preset data protection capability, second preset data protection capability, and preset program protection capability, wherein the importance degree of the second preset data is higher than that of the first preset data; the plurality of pieces of first device information corresponding to the identity authentication capability includes: user identity identification capability, user identity authentication capability, whether user identity authentication is performed when a user performs a preset operation, and interface authentication capability;
determining a plurality of first security levels corresponding to any first security level evaluation item according to a plurality of first device information corresponding to any first security level evaluation item;
and establishing the first sub-corresponding relation according to a plurality of first security level assessment items corresponding to the assessment domains of the equipment assessment dimension, a plurality of first equipment information corresponding to any one of the first security level assessment items and a plurality of first security levels corresponding to any one of the first security level assessment items.
9. The apparatus according to claim 7, wherein the establishing unit is specifically configured to:
acquiring a plurality of second security level evaluation items corresponding to the evaluation domains of the network evaluation dimension; the plurality of second security level assessment items includes: user authentication capability, attack protection capability, and link protection capability;
acquiring a plurality of pieces of second device information corresponding to each second security level evaluation item; the plurality of pieces of second device information corresponding to the user authentication capability includes: capability to support remote authentication and authorization by a preset server, capability to support configuration of a preset server group, capability to establish a secure channel, and capability to support dynamic issuing of command line configuration by the preset server; the plurality of pieces of second device information corresponding to the attack protection capability includes: first preset attack traffic detection and cleaning capability, second preset attack detection capability, and second-level detection capability for the first preset attack; the plurality of pieces of second device information corresponding to the link protection capability includes: port cyclic redundancy check capability, optical transport network error code detection capability, and millisecond service switching capability;
determining a plurality of second security levels corresponding to any second security level evaluation item according to a plurality of second device information corresponding to any second security level evaluation item;
and establishing the second sub-corresponding relation according to a plurality of second security level assessment items corresponding to the assessment domains of the network assessment dimension, a plurality of second equipment information corresponding to any one of the second security level assessment items and a plurality of second security levels corresponding to any one of the second security level assessment items.
10. The apparatus according to any of the claims 7-9, characterized in that the establishing unit is specifically configured to:
acquiring a plurality of third security level evaluation items corresponding to the evaluation domain of the system evaluation dimension; the plurality of third security level assessment items includes: intrusion detection capability, certificate management capability, security configuration capability;
acquiring a plurality of pieces of third device information corresponding to each third security level evaluation item; the plurality of pieces of third device information corresponding to the intrusion detection capability includes: third preset attack detection capability, preset file tampering detection capability, and rebound interface attack behavior detection capability; the plurality of pieces of third device information corresponding to the certificate management capability includes: digital certificate import and update capability, digital certificate expiration pre-warning capability, whether there is an interface for digital certificate import and update, digital certificate integrity protection capability, and capability to interface with public key infrastructure systems; the plurality of pieces of third device information corresponding to the security configuration capability includes: business security configuration checking capability, manual restoration of preset configuration capability, and restoration of preset configuration capability;
determining a plurality of third security levels corresponding to any third security level evaluation item according to a plurality of third device information corresponding to any third security level evaluation item;
and establishing the third sub-corresponding relation according to a plurality of third security level assessment items corresponding to the assessment domains of the system assessment dimension, a plurality of third device information corresponding to any one of the third security level assessment items and a plurality of third security levels corresponding to any one of the third security level assessment items.
11. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the method of any of claims 1-5.
12. A computer readable storage medium, characterized in that, when computer-executable instructions stored in the computer readable storage medium are executed by a processor of an electronic device, the electronic device is capable of performing the method of any of claims 1-5.
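As an added Python illustration of the two lookups in claim 1 (not code from the patent or its applicants), the sketch below builds a first correspondence from device category to assessment domains and items, and a second correspondence from assessment item to one-to-one security level / device information pairs, with item and capability names taken from claims 3-5. The device categories, the numeric levels and the aggregation rules (highest consecutively satisfied level per item, minimum over items overall) are assumptions, since the claims leave them open.

```python
"""Security-level determination along the two lookups of claim 1.
Added illustration, not the patent's code: item and capability names follow
claims 3-5; the numeric levels, device categories and aggregation rules are
assumptions the patent leaves unspecified."""
from typing import Dict, List, Set, Tuple

# First correspondence (claim 1): preset device category -> assessment
# domain -> assessment items. Both categories are constructed samples.
FIRST_CORRESPONDENCE: Dict[str, Dict[str, List[str]]] = {
    "core_router": {
        "device": ["boot_integrity_protection"],
        "network": ["user_authentication"],
        "system": ["certificate_management"],
    },
    "access_switch": {
        "device": ["boot_integrity_protection"],
        "network": ["user_authentication"],
    },
}

# Second correspondence (claims 2-5): assessment item -> (security level,
# device information) pairs, one to one. The level numbers are an assumed
# ordering of the capabilities each claim lists, weakest first.
SECOND_CORRESPONDENCE: Dict[str, List[Tuple[int, str]]] = {
    "boot_integrity_protection": [            # claim 3, device dimension
        (1, "software_integrity_check_at_boot"),
        (2, "signed_integrity_and_authenticity_check_at_boot"),
        (3, "zero_configuration_boot"),
    ],
    "user_authentication": [                  # claim 4, network dimension
        (1, "remote_aaa_via_preset_server"),
        (2, "preset_server_group_configuration"),
        (3, "secure_channel_to_preset_server"),
        (4, "dynamic_cli_configuration_from_preset_server"),
    ],
    "certificate_management": [               # claim 5, system dimension
        (1, "certificate_import_and_update"),
        (2, "certificate_expiry_prewarning"),
        (3, "certificate_import_update_interface"),
        (4, "certificate_integrity_protection"),
        (5, "pki_system_interfacing"),
    ],
}


def select_assessment_items(category: str) -> Dict[str, List[str]]:
    """Claim 1, step 2: target domains and items for a device category."""
    if category not in FIRST_CORRESPONDENCE:
        raise ValueError(f"unknown device category: {category!r}")
    return FIRST_CORRESPONDENCE[category]


def item_level(item: str, capabilities: Set[str]) -> int:
    """Assumed per-item rule: highest level whose capability is reported,
    with all lower levels met too; a gap stops the climb (level 0 if the
    level-1 capability is missing)."""
    level = 0
    for lvl, required in SECOND_CORRESPONDENCE[item]:
        if required not in capabilities:
            break
        level = lvl
    return level


def determine_security_level(
    category: str, device_info: Dict[str, Set[str]]
) -> Tuple[int, Dict[str, int]]:
    """Claim 1, step 3. device_info maps a dimension ("device", "network",
    "system") to the capabilities the target device reports. The target
    level is the minimum over selected items (assumed weakest-link rule);
    the breakdown shows which item holds it down."""
    breakdown: Dict[str, int] = {}
    for domain, items in select_assessment_items(category).items():
        caps = device_info.get(domain, set())
        for item in items:
            breakdown[item] = item_level(item, caps)
    return (min(breakdown.values()) if breakdown else 0), breakdown


# Constructed device information for one sample target device.
SAMPLE_DEVICE_INFO: Dict[str, Set[str]] = {
    "device": {"software_integrity_check_at_boot",
               "signed_integrity_and_authenticity_check_at_boot"},
    # Remote AAA and server groups present, no secure channel: the dynamic
    # CLI capability alone does not lift user_authentication past level 2.
    "network": {"remote_aaa_via_preset_server",
                "preset_server_group_configuration",
                "dynamic_cli_configuration_from_preset_server"},
    "system": {"certificate_import_and_update"},
}

if __name__ == "__main__":
    for cat in ("core_router", "access_switch"):
        level, detail = determine_security_level(cat, SAMPLE_DEVICE_INFO)
        print(f"{cat}: target security level {level}, per item {detail}")
```

The per-item breakdown is what an assessor acts on: for the sample device the certificate management item (no expiry pre-warning) is what pins the core router at level 1.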
CN202410010029.1A 2024-01-03 2024-01-03 Security level determination method, device, equipment and storage medium Pending CN117879927A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410010029.1A CN117879927A (en) 2024-01-03 2024-01-03 Security level determination method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117879927A true CN117879927A (en) 2024-04-12

Family

ID=90578657

Country Status (1)

Country Link
CN (1) CN117879927A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118277925A (en) * 2024-06-04 2024-07-02 北京警察学院 Classification security assessment method and device for public security video image system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination