
CN119232619A - Information determination method, apparatus, device, computer storage medium and computer program product - Google Patents

Info

Publication number
CN119232619A
Authority
CN
China
Prior art keywords
data
target
service
asset
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411066885.5A
Other languages
Chinese (zh)
Inventor
张峰
于乐
马禹昇
康乾
王晓明
黄一鸣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L43/00 Arrangements for monitoring or testing data switching networks
                    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
                    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
                        • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                        • H04L63/1433 Vulnerability analysis
    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/577 Assessing vulnerabilities and evaluating computer system security
                    • G06F21/60 Protecting data
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Environmental & Geological Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of the present application disclose an information determination method, including: obtaining historical operation data of an asset in a network system, first data of the asset for historical access requests, and second data of the asset for a target access request; generating target detection information for the services provided by the asset based on the historical operation data, the first data and the second data; obtaining target data of the asset for a pending access request, and determining, from a target database, the target service of the asset for the pending access request based on the target data and the target detection information. The embodiments of the present application also disclose an information determination apparatus, device, computer storage medium and computer program product.

Description

Information determination method, apparatus, device, computer storage medium and computer program product
Technical Field
The present application relates to information determining technology in the field of computers, and in particular, to an information determining method, apparatus, device, computer storage medium, and computer program product.
Background
As networks become ubiquitous and technology advances, security threats to assets in network systems grow increasingly serious, so improving the security of those assets becomes increasingly important. When an application is deployed on an asset, the open-source framework it is built on may leave the asset with serious security vulnerabilities. The services provided by the asset in the network system therefore need to be detected in advance, the asset's information monitored in real time according to the detection result, and risk events that may affect the asset predicted in time, so that the security of the asset in the network system is improved. Currently, the related art detects a specific service corresponding to an asset by regular-expression and keyword matching under a specific scenario. This approach has the problem that the accuracy of service detection is low.
Disclosure of Invention
In order to solve the above technical problems, it is desirable for embodiments of the present application to provide an information determining method, apparatus, device, storage medium, and computer program product, which solve the problem in the related art that the accuracy of service detection is low when service detection is performed.
An information determination method, the method comprising:
acquiring historical operation data of an asset in a network system, first data of the asset for historical access requests, and second data of the asset for a target access request;
generating target detection information for a service based on the historical operation data, the first data and the second data, wherein the service is provided by the asset;
and acquiring target data of the asset for a pending access request, and determining, from a target database, the target service of the asset for the pending access request based on the target data and the target detection information.
In the above aspect, the generating the target detection information for the service based on the historical operation data, the first data, and the second data includes:
Generating initial detection information for the service based on the historical operating data and the first data;
And correcting the initial detection information based on the second data to obtain the target detection information.
In the above solution, the generating initial detection information for the service based on the historical operation data and the first data includes:
determining a target detection parameter for the service based on the historical operational data and the first data;
determining a target detection mode and a target detection type aiming at the service, wherein the target detection type represents the type of data which can be detected;
And generating the initial detection information based on the target detection parameters, the target detection mode and the target detection type.
In the above aspect, the determining, based on the historical operation data and the first data, a target detection parameter for the service includes:
Processing the historical operation data and the first data to obtain a plurality of different characteristic parameters of the service;
a target detection parameter for the service is determined from the plurality of different feature parameters.
In the above solution, the determining, based on the target data and the target detection information, a target service of the asset for the pending access request from a target database includes:
Processing the target data to obtain processed target data;
based on the target detection information, matching the processed target data with the data in the target database;
and if first matching data which are matched with different characteristic parameters of the processed target data exist in the target database, determining that the service corresponding to the first matching data is the target service.
In the above scheme, the method further comprises:
If no first matching data exists in the target database, determining, among the different characteristic parameters, the number of characteristic parameters that do not match the corresponding characteristic parameter of the data in the target database;
determining a target value based on the number;
And if the target value is smaller than or equal to a target threshold value, determining first data to be matched from the target database, and determining that the service corresponding to the first data to be matched is the target service.
In the above scheme, the method further comprises:
if the target value is larger than the target threshold value, determining second data to be matched from the target database based on the target value;
based on the target detection information, carrying out matching processing on the second data to be matched and the processed target data;
if second matching data matched with the different characteristic parameters exist in the second data to be matched, determining that the service corresponding to the second matching data is the target service;
And if the second matching data does not exist in the second data to be matched, processing the processed target data by adopting a target self-learning algorithm to obtain target characteristic information of the processed target data, and storing the target characteristic information into the target database.
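The matching procedure laid out in the preceding steps (exact match, count of unmatched feature parameters against a threshold, a second pass over candidate entries, and storing unknown feature information) is illustrated below in Python. This is example code added for this page, not the patent's implementation. The feature-parameter keys, the rule that the target value is the smallest number of unmatched parameters over all database entries, the choice of second-pass candidates (entries whose unmatched count equals the target value), and the normalised comparison used in that pass are all assumptions; the "target self-learning algorithm" is stood in for by simply storing the new feature information under a placeholder label.

```python
from dataclasses import dataclass, field

# Assumed feature parameters ("different characteristic parameters") of a service.
FEATURE_KEYS = ("service_name", "os", "port", "middleware")


@dataclass
class TargetDatabase:
    """Constructed stand-in for the target database of known services."""
    records: list = field(default_factory=list)


def unmatched_count(features, record):
    """Number of feature parameters on which `features` and `record` disagree."""
    return sum(1 for key in FEATURE_KEYS if features.get(key) != record.get(key))


def normalize(value):
    """Assumed tolerant comparison used in the second matching pass."""
    return str(value).strip().casefold()


def matches_normalized(features, record):
    return all(normalize(features.get(k)) == normalize(record.get(k)) for k in FEATURE_KEYS)


def determine_target_service(features, db, target_threshold=1):
    """Return (service, how) for the processed target data `features`.

    `how` is "exact", "near", "normalized" or "learned" (no known service; the
    feature information was stored so that a later request can match it).
    """
    # Pass 1: an entry matching every feature parameter is the target service.
    for rec in db.records:
        if unmatched_count(features, rec) == 0:
            return rec["service"], "exact"

    # No exact match: count unmatched parameters per entry; the target value
    # (assumption) is the smallest such count.
    counts = [(unmatched_count(features, rec), rec) for rec in db.records]
    target_value = min((c for c, _ in counts), default=len(FEATURE_KEYS))

    if target_value <= target_threshold:
        # "first data to be matched": the closest entry is taken as the service.
        _, best = min(counts, key=lambda cr: cr[0])
        return best["service"], "near"

    # Pass 2: "second data to be matched" selected by the target value
    # (assumption: the entries sitting at that distance), compared tolerantly.
    candidates = [rec for c, rec in counts if c == target_value]
    for rec in candidates:
        if matches_normalized(features, rec):
            return rec["service"], "normalized"

    # Still nothing: store the feature information (stand-in for the
    # self-learning algorithm) under a placeholder service label.
    learned = {key: features.get(key) for key in FEATURE_KEYS}
    learned["service"] = f"unknown({features.get('service_name')})"
    db.records.append(learned)
    return None, "learned"


def build_sample_db():
    """Constructed sample entries; the values are illustrative only."""
    return TargetDatabase(records=[
        {"service": "Apache Tomcat", "service_name": "tomcat", "os": "linux", "port": 8080, "middleware": "tomcat"},
        {"service": "nginx", "service_name": "nginx", "os": "linux", "port": 80, "middleware": "nginx"},
        {"service": "Redis", "service_name": "redis", "os": "linux", "port": 6379, "middleware": "redis"},
    ])


if __name__ == "__main__":
    db = build_sample_db()
    print(determine_target_service({"service_name": "tomcat", "os": "linux", "port": 8080, "middleware": "tomcat"}, db))
    print(determine_target_service({"service_name": "tomcat", "os": "linux", "port": 8081, "middleware": "tomcat"}, db))
    print(determine_target_service({"service_name": "NGINX", "os": "Linux", "port": "80", "middleware": "NGINX"}, db))
    print(determine_target_service({"service_name": "mysql", "os": "linux", "port": 3306, "middleware": "mysql"}, db))
```

The threshold decides how far a request may drift from a known entry (for example a non-default port) before the tolerant second pass and, failing that, the learning path is taken; in practice it should be set from the number of feature parameters actually available for the asset.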
In the above scheme, the method further comprises:
predicting target access data of the asset using a target time series model based on the target data;
generating a risk access policy of the asset for the pending access request based on the target access data;
And determining a risk assessment result of the asset for the pending access request based on the risk access policy, the target access data and different characteristic parameters of the target service.
In the above solution, the determining, based on the risk access policy, the target access data, and different feature parameters of the target service, a risk assessment result of the asset for the pending access request includes:
Determining a target risk value of the pending access request based on the target access data, different characteristic parameters of the target service and a target risk library;
Determining the target trust degree of the pending access request;
and determining a risk assessment result of the asset for the pending access request based on the risk access policy, the target risk value and the target trust level.
An information determining apparatus, the apparatus comprising:
an acquisition unit, configured to acquire historical operation data of an asset in a network system, first data of the asset for historical access requests, and second data of the asset for a target access request;
a processing unit, configured to generate target detection information for a service based on the historical operation data, the first data and the second data, wherein the service is a service provided by the asset;
and a determining unit, configured to acquire target data of the asset for a pending access request and to determine, from a target database, the target service of the asset for the pending access request based on the target data and the target detection information.
An information determining apparatus includes a processor, a memory, and a communication bus;
the communication bus is used for realizing communication connection between the processor and the memory;
the processor is configured to execute the information determining program in the memory to implement the steps of the information determining method described above.
A computer-readable storage medium storing one or more programs executable by one or more processors to implement the steps of the information determining method described above.
A computer program product comprising a computer program which, when executed by a processor, implements a method of information determination according to the above.
The information determining method, apparatus, device, computer storage medium and computer program product provided by the embodiments of the application acquire the historical operation data of an asset in a network system, the first data of the asset for historical access requests and the second data of the asset for a target access request; generate target detection information for the services provided by the asset based on the historical operation data, the first data and the second data; acquire target data of the asset for a pending access request; and determine, from the target database, the target service of the asset for that request based on the target data and the target detection information. Target detection information for all services provided by the asset is thus generated from multiple dimensions of the asset's data, and the target service is determined by combining that detection information with the asset's target data for the pending request. The generated target detection information can therefore detect different services under different scenarios, rather than only a specific service under a specific scenario as in the related art, whose accuracy is low.
Drawings
Fig. 1 is a schematic flow chart of an information determining method according to an embodiment of the present application;
Fig. 2 is a flow chart of another information determining method according to an embodiment of the present application;
fig. 3 is a schematic system structure diagram corresponding to an information determining method according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a risk access policy generation method in an information determination method according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of a risk assessment method in an information determination method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an information determining apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an information determining apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application.
It should be appreciated that reference throughout this specification to "an embodiment of the present application" or "the foregoing embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrase "in an embodiment of the application" or "in the foregoing embodiments" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In various embodiments of the present application, the sequence number of each process does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
Without being specifically illustrated, the electronic device may perform any step in the embodiments of the present application, and the processor of the electronic device may perform the step. It is further noted that the embodiment of the present application does not limit the sequence of the following steps performed by the electronic device. In addition, the manner in which the data is processed in different embodiments may be the same method or different methods. It should be further noted that any step in the embodiments of the present application may be executed by the electronic device independently, that is, the electronic device may not depend on execution of other steps when executing any step in the embodiments described below.
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
An embodiment of the present application provides an information determining method, which may be applied to an information determining apparatus, and referring to fig. 1, the method may include the steps of:
step 101, acquiring historical operation data of an asset in a network system, first data of the asset aiming at a historical access request and second data of the asset aiming at a target access request.
In the embodiment of the application, the asset may be a network device deployed in the network system; the historical operation data may be the historical security log of that network device; the first data may be collected historical data of the network device for various service access requests; and the second data may be collected response data of the network device for specific access requests. The network device may include physical devices and virtual devices, the historical operation log may be obtained through Network Detection and Response (NDR) technology and a Web Application Firewall (WAF), and the historical security log includes data about attacks on the asset and data about the services provided by the asset.
Step 102, generating target detection information for the service based on the historical operation data, the first data and the second data.
Wherein the service is a service that the asset can provide. In one implementation, a service may refer to a service that can be provided by an open source framework, middleware, and application components, etc., corresponding to an application deployed on an asset.
In embodiments of the present application, the target detection information may be used to detect a specified service from among a plurality of services of the asset. In one implementation, the target detection information may include detection parameters required to detect the service, a specific detection mode, and a type of data that can be detected.
In the embodiment of the application, initial detection information can be determined according to the historical operation data and the first data of the asset aiming at the historical access request, and then the initial detection information is adjusted according to the second data of the asset aiming at the target access request, so that final target detection information is obtained.
In the embodiment of the application, by acquiring the historical operation data of the asset, the first data of the asset for historical access requests and the second data of the asset for the target access request, target detection information can be generated for the services provided by the open-source framework corresponding to the application, by middleware, by application components and so on. These services can then be detected using the target detection information, which markedly improves the coverage of service detection.
Step 103, obtaining target data of the asset aiming at the access request to be processed, and determining target service of the asset aiming at the access request to be processed from a target database based on the target data and the target detection information.
The access request to be processed may refer to a real-time access request for the network device, the target data may refer to response data of the asset to the access request to be processed, the target database may be a preset database, and the target database includes relevant data of various services provided by the asset. In one implementation, the relevant data for the various services may include data such as a service name, a port corresponding to the service, and a specific description of the service.
In the embodiment of the application, after the target data is acquired, the target data can be matched with each data in the target database according to the target detection information generated in advance, and the target service of the asset for the access request to be processed can be determined according to a plurality of obtained matching results.
In other embodiments of the present application, by acquiring data of each dimension of the asset, target detection information for all services provided by the asset may be generated, so that various services in various scenes may be detected using the target detection information, thereby improving accuracy and efficiency of service detection.
The information determining method provided by the embodiments of the application generates target detection information for all services provided by the asset from multiple dimensions of the asset's data, and determines the target service for a pending access request by combining that detection information with the asset's target data for the request. Because every dimension of the asset's data is considered when generating the detection information, the generated target detection information can detect different services in different scenarios rather than, as in the related art, only a specific service in a specific scenario, which solves the problem of low service-detection accuracy in the related art.
Based on the foregoing embodiments, an embodiment of the present application provides an information determining method, as shown with reference to fig. 2, which may include the steps of:
Step 201, the information determining device obtains historical operation data of an asset in a network system, first data of the asset aiming at a historical access request and second data of the asset aiming at a target access request.
In the embodiment of the present application, the system corresponding to the information determining apparatus shown in fig. 3 may include a source data unit and an auxiliary unit. The source data unit holds initial operation data, first initial data and second initial data. Specifically, the initial operation data of an asset, the first initial data of the asset for historical access requests and the second initial data of the asset for the target access request are obtained from the source data unit, and then service-related information in the initial operation data and the first initial data, such as the service name, the service version and the operating system corresponding to the service, is labelled to obtain historical operation data and first data carrying the labels.
It should be noted that, as shown in fig. 3, the system corresponding to the information determining device further includes an auxiliary unit, where the auxiliary unit includes a request response module, a flow collection module, and a log synchronization module, the flow collection module is configured to receive first initial data of an asset for a historical access request and second initial data of the asset for a target access request, and the log synchronization module is configured to receive a security log (i.e. historical operation data) of the asset.
Step 202, the information determining device generates initial detection information for the service based on the historical operation data and the first data.
In the embodiment of the application, the information determining device processes the historical operation data and the first data to obtain the detection parameters aiming at the service, determines the detection mode and the detection type aiming at the service, and then generates initial detection information by combining the detection parameters, the detection mode and the detection type. The detection parameters may refer to detection fields required for detecting the service.
It should be noted that, the asset may provide a plurality of different services through an open source framework, middleware, and application components, and then one initial detection information may be generated for each service, that is, one service corresponds to one initial detection information.
In the embodiment of the present application, step 202 may be implemented by steps 202a to 202c:
step 202a, the information determining apparatus determines a target detection parameter for the service based on the historical operation data and the first data.
In the embodiment of the application, the information determining device may process the historical operation data and the first data to obtain a plurality of feature parameters of the service and filter those feature parameters to obtain the target detection parameters. In one implementation, the feature parameters of the service may include the service name, the operating system the service runs on, the port information of the service, the middleware that provides the service, and basic information about application plug-ins and application components.
In the embodiment of the present application, step 202a may be implemented by steps 202a1 to 202a2:
step 202a1, the information determining device processes the historical operation data and the first data to obtain a plurality of different feature parameters of the service.
In the embodiment of the present application, as shown in fig. 3, the system corresponding to the information determining apparatus further includes a data processing unit, which includes a data initializing module and a data cleaning module. The data cleaning module filters abnormal data out of the data formatted by the data initializing module.
In the embodiment of the application, the historical operation data and the first data may first be converted into a specified format; the converted data is then processed to obtain the transmission data corresponding to the service, and the transmission data is further processed to obtain a plurality of different feature parameters of the service. Specifically, the information determining device may format the historical operation data and the first data through the data initializing module of the data processing unit, filter abnormal data out of the formatted data through the data cleaning module, and then process the filtered data with a data processing tool to obtain the transmission data corresponding to the service. The transmission data is the concrete data of the transport protocol the asset uses when providing the service.
In one implementation, the data processing tool may be Wireshark or another network data capture and analysis tool, and the transport protocols may include the Hypertext Transfer Protocol (HTTP) and the Transmission Control Protocol (TCP).
For example, if the transmission protocol is HTTP, the transmission data may be as follows:
    POST /Login.php HTTP/1.1\r\n                        # name of transport protocol
        Expert Info (Chat/Sequence): POST /login.php HTTP/1.1\r\n
            POST /hacker.php HTTP/1.1\r\n
            Severity level: Chat
        Request Method: POST                            # HTTP request method
        Request URI: /hacker.php
        Request Version: HTTP/1.1
    # HTTP request header (HTTP HEADER)
    User-Agent: Java/1.8.0_112\r\n
    Host: 192.168.193.129:8080\r\n
    Accept: text/html,image/gif,image/jpeg,*;q=.2,*/*;q=.2\r\n
    Connection: keep-alive\r\n
    # HTTP request body (HTTP body)
    Content-Type: application/x-www-form-urlencoded\r\n  # payload information
    Content-Length: 633\r\n
        Content length: 633
    Full request URI: http://192.168.193.129/url.php    # URL address of the request
    HTTP request 1/1
Further, taking the session identifier carried in the transmission data as a reference, the obtained transmission data is grouped by a clustering algorithm, that is, the data belonging to the same session in the transmission data is divided into one group; duplicate data in each group is de-duplicated according to the attribute information of the network data; the data in each group of transmission data is then arranged according to IP address and time sequence information, so as to obtain groups of transmission data with context association; and the resulting transmission data is processed with a data analysis tool to obtain a plurality of different characteristic parameters corresponding to different services. It should be noted that the attribute information of the network data may include a source IP address, a destination IP address, a source port number, a destination port number and the name of the transport protocol, and the data analysis tool may refer to the PyShark module in Python. In one implementation, if the protocol corresponding to the service is the hypertext transfer protocol, duplicate data in each group needs to be de-duplicated according to the attribute information of the network data, the payload information in the HTTP request header (HTTP HEADER) and the data in the HTTP request body (HTTP body) at the same time.
In the embodiment of the application, different services and the corresponding characteristic parameters can be combined into the data aiming at the different services, and a plurality of data are sent to the characteristic library in the knowledge base unit for storage.
Step 202a2, the information determining apparatus determines a target detection parameter for the service from a plurality of different feature parameters.
In the embodiment of the application, the frequency of each characteristic parameter of the service in the transmission data may be counted, the frequency of each characteristic parameter is compared with a preset threshold, and the characteristic parameters whose frequency is higher than the preset threshold are then screened out from the plurality of different characteristic parameters according to the comparison result. Specifically, a characteristic parameter whose frequency is higher than the preset threshold may be used as a final detection parameter (i.e., a target detection parameter) for the service, and a characteristic parameter whose frequency is lower than the preset threshold may be directly discarded. It should be noted that the determined target detection parameters may differ for different services.
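As an added example (not code from the patent or its authors), the following Python sketch carries out the session grouping, de-duplication and ordering of step 202a1 and then the frequency-based selection of target detection parameters of step 202a2 over constructed HTTP records; the record fields, the header names used as feature parameters and the threshold are assumptions.

```python
"""Added example (not code from the patent): group HTTP transmission records
by session, de-duplicate on the network attributes plus HTTP header and body,
order each group by IP address and time, then keep only the feature
parameters whose frequency per service exceeds a preset threshold."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Header fields treated here as candidate feature parameters of the service
# (assumption: response headers that identify the serving software).
FEATURE_HEADERS = ("Server", "X-Powered-By", "Set-Cookie")


@dataclass(frozen=True)
class Record:
    """One dissected HTTP exchange, as a data analysis tool would yield it."""
    session: str    # session identifier carried in the transmission data
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    ts: float       # time sequence information
    headers: tuple  # ((name, value), ...) of the HTTP header
    body: str       # HTTP body
    service: str    # service provided by the asset (known for historical data)


def dedup_key(r: Record) -> tuple:
    """Attribute information of the network data plus, for HTTP, the header
    payload and the body, as the HTTP de-duplication rule requires."""
    return (r.src_ip, r.dst_ip, r.src_port, r.dst_port, r.proto,
            r.headers, r.body)


def group_by_session(records):
    """Divide records of the same session into one group, drop duplicates
    within the group, and order each group by IP address and time."""
    groups = defaultdict(dict)
    for r in records:
        groups[r.session].setdefault(dedup_key(r), r)  # first copy wins
    return {s: sorted(g.values(), key=lambda r: (r.src_ip, r.ts))
            for s, g in groups.items()}


def feature_parameters(r: Record):
    """Candidate (header name, value) feature parameters of one record."""
    h = dict(r.headers)
    return {(name, h[name]) for name in FEATURE_HEADERS if name in h}


def select_detection_parameters(groups, threshold):
    """Count the frequency of each feature parameter per service and keep
    only those whose frequency exceeds the preset threshold."""
    counts = defaultdict(Counter)
    records_per_service = Counter()
    for recs in groups.values():
        for r in recs:
            records_per_service[r.service] += 1
            for f in feature_parameters(r):
                counts[r.service][f] += 1
    return {svc: sorted(f for f, n in c.items()
                        if n / records_per_service[svc] > threshold)
            for svc, c in counts.items()}


# Constructed sample input: six records, one of which is an exact duplicate.
ASSET = "192.168.193.129"
SAMPLE_RECORDS = [
    Record("s1", "10.0.0.5", ASSET, 50000, 8080, "HTTP", 1.0,
           (("Server", "Apache-Coyote/1.1"), ("Set-Cookie", "JSESSIONID=1")), "", "tomcat"),
    Record("s1", "10.0.0.5", ASSET, 50000, 8080, "HTTP", 1.5,   # retransmitted copy
           (("Server", "Apache-Coyote/1.1"), ("Set-Cookie", "JSESSIONID=1")), "", "tomcat"),
    Record("s1", "10.0.0.5", ASSET, 50001, 8080, "HTTP", 2.0,
           (("Server", "Apache-Coyote/1.1"), ("X-Powered-By", "JSP/2.3")), "", "tomcat"),
    Record("s2", "10.0.0.7", ASSET, 50100, 8080, "HTTP", 3.0,
           (("Server", "Apache-Coyote/1.1"),), "", "tomcat"),
    Record("s3", "10.0.0.9", "192.168.193.130", 50200, 80, "HTTP", 4.0,
           (("Server", "nginx/1.18.0"),), "", "nginx"),
    Record("s3", "10.0.0.9", "192.168.193.130", 50201, 80, "HTTP", 5.0,
           (("Server", "nginx/1.18.0"), ("Set-Cookie", "sid=1")), "", "nginx"),
]

if __name__ == "__main__":
    grouped = group_by_session(SAMPLE_RECORDS)
    print(select_detection_parameters(grouped, 0.5))
```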
Step 202b, the information determining apparatus determines a target detection manner and a target detection type for the service.
Wherein the target detection type characterizes the type of data that can be detected.
In the embodiment of the present application, the target detection mode may refer to a mode of matching target data with data in a target database. In one implementation, the target detection manner may include a manner of matching by regular expressions, a manner of matching by global matching, and/or a manner of matching by uniform resource locators (uniform resource locator, URLs), and the target detection types may include a character string type and a text type.
The target detection manner may also include other matching manners, which are not specifically limited here.
Step 202c, the information determining apparatus generates initial detection information based on the target detection parameter, the target detection mode and the target detection type.
In one implementation, the initial detection information may be as shown in table 1 below:
TABLE 1
The detection parameters in table 1 are the target detection parameters and include the service name, service version, service description and reference information of the service; the detection modes are the target detection modes and include three modes, regular expression, global matching and URL matching; and the detection types are the target detection types and include the character string type and the text type. It should be noted that the fields in the initial detection information may be increased or decreased for different application scenarios, that is, the specific contents of the detection parameters, the detection mode and the detection type may be increased or decreased correspondingly, and the fields in the initial detection information may also be changed according to the needs of the user.
By way of example, the specific code of the initial detection information may be as follows (a match list whose entries carry the detection mode and detection type):
[{:text=>'org.apache.struts.'},
 {:url=>'/?actionErrors=notfoundnotfound',
  :regexp=>/(Struts Problem Report|org.apache.struts2|struts.devMode|struts-tags|There is no Action mapped for namespace)/}]
# detection mode (i.e., target detection mode) and detection type (i.e., target detection type)
Step 203, the information determining device corrects the initial detection information based on the second data to obtain target detection information.
In the embodiment of the application, format conversion may first be performed on the second data to convert it into second data of the specified format, and the initial detection information is then corrected according to the second data after format conversion to obtain the target detection information. Specifically, the information determining apparatus may verify the validity of the generated plurality of pieces of initial detection information using the second data, and determine the final target detection information according to the verification result. More specifically, the second data may be processed by the data processing tool and the data analysis tool to obtain processed second data; the processed second data is then matched with the data in the feature library according to the initial detection information, and the initial detection information is adjusted according to the matching result to obtain a plurality of pieces of final target detection information. It should be noted that the processed second data may include the feature parameters of a plurality of different services, that is, when matching is performed, the information determining apparatus may match the processed second data with a plurality of different data in the feature library according to different initial detection information, so as to determine a plurality of services.
Specifically, for initial detection information with a high matching frequency and a high recognition rate, the detection parameters and the detection mode in the initial detection information may be adjusted, and the adjusted initial detection information is taken as target detection information. In one implementation, the initial detection information may be adjusted by reducing redundant wildcards in the regular expression. It should be noted that the matching frequency may refer to the ratio of the number of times a certain piece of initial detection information is used to the total number of times all initial detection information is used in the matching process; the recognition rate may refer to the ratio of the number of pieces of initial detection information by which a service can finally be detected to the number of all pieces of initial detection information used in the matching process; and a high recognition rate may refer to a recognition rate higher than 95%.
Correspondingly, initial detection information with a high matching frequency and a low recognition rate may be merged or directly deleted, initial detection information with a low matching frequency and a high recognition rate may be used directly as target detection information without modification, and initial detection information that is not used in the matching process is directly deleted.
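As an added example (not code from the patent), the following Python sketch evaluates detection entries of the kind shown in step 202c in the three target detection manners (regular expression, global text match, URL match) against constructed responses labelled with their true service, and then applies the correction rules of step 203; how matching frequency and recognition rate are computed, the thresholds and the wildcard-reduction rule are assumptions.

```python
"""Added example (not code from the patent): detection entries evaluated in
the three target detection manners, then corrected by matching frequency and
recognition rate as step 203 describes. Frequency and rate definitions, the
thresholds and the wildcard-tightening rule are assumptions."""
import re
from collections import Counter

# Initial detection information: 'text' = global match, 'url' = URL match,
# 'regexp' = regular-expression match. The Struts entry mirrors the page.
INITIAL_DETECTION_INFO = {
    "struts2": [
        {"text": "org.apache.struts."},
        {"url": "/?actionErrors=notfoundnotfound",
         "regexp": re.compile(r"(Struts Problem Report|org.apache.struts2|"
                              r"struts.devMode|struts-tags|"
                              r"There is no Action mapped for namespace)")},
    ],
    "tomcat": [
        {"regexp": re.compile(r"Apache Tomcat/.*")},   # carries a wildcard
        {"text": "Tomcat/8"},                          # never matched below
    ],
}


def entry_matches(entry, response):
    """Every field of the entry must hit. 'url' is taken to mean the response
    was obtained from that path (assumption); 'text' is a substring match;
    'regexp' is a regular-expression search over the body."""
    if "url" in entry and not response["url"].endswith(entry["url"]):
        return False
    if "text" in entry and entry["text"] not in response["body"]:
        return False
    if "regexp" in entry and not entry["regexp"].search(response["body"]):
        return False
    return True


def tighten(entry):
    """Adjust an entry by reducing extra wildcards in its regular expression:
    '.*' (anything) becomes '\\S*' (no whitespace). Illustrative assumption."""
    if "regexp" not in entry:
        return dict(entry)
    new = dict(entry)
    new["regexp"] = re.compile(entry["regexp"].pattern.replace(".*", r"\S*"))
    return new


def correct_detection_info(info, labelled, freq_threshold=0.25, rate_threshold=0.95):
    """Return (target detection info, action taken per entry).
    matching frequency = matches of this entry / matches of all entries;
    recognition rate   = matches whose true service is the entry's service
                         / matches of this entry (both are assumptions)."""
    matches, correct = Counter(), Counter()
    for svc, entries in info.items():
        for i, e in enumerate(entries):
            for resp in labelled:
                if entry_matches(e, resp):
                    matches[(svc, i)] += 1
                    correct[(svc, i)] += resp["service"] == svc
    total = sum(matches.values())
    target, actions = {}, {}
    for svc, entries in info.items():
        kept = []
        for i, e in enumerate(entries):
            n = matches[(svc, i)]
            if n == 0:                               # unused: delete
                actions[(svc, i)] = "delete-unused"
                continue
            high_freq = n / total >= freq_threshold
            high_rate = correct[(svc, i)] / n >= rate_threshold
            if high_freq and high_rate:              # adjust, then keep
                actions[(svc, i)] = "adjust"
                kept.append(tighten(e))
            elif high_rate:                          # low freq, high rate: keep
                actions[(svc, i)] = "keep"
                kept.append(e)
            else:                                    # low recognition: delete
                actions[(svc, i)] = "delete-low-recognition"
        if kept:
            target[svc] = kept
    return target, actions


# Constructed second data: asset responses with the true service known.
LABELLED_RESPONSES = [
    {"url": "http://asset/?actionErrors=notfoundnotfound",
     "body": "<h1>Struts Problem Report</h1>", "service": "struts2"},
    {"url": "http://asset/login.action",
     "body": "org.apache.struts.action.RequestProcessor", "service": "struts2"},
    {"url": "http://asset/", "body": "<title>Apache Tomcat/9.0.1</title>",
     "service": "tomcat"},
    {"url": "http://asset/", "body": "<title>Apache Tomcat/9.0.1</title>"
     "<!-- org.apache.struts.taglib -->", "service": "tomcat"},
    {"url": "http://asset/docs", "body": "org.apache.struts.chain", "service": "jboss"},
]

if __name__ == "__main__":
    print(correct_detection_info(INITIAL_DETECTION_INFO, LABELLED_RESPONSES)[1])
```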
Step 204, the information determining device obtains the target data of the asset aiming at the access request to be processed, and processes the target data to obtain the processed target data.
In this embodiment of the present application, as shown in fig. 3, the auxiliary unit may further include a request response module, and specifically, the information determining apparatus may receive response data (i.e. target data) of an asset for a request to be processed through the request response module in the auxiliary unit, then format the obtained target data through the data initializing module, then filter abnormal data in the formatted target data through the data cleaning module in the data processing unit, and then process the filtered target data through the data processing tool and the data analyzing tool, so as to obtain processed target data with different feature parameters.
Step 205, the information determining device performs matching processing on the processed target data and the data in the target database based on the target detection information.
In the embodiment of the application, as shown in fig. 3, the system corresponding to the information determining device may further include a knowledge base unit, where the knowledge base unit includes a feature library, a history research and judgment library, and a classification knowledge base, where the feature library is used to store data including various feature parameters of different services provided by different assets, the classification knowledge base is used to store service data indexed by each feature parameter of the services, and the history research and judgment library is used to analyze target data that is not matched with the data in the target database, and store analysis results.
In the embodiment of the present application, the target database may refer to a knowledge base unit in a system corresponding to the information determining device shown in fig. 3, and specifically, the information determining device may perform matching processing on the feature parameters of the processed target data and the feature parameters of the data in the feature library in the knowledge base unit (i.e., the target database) according to the target detection information by using a service matching module in the data processing unit, so as to determine, according to a matching result, a target service of the asset for the access request to be processed.
In the embodiment of the present application, step 205 may be followed by step 206 or steps 207 to 209.
Step 206, if there is first matching data matching with different characteristic parameters of the processed target data in the target database, the information determining device determines that the service corresponding to the first matching data is the target service.
In this embodiment of the present application, as shown in fig. 3, the data processing unit may further include a service matching module, specifically, the service matching module is configured to match acquired target data of an access request to be processed with data in a target database, and specifically, if it is determined by the service matching module that multiple feature parameters of the processed target data are matched with multiple feature parameters of certain data in a feature library in the target database, the data is matching data (i.e. first matching data) that is completely matched with the target data, and then a service corresponding to the first matching data may be determined as a target service. In one implementation manner, if the plurality of feature parameters of the processed target data are matched with the plurality of feature parameters of the plurality of data in the target database, the service corresponding to each matched data may be determined as the plurality of target services of the access request to be processed.
Step 207, if there is no matching data in the target database, the information determining apparatus determines the number of feature parameters that do not match each feature parameter in the target database from among the different feature parameters.
In the embodiment of the present application, if there is no matching data in the feature library in the target database, the number of feature parameters that are not matched with the feature parameters of the data in the feature library may be determined from a plurality of different feature parameters of the target data, specifically, if there is no matching data in the feature library that is matched with the plurality of feature parameters of the processed target data, that is, there is a conflict between the processed target data and the data in the feature library, at this time, the information determining apparatus may divide the target data according to different feature parameters by a data classification module in the data processing unit as shown in fig. 3, to obtain data corresponding to each feature parameter, and then determine, from the plurality of feature parameters, the feature parameters that are not matched with the feature parameters of the data in the target database, and determine the number of the unmatched feature parameters.
Step 208, the information determining apparatus determines a target value based on the number.
In the embodiment of the present application, the target value may refer to a collision coefficient, and specifically, the information determining apparatus may determine the number of target detection information used in the matching process, and then may determine the target value according to the number of unmatched feature parameters and the number of target detection information used in the matching process. It should be noted that the conflict coefficient may represent the degree of matching between the processed target data and the data in the target database.
In the embodiment of the present application, step 208 may be followed by step 209 or steps 210-211.
In step 209, if the target value is less than or equal to the target threshold, the information determining apparatus determines the first data to be matched from the target database, and determines the service corresponding to the first data to be matched as the target service.
In the embodiment of the application, after the target value is determined, the target value may be compared with the target threshold. If the target value is smaller than or equal to the target threshold (i.e., the collision coefficient is small), the information determining device may determine, from the classification knowledge base in the knowledge base unit (i.e., the target database), the data indexed by the successfully matched characteristic parameters (i.e., the first data to be matched); it may then calculate the similarity between the first data to be matched and the processed target data, keep the data whose similarity satisfies a threshold as the final first data to be matched, and finally take the service corresponding to the screened first data to be matched as the target service to be determined. It should be noted that the target threshold is set according to historical data and the actual application scenario.
In one implementation manner, if the processed target data includes three feature parameters, namely, a service version, a service port and an operating system corresponding to the service, and there is no data matched with the service version in the data of the feature library, the data with the service port and the operating system corresponding to the service as indexes can be respectively screened from the classification knowledge base in the target database as shown in fig. 3 to serve as first data to be matched, and the service corresponding to the first data to be matched serves as final target service. The data indexed by the service port not only comprises the specific data of the service port, but also comprises the specific data of the service version and the specific data of the operating system corresponding to the service, and the data indexed by the operating system corresponding to the service also comprises the specific data of the operating system corresponding to the service, and also comprises the specific data of the service version and the specific data of the service port.
Step 210, if the target value is greater than the target threshold, the information determining apparatus determines the second data to be matched from the target database based on the target value.
In the embodiment of the present application, if the target value is greater than the target threshold (i.e., the collision coefficient is greater), it is indicated that the classification knowledge base in the target database does not have the first matching data matching the target data, and at this time, the information determining apparatus may screen, according to the target value corresponding to each data in the history research and judgment base of the knowledge base unit (i.e., the target database), from the history research and judgment base, data close to the target value of the processed target data as the second data to be matched. It should be noted that the number of the second data to be matched may be plural.
Step 211, the information determining device performs matching processing on the second data to be matched and the processed target data based on the target detection information.
In the embodiment of the application, the service matching module in the data processing unit can be used for carrying out matching processing on the characteristic parameters of the processed target data and the characteristic parameters of the second data to be matched according to the target detection information, and further determining the target service aiming at the access request to be processed according to the matching result.
In an embodiment of the present application, step 211 may be followed by step 212 or step 213.
Step 212, if there is second matching data matching with different feature parameters of the processed target data in the second data to be matched, the information determining device determines that the service corresponding to the second matching data is the target service.
In the embodiment of the application, if the characteristic parameter of a certain data in the second data to be matched is matched with a different characteristic parameter of the processed target data, the information determining device determines the service corresponding to the data (i.e. the second matched data) as the target service of the asset aiming at the access request to be processed.
Step 213, if the second matching data does not exist in the second data to be matched, the information determining device processes the processed target data by adopting a target self-learning algorithm, and target characteristic information of the processed target data is obtained and stored in the target database.
In the embodiment of the application, if the second matching data which is completely matched with the characteristic parameters of the processed target data still does not exist in the second data to be matched, the information determining device performs characteristic extraction and learning on the processed target data by adopting a characteristic self-learning module in the data processing unit shown in fig. 3, namely, the characteristics of the target service are mined, so as to obtain the target characteristic information of the processed target data, and the target characteristic information is stored in a characteristic library in a target database, so that better data support is provided for subsequent service detection.
In the embodiment of the application, in the service detection process, if the service matched with the target data does not exist in the target database, the target value is calculated to carry out secondary detection on the target data, so that the accuracy of target service detection is obviously improved.
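As an added example (not code from the patent), the following Python sketch runs the matching flow of steps 205 to 213 over a constructed feature library, classification knowledge base and history research and judgment library; since the page only states that the target value is derived from the number of unmatched feature parameters and the number of target detection information used, taking their ratio, the thresholds, the similarity measure and the placeholder name for self-learned features are assumptions.

```python
"""Added example (not code from the patent): steps 205-213 of the service
matching flow. Conflict coefficient = unmatched feature parameters /
target detection information used (assumed ratio); thresholds, similarity
measure and the placeholder service name for step 213 are assumptions."""

# Feature library: characteristic parameters of services provided by assets
# (constructed sample data).
FEATURE_LIBRARY = [
    {"service": "tomcat-9", "features": {"service_version": "Apache Tomcat/9.0.1",
                                         "service_port": 8080, "os": "Linux"}},
    {"service": "nginx-1.18", "features": {"service_version": "nginx/1.18.0",
                                           "service_port": 80, "os": "Linux"}},
    {"service": "iis-10", "features": {"service_version": "Microsoft-IIS/10.0",
                                       "service_port": 80, "os": "Windows"}},
]

# History research and judgment library: previously analysed unmatched data,
# each stored with the conflict coefficient computed at the time.
HISTORY_LIBRARY = [
    {"service": "lighttpd-1.4", "value": 1.0,
     "features": {"service_version": "lighttpd/1.4.59", "service_port": 8443, "os": "BSD"}},
]


def build_classification_kb(library):
    """Classification knowledge base: service data indexed by each feature."""
    kb = {}
    for entry in library:
        for name, value in entry["features"].items():
            kb.setdefault((name, value), []).append(entry)
    return kb


def full_match(target, entry):
    """All feature parameters of the target agree with the entry."""
    return all(entry["features"].get(n) == v for n, v in target.items())


def similarity(target, entry):
    """Share of the target's feature parameters the entry agrees with."""
    return sum(entry["features"].get(n) == v for n, v in target.items()) / len(target)


def determine_target_service(target, library, history, detection_info_used,
                             target_threshold=0.5, sim_threshold=0.5):
    """target: {feature name: value} of the processed target data.
    Returns the step that decided and the target service(s)."""
    # Step 206: data whose feature parameters all match -> its service.
    services = [e["service"] for e in library if full_match(target, e)]
    if services:
        return {"step": 206, "services": services}
    # Steps 207-208: count the target's feature parameters matched by no
    # library data and derive the conflict coefficient (target value).
    kb = build_classification_kb(library)
    unmatched = [n for n, v in target.items() if (n, v) not in kb]
    value = len(unmatched) / detection_info_used
    if value <= target_threshold:
        # Step 209: data indexed by the matched features, kept if similar enough.
        candidates = {}
        for n, v in target.items():
            for e in kb.get((n, v), []):
                candidates[e["service"]] = e
        services = [s for s, e in candidates.items() if similarity(target, e) >= sim_threshold]
        return {"step": 209, "value": value, "services": services}
    # Steps 210-212: history data with a close conflict value, matched again.
    close = [h for h in history if abs(h["value"] - value) <= 0.1]
    services = [h["service"] for h in close if full_match(target, h)]
    if services:
        return {"step": 212, "value": value, "services": services}
    # Step 213 (stand-in for the self-learning algorithm): store the extracted
    # features in the feature library under a placeholder name.
    learned = {"service": f"learned-{len(library)}", "features": dict(target)}
    library.append(learned)
    return {"step": 213, "value": value, "services": [learned["service"]]}


if __name__ == "__main__":
    probe = {"service_version": "Apache Tomcat/9.0.2", "service_port": 8080, "os": "Linux"}
    print(determine_target_service(probe, list(FEATURE_LIBRARY), HISTORY_LIBRARY, 3))
```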
In other embodiments of the present application, step 213 may be followed by the following steps:
step 214, the information determining apparatus predicts target access data of the asset using a target time series model based on the target data.
In the embodiment of the application, the target time series model may be used to predict the access data of the asset in a future period of time (i.e., the target access data). The target access data may be data generated after a target access operation is performed on the asset, and may include the number of accesses to the asset, the login data of the user corresponding to the target access operation, and the address of the terminal corresponding to the target access operation. In one implementation, the target time series model may be referred to as Auto-Regression moving average (Auto-Regression and
In the embodiment of the application, the initial time sequence model can be trained to obtain the target time sequence model, then the information determining equipment can input target data into the target time sequence model, and the target time sequence model can obtain target access data of the asset after processing the target data of the real-time access request of the asset.
In the embodiment of the present application, as shown in fig. 4, the target time series model may be obtained by A1 to A4:
A1, threat intelligence data and Security Information and Event Management (SIEM) logs of the asset are acquired. The SIEM logs may be collected by a SIEM system. Threat intelligence data may refer to information about potential or ongoing threats to the asset. It should be noted that the information determining apparatus may also acquire security information about the asset from other information sources and channels.
In one implementation, threat intelligence data for an asset may be as shown in Table 2 below:
TABLE 2
It should be noted that the threat intelligence data shown in table 2 may include a number, an IP address, an IP home location, reverse-lookup domain name information, a tag, intelligence data and the specific data of the request parameters, where the number may refer to the number of a threat event, the IP address may refer to the IP address initiating the threat event, the IP home location may refer to the specific home location of the IP address corresponding to the threat event, the reverse-lookup domain name information may refer to the domain name information of the physical device corresponding to the threat event, the tag may refer to the type of the threat event, the intelligence data may refer to data such as the time at which the threat event occurred, and the request data may refer to the information of the request message sent to the asset.
In one implementation, the SIEM log of an asset may be as shown in table 3 below:
TABLE 3
Note that the SIEM log shown in table 3 contains data about the attack event for the asset. The number may refer to the number of the attack event, the attack time may refer to the occurrence time of the attack event, the attack source may refer to the IP address from which the attack event is initiated, the attacked domain name may refer to the domain name information of the asset attacked by the attack event, the attack type may refer to the type of the attack event, the URL may refer to the website corresponding to the attack event, the request parameter may refer to the region where the IP address corresponding to the attack event is located, the risk level may refer to the severity of the attack event, and the processing action may refer to the processing mode of the asset on the attack event.
A2, processing the historical operation data to obtain an access list of the asset, wherein in one implementation manner, the access list of the asset can be shown in the following table 4:
Location   Application name   Data classification   Description of sensitive information   Sensitivity level   IP address of terminal
**         ****               A2-1                  User access password                   Level 4             172.26.110.44
**         ****               A1-5                  User address                           Level 4             172.26.110.44
**         ****               A1-2                  User's mobile phone number, mailbox    Level 2             172.26.110.44
**         ****               C1-4                  Position data                          Level 3             172.26.110.44
TABLE 4
The access list of the asset shown in table 4 may refer to access data when performing an access operation on the asset, where the access list may include a location of the asset, a name of an application to be accessed, a type of the access data (data classification), access information (related information description) corresponding to the access data, importance level (sensitivity level) of the access data, and an IP address of a terminal corresponding to the access operation.
A3, carrying out data formatting on the access list, the SIEM log and the threat information data to obtain formatted data in a unified format, and carrying out clustering operation and association operation on the formatted data to associate the formatted data according to time sequence information of the data to obtain sample data.
The sample data is data for training the initial time sequence estimation model, and specifically, the sample data may include the number of accesses to the asset in a past period of time, login data of a user performing an access operation to the asset, and an address of a terminal corresponding to the access operation.
A4, the initial time series model is trained with the sample data to obtain the target time series model.
In the embodiment of the application, historical data in a preset database may be obtained and preprocessed to obtain processed data meeting the requirement of a preset format. The processed data is then checked for sequence stationarity. If the processed data is stationary, the expected initial time series model is built by combining the autocorrelation function, the partial autocorrelation function, the Akaike information criterion (AIC) and the Bayesian information criterion (BIC). If the processed data is not stationary, a differencing operation is performed on it; if the data obtained after the operation is stationary, the initial time series model can be built directly through the autocorrelation function, the partial autocorrelation function, the AIC criterion and the BIC criterion, and if the differenced data is still not stationary, the differencing operation needs to be continued until stationary data is obtained, after which the model can be built from the stationary data. The initial time series model can then be trained with the sample data to obtain the target time series model.
Step 215, the information determining apparatus generates a risk access policy for the asset for the pending access request based on the target access data.
In the embodiment of the present application, after determining the target access data of the asset, the information determining device as shown in fig. 4 may generate an initial risk access policy for the pending access request, and then may adjust the initial risk access policy according to the existing historical access policy to obtain a final risk access policy. In one implementation, the initial risk access policy may also be adjusted simultaneously in combination with the expertise of the expert.
Step 216, the information determining device determines a risk assessment result of the asset for the pending access request based on the risk access policy, the target access data and different feature parameters of the target service.
In the embodiment of the present application, as shown in fig. 5, the information determining device may determine, according to the target risk library, the target access data, and multiple different feature parameters of the target service, a target risk value of the to-be-processed access request, then determine a target trust degree of the to-be-processed access request, and then determine a final risk assessment result by combining the target risk value, the target trust degree, and the generated risk access policy.
In the embodiment of the present application, step 216 may be implemented by steps 216a to 216 c:
Step 216a, the information determining device determines a target risk value of the pending access request based on the target access data, different feature parameters of the target service and the target risk library.
In the embodiment of the application, the information determining device may determine, according to the target access data and the target risk library, a first risk value of the user corresponding to the target access operation and a second risk value of the terminal corresponding to the target access operation, and then may determine, according to different feature parameters of the target service and the target risk library, a third risk value of the target service, and finally may multiply the first risk value, the second risk value and the third risk value with corresponding weights, respectively, to obtain a final target risk value of the access request to be processed. It should be noted that the target risk library is preset according to an actual application scenario, and the weight may be set according to historical data and the actual application scenario.
Step 216b, the information determining device determines the target trust level of the pending access request.
The target trust level may refer to a trust level of an asset to process an access request.
In the embodiment of the application, the information determining device can determine the target trust degree of the asset for the to-be-processed access request from the target information base. It should be noted that the target information base is preset according to an actual application scenario.
Step 216c, the information determining device determines a risk assessment result of the asset for the to-be-processed access request based on the risk access policy, the target risk value and the target trust level.
In the embodiment of the application, the information determining device can determine the risk assessment result of the asset for the access request to be processed by combining the generated risk access strategy, the target risk value of the access request to be processed and the target trust degree of the access request to be processed.
The information determining method provided by the embodiment of the application can generate target detection information for all services provided by the asset according to data of a plurality of dimensions of the asset, and can combine the target detection information with the target data of the asset for the access request to be processed when determining the target service of the asset for that access request. Thus, the data of each dimension of the asset is taken into account when the target detection information for the service is generated, so that the generated target detection information can detect different services in different scenarios instead of only detecting a specific service in a specific scenario as in the related art, which solves the problem of low accuracy in service detection in the related art.
Based on the foregoing embodiments, an embodiment of the present application provides an information determining apparatus, which may be applied to the information determining method provided in the embodiment corresponding to fig. 1 to 2, and referring to fig. 6, the information determining apparatus 3 may include an obtaining unit 31, a processing unit 32, and a determining unit 33, where:
an acquiring unit 31 for acquiring historical operation data of an asset in a network system, first data of the asset for a historical access request, and second data of the asset for a target access request;
a processing unit 32 for generating target detection information for a service based on the historical operating data, the first data and the second data, wherein the service is a service provided by an asset;
a determining unit 33, configured to obtain target data of the asset for the pending access request, and determine a target service of the asset for the pending access request from a target database based on the target data and the target detection information.
In other embodiments of the application, the processing unit 32 is further configured to perform the steps of:
generating initial detection information for the service based on the historical operating data and the first data;
And correcting the initial detection information based on the second data to obtain target detection information.
In other embodiments of the application, the processing unit 32 is further configured to perform the steps of:
determining a target detection parameter for the service based on the historical operational data and the first data;
determining a target detection mode and a target detection type for the service, wherein the target detection type characterizes the type of data which can be detected;
Based on the target detection parameters, the target detection mode and the target detection type, initial detection information is generated.
In other embodiments of the application, the processing unit 32 is further configured to perform the steps of:
processing the historical operation data and the first data to obtain a plurality of different characteristic parameters of the service;
Target detection parameters for the service are determined from a plurality of different characteristic parameters.
In other embodiments of the application, the determining unit 33 is further configured to perform the following steps:
Processing the target data to obtain processed target data;
Based on the target detection information, matching the processed target data with the data in the target database;
If first matching data which are matched with different characteristic parameters of the processed target data exist in the target database, determining that the service corresponding to the first matching data is the target service.
In other embodiments of the application, the determining unit 33 is further configured to perform the following steps:
If no matching data exist in the target database, determining, among the different characteristic parameters, the number of characteristic parameters that do not match the characteristic parameters of each data item in the target database;
Determining a target value based on the quantity;
If the target value is smaller than or equal to the target threshold value, determining first data to be matched from the target database, and determining the service corresponding to the first data to be matched as target service.
In other embodiments of the application, the determining unit 33 is further configured to perform the following steps:
if the target value is greater than the target threshold, determining second data to be matched from the target database based on the target value;
based on the target detection information, carrying out matching processing on the second data to be matched and the processed target data;
if second matching data matched with different characteristic parameters exist in the second data to be matched, determining that the service corresponding to the second matching data is the target service;
and if the second matching data does not exist in the second data to be matched, processing the processed target data by adopting a target self-learning algorithm to obtain target characteristic information of the processed target data, and storing the target characteristic information into a target database.
In other embodiments of the application, the determining unit 33 is further configured to perform the following steps:
Predicting target access data of the asset by adopting a target time sequence model based on the target data;
generating a risk access policy of the asset for the access request to be processed based on the target access data;
And determining a risk assessment result of the asset for the pending access request based on the risk access policy, the target access data and different characteristic parameters of the target service.
In other embodiments of the application, the determining unit 33 is further configured to perform the following steps:
determining a target risk value of the access request to be processed based on the target access data, different characteristic parameters of the target service and the target risk library;
Determining the target trust degree of the access request to be processed;
and determining a risk assessment result of the asset for the access request to be processed based on the risk access policy, the target risk value and the target trust level.
It should be noted that, for a specific description of the steps executed by each unit, reference may be made to the information determining method provided in the embodiment corresponding to fig. 1 to 2, which is not repeated here.
The information determining device provided by the embodiment of the application generates the target detection information for all the services provided by the asset from data of the asset in a plurality of dimensions, and determines the target service of the asset for the to-be-processed access request by combining the target detection information with the target data of the asset for that request. Because data of every dimension of the asset is taken into account when the target detection information for the service is generated, the generated target detection information can detect different services in different scenarios, instead of only detecting a specific service in a specific scenario as in the related art, which solves the problem of low service detection accuracy in the related art.
Based on the foregoing embodiments, an embodiment of the present application provides an information determining apparatus, which may be applied to the information determining method provided in the corresponding embodiment of fig. 1 to 2, and referring to fig. 7, the information determining apparatus 4 may include a processor 41, a memory 42, and a communication bus 43, where:
a communication bus 43 for enabling a communication connection between the processor 41 and the memory 42;
the processor 41 is configured to execute the information determining program in the memory 42 to implement the steps of:
Acquiring historical operation data of an asset in a network system, first data of the asset for a historical access request and second data of the asset for a target access request;
Generating target detection information for a service based on the historical operating data, the first data and the second data, wherein the service is a service provided by the asset;
And acquiring target data of the asset for the access request to be processed, and determining a target service of the asset for the access request to be processed from a target database based on the target data and the target detection information.
In other embodiments of the present application, when executing the information determining program in the memory 42 to generate the target detection information for the service based on the historical operating data, the first data and the second data, the processor 41 is configured to implement the following steps:
generating initial detection information for the service based on the historical operating data and the first data;
And correcting the initial detection information based on the second data to obtain target detection information.
In other embodiments of the present application, when executing the information determining program in the memory 42 to generate the initial detection information for the service based on the historical operating data and the first data, the processor 41 is configured to implement the following steps:
determining a target detection parameter for the service based on the historical operational data and the first data;
determining a target detection mode and a target detection type for the service, wherein the target detection type characterizes the type of data which can be detected;
Based on the target detection parameters, the target detection mode and the target detection type, initial detection information is generated.
In other embodiments of the present application, when executing the information determining program in the memory 42 to determine the target detection parameters for the service based on the historical operating data and the first data, the processor 41 is configured to implement the following steps:
processing the historical operation data and the first data to obtain a plurality of different characteristic parameters of the service;
Target detection parameters for the service are determined from a plurality of different characteristic parameters.
In other embodiments of the present application, the processor 41 is configured to execute the information determining program in the memory 42 to determine a target service of the asset for the pending access request from the target database based on the target data and the target detection information, so as to implement the following steps:
Processing the target data to obtain processed target data;
Based on the target detection information, matching the processed target data with the data in the target database;
If first matching data which are matched with different characteristic parameters of the processed target data exist in the target database, determining that the service corresponding to the first matching data is the target service.
In other embodiments of the present application, the processor 41 is configured to execute the information determining program in the memory 42 to implement the following steps:
If no matching data exist in the target database, determining, among the different characteristic parameters, the number of characteristic parameters that do not match the characteristic parameters of each data item in the target database;
Determining a target value based on the quantity;
If the target value is smaller than or equal to the target threshold value, determining first data to be matched from the target database, and determining the service corresponding to the first data to be matched as target service.
In other embodiments of the present application, the processor 41 is configured to execute the information determining program in the memory 42 to implement the following steps:
if the target value is greater than the target threshold, determining second data to be matched from the target database based on the target value;
based on the target detection information, carrying out matching processing on the second data to be matched and the processed target data;
if second matching data matched with different characteristic parameters exist in the second data to be matched, determining that the service corresponding to the second matching data is the target service;
and if the second matching data does not exist in the second data to be matched, processing the processed target data by adopting a target self-learning algorithm to obtain target characteristic information of the processed target data, and storing the target characteristic information into a target database.
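The matching procedure set out in the unit embodiment and repeated in the processor embodiment above (exact match on all characteristic parameters, a threshold on the number of unmatched parameters, a second pass over the closest records, and a self-learning fallback that stores the processed data) can be illustrated with the following added example. It is not code from the patent or from the applicant: the feature parameter names, the sample records and requests, the derivation of the "target value" as the smallest count of unmatched parameters, and the use of a subset of key parameters as the "target detection information" for the second matching pass are all assumptions made for illustration.

```python
"""Service matching modelled on the patent's description (added example, not the
patent's own code). Record layout, parameter names, the target-value rule and the
key-parameter second pass are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Characteristic parameters of a service (assumed set; the patent leaves them abstract).
FEATURE_PARAMS = ("port", "protocol", "banner_prefix", "tls")

# "Target detection information": here only the parameters that must agree in the
# second matching pass (assumption).
DETECTION_INFO = {"key_params": ("port", "protocol")}


@dataclass
class ServiceRecord:
    service: str
    features: Dict[str, object]


@dataclass
class MatchResult:
    service: Optional[str]
    status: str        # "exact" | "near" | "partial" | "learned"
    target_value: int  # number of unmatched characteristic parameters


def normalize(raw: Dict[str, object]) -> Dict[str, object]:
    """'Processing the target data to obtain processed target data': coerce types
    and case so that comparison against the database is stable."""
    out: Dict[str, object] = {}
    for key in FEATURE_PARAMS:
        value = raw.get(key)
        if key == "port" and value is not None:
            value = int(value)
        elif key == "tls":
            value = value.strip().lower() == "true" if isinstance(value, str) else bool(value)
        elif isinstance(value, str):
            value = value.strip().lower()
        out[key] = value
    return out


def unmatched_count(feats: Dict[str, object], record: ServiceRecord, params=FEATURE_PARAMS) -> int:
    """Number of parameters in `params` on which the request and the record disagree."""
    return sum(1 for p in params if feats.get(p) != record.features.get(p))


def match_service(raw: Dict[str, object], db: List[ServiceRecord], threshold: int = 1) -> MatchResult:
    feats = normalize(raw)
    # Pass 1: "first matching data" agrees on every characteristic parameter.
    for rec in db:
        if unmatched_count(feats, rec) == 0:
            return MatchResult(rec.service, "exact", 0)
    target_value = len(FEATURE_PARAMS)
    if db:
        # No matching data: count unmatched parameters per record; the target value
        # is the smallest such count (assumption).
        scored = sorted(((unmatched_count(feats, rec), rec) for rec in db), key=lambda t: t[0])
        target_value = scored[0][0]
        if target_value <= threshold:
            # "First data to be matched": the closest record.
            return MatchResult(scored[0][1].service, "near", target_value)
        # Target value above threshold: "second data to be matched" are the records at
        # that distance, re-checked on the key parameters only.
        for dist, rec in scored:
            if dist == target_value and unmatched_count(feats, rec, DETECTION_INFO["key_params"]) == 0:
                return MatchResult(rec.service, "partial", target_value)
    # Nothing matched: the "self-learning" branch stores the processed data as a new record.
    db.append(ServiceRecord(f"learned-{len(db)}", feats))
    return MatchResult(None, "learned", target_value)


def build_sample_db() -> List[ServiceRecord]:
    # Constructed sample records, not data from the patent.
    return [
        ServiceRecord("http", {"port": 80, "protocol": "tcp", "banner_prefix": "http/1.1", "tls": False}),
        ServiceRecord("https", {"port": 443, "protocol": "tcp", "banner_prefix": "http/1.1", "tls": True}),
        ServiceRecord("ssh", {"port": 22, "protocol": "tcp", "banner_prefix": "ssh-2.0", "tls": False}),
    ]


# Constructed "target data" for four access requests to be processed.
SAMPLE_REQUESTS = [
    {"port": "443", "protocol": "TCP", "banner_prefix": "HTTP/1.1", "tls": "true"},  # exact after normalising
    {"port": 22, "protocol": "tcp", "banner_prefix": "SSH-2.0", "tls": True},         # one parameter off
    {"port": 80, "protocol": "tcp", "banner_prefix": "nginx", "tls": True},           # two off, key params agree
    {"port": 5432, "protocol": "tcp", "banner_prefix": "postgres", "tls": False},     # unknown service
]


def demo() -> List[Tuple[Optional[str], str, int]]:
    db = build_sample_db()
    results = [match_service(req, db) for req in SAMPLE_REQUESTS]
    # Re-submit the last request: it now hits the self-learned record exactly.
    results.append(match_service(SAMPLE_REQUESTS[-1], db))
    return [(r.service, r.status, r.target_value) for r in results]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the module prints one (service, status, target value) tuple per request, with the re-submitted unknown service resolving exactly against the record the self-learning branch wrote. That branch is the one a defender should watch: whatever fails every pass is written into the target database as a new service record, so a record created from a single unusual request should be reviewed before it is treated as a trusted fingerprint.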
In other embodiments of the present application, the processor 41 is configured to execute the information determining program in the memory 42 to implement the following steps:
Predicting target access data of the asset by adopting a target time sequence model based on the target data;
generating a risk access policy of the asset for the access request to be processed based on the target access data;
And determining a risk assessment result of the asset for the pending access request based on the risk access policy, the target access data and different characteristic parameters of the target service.
In other embodiments of the present application, the processor 41 is configured to execute the information determining program in the memory 42 to implement the following steps:
determining a target risk value of the access request to be processed based on the target access data, different characteristic parameters of the target service and the target risk library;
Determining the target trust degree of the access request to be processed;
and determining a risk assessment result of the asset for the access request to be processed based on the risk access policy, the target risk value and the target trust level.
It should be noted that, for a specific description of the steps executed by the processor, reference may be made to the information determining method provided in the embodiment corresponding to fig. 1 to 2, which is not repeated here.
The information determining device provided by the embodiment of the application generates the target detection information for all the services provided by the asset from data of the asset in a plurality of dimensions, and determines the target service of the asset for the access request to be processed by combining the target detection information with the target data of the asset for that request. Because data of every dimension of the asset is taken into account when the target detection information for the service is generated, the generated target detection information can detect different services in different scenarios, instead of only detecting a specific service in a specific scenario as in the related art, which solves the problem of low service detection accuracy in the related art.
Based on the foregoing embodiments, embodiments of the present application provide a computer-readable storage medium storing one or more programs executable by one or more processors to implement the steps of the information determining method provided by the corresponding embodiments of fig. 1-2.
Based on the foregoing embodiments, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor 41, implements the steps of the information determining method provided by the corresponding embodiments of fig. 1-2.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely an illustrative embodiment of the present application, and the scope of the present application is not limited thereto; variations or substitutions that any person skilled in the art could readily conceive within the technical scope disclosed by the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application is subject to the protection scope of the claims.

Claims (13)

1. An information determining method, the method comprising:
acquiring historical operation data of an asset in a network system, first data of the asset for a historical access request and second data of the asset for a target access request;
generating target detection information for a service based on the historical operating data, the first data and the second data, wherein the service is provided by the asset;
And acquiring target data of the asset for the to-be-processed access request, and determining a target service of the asset for the to-be-processed access request from a target database based on the target data and the target detection information.
2. The method of claim 1, wherein the generating target detection information for a service based on the historical operating data, the first data, and the second data comprises:
Generating initial detection information for the service based on the historical operating data and the first data;
And correcting the initial detection information based on the second data to obtain the target detection information.
3. The method of claim 2, wherein the generating initial detection information for the service based on the historical operating data and the first data comprises:
determining a target detection parameter for the service based on the historical operational data and the first data;
determining a target detection mode and a target detection type for the service, wherein the target detection type represents the type of data which can be detected;
And generating the initial detection information based on the target detection parameters, the target detection mode and the target detection type.
4. A method according to claim 3, wherein said determining target detection parameters for said service based on said historical operating data and said first data comprises:
Processing the historical operation data and the first data to obtain a plurality of different characteristic parameters of the service;
a target detection parameter for the service is determined from the plurality of different feature parameters.
5. The method of claim 1, wherein the determining a target service of the asset for the pending access request from a target database based on the target data and the target detection information comprises:
Processing the target data to obtain processed target data;
based on the target detection information, matching the processed target data with the data in the target database;
and if first matching data which are matched with different characteristic parameters of the processed target data exist in the target database, determining that the service corresponding to the first matching data is the target service.
6. The method of claim 5, wherein the method further comprises:
If no matching data exist in the target database, determining, among the different characteristic parameters, the number of characteristic parameters that do not match the characteristic parameters of the data in the target database;
determining a target value based on the number;
And if the target value is smaller than or equal to a target threshold value, determining first data to be matched from the target database, and determining that the service corresponding to the first data to be matched is the target service.
7. The method of claim 6, wherein the method further comprises:
if the target value is larger than the target threshold value, determining second data to be matched from the target database based on the target value;
based on the target detection information, carrying out matching processing on the second data to be matched and the processed target data;
if second matching data matched with the different characteristic parameters exist in the second data to be matched, determining that the service corresponding to the second matching data is the target service;
And if the second matching data does not exist in the second data to be matched, processing the processed target data by adopting a target self-learning algorithm to obtain target characteristic information of the processed target data, and storing the target characteristic information into the target database.
8. The method according to claim 1, wherein the method further comprises:
predicting target access data of the asset using a target time series model based on the target data;
generating a risk access policy of the asset for the pending access request based on the target access data;
And determining a risk assessment result of the asset for the pending access request based on the risk access policy, the target access data and different characteristic parameters of the target service.
9. The method of claim 8, wherein the determining a risk assessment result for the asset for the pending access request based on the risk access policy, the target access data, and different characteristic parameters of the target service comprises:
Determining a target risk value of the pending access request based on the target access data, different characteristic parameters of the target service and a target risk library;
Determining the target trust degree of the pending access request;
and determining a risk assessment result of the asset for the pending access request based on the risk access policy, the target risk value and the target trust level.
10. An information determining apparatus, characterized in that the apparatus comprises:
The acquisition unit is used for acquiring historical operation data of an asset in a network system, first data of the asset for a historical access request and second data of the asset for a target access request;
A processing unit configured to generate target detection information for a service based on the historical operating data, the first data, and the second data, wherein the service is a service provided by the asset;
and the determining unit is used for acquiring target data of the asset for the access request to be processed and determining a target service of the asset for the access request to be processed from a target database based on the target data and the target detection information.
11. An information determining apparatus, characterized in that the apparatus comprises a processor, a memory and a communication bus;
the communication bus is used for realizing communication connection between the processor and the memory;
the processor is configured to execute the information determining program in the memory, so as to implement the steps of the information determining method according to any one of claims 1 to 9.
12. A computer-readable storage medium storing one or more programs executable by one or more processors to implement the steps of the information determination method of any one of claims 1-9.
13. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the information determination method according to any of claims 1-9.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202411066885.5A | 2024-08-05 | 2024-08-05 | Information determination method, apparatus, device, computer storage medium and computer program product (CN119232619A, en)


Publications (1)

Publication Number | Publication Date
CN119232619A (en) | 2024-12-31

Family

ID=93946146

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202411066885.5A | Information determination method, apparatus, device, computer storage medium and computer program product (CN119232619A, en) | 2024-08-05 | 2024-08-05 | Pending

Country Status (1)

Country | Link
CN (1) | CN119232619A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination