CN111539644B - Network asset risk control method and device - Google Patents
- Publication number: CN111539644B (application CN202010360291.0A)
- Authority: CN (China)
- Prior art keywords
- asset
- time period
- current time
- threat
- network
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0635—Risk analysis of enterprise or organisation activities
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0639—Performance analysis of employees; Performance analysis of enterprise or organisation operations
- G06Q10/06393—Score-carding, benchmarking or key performance indicator [KPI] analysis
Landscapes
- Business, Economics & Management (AREA)
- Human Resources & Organizations (AREA)
- Engineering & Computer Science (AREA)
- Strategic Management (AREA)
- Entrepreneurship & Innovation (AREA)
- Economics (AREA)
- Development Economics (AREA)
- Educational Administration (AREA)
- Operations Research (AREA)
- Marketing (AREA)
- Game Theory and Decision Science (AREA)
- Quality & Reliability (AREA)
- Tourism & Hospitality (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network asset risk control method and device, which address the low scoring accuracy of existing network asset risk control methods and the resulting loss of risk control efficiency for a network asset. The network asset risk control method comprises the following steps: acquiring network asset related data, where the data at least comprise a network asset identifier; when the network asset identifier is found in a preset network asset blocking information list, acquiring from that list the preset threshold corresponding to the identifier; determining a risk score for the network asset for the current time period based on the data; and blocking the network asset when its risk score is greater than or equal to the preset threshold.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for controlling risk of a network asset.
Background
As network attacks occur more frequently, the volume of attack events grows massively. Faced with this volume, it becomes important to rapidly distinguish, from the current network conditions, which network assets are at high risk, so that those assets can be responded to quickly and the risk reduced.
Existing network asset risk control methods calculate a risk value for each vulnerability of a network asset and score the asset's risk from those values, or score it from the number of times the asset has currently been attacked and from the network attack events. However, scoring a network asset only from its vulnerabilities or only from its attack events yields low scoring accuracy, which in turn lowers the risk control efficiency for the asset.
Disclosure of Invention
To address the low scoring accuracy of existing network asset risk control methods and the resulting loss of risk control efficiency, embodiments of the invention provide a network asset risk control method and device.
In a first aspect, an embodiment of the present invention provides a method for controlling risk of a network asset, including:
acquiring network asset related data, where the data at least comprise a network asset identifier, the attack events of the network asset in the current time period, the attack result corresponding to each attack event, the asset attacked state of the network asset in the current time period, the number of attack-source Internet Protocol (IP) addresses of the network asset in the current time period, the number of attack-source IP addresses of the network asset in the first N time periods before the current time period, and the vulnerabilities of the network asset in the current time period;
when the network asset identifier is found in a preset network asset blocking information list, acquiring from that list the preset threshold corresponding to the network asset identifier;
determining a risk score for the network asset for the current time period based on the data;
and blocking the network asset when the risk score of the network asset is greater than or equal to the preset threshold.
In the network asset risk control method provided by the embodiment of the invention, a big data security analytics (BSA) platform acquires network asset related data, where the data at least comprise: the network asset identifier, the attack events of the network asset in the current time period and the attack result corresponding to each attack event, the asset attacked state of the network asset in the current time period, the number of attack-source Internet Protocol (IP) addresses of the network asset in the current time period, the number of attack-source IP addresses of the network asset in the first N time periods before the current time period, and the vulnerabilities of the network asset in the current time period. If the network asset identifier is found in a preset network asset blocking information list, the preset threshold corresponding to that identifier is obtained from the list, a risk score of the network asset for the current time period is determined from the data, and the network asset is blocked when its risk score is determined to be greater than or equal to the preset threshold. Because the risk score combines the attack events of the current time period and their results, the current attacked state of the asset, the attack-source IP addresses seen in the current and the preceding N time periods, and the vulnerabilities of the asset, rather than relying on the vulnerabilities or the attack events alone, the risk of the network asset in the current time period can be evaluated more accurately, and the risk control efficiency of the network asset is improved.
Optionally, the method further comprises:
acquiring a blocking-removing mode corresponding to the network asset identifier from the network asset blocking information list;
and unblocking the network asset according to the unblocking mode.
Preferably, the unblocking mode includes a timed unblocking mode;
unblocking the network asset according to the unblocking mode specifically includes:
when the unblocking mode is determined to be the timed unblocking mode, acquiring the preset duration corresponding to the network asset identifier from the network asset blocking information list;
and unblocking the network asset according to the preset duration.
Preferably, unblocking the network asset according to the preset duration specifically includes:
acquiring a first risk score of the network asset in a specified time period, where the specified time period lies after a first time, at which the network asset was blocked, and before a second time, at which the preset duration is reached;
unblocking the network asset when the first risk score is determined to be less than the preset threshold;
and when the first risk score is determined to be greater than or equal to the preset threshold, unblocking the network asset once the second time corresponding to the preset duration is reached.
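The lookup, compare, block and timed-unblock steps above form a small per-asset state machine. The following is an added example written for this page, not code from the patent or from any BSA product. It assumes a blocking information list keyed by asset identifier that holds a threshold, an unblocking mode and a preset duration (the patent names these fields but not their encoding), and it takes the per-period risk score as an input, since the scoring itself is described separately.

```python
"""Blocking and timed-unblocking decision logic for one network asset.

Added example (not the patent's code). Assumptions: the blocking information
list is a dict keyed by asset identifier; durations are counted in time
periods; the risk score for each period is supplied by the caller.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BlockRule:
    threshold: float        # preset threshold for this asset identifier
    unblock_mode: str       # "timed" is the only mode the patent details
    duration: int           # preset duration, counted in time periods


@dataclass
class BlockState:
    blocked_at: int         # "first time": period in which the block was applied
    expires_at: int         # "second time": blocked_at + preset duration


class AssetRiskController:
    """Applies the lookup -> compare -> block -> unblock steps period by period."""

    def __init__(self, block_list: Dict[str, BlockRule]) -> None:
        self.block_list = block_list
        self.blocked: Dict[str, BlockState] = {}

    def is_blocked(self, asset_id: str) -> bool:
        return asset_id in self.blocked

    def evaluate(self, asset_id: str, period: int, risk_score: float) -> str:
        """Return the decision taken for this asset in this period."""
        rule = self.block_list.get(asset_id)
        if rule is None:
            # Identifier not in the blocking information list: nothing to do.
            return "not_listed"

        state = self.blocked.get(asset_id)
        if state is None:
            if risk_score >= rule.threshold:
                self.blocked[asset_id] = BlockState(period, period + rule.duration)
                return "blocked"
            return "below_threshold"

        if rule.unblock_mode != "timed":
            return "stays_blocked"  # other unblocking modes are not specified

        # Timed mode, case 1: a score measured strictly between the first and
        # second time has dropped below the threshold -> unblock early.
        if state.blocked_at < period < state.expires_at and risk_score < rule.threshold:
            del self.blocked[asset_id]
            return "unblocked_early"
        # Timed mode, case 2: the preset duration has elapsed -> unblock
        # regardless of the current score (it may be re-blocked next period).
        if period >= state.expires_at:
            del self.blocked[asset_id]
            return "unblocked_expired"
        return "stays_blocked"


def run_scenario(controller: AssetRiskController,
                 observations: List[Tuple[str, int, float]]) -> List[str]:
    """Feed (asset_id, period, risk_score) observations in order; return decisions."""
    return [controller.evaluate(a, p, s) for a, p, s in observations]


# Constructed sample: one listed asset with threshold 80 and a 3-period block.
SAMPLE_RULES = {"asset-1": BlockRule(threshold=80.0, unblock_mode="timed", duration=3)}
SAMPLE_OBSERVATIONS = [
    ("asset-1", 0, 85.0),   # blocked, expires at period 3
    ("asset-1", 1, 90.0),   # still above threshold
    ("asset-1", 2, 40.0),   # dropped below threshold before expiry -> early unblock
    ("asset-1", 3, 85.0),   # re-blocked, expires at period 6
    ("asset-1", 4, 90.0),
    ("asset-1", 5, 90.0),
    ("asset-1", 6, 90.0),   # duration reached -> unblocked although still high
    ("asset-1", 7, 90.0),   # immediately blocked again
    ("asset-9", 7, 99.0),   # not in the blocking list -> no action
]

if __name__ == "__main__":
    ctl = AssetRiskController(SAMPLE_RULES)
    for obs, decision in zip(SAMPLE_OBSERVATIONS, run_scenario(ctl, SAMPLE_OBSERVATIONS)):
        print(obs, "->", decision)
```

The sample trace shows the caveat a practitioner should expect from the timed mode as described: at period 6 the asset is released because the preset duration has elapsed, even though its score is still above the threshold, and it is blocked again at the next evaluation. An asset under sustained attack therefore oscillates between blocked and unblocked once per duration, so the duration and the evaluation interval should be chosen together.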
Preferably, determining a risk score of the network asset in the current time period according to the data specifically includes:
determining an asset cycle threat index of the network asset for a current time period, the asset cycle threat index characterizing a degree of threat of the network asset within the current time period;
determining an asset threat index of the network asset according to the asset cycle threat index of the network asset and the asset cycle threat indexes of the network asset in the first N time periods of the current time period, wherein the asset threat index represents the threat degree of the network asset up to the current time period;
determining an asset vulnerability index of the network asset for the current time period, the asset vulnerability index characterizing a vulnerability level of the network asset;
and determining a risk score of the network asset in the current time period according to the asset threat index and the asset vulnerability index.
In the above preferred embodiment, the big data security analytics platform first determines the asset cycle threat index of the network asset for the current time period, which characterizes the degree of threat to the network asset within that period. It then determines the asset threat index of the network asset from the asset cycle threat index of the current time period together with the asset cycle threat indexes of the previous N time periods; the asset threat index characterizes the degree of threat to the network asset up to and including the current time period. It further determines the asset vulnerability index of the network asset for the current time period, which characterizes the vulnerability level of the network asset, and finally determines the risk score of the network asset for the current time period from the asset threat index and the asset vulnerability index. Because the asset threat index is derived from both the current and the historical cycle threat indexes, an asset that was heavily attacked in earlier periods retains an elevated threat index even if no attack is detected in the current period, so the risk score is not evaluated from the threat of the current period alone and is therefore more accurate.
Preferably, determining an asset cycle threat index of the network asset in the current time period specifically includes:
determining an asset threat severity, an asset under-attack status score, and an asset threat surface for the network asset for the current time period;
and determining the asset cycle threat index of the network asset for the current time period according to the asset threat severity, the asset under-attack status score and the asset threat surface of the network asset.
Preferably, determining the asset cycle threat index of the network asset for the current time period according to the asset threat severity, the asset under-attack status score and the asset threat surface of the network asset specifically includes:
calculating the asset cycle threat index of the network asset for the current time period by the following formula:
$w = \alpha \cdot S + \beta \cdot Q + \gamma \cdot P$
where $w$ represents the asset cycle threat index of the network asset for the current time period;
$S$ represents the asset threat severity of the network asset for the current time period;
$\alpha$ represents the weight of $S$;
$Q$ represents the asset under-attack status score of the network asset for the current time period;
$\beta$ represents the weight of $Q$;
$P$ represents the asset threat surface of the network asset for the current time period;
$\gamma$ represents the weight of $P$.
Preferably, determining the asset threat severity of the network asset for the current time period specifically includes:
determining the threat level of each attack event according to a preset correspondence between attack events and threat levels, where the threat level represents the risk degree of the attack event;
and determining the asset threat severity of the network asset for the current time period according to the highest threat level among those threat levels, the attack result of the attack event having that highest threat level, and the highest threat level among the attack events whose attack result is a successful attack.
Preferably, determining the asset under-attack status score of the network asset for the current time period specifically includes:
looking up the asset attacked state in a preset correspondence between asset attacked states and asset under-attack status scores;
and obtaining the asset under-attack status score corresponding to that asset attacked state.
Preferably, determining the asset threat surface of the network asset for the current time period specifically includes:
determining the highest number of attack-source IP addresses of the network asset across the current time period and the first N time periods before it;
and determining the asset threat surface of the network asset for the current time period according to the number of attack-source IP addresses of the network asset in the current time period and that highest number.
Preferably, determining the asset threat severity of the network asset for the current time period according to the highest threat level among the threat levels, the attack result of the attack event having that highest threat level, and the highest threat level among the attack events whose attack result is a successful attack specifically includes:
calculating the asset threat severity of the network asset for the current time period by the following formula:
$S = (r_1 \cdot Te_1 + r_2 \cdot Te_2 \cdot Re) \times 10/5$
where $S$ represents the asset threat severity of the network asset for the current time period;
$Te_1$ represents the highest threat level among the attack events of the network asset whose attack result is a successful attack;
$r_1$ represents the weight of $Te_1$;
$Te_2$ represents the highest threat level among all attack events of the network asset;
$r_2$ represents the weight of $Te_2$;
$Re$ represents the attack result of the attack event with the highest threat level among the attack events of the network asset: $Re = 1$ if the attack succeeded, $Re = 0.1$ if the attack failed, and $Re = 0.5$ if the attack result is uncertain.
Preferably, determining the asset threat surface of the network asset for the current time period according to the number of attack-source IP addresses of the network asset in the current time period and the highest number of attack-source IP addresses specifically includes:
calculating the asset threat surface of the network asset for the current time period by the following formula:
where $P$ represents the asset threat surface of the network asset for the current time period;
$c$ represents the number of attack-source IP addresses of the network asset in the current time period;
$c_{max}$ represents the highest number of attack-source IP addresses of the network asset across the current time period and the first N time periods before it.
Preferably, determining the risk score of the network asset for the current time period according to the asset threat index and the asset vulnerability index specifically includes:
calculating the risk score of the network asset for the current time period by the following formula:
$Risk = c_1 \cdot W + c_2 \cdot R$
where $Risk$ represents the risk score of the network asset for the current time period;
$W$ represents the asset threat index of the network asset;
$c_1$ represents the weight of $W$;
$R$ represents the asset vulnerability index of the network asset for the current time period;
$c_2$ represents the weight of $R$.
Preferably, determining the asset threat index of the network asset according to the asset cycle threat index of the network asset and the asset cycle threat indexes of the network asset in the first N time periods before the current time period specifically includes:
calculating the asset threat index of the network asset by the following formula:
where $W$ represents the asset threat index of the network asset;
$N$ represents the number of time periods counted back from the current time period, $i = 0, 1, \ldots, N$;
$w_i$ represents the asset cycle threat index of the network asset for the time period lying $i$ periods before the current time period;
$b_i$ represents the weight of $w_i$.
Preferably, determining the asset vulnerability index of the network asset for the current time period specifically includes:
determining the asset value of the network asset according to a preset correspondence between network assets and asset values, where the asset value represents the importance level of the network asset;
determining the risk index of each vulnerability according to a preset correspondence between vulnerabilities and risk indexes, where the risk index of a vulnerability represents its risk degree;
and determining the asset vulnerability index of the network asset for the current time period according to the asset value and the risk index of each vulnerability.
Preferably, determining the asset vulnerability index of the network asset for the current time period according to the asset value and the risk index of each vulnerability specifically includes:
calculating the asset vulnerability index of the network asset for the current time period by the following formula:
where $R$ represents the asset vulnerability index of the network asset for the current time period;
$a_j$ represents the risk index of the $j$-th vulnerability of the network asset in the current time period, $j = 1, 2, 3, \ldots, m$, the vulnerabilities being ordered so that $a_1 > a_2 > a_3 > \cdots > a_m$;
$V$ represents the asset value of the network asset.
Optionally, the method further comprises:
determining the cycle threat index of an authority domain for the current time period according to the asset cycle threat indexes of the network assets contained in the authority domain in the current time period, where the authority domain represents a range of managed network assets and contains at least two network assets, and the cycle threat index of the authority domain represents the threat degree of the authority domain in the current time period;
determining the threat index of the authority domain according to its cycle threat index and its cycle threat indexes in the first N time periods before the current time period, where the threat index of the authority domain represents the threat degree of the authority domain up to the current time period;
determining the vulnerability index of the authority domain for the current time period according to the asset vulnerability indexes of the network assets contained in the authority domain, where the vulnerability index of the authority domain represents the vulnerability degree of the authority domain;
and determining a risk score of the authority domain for the current time period according to the threat index and the vulnerability index of the authority domain.
Preferably, determining the cycle threat index of the authority domain for the current time period according to the asset cycle threat indexes of the network assets contained in the authority domain in the current time period specifically includes:
calculating the cycle threat index of the authority domain for the current time period by the following formula:
where $w'$ represents the cycle threat index of the authority domain for the current time period;
$V_k$ represents the asset value of the $k$-th network asset in the authority domain for the current time period, $k = 1, 2, \ldots$;
$w_k$ represents the asset cycle threat index of the $k$-th network asset in the authority domain for the current time period.
Preferably, determining the threat index of the authority domain according to its cycle threat index and its cycle threat indexes in the first N time periods before the current time period specifically includes:
calculating the threat index of the authority domain by the following formula:
where $W'$ represents the threat index of the authority domain;
$N$ represents the number of time periods counted back from the current time period, $i = 0, 1, \ldots, N$;
$w'_i$ represents the cycle threat index of the authority domain for the time period lying $i$ periods before the current time period;
$b_i$ represents the weight of $w'_i$.
Preferably, determining the vulnerability index of the authority domain for the current time period according to the asset vulnerability indexes of the network assets contained in the authority domain specifically includes:
calculating the vulnerability index of the authority domain for the current time period by the following formula:
where $R_{lm}$ represents the vulnerability index of the authority domain for the current time period;
$R_k$ represents the asset vulnerability index of the $k$-th network asset in the authority domain for the current time period, $k = 1, 2, \ldots, M$; $M$ represents the number of network assets contained in the authority domain, the assets being ordered so that $R_1 > R_2 > R_3 > \cdots > R_M$.
Preferably, determining the risk score of the authority domain for the current time period according to the threat index and the vulnerability index of the authority domain specifically includes:
calculating the risk score of the authority domain for the current time period by the following formula:
$Risk' = d_1 \cdot W' + d_2 \cdot R_{lm}$
where $Risk'$ represents the risk score of the authority domain for the current time period;
$W'$ represents the threat index of the authority domain;
$d_1$ represents the weight of $W'$;
$R_{lm}$ represents the vulnerability index of the authority domain for the current time period;
$d_2$ represents the weight of $R_{lm}$.
Optionally, the method further comprises:
acquiring the identification of the authority domain;
when the identification of the authority domain is found out from the network asset blocking information list, a first preset threshold corresponding to the identification of the authority domain is obtained from the network asset blocking information list;
blocking the network asset in the authority domain when the risk score of the authority domain is greater than or equal to the first preset threshold;
acquiring a blocking removing mode corresponding to the identifier of the authority domain from the network asset blocking information list;
and unblocking the network assets in the authority domain according to the unblocking mode.
In a second aspect, an embodiment of the present invention provides a network asset risk control apparatus, including:
a first obtaining unit, configured to obtain network asset related data, where the data at least include a network asset identifier, the attack events of the network asset in the current time period, the attack result corresponding to each attack event, the asset attacked state of the network asset in the current time period, the number of attack-source Internet Protocol (IP) addresses of the network asset in the current time period, the number of attack-source IP addresses of the network asset in the first N time periods before the current time period, and the vulnerabilities of the network asset in the current time period;
the second acquisition unit is used for acquiring a preset threshold value corresponding to the network asset identifier from the network asset blocking information list when the network asset identifier is determined to be found out from the preset network asset blocking information list;
a first determining unit for determining a risk score of the network asset for the current time period based on the data;
and the network asset blocking unit is used for blocking the network asset when determining that the risk score of the network asset is greater than or equal to the preset threshold value.
Optionally, the apparatus further comprises:
a third obtaining unit, configured to obtain, from the network asset blocking information list, a blocking release manner corresponding to the network asset identifier;
and the network asset blocking and unblocking unit unblocks the network asset according to the unblocking mode.
Preferably, the unblocking mode includes a timed unblocking mode;
the network asset unblocking unit is specifically configured to acquire, when the unblocking mode is determined to be the timed unblocking mode, the preset duration corresponding to the network asset identifier from the network asset blocking information list, and to unblock the network asset according to the preset duration.
Preferably, the network asset unblocking unit is specifically configured to obtain a first risk score of the network asset in a specified time period, where the specified time period lies after a first time, at which the network asset was blocked, and before a second time, at which the preset duration is reached; to unblock the network asset when the first risk score is determined to be less than the preset threshold; and, when the first risk score is determined to be greater than or equal to the preset threshold, to unblock the network asset once the second time corresponding to the preset duration is reached.
Preferably, the first determining unit is specifically configured to determine an asset cycle threat index of the network asset for the current time period, where the asset cycle threat index characterizes the degree of threat to the network asset in the current time period; to determine an asset threat index of the network asset according to that asset cycle threat index and the asset cycle threat indexes of the network asset in the first N time periods before the current time period, where the asset threat index represents the threat degree of the network asset up to the current time period; to determine an asset vulnerability index of the network asset for the current time period, where the asset vulnerability index characterizes the vulnerability level of the network asset; and to determine a risk score of the network asset for the current time period according to the asset threat index and the asset vulnerability index.
Preferably, the first determining unit is specifically configured to determine an asset threat severity, an asset under-attack status score and an asset threat surface of the network asset for the current time period, and to determine the asset cycle threat index of the network asset for the current time period according to the asset threat severity, the asset under-attack status score and the asset threat surface of the network asset.
Preferably, the first determining unit is specifically configured to calculate the asset cycle threat index of the network asset for the current time period by the following formula:
$w = \alpha \cdot S + \beta \cdot Q + \gamma \cdot P$
where $w$ represents the asset cycle threat index of the network asset for the current time period;
$S$ represents the asset threat severity of the network asset for the current time period;
$\alpha$ represents the weight of $S$;
$Q$ represents the asset under-attack status score of the network asset for the current time period;
$\beta$ represents the weight of $Q$;
$P$ represents the asset threat surface of the network asset for the current time period;
$\gamma$ represents the weight of $P$.
Preferably, the first determining unit is specifically configured to determine the threat level of each attack event according to a preset correspondence between attack events and threat levels, where the threat level represents the risk degree of the attack event; and to determine the asset threat severity of the network asset for the current time period according to the highest threat level among those threat levels, the attack result of the attack event having that highest threat level, and the highest threat level among the attack events whose attack result is a successful attack.
Preferably, the first determining unit is specifically configured to look up the asset attacked state in a preset correspondence between asset attacked states and asset under-attack status scores, and to obtain the asset under-attack status score corresponding to that asset attacked state.
Preferably, the first determining unit is specifically configured to determine the highest number of attack-source IP addresses of the network asset across the current time period and the first N time periods before it, and to determine the asset threat surface of the network asset for the current time period according to the number of attack-source IP addresses of the network asset in the current time period and that highest number.
Preferably, the first determining unit is specifically configured to calculate the asset threat severity of the network asset for the current time period by the following formula:
$S = (r_1 \cdot Te_1 + r_2 \cdot Te_2 \cdot Re) \times 10/5$
where $S$ represents the asset threat severity of the network asset for the current time period;
$Te_1$ represents the highest threat level among the attack events of the network asset whose attack result is a successful attack;
$r_1$ represents the weight of $Te_1$;
$Te_2$ represents the highest threat level among all attack events of the network asset;
$r_2$ represents the weight of $Te_2$;
$Re$ represents the attack result of the attack event with the highest threat level among the attack events of the network asset: $Re = 1$ if the attack succeeded, $Re = 0.1$ if the attack failed, and $Re = 0.5$ if the attack result is uncertain.
Preferably, the first determining unit is specifically configured to calculate the asset threat surface of the network asset for the current time period by the following formula:
where $P$ represents the asset threat surface of the network asset for the current time period;
$c$ represents the number of attack-source IP addresses of the network asset in the current time period;
$c_{max}$ represents the highest number of attack-source IP addresses of the network asset across the current time period and the first N time periods before it.
Preferably, the first determining unit is specifically configured to calculate a risk score of the network asset in the current time period by the following formula:
$Risk = c_1 \cdot W + c_2 \cdot R$
wherein Risk represents the risk score of the network asset for the current time period;
W represents the asset threat index of the network asset;
c_1 represents the weight of W;
R represents the asset vulnerability index of the network asset for the current time period;
c_2 represents the weight of R.
Preferably, the first determining unit is specifically configured to calculate an asset threat index of the network asset by the following formula:
wherein W represents the asset threat index of the network asset;
n represents the number of time periods counted back from the current one, i = 0, 1, ..., n-1;
w_i represents the asset cycle threat index of the network asset for the time period i periods before the current one;
b_i represents the weight of w_i.
preferably, the first determining unit is specifically configured to determine an asset value of the network asset according to a preset correspondence between the network asset and the asset value, where the asset value is used to characterize an importance level of the network asset; determining the risk index of each vulnerability according to the corresponding relation between the preset vulnerability and the risk index, wherein the risk index of each vulnerability represents the risk degree of the vulnerability; and determining the asset vulnerability index of the network asset in the current time period according to the asset value and the risk index of each vulnerability.
Preferably, the first determining unit is specifically configured to calculate an asset vulnerability index of the network asset for the current time period by the following formula:
wherein R represents the asset vulnerability index of the network asset for the current time period;
a_j represents the risk index of the j-th vulnerability of the network asset for the current time period, j = 1, 2, 3, ..., m, with a_1 > a_2 > a_3 > ... > a_m;
V represents the asset value of the network asset.
Optionally, the apparatus further comprises:
a second determining unit, configured to determine a cycle threat index of a rights domain of the current time period according to an asset cycle threat index of a network asset included in the rights domain of the current time period, where the rights domain represents a range of managed network assets, the rights domain includes at least two network assets, and the cycle threat index of the rights domain represents a degree of threat of the rights domain in the current time period;
a third determining unit, configured to determine a threat index of the authority domain according to the period threat index of the authority domain and the period threat indexes of the authority domain in the first N time periods of the current time period, where the threat index of the authority domain indicates a degree of threat of the authority domain up to the current time period;
A fourth determining unit, configured to determine a vulnerability index of the authority domain for a current time period according to an asset vulnerability index of a network asset included in the authority domain, where the vulnerability index of the authority domain characterizes a vulnerability degree of the authority domain;
and a fifth determining unit, configured to determine a risk score of the authority domain in the current time period according to the threat index of the authority domain and the vulnerability index of the authority domain.
Preferably, the second determining unit is specifically configured to calculate the cycle threat index of the authority domain of the current time cycle according to the following formula:
wherein w' represents the cycle threat index of the authority domain for the current time period;
V_k represents the asset value of the k-th network asset in the authority domain for the current time period, k = 1, 2, ..., M;
w_k represents the asset cycle threat index of the k-th network asset in the authority domain for the current time period.
Preferably, the third determining unit is specifically configured to calculate the threat index of the authority domain according to the following formula:
wherein W' represents the threat index of the authority domain;
n represents the number of time periods counted back from the current one, i = 0, 1, ..., n-1;
w_i' represents the cycle threat index of the authority domain for the time period i periods before the current one;
b_i represents the weight of w_i'.
preferably, the fourth determining unit is specifically configured to calculate the vulnerability index of the authority domain of the current time period according to the following formula:
wherein R_lm represents the vulnerability index of the authority domain for the current time period;
R_k represents the asset vulnerability index of the k-th network asset in the authority domain for the current time period, k = 1, 2, ..., M; M represents the number of network assets contained in the authority domain, with R_1 > R_2 > R_3 > ... > R_M.
Preferably, the fifth determining unit is specifically configured to calculate a risk score of the authority domain of the current time period according to the following formula:
$Risk' = d_1 \cdot W' + d_2 \cdot R_{lm}$
wherein Risk' represents the risk score of the authority domain for the current time period;
W' represents the threat index of the authority domain;
d_1 represents the weight of W';
R_lm represents the vulnerability index of the authority domain for the current time period;
d_2 represents the weight of R_lm.
Optionally, the apparatus further comprises:
a fourth obtaining unit, configured to obtain an identifier of the rights domain;
A fifth obtaining unit, configured to obtain, when determining that the identifier of the rights domain is found from the network asset blocking information list, a first preset threshold corresponding to the identifier of the rights domain from the network asset blocking information list;
a rights domain blocking unit, configured to block a network asset in the rights domain when it is determined that a risk score of the rights domain is greater than or equal to the first preset threshold;
a sixth obtaining unit, configured to obtain, from the network asset blocking information list, a blocking release manner corresponding to the identifier of the rights domain;
and the authority domain blocking and unblocking unit is used for unblocking the network assets in the authority domain according to the unblocking mode.
Technical effects of the network asset risk control device provided by the present invention may be referred to the technical effects of the first aspect or each implementation manner of the first aspect, which are not described herein.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the network asset risk control method according to the present invention when executing the program.
In a fourth aspect, embodiments of the present invention provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs steps in a network asset risk control method according to the present invention.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
fig. 1 is a schematic flow chart of an implementation of a network asset risk control method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an embodiment of the present invention for determining risk scores of network assets for a current time period;
FIG. 3 is a schematic flow chart of an implementation of determining an asset cycle threat index for a network asset for a current time period in an embodiment of the invention;
FIG. 4 is a schematic flow chart of an implementation of determining the asset threat severity of a network asset for a current time period in an embodiment of the invention;
FIG. 5 is a schematic flow chart of an implementation of determining an asset under-attack status score of a network asset for a current time period in an embodiment of the present invention;
FIG. 6 is a schematic flow chart of an implementation of an asset threat surface of a network asset for determining a current time period in an embodiment of the invention;
FIG. 7 is a schematic flow chart of an implementation of determining an asset vulnerability index of a network asset for a current time period in an embodiment of the invention;
FIG. 8 is a flowchart illustrating an implementation of determining risk scores of authority domains in a current time period according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of an implementation flow for unblocking a network asset according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of an implementation flow for unblocking a network asset when the unblocking mode is a timed unblocking mode according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of an implementation flow for blocking a rights domain according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of a flow chart for unblocking a rights domain according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of a network asset risk control device according to an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to solve the problem that existing network asset risk control methods score risk inaccurately, which in turn lowers the efficiency of network asset risk control, the embodiment of the present invention provides a network asset risk control method and device.
Existing methods that score the risk of a network asset on the basis of its vulnerabilities or of network attack events ignore the following problems:
First, the state of the network asset is ignored during scoring. A network attack event occurs on the network asset, but if the network asset has been compromised and is no longer being attacked, its state remains very dangerous: the danger has not disappeared, it is merely hidden.
Second, the importance of the network asset to the whole network is ignored. The extent to which a decommissioned network asset endangers the whole network differs from that of a core network asset; if a core network asset is attacked, the risk is greater.
Third, the historical danger is ignored. After a network asset is attacked, no further attack on it may be observed for several days, but this does not make the network asset safe: it may be compromised and lying hidden. Its risk would be considered reduced, yet the historical risk value should still be treated as dangerous.
Fourth, in a complex network environment the management authority over network assets must be distinguished. Rather than considering only the overall network condition, the security condition of each authority domain must be considered, where an authority domain is the range of network assets under one administrator's management. This allows faster response: the risk of the network environment differs between authority domains, and the administrator of each authority domain can see the risk degree within their own management range more clearly and manage the risky network assets more specifically and more efficiently.
Based on the above, the embodiment of the invention provides a network asset risk control method and device.
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and not for limitation of the present invention, and embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
In this context, it is to be understood that the technical terms referred to in the present invention are:
1. network asset: mainly various devices used in computer (or communication) networks. Mainly including hosts, network devices (routers, switches, etc.) and security devices (firewalls, etc.).
It should be noted that, in the embodiment of the present invention, the network asset may further include a website, where the website may be, but is not limited to, a website for providing network services.
As shown in fig. 1, which is a schematic diagram of an implementation flow of a network asset risk control method according to an embodiment of the present invention, the method may include the following steps:
s111, acquiring network asset related data.
In specific implementation, the big data security analysis platform acquires the network asset related data, which includes at least: the network asset identifier; the attack events of the network asset in the current time period and the attack result corresponding to each attack event; the asset attacked state of the network asset in the current time period; the number of attack-source IP (Internet Protocol) addresses of the network asset in the current time period and in each of the N time periods preceding it; and the vulnerabilities of the network asset in the current time period. The time period may be preset as required, for example one day (00:00-24:00) may be taken as one time period; the embodiment of the present invention does not limit this. N is an integer greater than or equal to 1 whose value can be set according to actual needs; the embodiment of the present invention does not limit this either.
S112, when the network asset identification is found out from a preset network asset blocking information list, acquiring a preset threshold corresponding to the network asset identification from the network asset blocking information list.
In specific implementation, the big data security analysis platform presets a network asset blocking information list. The list records, for each network asset identifier to be blocked, the corresponding preset threshold and blocking release manner. The blocking release manner is either manual release or timed release; when it is timed release, the list additionally records a preset duration for that network asset identifier, which is the timing duration of the timed release.
When the network asset identification is found from the preset network asset blocking information list, the big data security analysis platform acquires a preset threshold corresponding to the network asset identification from the network asset blocking information list.
S113, determining a risk score of the network asset in the current time period according to the data.
In particular, determining the risk score of the network asset for the current time period according to the flow shown in fig. 2 may include the following steps:
s11, determining an asset period threat index of the network asset in the current time period.
In specific implementation, the big data security analysis platform determines an asset cycle threat index of the network asset in the current time period, wherein the asset cycle threat index characterizes the threat degree of the network asset in the current time period.
Specifically, determining the asset cycle threat index of the network asset for the current time period according to the flow shown in fig. 3 may comprise the steps of:
s21, determining the asset threat severity, the asset attacked state score and the asset threat surface of the network asset in the current time period.
In specific implementation, the big data security analysis platform determines the asset threat severity, the asset attacked-state score and the asset threat surface of the network asset in the current time period. The asset threat severity characterizes how severe the threat to the network asset is; the asset attacked-state score characterizes the state the network asset is in after being attacked; the asset threat surface characterizes how likely the network asset is to be threatened: the more attackers there are, the more likely the network asset is to be threatened.
Specifically, determining the asset threat severity of the network asset for the current time period according to the flow shown in fig. 4 may comprise the steps of:
s31, determining the threat level of the attack event according to the corresponding relation between the preset attack event and the threat level.
In specific implementation, the big data security analysis platform divides the different attack events into threat levels in advance according to their severity; for example, attack events may be divided into five levels represented by the five values 1-5, where a larger value represents a more severe attack event. The threat level characterizes the risk degree of the attack event. The big data security analysis platform stores the correspondence between attack event and threat level.
Specifically, the big data security analysis platform determines threat levels corresponding to each attack event of the network asset in the current time period according to the corresponding relation between the attack event and the threat levels.
S32, determining the asset threat severity of the network asset in the current time period according to the highest of those threat levels, the attack result of the attack event having the highest threat level, and the highest threat level among the attack events whose attack result is "attack successful".
In specific implementation, the big data security analysis platform determines the asset threat severity of the network asset in the current time period according to the highest of those threat levels, the attack result of the attack event having the highest threat level, and the highest threat level among the attack events whose attack result is "attack successful".
Specifically, the asset threat severity of the network asset for the current time period may be calculated by the following formula:
$S = (r_1 \cdot Te_1 + r_2 \cdot Te_2 \cdot Re) \cdot 10/5$
wherein S represents the asset threat severity of the network asset for the current time period;
Te_1 represents the threat level of the highest-threat-level attack event among those attack events of the network asset whose attack result is "attack successful";
r_1 represents the weight of Te_1;
Te_2 represents the highest threat level among the threat levels of the attack events of the network asset;
r_2 represents the weight of Te_2;
Re represents the attack result of the attack event with the highest threat level among the attack events of the network asset: Re = 1 if the attack succeeded, Re = 0.1 if the attack failed, and Re = 0.5 if the attack result is uncertain.
In implementation, determining the asset attack status score of the network asset for the current time period according to the flow shown in fig. 5 may include the following steps:
S41, searching the attacked state of the asset from the corresponding relation between the preset attacked state of the asset and the score of the attacked state of the asset.
The asset attacked state may include, but is not limited to, the following states: (1) confirmed compromised but handling not yet complete; (2) suspected compromised; (3) recently attacked but not compromised; (4) not compromised and not attacked.
In specific implementation, the big data security analysis platform presets a score for each asset attacked state and stores the correspondence between asset attacked state and asset attacked-state score. For example, the score for "confirmed compromised but handling not yet complete" may be set to 9, the score for "suspected compromised" to 7, the score for "recently attacked but not compromised" to 5, and the score for "not compromised and not attacked" to 0.
Specifically, the big data security analysis platform looks up the asset attacked state of the network asset, taken from the network asset related data, in the correspondence between asset attacked state and asset attacked-state score.
S42, obtaining the score of the attacked state of the asset corresponding to the attacked state of the asset.
And in the specific implementation, the big data security analysis platform acquires the score of the attacked state of the asset corresponding to the attacked state of the asset.
In implementation, determining the asset threat surface of the network asset for the current time period according to the flow shown in fig. 6 may include the following steps:
S51, determining the highest number of attack-source IP addresses of the network asset over the current time period and the N time periods preceding it.
In specific implementation, the big data security analysis platform compares the number of attack-source IP addresses of the network asset in the current time period, taken from the network asset related data, with the number in each of the N time periods preceding it, and determines the highest of these numbers.
S52, determining an asset threat surface of the network asset in the current time period according to the number of the attack source IP addresses of the network asset and the highest attack source IP address number in the current time period.
In practice, the asset threat surface of the network asset for the current time period may be calculated by the following formula:
wherein P represents the asset threat surface of the network asset for the current time period;
c represents the number of attack-source IP addresses of the network asset in the current time period;
c_max represents the highest number of attack-source IP addresses of the network asset over the current time period and the N time periods preceding it.
S22, determining an asset cycle threat index of the network asset in the current time period according to the asset threat severity degree, the asset attacked state score and the asset threat surface of the network asset.
In implementation, the big data security analysis platform determines an asset cycle threat index of the network asset in the current time period according to the asset threat severity of the network asset, the asset attacked state score and the asset threat surface.
Specifically, the asset cycle threat index of the network asset for the current time period may be calculated by the following formula:
$w = \alpha \cdot S + \beta \cdot Q + \gamma \cdot P$
wherein w represents the asset cycle threat index of the network asset for the current time period;
S represents the asset threat severity of the network asset for the current time period;
α represents the weight of S;
Q represents the asset attacked-state score of the network asset for the current time period;
β represents the weight of Q;
P represents the asset threat surface of the network asset for the current time period;
γ represents the weight of P.
In implementation, α + β + γ = 1. The values of α, β and γ may be set according to the relative importance of the asset threat severity, the asset attacked-state score and the asset threat surface of the network asset; for example, they may be set as follows:
The embodiment of the present invention is not limited thereto.
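The procedure of steps S21 to S22 (the asset threat severity S from the threat-level table and the attack results, the asset attacked-state score Q from the state table, the asset threat surface P from c and c_max, and their weighted combination into w) can be put together as follows. This is an added worked example, not code from the patent or from the big data security analysis platform it describes. The attack-event-to-threat-level table, the weights r_1, r_2, α, β and γ, the handling of a period with no successful attack (Te_1 = 0) or with several events tied at the highest level, and the threat-surface formula (taken here as P = 10·c/c_max, because the page's own formula for P is not reproduced in this extraction) are assumptions; the state scores 9/7/5/0 and the Re values 1/0.1/0.5 are the page's own examples.

```python
"""Asset cycle threat index w for one time period (steps S21-S22 of this page).

Added example, not the patent's code.  Assumptions are marked in comments: the
event->threat-level table, r1/r2/alpha/beta/gamma, the tie-break among several
highest-level events, Te1 = 0 when nothing succeeded, and the formula for P.
"""
from dataclasses import dataclass
from typing import Iterable, Sequence

# Preset correspondence attack event -> threat level 1..5 (page: five levels, larger =
# more severe).  The event names and their levels are a constructed example.
THREAT_LEVEL = {
    "port_scan": 1,
    "brute_force": 2,
    "web_shell_upload": 3,
    "sql_injection": 4,
    "remote_code_execution": 5,
}

# Page: Re = 1 if the attack succeeded, 0.1 if it failed, 0.5 if the result is uncertain.
ATTACK_RESULT_FACTOR = {"success": 1.0, "fail": 0.1, "uncertain": 0.5}

# Page's example scores for the asset attacked state (Q).
ATTACKED_STATE_SCORE = {
    "confirmed_compromised_unhandled": 9,
    "suspected_compromised": 7,
    "recently_attacked_not_compromised": 5,
    "not_compromised_not_attacked": 0,
}


@dataclass(frozen=True)
class AttackEvent:
    event_type: str
    result: str  # "success" | "fail" | "uncertain"


def threat_severity(events: Iterable[AttackEvent], r1: float = 0.6, r2: float = 0.4) -> float:
    """S = (r1*Te1 + r2*Te2*Re) * 10/5 (page formula); r1, r2 defaults are assumed.

    Te2: highest level among all events; Re: result of that event;
    Te1: highest level among events whose result is "success".
    """
    events = list(events)
    if not events:
        return 0.0  # no attack events in the period: nothing to score (assumption)
    te2 = max(THREAT_LEVEL[e.event_type] for e in events)
    # Tie-break (assumption): if several events share the highest level, take the worst
    # result, so a successful or uncertain attack is not masked by a failed one.
    top = [e for e in events if THREAT_LEVEL[e.event_type] == te2]
    re_ = max(ATTACK_RESULT_FACTOR[e.result] for e in top)
    successes = [THREAT_LEVEL[e.event_type] for e in events if e.result == "success"]
    te1 = max(successes) if successes else 0  # no successful attack -> Te1 = 0 (assumption)
    return (r1 * te1 + r2 * te2 * re_) * 10 / 5


def attacked_state_score(state: str) -> int:
    """Q: look the state up in the preset correspondence table (page, S41-S42)."""
    return ATTACKED_STATE_SCORE[state]


def threat_surface(c: int, previous_counts: Sequence[int]) -> float:
    """P from c (attack-source IPs this period) and c_max over this and the previous N periods.

    ASSUMPTION: the page's formula for P is not reproduced; this uses P = 10 * c / c_max,
    the current attacker count as a share of its recent peak, scaled to 0..10 like S and Q.
    """
    c_max = max([c, *previous_counts])
    if c_max == 0:
        return 0.0  # never attacked in the window: avoid division by zero
    return 10.0 * c / c_max


def cycle_threat_index(s: float, q: float, p: float,
                       alpha: float = 0.5, beta: float = 0.3, gamma: float = 0.2) -> float:
    """w = alpha*S + beta*Q + gamma*P with alpha+beta+gamma = 1 (page); default weights assumed."""
    if abs(alpha + beta + gamma - 1.0) > 1e-9:
        raise ValueError("alpha + beta + gamma must equal 1")
    return alpha * s + beta * q + gamma * p


def score_period(events, state, c, previous_counts):
    """Steps S21-S22 for one asset and one period; returns (S, Q, P, w)."""
    s = threat_severity(events)
    q = attacked_state_score(state)
    p = threat_surface(c, previous_counts)
    return s, q, p, cycle_threat_index(s, q, p)


# Constructed sample input: one day's attack events for one asset.
SAMPLE_EVENTS = [
    AttackEvent("port_scan", "fail"),
    AttackEvent("sql_injection", "success"),
    AttackEvent("remote_code_execution", "uncertain"),
]

if __name__ == "__main__":
    s, q, p, w = score_period(SAMPLE_EVENTS, "suspected_compromised", 3, [1, 5, 2, 4])
    print(f"S={s:.2f} Q={q} P={p:.2f} w={w:.2f}")
```

With the sample input the highest-level event is the uncertain remote code execution (Te_2 = 5, Re = 0.5) while the highest successful one is the SQL injection (Te_1 = 4), so S = (0.6·4 + 0.4·5·0.5)·2 = 6.8; the tie-break matters in practice because a failed probe and a successful exploit of the same type would otherwise be scored by whichever happened to be listed first.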
S12, determining the asset threat index of the network asset according to the asset period threat index of the network asset and the asset period threat indexes of the network asset in the first N time periods of the current time period.
In implementation, the big data security analysis platform determines the asset threat index of the network asset according to the asset period threat index of the network asset and the asset period threat indexes of the network asset in the first N time periods of the current time period, and the asset threat index characterizes the threat degree of the network asset up to the current time period.
Specifically, the asset threat index of the network asset may be calculated by the following formula:
wherein W represents the asset threat index of the network asset;
n represents the number of time periods counted back from the current one, i = 0, 1, ..., n-1;
w_i represents the asset cycle threat index of the network asset for the time period i periods before the current one;
b_i represents the weight of w_i.
In specific implementation, w_i is the asset cycle threat index of the network asset for the time period i periods before the current one. Assuming a time period of 1 day and N = 4, then n = 5, where w_0 is the asset cycle threat index of the network asset for the day 0 days from the current day, i.e. the current day; w_1 is that for 1 day before the current day; w_2 is that for 2 days before the current day; w_3 is that for 3 days before the current day; and w_4 is that for 4 days before the current day.
S13, determining an asset vulnerability index of the network asset in the current time period.
In particular implementations, the big data security analysis platform determines an asset vulnerability index of the network asset for the current time period, the asset vulnerability index characterizing a vulnerability level of the network asset.
Specifically, determining the asset vulnerability index of the network asset for the current time period according to the flow shown in fig. 7 may include the steps of:
s61, determining the asset value of the network asset according to the preset corresponding relation between the network asset and the asset value.
In specific implementation, the asset value characterizes the importance level of the network asset. The big data security analysis platform sets the asset value in advance according to the importance level of the network asset; it may be represented by the five values 1-5, where a higher asset value means a more important network asset. The platform stores the correspondence between network asset and asset value. In the embodiment of the present invention, a network asset is represented by its network asset identifier.
S62, determining risk indexes of all vulnerabilities according to the corresponding relation between preset vulnerabilities and risk indexes.
In specific implementation, the risk index of a vulnerability characterizes the risk degree of that vulnerability. The big data security analysis platform presets a risk index for each vulnerability and stores the correspondence between vulnerability and risk index.
Specifically, the big data security analysis platform determines risk indexes of all vulnerabilities of the network asset in the current time period in the related data of the network asset according to the corresponding relation between the vulnerabilities and the risk indexes.
Specifically, the big data security analysis platform searches each vulnerability from the corresponding relation between the vulnerability and the risk index, and obtains the risk index corresponding to each vulnerability.
And S63, determining an asset vulnerability index of the network asset in the current time period according to the asset value and the risk index of each vulnerability.
In practice, the asset vulnerability index of the network asset for the current time period may be calculated by the following formula:
wherein R represents the asset vulnerability index of the network asset for the current time period;
a_j represents the risk index of the j-th vulnerability of the network asset for the current time period, j = 1, 2, 3, ..., m, with a_1 > a_2 > a_3 > ... > a_m;
V represents the asset value of the network asset.
S14, determining a risk score of the network asset in the current time period according to the asset threat index and the asset vulnerability index.
In practice, the risk score for the network asset at the current time period may be calculated by the following formula:
$Risk = c_1 \cdot W + c_2 \cdot R$
wherein Risk represents the risk score of the network asset for the current time period;
W represents the asset threat index of the network asset;
c_1 represents the weight of W;
R represents the asset vulnerability index of the network asset for the current time period;
c_2 represents the weight of R.
In specific implementation, c_1 + c_2 = 1; the values of c_1 and c_2 may be set according to the actual situation, which the embodiment of the present invention does not limit.
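The cross-period combination of step S12 and the risk score of step S14, together with the blocking-list lookup of step S112 (an asset is blocked only if its identifier is in the list and its score reaches that asset's preset threshold; release is manual or timed), can be exercised with the following added example, which is not code from the patent or from the platform it describes. The asset threat index W is computed here as a weighted sum of the per-period indexes w_i with Σb_i = 1; that is an assumption, because the page's formula for W is not reproduced in this extraction. The asset vulnerability index R is taken as a ready input for the same reason. The weights b_i, c_1 and c_2, the blocking-list rows and the asset identifiers are constructed sample values.

```python
"""Risk score and blocking decision for one network asset (steps S12, S14, S112 of this page).

Added example, not the patent's code.  ASSUMPTIONS: W = sum(b_i * w_i) with sum(b_i) = 1
(the page defines the weights b_i but its formula is not reproduced here); R is an input;
c1, c2, the b_i and the blocking-list contents are made-up sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


def asset_threat_index(w_history: Sequence[float], b: Sequence[float]) -> float:
    """W over n = N + 1 periods; w_history[i] is w_i, the index i periods before the current one.

    Assumed weighted sum.  Decaying weights keep a recent compromise in the score for
    several periods, which is the "historical danger" the page's third problem is about.
    """
    if len(w_history) != len(b):
        raise ValueError("one weight b_i per period")
    if abs(sum(b) - 1.0) > 1e-9:
        raise ValueError("weights b_i must sum to 1")
    return sum(bi * wi for bi, wi in zip(b, w_history))


def risk_score(w_index: float, r_index: float, c1: float = 0.6, c2: float = 0.4) -> float:
    """Risk = c1*W + c2*R with c1 + c2 = 1 (page formula; the c1, c2 values are assumed)."""
    if abs(c1 + c2 - 1.0) > 1e-9:
        raise ValueError("c1 + c2 must equal 1")
    return c1 * w_index + c2 * r_index


@dataclass(frozen=True)
class BlockRule:
    """One row of the network asset blocking information list (page, S112)."""
    threshold: float
    release_mode: str                       # "manual" or "timed"
    release_after_s: Optional[int] = None   # preset duration, timed mode only


@dataclass(frozen=True)
class BlockDecision:
    asset_id: str
    risk: float
    blocked: bool
    release_mode: Optional[str] = None
    release_at: Optional[int] = None        # epoch seconds, timed mode only


def decide_block(asset_id: str, risk: float, block_list: Dict[str, BlockRule], now: int) -> BlockDecision:
    """Block only if the identifier is in the list AND risk >= that asset's preset threshold."""
    rule = block_list.get(asset_id)
    if rule is None or risk < rule.threshold:
        return BlockDecision(asset_id, risk, blocked=False)
    if rule.release_mode == "timed":
        if rule.release_after_s is None:
            raise ValueError(f"{asset_id}: timed release needs a preset duration")
        return BlockDecision(asset_id, risk, True, "timed", now + rule.release_after_s)
    return BlockDecision(asset_id, risk, True, "manual", None)


def should_release(decision: BlockDecision, now: int, manual_release: bool = False) -> bool:
    """Timed mode releases once the preset duration has elapsed; manual mode only on request."""
    if not decision.blocked:
        return False
    if decision.release_mode == "timed":
        return now >= decision.release_at
    return manual_release


# Constructed blocking information list: identifier -> threshold, release manner, duration.
BLOCK_LIST = {
    "asset-01": BlockRule(threshold=4.5, release_mode="timed", release_after_s=3600),
    "asset-03": BlockRule(threshold=8.0, release_mode="manual"),
}

if __name__ == "__main__":
    # w_0 is the current period; older periods get smaller (assumed) weights.
    w_hist = [6.7, 4.0, 2.0, 0.0, 0.0]
    b = [0.4, 0.3, 0.15, 0.1, 0.05]
    risk = risk_score(asset_threat_index(w_hist, b), r_index=6.0)
    d = decide_block("asset-01", risk, BLOCK_LIST, now=1_700_000_000)
    print(d, should_release(d, now=1_700_000_000 + 3600))
```

Two checks worth keeping when adapting this: an identifier that is absent from the list is never blocked, however high its score, so the list is the policy boundary and should be reviewed as such; and a timed rule without a preset duration is rejected rather than silently treated as permanent.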
Optionally, for the authority domain including several network assets, the risk score of the authority domain may be further evaluated, and the risk score of the authority domain of the current time period may be determined according to the flow shown in fig. 8, including the following steps:
S71, determining the period threat index of the authority domain of the current time period according to the asset period threat index of the network asset contained in the authority domain of the current time period.
In specific implementation, the big data security analysis platform determines the cycle threat index of the authority domain for the current time period according to the asset cycle threat indexes of the network assets contained in the authority domain in the current time period. The authority domain represents a range of managed network assets and contains at least two network assets; the cycle threat index of the authority domain characterizes the threat degree of the authority domain in the current time period.
Specifically, the period threat index of the authority domain in the current time period may be calculated by the following formula:
wherein w' represents the period threat index of the authority domain in the current time period;
V_k represents the asset value of the k-th network asset in the authority domain in the current time period, k = 1, 2, ...;
w_k represents the asset period threat index of the k-th network asset in the authority domain in the current time period.
S72, determining the threat index of the authority domain according to the period threat index of the authority domain and the period threat indexes of the authority domain in the first N time periods before the current time period.
In a specific implementation, the threat index of the authority domain represents the threat degree of the authority domain up to the current time period.
Specifically, the threat index of the authority domain may be calculated by the following formula:
wherein W' represents the threat index of the authority domain;
N represents the number of time periods counted back from the current time period, i = 0, 1, ..., N;
w_i' represents the period threat index of the authority domain in the time period that is i periods before the current time period;
b_i represents the weight of w_i'.
In a specific implementation, w_0' is the period threat index of the authority domain in the current time period, and w_i' is the period threat index of the authority domain in the i-th time period before the current time period.
S73, determining the vulnerability index of the authority domain in the current time period according to the asset vulnerability indexes of the network assets contained in the authority domain.
Wherein the vulnerability index of the authority domain characterizes the vulnerability degree of the authority domain.
In a specific implementation, the vulnerability index of the authority domain in the current time period may be calculated by the following formula:
wherein R_lm represents the vulnerability index of the authority domain in the current time period;
R_k represents the asset vulnerability index of the k-th network asset in the authority domain in the current time period, k = 1, 2, ..., M; M represents the number of network assets contained in the authority domain, and R_1 > R_2 > R_3 > ... > R_M.
S74, determining the risk score of the authority domain in the current time period according to the threat index of the authority domain and the vulnerability index of the authority domain.
In a specific implementation, the risk score of the authority domain in the current time period may be calculated by the following formula:
Risk' = d_1 * W' + d_2 * R_lm
wherein Risk' represents the risk score of the authority domain in the current time period;
W' represents the threat index of the authority domain;
d_1 represents the weight of W';
R_lm represents the vulnerability index of the authority domain in the current time period;
d_2 represents the weight of R_lm.
S114, blocking the network asset when it is determined that the risk score of the network asset is greater than or equal to the preset threshold.
In a specific implementation, when the risk score of the network asset is greater than or equal to the preset threshold, the network asset is blocked.
Further, unblocking the network asset according to the flow shown in fig. 9 may include the following steps:
S81, obtaining the unblocking mode corresponding to the network asset identifier from the network asset blocking information list.
In a specific implementation, the big data security analysis platform obtains the unblocking mode corresponding to the network asset identifier from the preset correspondence between network asset identifiers and unblocking modes in the network asset blocking information list.
S82, unblocking the network asset according to the unblocking mode.
In a specific implementation, when the unblocking mode is the manual unblocking mode, an administrator can manually unblock the network asset according to the actual situation.
When the unblocking mode is the timed unblocking mode, unblocking the network asset according to the flow shown in fig. 10 may include the following steps:
S91, when it is determined that the unblocking mode is the timed unblocking mode, obtaining the preset duration corresponding to the network asset identifier from the network asset blocking information list.
When the big data security analysis platform determines that the unblocking mode is the timed unblocking mode, it obtains the preset duration corresponding to the network asset identifier from the preset network asset blocking information list.
S92, unblocking the network asset according to the preset duration.
In a specific implementation, the big data security analysis platform obtains the risk score of the network asset in a specified time period and records it as the first risk score. The specified time period is one of the time periods following the current time period, after the first moment at which the network asset was blocked and before the second moment at which the preset duration is reached; the first risk score is obtained period by period until the second moment is reached. When the first risk score is determined to be less than the preset threshold, the network asset is unblocked. When the first risk score is determined to be greater than or equal to the preset threshold and the second moment corresponding to the preset duration is reached, the network asset is also unblocked; that is, if the first risk score is still greater than or equal to the preset threshold at the second moment corresponding to the preset duration, the network asset is unblocked directly.
Optionally, the network asset blocking information list may further include a correspondence between an identifier of a preset authority domain, a preset threshold and a preset unblocking mode. Likewise, the unblocking mode includes a manual unblocking mode and a timed unblocking mode, and when the unblocking mode is the timed unblocking mode, the network asset blocking information list further includes the preset duration corresponding to the identifier of the authority domain to be blocked. Blocking an authority domain means blocking all network assets contained in the authority domain corresponding to the authority domain identifier.
In a specific implementation, blocking the authority domain according to the flow shown in fig. 11 may include the following steps:
S100, obtaining the identifier of the authority domain.
In a specific implementation, the big data security analysis platform obtains the identifier of the authority domain.
S101, when the identifier of the authority domain is found in the network asset blocking information list, obtaining a first preset threshold corresponding to the identifier of the authority domain from the network asset blocking information list.
When the identifier of the authority domain is found in the preset network asset blocking information list, the big data security analysis platform obtains the preset threshold corresponding to the identifier of the authority domain from the network asset blocking information list and records it as the first preset threshold.
S102, blocking the network assets in the authority domain when the risk score of the authority domain is greater than or equal to the first preset threshold.
In a specific implementation, the big data security analysis platform obtains the risk score of the authority domain in the current time period, compares it with the first preset threshold, and blocks each network asset in the authority domain if the risk score of the authority domain is greater than or equal to the first preset threshold.
S103, obtaining the unblocking mode corresponding to the identifier of the authority domain from the network asset blocking information list.
In a specific implementation, the big data security analysis platform obtains the unblocking mode corresponding to the identifier of the authority domain from the preset correspondence between authority domain identifiers and unblocking modes in the network asset blocking information list.
S104, unblocking the network assets in the authority domain according to the unblocking mode.
In a specific implementation, when the unblocking mode is the manual unblocking mode, an administrator can manually unblock each network asset in the authority domain according to the actual situation.
When the unblocking mode is the timed unblocking mode, unblocking the authority domain, that is, unblocking the network assets in the authority domain, according to the flow shown in fig. 12 may include the following steps:
S1041, when it is determined that the unblocking mode is the timed unblocking mode, obtaining a first preset duration corresponding to the identifier of the authority domain from the network asset blocking information list.
When the big data security analysis platform determines that the unblocking mode is the timed unblocking mode, it obtains the preset duration corresponding to the identifier of the authority domain from the preset network asset blocking information list and records it as the first preset duration.
S1042, unblocking the network assets in the authority domain according to the first preset duration.
In a specific implementation, the big data security analysis platform obtains the risk score of the authority domain in a first specified time period and records it as the second risk score. The first specified time period is one of the time periods following the current time period, after the third moment at which the network assets of the authority domain were blocked and before the fourth moment at which the first preset duration is reached; the second risk score is obtained period by period until the fourth moment is reached. When the second risk score is determined to be less than the first preset threshold, each network asset in the authority domain is unblocked. When the second risk score is determined to be greater than or equal to the first preset threshold and the fourth moment corresponding to the first preset duration is reached, each network asset in the authority domain is also unblocked; that is, if the second risk score is still greater than or equal to the first preset threshold at the fourth moment corresponding to the first preset duration, each network asset in the authority domain is unblocked directly.
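The blocking and unblocking flows of figs. 9 to 12 (S81 to S92 for a single network asset, S100 to S1042 for an authority domain), as an added example that is not part of the patent text. A BlockPolicy record stands in for one row of the network asset blocking information list; the preset duration is assumed to be counted in scoring periods, the risk scores are taken as already computed, and the identifiers, thresholds and scores are constructed.

```python
"""Blocking and timed/manual unblocking of assets and authority domains (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class BlockPolicy:
    """One row of the blocking information list (constructed stand-in)."""
    threshold: float                 # preset threshold for this identifier
    release_mode: str                # "manual" or "timed"
    duration: Optional[int] = None   # preset duration in periods (timed mode only)


class BlockingController:
    """Applies S112 to S114 and the unblocking flows to per-period risk scores."""

    def __init__(self, policies: Dict[str, BlockPolicy],
                 domains: Optional[Dict[str, Sequence[str]]] = None) -> None:
        self.policies = policies
        self.domains = domains or {}               # domain id -> member asset ids
        self.blocked_since: Dict[str, int] = {}    # identifier -> period it was blocked

    def evaluate(self, ident: str, period: int, risk: float) -> str:
        """Process one period's risk score for one identifier; returns the action."""
        policy = self.policies.get(ident)
        if policy is None:
            return "unlisted"                      # S112: not listed, never auto-blocked
        since = self.blocked_since.get(ident)
        if since is None:
            if risk >= policy.threshold:           # S114: block at or above threshold
                self.blocked_since[ident] = period
                return "blocked"
            return "allowed"
        if policy.release_mode == "manual":
            return "blocked"                       # S82: waits for manual_unblock()
        if risk < policy.threshold:                # S92: score fell below threshold
            del self.blocked_since[ident]
            return "unblocked:score"
        if policy.duration is not None and period - since >= policy.duration:
            del self.blocked_since[ident]          # S92: preset duration reached
            return "unblocked:timeout"
        return "blocked"

    def evaluate_domain(self, domain: str, period: int, risk: float) -> Dict[str, str]:
        """S102 to S104: the domain decision is applied to every member asset."""
        action = self.evaluate(domain, period, risk)
        return {asset: action for asset in self.domains.get(domain, ())}

    def manual_unblock(self, ident: str) -> bool:
        """Administrator release; only valid for manual-mode entries."""
        policy = self.policies.get(ident)
        if policy is None or policy.release_mode != "manual":
            return False
        return self.blocked_since.pop(ident, None) is not None

    def is_blocked(self, ident: str) -> bool:
        """Blocked directly, or through a blocked authority domain it belongs to."""
        if ident in self.blocked_since:
            return True
        return any(ident in members and dom in self.blocked_since
                   for dom, members in self.domains.items())


if __name__ == "__main__":
    # Constructed policies and a constructed run of per-period scores.
    ctl = BlockingController(
        {"asset-A": BlockPolicy(0.8, "timed", 3), "asset-B": BlockPolicy(0.5, "manual")})
    for period, risk in enumerate([0.9, 0.85, 0.7, 0.95, 0.9, 0.9, 0.9]):
        print(f"period {period}: risk {risk:.2f} -> {ctl.evaluate('asset-A', period, risk)}")
```

Two properties worth checking against a real deployment: an identifier absent from the blocking information list is never blocked automatically, so coverage of that list is itself a control; and in timed mode an identifier whose score stays at or above the threshold is released at the deadline and, on the next evaluation, blocked again, which is the flapping behaviour the timed release implies unless the scoring weights let the score decay first.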
According to the network asset risk control method provided by the embodiment of the invention, the asset threat index of the network asset to be judged in the current time period is determined jointly from the asset period threat index of the network asset in the current time period and the asset period threat indexes of the network asset in the historical time periods, so that the influence of historical threats on the threat of the current time period is taken into account and a network asset is not judged risk-free merely because no threat is detected in the current time period. Further, the risk score of the network asset in the current time period is determined from the asset threat index and the asset vulnerability index of the network asset, so that the risk assessment is performed more accurately, the accuracy of the risk score is improved, and the risk control efficiency for the network asset is improved. Moreover, the risk degree of each authority domain can be distinguished through the risk score of the authority domain, so that the node with the problem can be located more quickly. Based on the risk score of the network asset and the risk score of the authority domain, a single network asset and the network assets in an authority domain can be blocked and unblocked automatically; blocking a dangerous network asset reduces the number of dangerous requests sent by it that enter the system, which reduces the risk, and when the risk score falls below the threshold the blocking is released, which improves security.
Based on the same inventive concept, the embodiment of the invention also provides a network asset risk control device, and because the principle of solving the problem of the network asset risk control device is similar to that of the network asset risk control method, the implementation of the device can refer to the implementation of the method, and the repetition is omitted.
As shown in fig. 13, which is a schematic structural diagram of a network asset risk control device according to an embodiment of the present invention, the network asset risk control device may include:
a first obtaining unit 111, configured to obtain network asset related data, where the data includes at least a network asset identifier, the attack events of the network asset in the current time period, the attack result corresponding to each attack event, the attacked state of the network asset in the current time period, the number of attack source Internet Protocol (IP) addresses of the network asset in the current time period, the number of attack source IP addresses of the network asset in the first N time periods before the current time period, and the vulnerabilities of the network asset in the current time period;
a second obtaining unit 112, configured to obtain, when it is determined that the network asset identifier is found from a preset network asset blocking information list, a preset threshold corresponding to the network asset identifier from the network asset blocking information list;
A first determining unit 113, configured to determine a risk score of the network asset in the current time period according to the data;
and the network asset blocking unit 114 is configured to block the network asset when determining that the risk score of the network asset is greater than or equal to the preset threshold.
Optionally, the apparatus further comprises:
a third obtaining unit, configured to obtain, from the network asset blocking information list, a blocking release manner corresponding to the network asset identifier;
and a network asset unblocking unit, configured to unblock the network asset according to the unblocking mode.
Preferably, the unblocking mode includes a timed unblocking mode;
the network asset unblocking unit is specifically configured to obtain the preset duration corresponding to the network asset identifier from the network asset blocking information list when it is determined that the unblocking mode is the timed unblocking mode, and to unblock the network asset according to the preset duration.
Preferably, the network asset unblocking unit is specifically configured to obtain a first risk score of the network asset in a specified time period, where the specified time period is after the first moment at which the network asset was blocked and before the second moment at which the preset duration is reached; to unblock the network asset when the first risk score is determined to be less than the preset threshold; and to unblock the network asset when the first risk score is determined to be greater than or equal to the preset threshold and the second moment corresponding to the preset duration is reached.
Preferably, the first determining unit 113 is specifically configured to determine an asset cycle threat index of the network asset in the current time period, where the asset cycle threat index characterizes a degree of threat of the network asset in the current time period; determining an asset threat index of the network asset according to the asset cycle threat index of the network asset and the asset cycle threat indexes of the network asset in the first N time periods of the current time period, wherein the asset threat index represents the threat degree of the network asset up to the current time period; determining an asset vulnerability index of the network asset for the current time period, the asset vulnerability index characterizing a vulnerability level of the network asset; and determining a risk score of the network asset in the current time period according to the asset threat index and the asset vulnerability index.
Preferably, the first determining unit 113 is specifically configured to determine the asset threat severity, the asset under-attack state score and the asset threat surface of the network asset in the current time period; and to determine the asset period threat index of the network asset in the current time period according to the asset threat severity, the asset under-attack state score and the asset threat surface of the network asset.
Preferably, the first determining unit 113 is specifically configured to calculate the asset period threat index of the network asset in the current time period according to the following formula:
w = α * S + β * Q + γ * P
wherein w represents the asset period threat index of the network asset in the current time period;
S represents the asset threat severity of the network asset in the current time period;
α represents the weight of S;
Q represents the asset under-attack state score of the network asset in the current time period;
β represents the weight of Q;
P represents the asset threat surface of the network asset in the current time period;
γ represents the weight of P.
Preferably, the first determining unit 113 is specifically configured to determine the threat level of each attack event according to a preset correspondence between attack events and threat levels, where the threat level characterizes the risk level of the attack event; and to determine the asset threat severity of the network asset in the current time period according to the highest threat level among those threat levels, the attack result of the attack event with the highest threat level, and the highest threat level among the attack events whose attack result is a successful attack.
Preferably, the first determining unit 113 is specifically configured to find the attacked state of the asset from a preset correspondence between the attacked state of the asset and the score of the attacked state of the asset; and obtaining the score of the attacked state of the asset corresponding to the attacked state of the asset.
Preferably, the first determining unit 113 is specifically configured to determine the highest number of attack source IP addresses of the network asset in the current time period and the first N time periods before the current time period; and to determine the asset threat surface of the network asset in the current time period according to the number of attack source IP addresses of the network asset in the current time period and that highest number of attack source IP addresses.
Preferably, the first determining unit 113 is specifically configured to calculate the asset threat severity of the network asset in the current time period by the following formula:
S = (r_1 * Te_1 + r_2 * Te_2 * Re) * 10/5
wherein S represents the asset threat severity of the network asset in the current time period;
Te_1 represents the highest threat level among those attack events of the network asset whose attack result is a successful attack;
r_1 represents the weight of Te_1;
Te_2 represents the highest threat level among the threat levels of the attack events of the network asset;
r_2 represents the weight of Te_2;
Re represents the attack result of the attack event with the highest threat level among the attack events of the network asset: Re = 1 if the attack succeeded, Re = 0.1 if the attack failed, and Re = 0.5 if the attack result is uncertain.
Preferably, the first determining unit 113 is specifically configured to calculate the asset threat surface of the network asset in the current time period according to the following formula:
wherein P represents the asset threat surface of the network asset in the current time period;
c represents the number of attack source IP addresses of the network asset in the current time period;
c_max represents the highest number of attack source IP addresses of the network asset in the current time period and the first N time periods before the current time period.
Preferably, the first determining unit 113 is specifically configured to calculate a risk score of the network asset in the current time period by the following formula:
Risk = c_1 * W + c_2 * R
wherein Risk represents the risk score of the network asset in the current time period;
W represents the asset threat index of the network asset;
c_1 represents the weight of W;
R represents the asset vulnerability index of the network asset in the current time period;
c_2 represents the weight of R.
Preferably, the first determining unit 113 is specifically configured to calculate an asset threat index of the network asset according to the following formula:
wherein W represents the asset threat index of the network asset;
N represents the number of time periods counted back from the current time period, i = 0, 1, ..., N;
w_i represents the asset period threat index of the network asset in the time period that is i periods before the current time period;
b_i represents the weight of w_i.
preferably, the first determining unit 113 is specifically configured to determine an asset value of the network asset according to a preset correspondence between the network asset and an asset value, where the asset value is used to characterize an importance level of the network asset; determining the risk index of each vulnerability according to the corresponding relation between the preset vulnerability and the risk index, wherein the risk index of each vulnerability represents the risk degree of the vulnerability; and determining the asset vulnerability index of the network asset in the current time period according to the asset value and the risk index of each vulnerability.
Preferably, the first determining unit 113 is specifically configured to calculate the asset vulnerability index of the network asset for the current time period according to the following formula:
Wherein R represents an asset vulnerability index of the network asset for the current time period;
a_j represents the risk index of the j-th vulnerability of the network asset in the current time period, j = 1, 2, 3, ..., m, where a_1 > a_2 > a_3 > ... > a_m;
V represents the asset value of the network asset.
Optionally, the apparatus further comprises:
a second determining unit, configured to determine a cycle threat index of a rights domain of the current time period according to an asset cycle threat index of a network asset included in the rights domain of the current time period, where the rights domain represents a range of managed network assets, the rights domain includes at least two network assets, and the cycle threat index of the rights domain represents a degree of threat of the rights domain in the current time period;
a third determining unit, configured to determine a threat index of the authority domain according to the period threat index of the authority domain and the period threat indexes of the authority domain in the first N time periods of the current time period, where the threat index of the authority domain indicates a degree of threat of the authority domain up to the current time period;
A fourth determining unit, configured to determine a vulnerability index of the authority domain for a current time period according to an asset vulnerability index of a network asset included in the authority domain, where the vulnerability index of the authority domain characterizes a vulnerability degree of the authority domain;
and a fifth determining unit, configured to determine a risk score of the authority domain in the current time period according to the threat index of the authority domain and the vulnerability index of the authority domain.
Preferably, the second determining unit is specifically configured to calculate the cycle threat index of the authority domain of the current time cycle according to the following formula:
wherein w' represents the period threat index of the authority domain in the current time period;
V_k represents the asset value of the k-th network asset in the authority domain in the current time period, k = 1, 2, ...;
w_k represents the asset period threat index of the k-th network asset in the authority domain in the current time period.
Preferably, the third determining unit is specifically configured to calculate the threat index of the authority domain according to the following formula:
wherein W' represents the threat index of the authority domain;
N represents the number of time periods counted back from the current time period, i = 0, 1, ..., N;
w_i' represents the period threat index of the authority domain in the time period that is i periods before the current time period;
b_i represents the weight of w_i'.
preferably, the fourth determining unit is specifically configured to calculate the vulnerability index of the authority domain of the current time period according to the following formula:
wherein R_lm represents the vulnerability index of the authority domain in the current time period;
R_k represents the asset vulnerability index of the k-th network asset in the authority domain in the current time period, k = 1, 2, ..., M; M represents the number of network assets contained in the authority domain, and R_1 > R_2 > R_3 > ... > R_M.
Preferably, the fifth determining unit is specifically configured to calculate a risk score of the authority domain of the current time period according to the following formula:
Risk' = d_1 * W' + d_2 * R_lm
wherein Risk' represents the risk score of the authority domain in the current time period;
W' represents the threat index of the authority domain;
d_1 represents the weight of W';
R_lm represents the vulnerability index of the authority domain in the current time period;
d_2 represents the weight of R_lm.
Optionally, the apparatus further comprises:
a fourth obtaining unit, configured to obtain an identifier of the rights domain;
A fifth obtaining unit, configured to obtain, when determining that the identifier of the rights domain is found from the network asset blocking information list, a first preset threshold corresponding to the identifier of the rights domain from the network asset blocking information list;
a rights domain blocking unit, configured to block a network asset in the rights domain when it is determined that a risk score of the rights domain is greater than or equal to the first preset threshold;
a sixth obtaining unit, configured to obtain, from the network asset blocking information list, a blocking release manner corresponding to the identifier of the rights domain;
and the authority domain blocking and unblocking unit is used for unblocking the network assets in the authority domain according to the unblocking mode.
Based on the same technical concept, the embodiment of the present invention further provides an electronic device 110, referring to fig. 14, where the electronic device 110 is configured to implement the network asset risk control method described in the above method embodiment, and the electronic device 110 of this embodiment may include: memory 1101, processor 1102, and a computer program stored in the memory and executable on the processor, such as a network asset risk scoring program. The steps of the above embodiments of the method for controlling risk of network assets are implemented by the processor when executing the computer program, for example, step S111 shown in fig. 1. Alternatively, the processor, when executing the computer program, performs the functions of the modules/units of the apparatus embodiments described above, e.g. 111.
The specific connection medium between the memory 1101 and the processor 1102 is not limited in the embodiment of the present application. In the embodiment of the present application, the memory 1101 and the processor 1102 are connected through the bus 1103 in fig. 14, the bus 1103 is shown in a thick line in fig. 14, and the connection manner between other components is only schematically illustrated, but not limited to. The bus 1103 can be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 14, but not only one bus or one type of bus.
The memory 1101 may be a volatile memory, such as a random-access memory (RAM); the memory 1101 may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid state drive (SSD), or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 1101 may also be a combination of the above memories.
A processor 1102, configured to implement a network asset risk control method as shown in fig. 1, including:
the processor 1102 is configured to invoke a computer program stored in the memory 1101 to execute step S111 shown in fig. 1, obtain network asset related data, step S112, obtain a preset threshold corresponding to the network asset identifier from a preset network asset blocking information list when it is determined that the network asset identifier is found from the preset network asset blocking information list, step S113, determine a risk score of the network asset in the current time period according to the data, and step S114, block the network asset when it is determined that the risk score of the network asset is greater than or equal to the preset threshold.
The embodiment of the application also provides a computer-readable storage medium that stores the computer-executable instructions to be executed by the processor, including the program that performs the method executed by the processor.
In some possible embodiments, aspects of the network asset risk control method provided by the present application may also be implemented in the form of a program product, which includes program code for causing an electronic device to perform the steps in the network asset risk control method according to the various exemplary embodiments of the present application described above when the program product is run on the electronic device, for example, the electronic device may perform step S111 as shown in fig. 1, obtain network asset related data, step S112, obtain a preset threshold value corresponding to the network asset identification from a preset network asset blocking information list when it is determined that the network asset identification is found from the network asset blocking information list, step S113, determine a risk score of the network asset for the current time period according to the data, and block the network asset when it is determined that the risk score of the network asset is greater than or equal to the preset threshold value, step S114.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for network asset risk control of embodiments of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code and may run on a computing device. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the elements described above may be embodied in one element in accordance with embodiments of the present invention. Conversely, the features and functions of one unit described above may be further divided into a plurality of units to be embodied.
Furthermore, although the operations of the methods of the present invention are depicted in the drawings in a particular order, this is not required to either imply that the operations must be performed in that particular order or that all of the illustrated operations be performed to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (46)
1. A method for controlling risk of a network asset, comprising:
acquiring network asset related data, wherein the data at least comprises a network asset identifier, attack events of the network asset in a current time period, an attack result corresponding to each attack event, an asset under-attack state of the network asset in the current time period, the number of attack-source Internet Protocol (IP) addresses of the network asset in the current time period, the number of attack-source IP addresses of the network asset in each of the N time periods preceding the current time period, and the vulnerabilities of the network asset in the current time period;
when the network asset identifier is found in a preset network asset blocking information list, acquiring a preset threshold corresponding to the network asset identifier from the network asset blocking information list;
determining a risk score for the network asset for the current time period based on the data;
and blocking the network asset when the risk score of the network asset is greater than or equal to the preset threshold.
2. The method as recited in claim 1, further comprising:
acquiring an unblocking mode corresponding to the network asset identifier from the network asset blocking information list;
And unblocking the network asset according to the unblocking mode.
3. The method of claim 2, wherein the unblocking mode comprises a timed unblocking mode;
unblocking the network asset according to the unblocking mode specifically comprises:
when the unblocking mode is determined to be the timed unblocking mode, acquiring a preset duration corresponding to the network asset identifier from the network asset blocking information list;
and unblocking the network asset according to the preset duration.
4. A method according to claim 3, wherein unblocking the network asset according to the preset duration comprises:
acquiring a first risk score of the network asset in a specified time period, wherein the specified time period is after a first time corresponding to the blocking of the network asset and before a second time corresponding to the preset duration;
unblocking the network asset when the first risk score is determined to be less than the preset threshold;
and unblocking the network asset when the first risk score is determined to be greater than or equal to the preset threshold and the second time corresponding to the preset duration is reached.
5. The method of claim 1, wherein determining a risk score for the network asset for the current time period based on the data, comprises:
determining an asset cycle threat index for the network asset for the current time period, the asset cycle threat index characterizing a degree of threat for the network asset over the current time period;
determining an asset threat index of the network asset according to the asset cycle threat index of the network asset and the asset cycle threat indexes of the network asset in the N time periods preceding the current time period, wherein the asset threat index represents the threat degree of the network asset up to the current time period;
determining an asset vulnerability index of the network asset for the current time period, the asset vulnerability index characterizing a vulnerability level of the network asset;
and determining a risk score of the network asset in the current time period according to the asset threat index and the asset vulnerability index.
6. The method of claim 5, wherein determining an asset cycle threat index for the network asset for the current time period, comprises:
determining an asset threat severity, an asset under-attack state score, and an asset threat surface of the network asset for the current time period;
and determining an asset cycle threat index of the network asset in the current time period according to the asset threat severity of the network asset, the asset under-attack state score and the asset threat surface.
7. The method of claim 6, wherein determining an asset cycle threat index of the network asset for the current time period according to the asset threat severity, the asset under-attack state score, and the asset threat surface of the network asset comprises:
calculating an asset cycle threat index for the network asset for the current time period by:
w=α*S+β*Q+γ*P
wherein w represents the asset cycle threat index of the network asset for the current time period;
S represents the asset threat severity of the network asset for the current time period;
α represents the weight of S;
Q represents the asset under-attack state score of the network asset for the current time period;
β represents the weight of Q;
P represents the asset threat surface of the network asset for the current time period;
γ represents the weight of P.
8. The method of claim 6, wherein determining the asset threat severity of the network asset for the current time period, in particular comprises:
determining a threat level of an attack event according to a preset corresponding relation between the attack event and the threat level, wherein the threat level represents the risk degree of the attack event;
and determining the asset threat severity of the network asset in the current time period according to the highest threat level among the threat levels, the attack result of the attack event having that highest threat level, and the highest threat level among the attack events whose attack result is a successful attack.
9. The method of claim 6, wherein determining an asset under-attack status score for the network asset for the current time period, comprises:
looking up the asset under-attack state in a preset correspondence between asset under-attack states and asset under-attack state scores;
and obtaining the asset under-attack state score corresponding to the asset under-attack state.
10. The method of claim 6, wherein determining the asset threat face of the network asset for the current time period comprises:
determining the highest number of attack-source IP addresses of the network asset across the current time period and the N time periods preceding the current time period;
and determining the asset threat surface of the network asset in the current time period according to the number of attack-source IP addresses of the network asset in the current time period and the highest number of attack-source IP addresses.
11. The method of claim 8, wherein determining the asset threat severity of the network asset for the current time period according to the highest threat level among the threat levels, the attack result of the attack event having that highest threat level, and the highest threat level among the attack events whose attack result is a successful attack, specifically comprises:
calculating the asset threat severity of the network asset for the current time period by:
S=(r_1*Te_1+r_2*Te_2*Re)*10/5
wherein S represents the asset threat severity of the network asset for the current time period;
Te_1 represents the highest threat level among those attack events of the network asset whose attack result is a successful attack;
r_1 represents the weight of Te_1;
Te_2 represents the highest threat level among the threat levels of the attack events of the network asset;
r_2 represents the weight of Te_2;
Re represents the attack result of the attack event having the highest threat level among the attack events of the network asset, with Re=1 if the attack succeeded, Re=0.1 if the attack failed, and Re=0.5 if the attack result is uncertain.
12. The method of claim 10, wherein determining the asset threat surface of the network asset for the current time period according to the number of attack-source IP addresses of the network asset in the current time period and the highest number of attack-source IP addresses comprises:
calculating the asset threat surface of the network asset for the current time period by:
wherein P represents the asset threat surface of the network asset for the current time period;
c represents the number of attack-source IP addresses of the network asset in the current time period;
c_max represents the highest number of attack-source IP addresses of the network asset across the current time period and the N time periods preceding the current time period.
13. The method of claim 5, wherein determining a risk score for the network asset for the current time period based on the asset threat index and the asset vulnerability index, comprises:
Calculating a risk score for the network asset at the current time period by:
Risk=c_1*W+c_2*R
wherein Risk represents the risk score of the network asset for the current time period;
W represents the asset threat index of the network asset;
c_1 represents the weight of W;
R represents the asset vulnerability index of the network asset for the current time period;
c_2 represents the weight of R.
14. The method of claim 5, wherein determining the asset threat index of the network asset according to the asset cycle threat index of the network asset and the asset cycle threat indexes of the network asset in the N time periods preceding the current time period comprises:
calculating the asset threat index of the network asset by:
wherein W represents the asset threat index of the network asset;
N represents the number of time periods counted back from the current time period, i=0, 1, ..., N;
w_i represents the asset cycle threat index of the network asset for the time period that is i periods before the current time period;
b_i represents the weight of w_i.
15. The method of claim 5, wherein determining the asset vulnerability index of the network asset for the current time period comprises:
Determining the asset value of the network asset according to a preset corresponding relation between the network asset and the asset value, wherein the asset value is used for representing the importance level of the network asset;
determining the risk index of each vulnerability according to the corresponding relation between the preset vulnerability and the risk index, wherein the risk index of each vulnerability represents the risk degree of the vulnerability;
and determining the asset vulnerability index of the network asset in the current time period according to the asset value and the risk index of each vulnerability.
16. The method of claim 15, wherein determining the asset vulnerability index of the network asset for the current time period based on the asset value and the risk index of each vulnerability, comprises:
calculating an asset vulnerability index of the network asset for the current time period by:
wherein R represents the asset vulnerability index of the network asset for the current time period;
a_j represents the risk index of the j-th vulnerability of the network asset for the current time period, j=1, 2, 3, ..., m, with a_1>a_2>a_3>......>a_m;
V represents the asset value of the network asset.
17. The method of any one of claims 5, 6, 7, or 16, further comprising:
determining the cycle threat index of the authority domain of the current time period according to the asset cycle threat index of the network asset contained in the authority domain of the current time period, wherein the authority domain represents the range of the managed network asset, the authority domain contains at least two network assets, and the cycle threat index of the authority domain represents the threat degree of the authority domain in the current time period;
determining a threat index of the authority domain according to the cycle threat index of the authority domain and the cycle threat indexes of the authority domain in the N time periods preceding the current time period, wherein the threat index of the authority domain represents the threat degree of the authority domain up to the current time period;
determining the vulnerability index of the authority domain of the current time period according to the asset vulnerability index of the network asset contained in the authority domain, wherein the vulnerability index of the authority domain represents the vulnerability degree of the authority domain;
and determining a risk score of the authority domain in the current time period according to the threat index of the authority domain and the vulnerability index of the authority domain.
18. The method of claim 17, wherein determining the cycle threat index of the authority domain for the current time period according to the asset cycle threat indexes of the network assets contained in the authority domain for the current time period comprises:
calculating the cycle threat index of the authority domain for the current time period by the following formula:
wherein w' represents the cycle threat index of the authority domain for the current time period;
V_k represents the asset value of the k-th network asset in the authority domain for the current time period, k=1, 2, ...;
w_k represents the asset cycle threat index of the k-th network asset in the authority domain for the current time period.
19. The method of claim 17, wherein determining the threat index of the authority domain according to the cycle threat index of the authority domain and the cycle threat indexes of the authority domain in the N time periods preceding the current time period comprises:
calculating the threat index of the authority domain by the following formula:
wherein W' represents the threat index of the authority domain;
N represents the number of time periods counted back from the current time period, i=0, 1, ..., N;
w'_i represents the cycle threat index of the authority domain for the time period that is i periods before the current time period;
b_i represents the weight of w'_i.
20. The method of claim 17, wherein determining the vulnerability index of the authority domain for the current time period according to the asset vulnerability indexes of the network assets contained in the authority domain comprises:
calculating the vulnerability index of the authority domain for the current time period by the following formula:
wherein R_lm represents the vulnerability index of the authority domain for the current time period;
R_k represents the asset vulnerability index of the k-th network asset in the authority domain for the current time period, k=1, 2, ..., M; M represents the number of network assets contained in the authority domain, and R_1>R_2>R_3>......>R_M.
21. The method according to claim 19 or 20, wherein determining the risk score of the authority domain for the current time period according to the threat index of the authority domain and the vulnerability index of the authority domain specifically comprises:
calculating the risk score of the authority domain for the current time period by the following formula:
Risk'=d_1*W'+d_2*R_lm
wherein Risk' represents the risk score of the authority domain for the current time period;
W' represents the threat index of the authority domain;
d_1 represents the weight of W';
R_lm represents the vulnerability index of the authority domain for the current time period;
d_2 represents the weight of R_lm.
22. The method as recited in claim 17, further comprising:
acquiring an identifier of the authority domain;
when the identifier of the authority domain is found in the network asset blocking information list, acquiring a first preset threshold corresponding to the identifier of the authority domain from the network asset blocking information list;
blocking the network assets in the authority domain when the risk score of the authority domain is greater than or equal to the first preset threshold;
acquiring an unblocking mode corresponding to the identifier of the authority domain from the network asset blocking information list;
and unblocking the network assets in the authority domain according to the unblocking mode.
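The per-asset part of the method (claims 1 to 16) is compact enough to model end to end: compute S, Q and P for the current period, fold them into w, weight w against the stored w_i of the N preceding periods to get W, combine W with the vulnerability index R, and gate the blocking decision on the threshold from the blocking information list. The Python below is an added example written for this page; it is not code from the patent or its assignee. The threat-level and state-score tables, all weights, the threshold, the event and vulnerability names, the unblocking mode names, the sample data, and the concrete forms of P, W and R (whose formula images are absent from the page) are all assumptions chosen for illustration.

```python
# Added example, not the patent's code. Models claims 1-16: per-asset risk
# scoring plus the block / timed-unblock decision. Every table, weight and the
# forms of P, W and R (their formula images are missing from the page) are
# assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed preset correspondences (the claims only say they are "preset").
THREAT_LEVEL = {"port_scan": 1, "brute_force": 3, "sql_injection": 4, "rce": 5}
ATTACK_RESULT_RE = {"success": 1.0, "failed": 0.1, "unknown": 0.5}  # Re, claim 11
UNDER_ATTACK_SCORE = {"idle": 0, "probed": 2, "under_attack": 5, "compromised": 10}
VULN_RISK = {"weak-ssh-config": 3.0, "old-openssl": 7.0}  # hypothetical vuln ids

@dataclass
class PeriodData:
    """Data collected for one asset in one time period (claim 1)."""
    events: List[Tuple[str, str]]  # (attack event, attack result)
    state: str                     # asset under-attack state
    src_ips: int                   # number of attack-source IP addresses
    vulns: List[str]               # vulnerabilities present in the period

@dataclass
class BlockEntry:
    """One row of the network asset blocking information list (claims 1-3)."""
    threshold: float
    unblock_mode: str = "timed"   # assumed mode names: "timed" / "manual"
    duration: int = 0             # preset duration in periods (timed mode)

def threat_severity(events, r1=0.6, r2=0.4):
    """S = (r1*Te1 + r2*Te2*Re)*10/5 (claim 11)."""
    if not events:
        return 0.0
    levels = [(THREAT_LEVEL[e], res) for e, res in events]
    te2, top_result = max(levels, key=lambda lr: lr[0])  # highest-level event
    successful = [lv for lv, res in levels if res == "success"]
    te1 = max(successful) if successful else 0            # highest successful
    return (r1 * te1 + r2 * te2 * ATTACK_RESULT_RE[top_result]) * 10 / 5

def threat_surface(c, c_max):
    """P from c and c_max (claim 12). Assumed form: the ratio c / c_max."""
    return c / c_max if c_max else 0.0

def cycle_threat_index(period, past_ips, alpha=0.5, beta=0.3, gamma=0.2):
    """w = alpha*S + beta*Q + gamma*P (claim 7); c_max per claim 10."""
    s = threat_severity(period.events)
    q = UNDER_ATTACK_SCORE[period.state]
    c_max = max([period.src_ips] + list(past_ips))
    return alpha * s + beta * q + gamma * threat_surface(period.src_ips, c_max)

def threat_index(cycle_indices, decay=0.5):
    """W from w_0 (current) .. w_N with weights b_i (claim 14). Assumed
    weights: geometric decay in i, normalised so the b_i sum to 1."""
    raw = [decay ** i for i in range(len(cycle_indices))]
    total = sum(raw)
    return sum(b / total * w for b, w in zip(raw, cycle_indices))

def vulnerability_index(vulns, asset_value):
    """R from V and the sorted risk indices a_1 > a_2 > ... > a_m (claim 16).
    Assumed form: V times a halving-weighted sum, so the worst vulnerability
    dominates but every further one still raises the index."""
    a = sorted((VULN_RISK[v] for v in vulns), reverse=True)
    return asset_value * sum(aj / 2 ** j for j, aj in enumerate(a))

def risk_score(current, past_ips, past_w, asset_value, c1=0.6, c2=0.4):
    """Risk = c1*W + c2*R (claim 13). past_w are the stored cycle threat
    indices of the N preceding periods, most recent first."""
    w0 = cycle_threat_index(current, past_ips)
    big_w = threat_index([w0] + list(past_w))
    return c1 * big_w + c2 * vulnerability_index(current.vulns, asset_value)

def should_block(asset_id, risk, block_list: Dict[str, BlockEntry]):
    """Claim 1: block only if the asset is listed and risk >= its threshold."""
    entry = block_list.get(asset_id)
    return entry is not None and risk >= entry.threshold

def should_unblock(entry, first_risk, periods_elapsed):
    """Claim 4: in timed mode, release early once a later score falls below
    the threshold, otherwise release when the preset duration is reached."""
    if entry.unblock_mode != "timed":
        return False
    return first_risk < entry.threshold or periods_elapsed >= entry.duration

def demo():
    """Constructed sample data for one asset with N = 3 preceding periods."""
    current = PeriodData(events=[("brute_force", "failed"), ("rce", "success")],
                         state="compromised", src_ips=12,
                         vulns=["old-openssl", "weak-ssh-config"])
    past_ips = [4, 9, 3]       # attack-source IP counts, most recent first
    past_w = [2.0, 3.5, 1.0]   # stored cycle threat indices, most recent first
    block_list = {"web-01": BlockEntry(threshold=6.0, duration=3)}
    risk = risk_score(current, past_ips, past_w, asset_value=1.0)
    return round(risk, 3), should_block("web-01", risk, block_list)
```

Two points of the claims are worth noticing in the code. First, `should_block` returns False for any asset that is not in the blocking information list, whatever its score: under claim 1 the list is a per-asset allow-list for automatic blocking, so assets that must never be cut off are simply not listed. Second, `should_unblock` checks the later risk score before the duration, which is the claim 4 behaviour: a blocked asset whose score has dropped below its threshold is released before the preset duration expires, while one that stays hot is held until the second time is reached and then released regardless.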
23. A network asset risk control device, comprising:
a first obtaining unit, configured to obtain network asset related data, wherein the data at least comprises a network asset identifier, attack events of the network asset in a current time period, an attack result corresponding to each attack event, an asset under-attack state of the network asset in the current time period, the number of attack-source Internet Protocol (IP) addresses of the network asset in the current time period, the number of attack-source IP addresses of the network asset in each of the N time periods preceding the current time period, and the vulnerabilities of the network asset in the current time period;
a second obtaining unit, configured to obtain a preset threshold corresponding to the network asset identifier from the network asset blocking information list when the network asset identifier is determined to be found in a preset network asset blocking information list;
a first determining unit, configured to determine a risk score of the network asset for the current time period according to the data;
and a network asset blocking unit, configured to block the network asset when the risk score of the network asset is determined to be greater than or equal to the preset threshold.
24. The apparatus as recited in claim 23, further comprising:
a third obtaining unit, configured to obtain an unblocking mode corresponding to the network asset identifier from the network asset blocking information list;
and a network asset unblocking unit, configured to unblock the network asset according to the unblocking mode.
25. The apparatus of claim 24, wherein the unblocking mode comprises a timed unblocking mode;
the network asset unblocking unit is specifically configured to acquire a preset duration corresponding to the network asset identifier from the network asset blocking information list when the unblocking mode is determined to be the timed unblocking mode; and unblock the network asset according to the preset duration.
26. The apparatus of claim 25, wherein
the network asset unblocking unit is specifically configured to obtain a first risk score of the network asset in a specified time period, where the specified time period is after a first time corresponding to the blocking of the network asset and before a second time corresponding to the preset duration; unblock the network asset when the first risk score is determined to be less than the preset threshold; and unblock the network asset when the first risk score is determined to be greater than or equal to the preset threshold and the second time corresponding to the preset duration is reached.
27. The apparatus of claim 23, wherein
the first determining unit is specifically configured to determine an asset cycle threat index of the network asset in the current time period, where the asset cycle threat index characterizes the threat degree of the network asset in the current time period; determine an asset threat index of the network asset according to the asset cycle threat index of the network asset and the asset cycle threat indexes of the network asset in the N time periods preceding the current time period, where the asset threat index represents the threat degree of the network asset up to the current time period; determine an asset vulnerability index of the network asset for the current time period, where the asset vulnerability index characterizes the vulnerability level of the network asset; and determine a risk score of the network asset in the current time period according to the asset threat index and the asset vulnerability index.
28. The apparatus of claim 27, wherein
the first determining unit is specifically configured to determine an asset threat severity, an asset under-attack state score and an asset threat surface of the network asset in the current time period; and determine an asset cycle threat index of the network asset in the current time period according to the asset threat severity, the asset under-attack state score and the asset threat surface of the network asset.
29. The apparatus of claim 28, wherein
the first determining unit is specifically configured to calculate the asset cycle threat index of the network asset in the current time period according to the following formula:
w=α*S+β*Q+γ*P
wherein w represents the asset cycle threat index of the network asset for the current time period;
S represents the asset threat severity of the network asset for the current time period;
α represents the weight of S;
Q represents the asset under-attack state score of the network asset for the current time period;
β represents the weight of Q;
P represents the asset threat surface of the network asset for the current time period;
γ represents the weight of P.
30. The apparatus of claim 28, wherein
the first determining unit is specifically configured to determine a threat level of each attack event according to a preset correspondence between attack events and threat levels, where the threat level represents the risk degree of the attack event; and determine the asset threat severity of the network asset in the current time period according to the highest threat level among the threat levels, the attack result of the attack event having that highest threat level, and the highest threat level among the attack events whose attack result is a successful attack.
31. The apparatus of claim 28, wherein
the first determining unit is specifically configured to look up the asset under-attack state in a preset correspondence between asset under-attack states and asset under-attack state scores; and obtain the asset under-attack state score corresponding to the asset under-attack state.
32. The apparatus of claim 28, wherein
the first determining unit is specifically configured to determine the highest number of attack-source IP addresses of the network asset across the current time period and the N time periods preceding the current time period; and determine the asset threat surface of the network asset in the current time period according to the number of attack-source IP addresses of the network asset in the current time period and the highest number of attack-source IP addresses.
33. The apparatus of claim 30, wherein
the first determining unit is specifically configured to calculate the asset threat severity of the network asset for the current time period according to the following formula:
S=(r_1*Te_1+r_2*Te_2*Re)*10/5
wherein S represents the asset threat severity of the network asset for the current time period;
Te_1 represents the highest threat level among those attack events of the network asset whose attack result is a successful attack;
r_1 represents the weight of Te_1;
Te_2 represents the highest threat level among the threat levels of the attack events of the network asset;
r_2 represents the weight of Te_2;
Re represents the attack result of the attack event having the highest threat level among the attack events of the network asset, with Re=1 if the attack succeeded, Re=0.1 if the attack failed, and Re=0.5 if the attack result is uncertain.
34. The apparatus of claim 32, wherein
the first determining unit is specifically configured to calculate the asset threat surface of the network asset for the current time period according to the following formula:
wherein P represents the asset threat surface of the network asset for the current time period;
c represents the number of attack-source IP addresses of the network asset in the current time period;
c_max represents the highest number of attack-source IP addresses of the network asset across the current time period and the N time periods preceding the current time period.
35. The apparatus of claim 27, wherein
the first determining unit is specifically configured to calculate the risk score of the network asset for the current time period by the following formula:
Risk=c_1*W+c_2*R
wherein Risk represents the risk score of the network asset for the current time period;
W represents the asset threat index of the network asset;
c_1 represents the weight of W;
R represents the asset vulnerability index of the network asset for the current time period;
c_2 represents the weight of R.
36. The apparatus of claim 27, wherein
the first determining unit is specifically configured to calculate the asset threat index of the network asset according to the following formula:
wherein W represents the asset threat index of the network asset;
N represents the number of time periods counted back from the current time period, i=0, 1, ..., N;
w_i represents the asset cycle threat index of the network asset for the time period that is i periods before the current time period;
b_i represents the weight of w_i.
37. The apparatus of claim 27, wherein
the first determining unit is specifically configured to determine the asset value of the network asset according to a preset correspondence between network assets and asset values, where the asset value characterizes the importance level of the network asset; determine the risk index of each vulnerability according to a preset correspondence between vulnerabilities and risk indexes, where the risk index of a vulnerability represents the risk degree of that vulnerability; and determine the asset vulnerability index of the network asset in the current time period according to the asset value and the risk index of each vulnerability.
38. The apparatus of claim 37, wherein
the first determining unit is specifically configured to calculate an asset vulnerability index of the network asset for the current time period according to the following formula:
wherein R represents the asset vulnerability index of the network asset for the current time period;
a_j represents the risk index of the j-th vulnerability of the network asset for the current time period, j = 1, 2, 3, ..., with a_1 > a_2 > a_3 > ... > a_m;
V represents the asset value of the network asset.
39. The apparatus of any one of claims 27, 28, 29, or 38, further comprising:
a second determining unit, configured to determine a cycle threat index of a rights domain of the current time period according to an asset cycle threat index of a network asset included in the rights domain of the current time period, where the rights domain represents a range of managed network assets, the rights domain includes at least two network assets, and the cycle threat index of the rights domain represents a degree of threat of the rights domain in the current time period;
a third determining unit, configured to determine a threat index of the authority domain according to the period threat index of the authority domain and the period threat indexes of the authority domain in the first N time periods of the current time period, where the threat index of the authority domain indicates a degree of threat of the authority domain up to the current time period;
a fourth determining unit, configured to determine a vulnerability index of the authority domain for a current time period according to an asset vulnerability index of a network asset included in the authority domain, where the vulnerability index of the authority domain characterizes a vulnerability degree of the authority domain;
And a fifth determining unit, configured to determine a risk score of the authority domain in the current time period according to the threat index of the authority domain and the vulnerability index of the authority domain.
40. The apparatus of claim 39, wherein,
the second determining unit is specifically configured to calculate a cycle threat index of the authority domain of the current time period according to the following formula:
wherein w' represents the cycle threat index of the rights domain for the current time period;
V_k represents the asset value of the k-th network asset in the rights domain for the current time period, k = 1, 2, ...;
w_k represents the asset cycle threat index of the k-th network asset in the rights domain for the current time period.
41. The apparatus of claim 39, wherein,
the third determining unit is specifically configured to calculate a threat index of the authority domain according to the following formula:
wherein W' represents the threat index of the rights domain;
n represents the number of cycles from the current time period, i = 0, 1, ...;
w'_i represents the cycle threat index of the rights domain for the time period that is i cycles before the current time period;
b_i represents the weight of w'_i.
42. the apparatus of claim 39, wherein,
the fourth determining unit is specifically configured to calculate the vulnerability index of the authority domain of the current time period according to the following formula:
wherein R_lm represents the vulnerability index of the rights domain for the current time period;
R_k represents the asset vulnerability index of the k-th network asset in the rights domain for the current time period, k = 1, 2, ..., M; M represents the number of network assets contained in the rights domain, R_1 > R_2 > R_3 > ... > R_M.
43. The apparatus of claim 41 or 42, wherein,
the fifth determining unit is specifically configured to calculate a risk score of the authority domain of the current time period according to the following formula:
Risk' = d_1 * W' + d_2 * R_lm
wherein Risk' represents the risk score of the rights domain for the current time period;
W' represents the threat index of the rights domain;
d_1 represents the weight of W';
R_lm represents the vulnerability index of the rights domain for the current time period;
d_2 represents the weight of R_lm.
44. The apparatus of claim 39, further comprising:
a fourth obtaining unit, configured to obtain an identifier of the rights domain;
a fifth obtaining unit, configured to obtain, when determining that the identifier of the rights domain is found from the network asset blocking information list, a first preset threshold corresponding to the identifier of the rights domain from the network asset blocking information list;
A rights domain blocking unit, configured to block a network asset in the rights domain when it is determined that a risk score of the rights domain is greater than or equal to the first preset threshold;
a sixth obtaining unit, configured to obtain, from the network asset blocking information list, a blocking release manner corresponding to the identifier of the rights domain;
and the authority domain blocking and unblocking unit is used for unblocking the network assets in the authority domain according to the unblocking mode.
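The rights-domain score of claim 43 and the blocking procedure of claim 44 as a worked example. This is added code, not the patent's own implementation: W' and R_lm are taken as inputs because the page does not reproduce the formulas that produce them; the blocking information list is modelled as a dict keyed by rights-domain identifier, and the domain names, asset identifiers, thresholds and release-manner strings are constructed samples.

```python
"""Rights-domain risk score and blocking decision in the shape of claims 43
and 44.  Added example, not the patent's own code.  All identifiers,
thresholds and release manners below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class BlockingEntry:
    """One row of the network asset blocking information list."""
    threshold: float       # first preset threshold for this rights domain
    release_manner: str    # blocking release manner (constructed values below)


@dataclass
class BlockingDecision:
    domain_id: str
    risk_score: float
    blocked_assets: List[str] = field(default_factory=list)
    threshold: Optional[float] = None      # None when the domain is not listed
    release_manner: Optional[str] = None   # set only when blocking was applied

    @property
    def blocked(self) -> bool:
        return bool(self.blocked_assets)


def domain_risk_score(w_domain: float, r_domain: float,
                      d1: float, d2: float) -> float:
    """Risk' = d_1 * W' + d_2 * R_lm, as stated in claim 43."""
    return d1 * w_domain + d2 * r_domain


def decide_blocking(domain_id: str, domain_assets: Sequence[str], risk: float,
                    blocking_list: Dict[str, BlockingEntry]) -> BlockingDecision:
    """Claim 44 as a decision procedure.

    1. Look the rights-domain identifier up in the blocking information list;
       a domain that is not listed is scored but never blocked.
    2. If Risk' >= the domain's first preset threshold, block every asset in
       the domain (recorded here as the list of blocked asset ids).
    3. Carry the release manner along so the unblocking unit knows how to
       lift the block later.
    """
    entry = blocking_list.get(domain_id)
    if entry is None:
        return BlockingDecision(domain_id, risk)
    if risk < entry.threshold:
        return BlockingDecision(domain_id, risk, threshold=entry.threshold)
    return BlockingDecision(domain_id, risk, list(domain_assets),
                            entry.threshold, entry.release_manner)


# Constructed sample data standing in for the blocking information list and
# the asset inventory of each rights domain.
BLOCKING_LIST: Dict[str, BlockingEntry] = {
    "dom-finance": BlockingEntry(threshold=0.7, release_manner="manual"),
    "dom-lab": BlockingEntry(threshold=0.9, release_manner="timed"),
}
DOMAIN_ASSETS: Dict[str, List[str]] = {
    "dom-finance": ["asset-101", "asset-102"],
    "dom-lab": ["asset-201"],
    "dom-guest": ["asset-301"],   # not on the blocking list at all
}


def evaluate_domain(domain_id: str, w_domain: float, r_domain: float,
                    d1: float = 0.5, d2: float = 0.5) -> BlockingDecision:
    """Score a rights domain and apply the blocking decision to it."""
    risk = domain_risk_score(w_domain, r_domain, d1, d2)
    return decide_blocking(domain_id, DOMAIN_ASSETS.get(domain_id, []),
                           risk, BLOCKING_LIST)


if __name__ == "__main__":
    for dom in DOMAIN_ASSETS:
        d = evaluate_domain(dom, w_domain=1.0, r_domain=0.6)
        print(dom, f"Risk'={d.risk_score:.2f}", "blocked" if d.blocked else "ok",
              d.blocked_assets, d.release_manner)
```

Two points of the claim show up in the code: a domain whose identifier is absent from the blocking information list is never blocked regardless of its score, so the list is effectively an allow-list of where automatic blocking may act; and the release manner is bound to the decision that created the block, so that the unblocking unit lifts it the way the list prescribes for that domain rather than by a global rule.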
45. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the network asset risk control method of any of claims 1 to 22 when the program is executed.
46. A computer readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps in a method of controlling risk of a network asset as claimed in any one of claims 1 to 22.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010360291.0A CN111539644B (en) | 2020-04-30 | 2020-04-30 | Network asset risk control method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010360291.0A CN111539644B (en) | 2020-04-30 | 2020-04-30 | Network asset risk control method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111539644A CN111539644A (en) | 2020-08-14 |
CN111539644B true CN111539644B (en) | 2023-11-24 |
Family
ID=71978987
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010360291.0A Active CN111539644B (en) | 2020-04-30 | 2020-04-30 | Network asset risk control method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111539644B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112217824A (en) * | 2020-10-13 | 2021-01-12 | 福建奇点时空数字科技有限公司 | Network asset conformance analysis method based on flow perception |
CN112784281A (en) * | 2021-01-21 | 2021-05-11 | 恒安嘉新(北京)科技股份公司 | Safety assessment method, device, equipment and storage medium for industrial internet |
CN116405578A (en) * | 2023-03-07 | 2023-07-07 | 杭州迪普科技股份有限公司 | Asset identification method and device |
CN117811802B (en) * | 2023-12-28 | 2025-07-04 | 广西电网有限责任公司 | Network security monitoring system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8495745B1 (en) * | 2009-11-30 | 2013-07-23 | Mcafee, Inc. | Asset risk analysis |
CN104901960A (en) * | 2015-05-26 | 2015-09-09 | 汉柏科技有限公司 | Device and method for network security management based on alarm strategy |
CN105427172A (en) * | 2015-12-04 | 2016-03-23 | 北京华热科技发展有限公司 | Risk assessment method and system |
CN110505206A (en) * | 2019-07-19 | 2019-11-26 | 广东电网有限责任公司信息中心 | A kind of internet threat monitoring defence method based on dynamic joint defence |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160226893A1 (en) * | 2015-01-30 | 2016-08-04 | Wipro Limited | Methods for optimizing an automated determination in real-time of a risk rating of cyber-attack and devices thereof |
2020
- 2020-04-30 CN CN202010360291.0A patent/CN111539644B/en (status: Active)
Also Published As
Publication number | Publication date |
---|---|
CN111539644A (en) | 2020-08-14 |
Similar Documents
Publication | Title |
---|---|
CN111539644B (en) | Network asset risk control method and device |
US12301627B2 (en) | Correlating network event anomalies using active and passive external reconnaissance to identify attack information |
US11297109B2 (en) | System and method for cybersecurity reconnaissance, analysis, and score generation using distributed systems |
US11750659B2 (en) | Cybersecurity profiling and rating using active and passive external reconnaissance |
US20250047717A1 (en) | Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance |
US11405419B2 (en) | Preventing advanced persistent threat attack |
CN112534432A (en) | Real-time mitigation of unfamiliar threat scenarios |
US10320817B2 (en) | Systems and methods for detecting an attack on an auto-generated website by a virtual machine |
CN113408948A (en) | Network asset management method, device, equipment and medium |
CN112511561A (en) | Network attack path determination method, equipment, storage medium and device |
CN114499939B (en) | An optimal path selection method, system, storage medium and electronic device based on knowledge graph |
CN113872959B (en) | Method, device and equipment for judging risk asset level and dynamically degrading risk asset level |
CN112291199B (en) | Message processing method and device, electronic equipment and storage medium |
RU2738334C1 (en) | Method and system for making decision on need for automated response to incident |
CN105959294A (en) | Malicious domain name identification method and device |
CN111226426B (en) | Identification of attack flows in a multi-layer network topology |
CN114448690A (en) | Attack organization analysis method, device, equipment and medium |
CN111368300B (en) | Malicious file handling method, device, equipment and storage medium |
KR101535381B1 (en) | Method for blocking internet access using uniform resource locator and ip address |
Anashkin et al. | Implementation of Behavioral Indicators in Threat Detection and User Behavior Analysis |
US10805300B2 (en) | Computer network cross-boundary protection |
US20200045078A1 (en) | Resource Security System Using Fake Connections |
Yagi et al. | Analysis of blacklist update frequency for countering malware attacks on websites |
CN118353701A (en) | Method, device, equipment and medium for analyzing firewall rules of website application |
CN106657150B (en) | Method and device for acquiring network attack structure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |