CN102739649A - Method and device for determining network threat level - Google Patents

Info

Publication number
CN102739649A
CN102739649A CN2012101670919A CN201210167091A CN102739649A CN 102739649 A CN102739649 A CN 102739649A CN 2012101670919 A CN2012101670919 A CN 2012101670919A CN 201210167091 A CN201210167091 A CN 201210167091A CN 102739649 A CN102739649 A CN 102739649A
Authority
CN
China
Prior art keywords
time
patch
leak
attack
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012101670919A
Other languages
Chinese (zh)
Other versions
CN102739649B (en
Inventor
鲍旭华
赵粮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Group Co Ltd
Original Assignee
Beijing NSFocus Information Security Technology Co Ltd

Abstract

The invention provides a method and a device for determining network threat level. The method comprises the following steps: acquiring network threat information; and determining the network threat level according to the network threat information. The device comprises an acquisition module and a processing module. According to the invention, for vulnerabilities occurring in the whole Internet environment, according to the disclosure time, acquisition time and vulnerability coefficients of vulnerability information, the network threat level of the current vulnerability is quantitatively analyzed and determined, so that the accuracy of network threat level judgment can be improved, the changes of the vulnerability based network threat level with time can be analyzed, the severity degree and changes of a network threat can be timely and intuitively understood, and then corresponding safety measures are taken.

Description

Method and device for determining network threat level
Technical field
The present invention relates to the field of network security, and in particular to a method and device for determining a network threat level.
Background art
In the open, shared Internet environment, information security problems are becoming increasingly serious and the resulting losses are hard to estimate; network threats are prominent among them.
In the prior art, the network threat level is usually analyzed for a particular network threat within a single information system or a particular network scope. Users find it difficult to understand the network threat level and its changes in a timely and intuitive way and to take corresponding security measures. A method for quantitatively analyzing threats across the whole Internet is urgently needed.
Summary of the invention
The present invention provides a method and device for determining a network threat level, so as to improve the accuracy with which the network threat level of vulnerabilities in the Internet environment is judged and thereby select countermeasures accurately.
In one aspect, the present invention provides a method, comprising:
acquiring network threat information, the network threat information comprising the disclosure time, the acquisition time and the vulnerability coefficient of vulnerability information, where the disclosure time denotes the time at which the vulnerability was first discovered in forum information or tool samples, the acquisition time denotes the time at which the vulnerability was included in Common Vulnerabilities and Exposures, and the vulnerability coefficient denotes the severity of the vulnerability information;
determining the network threat level according to the network threat information and according to

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the acquisition time; $T_v$ denotes the time required for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure BDA00001684348500021
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
In another aspect, the present invention also provides a device, comprising:
an acquisition module, configured to acquire network threat information, the network threat information comprising the disclosure time, the acquisition time and the vulnerability coefficient of vulnerability information, where the disclosure time denotes the time at which the vulnerability was first discovered in forum information or tool samples, the acquisition time denotes the time at which the vulnerability was included in Common Vulnerabilities and Exposures, and the vulnerability coefficient denotes the severity of the vulnerability information;
a processing module, configured to determine the network threat level according to the network threat information and according to

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the acquisition time; $T_v$ denotes the time required for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure BDA00001684348500023
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
For vulnerabilities appearing anywhere in the Internet environment, the method and device provided by the present invention quantitatively determine the network threat level of the current vulnerability from the disclosure time, acquisition time and vulnerability coefficient of the vulnerability information. This improves the accuracy with which the network threat level is judged and allows the change of the vulnerability-based network threat level over time to be analyzed, so that the severity and changes of a network threat can be understood in a timely and intuitive way and corresponding security measures taken.
Brief description of the drawings
Fig. 1 is a flow chart of one embodiment of the method for determining a network threat level provided by the present invention;
Fig. 2 is a schematic curve of the network threat level for the method shown in Fig. 1;
Fig. 3 is a flow chart of another embodiment of the method for determining a network threat level provided by the present invention;
Fig. 4 is one schematic curve of the patch threat index for the method shown in Fig. 3;
Fig. 5 is another schematic curve of the patch threat index for the method shown in Fig. 3;
Fig. 6 is a schematic curve of the network threat level for the method shown in Fig. 3;
Fig. 7 is a flow chart of a further embodiment of the method for determining a network threat level provided by the present invention;
Fig. 8 is a schematic curve of the tool threat index for the method shown in Fig. 7;
Fig. 9 is a schematic curve of the network threat level for the method shown in Fig. 7;
Fig. 10 is a flow chart of a further embodiment of the method for determining a network threat level provided by the present invention;
Fig. 11 is a schematic curve of the event threat index for the method shown in Fig. 10;
Fig. 12 is a schematic curve of the network threat level for the method shown in Fig. 10;
Fig. 13 is a schematic structural diagram of the device for determining a network threat level provided by the present invention.
Detailed description of the embodiments
The present invention is described further below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of one embodiment of the method for determining a network threat level provided by the present invention. This embodiment is applicable to determining the network threat level in the Internet environment and may be implemented in software and/or hardware, for example by a device for determining the network threat level. The specific steps of the method of this embodiment are as follows:
S100: Acquire network threat information.
The network threat information comprises the disclosure time, the acquisition time and the vulnerability coefficient of the vulnerability information. The disclosure time denotes the time at which the vulnerability was first discovered in forum information or tool samples; the acquisition time denotes the time at which the vulnerability was included in Common Vulnerabilities & Exposures (CVE); the vulnerability coefficient denotes the severity of the vulnerability information and takes the value published under the Common Vulnerability Scoring System (CVSS).
The network threat information can be acquired through many channels, for example vulnerability lists published by authoritative organizations, security bulletins published by vendors, and news reports on major security incidents; they are not enumerated one by one here.
A vulnerability here means a flaw in the concrete implementation of hardware, software or a protocol, or in a system security policy, that allows an attacker to access or damage the system without authorization. Embodiments of the present invention can therefore use the disclosure time, acquisition time and vulnerability coefficient of the vulnerability information to analyze how the network threat level changes over time, and on that basis determine the threat level more accurately.
S110: Determine the network threat level according to the network threat information and according to

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
As one possible implementation, the time $T_v$ required for the vulnerability information to spread and the estimated discovery time $t_v$ of the vulnerability can be determined from the collected disclosure time $t_{v1}$ and acquisition time $t_{v2}$ of the vulnerability information.
If only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure BDA00001684348500042
If $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; here $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
Further, the network threat level can be determined according to:

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ denotes time and $D_v$ denotes the vulnerability coefficient, taking the value published by CVSS.
In this implementation scenario, the resulting network threat level curve is shown in Fig. 2, where the x axis represents time $t$ and the y axis represents the network threat level $f_v(t)$. It shows that, other factors aside, once the vulnerability is discovered, i.e. from time $t_v$, information about it keeps spreading and becomes known to more and more attackers, so the threat keeps rising; once it is published by an authoritative organization or vendor, i.e. from time $t_v + T_v$, it becomes public information and the threat stays at its high point.
In the above embodiment, for a vulnerability on the Internet, the disclosure time, acquisition time and vulnerability coefficient of the vulnerability information are obtained from vulnerability lists published by authoritative organizations, security bulletins published by vendors, news reports on major security incidents and the public network, and the network threat level is determined from them. The information sources are verifiable and are not skewed by changes in attack methods. They are also general and provide guidance for the Internet as a whole. Quantitative analysis yields the change of the vulnerability-based network threat level over time, so that users can understand the severity and changes of a network threat in a timely and intuitive way, judge how far the vulnerability affects them, and select countermeasures.
As another possible implementation, when an institution or organization releases an unofficial patch for the vulnerability, this indicates that the vulnerability is more serious. When the vulnerability threat index is computed in this case, the vulnerability severity $D_v$ published by CVSS is additionally multiplied by a preset weighting parameter $k$. In this implementation scenario, the network threat level can therefore be determined according to:

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ k D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ k D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ denotes time; $D_v$ denotes the vulnerability coefficient, taking the value published by CVSS; $k$ is a preset weighting parameter, determined by whether an unofficial patch has been released, with a value greater than 1. For example, if an unofficial patch has been released, $k$ may be set to 1.5; alternatively, $k$ may be determined according to specific requirements or actual conditions, or chosen from empirical values.
$T_v$ denotes the time required for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure BDA00001684348500052
$t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is the acquisition time of the vulnerability information;
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are preset positive numbers satisfying $\alpha + \beta < 1$.
In the above embodiment, if an institution or organization has released an unofficial patch after an Internet vulnerability appears, this indicates that the threat level of the vulnerability has increased; the network threat level is then determined after multiplying the vulnerability severity $D_v$ published by CVSS by a preset weighting parameter $k$. Quantitatively computing the threat level of the specific current vulnerability lets users judge how far the vulnerability affects them and select countermeasures.
For vulnerabilities appearing in the Internet environment, the method provided by this embodiment determines the threat level of the current vulnerability from the disclosure time, acquisition time and vulnerability coefficient of the vulnerability information. This improves the accuracy with which the network threat level of the current vulnerability is judged and allows the change of the vulnerability-based network threat level over time to be analyzed, so that the severity and changes of a network threat can be understood in a timely and intuitive way and countermeasures selected accurately. In addition, the information sources of the present invention are mainly vulnerability lists published by authoritative organizations, security bulletins published by vendors and news reports on major security incidents; they are general and provide guidance for the Internet as a whole.
Optionally, the network threat information further comprises any one or more of the following: patch information, the release time of attack tools, and the release time of attack events.
The patch information comprises the unofficial patch release time and the formal patch release time. The unofficial patch release time denotes the time at which a temporary patch or third-party patch was first released before the formal patch; the formal patch release time denotes the time at which the formal patch was first released. Patch information can be obtained through various channels, for example releases by authoritative security institutions or organizations, vendor announcements, releases by software or system companies, or releases by research institutions; they are not enumerated one by one here. A temporary patch is a program or code released on an emergency basis by the producer of the vulnerable software or system specifically to repair the current vulnerability. A third-party patch is a program or code for repairing the current vulnerability released by a party other than the producer of the software or system, such as a user. A formal patch is a program or code released by the producer of the vulnerable software or system that can generally repair the current vulnerability completely; it has a strong repair capability and can generally contain the harm caused by the current vulnerability effectively.
The attack tool release time denotes the time at which the attack signature of each attack tool was first discovered, or the time at which a downloadable version of the attack tool first appeared on the network. The attack tool release time can be obtained through various channels, for example releases by authoritative security institutions or organizations, vendor announcements, releases by software or system companies, releases by research institutions, or Internet communities and forums; they are not enumerated one by one here. An attack tool is program software used specifically for network attacks or system attacks.
The attack event release time denotes the earliest time at which a verifiable attack event began to occur. It can be obtained through various channels, for example announcements by authoritative organizations, vendor bulletins, and news reports on major security incidents; they are not enumerated one by one here. An attack event is an information security event in which an information system is attacked, through the network or other technical means, by exploiting configuration flaws, protocol flaws or program bugs of the information system or by brute force, causing the information system to behave abnormally or posing a potential hazard to its current operation.
Accordingly, the patch threat index $f_p(t)$ can be obtained from the patch information, and/or the attack tool threat index $f_t(t)$ can be obtained from the release time of the attack tools, and/or the attack event threat index $f_e(t)$ can be obtained from the release time of the attack events;
the network threat level is determined from the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
The embodiments shown in Figs. 3 to 5, Figs. 7 to 8 and Figs. 10 to 11 below respectively give possible implementations for obtaining the patch threat index $f_p(t)$, the attack tool threat index $f_t(t)$ and the attack event threat index $f_e(t)$.
Fig. 3 is a flow chart of another embodiment of the method for determining a network threat level provided by the present invention. Building on the above embodiment, the method of this embodiment comprises the following steps:
S200: Acquire patch information.
The patch information comprises the unofficial patch release time and the formal patch release time. The unofficial patch release time denotes the time at which a temporary patch or third-party patch was first released before the formal patch; the formal patch release time denotes the time at which the formal patch was first released. Patch information can be obtained through various channels, for example releases by authoritative security institutions or organizations, vendor announcements, releases by software or system companies, or releases by research institutions; they are not enumerated one by one here.
S210: Obtain the patch threat index from the patch information.
As one possible implementation, let $t_{p0}$ denote the first release time of the unofficial patch and $t_{p1}$ the first release time of the formal patch. Depending on how patches for the vulnerability were released: if an institution or organization first released an unofficial patch and later a formal patch, with $t_{p1} - t_{p0} \le T_p$, where $T_p$ denotes the time period a patch needs, from its appearance, to take remediation effect and is a preset value, then the patch threat index can be determined according to:

$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$

where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $D_{p0}$ denotes the remediation effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation effect parameter of the formal patch, preset to 1.
In this implementation scenario, the resulting patch threat index curve is shown in Fig. 4, where the x axis represents time $t$ and the y axis represents the patch threat index $f_p(t)$. It shows that, other factors aside, after a temporary patch is released, i.e. from time $t_{p0}$, some users choose to install it and the overall threat gradually falls; but because of the release channels and installation methods of temporary patches, they often spread more slowly than formal patches. After the formal patch is released, i.e. from time $t_{p1}$, users generally install it and the overall threat falls faster. In practice, however, some users never install the patch for business or IT maintenance reasons, so some residual threat ultimately remains.
As one possible implementation, depending on how patches for the vulnerability were released: if only an unofficial patch has been released, or both an unofficial patch and a formal patch have been released but $t_{p1} - t_{p0} > T_p$, where $T_p$ denotes the time period a patch needs, from its appearance, to take remediation effect and is a preset value, then $t_p = t_{p0}$ and the remediation effect parameter $D_p$ of the patch is 0.5; if only a formal patch has been released, then $t_p = t_{p1}$ and $D_p$ is 1. The patch threat index can then be determined according to:

$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$

where $f_p(t)$ denotes the patch threat index and $t$ denotes time.
In this implementation scenario, the resulting patch threat index curve is shown in Fig. 5, where the x axis represents time $t$ and the y axis represents the patch threat index $f_p(t)$. It shows that, other factors aside, when only one patch is released, i.e. from time $t_p$, users generally install it and the overall threat keeps falling. In practice, however, some users never install the patch for business or IT maintenance reasons, so some residual threat ultimately remains.
S220: Determine the network threat level from the patch threat index.
As one possible implementation, building on the above embodiment, let $f(t)$ denote the network threat level in this embodiment; the network threat level can then be determined according to $f(t) = f_v(t) \times f_p(t)$.
In this implementation scenario, the resulting network threat level curve is shown in Fig. 6. It shows how the network threat level of the current vulnerability changes when, after the vulnerability is discovered, an institution, organization or vendor provides a patch for it. After the vulnerability is discovered the threat keeps rising. After an institution, organization or vendor releases a patch, the threat still rises for a while through inertia because of the deployment cycle, until it reaches a natural turning point and begins to fall. Once most users have installed the patch, the threat stays at a lower level, but some residual risk always remains.
In the above embodiment, for a vulnerability on the Internet, the unofficial patch release time and formal patch release time are obtained from authoritative organizations and the public network, the patch threat index is computed, and the network threat level and its change over time are then determined from both the vulnerability itself and the patch, so that users can judge how far the vulnerability affects them and select countermeasures accurately. The information sources are reliable and general, so the network threat level determined in this way provides guidance for the Internet as a whole.
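The following Python sketch is an added example, not part of the patent text: it evaluates $f_v(t)$, both forms of $f_p(t)$ and their product $f(t) = f_v(t) \times f_p(t)$ for one constructed vulnerability timeline and locates the day on which the combined level peaks. The function names and all scenario values (times in days, the CVSS score, $\alpha$, $\beta$, $T_v$, $T_p$) are assumptions chosen for illustration; $T_v$ is passed in as a preset because the formula for the case where both $t_{v1}$ and $t_{v2}$ are known is not reproduced on this page.

```python
import math

def estimate_discovery_time(T_v, alpha, beta, t_v1=None, t_v2=None):
    """Estimated discovery time t_v from whichever timestamp is known."""
    if not (alpha > 0 and beta > 0 and alpha + beta < 1):
        raise ValueError("alpha and beta must be positive with alpha + beta < 1")
    if t_v1 is not None:                      # disclosure time known
        return t_v1 - beta * T_v
    if t_v2 is not None:                      # only acquisition (CVE) time known
        return t_v2 - (alpha - beta) * T_v
    raise ValueError("need the disclosure time t_v1 or the acquisition time t_v2")

def f_v(t, t_v, T_v, D_v, k=1.0):
    """Vulnerability threat level; k > 1 is the unofficial-patch weighting."""
    if t <= t_v:
        return 0.0
    if t < t_v + T_v:                         # information still spreading
        return k * D_v * math.exp(-T_v / (t - t_v))
    return k * D_v * math.exp(-1)             # public knowledge: plateau

def f_p_single(t, t_p, T_p, D_p):
    """Patch threat index when a single patch drives remediation."""
    if t <= t_p:
        return 1.0
    if t < t_p + T_p:
        return math.exp(-D_p * (t - t_p) / T_p)
    return math.exp(-1)                       # residual threat from unpatched hosts

def f_p_two(t, t_p0, t_p1, T_p, D_p0=0.5, D_p1=1.0):
    """Patch threat index: unofficial patch at t_p0, formal patch at t_p1."""
    denom = D_p1 * (T_p + t_p0 - t_p1) + D_p0 * (t_p1 - t_p0)
    if t <= t_p0:
        return 1.0
    if t < t_p1:                              # only the unofficial patch exists
        return math.exp(-D_p0 * (t - t_p0) / denom)
    if t < t_p0 + T_p:                        # formal patch rolling out
        return math.exp(-(D_p1 * (t - t_p1) + D_p0 * (t_p1 - t_p0)) / denom)
    return math.exp(-1)

def patch_index(t, T_p, t_p0=None, t_p1=None):
    """Select the f_p form from the patch release situation."""
    if t_p0 is None and t_p1 is None:
        return 1.0                            # assumption: no patch, no reduction
    if t_p0 is not None and t_p1 is not None and t_p1 - t_p0 <= T_p:
        return f_p_two(t, t_p0, t_p1, T_p)
    if t_p0 is not None:                      # unofficial only, or formal too late
        return f_p_single(t, t_p0, T_p, 0.5)
    return f_p_single(t, t_p1, T_p, 1.0)      # formal patch only

def threat_level(t, s):
    """f(t) = f_v(t) * f_p(t) for a scenario dict s."""
    t_v = estimate_discovery_time(s["T_v"], s["alpha"], s["beta"],
                                  s.get("t_v1"), s.get("t_v2"))
    return (f_v(t, t_v, s["T_v"], s["D_v"])
            * patch_index(t, s["T_p"], s.get("t_p0"), s.get("t_p1")))

# Constructed scenario (all values are illustrative assumptions, in days).
SCENARIO = {
    "t_v1": 10, "T_v": 30, "alpha": 0.5, "beta": 0.2,  # so t_v = 4
    "D_v": 9.3,                                         # constructed CVSS score
    "t_p0": 20, "t_p1": 35, "T_p": 60,                  # patch timeline
}

def peak_day(s, horizon=120):
    """Day (integer grid) on which the combined threat level is highest."""
    return max(range(horizon + 1), key=lambda d: threat_level(d, s))

if __name__ == "__main__":
    for day in (0, 10, 20, 34, 35, 60, 80, 120):
        print(day, round(threat_level(day, SCENARIO), 3))
    print("peak on day", peak_day(SCENARIO))
```

In this scenario the level keeps rising for two weeks after the unofficial patch appears on day 20 and turns down only once $f_v$ reaches its plateau, which is the rise "through inertia" that the description of Fig. 6 refers to.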
Fig. 7 is a flow chart of a further embodiment of the method for determining a network threat level provided by the present invention. Building on the above embodiment, the method of this embodiment comprises the following steps:
S300: Acquire the attack tool release time.
The attack tool release time denotes the time at which the attack signature of each attack tool was first discovered, or the time at which a downloadable version of the attack tool first appeared on the network. The attack tool release time can be obtained through various channels, for example releases by authoritative security institutions or organizations, vendor announcements, releases by software or system companies, releases by research institutions, or Internet communities and forums; they are not enumerated one by one here.
S310: Determine the tool threat index from the attack tool release time.
There may be several attack tools targeting the same vulnerability. As one possible implementation, let $t_{tk}$ denote the release time of the $k$-th attack tool.
$D_{tk}$ denotes the severity of the $k$-th attack tool and is a preset value. The severity of an attack tool is generally determined by two factors together: the ease of use of the attack tool (hard, medium, easy) and its destructiveness (high, medium, low). The preset severity values of attack tools are shown in Table 1.
Table 1
Figure BDA00001684348500091
$T_t$ denotes the time period an attack tool needs to produce its destructive effect and is a preset value.
The threat index of the $k$-th attack tool can then be determined according to:

$$f_{tk}(t) = \begin{cases} 0, & t \le t_{tk} \\ D_{tk} \times e^{-\frac{16 \times \left(t - t_{tk} - \frac{T_t}{2}\right)^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$

Then, according to
the threat index of all attack tools targeting this vulnerability is determined;
where $f_t(t)$ denotes the threat index of all attack tools targeting this vulnerability and $t$ denotes time.
In this implementation scenario, the resulting tool threat index curve is shown in Fig. 8, where the x axis represents time $t$ and the y axis represents the tool threat index $f_t(t)$. It shows that, other factors aside, when several attack tools targeting the same vulnerability spread on the network, i.e. at least from time $t_{k1}$, the reach of these tools keeps growing, they gain more and more users, and the overall threat they produce grows accordingly. Once their impact reaches a certain level, security vendors release corresponding detection or protection measures and the threat gradually falls.
S320: Determine the network threat level from the tool threat index.
As one possible implementation, building on the above embodiment, let $f(t)$ denote the network threat level; the network threat level can then be determined according to $f(t) = f_v(t) \times f_t(t)$. The network threat level determined in this embodiment is the level when, after the vulnerability appears, no patch and no attack event for the vulnerability has appeared and only attack tools targeting it have appeared.
As one possible implementation, building on the above embodiment, let $f(t)$ denote the network threat level; the network threat level can then be determined according to $f(t) = f_v(t) \times f_p(t) \times f_t(t)$.
In this implementation scenario, the resulting network threat level curve is shown in Fig. 9. It shows how the network threat level changes when attack tools targeting the vulnerability appear. After the vulnerability is discovered the threat keeps rising. After an institution, organization or vendor releases a patch, the threat still rises for a while through inertia because of the deployment cycle, until it reaches a natural turning point and begins to fall. When attack tools begin to spread and be used on the network while some users have not yet finished deploying the patch, the threat enters a new rising cycle, until an institution, organization or vendor releases detection and prevention measures and the threat finally begins to fall and level off.
In the above embodiment, for a vulnerability on the Internet, the threat index is determined from the attack tool release time of the vulnerability, and the network threat level and its change over time are then determined from three aspects, namely the vulnerability itself, the patch and the attack tools, so that users can judge how far the vulnerability affects them and select suitable countermeasures accurately. The information sources are reliable and general, so the network threat level determined in this way provides guidance for the Internet as a whole.
Fig. 10 is a flow chart of a further embodiment of the method for determining a network threat level provided by the present invention. Building on the above embodiment, the method of this embodiment comprises the following steps:
S400: Acquire the attack event release time.
The attack event release time denotes the earliest time at which a verifiable attack event began to occur. It can be obtained through various channels, for example announcements by authoritative organizations, vendor bulletins, and news reports on major security incidents; they are not enumerated one by one here.
S410: Determine the event threat index from the attack event release time.
There may be several attack events targeting the same vulnerability. As one possible implementation, let $t_{ei}$ denote the release time of the $i$-th attack event.
$D_{ei}$ denotes the severity of the $i$-th attack event and is a preset value. The severity of an attack event is determined by two factors together: the scope of impact of the event (large, medium, small) and the destructiveness of the event (high, medium, low). The preset severity values of attack events are shown in Table 2.
Table 2
$T_e$ denotes the time period an attack event needs to produce its destructive effect and is a preset value.
The threat index of the $i$-th attack event can then be determined according to

$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$

The threat index of all attack events can then be determined according to
Figure BDA00001684348500122
where $t$ denotes time.
In this implementation scenario, the resulting event threat index curve is shown in Fig. 11, where the x axis represents time $t$ and the y axis represents the event threat index $f_e(t)$. It shows that, other factors aside, when several high-impact attack events targeting the same vulnerability occur, this indicates that some previously unknown influences existed, for example dedicated attack tools, the focus of attention of hacker organizations, political confrontation and so on, and that the threat has reached a peak at this point. This means that the threat situation for the preceding period must be adjusted retrospectively, while the attention and response triggered by the outbreak of the event itself bring the threat into a period of relative decline.
S420: threaten index to confirm the Cyberthreat degree according to said incident.
But as a kind of execution mode, on the basis of the foregoing description, with f (t) expression Cyberthreat degree, so can be according to f (t)=f v(t) * f e(t) confirm the Cyberthreat degree.The determined Cyberthreat degree of this embodiment is meant, after starting a leak, any patch and any attack tool to this leak do not occur, the Cyberthreat degree when the attack to this leak only having occurred.
But as a kind of execution mode, on the basis of the foregoing description, with f (t) expression Cyberthreat degree, so can be according to f (t)=f v(t) * f e(t) * f p(t) confirm the Cyberthreat degree.The determined Cyberthreat degree of this embodiment is meant, after starting a leak, any attack tool to this leak does not occur, the Cyberthreat degree when only having occurred to the patch issue of this leak and attack.
But as a kind of execution mode, on the basis of the foregoing description, with f (t) expression Cyberthreat degree, so can be according to f (t)=f v(t) * f e(t) * f t(t) confirm the Cyberthreat degree.The determined Cyberthreat degree of this embodiment is meant, after starting a leak, any patch to this leak does not occur, the Cyberthreat degree when only having occurred to the attack of this leak and attack tool.
But as a kind of execution mode, on the basis of the foregoing description, with f (t) expression Cyberthreat degree, so can be according to f (t)=f v(t) * f p(t) * f t(t) * f e(t), confirm the Cyberthreat degree.
Implement under the scene at this, the curve synoptic diagram of the Cyberthreat degree that obtains is shown in figure 12, has shown under the situation of appearance to the attack of this leak the Cyberthreat degree change.Leak comes to light, and the back threat is continuous rises, and after mechanism, tissue or manufacturer issue patch, owing to deployment cycle, threatens still and can rise a stage by inertia, up to the flex point that reaches a nature, begins to descend; Have attack tool to begin in network, to spread and use, this moment, the patch of certain customers was disposed as yet completion, had caused a rise cycle that threatens, and up to mechanism, tissue or manufacturer's issue detection and preventive means are arranged, threatened finally to begin to descend.After some website being concentrated the incident of attack as the hacker, show that preparation, information gathering, the personnel arrangement of the attack tool that is directed against this leak continued certain hour.And after the attack, begun to strengthen protection by object of attack, and there are mechanism, tissue or manufacturer to release new scheme and measure or the like factor, can cause threatening from peak value beginning to descend.
In the foregoing description; To the leak in the Internet; According to the attack issuing time of this leak, calculate the acquisition incident and threaten index, and then confirm acquisition Cyberthreat degree and situation over time thereof from leak itself, patch, attack tool and four aspects of attack; Thereby ensure that the user can judge the influence degree of leak to self, accurately select suitable counter-measure.And information source is reliable, can not produce deviation because of the conversion of attacking ways; And have generality, the whole the Internet overall situation is had directive significance.
Should be noted that the related time of calculating in the foregoing description, all adopt the UNIX time well-known to those skilled in the art.
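As an added illustration (not code from the patent), the piecewise indices defined in this document can be evaluated directly on UNIX timestamps. The sketch below implements $f_v$, both forms of $f_p$, and the per-event and per-tool pulses $f_{ei}$ and $f_{tk}$, then combines $f_v \times f_p$; aggregation over several events or tools is left out because that formula is not reproduced on this page. The sample times, $D_v = 10$, $\beta = 0.25$ and the period lengths are constructed values, and the function names are this example's own.

```python
import math

DAY = 86400  # seconds; every time below is a UNIX timestamp, as the text specifies


def estimate_t_v(t_v1, T_v, beta):
    """Estimated discovery time when only the disclosure time t_v1 is known."""
    return t_v1 - beta * T_v


def f_v(t, t_v, T_v, D_v, k=1.0):
    """Vulnerability threat index; k is the optional unofficial-patch weighting."""
    if t <= t_v:
        return 0.0
    if t < t_v + T_v:
        return k * D_v * math.exp(-T_v / (t - t_v))
    return k * D_v * math.exp(-1)


def f_p(t, T_p, t_p0=None, t_p1=None, D_p0=0.5, D_p1=1.0):
    """Patch threat index; t_p0 / t_p1 = first unofficial / official release."""
    if t_p0 is None and t_p1 is None:
        return 1.0  # assumption: with no patch the factor is neutral in the product
    both = t_p0 is not None and t_p1 is not None
    if both and t_p1 < t_p0:
        raise ValueError("the unofficial patch must precede the official patch")
    if not (both and t_p1 - t_p0 <= T_p):
        # Single-patch form: an unofficial patch (alone, or followed too late by
        # the official one) uses t_p0 with D_p = 0.5; official only uses D_p = 1.
        t_p, D_p = (t_p0, D_p0) if t_p0 is not None else (t_p1, D_p1)
        if t <= t_p:
            return 1.0
        if t < t_p + T_p:
            return math.exp(-D_p * (t - t_p) / T_p)
        return math.exp(-1)
    # Two-stage form: the decay rate switches from D_p0 to D_p1 at t_p1.
    denom = D_p1 * (T_p + t_p0 - t_p1) + D_p0 * (t_p1 - t_p0)
    if t <= t_p0:
        return 1.0
    if t < t_p1:
        return math.exp(-D_p0 * (t - t_p0) / denom)
    if t < t_p0 + T_p:
        return math.exp(-(D_p1 * (t - t_p1) + D_p0 * (t_p1 - t_p0)) / denom)
    return math.exp(-1)


def _pulse(t, centre, width, D):
    """D * exp(-16 (t - centre)^2 / width^2), cut to 0 outside centre +/- width/2."""
    if abs(t - centre) >= width / 2:
        return 0.0
    return D * math.exp(-16 * (t - centre) ** 2 / width ** 2)


def f_ei(t, t_ei, T_e, D_ei):
    """Threat index of one attack event, peaking at its release time t_ei."""
    return _pulse(t, t_ei, T_e, D_ei)


def f_tk(t, t_tk, T_t, D_tk):
    """Threat index of one attack tool, peaking T_t/2 after its release t_tk
    (this reads the shifted time in the tool formula as t_tk)."""
    return _pulse(t, t_tk + T_t / 2, T_t, D_tk)


def threat_level(t, vuln, patch):
    """f(t) = f_v(t) * f_p(t): a vulnerability with patches, no tools or events."""
    return f_v(t, **vuln) * f_p(t, **patch)


def timeline(vuln, patch, start, days):
    """Daily samples (day offset, f(t)) beginning at `start`."""
    return [(d, threat_level(start + d * DAY, vuln, patch)) for d in range(days + 1)]


# Constructed sample input: none of these numbers come from the patent.
T0 = 1_700_000_000  # disclosure time t_v1
VULN = {"T_v": 30 * DAY, "D_v": 10.0}
VULN["t_v"] = estimate_t_v(T0, VULN["T_v"], beta=0.25)
PATCH = {"T_p": 20 * DAY, "t_p0": T0 + 5 * DAY, "t_p1": T0 + 15 * DAY}

if __name__ == "__main__":
    for day, level in timeline(VULN, PATCH, T0, 40)[::5]:
        print(f"day {day:2d}  f(t) = {level:.3f}")
```

Sampling the timeline shows the shape described for the patch case: the level keeps rising after the first patch release and only turns down once the patch decay outweighs the vulnerability's diffusion.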
Figure 13 is a structural schematic of the device for determining the network threat level provided by the invention. As shown in Figure 13, the device comprises an acquisition module 10 and a processing module 11.
The acquisition module 10 is configured to obtain network threat information comprising the disclosure time, inclusion time and vulnerability coefficient of the vulnerability information. The disclosure time denotes the time at which the vulnerability is first discovered in forum information or tool samples, the inclusion time denotes the time at which the vulnerability is included in Common Vulnerabilities and Exposures (CVE), and the vulnerability coefficient denotes the severity of the vulnerability information.
The processing module 11 is configured to determine the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where t denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the inclusion time; $T_v$ denotes the time needed for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure BDA00001684348500142
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; α and β are positive numbers satisfying $\alpha + \beta < 1$.
Optionally, the network threat information obtained by the acquisition module 10 further comprises any one or more of the following: patch information, attack tool release times and attack event release times. The patch information comprises an unofficial patch release time and an official patch release time. The unofficial patch release time denotes the time at which a temporary patch or third-party patch is first released before the official patch; the official patch release time denotes the time at which the official patch is first released; the attack tool release time denotes the time at which the attack signature of each attack tool is first discovered or a downloadable version of the attack tool first appears on the network; and the attack event release time denotes the earliest time at which a verifiable attack event began.
Optionally, the processing module 11 may specifically be configured to: obtain the patch threat index $f_p(t)$ from the patch information, and/or obtain the attack tool threat index $f_t(t)$ from the attack tool release times, and/or obtain the attack event threat index $f_e(t)$ from the attack event release times; and determine the network threat level from the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
Optionally, the processing module 11 may specifically be configured to determine the network threat level according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ k D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ k D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where t denotes time; $D_v$ denotes the vulnerability coefficient; k denotes a preset weighting parameter that is determined by the release of the unofficial patch; $T_v$ denotes the time needed for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure BDA00001684348500144
$t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is its inclusion time; $t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; α and β are preset positive numbers satisfying $\alpha + \beta < 1$;
and/or the processing module 11 may specifically be configured to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; t denotes time; $D_{p0}$ denotes the remediation effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation effect parameter of the official patch, preset to 1; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect, and is a preset value; $t_{p0}$ denotes the first release time of the unofficial patch; $t_{p1}$ denotes the first release time of the official patch; and $t_{p1} - t_{p0} \le T_p$;
or the processing module 11 may specifically be configured to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; t denotes time; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect, and is a preset value; $D_p$ denotes the remediation effect parameter of the patch; if only an unofficial patch has been released, or both an unofficial patch and an official patch have been released but $t_{p1} - t_{p0} > T_p$, then $t_p = t_{p0}$ and $D_p = 0.5$; if only an official patch has been released, then $t_p = t_{p1}$ and $D_p = 1$;
and/or the processing module 11 may specifically be configured to:
determine the attack tool threat index according to
Figure BDA00001684348500161
;
where $f_t(t)$ denotes the overall threat index of all attack tools; t denotes time; $f_{tk}(t)$ denotes the threat index of the k-th attack tool;
$$f_{tk}(t) = \begin{cases} 0, & t \le t_{tk} \\ D_{tk} \times e^{-\frac{16 \times (t - t_{tk} - \frac{T_t}{2})^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$
$t_{tk}$ denotes the release time of the k-th attack tool; $D_{tk}$ denotes the severity of the k-th attack tool and is a preset value; $T_t$ denotes the time period an attack tool needs to produce its damaging effect and is a preset value;
and/or the processing module 11 may specifically be configured to:
determine the attack event threat index according to ;
where $f_e(t)$ denotes the overall threat index of all attack events; t denotes time; $f_{ei}(t)$ denotes the threat index of the i-th attack event;
$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$
$t_{ei}$ denotes the release time of the i-th attack event; $D_{ei}$ denotes the severity of the i-th attack event and is a preset value; $T_e$ denotes the time period an attack event needs to produce its damaging effect and is a preset value.
The device embodiment for determining the network threat level provided by the invention corresponds to the method embodiment provided by the invention and is the apparatus that executes that method. For its specific structure and the operations performed by each part, refer to the method embodiment; they are not repeated here.
The device for determining the network threat level provided by the invention, for vulnerabilities appearing across the whole Internet environment, quantitatively analyzes and determines the network threat level of the current vulnerability according to the disclosure time, inclusion time and vulnerability coefficient of the vulnerability information. This improves the accuracy of threat level judgments and makes it possible to analyze how the vulnerability-based network threat level changes over time, so that the severity of a network threat and its changes can be understood promptly and intuitively and corresponding security measures can be taken.
Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in those embodiments, or make equivalent replacements of some or all of their technical features, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention.

Claims (9)

1. A method for determining a network threat level, characterized by comprising:
obtaining network threat information, the network threat information comprising the disclosure time, inclusion time and vulnerability coefficient of vulnerability information, wherein the disclosure time denotes the time at which the vulnerability is first discovered in forum information or tool samples, the inclusion time denotes the time at which the vulnerability is included in Common Vulnerabilities and Exposures (CVE), and the vulnerability coefficient denotes the severity of the vulnerability information;
determining the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where t denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the inclusion time; $T_v$ denotes the time needed for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure FDA00001684348400012
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; α and β are positive numbers satisfying $\alpha + \beta < 1$.
2. The method according to claim 1, characterized in that the network threat information further comprises any one or more of the following: patch information, attack tool release times and attack event release times; wherein the patch information comprises an unofficial patch release time and an official patch release time; the unofficial patch release time denotes the time at which a temporary patch or third-party patch is first released before the official patch; the official patch release time denotes the time at which the official patch is first released; the attack tool release time denotes the time at which the attack signature of each attack tool is first discovered or a downloadable version of the attack tool first appears on the network; and the attack event release time denotes the earliest time at which a verifiable attack event began.
3. The method according to claim 2, characterized by comprising:
determining the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ k D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ k D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where t denotes time; $D_v$ denotes the vulnerability coefficient; k denotes a preset weighting parameter that is determined by the release of the unofficial patch; $T_v$ denotes the time needed for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then ; $t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is its inclusion time; $t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; α and β are preset positive numbers satisfying $\alpha + \beta < 1$.
4. The method according to claim 2 or 3, characterized by comprising:
obtaining the patch threat index $f_p(t)$ from the patch information, and/or obtaining the attack tool threat index $f_t(t)$ from the attack tool release times, and/or obtaining the attack event threat index $f_e(t)$ from the attack event release times;
determining the network threat level from the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
5. The method according to claim 4, characterized in that the patch threat index is determined according to
$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; t denotes time; $D_{p0}$ denotes the remediation effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation effect parameter of the official patch, preset to 1; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect, and is a preset value; $t_{p0}$ denotes the first release time of the unofficial patch; $t_{p1}$ denotes the first release time of the official patch; and $t_{p1} - t_{p0} \le T_p$;
or the patch threat index is determined according to
$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; t denotes time; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect, and is a preset value; $D_p$ denotes the remediation effect parameter of the patch; if only an unofficial patch has been released, or both an unofficial patch and an official patch have been released but $t_{p1} - t_{p0} > T_p$, then $t_p = t_{p0}$ and $D_p = 0.5$; if only an official patch has been released, then $t_p = t_{p1}$ and $D_p = 1$;
and/or,
the attack tool threat index is determined according to
Figure FDA00001684348400032
;
where $f_t(t)$ denotes the overall threat index of all attack tools; t denotes time; $f_{tk}(t)$ denotes the threat index of the k-th attack tool;
$$f_{tk}(t) = \begin{cases} 0, & t \le t_{tk} \\ D_{tk} \times e^{-\frac{16 \times (t - t_{tk} - \frac{T_t}{2})^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$
$t_{tk}$ denotes the release time of the k-th attack tool; $D_{tk}$ denotes the severity of the k-th attack tool and is a preset value; $T_t$ denotes the time period an attack tool needs to produce its damaging effect and is a preset value;
and/or,
the attack event threat index is determined according to ;
where $f_e(t)$ denotes the overall threat index of all attack events; t denotes time; $f_{ei}(t)$ denotes the threat index of the i-th attack event;
$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$
$t_{ei}$ denotes the release time of the i-th attack event; $D_{ei}$ denotes the severity of the i-th attack event and is a preset value; $T_e$ denotes the time period an attack event needs to produce its damaging effect and is a preset value.
6. A device for determining a network threat level, characterized by comprising:
an acquisition module, configured to obtain network threat information comprising the disclosure time, inclusion time and vulnerability coefficient of vulnerability information, wherein the disclosure time denotes the time at which the vulnerability is first discovered in forum information or tool samples, the inclusion time denotes the time at which the vulnerability is included in Common Vulnerabilities and Exposures (CVE), and the vulnerability coefficient denotes the severity of the vulnerability information;
a processing module, configured to determine the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where t denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the inclusion time; $T_v$ denotes the time needed for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure FDA00001684348400043
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; α and β are positive numbers satisfying $\alpha + \beta < 1$.
7. The device according to claim 6, characterized in that the network threat information obtained by the acquisition module further comprises any one or more of the following: patch information, attack tool release times and attack event release times; wherein the patch information comprises an unofficial patch release time and an official patch release time; the unofficial patch release time denotes the time at which a temporary patch or third-party patch is first released before the official patch; the official patch release time denotes the time at which the official patch is first released; the attack tool release time denotes the time at which the attack signature of each attack tool is first discovered or a downloadable version of the attack tool first appears on the network; and the attack event release time denotes the earliest time at which a verifiable attack event began.
8. The device according to claim 7, characterized in that the processing module is specifically configured to: obtain the patch threat index $f_p(t)$ from the patch information, and/or obtain the attack tool threat index $f_t(t)$ from the attack tool release times, and/or obtain the attack event threat index $f_e(t)$ from the attack event release times; and determine the network threat level from the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
9. The device according to claim 8, characterized in that the processing module is specifically configured to determine the network threat level according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ k D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ k D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where t denotes time; $D_v$ denotes the vulnerability coefficient; k denotes a preset weighting parameter that is determined by the release of the unofficial patch; $T_v$ denotes the time needed for the vulnerability information to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, then
Figure FDA00001684348400052
$t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is its inclusion time; $t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; α and β are preset positive numbers satisfying $\alpha + \beta < 1$;
and/or the processing module is specifically configured to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; t denotes time; $D_{p0}$ denotes the remediation effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation effect parameter of the official patch, preset to 1; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect, and is a preset value; $t_{p0}$ denotes the first release time of the unofficial patch; $t_{p1}$ denotes the first release time of the official patch; and $t_{p1} - t_{p0} \le T_p$;
or the processing module is specifically configured to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; t denotes time; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect, and is a preset value; $D_p$ denotes the remediation effect parameter of the patch; if only an unofficial patch has been released, or both an unofficial patch and an official patch have been released but $t_{p1} - t_{p0} > T_p$, then $t_p = t_{p0}$ and $D_p = 0.5$; if only an official patch has been released, then $t_p = t_{p1}$ and $D_p = 1$;
and/or the processing module is specifically configured to:
determine the attack tool threat index according to
Figure FDA00001684348400062
;
where $f_t(t)$ denotes the overall threat index of all attack tools; t denotes time; $f_{tk}(t)$ denotes the threat index of the k-th attack tool;
$$f_{tk}(t) = \begin{cases} 0, & t \le t_{tk} \\ D_{tk} \times e^{-\frac{16 \times (t - t_{tk} - \frac{T_t}{2})^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$
$t_{tk}$ denotes the release time of the k-th attack tool; $D_{tk}$ denotes the severity of the k-th attack tool and is a preset value; $T_t$ denotes the time period an attack tool needs to produce its damaging effect and is a preset value;
and/or the processing module is specifically configured to:
determine the attack event threat index according to ;
where $f_e(t)$ denotes the overall threat index of all attack events; t denotes time; $f_{ei}(t)$ denotes the threat index of the i-th attack event;
$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$
$t_{ei}$ denotes the release time of the i-th attack event; $D_{ei}$ denotes the severity of the i-th attack event and is a preset value; $T_e$ denotes the time period an attack event needs to produce its damaging effect and is a preset value.
CN201210167091.9A 2012-05-25 2012-05-25 Method and device for determining network threat level Active CN102739649B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210167091.9A CN102739649B (en) 2012-05-25 2012-05-25 Method and device for determining network threat level

Publications (2)

Publication Number Publication Date
CN102739649A true CN102739649A (en) 2012-10-17
CN102739649B CN102739649B (en) 2014-11-26

Family

ID=46994434

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210167091.9A Active CN102739649B (en) 2012-05-25 2012-05-25 Method and device for determining network threat level

Country Status (1)

Country Link
CN (1) CN102739649B (en)

Also Published As

Publication number Publication date
CN102739649B (en) 2014-11-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100089 3rd floor, Yitai building, 4 Beiwa Road, Haidian District, Beijing

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Address before: 100089 3rd floor, Yitai building, 4 Beiwa Road, Haidian District, Beijing

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.