CN107360188B - Website risk value evaluation method and device based on cloud protection and cloud monitoring system - Google Patents


Publication number
CN107360188B
Authority
CN
China
Prior art keywords
target website
influence
risk value
risk
event
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710732558.2A
Other languages
Chinese (zh)
Other versions
CN107360188A (en)
Inventor
蒋海峰
范渊
黄进
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201710732558.2A
Publication of CN107360188A
Application granted
Publication of CN107360188B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1433: Vulnerability analysis

Abstract

The invention provides a website risk value evaluation method and device based on cloud protection and a cloud monitoring system, and relates to the technical field of network security, wherein the method comprises the following steps: acquiring monitoring data of a target website, wherein the monitoring data comprises monitoring data of different influence factors, and the influence factors comprise: attack events, WEB vulnerability events, historical invasion events; respectively calculating risk values of the target website under the influence of different influence factors to obtain a plurality of risk values; and calculating the weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability of the target website being attacked. The method can comprehensively and accurately evaluate the risk value of the website through comprehensive analysis of multiple aspects of historical invasion events, WEB vulnerability events and attacked events, and can even provide the risk value as threat information data to other security manufacturers to realize information sharing.

Description

Website risk value evaluation method and device based on cloud protection and cloud monitoring system
Technical Field
The invention relates to the technical field of network security, in particular to a website risk value evaluation method and device based on cloud protection and a cloud monitoring system.
Background
In the Internet era, websites play an important role in publishing information and transmitting data across all industries. Among them, portal sites are becoming increasingly important as the public image and publicity medium of governments, enterprises and public institutions.
In recent years, a large number of attacks and intrusion behaviors occur in a network space at any time, and the occurrence frequency of the attacks and the intrusion behaviors is in an exponential rising trend, so that monitoring on network security becomes more and more important. The existing website security monitoring and risk value evaluation only rely on the statistical analysis of risk vulnerability events, and cannot comprehensively monitor the security of the website.
At present, no effective solution has been proposed to the above problems.
Disclosure of Invention
In view of the above, the present invention provides a website risk value assessment method and apparatus based on cloud protection and a cloud monitoring system, which can comprehensively and accurately assess a risk value of a website through comprehensive analysis of historical invasion events, WEB vulnerability events, and attacked events in many aspects.
In a first aspect, an embodiment of the present invention provides a website risk value evaluation method based on cloud protection and a cloud monitoring system, including:
acquiring monitoring data of a target website, wherein the monitoring data comprises monitoring data of different influence factors, and the influence factors comprise: attack events, WEB vulnerability events, historical invasion events;
respectively calculating risk values of the target website under the influence of different influence factors to obtain a plurality of risk values;
and calculating the weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability of the target website being attacked.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the calculating the risk values of the target website under the influence of different influence factors respectively to obtain a plurality of risk values includes:
determining the influencing sub-factors of the attacked event, wherein the influencing sub-factors include: attack time period, attack level;
according to the data belonging to the attacked event in the monitoring data, calculating a first risk value of the target website under the influence of the attacked time period and calculating a second risk value of the target website under the influence of the attacked level;
and calculating the weighted sum of the first risk value and the second risk value to obtain the risk value of the target website under the influence of the attack event.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the attack time period includes multiple time periods, and the calculating a first risk value of the target website under the influence of the attack time period includes:
respectively extracting the attacked times of the target website in each time period from the data belonging to the attacked events in the monitoring data;
calculating a risk value of the target website under the influence of each time period according to the attacked times of the target website in each time period;
and calculating the weighted sum of the risk values of the target website under the influence of a plurality of time periods, and calculating to obtain a first risk value.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where calculating, according to the number of times of attacks on the target website in each time period, a risk value of the target website under the influence of each time period includes:
calculating, through the equation $P_i = K_i / N_i$, a risk value of the target website under the influence of time period i, wherein i denotes the i-th of the multiple time periods, i takes the values 1 to m in sequence, m is the number of time periods, $P_i$ is the risk value of the target website under the influence of time period i, $K_i$ is the number of attacks on the target website in time period i, and $N_i$ is the total number of attacks on the target website over the multiple time periods.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where calculating a second risk value of a target website under the influence of an attack level includes:
respectively extracting the attacked times of the target website and the accessed times of the target website from the data belonging to the attacked events in the monitoring data;
calculating, through the equation $C_{12} = V_{12}$, a second risk value of the target website under the influence of the attack level, wherein $C_{12}$ is the second risk value and $V_{12}$ is the attack frequency, with $V_{12} = N_T / (N_T + N_V)$, wherein $N_T$ represents the number of attacks on the target website and $N_V$ represents the number of times the target website was accessed.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the calculating the risk values of the target website under the influence of different influence factors to obtain multiple risk values respectively further includes:
dividing the WEB vulnerability event into target levels according to the severity of vulnerability risks, wherein the target levels comprise: the method comprises the following steps of (1) an emergency level, a high-risk event level, a medium-risk event level, a low-risk event level and an information event level;
extracting the number of vulnerabilities corresponding to each target level of the target website in the current month from the data of the WEB vulnerability events in the monitoring data to obtain at least one group of vulnerability numbers;
calculating the weighted sum of the number of at least one group of vulnerabilities to obtain a risk value of the target website under the influence of the WEB vulnerability events of the current month;
and calculating to obtain a risk value of the target website under the influence of the WEB vulnerability event according to the risk value of the target website under the influence of the WEB vulnerability event in the current month and the month attenuation rate of the preset vulnerability risk value.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where calculating a weighted sum of at least one group of vulnerability numbers to obtain a risk value of a target website under the influence of a WEB vulnerability event in a current month includes:
calculating, according to the equation
Figure BDA0001387190770000041
a risk value of the target website under the influence of the WEB vulnerability event of the current month;
wherein $C_{2m}$ is the risk value of the target website under the influence of the WEB vulnerability event in the current month, $C_{21}$ is the ratio of the number of emergency-level vulnerabilities to the total number of vulnerabilities, $C_{22}$ is the ratio of the number of high-risk vulnerabilities to the total number of vulnerabilities, $C_{23}$ is the ratio of the number of medium-risk vulnerabilities to the total number of vulnerabilities, $C_{24}$ is the ratio of the number of low-risk vulnerabilities to the total number of vulnerabilities, $C_{25}$ is the ratio of the number of information-level vulnerabilities to the total number of vulnerabilities,
Figure BDA0001387190770000042
With reference to the first aspect, an embodiment of the present invention provides a seventh possible implementation manner of the first aspect, where calculating a risk value of a target website under the influence of a WEB vulnerability event according to a risk value of the target website under the influence of the WEB vulnerability event in a current month and a preset vulnerability risk value month attenuation rate includes:
calculating, according to the equation
Figure BDA0001387190770000043
the risk value of the target website under the influence of WEB vulnerability events, wherein $C_V$ is the risk value of the target website under the influence of WEB vulnerability events, NI is the value of i at which $1 - C_{2mi} < 1$ first occurs, and $C_{2mi}$ is the risk value of the target website under the influence of the WEB vulnerability event in the i-th month.
With reference to the first aspect, an embodiment of the present invention provides an eighth possible implementation manner of the first aspect, where the calculating the risk values of the target website under the influence of different influence factors to obtain multiple risk values respectively further includes:
calculating, according to the equation $C_{stmp} = I(\mathrm{Domain} \in E)$, a risk value of the target website under the influence of historical intrusion events of the current month, wherein $C_{stmp}$ is the risk value of the target website under the influence of the historical intrusion event of the current month, I is an indicator function whose value is 0 when $\mathrm{Domain} \in E$ does not hold and 1 otherwise, and $\mathrm{Domain} \in E$ represents whether the target website has an intrusion event in the current month;
and calculating, according to the equation $C_S = C_{stmp} \cdot 0.9^{i}$, a risk value of the target website under the influence of the historical intrusion event, wherein i is the difference between the current month and the target month, 0.9 is the preset monthly attenuation rate of the historical intrusion risk value, and the target month is the month in which an intrusion event was most recently found on the target website.
In a second aspect, an embodiment of the present invention provides a website risk value evaluation device based on cloud protection and a cloud monitoring system, including:
the influence factor data acquisition module is used for acquiring monitoring data of a target website, the monitoring data comprises monitoring data of different influence factors, and the influence factors comprise: attack events, WEB vulnerability events, historical invasion events;
each influence factor risk value calculation module is used for calculating the risk values of the target website under the influence of different influence factors respectively to obtain a plurality of risk values;
and the website risk value comprehensive module is used for calculating the weighted sum of the plurality of risk values to obtain the risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the attack probability of the target website.
The embodiment of the invention has the following beneficial effects:
in the website risk value evaluation method based on cloud protection and a cloud monitoring system provided by the embodiment of the invention, a server firstly obtains monitoring data of a target website, and the monitoring data is obtained based on a cloud protection platform and the cloud monitoring system. The monitoring data comprises monitoring data belonging to different influence factors (an attacked event, a WEB vulnerability event and a historical invasion event), and then risk values of the target website under the influence of the different influence factors are respectively calculated to obtain a plurality of risk values; and finally, calculating the weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability of the target website being attacked. The method can comprehensively and accurately evaluate the risk value of the website through comprehensive analysis of multiple aspects of historical invasion events, WEB vulnerability events and attacked events, and can even provide the risk value as threat information data to other security manufacturers to realize information sharing.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a website risk value evaluation method based on a cloud protection and cloud monitoring system according to an embodiment of the present invention;
Fig. 2 is a flowchart of another website risk value evaluation method based on a cloud protection and cloud monitoring system according to an embodiment of the present invention;
Fig. 3 is a flowchart of another website risk value evaluation method based on cloud protection and a cloud monitoring system according to an embodiment of the present invention;
Fig. 4 is a flowchart of another website risk value evaluation method based on cloud protection and a cloud monitoring system according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a website risk value evaluation device based on a cloud protection and cloud monitoring system according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The existing website security monitoring and risk value evaluation only rely on the statistical analysis of risk vulnerability events, and the security of the website cannot be comprehensively monitored. Based on this, the website risk value evaluation method and device based on the cloud protection and cloud monitoring system provided by the embodiment of the invention can comprehensively and accurately evaluate the risk value of the website through comprehensive analysis of historical invasion events, WEB vulnerability events and attacked events in many aspects.
To facilitate understanding of the embodiment, first, a positioning method of a network device disclosed in the embodiment of the present invention is described in detail.
The first embodiment is as follows:
The embodiment of the invention provides a website risk value evaluation method based on a cloud protection and cloud monitoring system, which comprises the following steps, as shown in Fig. 1:
S101: Acquiring monitoring data of a target website, wherein the monitoring data comprises monitoring data of different influence factors, and the influence factors comprise: attack events, WEB vulnerability events, historical intrusion events.
The cloud protection platform can effectively analyze, calculate and intercept network attacks and intrusion behaviors, specifically, can clean access flow of a managed website, intercept the attack behaviors, release normal access to guarantee safe operation of a rear website, and record access and attack records in a real-time stream processing mode.
The cloud monitoring system can detect basic resource information, security events, website vulnerabilities and website fingerprint information of a website, and can timely find risk vulnerabilities, intrusion events, high-risk ports and other risk information of the monitored website.
In this embodiment, based on the cloud protection platform and the cloud monitoring system, the server first obtains monitoring data of a target website, where the target website is a website that needs to be subjected to risk value evaluation at present. The monitoring data includes monitoring data of various influence factors, such as: data of an attacked event, a WEB vulnerability event and a historical invasion event.
S102: Respectively calculating the risk values of the target website under the influence of different influence factors to obtain a plurality of risk values.
The risk values of the target website under the influence of the different influence factors are calculated from the acquired monitoring data of those influence factors. Specifically, they are: the risk value of the target website under the influence of the attack event, the risk value of the target website under the influence of the WEB vulnerability event, and the risk value of the target website under the influence of the historical invasion event.
S103: Calculating the weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability of the target website being attacked.
Finally, the risk values of the target website under the influence of the plurality of influence factors are combined in a weighted sum to obtain the risk value comprehensive score of the target website.
The specific formula is as follows:
$C = \lambda_1 C_A + \lambda_2 C_V + \lambda_3 C_S$
wherein C is the risk value comprehensive score of the target website, $C_A$ is the risk value of the target website under the influence of the attack event, $C_V$ is the risk value of the target website under the influence of WEB vulnerability events, and $C_S$ is the risk value of the target website under the influence of the historical invasion event. $\lambda_i$ (i = 1, 2, 3) is the calculation weight of each dimension, with $\lambda_1 + \lambda_2 + \lambda_3 = 1$; in the embodiment of the present invention, the weights may be set to 2:3:5.
Step S102 (respectively calculating risk values of the target website under the influence of different influence factors to obtain a plurality of risk values) is elaborated below:
(1) Calculating a risk value of the target website under the influence of the attack event, specifically referring to Fig. 2:
S201: Determining the influencing sub-factors of the attacked event, wherein the influencing sub-factors include: attack time period, attack level.
S202: Calculating a first risk value of the target website under the influence of the attack time period and a second risk value of the target website under the influence of the attack level according to the data belonging to the attack event in the monitoring data.
The calculated first risk value is recorded as $C_{11}$ and the second risk value is recorded as $C_{12}$.
S203: and calculating the weighted sum of the first risk value and the second risk value to obtain the risk value of the target website under the influence of the attack event.
The specific calculation formula is as follows:
Figure BDA0001387190770000091
wherein $C_A$ is the risk value of the target website under the influence of the attack event, $C_{11}$ is the first risk value of the target website under the influence of the attack time period, $C_{12}$ is the second risk value of the target website under the influence of the attack level, and $\lambda_{1i}$ is the weight of each influencing sub-factor; the weights may be set to 1:1.
The calculation of the first risk value $C_{11}$ and the second risk value $C_{12}$ is explained in detail below:
A: Calculating the first risk value $C_A$ of the target website under the influence of the attack time period; referring to Fig. 3, this specifically includes the following steps:
S301: Respectively extracting the number of attacks on the target website in each time period from the data belonging to the attack events in the monitoring data.
S302: Calculating the risk value of the target website under the influence of each time period according to the number of attacks on the target website in each time period.
Through the equation $P_i = K_i / N_i$, a risk value of the target website under the influence of time period i is calculated, wherein i denotes the i-th of the multiple time periods, i takes the values 1 to m in sequence, m is the number of time periods, $P_i$ is the risk value of the target website under the influence of time period i, $K_i$ is the number of attacks on the target website in time period i, and $N_i$ is the total number of attacks on the target website over the multiple time periods.
To improve the accuracy of the website risk assessment, attack times need to be processed per region, using IP-based geographic location features. For example, according to people's off-duty and sleeping habits, the 24 hours of a day can be divided into the following time periods, each counted separately.
TABLE 1
| Serial number | Time period | Score = number of attacks in the time period / total number of attacks |
|---|---|---|
| 1 | 22:00~08:00 | $C_{111}$ (corresponding to $P_1$ above) |
| 2 | 08:00~18:00 | $C_{112}$ (corresponding to $P_2$ above) |
| 3 | 18:00~22:00 | $C_{113}$ (corresponding to $P_3$ above) |
Hackers prefer to launch attacks during off-hours, and users generally respond significantly more slowly to an incident during off-hours. The first risk value is therefore calculated as:
Figure BDA0001387190770000101
wherein $C_{11}$ is the first risk value of the target website under the influence of the attack time period, $C_{11i}$ is the risk value of the target website under the influence of time period i, and $\lambda_{11i}$ (i = 1, 2, 3) is the weight of each attack time period, and
Figure BDA0001387190770000102
in the embodiment of the present invention, the weights are set to 5:1:2.
S303: Calculating the weighted sum of the risk values of the target website under the influence of a plurality of time periods to obtain a first risk value.
B: Calculating a second risk value of the target website under the influence of the attack level, specifically comprising:
Respectively extracting the number of attacks on the target website and the number of times the target website was accessed from the data belonging to the attacked events in the monitoring data.
Through the equation $C_{12} = V_{12}$, a second risk value of the target website under the influence of the attack level is calculated, wherein $C_{12}$ is the second risk value and $V_{12}$ is the attack frequency, with $V_{12} = N_T / (N_T + N_V)$, wherein $N_T$ represents the number of attacks on the target website and $N_V$ represents the number of times the target website was accessed.
(2) Calculating the risk value $C_V$ of the target website under the influence of WEB vulnerability events; see Fig. 4 for details:
S401: Dividing the WEB vulnerability event into target levels according to the severity of vulnerability risks, wherein the target levels comprise: the emergency level, the high-risk event level, the medium-risk event level, the low-risk event level and the information event level.
S402: Extracting the number of vulnerabilities of the target website at each target level in the current month from the data of the WEB vulnerability events in the monitoring data to obtain at least one group of vulnerability numbers.
S403: Calculating the weighted sum of the at least one group of vulnerability numbers to obtain a risk value of the target website under the influence of the WEB vulnerability event of the current month.
According to the equation
Figure BDA0001387190770000111
a risk value of the target website under the influence of the WEB vulnerability event of the current month is calculated,
wherein $C_{2m}$ is the risk value of the target website under the influence of the WEB vulnerability event in the current month, $C_{21}$ is the ratio of the number of emergency-level vulnerabilities to the total number of vulnerabilities, $C_{22}$ is the ratio of the number of high-risk vulnerabilities to the total number of vulnerabilities, $C_{23}$ is the ratio of the number of medium-risk vulnerabilities to the total number of vulnerabilities, $C_{24}$ is the ratio of the number of low-risk vulnerabilities to the total number of vulnerabilities, $C_{25}$ is the ratio of the number of information-level vulnerabilities to the total number of vulnerabilities, and $\lambda_{2i}$ are the weights of the different target levels, and
Figure BDA0001387190770000112
in the embodiment of the present invention, the weights may be set to 20:15:5:2:1.
S404: Calculating a risk value of the target website under the influence of the WEB vulnerability event according to the risk value of the target website under the influence of the WEB vulnerability event in the current month and the preset monthly attenuation rate of the vulnerability risk value.
According to the equation
Figure BDA0001387190770000113
the risk value of the target website under the influence of WEB vulnerability events is calculated, wherein $C_V$ is the risk value of the target website under the influence of WEB vulnerability events, NI is the value of i at which $1 - C_{2mi} < 1$ first occurs, and $C_{2mi}$ is the risk value of the target website under the influence of the WEB vulnerability event in the i-th month.
For example, if $C_{2m1} > 1$, then i is 1; if $C_{2m1} = 0$ and $C_{2m2} > 1$, then i takes 2, and so on.
(3) Calculating the risk value $C_S$ of the target website under the influence of historical invasion events, which specifically comprises the following steps:
According to the equation $C_{stmp} = I(\mathrm{Domain} \in E)$, the risk value of the target website under the influence of the historical intrusion events of the current month is calculated,
wherein $C_{stmp}$ is the risk value of the target website under the influence of historical intrusion events of the current month, I is an indicator function whose value is 0 when $\mathrm{Domain} \in E$ does not hold and 1 otherwise, and $\mathrm{Domain} \in E$ indicates whether the target website had an intrusion event in the current month.
According to the equation $C_S = C_{stmp} \cdot 0.9^{i}$, the risk value of the target website under the influence of the historical invasion event is calculated,
wherein i is the difference between the current month and the target month, 0.9 is the preset monthly attenuation rate of the historical intrusion risk value, and the target month is the month in which an intrusion event was most recently found on the target website.
In the website risk value evaluation method based on cloud protection and a cloud monitoring system provided by the embodiment of the invention, a server firstly obtains monitoring data of a target website, and the monitoring data is obtained based on a cloud protection platform and the cloud monitoring system. The monitoring data comprises monitoring data belonging to different influence factors (an attacked event, a WEB vulnerability event and a historical invasion event), and then risk values of the target website under the influence of the different influence factors are respectively calculated to obtain a plurality of risk values; and finally, calculating the weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability of the target website being attacked. The method can comprehensively and accurately evaluate the risk value of the website through comprehensive analysis of multiple aspects of historical invasion events, WEB vulnerability events and attacked events, and can even provide the risk value as threat information data to other security manufacturers to realize information sharing.
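The scoring pipeline of steps S101 to S103, as an added Python example that is not code from the patent. Function names and sample numbers are constructed; weight ratios are normalised to sum to 1, and because the page's equation for $C_V$ survives only as a figure reference, the decay form and rate used in `vuln_risk` are assumptions modelled on the $C_S$ formula.

```python
"""Composite website risk score following the weighted-sum scheme in the text.

Added illustration: all function names and sample inputs are constructed.
"""


def normalise(ratio):
    """Turn a ratio such as 2:3:5 into weights that sum to 1."""
    total = float(sum(ratio))
    return [r / total for r in ratio]


def weighted_sum(weights, values):
    return sum(w * v for w, v in zip(weights, values))


# Weight ratios stated in the text.
W_TOTAL = normalise((2, 3, 5))          # C_A : C_V : C_S
W_ATTACK = normalise((1, 1))            # C_11 : C_12
W_PERIOD = normalise((5, 1, 2))         # 22:00~08:00, 08:00~18:00, 18:00~22:00
W_LEVEL = normalise((20, 15, 5, 2, 1))  # emergency, high, medium, low, information
INTRUSION_DECAY = 0.9                   # monthly attenuation rate given for C_S
ASSUMED_VULN_DECAY = 0.9                # ASSUMPTION: the page gives no rate for C_V


def period_of(hour):
    """Row of Table 1 (0-based) for an hour 0-23, in the site's local time."""
    if hour >= 22 or hour < 8:
        return 0
    return 1 if hour < 18 else 2


def attack_risk(attack_hours, n_visits):
    """C_A from the hours at which attacks occurred and the access count N_V."""
    n_attacks = len(attack_hours)
    if n_attacks == 0:
        return 0.0                      # no attacks recorded: avoid dividing by zero
    counts = [0, 0, 0]
    for hour in attack_hours:
        counts[period_of(hour)] += 1
    p = [k / n_attacks for k in counts]            # P_i = K_i / N_i
    c11 = weighted_sum(W_PERIOD, p)                # first risk value
    c12 = n_attacks / (n_attacks + n_visits)       # V_12 = N_T / (N_T + N_V)
    return weighted_sum(W_ATTACK, [c11, c12])


def monthly_vuln_risk(counts_by_level):
    """C_2m: weighted sum of each level's share of the month's vulnerabilities."""
    total = sum(counts_by_level)
    if total == 0:
        return 0.0
    return weighted_sum(W_LEVEL, [c / total for c in counts_by_level])


def vuln_risk(monthly_counts, decay=ASSUMED_VULN_DECAY):
    """C_V from per-month level counts, newest month first.

    ASSUMPTION: take the most recent month with a non-zero C_2m and attenuate
    it once per elapsed month; the patent's own equation is not on the page.
    """
    for months_ago, counts in enumerate(monthly_counts):
        c2m = monthly_vuln_risk(counts)
        if c2m > 0:
            return c2m * decay ** months_ago
    return 0.0


def intrusion_risk(months_since_last_intrusion):
    """C_S = C_stmp * 0.9^i; None means no intrusion event was ever found."""
    if months_since_last_intrusion is None:
        return 0.0                      # indicator function evaluates to 0
    return 1.0 * INTRUSION_DECAY ** months_since_last_intrusion


def composite(c_a, c_v, c_s):
    """C = lambda_1*C_A + lambda_2*C_V + lambda_3*C_S with weights 2:3:5."""
    return weighted_sum(W_TOTAL, [c_a, c_v, c_s])


def demo():
    """Score one constructed site: 8 attacks, 792 normal visits."""
    c_a = attack_risk([23, 2, 3, 1, 10, 14, 19, 23], n_visits=792)
    c_v = vuln_risk([[1, 2, 3, 4, 10]])
    c_s = intrusion_risk(2)
    return {"C_A": c_a, "C_V": c_v, "C_S": c_s, "C": composite(c_a, c_v, c_s)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value:.4f}")
```

With the 2:3:5 weighting, a single intrusion found two months ago contributes more to the final score than the attack and vulnerability factors combined in this sample, which is worth knowing when tuning thresholds on the composite value.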
Example two:
An embodiment of the present invention provides a website risk value evaluation device based on a cloud protection and cloud monitoring system. As shown in Fig. 5, the device includes: an influence factor data acquisition module 51, an influence factor risk value calculation module 52 and a website risk value synthesis module 53.
The influence factor data obtaining module 51 is configured to obtain monitoring data of a target website, where the monitoring data includes monitoring data of different influence factors, and the influence factors include: attack events, WEB vulnerability events, historical invasion events; each influence factor risk value calculation module 52 is configured to calculate risk values of the target website under influence of different influence factors, respectively, to obtain a plurality of risk values; and the website risk value comprehensive module 53 calculates a weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability that the target website is attacked.
In the website risk value evaluation device based on the cloud protection and cloud monitoring system provided by the embodiment of the invention, each module has the same technical characteristics as the website risk value evaluation method based on the cloud protection and cloud monitoring system, so that the functions can be realized. The specific working process of each module in the device refers to the above method embodiment, and is not described herein again.
The computer program product of the website risk value evaluation method based on the cloud protection and cloud monitoring system provided by the embodiment of the invention includes a computer readable storage medium storing a nonvolatile program code executable by a processor, and instructions included in the program code may be used for executing the method described in the foregoing method embodiment.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatus and the electronic device described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A website risk value assessment method based on cloud protection and a cloud monitoring system is characterized by comprising the following steps:
acquiring monitoring data of a target website, wherein the monitoring data comprises monitoring data of different influence factors, and the influence factors comprise: attack events, WEB vulnerability events, historical invasion events;
respectively calculating risk values of the target website under the influence of different influence factors to obtain a plurality of risk values;
calculating the weighted sum of the plurality of risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability of the target website being attacked;
wherein, the calculating the risk values of the target website under the influence of different influence factors to obtain a plurality of risk values respectively further includes:
dividing the WEB vulnerability event into target levels according to the severity of vulnerability risks, wherein the target levels comprise: an emergency level, a high-risk event level, a medium-risk event level, a low-risk event level and an information event level;
extracting the number of the vulnerabilities corresponding to the target website at each target level in the current month from the data belonging to the WEB vulnerability event in the monitoring data to obtain at least one group of vulnerability numbers;
calculating the weighted sum of the at least one group of vulnerability numbers to obtain a risk value of the target website under the influence of the WEB vulnerability event of the current month;
and calculating to obtain a risk value of the target website under the influence of the WEB vulnerability event according to the risk value of the target website under the influence of the WEB vulnerability event in the current month and a preset vulnerability risk value month attenuation rate.
2. The method of claim 1, wherein calculating the risk values of the target website under the influence of different influence factors respectively to obtain a plurality of risk values comprises:
determining influence sub-factors of the attack event, the influence sub-factors including: attack time period and attack level;
according to the data belonging to the attacked event in the monitoring data, calculating a first risk value of the target website under the influence of the attacked time period and calculating a second risk value of the target website under the influence of the attacked level;
and calculating the weighted sum of the first risk value and the second risk value to obtain the risk value of the target website under the influence of the attack event.
3. The method of claim 2, wherein the attack time period comprises a plurality of time periods, and wherein calculating the first risk value for the target website under the influence of the attack time period comprises:
respectively extracting the attack times of the target website in each time period from the data belonging to the attack event in the monitoring data;
calculating a risk value of the target website under the influence of each time period according to the attack times of the target website in each time period;
and calculating the weighted sum of the risk values of the target website under the influence of a plurality of time periods to obtain the first risk value.
4. The method of claim 3, wherein the calculating the risk value of the target website under the influence of each time period according to the attack times of the target website in each time period comprises:
calculating a risk value of the target website under the influence of a time period $i$ through the equation $P_i = K_i / N_i$, wherein $i$ is the $i$-th time period in the multiple time periods, $i$ takes the values 1 to $m$ in sequence, $m$ is the number of the multiple time periods, $P_i$ is the risk value of the target website under the influence of the time period $i$, $K_i$ is the number of times the target website is attacked in the time period $i$, and $N_i$ is the total number of times the target website is attacked in the multiple time periods.
5. The method of claim 2, wherein calculating a second risk value for the target website under the influence of the attack level comprises:
respectively extracting the attacked times of the target website and the accessed times of the target website from the data belonging to the attacked event in the monitoring data;
calculating a second risk value of the target website under the influence of the attack level through the equation $C_{12} = V_{12}$, wherein $C_{12}$ is said second risk value and $V_{12}$ is the attack frequency; and $V_{12} = N_T / (N_T + N_V)$, wherein $N_T$ represents the number of times the target website is attacked and $N_V$ represents the number of times the target website is accessed.
6. The method according to claim 1, wherein the calculating a weighted sum of the at least one group of vulnerability numbers to obtain a risk value of the target website under the influence of the WEB vulnerability event in the current month comprises:
according to the equation
Figure FDA0002313412040000031
calculating a risk value of the target website under the influence of the WEB vulnerability event of the current month;
wherein $C_{2m}$ is the risk value of the target website under the influence of the WEB vulnerability event in the current month, $C_{21}$ is the ratio of the number of emergency-level vulnerabilities to the total number of vulnerabilities, $C_{22}$ is the ratio of the number of high-risk vulnerabilities to the total number of vulnerabilities, $C_{23}$ is the ratio of the number of medium-risk vulnerabilities to the total number of vulnerabilities, $C_{24}$ is the ratio of the number of low-risk vulnerabilities to the total number of vulnerabilities, and $C_{25}$ is the ratio of the number of information-level vulnerabilities to the total number of vulnerabilities,
Figure FDA0002313412040000032
7. The method according to claim 6, wherein the step of calculating the risk value of the target website under the influence of the WEB vulnerability event according to the risk value of the target website under the influence of the WEB vulnerability event in the current month and a preset vulnerability risk value month attenuation rate comprises the steps of:
according to the equation
Figure FDA0002313412040000033
calculating a risk value of the target website under the influence of the WEB vulnerability event, wherein $C_V$ is the risk value of the target website under the influence of the WEB vulnerability event, $N$ is the value of $i$ at which $1 - C_{2mi} < 1$ first occurs, and $C_{2mi}$ is the risk value of the target website under the influence of the WEB vulnerability event in the $i$-th month.
8. The method of claim 1, wherein calculating the risk values of the target website under the influence of different influence factors to obtain a plurality of risk values respectively, further comprises:
according to the equation $C_{stmp} = I(Domain \in E)$, calculating a risk value of the target website under the influence of the historical intrusion events of the current month, wherein $C_{stmp}$ is the risk value of the target website under the influence of the historical intrusion events of the current month, $I$ is an indicator function whose value is 0 when $Domain \in E$ does not hold and 1 otherwise, and $Domain \in E$ indicates whether the target website has had an intrusion event in the current month;
according to the equation $C_s = C_{stmp} \times 0.9^{i}$, calculating a risk value of the target website under the influence of the historical intrusion event, wherein $i$ is the difference between the current month and a target month, 0.9 is a preset monthly attenuation rate of the historical intrusion risk value, and the target month is the month in which an intrusion event was most recently found on the target website.
9. A website risk value evaluation device based on a cloud protection and cloud monitoring system, characterized by comprising:
the influence factor data acquisition module is used for acquiring monitoring data of a target website, wherein the monitoring data comprises monitoring data belonging to different influence factors, and the influence factors comprise: attack events, WEB vulnerability events, historical invasion events;
each influence factor risk value calculation module is used for calculating the risk values of the target website under the influence of different influence factors to obtain a plurality of risk values;
the website risk value comprehensive module is used for calculating the weighted sum of the risk values to obtain a risk value comprehensive score of the target website, wherein the risk value comprehensive score is used for determining the probability that the target website is attacked;
wherein each influence factor risk value calculation module further includes:
dividing the WEB vulnerability event into target levels according to the severity of vulnerability risks, wherein the target levels comprise: an emergency level, a high-risk event level, a medium-risk event level, a low-risk event level and an information event level;
extracting the number of the vulnerabilities corresponding to the target website at each target level in the current month from the data belonging to the WEB vulnerability event in the monitoring data to obtain at least one group of vulnerability numbers;
calculating the weighted sum of the at least one group of vulnerability numbers to obtain a risk value of the target website under the influence of the WEB vulnerability event of the current month;
and calculating to obtain a risk value of the target website under the influence of the WEB vulnerability event according to the risk value of the target website under the influence of the WEB vulnerability event in the current month and a preset vulnerability risk value month attenuation rate.
CN201710732558.2A 2017-08-23 2017-08-23 Website risk value evaluation method and device based on cloud protection and cloud monitoring system Active CN107360188B (en)


Publications (2)

Publication Number Publication Date
CN107360188A CN107360188A (en) 2017-11-17
CN107360188B true CN107360188B (en) 2020-03-17

Family

ID=60289836


Country Status (1)

Country Link
CN (1) CN107360188B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 188 Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province

Applicant after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Applicant before: Dbappsecurity Co.,ltd.

GR01 Patent grant