White environment trust analysis method using multi-indicator scoring for dedicated hosts
Technical field
The invention belongs to the field of white environment analysis, and in particular relates to a white environment trust analysis method using multi-indicator scoring for dedicated hosts.
Background technology
Dedicated host protection products currently on the market fall into two major classes: 1. host protection based on blacklists; 2. host protection based on whitelist technology.
Common blacklist-based host protection products, such as anti-virus software and worm removal tools, rely mainly on virus databases, worm databases and similar means to provide security protection. By the time such a product detects a threat, the threat has often already caused harm, and in many important settings (such as intranets and classified networks) the feature database is frequently not updated in time.
With the rapid development of host penetration techniques, unknown attack types such as APT and zero-day attacks have become the main problem of current cyberspace security. Technical means that depend on virus databases and worm databases have difficulty coping with this kind of novel threat.
In view of the above analysis, the idea of building a white environment for each domain-specific host on the basis of whitelist technology has been proposed.
Network monitoring and protection devices are deployed at key points inside the IT system, at the interconnection boundaries between the IT system and other internal systems, and at the boundary to external networks. The network is monitored in real time, and all monitoring data are sent to a security management center for unified statistical analysis and feature extraction. According to the analysis results, different security countermeasures are applied to the normal, abnormal, illegal and malicious data streams, blocking malicious attacks and illegitimate traffic so that the data flows in the system remain normal and clean. We call such an environment a white environment.
The white environment of a dedicated host based on whitelist technology is divided into a process white environment, a network traffic white environment and a peripheral white environment. For dedicated host protection, whitelist technology can be implemented by a one-time solidification at the initial deployment stage, with the aim of achieving permanent security.
Although the concept of building a white environment for each domain-specific host on the basis of whitelist technology has already achieved certain research results, these results are largely based on one assumption: that a newly deployed dedicated host white environment that has run for a long time is trustworthy. In fact, this assumption is at odds with our everyday experience.
Invention content
The purpose of the present invention is to provide a white environment trust analysis method using multi-indicator scoring for dedicated hosts, which addresses the problem that users may have different understandings of the security risk of different dedicated host white environments.
To achieve the above object, the white environment trust analysis method using multi-indicator scoring for dedicated hosts provided by the present invention correlates data from multiple dimensions so that the information security manager can understand the details of the white environment trust level more fully and comprehensively; it adds statistics from repeated assessments at different times, so that changes in the white environment trust level, whether during an outbreak or at the initial disclosure stage, are presented dynamically to the follower; and it presents the results visually through a more intuitive graphical representation, making it easier for the information security manager to draw conclusions.
Specifically, the technical solution adopted by the present invention is as follows:
A white environment trust analysis method using multi-indicator scoring for dedicated hosts, the analysis method comprising the following steps:
1) CVE vulnerability scanning
A CVE vulnerability scanning module in communication with the dedicated host performs CVE vulnerability scanning of the dedicated host, assesses the current security posture of the dedicated host, establishes a state baseline, and generates a CVE vulnerability scanning result that is uploaded to the trust analysis unit;
2) Application whitelist monitoring
An application whitelist monitoring module in communication with the dedicated host performs state baseline monitoring of the applications on the dedicated host, monitors and alerts on elements that violate the dedicated host's application state baseline, and generates an application whitelist monitoring result that is uploaded to the trust analysis unit; the applications include executable files and scripts;
3) Peripheral whitelist monitoring
A peripheral whitelist module in communication with the dedicated host performs state baseline monitoring of the peripheral interfaces of the dedicated host, monitors and alerts on behaviour that violates the peripheral interface rules, and generates a peripheral whitelist monitoring result that is uploaded to the trust analysis unit;
4) Network traffic whitelist monitoring
A network traffic whitelist monitoring module in communication with the dedicated host performs state baseline monitoring of the network security rules of the dedicated host, monitors and alerts on traffic that violates the network security rules, and generates a network traffic whitelist monitoring result that is uploaded to the trust analysis unit;
5) Temporary dynamic release file monitoring
A temporary dynamic release file monitoring module in communication with the dedicated host performs state baseline monitoring of the files temporarily and dynamically released on the dedicated host, monitors and alerts on the files that have been temporarily released, and generates a temporary dynamic release file monitoring result that is uploaded to the trust analysis unit;
6) Dedicated host security baseline monitoring
A host security baseline monitoring module in communication with the dedicated host performs state baseline monitoring of the Windows security baseline of the dedicated host, alerts on behaviour that violates the dedicated host's Windows security baseline, and generates a dedicated host security baseline monitoring result that is uploaded to the trust analysis unit;
7) Multidimensional analysis and statistics of the monitoring results
Using the Common Vulnerability Scoring System (CVSS) provided in the trust analysis unit, the CVE vulnerability scanning result, application whitelist monitoring result, peripheral whitelist monitoring result, network traffic whitelist monitoring result, temporary dynamic release file monitoring result and dedicated host security baseline monitoring result uploaded to the trust analysis unit are evaluated and analysed, and a multidimensional radar chart is generated to present the result of the white environment trust analysis of the dedicated host.
Further, the CVE vulnerability scanning result includes the CVE-ID, vulnerability title, vulnerability type and hazard rating.
Further, the CVE vulnerability scanning performs CVE vulnerability scanning of the dedicated host using a dual-engine vulnerability database.
Further, the application whitelist monitoring result includes the application execution object, the parent process of the application, the application response mode and the hazard likelihood.
Further, the peripheral whitelist monitoring result includes the peripheral interface type, the peripheral interface response mode and the hazard cause.
Further, the network traffic whitelist monitoring result includes the type of traffic that violates the network security rules, the response mode and the hazard cause.
Further, the temporary dynamic release file monitoring result includes the execution object of the temporary dynamic release file, the parent process of the execution object, the response mode of the execution object and the hazard likelihood.
Further, the dedicated host security baseline monitoring result includes the type of behaviour that violates the dedicated host's Windows security baseline, the response mode of the behaviour and the hazard cause.
Further, the larger the area covered by the multidimensional radar chart, the lower the white environment trust level of the dedicated host.
Further, in step 7) the multidimensional radar chart is used to carry out trust analysis statistics repeatedly at different times: when the area covered by the multidimensional radar chart is expanding, the white environment trust level of the dedicated host is decreasing, and when the covered area is shrinking, the white environment trust level of the dedicated host is increasing.
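As an added example (not part of the patent text), the following Python script implements the step 7) aggregation over the six monitoring dimensions: it turns one assessment round's uploaded results into six radar axis values, computes the area covered by the radar polygon, and applies the rule that an expanding area means a falling trust level. The scoring rules, record field names and sample findings are assumptions of this example, not the patent's.

```python
import math

# Six monitoring dimensions of step 7) in axis order, and an assumed hazard-rating-to-score map.
DIMENSIONS = ("cve", "application", "peripheral", "network", "temp_release", "baseline")
SEVERITY_SCORE = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.5}

def cve_axis(findings):
    """CVE axis: worst hazard rating, +0.5 per extra finding, capped at 10 (assumed rule)."""
    if not findings:
        return 0.0
    worst = max(SEVERITY_SCORE[f["hazard_rating"]] for f in findings)
    return min(10.0, worst + 0.5 * (len(findings) - 1))

def alert_axis(alerts):
    """Whitelist axis: a violation only alerted on counts 1.0, a blocked one 0.5; cap 10."""
    return min(10.0, sum(1.0 if a["response_mode"] == "alert" else 0.5 for a in alerts))

def assess(results):
    """Turn one assessment round's uploaded results into the six axis values."""
    return [cve_axis(results["cve"])] + [alert_axis(results[d]) for d in DIMENSIONS[1:]]

def radar_area(values):
    """Area of the radar polygon: vertex i sits on equally spaced axis i at
    distance values[i] from the centre; computed with the shoelace formula."""
    n = len(values)
    pts = [(v * math.cos(2 * math.pi * i / n), v * math.sin(2 * math.pi * i / n))
           for i, v in enumerate(values)]
    return 0.5 * abs(sum(x1 * y2 - x2 * y1
                         for (x1, y1), (x2, y2) in zip(pts, pts[1:] + pts[:1])))

def trust_trend(previous_axes, current_axes):
    """Expanding covered area = trust level decreasing; shrinking = increasing."""
    before, after = radar_area(previous_axes), radar_area(current_axes)
    if after > before:
        return "decreasing"
    return "increasing" if after < before else "stable"

# Constructed sample uploads for two assessment rounds; CVE ids are placeholders.
ROUND_1 = {
    "cve": [{"cve_id": "CVE-XXXX-XXXX", "hazard_rating": "high"}],
    "application": [{"object": "unknown.exe", "response_mode": "alert"}],
    "peripheral": [],
    "network": [{"traffic_type": "outbound", "response_mode": "block"}],
    "temp_release": [],
    "baseline": [{"behaviour": "guest-enabled", "response_mode": "alert"},
                 {"behaviour": "audit-off", "response_mode": "alert"}],
}
ROUND_2 = dict(ROUND_1, cve=ROUND_1["cve"] + [{"cve_id": "CVE-XXXX-XXXX", "hazard_rating": "critical"}],
               application=ROUND_1["application"] * 2,
               peripheral=[{"interface": "usb", "response_mode": "alert"}])

if __name__ == "__main__":
    for name, rnd in (("round 1", ROUND_1), ("round 2", ROUND_2)):
        print(name, assess(rnd), "area", round(radar_area(assess(rnd)), 2))
    print("trust level is", trust_trend(assess(ROUND_1), assess(ROUND_2)))
```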
The beneficial effects of the present invention are:
1) By correlating data from multiple dimensions, the information security manager can understand the details of the white environment trust level more fully and comprehensively; that is, the CVE vulnerability scanning module performs CVE vulnerability scanning of the dedicated host, the application whitelist monitoring module performs state baseline monitoring of the dedicated host's applications, the peripheral whitelist module performs state baseline monitoring of the dedicated host's peripheral interfaces, the network traffic whitelist monitoring module performs state baseline monitoring of the dedicated host's network security rules, and the host security baseline monitoring module performs state baseline monitoring of the dedicated host's Windows security baseline;
2) Using the Common Vulnerability Scoring System (CVSS) provided in the trust analysis unit, the CVE vulnerability scanning result, application whitelist monitoring result, peripheral whitelist monitoring result, network traffic whitelist monitoring result, temporary dynamic release file monitoring result and dedicated host security baseline monitoring result uploaded to the trust analysis unit are evaluated and analysed; statistics from repeated assessments at different times are added, so that changes in the white environment trust level, whether during an outbreak or at the initial disclosure stage, are presented dynamically to the follower;
3) A multidimensional radar chart is generated to present the result of the white environment trust analysis of the dedicated host; the more intuitive graphical representation shows the result visually and makes it easier for the information security manager to draw conclusions.
Description of the drawings
Fig. 1 is a structural schematic diagram of the monitoring modules and the trust analysis unit in the white environment trust analysis method using multi-indicator scoring for dedicated hosts provided by the present invention;
Fig. 2 is the dedicated host white environment trust analysis multidimensional radar chart generated by the white environment trust analysis method using multi-indicator scoring for dedicated hosts provided by the present invention.
Specific implementation mode
The present invention is further described below by way of specific embodiments, but the embodiments are not intended to limit the scope of protection of the present invention.
Embodiment 1
Referring to Fig. 1 and Fig. 2, a white environment trust analysis method using multi-indicator scoring for dedicated hosts provided by the present invention comprises the following steps:
1) CVE vulnerability scanning
The CVE vulnerability scanning module 10 in communication with the dedicated host (not shown) performs CVE vulnerability scanning of the dedicated host, assesses the current security posture of the dedicated host, establishes a state baseline, and generates a CVE vulnerability scanning result that is uploaded to the trust analysis unit 100;
2) Application whitelist monitoring
The application whitelist monitoring module 20 in communication with the dedicated host performs state baseline monitoring of the applications on the dedicated host, monitors and alerts on elements that violate the dedicated host's application state baseline, and generates an application whitelist monitoring result that is uploaded to the trust analysis unit 100; the applications include executable files and scripts;
3) Peripheral whitelist monitoring
The peripheral whitelist module 30 in communication with the dedicated host performs state baseline monitoring of the peripheral interfaces of the dedicated host, monitors and alerts on behaviour that violates the peripheral interface rules, and generates a peripheral whitelist monitoring result that is uploaded to the trust analysis unit 100;
4) Network traffic whitelist monitoring
The network traffic whitelist monitoring module 40 in communication with the dedicated host performs state baseline monitoring of the network security rules of the dedicated host, monitors and alerts on traffic that violates the network security rules, and generates a network traffic whitelist monitoring result that is uploaded to the trust analysis unit 100;
5) Temporary dynamic release file monitoring
The temporary dynamic release file monitoring module 50 in communication with the dedicated host performs state baseline monitoring of the files temporarily and dynamically released on the dedicated host, monitors and alerts on the files that have been temporarily released, and generates a temporary dynamic release file monitoring result that is uploaded to the trust analysis unit 100;
6) Dedicated host security baseline monitoring
The host security baseline monitoring module 60 in communication with the dedicated host performs state baseline monitoring of the Windows security baseline of the dedicated host, alerts on behaviour that violates the dedicated host's Windows security baseline, and generates a dedicated host security baseline monitoring result that is uploaded to the trust analysis unit 100;
7) Multidimensional analysis and statistics of the monitoring results
Using the Common Vulnerability Scoring System (CVSS) 70 provided in the trust analysis unit 100, the CVE vulnerability scanning result, application whitelist monitoring result, peripheral whitelist monitoring result, network traffic whitelist monitoring result, temporary dynamic release file monitoring result and dedicated host security baseline monitoring result uploaded to the trust analysis unit are evaluated and analysed, and a multidimensional radar chart is generated to present the result of the white environment trust analysis of the dedicated host.
Further, the CVE vulnerability scanning result includes the CVE-ID, vulnerability title, vulnerability type and hazard rating.
Further, the application whitelist monitoring result includes the application execution object, the parent process of the application, the application response mode and the hazard likelihood.
Further, the peripheral whitelist monitoring result includes the peripheral interface type, the peripheral interface response mode and the hazard cause.
Further, the network traffic whitelist monitoring result includes the type of traffic that violates the network security rules, the response mode and the hazard cause.
Further, the temporary dynamic release file monitoring result includes the execution object of the temporary dynamic release file, the parent process of the execution object, the response mode of the execution object and the hazard likelihood.
Further, the dedicated host security baseline monitoring result includes the type of behaviour that violates the dedicated host's Windows security baseline, the response mode of the behaviour and the hazard cause.
Further, the larger the area covered by the multidimensional radar chart, the lower the white environment trust level of the dedicated host.
Embodiment 2
Further, the CVE vulnerability scanning performs CVE vulnerability scanning of the dedicated host using a dual-engine vulnerability database. Here, the dual-engine vulnerability database uses the vulnerability databases of antivirus software, such as the vulnerability databases in Kaspersky antivirus software and McAfee antivirus software.
The rest is the same as Embodiment 1.
Embodiment 3
In step 7) the multidimensional radar chart is used to carry out trust analysis statistics repeatedly at different times: when the area covered by the multidimensional radar chart is expanding, the white environment trust level of the dedicated host is decreasing, and when the covered area is shrinking, the white environment trust level of the dedicated host is increasing. The rest is the same as Embodiment 1.
Although the present invention has been described in detail above by means of general explanations and specific embodiments, some modifications or improvements may be made on the basis of the present invention, or some functional modules may be deleted, as will be obvious to those skilled in the art. Therefore, such modifications, improvements or deletions that do not depart from the spirit of the present invention fall within the scope of protection of the present invention.