White environment credibility analysis method for multi-index scoring of special host
Technical Field
The invention belongs to the field of white environment analysis technology, and particularly relates to a white environment credibility analysis method for multi-index scoring of a special host.
Background
Protection products for special hosts currently on the market fall into two main categories: 1. host protection based on blacklists; 2. host protection based on white list technology.
Common blacklist-based host protection products, for example antivirus software and worm scanning and removal tools, rely mainly on virus libraries, worm libraries and similar feature libraries to provide protection. With this technology the damage is often already done by the time a threat is discovered, and in many important settings (such as internal networks and classified networks) the feature libraries are frequently not updated in time.
With the rapid development of host penetration techniques, unknown attack types such as APT and zero-day attacks have become the main problem of current cyberspace security. Technical means that rely on virus libraries and worm libraries have difficulty dealing with these novel threats.
Based on this analysis, the concept of constructing a white environment for the special host in each field using white list technology has been proposed.
The method deploys network monitoring/protection equipment at key interconnection nodes, such as the interconnection boundary of the IT system, or the boundaries between the IT system and other internal systems or the external network; collects network data in real time; sends all monitoring data to a security management center; and, through unified statistical analysis and feature extraction, applies different security response strategies to the different classes of data stream (normal, abnormal, illegal and malicious) according to the analysis result, blocking malicious attacks and illegal traffic so that the data streams in the system stay normal and clean.
The special host white environment based on white list technology is divided into a process white environment, a network traffic white environment and a peripheral white environment. For the protection of a special host, white list technology aims at permanent security through one-time curing (fixing of the baseline) at the initial stage of deployment.
Research on constructing special host white environments in each field based on white list technology has achieved certain results. However, these results largely rest on a given assumption: that a newly implemented or long-running special host environment is trusted. From everyday experience, that assumption is in fact wrong.
Disclosure of Invention
The invention aims to provide a white environment credibility analysis method for multi-index scoring of a special host, which addresses the user's difficulty in recognizing that different special host white environments may carry different security risks.
In order to achieve this purpose, the invention provides a white environment credibility analysis method for the multi-index scoring of a special host. Through the association of data across multiple dimensions, the analysis method lets an information security manager know the details of the white environment credibility more fully and comprehensively; when statistics from evaluations over multiple time intervals are added, the change in white environment credibility in the initial period after an outbreak or disclosure is presented to the person concerned dynamically; and the result is displayed visually through a more intuitive chart, so that an information security manager can reach a conclusion conveniently.
Specifically, the technical scheme adopted by the invention is as follows:
a white environment credibility analysis method for multi-index scoring of a special host, the analysis method comprising the following steps:
1) CVE vulnerability scanning
A CVE vulnerability scanning module in communication connection with the special host is used to carry out CVE vulnerability scanning on the special host, evaluate the current security condition of the special host, establish a state baseline, generate a CVE vulnerability scanning result and upload the CVE vulnerability scanning result to a credibility analysis unit;
2) application white list monitoring
An application white list monitoring module in communication connection with the special host is used to perform state baseline monitoring on the application programs of the special host, monitor and alarm on elements that violate the application program baseline of the special host, generate an application white list monitoring result and upload it to the credibility analysis unit, wherein the application programs comprise executable files and scripts;
3) peripheral white list monitoring
A peripheral white list module in communication connection with the special host is used to perform state baseline monitoring on the peripheral interfaces of the special host, monitor and alarm on behavior that violates the peripheral interface baseline, generate a peripheral white list monitoring result and upload it to the credibility analysis unit;
4) network traffic white list monitoring
A network traffic white list monitoring module in communication connection with the special host is used to perform state baseline monitoring on the network security rules of the special host, monitor and alarm on traffic that violates the network security rules, generate a network traffic white list monitoring result and upload it to the credibility analysis unit;
5) temporary dynamic release file monitoring
A temporary dynamic release file monitoring module in communication connection with the special host is used to perform state baseline monitoring on the temporary dynamic release files of the special host (files that are dynamically released, that is, allowed to run outside the cured white list, on a temporary basis), monitor and alarm on the temporarily and dynamically released files, generate a temporary dynamic release file monitoring result and upload it to the credibility analysis unit;
6) special host security baseline monitoring
A host security baseline monitoring module in communication connection with the special host is used to perform state baseline monitoring on the Windows security baseline of the special host and alarm on behavior that violates the Windows security baseline of the special host, so that a special host security baseline monitoring result is generated and uploaded to the credibility analysis unit;
7) multidimensional analytical statistics of the monitoring results
The CVE vulnerability scanning result, application white list monitoring result, peripheral white list monitoring result, network traffic white list monitoring result, temporary dynamic release file monitoring result and special host security baseline monitoring result uploaded to the credibility analysis unit are evaluated and analyzed through a Common Vulnerability Scoring System (CVSS) arranged in the credibility analysis unit, a multidimensional radar chart is generated, and the credibility analysis result of the special host white environment is displayed.
Further, the CVE vulnerability scanning result includes the CVE-ID, the vulnerability title, the vulnerability type and the hazard level.
Further, the CVE vulnerability scanning uses a dual-engine vulnerability library to carry out the CVE vulnerability scanning on the special host.
Further, the application white list monitoring result comprises the execution object of the application, the parent process of the application, the response mode for the application and the hazard possibility.
Further, the peripheral white list monitoring result comprises the type of the peripheral interface, the response mode for the peripheral interface and the hazard reason.
Further, the network traffic white list monitoring result comprises the type of traffic that violates the network security rules, the response mode and the hazard reason.
Further, the temporary dynamic release file monitoring result comprises the execution object of the temporary dynamic release file, the parent process of the execution object, the response mode for the execution object and the hazard possibility.
Further, the special host security baseline monitoring result comprises the type of behavior that violates the Windows security baseline of the special host, the response mode for the behavior and the hazard reason.
Further, the larger the coverage area of the multidimensional radar chart, the lower the white environment credibility of the special host.
Further, in step 7), the multidimensional radar chart is used to carry out credibility analysis statistics over multiple time intervals: an expanding coverage area of the multidimensional radar chart shows that the credibility of the special host white environment has decreased, and a contracting coverage area shows that the credibility of the special host white environment has improved.
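The following Python is an added illustrative example, not code from the patent, of how steps 2) and 5) can be realized together: an application white list check of each execution against the cured baseline, with temporarily and dynamically released files allowed to run but still alarmed, producing records that carry the fields listed above for those two monitoring results (execution object, parent process, response mode, hazard possibility). The host paths, file hashes, the set of trusted parent processes, the hazard rating rule and the expiry handling of released files are all assumptions made for the example; the event stream is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Parent processes regarded as part of the cured baseline (assumed for the sample).
TRUSTED_PARENTS = frozenset({"services.exe", "explorer.exe"})
# Extensions treated as scripts (the method covers executable files and scripts).
SCRIPT_SUFFIXES = (".ps1", ".vbs", ".bat", ".cmd", ".js")


@dataclass(frozen=True)
class ExecEvent:
    path: str        # execution object: executable file or script
    sha256: str      # hash of the file actually executed (placeholder values below)
    parent: str      # parent process image name
    when: datetime


@dataclass(frozen=True)
class Alarm:
    execution_object: str
    parent_process: str
    response_mode: str        # "blocked" or "allowed (temporary release)"
    hazard_possibility: str   # "high" or "medium"
    source: str               # "application whitelist" or "temporary release"


@dataclass
class WhiteEnvironment:
    # path -> sha256, cured once at deployment (the state baseline of step 2)
    baseline: Dict[str, str]
    # path -> (sha256, expiry): files dynamically released for a limited time (step 5)
    temporary: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)

    def release_temporarily(self, path: str, sha256: str, now: datetime, ttl: timedelta) -> None:
        self.temporary[path] = (sha256, now + ttl)

    def check(self, ev: ExecEvent) -> Optional[Alarm]:
        """None for an execution that conforms to the baseline, otherwise an alarm
        record with the fields the monitoring results carry."""
        expected = self.baseline.get(ev.path)
        if expected is not None and expected == ev.sha256:
            return None
        rel = self.temporary.get(ev.path)
        if rel is not None and rel[0] == ev.sha256 and ev.when <= rel[1]:
            # Released file: allowed to run, but still monitored and alarmed (step 5).
            hazard = "medium" if ev.parent in TRUSTED_PARENTS else "high"
            return Alarm(ev.path, ev.parent, "allowed (temporary release)", hazard,
                         "temporary release")
        # Outside the white environment. Rating rule (assumed): a baseline path with a
        # changed hash is a tampered file, a script, or an unknown file spawned by an
        # untrusted parent, rates high; an unknown file from a trusted parent rates medium.
        tampered = expected is not None
        is_script = ev.path.lower().endswith(SCRIPT_SUFFIXES)
        hazard = "high" if (tampered or is_script or ev.parent not in TRUSTED_PARENTS) else "medium"
        return Alarm(ev.path, ev.parent, "blocked", hazard, "application whitelist")


def run_monitor(env: WhiteEnvironment, events: List[ExecEvent]) -> List[Alarm]:
    """Monitoring result for a stream of execution events: one record per violation."""
    return [a for a in (env.check(e) for e in events) if a is not None]


def build_sample() -> Tuple[WhiteEnvironment, List[ExecEvent]]:
    """Constructed sample host and event stream; hashes are placeholders, not real digests."""
    t0 = datetime(2024, 1, 1, 8, 0)
    env = WhiteEnvironment(baseline={
        r"C:\ctrl\ctrl.exe": "a" * 64,
        r"C:\Windows\System32\cmd.exe": "b" * 64,
    })
    env.release_temporarily(r"C:\temp\patch.exe", "c" * 64, t0, timedelta(hours=1))
    events = [
        ExecEvent(r"C:\ctrl\ctrl.exe", "a" * 64, "services.exe", t0),                              # clean
        ExecEvent(r"C:\ctrl\ctrl.exe", "d" * 64, "services.exe", t0 + timedelta(minutes=5)),       # tampered
        ExecEvent(r"C:\temp\patch.exe", "c" * 64, "explorer.exe", t0 + timedelta(minutes=30)),     # inside release window
        ExecEvent(r"C:\temp\patch.exe", "c" * 64, "explorer.exe", t0 + timedelta(minutes=90)),     # release expired
        ExecEvent(r"C:\temp\run.vbs", "e" * 64, "winword.exe", t0 + timedelta(minutes=95)),        # unknown script
    ]
    return env, events


if __name__ == "__main__":
    env, events = build_sample()
    for alarm in run_monitor(env, events):
        print(alarm)
```

The release window is the point of the temporary dimension: the same file, with the same hash, is reported as allowed inside the window and blocked once it expires, so the credibility analysis unit sees every execution that happened outside the cured baseline, including the ones an operator deliberately permitted.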
The invention has the beneficial effects that:
1) Through the association of data across multiple dimensions, an information security manager can know the details of the white environment credibility more fully and comprehensively: CVE vulnerability scanning is carried out on the special host through the CVE vulnerability scanning module, and state baseline monitoring is carried out on the application programs of the special host through the application white list monitoring module, on the peripheral interfaces of the special host through the peripheral white list module, on the network security rules of the special host through the network traffic white list monitoring module, on the temporary dynamic release files of the special host through the temporary dynamic release file monitoring module, and on the Windows security baseline of the special host through the host security baseline monitoring module;
2) the CVE vulnerability scanning result, application white list monitoring result, peripheral white list monitoring result, network traffic white list monitoring result, temporary dynamic release file monitoring result and special host security baseline monitoring result uploaded to the credibility analysis unit are evaluated and analyzed through a Common Vulnerability Scoring System (CVSS) arranged in the credibility analysis unit; when statistics from evaluations over multiple time intervals are added, the change in white environment credibility in the initial period after an outbreak or disclosure is presented to the person concerned dynamically;
3) a multidimensional radar chart is generated to display the credibility analysis result of the special host white environment, and the result is presented visually through a more intuitive chart, so that an information security manager can reach a conclusion conveniently.
Drawings
Fig. 1 is a schematic structural diagram of each monitoring module and the credibility analysis unit in the white environment credibility analysis method for multi-index scoring of a special host according to the present invention;
fig. 2 is the multidimensional radar chart for analyzing the white environment credibility of the special host, generated by the white environment credibility analysis method for multi-index scoring of a special host provided by the present invention.
Detailed Description
The present invention is further illustrated by the following specific examples, which are not intended to limit the scope of the invention.
Example 1
Referring to fig. 1 to 2, the present invention provides a white environment credibility analysis method for multi-index scoring of a special host, where the analysis method includes the following steps:
1) CVE vulnerability scanning
A CVE vulnerability scanning module 10 in communication connection with a special host (not shown) is used to carry out CVE vulnerability scanning on the special host, evaluate the current security condition of the special host, establish a state baseline, generate a CVE vulnerability scanning result and upload the CVE vulnerability scanning result to a credibility analysis unit 100;
2) application white list monitoring
An application white list monitoring module 20 in communication connection with the special host is used to perform state baseline monitoring on the application programs of the special host, monitor and alarm on elements that violate the application program baseline of the special host, generate an application white list monitoring result and upload it to the credibility analysis unit 100, wherein the application programs comprise executable files and scripts;
3) peripheral white list monitoring
A peripheral white list module 30 in communication connection with the special host is used to perform state baseline monitoring on the peripheral interfaces of the special host, monitor and alarm on behavior that violates the peripheral interface baseline, generate a peripheral white list monitoring result and upload it to the credibility analysis unit 100;
4) network traffic white list monitoring
A network traffic white list monitoring module 40 in communication connection with the special host is used to perform state baseline monitoring on the network security rules of the special host, monitor and alarm on traffic that violates the network security rules, generate a network traffic white list monitoring result and upload it to the credibility analysis unit 100;
5) temporary dynamic release file monitoring
A temporary dynamic release file monitoring module 50 in communication connection with the special host is used to perform state baseline monitoring on the temporary dynamic release files of the special host, monitor and alarm on the temporarily and dynamically released files, generate a temporary dynamic release file monitoring result and upload it to the credibility analysis unit 100;
6) special host security baseline monitoring
A host security baseline monitoring module 60 in communication connection with the special host is used to perform state baseline monitoring on the Windows security baseline of the special host and alarm on behavior that violates the Windows security baseline of the special host, so that a special host security baseline monitoring result is generated and uploaded to the credibility analysis unit 100;
7) multidimensional analytical statistics of the monitoring results
The CVE vulnerability scanning result, application white list monitoring result, peripheral white list monitoring result, network traffic white list monitoring result, temporary dynamic release file monitoring result and special host security baseline monitoring result uploaded to the credibility analysis unit are evaluated and analyzed through a Common Vulnerability Scoring System (CVSS) 70 arranged in the credibility analysis unit 100, a multidimensional radar chart is generated, and the credibility analysis result of the special host white environment is displayed.
Further, the CVE vulnerability scanning result includes the CVE-ID, the vulnerability title, the vulnerability type and the hazard level.
Further, the application white list monitoring result comprises the execution object of the application, the parent process of the application, the response mode for the application and the hazard possibility.
Further, the peripheral white list monitoring result comprises the type of the peripheral interface, the response mode for the peripheral interface and the hazard reason.
Further, the network traffic white list monitoring result comprises the type of traffic that violates the network security rules, the response mode and the hazard reason.
Further, the temporary dynamic release file monitoring result comprises the execution object of the temporary dynamic release file, the parent process of the execution object, the response mode for the execution object and the hazard possibility.
Further, the special host security baseline monitoring result comprises the type of behavior that violates the Windows security baseline of the special host, the response mode for the behavior and the hazard reason.
Further, the larger the coverage area of the multidimensional radar chart, the lower the white environment credibility of the special host.
Example 2
Further, the CVE vulnerability scanning uses a dual-engine vulnerability library to carry out the CVE vulnerability scanning on the special host.
The dual-engine vulnerability library consists of the vulnerability libraries of two antivirus products, for example the vulnerability library of Kaspersky antivirus software together with the vulnerability library of McAfee antivirus software.
The rest is the same as Example 1.
Example 3
In step 7), the multidimensional radar chart is used to carry out credibility analysis statistics over multiple time intervals: an expanding coverage area of the multidimensional radar chart shows that the credibility of the special host white environment has decreased, and a contracting coverage area shows that the credibility of the special host white environment has improved. The rest is the same as Example 1.
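As an added example of step 7) and of the multi-interval comparison of Example 3 (illustrative code, not the patent's own implementation), the Python below turns one evaluation interval's monitoring results into the six axis values of the radar chart, computes the polygon's coverage area, converts it to a credibility value following the rule that a larger area means lower credibility, and labels the change between consecutive intervals as expanded or contracted. The per-axis scoring formulas, the hazard weights, the axis order and the three constructed intervals are assumptions; CVSS base scores serve only as the numeric input of the CVE axis, and the sample findings carry no real CVE identifiers.

```python
import math
from typing import Dict, List

# The six indices of the radar chart, in axis order. The order is an assumption and it
# matters: the polygon area is built from products of neighbouring axes (see worst_axis).
DIMENSIONS = ["cve", "application", "peripheral", "network",
              "temporary_release", "host_baseline"]

# Weight of each hazard level carried in the white list monitoring results (assumed).
HAZARD_WEIGHT = {"high": 3.0, "medium": 1.5, "low": 0.5}


def cve_score(findings: List[Dict]) -> float:
    """CVE axis, 0-10, driven by the CVSS base scores of the scan findings: the worst
    finding sets the level and every further finding rated >= 7.0 adds 0.5, so a single
    critical CVE dominates while a pile of high ones still registers."""
    if not findings:
        return 0.0
    top = max(f["cvss"] for f in findings)
    serious = sum(1 for f in findings if f["cvss"] >= 7.0)
    return min(10.0, top + 0.5 * max(0, serious - 1))


def alarm_score(alarms: List[Dict]) -> float:
    """White list axes, 0-10: hazard-weighted alarm count passed through a saturating
    curve so that a flood of alarms cannot run off the chart."""
    raw = sum(HAZARD_WEIGHT[a["hazard"]] for a in alarms)
    return round(10.0 * (1.0 - math.exp(-raw / 5.0)), 3)


def score_interval(results: Dict[str, List[Dict]]) -> Dict[str, float]:
    """Six axis values for the monitoring results uploaded in one evaluation interval."""
    scores = {"cve": cve_score(results.get("cve", []))}
    for dim in DIMENSIONS[1:]:
        scores[dim] = alarm_score(results.get(dim, []))
    return scores


def radar_area(scores: Dict[str, float]) -> float:
    """Coverage area of the radar polygon with evenly spaced axes (60 degrees for six)."""
    vals = [scores[d] for d in DIMENSIONS]
    n = len(vals)
    theta = 2.0 * math.pi / n
    return 0.5 * math.sin(theta) * sum(vals[i] * vals[(i + 1) % n] for i in range(n))


def credibility(scores: Dict[str, float]) -> float:
    """Credibility in [0, 1]: 1.0 for an empty chart, 0.0 with every axis at 10.
    This is the rule 'larger area, lower credibility' made numeric."""
    full = radar_area({d: 10.0 for d in DIMENSIONS})
    return round(1.0 - radar_area(scores) / full, 4)


def worst_axis(scores: Dict[str, float]) -> str:
    """Reported beside the area because the area is a sum of neighbour products: an axis
    at 10 whose two neighbours are at 0 contributes nothing to the coverage area."""
    return max(DIMENSIONS, key=lambda d: scores[d])


def trend(areas: List[float]) -> List[str]:
    """Label each change between consecutive intervals as expanded or contracted."""
    labels = []
    for prev, cur in zip(areas, areas[1:]):
        labels.append("expanded" if cur > prev else "contracted" if cur < prev else "unchanged")
    return labels


def analyse(intervals: List[Dict[str, List[Dict]]]) -> Dict[str, list]:
    """Multi-interval credibility statistics for a sequence of monitoring results."""
    scores = [score_interval(r) for r in intervals]
    areas = [radar_area(s) for s in scores]
    return {
        "scores": scores,
        "area": areas,
        "credibility": [credibility(s) for s in scores],
        "worst_axis": [worst_axis(s) for s in scores],
        "trend": trend(areas),
    }


# Constructed sample: three evaluation intervals around a vulnerability disclosure.
# Titles and scores are made up; no real CVE identifiers are used.
SAMPLE_INTERVALS = [
    {   # interval 0: cured environment, one medium finding, one low application alarm
        "cve": [{"title": "sample finding A", "cvss": 5.3}],
        "application": [{"hazard": "low"}],
    },
    {   # interval 1: shortly after disclosure of a critical vulnerability
        "cve": [{"title": "sample finding A", "cvss": 5.3},
                {"title": "sample finding B", "cvss": 9.8},
                {"title": "sample finding C", "cvss": 7.5},
                {"title": "sample finding D", "cvss": 8.1}],
        "application": [{"hazard": "high"}, {"hazard": "high"}],
        "network": [{"hazard": "high"}],
        "temporary_release": [{"hazard": "medium"}],
        "host_baseline": [{"hazard": "high"}],
    },
    {   # interval 2: after patching, one residual finding and one low network alarm
        "cve": [{"title": "sample finding E", "cvss": 4.3}],
        "network": [{"hazard": "low"}],
    },
]

if __name__ == "__main__":
    report = analyse(SAMPLE_INTERVALS)
    for i, (area, cred, worst) in enumerate(zip(report["area"], report["credibility"], report["worst_axis"])):
        print(f"interval {i}: area={area:.2f} credibility={cred} worst_axis={worst}")
    print("trend:", report["trend"])
```

One caveat worth carrying into any implementation of the area rule: interval 2 in the sample still has a residual CVE axis of 4.3 and a network alarm, yet its coverage area is exactly zero and its credibility 1.0, because the two non-zero axes are not neighbours on the chart. The coverage area therefore depends on the chosen axis order and is blind to isolated spikes, which is why the example reports the worst axis alongside the area rather than relying on the area alone.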
Although the present invention has been described in detail with respect to the general description and the specific embodiments, it will be apparent to those skilled in the art that modifications or improvements may be made to the invention or a functional block may be deleted. Accordingly, such modifications or improvements or omissions may be made without departing from the spirit of the invention and within the scope of the appended claims.