CN110460481A - Method for identifying key network assets - Google Patents

Method for identifying key network assets

Info

Publication number: CN110460481A
Authority: CN (China)
Prior art keywords: asset, assets, network, key, core
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910866476.6A
Other languages: Chinese (zh)
Other versions: CN110460481B (en)
Inventors: 李春强, 丘国伟, 郑华梅
Current assignee: Beijing Jingwei Xin'an Technology Co Ltd; Nanjing Jingwei Xin'an Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Jingwei Xin'an Technology Co Ltd; Nanjing Jingwei Xin'an Technology Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Events
Application filed by Beijing Jingwei Xin'an Technology Co Ltd and Nanjing Jingwei Xin'an Technology Co Ltd
Priority to CN201910866476.6A
Publication of CN110460481A
Application granted
Publication of CN110460481B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12 Discovery or management of network topologies
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/20 Network architectures or network communication protocols for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for identifying key network assets, comprising: S1, inventory all assets in the current network; S2, mark one or more core assets; S3, build a network topology graph with the core assets at its centre and draw the association relationships among the inventoried network assets; S4, identify the key assets in the current network by association-degree analysis; S5, taking a given core asset as the centre, divide all assets in the current network into at least core assets, key assets and assets of concern according to their association relationship with the core asset and their vulnerability. The scheme defines key assets effectively and helps focus on the crux of the problem, so that the vulnerabilities of core and key assets can be repaired and hardened. It overcomes the shortcoming of uniform protection in the prior art by giving enhanced protection to the information systems that hold more important information or are more likely to be penetrated by cybercriminals, so that protection is targeted and achieves more with less effort.

Description

Method for identifying key network assets
Technical field
The invention belongs to the field of computer network security technology and in particular relates to a method for identifying key network assets.
Background
In recent years the threats and risks to network security have grown sharply and have become a challenge facing humanity in the information age. Network security is an issue because threat sources exist: cyberspace is profitable, and a threat source will attack on all fronts to obtain benefits. Hackers extorting and stealing money is the lesser problem; some hostile organisations also use the network to disrupt society and undermine national stability, carrying out organised, high-intensity, sustained attacks against target networks. With the arrival of the 5G era the industrial internet also faces security threats, and the attacks it attracts often cause more serious effects than in the past. Threats to network security come from many directions and change over time; their most notable characteristic is that they are silent, penetrating the other side's infrastructure network and striking a decisive blow at a critical moment.
Network defence strategy has shifted from "protecting all digital systems equally" to "providing enhanced protection to the information systems that hold more important information or are more likely to be penetrated by cybercriminals or state adversaries". This requires key assets to be protected, yet many current methods only define assets and do not define key assets. Defining key assets helps turn network security defence from passive to active: it allows vulnerabilities in key assets to be prevented, the state of key assets to be monitored closely, and core assets to be protected.
For this reason, those skilled in the art need a new technical solution for identifying the key assets in a network; the identification and protection of key assets in a network has become a technical problem that urgently needs to be solved.
Summary of the invention
To overcome, at least to some extent, the problems present in the related art, and to be able to identify the key assets in a network effectively and protect them in a targeted way, the invention provides a method for identifying key network assets.
To achieve this, the invention provides a method for identifying key network assets comprising the following steps:
S1, inventory all assets in the current network and form an asset list;
S2, mark one or more core assets according to the business situation in the current network;
S3, build a network topology graph with the core assets at its centre and draw the association relationships among the inventoried network assets;
S4, identify the key assets in the current network by association-degree analysis:
in the network topology graph, taking a given core asset as the source, compute from the topological paths the degree of association between each asset in the current network and the core asset, and measure the vulnerability of each asset in the current network; the key assets of that core asset are determined by these two factors;
S5, taking a given core asset as the centre, divide all assets in the current network into at least core assets, key assets and assets of concern according to their association relationship with the core asset and their vulnerability relationship.
Further, in step S4 the degree of association C between each asset in the current network and the core asset is calculated as:
C = αL + βI
The formula considers both the path association between a network asset and the core asset and the influence of the asset; where
L and I are values in the range 0 to 10; α is the weight of L and β is the weight of I; α + β = 1;
C denotes the key-asset degree of association;
L denotes the length of the shortest path from a given asset in the current network to the core asset;
I denotes the influence of the network asset, with the access volume, i.e. the traffic value, as its main parameter; using traffic as the index takes the dynamic change of influence into account.
The closer an asset in the current network is to the core asset, the higher its degree of association: the fewer device nodes lie between it and the core asset, the higher the degree of association.
Under otherwise equal conditions, the more user accesses an asset in the current network receives, the higher its degree of association. In the invention the path value L is determined by taking the number of routing hops as the basis for a blocking (decrement) value, according to the following rules:
a. The L of the core asset is taken as 10; the closer L is to 10 the greater the correlation, and the closer to 0 the smaller the correlation;
b. Taking the core asset as the starting point and 10 as the base, the L value of a network asset associated with the core asset is reduced by N for each routing hop, where N is any number between 0.5 and 5; that is, a network asset associated with the core asset through one routing hop has L = 10 − N; N is for example 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
b1) For the network devices with an IP address that are connected to the core asset, the L value is computed from the network topology by the shortest-path method: starting from the core asset, each routing hop subtracts the blocking value N from L;
b2) After the network devices with IP addresses have been computed under b1), the L value of a network device without an IP address is likewise obtained by the shortest-path method: the highest L value among the IP-bearing network devices directly connected to it is taken as its L value.
In the invention the influence of a network asset is mainly determined by its own network traffic T.
In a network, an asset that carries more traffic than other assets has more user accesses, and an attacker reaches the core asset more easily through a network device with higher access volume. Let T be the highest traffic in the network, t the lowest traffic in the network, and tn the traffic of a given network device; then the influence value I of that device is calculated as:
I = 10 × (tn − t) / (T − t)
Further, vulnerability refers to scoring the weaknesses present in the asset devices of the current network, and from the score judging the priority with which different weaknesses should be repaired; where
the final score of a vulnerability is at most 10 and at least 0;
vulnerabilities scoring 7 to 10 are generally considered serious;
scores between 4 and 6.9 are medium-level vulnerabilities;
0 to 3.9 are low-level vulnerabilities.
Further, in step S4 a two-dimensional graph is drawn from the degree of association with the core asset and the vulnerability; both the degree of association and the vulnerability use a 0 to 10 scale, where
(10, 10) represents the core asset in the current network;
assets above (7, 7), i.e. with a high degree of association and high vulnerability, are key assets;
assets lying between (4, 4) and (7, 7) in degree of association and vulnerability are assets of concern.
As a preferred mode, the core assets are the assets that need focused protection, the assets an attacker ultimately wants to obtain or destroy; key assets include the core assets.
On the one hand the identification method is provided with a prevention module, used to repair and harden the vulnerabilities of the core assets and key assets; the prevention module also holds an attack-technique feature database.
On the other hand a honeypot monitoring module is provided, used to imitate and virtualise the identified key assets and core assets, to confuse the attacker's view, and to monitor in time the attack techniques and tools the attacker uses against the honeypots that imitate key assets.
An analysis module and a response module are also included, where
the analysis module analyses the data output by the honeypot monitoring module, including the attack techniques and tools that the attackers monitored by the honeypot monitoring module use against the virtual key assets; the response module automatically generates response commands from the results of the analysis module.
As a preferred mode, the analysis module further analyses the attack techniques and tools used by the attackers monitored in the honeypot monitoring module; where
the honeypot monitoring module monitors in real time the attack techniques and tools that attackers use against key assets in the current network system, and analyses them;
after the attack data have been analysed, if the attack is known, i.e. the defence technique database of the prevention module holds a corresponding defence technique for the attack technique, the preset defence technique is invoked directly for protection;
if the attack is unknown, the honeypot monitoring module samples and traces the attack source, adds the sample to the attack-technique feature database, and adds the network asset the attacker used to the key-asset library.
As a preferred mode, after the response module has automatically generated response commands from the results of the analysis module, the following actions are executed:
First: alert information is sent to the administrator immediately by e-mail, WeChat or similar, and a periodic network threat situation report is sent to help the user understand the current network security state and update the key-asset library;
Second: linked blocking, in which the defence system and the perimeter security devices block attacks on key assets together;
Third: linked scanning and removal, in which the defence system and the endpoint security software scan and clean key assets together;
Fourth: a forensic toolkit, a network threat emergency response kit that can be used for on-site analysis and evidence collection when an attack occurs.
The technical solution provided by the embodiments of this application can have the following beneficial effects. The invention first inventories all assets in the current network, marks one or more core assets according to the business situation in the current network, and forms a network topology graph; in the topology graph, taking a given core asset as the source, it computes from the topological paths the degree of association between each asset in the current network and the core asset, measures the vulnerability of each asset, and determines the key assets of that core asset from these two factors. The scheme defines key assets effectively, helps focus on the crux of the problem, and allows the vulnerabilities of the core assets and key assets to be repaired and hardened. It overcomes the shortcoming of uniform protection in the prior art and gives enhanced protection to the information systems that hold more important information or are more likely to be penetrated by cybercriminals, so that protection is targeted and achieves more with less effort.
Brief description of the drawings
The drawings here are incorporated into and form part of this specification; they show embodiments consistent with this application and, together with the specification, serve to explain its principles.
Fig. 1 is a flow chart of the method for identifying key network assets according to the invention;
Fig. 2 is a module diagram of the system for identifying key network assets according to the invention;
Fig. 3 is a schematic asset list according to the invention;
Fig. 4 is a schematic diagram of asset device access volume according to the invention;
Fig. 5 is the two-dimensional graph drawn from the degree of association with the core asset and the vulnerability according to the invention.
Detailed description
Example embodiments are described in detail here and illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with this application; they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
As shown in Fig. 1, this embodiment provides a method for identifying key network assets comprising the following steps:
S1, inventory all assets in the current network and form an asset list;
S2, mark one or more core assets according to the business situation in the current network;
S3, build a network topology graph with the core assets at its centre and draw the association relationships among the inventoried network assets;
S4, identify the key assets in the current network by association-degree analysis:
in the network topology graph, taking a given core asset as the source, compute from the topological paths the degree of association between each asset in the current network and the core asset, and measure the vulnerability of each asset in the current network; the key assets of that core asset are determined by these two factors;
S5, taking a given core asset as the centre, divide all assets in the current network into at least core assets, key assets and assets of concern according to their association relationship with the core asset and their vulnerability relationship.
As shown in Fig. 2, it should be added that the method for identifying key network assets provided in this embodiment uses corresponding system modules, comprising a network asset identification module, a core asset marking module, a network topology module, a key asset identification module, a key asset analysis module and a key asset application module. The working of each module is explained further below.
As shown in Fig. 3, the network asset identification module inventories all assets in the current network and forms an asset list, for example servers, network devices, data files, software assets, storage devices and security devices; they are not enumerated one by one here, and the reader is referred to the illustrative list given in Fig. 3.
The core asset marking module takes the assets inventoried by the network asset identification module and marks one or more core assets according to the business situation in the current network, for example one or more of data assets, equipment assets and operating systems.
The network topology module forms a network topology graph from the inventoried network assets and draws the association relationships.
One network topology graph is drawn for the current network system, and it may contain one or more core assets. If there is only one core asset, that core asset is taken as the centre, and all assets in the current network are divided into at least core assets and key assets according to their association relationship and vulnerability relationship with it.
If there are several core assets, for example data assets, equipment assets and operating systems, then each core asset in turn is taken as the centre, and all assets in the current network are divided into at least core assets and key assets according to their degree of association and vulnerability relationship with that core asset.
It should be added that key assets include the core assets and also the associated assets through which a core asset can be reached directly or indirectly, such as hosts, accounts, processes, ports, data ports and web sites. Core assets are the assets that need focused protection, the assets an attacker ultimately wants to obtain or destroy; they include but are not limited to the data assets, equipment assets and operating systems to be protected. Key assets are, for a given core asset, the assets with a very strong degree of association and vulnerability.
The detailed explanation starts from step S4. In this embodiment the degree of association is the association relationship between each asset in the network and the core asset. Two indices are used: the path L and the influence I. For all assets on the network found by a scanner, and based on the network topology graph, the degree of association C with the core asset is calculated.
In this embodiment the degree of association C between each asset in the current network and the core asset in step S4 is calculated as:
C = αL + βI
The degree of association depends on the length of the path from the network asset to the core asset (the multi-layer switches and other devices that have to be crossed), for which the shortest path L is chosen, and on the influence I of the network asset, which in this embodiment is calculated from the access volume, i.e. the traffic value; using traffic as the index takes the dynamic change of influence into account.
Where
L and I are values in the range 0 to 10; α is the weight of L and β is the weight of I; α + β = 1; in the usual case the value of α is greater than β.
C denotes the key-asset degree of association;
L denotes the length of the shortest path from a given asset in the current network to the core asset;
I denotes the influence of the network asset, with the access volume, i.e. the traffic value, as its main parameter; using traffic as the index takes the dynamic change of influence into account.
The closer an asset in the current network is to the core asset, the higher its degree of association: the fewer routing nodes and similar devices lie between it and the core asset, the higher the degree of association.
Building on that, under otherwise equal conditions, the more user accesses an asset in the current network receives, the higher its degree of association; with more user accesses, an attacker reaches the core asset more easily through the network device with the higher access volume.
The formula therefore considers both the path association between the network asset and the core asset and the influence, i.e. access volume, of the key asset. As shown in Fig. 4, a is the core asset; e and d have the same path length to a, but d has more access volume, so its degree of association is greater than that of e.
In this embodiment the path value L is determined by taking the number of routing hops as the basis for the blocking value, according to the following rules:
a. The L of the core asset is taken as 10; the closer L is to 10 the greater the correlation, and the closer to 0 the smaller the correlation;
b. Taking the core asset as the starting point and 10 as the base, the L value of a network asset associated with the core asset is reduced by N for each routing hop, where N is any number between 0.5 and 5; that is, a network asset associated with the core asset through one routing hop has L = 10 − N; N is for example 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
In this embodiment N = 2 is preferred; other values behave in the same way. Each routing hop reduces the value by 2, so the L value of the network assets in the intranet formed by the same router is 8.
b1) For the network devices with an IP address that are connected to the core asset, the L value is computed from the network topology by the shortest-path method: starting from the core asset, each routing hop subtracts the blocking value N from L. With N = 2, each routing hop from the core asset subtracts 2 from L.
b2) After the network devices with IP addresses have been computed under b1), the L value of a network device without an IP address is likewise obtained by the shortest-path method: the highest L value among the IP-bearing network devices directly connected to it is taken as its L value.
In this embodiment the influence I of a network asset is determined as follows:
The influence of a network asset is mainly determined by its own network traffic T.
In a network, an asset that carries more traffic than other assets has more user accesses, and an attacker reaches the core asset more easily through a network device with higher access volume. Let T be the highest traffic in the network, t the lowest traffic in the network, and tn the traffic of a given network device; then the influence value I of that device is calculated as:
I = 10 × (tn − t) / (T − t)
Influence bands by score: high, 7 to 10 (7 included); medium, 4 to 7 (4 included); low, below 4.
As an expanded preferred description, if the device providing the web server is set as the core asset, then the corresponding backup server, database server and so on may be taken as provided by the same vendor, and their degree of association should be closer.
After the path L and the influence I of a network asset have been determined, the degree of association between the network asset and the core asset is calculated from the two.
The degree of association C between a network device and the core asset is therefore distributed as follows: high, 7 to 10 (7 included); medium, 4 to 7 (4 included); low, below 4.
Vulnerability V is described in this embodiment as follows:
Vulnerability refers to the CVSS vulnerability scoring method.
The Common Vulnerability Scoring System (CVSS) is an open standard developed by NIAC and maintained by FIRST, free for product vendors to adopt. Using this standard, weaknesses can be scored, which then helps us judge the priority with which different weaknesses should be repaired.
CVSS, the Common Vulnerability Scoring System, is an industry open standard designed to evaluate the severity of vulnerabilities and to help determine the urgency and importance of the required response.
Its main purpose is to help establish a standard for measuring vulnerability severity, so that the severity of vulnerabilities can be compared and the priority of handling them determined. A CVSS score is based on measurements in a series of dimensions, called metrics. The final score of a vulnerability is at most 10 and at least 0.
Vulnerabilities scoring 7 to 10 are generally considered serious,
scores between 4 and 6.9 are medium-level vulnerabilities,
and 0 to 3.9 are low-level vulnerabilities.
Vulnerability bands by score: high, 7 to 10 (7 included); medium, 4 to 7 (4 included); low, below 4.
As shown in Fig. 5, in step S4 a two-dimensional graph is drawn from the degree of association with the core asset and the vulnerability; both the degree of association and the vulnerability use a 0 to 10 scale, where
(10, 10) represents the core asset in the current network;
assets above (7, 7), with a high degree of association and high vulnerability, are key assets;
assets lying between (4, 4) and (7, 7) in degree of association and vulnerability are assets of concern. The remainder are assets not of concern, whose harm to the core asset is small.
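The scoring and classification rules of steps S4 and S5 (the L decrement per routing hop, rule b2 for devices without an IP address, I derived from traffic, C = αL + βI, and the split on the (C, V) plane) carried through on a small constructed topology, as an added Python example that is not part of the patent and not the assignee's code. The asset names, topology, traffic figures and CVSS scores are constructed; N = 2 and α = 0.6 follow the embodiment's stated preferences; treating every edge as one routing hop, giving I = 0 when all traffic values are equal, and counting the mixed case (one axis at or above 7, the other between 4 and 7) as an asset of concern are assumptions the patent does not spell out.

```python
# Added example (not code from the patent or its assignee): the S4/S5 scoring of
# the patent run on a constructed topology. L comes from routed hop count, I from
# traffic, C = alpha*L + beta*I, and assets are split on the (C, V) plane.
from collections import deque


def shortest_hops(adj, source):
    """BFS hop count from `source` over an undirected adjacency dict."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def path_scores(adj, core, has_ip, n=2.0):
    """Rules a/b/b1: the core asset has L = 10 and every routing hop away from it
    subtracts N (floored at 0; unreachable assets get 0). Rule b2: a device
    without an IP address takes the highest L among its directly connected
    IP-bearing neighbours. Assumption: each edge in `adj` is one routed hop."""
    hops = shortest_hops(adj, core)
    scores = {}
    for node in adj:
        if has_ip[node]:
            scores[node] = max(0.0, 10.0 - n * hops[node]) if node in hops else 0.0
    for node in adj:
        if not has_ip[node]:
            scores[node] = max((scores[v] for v in adj[node] if has_ip[v]), default=0.0)
    return scores


def influence_scores(traffic):
    """I = 10 * (tn - t) / (T - t) with T and t the highest and lowest traffic.
    If every asset carries the same traffic the formula divides by zero; the
    patent does not cover that case, so here every asset then gets I = 0."""
    T, t = max(traffic.values()), min(traffic.values())
    if T == t:
        return {k: 0.0 for k in traffic}
    return {k: 10.0 * (v - t) / (T - t) for k, v in traffic.items()}


def association_scores(L, I, alpha=0.6):
    """C = alpha*L + beta*I with alpha + beta = 1; the patent usually takes alpha > beta."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    beta = 1.0 - alpha
    return {k: alpha * L[k] + beta * I[k] for k in L}


def grade(score):
    """The high / medium / low bands the patent uses for I, C and V alike."""
    return "high" if score >= 7 else "medium" if score >= 4 else "low"


def classify(asset, core, c, v):
    """S5 split on the (C, V) plane. The core asset sits at (10, 10) by its S2
    label, not by computed score; both axes >= 7 is a key asset; both >= 4 but
    not both >= 7 is an asset of concern (this covers the mixed case the patent
    leaves open, an assumption here); anything else is not of concern."""
    if asset == core:
        return "core"
    if c >= 7 and v >= 7:
        return "key"
    if c >= 4 and v >= 4:
        return "concern"
    return "not_concern"


def identify_key_assets(adj, has_ip, traffic, cvss, core, n=2.0, alpha=0.6):
    """Steps S4 and S5 for one core asset; returns per-asset L, I, C, V and class."""
    L = path_scores(adj, core, has_ip, n)
    I = influence_scores(traffic)
    C = association_scores(L, I, alpha)
    return {a: {"L": L[a], "I": I[a], "C": round(C[a], 3), "V": cvss[a],
                "class": classify(a, core, C[a], cvss[a])} for a in adj}


# Constructed sample network (not from the patent). db01 is the core asset marked
# in S2; kvm0 is a console switch with no IP address, so rule b2 applies to it.
ADJ = {
    "db01": ["rtr1"],
    "rtr1": ["db01", "app01", "rtr2"],
    "app01": ["rtr1"],
    "rtr2": ["rtr1", "web01", "jump01"],
    "web01": ["rtr2"],
    "jump01": ["rtr2", "kvm0"],
    "kvm0": ["jump01"],
}
HAS_IP = {a: a != "kvm0" for a in ADJ}
TRAFFIC = {"db01": 5000, "rtr1": 9000, "app01": 7000, "rtr2": 8000,   # requests per hour,
           "web01": 10000, "jump01": 1000, "kvm0": 0}                   # constructed
CVSS = {"db01": 9.8, "rtr1": 7.5, "app01": 8.1, "rtr2": 5.3,           # constructed
        "web01": 9.1, "jump01": 4.0, "kvm0": 2.0}                       # base scores

if __name__ == "__main__":
    for asset, row in identify_key_assets(ADJ, HAS_IP, TRAFFIC, CVSS, core="db01").items():
        print(f"{asset:7s} L={row['L']:4.1f} I={row['I']:4.1f} C={row['C']:4.1f} "
              f"V={row['V']:3.1f} {grade(row['C'])}/{grade(row['V'])} -> {row['class']}")
```

On this constructed input only rtr1 (one hop from the core, heavy traffic, CVSS 7.5) lands in the key-asset region; web01, the busiest asset, is three hops out, so with α > β its C stays at 6.4 and it is only an asset of concern despite a CVSS of 9.1. That is the intended effect of weighting path over traffic, and it is the kind of result a practitioner should inspect before relying on the split, since a single α change moves assets across the (7, 7) boundary.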
Some supplementary explanation is needed. 1. The invention first makes the core assets clear, so that the object to be protected is known. 2. It then finds the key assets, repairs their vulnerabilities, installs patches and hardens them, placing prevention on the path that leads to the core asset. 3. Key assets are often the attacker's focus: the core asset is finally taken by breaching the key assets one layer at a time. Deceptive defence exploits exactly this point by simulating key assets, deceiving the attacker, delaying the attack and protecting the core asset.
To this end, as a preferred embodiment, the core assets are the assets that need focused protection, the assets an attacker ultimately wants to obtain or destroy; key assets include the core assets.
On the one hand prevention module is provided in the recognition methods, the prevention module is used for core asset and crucial money The fragility of production is repaired, is perfect;Attack technology feature database is additionally provided in the prevention module;
On the other hand it is additionally provided with honey jar monitoring module, the honey jar monitoring module is used for the pass in the prediction module Key assets, core asset are imitated, are virtually utilized, and the sight of attacker is obscured, and are monitored attacker in time and are provided to key is imitated The attack technology and tool of the honey jar of production;
It further include analysis module and respond module, wherein the analysis module is used to export the honey jar monitoring module Data analyzed, the analysis module further includes to the attacker monitored in the honey jar monitoring module to virtual key Attack technology and tool used in assets are analyzed;The result that the respond module is used to analyze the analysis module is certainly It is dynamic to generate response command.
For example famous shake net event finally destroys core asset exactly by breaking through Key Asset layer by layer.
The circulation way of shake net virus: the target of attack of Stuxnet worm is that (i.e. core provides SIMATIC WinCC software It produces).The latter is mainly used for the data acquisition and monitoring of industrial control system, is generally deployed in dedicated internal lan, and With external the Internet implementation being isolated physically.In order to realize attack, Stuxnet worm takes multiple means to be permeated and passed It broadcasts, whole propagation thinking is: infection external host first;Then USB flash disk is infected, loophole is parsed using shortcut file, passes It is multicast to internal network;In Intranet, loophole is parsed by shortcut, RPC remotely executes loophole, printer background program service Loophole realizes the propagation between networked hosts;Finally arrive at the host for being mounted with WinCC software, expansion attack.
Using the technical solution provided by the invention, vulnerability inspection is carried out on the core asset and on the key assets centred on it, gaps are remedied and improved, and at the same time defensive technology is used to strengthen the network's level of protection. The analysis module described in this embodiment also analyzes the attack techniques and tools used by the attackers observed in the honeypot monitoring module, where:
The honeypot monitoring module monitors in real time the attack techniques and tools used by attackers against key assets in the current network system and analyzes them. After the attack data have been analyzed: if the attack is known, i.e. the attack technique has a corresponding defense technique in the prevention module's defense technique database, the preset defense technique is called directly to provide protection; if the attack is unknown, the honeypot monitoring module samples and traces the attack source and the sample, adds them to the attack technique feature database, and adds the network asset exploited by the attacker to the key asset library.
On the other hand, after the response module automatically generates a response command from the result of the analysis module's analysis, the following actions are performed:
First: alert information is sent to the administrator immediately by email, WeChat or similar means, and a network threat situation report is sent periodically to help the user understand the current network security state and to update the key asset library;
Second: linked blocking, in which the defense system and the perimeter security devices act together to block access to the key asset;
Third: linked scanning and removal, in which the defense system and the endpoint security software act together to scan and clean the key asset;
Fourth: a forensic toolkit, which provides a network threat emergency response toolkit that can be used for on-site analysis and evidence collection when an attack occurs.
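The honeypot-to-response workflow described above, written out as an added Python example (it is not code from the patent or its assignees). It assumes a defense database keyed by technique label, a feature database of technique-plus-sample-hash signatures, and constructed honeypot events; the event fields, the `10.0.9.x` addresses and the tool names are invented sample data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HoneypotEvent:
    """One observation from a honeypot imitating a key asset (constructed data)."""
    source: str        # attacker address as seen by the honeypot
    technique: str     # attack technique label assigned by the monitor
    tool: str          # tool fingerprint
    decoy_of: str      # the key asset this honeypot imitates
    sample: bytes      # captured payload / sample


@dataclass
class DefenseState:
    """The three stores the description refers to: preset defenses keyed by
    technique, the attack technique feature database, and the key asset library."""
    defense_db: Dict[str, str]
    attack_feature_db: Set[str] = field(default_factory=set)
    key_asset_library: Set[str] = field(default_factory=set)


def sample_signature(ev: HoneypotEvent) -> str:
    """Feature-database entry for an unknown attack: technique plus sample hash
    (hash-based signature is this example's choice, not specified by the page)."""
    return f"{ev.technique}:{hashlib.sha256(ev.sample).hexdigest()[:16]}"


def analyze(state: DefenseState, ev: HoneypotEvent) -> Tuple[str, str]:
    """Known attack: return the preset defense. Unknown attack: record the traced
    sample in the feature database and add the targeted asset to the key asset
    library. Adding to sets keeps repeated samples from creating duplicates."""
    if ev.technique in state.defense_db:
        return "known", state.defense_db[ev.technique]
    sig = sample_signature(ev)
    state.attack_feature_db.add(sig)
    state.key_asset_library.add(ev.decoy_of)
    return "unknown", sig


def respond(state: DefenseState, ev: HoneypotEvent) -> Tuple[str, str, List[str]]:
    """Generate the four response actions (alert, linked block, linked scan,
    forensics) as commands; a known attack also applies its preset defense."""
    kind, detail = analyze(state, ev)
    cmds = [
        f"alert administrator: {kind} attack {ev.technique}/{ev.tool} "
        f"on {ev.decoy_of} from {ev.source}",
        f"block: defense system + perimeter devices isolate {ev.source} from {ev.decoy_of}",
        f"scan: defense system + endpoint security clean {ev.decoy_of}",
        f"forensics: run emergency response kit on {ev.decoy_of}",
    ]
    if kind == "known":
        cmds.insert(1, f"apply preset defense: {detail}")
    return kind, detail, cmds


def situation_report(state: DefenseState) -> dict:
    """Content of the periodic threat situation report sent to the user."""
    return {
        "known_defenses": len(state.defense_db),
        "attack_features": sorted(state.attack_feature_db),
        "key_assets": sorted(state.key_asset_library),
    }


def run_example() -> dict:
    # Constructed state: one preset defense, one asset already in the library.
    state = DefenseState(defense_db={"smb-bruteforce": "rate-limit and lockout"},
                         key_asset_library={"hmi"})
    # Constructed honeypot events; the third repeats the second (same sample).
    events = [
        HoneypotEvent("10.0.9.7", "smb-bruteforce", "tool-a", "hmi", b"login attempts"),
        HoneypotEvent("10.0.9.8", "rpc-unknown", "tool-b", "eng_ws", b"\x05\x00\x0b\x03"),
        HoneypotEvent("10.0.9.8", "rpc-unknown", "tool-b", "eng_ws", b"\x05\x00\x0b\x03"),
    ]
    results = [respond(state, ev) for ev in events]
    return {"state": state, "results": results, "report": situation_report(state)}


if __name__ == "__main__":
    out = run_example()
    for kind, detail, cmds in out["results"]:
        print(kind, detail)
        for c in cmds:
            print("   ", c)
    print(out["report"])
```

The first event hits the defense database and gets five commands (the preset defense plus the four standard actions); the two unknown events produce one feature-database entry between them and add `eng_ws` to the key asset library once.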
The scheme provided by the invention can effectively define key assets, helps to grasp the crux of the problem, and repairs and improves the vulnerabilities of core assets and key assets, overcoming the shortcoming of uniform protection in the prior art: information systems that hold more important information and are more likely to be penetrated by cybercriminals receive enhanced protection. Using the technology provided by the invention, protection is targeted and achieves twice the result with half the effort.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in conjunction with that embodiment or example is contained in at least one embodiment or example of the application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the application have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be understood as limiting the application; those skilled in the art can change, modify, replace and vary the above embodiments within the scope of the application.

Claims (10)

1. A recognition method for network key assets, characterised in that it includes the following steps:
S1, counting all assets in the current network and forming an inventory;
S2, marking one or more core assets according to the service conditions in the current network;
S3, forming a network topology diagram of the counted network assets with the core asset as its centre, and drawing the network association relationships;
S4, identifying the key assets in the current network by the following method:
in the network topology diagram, taking a certain core asset as the source, calculating the degree of association between each asset in the current network assets and the core asset according to the topological route, and measuring the vulnerability of each asset in the current network assets; the key assets of a certain core asset in the network are determined by these two elements;
S5, with a certain core asset as the centre, dividing all assets in the current network assets into at least core assets, key assets and concern assets according to the core asset association relationship and the vulnerability relationship.
2. The recognition method for network key assets according to claim 1, characterised in that: in step S4, the degree of association C between each asset in the current network assets and the core asset is calculated as follows:
C = αL + βI
The formula considers both the route association between the network asset and the core asset and the influence of the key asset; where
L and I are values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1;
C denotes the key asset degree of association;
L denotes the length of the shortest path from a certain asset in the current network assets to the core asset;
I denotes the influence of the network asset, with the amount of access, i.e. the traffic value, as its main parameter; using traffic as the index takes the dynamic change of influence into account.
3. The recognition method for network key assets according to claim 2, characterised in that: the closer a certain asset in the current network assets is to the core asset, the higher its degree of association, i.e. the fewer device nodes there are between it and the core asset, the higher the degree of association;
under otherwise similar conditions, the more user access a certain asset in the current network assets has, the higher its degree of association.
4. The recognition method for network key assets according to claim 3, characterised in that: for confirming the path value L, the number of routes is used as the calculation standard for the obstruction value; its rules are as follows:
a, the L of the core asset is taken as 10; the closer to 10, the greater the correlation, and the closer to 0, the smaller the correlation;
b, taking the core asset as the starting point and 10 as the base, for the network assets associated with the core asset the value is reduced by N for each route hop, where N is any number between 0.5 and 5; that is, with the core asset as origin, the L value of a network asset formed by one routing association is 10 - N; for example, N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
b1) for network devices with IP addresses connected to the core asset, based on the network topology and according to the critical path method (CPM), starting from the core asset the L value is reduced by the obstruction value N for every route hop;
b2) after the network devices with IP addresses have been calculated according to b1), the L value of a network device without an IP address is also determined by the shortest-path method: it takes the highest L value among all the IP-addressed network devices most closely connected to it as its own L value.
5. The recognition method for network key assets according to claim 4, characterised in that: the influence of a network asset is mainly determined by its own network traffic T;
in a network, an asset with more traffic than other assets, i.e. with more user access, makes it easier for an attacker to reach the core asset through that network device; taking the highest traffic value in the network as T, the lowest traffic value in the network as t, and the traffic of any network device as tn, the influence value I of the network device is calculated as:
I = 10 * (tn - t) / (T - t).
6. The recognition method for network key assets according to claim 1, characterised in that: vulnerability refers to scoring the weaknesses present in the asset devices of the current network and then judging the priority of repairing the different weaknesses; where
the final vulnerability score is at most 10 and at least 0;
vulnerabilities with a score of 7 to 10 are generally considered serious;
a score between 4 and 6.9 is a medium-level vulnerability;
0 to 3.9 is a low-level vulnerability.
7. The recognition method for network key assets according to any one of claims 1 to 6, characterised in that: in step S4, a two-dimensional diagram is drawn according to the degree of association with the core asset and the vulnerability; the degree of association and the vulnerability both use a 0 to 10 grade classification, where
(10, 10) represents the core asset in the current network assets;
above (7, 7), where the degree of association is high and the vulnerability is high, are the key assets;
assets whose degree of association and vulnerability lie between (7, 7) and (4, 4) are concern assets.
8. The recognition method for network key assets according to claim 7, characterised in that: the core asset refers to the asset that needs to be protected with special emphasis and is the asset that the attacker ultimately wants to obtain or destroy; from the grade division in claim 7 it follows that the key assets include the core asset;
on the one hand, a prevention module is provided in the recognition method; the prevention module is used to repair and improve the vulnerabilities of the core assets and key assets, and an attack technique feature database is also provided in the prevention module;
on the other hand, a honeypot monitoring module is also provided; the honeypot monitoring module imitates and virtualizes the key assets and core assets in the prediction module, confuses the attacker's view, and promptly monitors the attack techniques and tools the attacker uses against the honeypots that imitate the key assets;
an analysis module and a response module are also included, where
the analysis module analyzes the data output by the honeypot monitoring module, and also analyzes the attack techniques and tools used against the virtual key assets by the attackers observed in the honeypot monitoring module; the response module automatically generates response commands from the result of the analysis module's analysis.
9. The recognition method for network key assets according to claim 8, characterised in that: the analysis module also analyzes the attack techniques and tools used by the attackers observed in the honeypot monitoring module; where
the honeypot monitoring module monitors in real time the attack techniques and tools used by attackers against key assets in the current network system and analyzes them;
after the attack data have been analyzed, if the attack is known, i.e. the attack technique has a corresponding defense technique in the prevention module's defense technique database, the preset defense technique is called directly to provide protection;
if the attack is unknown, the honeypot monitoring module samples and traces the attack source and the sample, adds them to the attack technique feature database, and adds the network asset exploited by the attacker to the key asset library.
10. The recognition method for network key assets according to claim 9, characterised in that: after the response module automatically generates a response command from the result of the analysis module's analysis, the following actions are performed:
first: alert information is sent to the administrator immediately by email, WeChat or similar means, and a network threat situation report is sent periodically to help the user understand the current network security state and to update the key asset library;
second: linked blocking, in which the defense system and the perimeter security devices act together to block access to the key asset;
third: linked scanning and removal, in which the defense system and the endpoint security software act together to scan and clean the key asset;
fourth: a forensic toolkit, which provides a network threat emergency response toolkit that can be used for on-site analysis and evidence collection when an attack occurs.
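The scoring procedure of claims 2 to 7 (path value L, influence I, degree of association C, vulnerability bands and the two-dimensional grid) carried through on a constructed six-device topology, as an added Python example that is not code from the patent or its assignees. Assumptions the claims do not state and that this example makes explicit: route hops are counted over every device on the path, including devices without an IP address; assets that fall outside both regions of the claim 7 grid receive a fourth label "other" (the claims require "at least" three classes); and when every asset has the same traffic (T equals t, where the claim 5 formula is undefined) I is set to 0 for all assets. Device names, traffic figures and vulnerability scores are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    """One inventory entry (step S1). All field values below are constructed."""
    name: str
    has_ip: bool
    flow: float            # traffic / access volume tn (claim 5)
    vuln: float            # vulnerability score 0-10 (claim 6)
    neighbors: List[str] = field(default_factory=list)


def build_topology(assets: List[Asset], links: List[Tuple[str, str]]) -> Dict[str, Asset]:
    """Step S3: undirected adjacency from a link list."""
    graph = {a.name: a for a in assets}
    for u, v in links:
        graph[u].neighbors.append(v)
        graph[v].neighbors.append(u)
    return graph


def hop_counts(graph: Dict[str, Asset], core: str) -> Dict[str, int]:
    """Shortest route count from the core by BFS; each hop is one route (claim 4 b).
    Assumption: every device on the path, IP-addressed or not, counts as a hop."""
    dist = {core: 0}
    queue = deque([core])
    while queue:
        u = queue.popleft()
        for v in graph[u].neighbors:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def path_values(graph: Dict[str, Asset], core: str, n: float = 1.0) -> Dict[str, float]:
    """L per claim 4: core = 10, minus N per hop for IP devices (b1), clamped at 0;
    a device without an IP address inherits the highest L of its directly
    connected IP devices (b2)."""
    hops = hop_counts(graph, core)
    l = {}
    for name, a in graph.items():
        if a.has_ip and name in hops:
            l[name] = max(0.0, 10.0 - n * hops[name])
    for name, a in graph.items():
        if not a.has_ip:
            l[name] = max((l[v] for v in a.neighbors if v in l), default=0.0)
    return l


def influence_values(graph: Dict[str, Asset]) -> Dict[str, float]:
    """I = 10 * (tn - t) / (T - t) per claim 5; all 0 when T == t (example's choice)."""
    flows = [a.flow for a in graph.values()]
    big_t, small_t = max(flows), min(flows)
    if big_t == small_t:
        return {name: 0.0 for name in graph}
    return {name: 10.0 * (a.flow - small_t) / (big_t - small_t) for name, a in graph.items()}


def association(l: Dict[str, float], i: Dict[str, float], alpha: float = 0.5) -> Dict[str, float]:
    """C = alpha * L + beta * I with alpha + beta = 1 (claim 2)."""
    beta = 1.0 - alpha
    return {name: alpha * l[name] + beta * i[name] for name in l}


def vuln_level(score: float) -> str:
    """Claim 6 bands: 7-10 serious, 4-6.9 medium, 0-3.9 low."""
    if score >= 7:
        return "high"
    return "medium" if score >= 4 else "low"


def classify(graph: Dict[str, Asset], core: str, c: Dict[str, float]) -> Dict[str, str]:
    """Claim 7 grid on (C, vulnerability): the designated core, key assets above
    (7, 7), concern assets between (4, 4) and (7, 7), and 'other' for the rest."""
    classes = {}
    for name, a in graph.items():
        if name == core:
            classes[name] = "core"
        elif c[name] >= 7 and a.vuln >= 7:
            classes[name] = "key"
        elif c[name] >= 4 and a.vuln >= 4:
            classes[name] = "concern"
        else:
            classes[name] = "other"
    return classes


def sample_network() -> Dict[str, Asset]:
    """Constructed ICS-style topology; the WinCC server is the designated core (S2)."""
    assets = [
        Asset("wincc_server", True, 1000, 5.0),
        Asset("switch_a", False, 900, 6.0),     # no IP address: L via rule b2
        Asset("hmi", True, 800, 8.0),
        Asset("eng_ws", True, 300, 9.0),
        Asset("fw", True, 600, 3.0),
        Asset("office_pc", True, 50, 9.0),
    ]
    links = [("wincc_server", "switch_a"), ("switch_a", "hmi"),
             ("switch_a", "eng_ws"), ("eng_ws", "fw"), ("fw", "office_pc")]
    return build_topology(assets, links)


def run_example(n: float = 1.0, alpha: float = 0.5) -> dict:
    graph, core = sample_network(), "wincc_server"
    l = path_values(graph, core, n)
    i = influence_values(graph)
    c = association(l, i, alpha)
    classes = classify(graph, core, c)
    # Claim 8: the key asset library includes the core asset.
    key_library = sorted(name for name, k in classes.items() if k in ("core", "key"))
    return {"L": l, "I": i, "C": c, "classes": classes, "key_library": key_library}


if __name__ == "__main__":
    r = run_example()
    for name in r["C"]:
        print(f"{name:13s} L={r['L'][name]:5.2f} I={r['I'][name]:5.2f} "
              f"C={r['C'][name]:5.2f} -> {r['classes'][name]}")
    print("key asset library:", r["key_library"])
```

With N = 1 and α = β = 0.5, the HMI two hops from the core ends up with L = 8, I ≈ 7.89 and C ≈ 7.95, and its score of 8 puts it in the key asset region; the switch inherits L = 10 from the core but its medium vulnerability keeps it a concern asset, and the office PC four hops away with negligible traffic falls outside both regions. Changing N (for instance to 4) shows the clamp at 0 for distant devices.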
CN201910866476.6A 2019-09-12 2019-09-12 Identification method of network key assets Active CN110460481B (en)

Publications (2)

Publication Number Publication Date
CN110460481A true CN110460481A (en) 2019-11-15
CN110460481B CN110460481B (en) 2022-02-25

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111080425A (en) * 2019-12-11 2020-04-28 深圳盈佳信联科技有限公司 Receivable account asset equity checking system and method
CN112069269A (en) * 2020-08-27 2020-12-11 黄天红 Big data and multidimensional feature-based data tracing method and big data cloud server
CN113329038A (en) * 2021-08-03 2021-08-31 南京天华中安通信技术有限公司 Key digital asset protection method and device, electronic equipment and storage medium
CN115296917A (en) * 2022-08-09 2022-11-04 山东港口科技集团烟台有限公司 Asset exposure surface information acquisition method, device, equipment and storage medium
CN116599765A (en) * 2023-06-29 2023-08-15 软极网络技术(北京)有限公司 Honeypot deployment method

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100091354A (en) * 2009-02-10 2010-08-19 (주)닥터소프트 Apparatus and method for management of information technology resource
CN101964730A (en) * 2010-01-28 2011-02-02 北京邮电大学 Network vulnerability evaluation method
CN103368976A (en) * 2013-07-31 2013-10-23 电子科技大学 Network security evaluation device based on attack graph adjacent matrix
CN104798079A (en) * 2012-12-18 2015-07-22 迈克菲公司 Automated asset criticality assessment
CN105721459A (en) * 2016-01-29 2016-06-29 博雅网信(北京)科技有限公司 Risk evaluation method for virtual environment
CN107093152A (en) * 2017-04-24 2017-08-25 杭州创云智科技有限公司 Electric network composition fragility node recognition methods
EP3396612A1 (en) * 2017-04-24 2018-10-31 BlockSettle AB Method and system for creating a user identity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant