CN110460481A - A method for identifying key network assets - Google Patents
A method for identifying key network assets

- Publication number: CN110460481A (application CN201910866476.6A)
- Authority: CN (China)
- Prior art keywords: asset, assets, network, key, core
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)

Classifications (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes
- Engineering & Computer Science
- Computer Security & Cryptography
- Computer Networks & Wireless Communication
- Signal Processing
- Computer Hardware Design
- Computing Systems
- General Engineering & Computer Science
- Management, Administration, Business Operations System, And Electronic Commerce
- Data Exchanges In Wide-Area Networks
Abstract
The present invention provides a method for identifying key network assets, comprising: S1, counting all assets in the current network; S2, marking one or more core assets; S3, forming a network topology diagram with the core assets at its centre and drawing the network association relationships of the inventoried assets; S4, identifying the key assets in the current network by the method described below; S5, centred on a given core asset, dividing all assets in the current network, according to their association with the core asset and their vulnerability, into at least core assets, key assets and assets of concern. The scheme provided by the invention effectively defines key assets, helps to seize the crux of the problem, and allows the vulnerabilities of core assets and key assets to be repaired and improved. It overcomes the shortcoming of uniform protection in the prior art and provides enhanced protection to information systems that hold more important information or are more likely to be penetrated by cyber criminals, so that the technology provided by the invention hits its target and achieves twice the result with half the effort.
Description
Technical field
The invention belongs to the field of computer network security technology, and in particular relates to a method for identifying key network assets.
Background art
In recent years, network security threats and risks have grown sharply and have become a challenge facing humanity in the information age. Network security exists because threat sources exist: cyberspace is lucrative, so threat sources can obtain benefits through comprehensive attacks. Hackers extorting and acquiring wealth is the lesser matter; some hostile groups may also use networks to disrupt society and undermine national stability, carrying out organised, high-intensity and continuous attacks against target networks. In particular, with the arrival of the 5G era, the industrial internet also faces security threats, and the network attacks it provokes often cause more serious impact than in the past. The threats faced by network security can come from many sides and change over time; their most prominent feature is that they declare no war, penetrating the opponent's infrastructure network and striking a deadly blow at the crucial moment.
Network defence strategy has shifted from "protecting all digital systems evenly" to "providing enhanced protection to information systems that hold more important information or are more likely to be penetrated by cyber criminals or state adversaries". This requires key assets to be protected, yet many current methods only define assets without defining key assets. Defining key assets helps the network security defence mechanism move from passive defence to active defence, prevents key-asset vulnerabilities, focuses monitoring on the state of key assets, and protects core assets.
For this reason, those skilled in the art need to provide a new technical solution for identifying the key assets in a network; the identification and protection of key assets in a network has become a technical problem urgently to be solved by those skilled in the art.
Summary of the invention
In order to overcome, at least to some extent, the problems present in the related art, and to be able to effectively identify the key assets in a network so that they can be protected in a targeted way, the present invention provides a method for identifying key network assets.
To achieve the above object, the present invention provides a method for identifying key network assets comprising the following steps:
S1, count all assets in the current network and form an asset inventory;
S2, mark one or more core assets according to the business conditions in the current network;
S3, form a network topology diagram with the core assets at its centre and draw the network association relationships of the inventoried assets;
S4, identify the key assets in the current network by the following method:
in the network topology diagram, taking a given core asset as the source, calculate from the topological routes the degree of association between each asset in the current network and the core asset, and measure the vulnerability of each asset in the current network; the key assets of that core asset are determined by these two factors;
S5, centred on a given core asset, divide all assets in the current network, according to their association with the core asset and their vulnerability, into at least core assets, key assets and assets of concern.
Further, the degree of association C between each asset in the current network and the core asset in step S4 is calculated as follows:
C = αL + βI
The formula takes into account both the route by which a network asset is associated with the core asset and the influence of the key asset; where
L and I are values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1;
C denotes the key-asset degree of association;
L denotes the length of the shortest path from a given asset in the current network to the core asset;
I denotes the influence of the network asset, with the visit volume, i.e. traffic, as its main parameter; taking traffic as the index accounts for the dynamic change of influence.
The closer an asset in the current network is to the core asset, the higher its degree of association; that is, the fewer device nodes lie between it and the core asset, the higher the degree of association;
under otherwise similar conditions, the more user visits an asset in the current network receives, the higher its degree of association. In the present invention the path value L is determined by taking the number of routes as the basis for calculating the obstruction value; the rules are as follows:
a, the L of the core asset is taken as 10; the closer to 10, the greater the correlation, and the closer to 0, the smaller the correlation;
b, with the core asset as the starting point and 10 as the base, the L value of a network asset associated with the core asset is reduced by N for every routing hop, where N is any number between 0.5 and 5; that is, with the core asset as the origin, a network asset associated through one route has an L value of 10 - N; preferably N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
b1) for the network devices with an IP address connected to the core asset, based on the network topology and according to the critical path method (CPM), the L value is reduced by the obstruction value N for every routing hop from the core asset;
b2) after the network devices with an IP address have been calculated according to b1), the L value of a network device without an IP address is determined, also by the shortest-path method, as the highest L value among all the network devices with an IP address most closely connected to it.
In the present invention the influence of a network asset is mainly determined by its own network traffic T;
in a network, an asset with more traffic than other assets, i.e. with more user visits, is one through which an attacker can more easily reach the core asset via the network device. Let T be the highest traffic in the network, t the lowest traffic in the network, and tn the traffic of a given network device; then the influence value I of that network device is calculated as:
I = 10 * (tn - t) / (T - t)
Further, vulnerability refers to scoring the weaknesses present in the asset devices of the current network so as to judge the priority of repairing different weaknesses; where
the final score of a vulnerability is at most 10 and at least 0;
vulnerabilities scored 7 to 10 are generally considered serious;
scores between 4 and 6.9 are medium-level vulnerabilities;
0 to 3.9 are low-level vulnerabilities.
Further, in step S4 a two-dimensional diagram is drawn from the degree of association with the core asset and the vulnerability, both graded on a 0-10 scale, where
(10, 10) denotes the core asset in the current network;
assets at or above (7, 7), i.e. with a high degree of association and high vulnerability, are key assets;
assets whose degree of association and vulnerability lie between (7, 7) and (4, 4) are assets of concern.
Preferably, the core assets are the assets that need special protection and are the assets that an attacker ultimately wants to obtain or destroy; the key assets include the core assets;
on the one hand, the identification method is provided with a prevention module, which is used to repair and improve the vulnerabilities of core assets and key assets; the prevention module also contains an attack technique signature database;
on the other hand, a honeypot monitoring module is also provided, which imitates and virtualises the key assets and core assets in the prediction module, confuses the attacker's view, and promptly monitors the attack techniques and tools used by attackers against the honeypots that imitate key assets;
it further includes an analysis module and a response module, where
the analysis module analyses the data output by the honeypot monitoring module, including analysing the attack techniques and tools used against the virtual key assets by the attackers monitored in the honeypot monitoring module; the response module automatically generates response commands from the results of the analysis module.
Preferably, the analysis module further analyses the attack techniques and tools used by the attackers monitored in the honeypot monitoring module; where
the honeypot monitoring module monitors in real time the attack techniques and tools used by attackers against key assets in the current network system, and analyses them;
after the attack data have been analysed, if the attack is known, i.e. the attack technique has a corresponding defence technique in the defence technique database of the prevention module, the preset defence technique is called directly for protection;
if the attack is unknown, the honeypot monitoring module samples and traces the attack source, adds the sample to the attack technique signature database, and adds the network assets used by the attacker to the key asset library.
Preferably, after the response module automatically generates response commands from the results of the analysis module, the following actions are performed:
first: alert information is sent to the administrator immediately by e-mail, WeChat or similar means, and network threat situation reports are sent periodically to help users understand the current network security state and update the key asset library;
second: coordinated blocking, in which the defence system and perimeter security devices jointly block on behalf of key assets;
third: coordinated scanning and removal, in which the defence system and endpoint security software jointly scan and remove threats on key assets;
fourth: a forensics toolkit provides a network threat emergency response kit that can be used for on-site analysis and evidence collection when an attack occurs.
The technical solution provided by the embodiments of the application can have the following benefits: in the present invention, all assets in the current network are first counted, one or more core assets are marked according to the business conditions in the current network, and a network topology diagram is formed; in the network topology diagram, taking a given core asset as the source, the degree of association between each asset in the current network and the core asset is calculated from the topological routes, and the vulnerability of each asset in the current network is measured; the key assets of that core asset are determined by these two factors. The scheme provided by the invention can effectively define key assets, helps to seize the crux of the problem, and allows the vulnerabilities of core assets and key assets to be repaired and improved. It overcomes the shortcoming of uniform protection in the prior art and provides enhanced protection to information systems that hold more important information or are more likely to be penetrated by cyber criminals, so that the technology provided by the invention hits its target and achieves twice the result with half the effort.
Description of the drawings
The drawings here are incorporated into and form part of this specification; they show embodiments consistent with the application and, together with the specification, serve to explain the principles of the application.
Fig. 1 is a flow chart of the method for identifying key network assets of the invention;
Fig. 2 is a module diagram of the system for identifying key network assets of the invention;
Fig. 3 is a schematic diagram of an asset inventory in the invention;
Fig. 4 is a schematic diagram of asset device visit volume in the invention;
Fig. 5 is a two-dimensional diagram drawn in the invention from the degree of association with the core asset and the vulnerability.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
As shown in Fig. 1, the present embodiment provides a method for identifying key network assets comprising the following steps:
S1, count all assets in the current network and form an asset inventory;
S2, mark one or more core assets according to the business conditions in the current network;
S3, form a network topology diagram with the core assets at its centre and draw the network association relationships of the inventoried assets;
S4, identify the key assets in the current network by the following method:
in the network topology diagram, taking a given core asset as the source, calculate from the topological routes the degree of association between each asset in the current network and the core asset, and measure the vulnerability of each asset in the current network; the key assets of that core asset are determined by these two factors;
S5, centred on a given core asset, divide all assets in the current network, according to their association with the core asset and their vulnerability, into at least core assets, key assets and assets of concern.
As shown in Fig. 2, it should be added that the method for identifying key network assets provided in this embodiment uses corresponding system modules, including a network asset identification module, a core asset marking module, a network topology module, a key asset identification module, a key asset analysis module and a key asset application module; the way each module works is explained further below:
As shown in Fig. 3, the network asset identification module is used to count all assets in the current network and form an asset inventory, such as servers, network devices, data files, software assets, storage devices and security devices; they are not enumerated one by one here, please refer to the sample inventory given in Fig. 3.
The core asset marking module then takes the assets counted by the network asset identification module and, according to the business conditions in the current network, marks one or more core assets, such as one or more of data assets, device assets and operating systems.
The network topology module is used to form a network topology diagram of the inventoried assets and draw the network association relationships.
One network topology diagram is drawn for the current network system, but a topology diagram may contain one or more core assets. Assuming there is only one core asset, all assets in the current network are divided, centred on that core asset and according to their association with it and their vulnerability, into at least core assets and key assets.
If there are multiple core assets, such as data assets, device assets and operating systems, then for each core asset in turn, all assets in the current network are divided, centred on that core asset and according to their association with it and their vulnerability, into at least core assets and key assets.
It should be added that key assets include core assets and also include the associated assets that can directly or indirectly reach a core asset, such as hosts, accounts, processes, ports, data interfaces and web sites. Core assets are the assets that need special protection and are the assets that an attacker ultimately wants to obtain or destroy; they include but are not limited to the data assets, device assets and operating systems to be specially protected. Key assets are assets that, with respect to a given core asset, have a very strong degree of association and vulnerability.
The following elaborates from step S4. In this embodiment the degree of association is the association relationship between each asset in the network and the core asset. Two indices are used: the path L and the influence I. For all assets on the network found by a scanner, and based on the network topology diagram, the degree of association C with the core asset is calculated.
The degree of association C between each asset in the current network and the core asset in step S4 of this embodiment is calculated as follows:
C = αL + βI
The degree of association depends on the length of the path from the network asset to the core asset (the multi-layer switches and other devices that must be crossed), for which the shortest path L is chosen, and on the influence I of the network asset, which in this embodiment is calculated from the visit volume, i.e. traffic; taking traffic as the index accounts for the dynamic change of influence.
Where
L and I are values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1; under normal circumstances α is greater than β.
C denotes the key-asset degree of association;
L denotes the length of the shortest path from a given asset in the current network to the core asset;
I denotes the influence of the network asset, with the visit volume, i.e. traffic, as its main parameter; taking traffic as the index accounts for the dynamic change of influence.
The closer an asset in the current network is to the core asset, the higher its degree of association; that is, the fewer routing nodes and other devices lie between it and the core asset, the higher the degree of association;
building on the previous point, under otherwise similar conditions, the more user visits an asset in the current network receives, the higher its degree of association. In other words, an asset with more user visits, i.e. a higher visit volume, is one through which an attacker can more easily reach the core asset via the network device.
The formula takes into account both the route by which a network asset is associated with the core asset and the influence of the key asset, i.e. its visit volume. As shown in Fig. 4, a is the core asset; e and d reach a over paths of the same length, but d has more visits, so its degree of association is greater than that of e.
In this embodiment the path value L is determined by taking the number of routes as the basis for calculating the obstruction value; the rules are as follows:
a, the L of the core asset is taken as 10; the closer to 10, the greater the correlation, and the closer to 0, the smaller the correlation;
b, with the core asset as the starting point and 10 as the base, the L value of a network asset associated with the core asset is reduced by N for every routing hop, where N is any number between 0.5 and 5; that is, with the core asset as the origin, a network asset associated through one route has an L value of 10 - N; preferably N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
in this embodiment N is preferably 2, and other values work in the same way: for every routing hop the value is reduced by 2, that is, the L value of the network assets in the intranet formed by the same router is 8.
b1) for the network devices with an IP address connected to the core asset, based on the network topology and according to the critical path method (CPM), the L value is reduced by the obstruction value N for every routing hop from the core asset; when N = 2, the L value is reduced by the obstruction value 2 for every routing hop from the core asset.
b2) after the network devices with an IP address have been calculated according to b1), the L value of a network device without an IP address is determined, also by the shortest-path method, as the highest L value among all the network devices with an IP address most closely connected to it.
In this embodiment the influence I of a network asset is determined as follows:
The influence of a network asset is mainly determined by its own network traffic T.
In a network, an asset with more traffic than other assets, i.e. with more user visits, is one through which an attacker can more easily reach the core asset via the network device. Let T be the highest traffic in the network, t the lowest traffic in the network, and tn the traffic of a given network device; then the influence value I of that network device is calculated as:
I = 10 * (tn - t) / (T - t)
| Influence | Score |
| --- | --- |
| High | 7 to 10 points (7 included) |
| Medium | 4 to 7 points (4 included) |
| Low | below 4 points |
As an expanded preferred description, if the device providing the Web server is set as the core asset, then the corresponding backup server, database server and so on may be set as being provided by the same vendor, and their degree of association should be closer.
After the path L and influence I of a network asset have been determined, the degree of association between the network asset and the core asset is calculated from the two.
Accordingly, the degree of association C between the network devices and the core asset is distributed as follows:
| Degree of association | Score |
| --- | --- |
| High | 7 to 10 points (7 included) |
| Medium | 4 to 7 points (4 included) |
| Low | below 4 points |
Vulnerability V is described in this embodiment as follows:
Vulnerability refers to the CVSS vulnerability scoring method.
The Common Vulnerability Scoring System (CVSS) is an open and free standard, developed by NIAC, maintained by FIRST and accepted by product vendors. Using this standard, weaknesses can be scored, which in turn helps us judge the priority of repairing different weaknesses.
CVSS, the Common Vulnerability Scoring System, i.e. the "general vulnerability scoring system", is an "industry open standard designed to evaluate the severity of vulnerabilities and to help determine the urgency and importance of the required response".
Its main purpose is to help people establish a standard for measuring vulnerability severity, so that the severity of vulnerabilities can be compared and the priority of handling them determined. A CVSS score is based on measurements in a series of dimensions, which are called metrics. The final score of a vulnerability is at most 10 and at least 0.
Vulnerabilities scored 7 to 10 are generally considered serious,
scores between 4 and 6.9 are medium-level vulnerabilities,
0 to 3.9 are low-level vulnerabilities.
| Vulnerability | Score |
| --- | --- |
| High | 7 to 10 points (7 included) |
| Medium | 4 to 7 points (4 included) |
| Low | below 4 points |
As shown in Fig. 5, in step S4 a two-dimensional diagram is drawn from the degree of association with the core asset and the vulnerability, both graded on a 0-10 scale, where
(10, 10) denotes the core asset in the current network;
assets at or above (7, 7), i.e. with a high degree of association and high vulnerability, are key assets;
assets whose degree of association and vulnerability lie between (7, 7) and (4, 4) are assets of concern. The remainder are assets of no concern, whose harm to the core asset is small.
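As an added worked example (not code from the patent), the Python below runs steps S3 to S5 as described in the summary and in this embodiment on a small constructed network: L from the routing-hop count with N = 2, I from normalised traffic, C = αL + βI, and the (7, 7)/(4, 4) grid to classify each asset. The topology, traffic counts and CVSS scores are constructed; the weights α = 0.6 and β = 0.4, taking the highest CVSS base score per asset as its vulnerability V, and treating all-equal traffic as I = 0 are assumptions of this example.

```python
"""
Worked example of the key-asset identification method (added example, not
the patent's own code):
  L : 10 - N per routing hop from the core asset (shortest path), floor 0
  I : 10 * (tn - t) / (T - t), traffic normalised to the 0..10 scale
  C : alpha * L + beta * I, alpha + beta = 1, alpha > beta
  V : vulnerability on a CVSS-style 0..10 scale
Classification uses the (7, 7) / (4, 4) grid from the text.
"""
from collections import deque

N = 2                       # obstruction value per routing hop (the text's preferred value)
ALPHA, BETA = 0.6, 0.4      # weights with alpha > beta as the text prefers (values assumed)

# Constructed topology: each edge is one routing hop between addressable assets.
HOPS = {
    "a": ["d", "e"],        # "a" is the core asset
    "d": ["a", "f"],
    "e": ["a"],
    "f": ["d", "g"],
    "g": ["f"],
}
# Constructed devices without an IP address, listed with the addressable
# assets they hang off; rule b2 gives them the highest L of those neighbours.
NO_IP = {"nas": ["d", "f"]}
# Constructed traffic counts and highest known CVSS base score per asset.
# Using the maximum CVSS score as V is an assumption of this example.
TRAFFIC = {"a": 5000, "d": 3000, "e": 1000, "f": 1200, "g": 200, "nas": 600}
CVSS = {"a": 9.8, "d": 7.5, "e": 9.1, "f": 5.3, "g": 9.8, "nas": 4.0}


def path_scores(core, hops, no_ip, n=N):
    """L for every asset: BFS hop count from the core, n points lost per hop."""
    dist = {core: 0}
    queue = deque([core])
    while queue:
        node = queue.popleft()
        for nxt in hops.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    L = {node: max(0.0, 10.0 - n * d) for node, d in dist.items()}
    # Rule b2: an unaddressed device inherits the best L of its IP neighbours.
    for dev, neighbours in no_ip.items():
        L[dev] = max(L[x] for x in neighbours if x in L)
    return L


def influence_scores(traffic):
    """I = 10 * (tn - t) / (T - t); all-equal traffic is scored 0 (assumption)."""
    T, t = max(traffic.values()), min(traffic.values())
    if T == t:
        return {k: 0.0 for k in traffic}
    return {k: 10.0 * (tn - t) / (T - t) for k, tn in traffic.items()}


def association(L, I, alpha=ALPHA, beta=BETA):
    """C = alpha * L + beta * I for every asset present in both tables."""
    assert abs(alpha + beta - 1.0) < 1e-9, "weights must sum to 1"
    return {k: alpha * L[k] + beta * I[k] for k in L if k in I}


def classify(asset, core, C, V):
    """Place an asset on the (C, V) grid: core / key / concern / unconcerned."""
    if asset == core:
        return "core"                  # drawn at (10, 10) in the text
    if C >= 7 and V >= 7:
        return "key"
    if C >= 4 and V >= 4:
        return "concern"
    return "unconcerned"


def identify(core, hops=HOPS, no_ip=NO_IP, traffic=TRAFFIC, cvss=CVSS):
    """Run S3..S5 and return {asset: (L, I, C, V, class)}."""
    L = path_scores(core, hops, no_ip)
    I = influence_scores(traffic)
    C = association(L, I)
    return {k: (L[k], I[k], C[k], cvss[k], classify(k, core, C[k], cvss[k]))
            for k in C}


if __name__ == "__main__":
    for asset, (L, I, C, V, cls) in sorted(identify("a").items()):
        print(f"{asset:4} L={L:4.1f} I={I:5.2f} C={C:5.2f} V={V:4.1f} -> {cls}")
```

Assets d and e sit one hop from the core with equal L, and d's higher traffic lifts its C above e's, which is the Fig. 4 situation described above.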
Some supplementary explanation is needed: 1, the present invention first makes the core asset clear, so that the object to be protected is known; 2, it finds the key assets, repairs vulnerabilities, installs patches and hardens them, setting up prevention on the path that reaches the core asset; 3, key assets are often the focus of attackers, who break through key assets layer by layer to finally take the core asset. Deceptive defence can exploit exactly this point by simulating key assets to deceive the attacker, delay the attack and protect the core asset.
For this reason, as a preferred embodiment, the core assets are the assets that need special protection and are the assets that an attacker ultimately wants to obtain or destroy; the key assets include the core assets.
On the one hand, the identification method is provided with a prevention module, which is used to repair and improve the vulnerabilities of core assets and key assets; the prevention module also contains an attack technique signature database;
on the other hand, a honeypot monitoring module is also provided, which imitates and virtualises the key assets and core assets in the prediction module, confuses the attacker's view, and promptly monitors the attack techniques and tools used by attackers against the honeypots that imitate key assets;
it further includes an analysis module and a response module, where the analysis module analyses the data output by the honeypot monitoring module, including analysing the attack techniques and tools used against the virtual key assets by the attackers monitored in the honeypot monitoring module; the response module automatically generates response commands from the results of the analysis module.
For example, the well-known Stuxnet incident ultimately destroyed the core asset precisely by breaking through key assets layer by layer.
Propagation of the Stuxnet virus: the attack target of the Stuxnet worm was the SIMATIC WinCC software (i.e. the core asset). The latter is mainly used for data acquisition and monitoring of industrial control systems and is generally deployed in a dedicated internal LAN that is physically isolated from the external Internet. To carry out the attack, the Stuxnet worm used multiple means of penetration and propagation. The overall propagation approach was: first infect external hosts; then infect USB flash drives and use the shortcut-file parsing vulnerability to spread into the internal network; within the intranet, spread between networked hosts through the shortcut parsing vulnerability, the RPC remote code execution vulnerability and the print spooler service vulnerability; and finally reach the host on which the WinCC software was installed and launch the attack.
With the technical solution provided by the invention, the core asset and the key assets centred on it all undergo vulnerability inspection, remediation and improvement, while defensive technology is used to strengthen the protection level of the network. The analysis module in this embodiment further analyses the attack techniques and tools used by the attacker monitored in the honeypot monitoring module. The honeypot monitoring module monitors in real time the attack techniques and tools that attackers use against key assets in the current network system and analyses them. After the attack data has been analysed: if it is a known attack, i.e. the attack technique has a corresponding defence technique in the defence technique database of the prevention module, the preset defence technique is invoked directly for protection; if it is an unknown attack, the honeypot monitoring module samples the attack source and the sample, traces its origin, adds it to the attack technique feature database, and adds the network asset exploited by the attacker to the key asset library.
On the other hand, after the response module has automatically generated response commands from the results of the analysis module, it performs the following actions:
First: alert information is sent to the administrator immediately by e-mail, WeChat or similar channels, and a network threat situation report is issued periodically to help the user understand the current network security state and update the key asset library;
Second: linked blocking, in which the defence system and the perimeter security devices jointly block attacks on key assets;
Third: linked scanning and removal, in which the defence system and the endpoint security software jointly scan and clean the key assets;
Fourth: a forensic toolkit, i.e. a network threat emergency-response kit that can be used for on-site analysis and evidence collection when an attack occurs.
The scheme provided by the invention can effectively define key assets and helps to grasp the crux of the problem: the vulnerabilities of the core asset and the key assets are repaired and remedied, overcoming the shortcoming of uniform protection in the prior art, so that information systems that hold more important information or are more likely to be penetrated by cybercriminals receive enhanced protection. With the technology provided by the invention, protection is targeted and achieves more with less effort.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" and the like means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the application have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be construed as limiting the application; those skilled in the art may change, modify, replace and vary the above embodiments within the scope of the application.
Claims (10)
1. A method for identifying network key assets, characterised by comprising the following steps:
S1, enumerate all assets in the current network and form an inventory;
S2, according to the service conditions in the current network, mark one or more core assets;
S3, form a network topology diagram of the enumerated network assets with the core asset at its centre, and draw the network association relationships;
S4, identify the key assets in the current network using the following method:
in the network topology diagram, taking a given core asset as the source, calculate from the topological routes the degree of association between each asset in the current network and the core asset, and measure the vulnerability of each asset in the current network; the key assets of that core asset in the network are determined by these two elements;
S5, centred on the given core asset, according to the association relationship and the vulnerability relationship with the core asset, divide all assets in the current network into at least core assets, key assets and concern assets.
2. The method for identifying network key assets according to claim 1, characterised in that in step S4 the degree of association C between each asset in the current network and the core asset is calculated as follows:
C = αL + βI
This formula takes into account both the routing association between a network asset and the core asset and the influence of the asset; where
L and I are values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1;
C denotes the key-asset degree of association;
L denotes the length of the shortest path from a given asset in the current network to the core asset;
I denotes the influence of the network asset, with the access volume, i.e. the traffic level, as its main parameter; using traffic as the indicator takes the dynamic change of influence into account.
3. The method for identifying network key assets according to claim 2, characterised in that the closer an asset in the current network is to the core asset, the higher its degree of association, i.e. the fewer device nodes lie between it and the core asset, the higher the degree of association;
under otherwise equal conditions, the larger the user access volume of an asset in the current network, the higher its degree of association.
4. The method for identifying network key assets according to claim 3, characterised in that, for determining the path value L, the number of routes is taken as the calculation standard for the obstruction value; the rules are as follows:
a. the L value of the core asset is taken as 10; the closer to 10, the greater the association; the closer to 0, the smaller the association;
b. taking the core asset as the starting point with a base of 10, for each network asset associated with the core asset the value is reduced by N for every routing hop, where N is any number between 0.5 and 5; that is, with the core asset as the origin, a network asset associated through one route has an L value of 10 - N; where N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
b1) for the network devices with IP addresses connected to the core asset, based on the network topology and according to the critical path method (CPM), the L value is reduced by the obstruction value N for every routing hop starting from the core asset;
b2) after the network devices with IP addresses have been calculated as in b1), the L values of the network devices without IP addresses are also obtained with the shortest-path method: the highest L value among all IP-bearing network devices directly connected to such a device is taken as its L value.
5. The method for identifying network key assets according to claim 4, characterised in that the influence of a network asset is determined mainly by its own network traffic;
in a network, an asset that carries more traffic than other assets has a higher user access volume, and the higher the access volume, the more easily an attacker reaches the core asset through that network device; take the highest traffic value T in the network and the lowest traffic value t in the network, and let the traffic of any network device be tn; then the influence value I of that network device is calculated as:
I = 10 × (tn - t) / (T - t).
6. The method for identifying network key assets according to claim 1, characterised in that vulnerability refers to scoring the weaknesses present in the asset devices of the current network and then judging the priority for repairing the different weaknesses; where
the final score of a vulnerability is at most 10 and at least 0;
vulnerabilities scoring 7 to 10 are generally considered serious;
scores between 4 and 6.9 are medium-level vulnerabilities;
0 to 3.9 are low-level vulnerabilities.
7. The method for identifying network key assets according to any one of claims 1 to 6, characterised in that in step S4 a two-dimensional diagram is drawn from the degree of association with the core asset and the vulnerability, both graded on a 0 to 10 scale, where
(10, 10) represents the core asset in the current network;
assets at (7, 7) and above, i.e. with a high degree of association and high vulnerability, are key assets;
assets lying between (7, 7) and (4, 4) in degree of association and vulnerability are concern assets.
8. The method for identifying network key assets according to claim 7, characterised in that the core asset is the asset that needs focused protection and is the asset the attacker ultimately wants to obtain or destroy; from the grading in claim 7 it follows that the key assets include the core asset;
on the one hand, a prevention module is provided in the identification method, which is used to repair and remedy the vulnerabilities of the core asset and the key assets; an attack technique feature database is also provided in the prevention module;
on the other hand, a honeypot monitoring module is also provided, which imitates and virtualises the key assets and the core asset in the prevention module so as to confuse the attacker's view, and promptly monitors the attack techniques and tools the attacker uses against the honeypots imitating the key assets;
an analysis module and a response module are also included, where
the analysis module analyses the data output by the honeypot monitoring module, and further analyses the attack techniques and tools used by the attacker monitored in the honeypot monitoring module against the virtual key assets;
the response module automatically generates response commands from the results of the analysis module.
9. The method for identifying network key assets according to claim 8, characterised in that the analysis module further analyses the attack techniques and tools used by the attacker monitored in the honeypot monitoring module; where
the honeypot monitoring module monitors in real time the attack techniques and tools attackers use against key assets in the current network system and analyses them;
after the attack data has been analysed, if it is a known attack, i.e. the attack technique has a corresponding defence technique in the defence technique database of the prevention module, the preset defence technique is invoked directly for protection;
if it is an unknown attack, the honeypot monitoring module samples the attack source and the sample, traces its origin, adds it to the attack technique feature database, and adds the network asset exploited by the attacker to the key asset library.
10. The method for identifying network key assets according to claim 9, characterised in that after the response module has automatically generated response commands from the results of the analysis module, it performs the following actions:
First: alert information is sent to the administrator immediately by e-mail, WeChat or similar channels, and a network threat situation report is issued periodically to help the user understand the current network security state and update the key asset library;
Second: linked blocking, in which the defence system and the perimeter security devices jointly block attacks on key assets;
Third: linked scanning and removal, in which the defence system and the endpoint security software jointly scan and clean the key assets;
Fourth: a forensic toolkit, i.e. a network threat emergency-response kit that can be used for on-site analysis and evidence collection when an attack occurs.
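The scoring procedure of claims 2 to 7 (shortest-path value L, traffic-based influence I, C = αL + βI, and the (C, V) grading into core, key and concern assets) worked through in Python, as an added example that is not part of the patent or of any product built on it. The topology, traffic counters, vulnerability scores, the obstruction value N = 2 and the weights α = 0.6, β = 0.4 are all constructed assumptions; treating devices without an IP address as transparent to hop counting, giving unreachable devices L = 0, and the "other" class below the concern band are interpretations of the claims, which only fix the rules quoted in the comments.

```python
from collections import deque

# Constructed sample network (an assumption for this example, not data from the
# patent). Each asset records whether it has an IP address, its traffic level
# (tn in claim 5), a vulnerability score V in 0..10 (assumed to be the highest
# score among its known weaknesses, claim 6) and its directly connected devices.
# "sw1" is an unmanaged switch without an IP address.
ASSETS = {
    "wincc-server": {"ip": True,  "traffic": 800,  "vuln": 9.8, "links": ["sw1"]},
    "sw1":          {"ip": False, "traffic": 2500, "vuln": 0.0,
                     "links": ["wincc-server", "eng-station", "plc-gw", "core-router"]},
    "eng-station":  {"ip": True,  "traffic": 4000, "vuln": 7.5, "links": ["sw1"]},
    "plc-gw":       {"ip": True,  "traffic": 300,  "vuln": 5.0, "links": ["sw1"]},
    "core-router":  {"ip": True,  "traffic": 5000, "vuln": 4.3, "links": ["sw1", "dmz-jump"]},
    "dmz-jump":     {"ip": True,  "traffic": 2000, "vuln": 8.1, "links": ["core-router", "office-pc"]},
    "office-pc":    {"ip": True,  "traffic": 0,    "vuln": 6.0, "links": ["dmz-jump"]},
}
CORE = "wincc-server"
N_PER_HOP = 2.0          # obstruction value N per routed hop; claim 4 allows 0.5..4, 2 is assumed here
ALPHA, BETA = 0.6, 0.4   # weights of L and I with alpha + beta = 1; assumed values


def routed_neighbours(assets, name):
    """IP-bearing devices reachable from `name` without crossing another IP-bearing
    device. Devices without an IP (layer-2 switches) are transparent, so they do
    not count as a routing hop (interpretation of claim 4 b1/b2)."""
    seen, found = {name}, set()
    queue = deque(assets[name]["links"])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        if assets[cur]["ip"]:
            found.add(cur)            # stop here: this device is one routed hop away
        else:
            queue.extend(assets[cur]["links"])
    return found


def path_scores(assets, core, n=N_PER_HOP):
    """L per asset (claim 4): the core asset is 10 and every routed hop away from
    it subtracts N; a device without an IP takes the highest L of the IP-bearing
    devices directly connected to it. Unreachable devices get 0 (assumed)."""
    hops = {core: 0}
    queue = deque([core])
    while queue:                      # breadth-first search = shortest path in hops
        cur = queue.popleft()
        for nxt in routed_neighbours(assets, cur):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    L = {name: max(0.0, 10.0 - n * hops[name]) if name in hops else 0.0
         for name, a in assets.items() if a["ip"]}
    for name, a in assets.items():
        if not a["ip"]:
            L[name] = max((L[x] for x in a["links"] if assets[x]["ip"]), default=0.0)
    return L


def influence_scores(assets):
    """I per asset (claim 5): I = 10 * (tn - t) / (T - t) with t, T the lowest and
    highest traffic in the network. If every device carries the same load the
    formula divides by zero; that degenerate case is mapped to I = 0."""
    flows = [a["traffic"] for a in assets.values()]
    t, T = min(flows), max(flows)
    if T == t:
        return {name: 0.0 for name in assets}
    return {name: 10.0 * (a["traffic"] - t) / (T - t) for name, a in assets.items()}


def assess(assets, core, alpha=ALPHA, beta=BETA):
    """C = alpha*L + beta*I (claim 2) and the (C, V) grading of claim 7.
    Returns {asset: {"L", "I", "C", "V", "class"}}."""
    if abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha + beta must equal 1")
    L, I = path_scores(assets, core), influence_scores(assets)
    out = {}
    for name, a in assets.items():
        if name == core:
            c, v, cls = 10.0, 10.0, "core"          # the core asset sits at (10, 10)
        else:
            c, v = round(alpha * L[name] + beta * I[name], 2), a["vuln"]
            if c >= 7 and v >= 7:
                cls = "key"                          # high association and high vulnerability
            elif c >= 4 and v >= 4:
                cls = "concern"                      # between (4, 4) and (7, 7)
            else:
                cls = "other"                        # below the concern band; label assumed,
                                                     # the claims only require "at least" 3 classes
        out[name] = {"L": L[name], "I": round(I[name], 2), "C": c, "V": v, "class": cls}
    return out


if __name__ == "__main__":
    for name, r in sorted(assess(ASSETS, CORE).items(), key=lambda kv: -kv[1]["C"]):
        print(f"{name:13} L={r['L']:4.1f} I={r['I']:4.1f} C={r['C']:4.1f} "
              f"V={r['V']:4.1f} -> {r['class']}")
```

On this input the engineering station one hop from the WinCC server, with high traffic and a 7.5 vulnerability, lands at (8.0, 7.5) and is the only key asset; the core router scores higher on C (8.8) but its 4.3 vulnerability keeps it in the concern band, which is the point of combining the two axes rather than ranking by topology alone. The unmanaged switch inherits L = 10 from the core asset under rule b2, so a device with no IP and no scored weaknesses can still carry a high C; in practice such devices need a vulnerability score of their own before the grading means much.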
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910866476.6A CN110460481B (en) | 2019-09-12 | 2019-09-12 | Identification method of network key assets |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110460481A true CN110460481A (en) | 2019-11-15 |
CN110460481B CN110460481B (en) | 2022-02-25 |
Family
ID=68491931
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910866476.6A Active CN110460481B (en) | 2019-09-12 | 2019-09-12 | Identification method of network key assets |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110460481B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111080425A (en) * | 2019-12-11 | 2020-04-28 | 深圳盈佳信联科技有限公司 | Receivable account asset equity checking system and method |
CN112069269A (en) * | 2020-08-27 | 2020-12-11 | 黄天红 | Big data and multidimensional feature-based data tracing method and big data cloud server |
CN113329038A (en) * | 2021-08-03 | 2021-08-31 | 南京天华中安通信技术有限公司 | Key digital asset protection method and device, electronic equipment and storage medium |
CN115296917A (en) * | 2022-08-09 | 2022-11-04 | 山东港口科技集团烟台有限公司 | Asset exposure surface information acquisition method, device, equipment and storage medium |
CN115296917B (en) * | 2022-08-09 | 2023-07-07 | 山东港口科技集团烟台有限公司 | Asset exposure surface information acquisition method, device, equipment and storage medium |
CN116599765A (en) * | 2023-06-29 | 2023-08-15 | 软极网络技术(北京)有限公司 | Honeypot deployment method |
CN116599765B (en) * | 2023-06-29 | 2023-12-08 | 软极网络技术(北京)有限公司 | Honeypot deployment method |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100091354A (en) * | 2009-02-10 | 2010-08-19 | (주)닥터소프트 | Apparatus and method for management of information technology resource |
CN101964730A (en) * | 2010-01-28 | 2011-02-02 | 北京邮电大学 | Network vulnerability evaluation method |
CN103368976A (en) * | 2013-07-31 | 2013-10-23 | 电子科技大学 | Network security evaluation device based on attack graph adjacent matrix |
CN104798079A (en) * | 2012-12-18 | 2015-07-22 | 迈克菲公司 | Automated asset criticality assessment |
CN105721459A (en) * | 2016-01-29 | 2016-06-29 | 博雅网信(北京)科技有限公司 | Risk evaluation method for virtual environment |
CN107093152A (en) * | 2017-04-24 | 2017-08-25 | 杭州创云智科技有限公司 | Electric network composition fragility node recognition methods |
EP3396612A1 (en) * | 2017-04-24 | 2018-10-31 | BlockSettle AB | Method and system for creating a user identity |
Also Published As
Publication number | Publication date |
---|---|
CN110460481B (en) | 2022-02-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110460481A (en) | A kind of recognition methods of network key assets | |
EP2953298B1 (en) | Log analysis device, information processing method and program | |
KR100955281B1 (en) | Security Risk Evaluation Method for Threat Management | |
CN107483425B (en) | Composite attack detection method based on attack chain | |
CN105009132A (en) | Event correlation based on confidence factor | |
US10505986B1 (en) | Sensor based rules for responding to malicious activity | |
CN108234419A (en) | A kind of network attack monitoring method and device based on big data | |
JP2010539574A (en) | Intrusion detection method and system | |
CN1996330A (en) | Application of cut-sets to network interdependency security risk assessment | |
CN109995793A (en) | Network dynamic threatens tracking quantization method and system | |
CN111181918B (en) | TTP-based high-risk asset discovery and network attack tracing method | |
WO2018088383A1 (en) | Security rule evaluation device and security rule evaluation system | |
KR20170058140A (en) | An analysis system of security breach with analyzing a security event log and an analysis method thereof | |
CN105262730B (en) | Monitoring method and device based on enterprise domain name safety | |
CN109561097A (en) | Structured query language injects security flaw detection method, device, equipment and storage medium | |
JP6407184B2 (en) | Attack countermeasure determination system, attack countermeasure determination method, and attack countermeasure determination program | |
WO2017033448A1 (en) | Data processing device, data processing method, and program recording medium | |
CN113055362B (en) | Method, device, equipment and storage medium for preventing abnormal behaviors | |
CN114189361B (en) | Situation awareness method, device and system for defending threat | |
KR20220117866A (en) | Security compliance automation method | |
EP2991305B1 (en) | Apparatus and method for identifying web page for industrial control system | |
CN114006719A (en) | AI verification method, device and system based on situation awareness | |
US8869267B1 (en) | Analysis for network intrusion detection | |
Hooper | An intelligent intrusion detection and response system using hybrid ward hierarchical clustering analysis | |
CN117220961B (en) | Intrusion detection method, device and storage medium based on association rule patterns |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |