CN110460481B - Identification method of network key assets - Google Patents

Identification method of network key assets

Info

Publication number
CN110460481B
Authority
CN
China
Prior art keywords
assets
asset
network
core
key
Prior art date
Legal status
Active
Application number
CN201910866476.6A
Other languages
Chinese (zh)
Other versions
CN110460481A (en)
Inventor
李春强
丘国伟
郑华梅
Current Assignee
Beijing Jingwei Xinan Technology Co ltd
Nanjing Jingwei Xin'an Technology Co ltd
Original Assignee
Beijing Jingwei Xinan Technology Co ltd
Nanjing Jingwei Xin'an Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Jingwei Xinan Technology Co ltd, Nanjing Jingwei Xin'an Technology Co ltd
Priority to CN201910866476.6A
Publication of CN110460481A
Application granted
Publication of CN110460481B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12 Discovery or management of network topologies
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a method for identifying network key assets, comprising the steps of: S1, counting all assets on the current network; S2, marking one or more core assets; S3, for the counted network assets, forming a network topology graph with the core assets as its core and drawing the network association relations; S4, identifying the key assets in the current network by a two-element method; and S5, taking a certain core asset as the center, dividing all the assets in the current network into at least core assets, key assets and concerned assets according to their association relation and vulnerability relation with that core asset. The scheme provided by the invention effectively defines the key assets, helps grasp the crux of the problem, repairs and improves the vulnerabilities of the core assets and key assets, overcomes the defect of equal protection in the prior art, provides enhanced protection for information systems that store more important information or are more likely to be infiltrated by network criminals, and achieves twice the result with half the effort.

Description

Identification method of network key assets
Technical Field
The invention belongs to the technical field of computer network security, and particularly relates to a method for identifying network key assets.
Background
In recent years, the threats and risks to network security have increased dramatically. Network security is a common challenge for everyone in the information age, because threat sources exist and, because cyberspace is profitable, a threat source can attack from all sides to obtain benefits. Just as hackers seek wealth or small gains, hostile forces and opposing groups can also disturb society through the network, undermine national stability and carry out organized, high-intensity, continuous attacks on a target network. In particular, with the advent of the 5G era the industrial internet also faces security threats, and the resulting network attacks tend to have more serious effects than in the past. The threats to network security can come from many directions and change over time; their biggest characteristic is that they do not fight openly: by infiltrating the other party's infrastructure network, they can launch a fatal strike at a critical moment.
Network security and security policies have shifted from "protecting all digital systems equally" to providing enhanced protection for information systems that hold more important information or are more likely to be penetrated by cyber criminals or national adversaries, which requires protection of critical assets, and many current approaches are only defining assets, not critical assets. The definition of the key assets is beneficial to changing a network security defense mode from passive defense to active defense, preventing the vulnerability of the key assets, monitoring the key asset conditions in a key mode and protecting the core assets.
Therefore, there is a need for providing a new technical solution for identifying the key assets in the network, and the identification and protection of the key assets in the network has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In order to overcome the problems in the related technology at least to a certain extent and expect that the key assets in the network can be effectively identified for targeted guarantee, the invention provides an identification method of the network key assets.
In order to achieve the above object, the present invention provides a method for identifying a network key asset, comprising the following steps:
S1, counting all assets on the current network and forming an asset list;
S2, marking one or more core assets according to the service conditions in the current network;
S3, for the counted network assets, forming a network topology graph with the core assets as its core, and drawing the network association relations;
S4, identifying the key assets in the current network by a two-element method:
in the network topology graph, taking a certain core asset as the source, calculating the association degree between each asset in the current network and that core asset according to the topological route, measuring the vulnerability of each asset in the current network, and determining the key assets of that core asset in the network through these two elements;
and S5, taking a certain core asset as the center, dividing all the assets in the current network into at least core assets, key assets and concerned assets according to their association relation and vulnerability relation with that core asset.
Further, the method for calculating the association degree C between each asset in the current network and the core asset in step S4 is:
C = αL + βI
The formula considers not only the route correlation between the network assets and the core assets, but also the influence of the key assets; wherein
L and I both take values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1;
C represents the key asset association degree;
L represents the length of the shortest path from an asset in the current network to the core asset;
and I represents the influence of the network asset, with the access volume, namely the traffic bit value, used as the main calculation index; taking traffic as the index accounts for the dynamic change of the influence.
The closer an asset in the current network is to the core asset, the higher its association degree; that is, the fewer device nodes lie between the network asset and the core asset, the higher the association degree;
under otherwise equal conditions, the larger the user access volume of an asset in the current network, the higher its association degree. In the invention, the path value L is determined by using the number of routes as the calculation standard for the barrier value; the rule is as follows:
a. L of the core asset is taken as 10; the closer to 10, the greater the correlation, and the closer to 0, the smaller the correlation;
b. taking the core asset as the starting point and 10 as the base, the routing value of each network asset associated with the core asset is reduced by N, where N is any value between 0.5 and 5; that is, with the core asset as the origin, the L value of a network asset formed by one routing association is 10-N; wherein N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
b1) for the network devices with an IP address connected to the core asset, the route L value is reduced by the barrier value N for each hop starting from the core asset, following the shortest path method based on the network topology;
b2) after b1), the L value of a network device without an IP address is calculated by the shortest path method as the highest L value among all the IP-bearing network devices connected to that device.
The influence of a network asset in the invention is mainly determined by the network traffic of that asset;
in the network, an asset with more traffic than other assets is one with more user access, and an attacker is more likely to reach the core asset through a network device with higher access; taking the highest traffic figure in the network as T, the lowest traffic figure in the network as t, and the traffic of any network device as tn, the influence value I of that network device is calculated by the following formula:
I = 10 * (tn - t) / (T - t)
Further, vulnerability refers to scoring the vulnerabilities present in the asset devices in the current network and then judging the priority of repairing the different vulnerabilities; wherein
the final vulnerability score is at most 10 and at least 0;
vulnerabilities scoring 7-10 are generally considered severe;
a score of 4-6.9 indicates a medium-level vulnerability;
0 to 3.9 are low-level vulnerabilities.
Further, in step S4, a two-dimensional diagram is drawn from the association degree with the core asset and the vulnerability, both classified on a scale of 0-10, wherein
(10, 10) represents the core assets among the current network assets;
assets at (7, 7) and above, with high association degree and high vulnerability, are key assets;
assets whose association degree and vulnerability lie between (4, 4) and (7, 7) are concerned assets.
As a preferred mode, the core asset refers to an asset which needs to be protected in an important way, and is an asset which an attacker finally wants to acquire or destroy; the key assets include core assets;
on one hand, the identification method is provided with a prevention module which is used for repairing and perfecting the vulnerability of the core assets and the key assets; an attack technical feature library is also arranged in the prevention module;
on the other hand, the system is also provided with a honeypot monitoring module, wherein the honeypot monitoring module is used for simulating and virtually utilizing the key assets and the core assets in the prevention module, confusing the sight of an attacker and timely monitoring the attack technology and tools of the attacker on the honeypot simulating the key assets;
further comprising an analysis module and a response module, wherein
The analysis module analyzes the data output by the honeypot monitoring module, including the attack techniques and tools used by the attacker against the virtual key assets as monitored in the honeypot monitoring module; the response module automatically generates a response command for the result analyzed by the analysis module.
Preferably, the analysis module further analyzes attack techniques and tools used by the attacker monitored in the honeypot monitoring module; wherein
The honeypot monitoring module monitors in real time the attack techniques and tools used by an attacker against key assets in the current network system and analyzes them;
after the attack data are analyzed, if the attack is known, that is, the attack technique has a corresponding defense technique in the defense technique database of the prevention module, the preset defense technique is called directly for protection; if the attack is unknown, the honeypot monitoring module samples the attack source and the sample and performs traceability analysis, adds the sample to the attack technical feature library, and adds the network assets used by the attacker to the key asset library.
As a preferred mode, after the response module automatically generates a response command for the result analyzed by the analysis module, the following actions are performed:
first: alarm information is sent to the administrator immediately by mail, WeChat or similar means, and a network threat situation report is sent periodically to help the user understand the current network security state and update the key asset library;
second: linked blocking, in which the defense system and the boundary security equipment block the key assets in a linked manner;
third: linked search and kill, in which the defense system and the terminal security software perform a linked search and kill on the key assets;
fourth: a forensics toolkit, which provides a network threat emergency response toolkit that can be used for on-site analysis and evidence collection when an attack event occurs.
The technical scheme provided by the embodiment of the application can have the following beneficial effects: according to the method, firstly, all assets on a current network are counted, one or more core assets are marked according to the service condition in the current network, a network topological graph is formed, in the network topological graph, the association degree of each asset in the current network assets and the core assets is calculated according to a topological route by taking a certain core asset as a source, the vulnerability of each asset in the current network assets is measured, and the key asset of a certain core asset in the network is determined through the two elements; the scheme provided by the invention can effectively define the key assets, is beneficial to catching the key of the problem, repairs and perfects the vulnerability of the core assets and the key assets, overcomes the defect of equal protection in the prior art, and provides enhanced protection for an information system which stores more important information or is more likely to be infiltrated by network criminals.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is a flow chart of a method of identifying network key assets of the present invention;
FIG. 2 is a schematic block diagram of an identification system for network critical assets of the present invention;
FIG. 3 is a schematic illustration of an asset list in the present invention;
FIG. 4 is a schematic view of asset device access volume in the present invention;
FIG. 5 is a two-dimensional schematic of the present invention plotted against the degree of association with a core asset and vulnerability.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
As shown in fig. 1, the present embodiment provides a method for identifying a network key asset, including the following steps:
S1, counting all assets on the current network and forming an asset list;
S2, marking one or more core assets according to the service conditions in the current network;
S3, for the counted network assets, forming a network topology graph with the core assets as its core, and drawing the network association relations;
S4, identifying the key assets in the current network by a two-element method:
in the network topology graph, taking a certain core asset as the source, calculating the association degree between each asset in the current network and that core asset according to the topological route, measuring the vulnerability of each asset in the current network, and determining the key assets of that core asset in the network through these two elements;
and S5, taking a certain core asset as the center, dividing all the assets in the current network into at least core assets, key assets and concerned assets according to their association relation and vulnerability relation with that core asset.
As shown in fig. 2, it should be added that corresponding system modules are used in the identification method for network key assets provided in this embodiment, and include a network asset identification module, a core asset tagging module, a network topology module, a key asset identification module, a key asset analysis module, and a key asset application module, where the following further explains the working functions of the modules:
as shown in fig. 3, a network asset identification module is used to count all assets on the current network and form an asset list; such as servers, network devices, data files, software assets, storage devices, security devices, etc., to name but a few, refer to the schematic list shown in fig. 3.
A core asset marking module is used to mark the assets counted by the network asset identification module, marking one or more core assets according to the service conditions in the current network, such as one or more of data assets, device assets and operating systems.
A network topology module is used to form a network topology graph of the counted network assets and to draw the network association relations.
In the current network system a network topology map is drawn, and one or more core assets may exist in one topology map. If only one core asset exists, all the assets in the current network are divided, with that core asset as the center, into at least core assets and key assets according to their association relation and vulnerability relation with the core asset.
If several core assets exist, such as data assets, equipment assets and operating systems, the assets in the current network are divided, with each core asset as a center, into at least core assets and key assets according to their association degree and vulnerability relation with that core asset.
It is noted that the key assets include core assets and also associated assets that can directly or indirectly reach the core assets. Such as a host, account, process, port, data port, web site, etc. The core assets are the assets needing important protection and are the assets which an attacker finally wants to acquire or destroy. Core assets include, but are not limited to, data assets, device assets, operating systems to be heavily protected. The key assets are those which have strong relevance and vulnerability to a certain core asset.
In the present embodiment, the association degree, i.e. the association relation between each asset in the network and the core asset, is described in detail starting from step S4. Two criteria are used: the path L and the influence I. The association degree C between all the assets on the network found by the scanner and the core asset is calculated on the basis of the network topology graph.
In this embodiment, the method for calculating the association degree C between each asset and the core asset in the current network asset in step S4 includes:
C=αL+βI
The association degree depends on the length of the path from the network asset to the core asset (i.e. the devices such as routers and switches that must be crossed), for which the shortest path L is selected, and on the influence I of the network asset, which in this embodiment is calculated from the access volume, i.e. the traffic bit value. Taking traffic as the index accounts for the dynamic change of the influence.
Wherein
L and I both take values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1; typically, α is greater than β.
C represents the key asset association degree;
L represents the length of the shortest path from an asset in the current network to the core asset;
I represents the influence of the network asset, with the access volume, namely the traffic bit value, used as the main calculation index; taking traffic as the index accounts for the dynamic change of the influence.
The closer an asset in the current network is to the core asset, the higher its association degree; that is, the fewer device nodes such as routers lie between the network asset and the core asset, the higher the association degree;
on that basis, under otherwise equal conditions, the larger the user access volume of an asset in the current network, the higher its association degree. That is, more user access means that an attacker is more likely to reach the core asset through that network device.
The formula considers both the route association between the network assets and the core assets and the influence of the key assets, namely the access volume. As shown in fig. 4, a is a core asset; e and d are the same path length from a, but d has more access, so its association degree is greater than that of e.
In this embodiment, the path value L is determined by using the number of routes as the calculation standard for the barrier value; the rule is as follows:
a. L of the core asset is taken as 10; the closer to 10, the greater the correlation, and the closer to 0, the smaller the correlation;
b. taking the core asset as the starting point and 10 as the base, the routing value of each network asset associated with the core asset is reduced by N, where N is any value between 0.5 and 5; that is, with the core asset as the origin, the L value of a network asset formed by one routing association is 10-N; wherein N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
in this embodiment N is preferably 2 (the other values work in the same way): the value is reduced by 2 for each route hop passed, so the L value of a network asset in the intranet formed by the same route is 8.
b1) For the network devices with an IP address connected to the core asset, the route L value is reduced by the barrier value N for each hop starting from the core asset, following the shortest path method based on the network topology; when N is 2, the L value is decremented by 2 for every route hop from the core asset.
b2) After b1), the L value of a network device without an IP address is calculated by the shortest path method as the highest L value among all the IP-bearing network devices connected to that device.
In this embodiment, the influence I of a network asset is determined as follows:
the influence of a network asset is mainly determined by its own network traffic.
In a network, an asset with more traffic than other assets is one with more user access, and an attacker is more likely to reach the core asset through a network device with higher access. Taking the highest traffic figure in the network as T, the lowest traffic figure in the network as t, and the traffic of any network device as tn, the influence value I of that network device is calculated by the following formula:
I = 10 * (tn - t) / (T - t)
Influence    Score
High         7 to 10 points (including 7)
Medium       4 to 7 points (including 4)
Low          below 4 points
As a preferred development, if the device providing the Web server is set as a core asset, the corresponding backup server, database server, etc., which may be supplied by the same vendor, should be given a closer association.
After the path L and the influence I of the network assets are determined, the association degree of the network assets and the core assets is calculated through the path L and the influence I.
To this end, the degree of association C of the network device with the core asset is assigned as follows:
Association degree    Score
High                  7 to 10 points (including 7)
Medium                4 to 7 points (including 4)
Low                   below 4 points
The vulnerability V is explained in this example as follows:
the vulnerability is scored by the CVSS vulnerability scoring method.
The Common Vulnerability Scoring System (CVSS) is an open standard developed by NIAC and maintained by FIRST, and can be adopted free of charge by product manufacturers. With this standard, vulnerabilities can be scored, which helps people judge the priority of repairing different vulnerabilities.
CVSS, the Common Vulnerability Scoring System, is an industry-published standard designed to evaluate the severity of vulnerabilities and help determine the urgency and importance of the required response.
Its main purpose is to help establish criteria for measuring the severity of vulnerabilities, so that severities can be compared and the priority of handling them determined. CVSS scores are based on measurements in a series of dimensions referred to as metrics. The final vulnerability score is at most 10 and at least 0.
Vulnerabilities with a score of 7-10 are generally considered severe,
a score between 4 and 6.9 indicates a medium-level vulnerability,
0 to 3.9 are low-level vulnerabilities.
Vulnerability    Score
High             7 to 10 points (including 7)
Medium           4 to 7 points (including 4)
Low              below 4 points
As shown in fig. 5, in step S4 a two-dimensional diagram is drawn from the association degree with the core asset and the vulnerability, both classified on a scale of 0-10, wherein
(10, 10) represents the core assets among the current network assets;
assets at (7, 7) and above, with high association degree and high vulnerability, are key assets;
assets whose association degree and vulnerability lie between (4, 4) and (7, 7) are concerned assets. The remaining assets are careless assets, which pose little harm to the core assets.
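The association degree C = αL + βI, the hop-based path rule for L (including rule b2 for devices without an IP), the influence formula for I and the (C, V) partition of step S5, carried through on a small constructed intranet as an added worked example; this is not code from the patent or its assignees. The topology, traffic figures, CVSS scores, N = 2 and the weights α = 0.7, β = 0.3 are constructed assumptions, and the thresholds are read as requiring both C and V to reach a band (both at least 7 for key assets, both at least 4 for concerned assets).

```python
from collections import deque

# Constructed sample data (not from the patent): one marked core asset,
# routers r1/r2, hosts d/e/f and one device ("hub") without an IP address.
# "traffic" is the access volume used as the influence index; "cvss" is the
# vulnerability score V on the 0-10 scale.
ASSETS = {
    "core": {"ip": "10.0.0.10", "traffic": 900,  "cvss": 9.8},
    "r1":   {"ip": "10.0.0.1",  "traffic": 1000, "cvss": 7.5},
    "r2":   {"ip": "10.0.1.1",  "traffic": 400,  "cvss": 5.0},
    "d":    {"ip": "10.0.0.20", "traffic": 950,  "cvss": 8.1},
    "e":    {"ip": "10.0.0.21", "traffic": 100,  "cvss": 8.1},
    "f":    {"ip": "10.0.1.20", "traffic": 50,   "cvss": 2.0},
    "hub":  {"ip": None,        "traffic": 300,  "cvss": 6.0},
}
# Undirected links of the topology graph (step S3); each link is one route hop.
LINKS = [("core", "r1"), ("r1", "r2"), ("r1", "d"), ("r1", "e"),
         ("r2", "f"), ("hub", "d"), ("hub", "f")]


def neighbours(links):
    """Adjacency sets for the undirected topology graph."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def path_values(assets, links, core, n=2.0):
    """Rule b: L is 10 at the core asset and drops by the barrier value N per
    hop of the shortest path, counted over IP-bearing devices only (rule b1).
    Devices without an IP take the highest L of their IP-bearing neighbours
    (rule b2). Unreachable IP devices get L = 0 (added assumption)."""
    adj = neighbours(links)
    has_ip = {name for name, a in assets.items() if a["ip"] is not None}
    hops = {core: 0}
    queue = deque([core])
    while queue:                      # breadth-first search = shortest path in hops
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt in has_ip and nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    l_values = {}
    for name in assets:
        if name in has_ip:
            l_values[name] = max(0.0, 10.0 - n * hops[name]) if name in hops else 0.0
    for name in assets:
        if name not in has_ip:
            ip_neigh = [l_values[x] for x in adj.get(name, ()) if x in has_ip]
            l_values[name] = max(ip_neigh) if ip_neigh else 0.0
    return l_values


def influence_values(assets):
    """I = 10 * (tn - t) / (T - t), T = highest and t = lowest traffic in the network."""
    traffic = {name: a["traffic"] for name, a in assets.items()}
    t_max, t_min = max(traffic.values()), min(traffic.values())
    if t_max == t_min:
        # The patent's formula is undefined when every asset carries the same
        # traffic; this guard (added assumption) assigns no influence at all.
        return {name: 0.0 for name in traffic}
    return {name: 10.0 * (tn - t_min) / (t_max - t_min) for name, tn in traffic.items()}


def association_degrees(assets, links, core, n=2.0, alpha=0.7, beta=0.3):
    """C = alpha * L + beta * I with alpha + beta = 1 and alpha > beta."""
    assert abs(alpha + beta - 1.0) < 1e-9, "weights must sum to 1"
    l_values = path_values(assets, links, core, n)
    i_values = influence_values(assets)
    return {name: alpha * l_values[name] + beta * i_values[name] for name in assets}


def classify(assets, links, core, **kw):
    """Step S5: partition the assets around one core asset by (C, V).
    The marked core asset is the core (the page's (10, 10)); both C and V
    at least 7 -> key asset; both at least 4 -> concerned asset; else careless."""
    c_values = association_degrees(assets, links, core, **kw)
    result = {}
    for name, a in assets.items():
        c, v = c_values[name], a["cvss"]
        if name == core:
            result[name] = "core"
        elif c >= 7 and v >= 7:
            result[name] = "key"
        elif c >= 4 and v >= 4:
            result[name] = "concerned"
        else:
            result[name] = "careless"
    return result


if __name__ == "__main__":
    c_values = association_degrees(ASSETS, LINKS, "core")
    for name, cls in classify(ASSETS, LINKS, "core").items():
        print(f"{name:5} C={c_values[name]:5.2f} V={ASSETS[name]['cvss']:4.1f} -> {cls}")
```

Hosts d and e sit at the same hop distance from the core, but d's higher traffic lifts its C above 7, so d is a key asset while e is only a concerned asset, which is the fig. 4 point.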
What needs to be expanded upon is that: 1. first, the core assets are defined, so that the objects to be protected are known; 2. the key assets are found, and the vulnerabilities on the paths reaching the core assets are repaired, patched, hardened and prevented; 3. the key assets are often the focus of an attacker's attention, and the attacker finally reaches the core assets by attacking the key assets layer by layer. Deceptive defense can exploit exactly this point by simulating the key assets to deceive attackers, delay attacks and protect the core assets.
For this reason, as a preferred embodiment, the core asset refers to an asset that needs to be protected in an important way, and is an asset that an attacker finally wants to acquire or destroy; the key assets include core assets.
On one hand, the identification method is provided with a prevention module which is used for repairing and perfecting the vulnerability of the core assets and the key assets; an attack technical feature library is also arranged in the prevention module;
on the other hand, the system is also provided with a honeypot monitoring module, wherein the honeypot monitoring module is used for simulating and virtually utilizing the key assets and the core assets in the prevention module, confusing the sight of an attacker and timely monitoring the attack technology and tools of the attacker on the honeypot simulating the key assets;
the system comprises a honeypot monitoring module, an analysis module and a response module, wherein the analysis module is used for analyzing data output by the honeypot monitoring module, and the analysis module is also used for analyzing attack technologies and tools used by attackers monitored in the honeypot monitoring module for virtual key assets; the response module is used for automatically generating a response command for the result analyzed by the analysis module.
For example, a well-known network event is a process of breaking key assets layer by layer and finally breaking core assets.
The propagation path of the Stuxnet worm: the target of the Stuxnet attack was the SIMATIC WinCC software (i.e. the core asset). WinCC is mainly used for data acquisition and monitoring in industrial control systems, is generally deployed in a dedicated internal local area network, and is physically isolated from the external internet. To carry out the attack, the Stuxnet worm used multiple means to infiltrate and spread. The overall propagation idea was: first infect an external host; then infect a USB flash drive and, through the shortcut-file parsing vulnerability, carry the worm into the internal network; within the intranet, spread between networked hosts through the shortcut-file parsing vulnerability, the RPC remote execution vulnerability and the print spooler service vulnerability; and finally launch the attack after reaching a host running the WinCC software.
With the technical scheme provided by the invention, the core assets and the key assets centred on them are inspected for vulnerabilities, which are then remediated; at the same time the protection level of the network is deepened with defensive technology, and the analysis module also analyzes the attack techniques and tools used by the attacker as observed in the honeypot monitoring module; wherein
the honeypot monitoring module monitors in real time the attack techniques and tools used by an attacker against key assets in the current network system and analyzes them; once the attack data have been analyzed, if the attack is known, i.e. the attack technique has a corresponding defense technique in the defense technique database of the prevention module, the preset defense technique is invoked directly for protection; if the attack is unknown, the honeypot monitoring module samples the attack source and the sample and performs tracing analysis, adds the sample to the attack technique feature library, and adds the network assets used by the attacker to the key asset library.
On the other hand, after the response module automatically generates a response command from the result analyzed by the analysis module, the following actions are performed:
first, alerting: alarm information is sent to the administrator immediately by mail, WeChat or similar means, and a network threat situation report is sent periodically to help the user understand the current network security state and update the key asset library;
second, linked blocking: the defense system and the boundary security equipment block the key assets in a linked manner;
third, linked scanning and removal: the defense system and the terminal security software scan the key assets and remove malware in a linked manner;
fourth, a forensics toolkit: a network threat emergency response toolkit is provided for on-site analysis and evidence collection when an attack event occurs.
The scheme provided by the invention can effectively delimit the key assets, helps to grasp the crux of the problem, repairs and remediates the vulnerabilities of the core assets and the key assets, overcomes the shortcoming of uniform protection in the prior art, and provides enhanced protection for information systems that store more important information or are more likely to be infiltrated by cyber criminals.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (9)

1. A method for identifying network key assets, characterized in that it comprises the following steps:
S1, inventorying all assets on the current network and forming an asset list;
S2, marking one or more core assets according to the business conditions of the current network;
S3, for the inventoried network assets, forming a network topology graph with the core assets at its centre and drawing the network association relations;
S4, identifying the key assets in the current network by a two-element method:
in the network topology graph, taking a given core asset as the source, calculating the association degree of each asset in the current network with that core asset along the topological route, measuring the vulnerability of each asset in the current network, and determining the key assets of that core asset in the network through these two elements;
in step S4, a two-dimensional diagram is drawn according to the association degree with the core asset and the vulnerability, and both the association degree and the vulnerability are graded, wherein
assets of high association degree and high vulnerability are key assets;
assets of medium association degree and medium vulnerability are concerned assets;
the core assets are the assets needing the most protection and are the assets that an attacker ultimately wants to obtain or destroy; the key assets include the core assets;
S5, taking a given core asset as the centre, dividing all assets in the current network into at least core assets, key assets and concerned assets according to their association relation and vulnerability relation with that core asset;
the method for calculating the association degree C of each asset in the current network with the core asset in step S4 comprises:
C=αL+βI
this formula considers not only the route correlation between the network assets and the core assets but also the influence of the key assets; wherein
L and I both take values from 0 to 10; α is the weight of L and β is the weight of I; α + β = 1;
C represents the key asset association degree;
L represents the length of the shortest path from an asset in the current network to the core asset;
I represents the influence of the network asset, with the access volume, i.e. the traffic value, as the main calculation index; using traffic as the index takes the dynamic change of influence into account.
2. The method of identifying network key assets of claim 1, wherein: the closer an asset in the current network is to the core asset, the higher its association degree, i.e. the fewer equipment nodes lie between that asset and the core asset, the higher the association degree;
under otherwise equal conditions, the greater the user access volume of an asset in the current network, the higher its association degree.
3. The method of identifying network key assets of claim 2, wherein: the value of the path L is determined by taking the number of routes as the calculation standard of the barrier value; the rules are as follows:
a. the L of the core asset is taken as 10; the closer to 10, the greater the association; the closer to 0, the smaller the association;
b. taking the core asset as the starting point and 10 as the base, N is subtracted for each routing hop of the network assets associated with the core asset, N being any value between 0.5 and 5, i.e. with the core asset as the origin, the L value of a network asset one routing hop away is 10-N; wherein N is 0.5, 1, 1.5, 2, 2.5, 3, 3.5 or 4;
b1) for network equipment with an IP address connected to the core asset, the barrier value N is subtracted from the route L value for each hop starting from the core asset, following the shortest-path method based on the network topology;
b2) for network equipment without an IP address, the L value is calculated on the basis of b1): using the shortest-path method, the highest L value among all IP-addressed network devices connected to the device without an IP address is taken as its L value.
4. The method of identifying network key assets according to claim 3, characterized in that: the influence of a network asset is mainly determined by its own network traffic;
in the network, an asset that carries more traffic than other assets, i.e. one that more users access, is one through which an attacker can more easily reach the core asset; taking the highest traffic in the network as T, the lowest traffic in the network as t, and the traffic of any network device as tn, the influence value I of that network device is calculated by the following formula:
I=10*(tn-t)/(T-t)。
5. The method of identifying network key assets of claim 1, wherein: the vulnerability refers to the scoring of the vulnerabilities present in the asset equipment of the current network, from which the priority of repairing the different vulnerabilities is judged; wherein
the maximum final vulnerability score is 10 and the minimum is 0;
vulnerabilities scoring 7 to 10 are considered severe;
scores of 4 to 6.9 are intermediate-level vulnerabilities;
scores of 0 to 3.9 are low-level vulnerabilities.
6. The method of identifying network key assets according to any one of claims 1 to 5, characterized in that: in step S4, a two-dimensional diagram is drawn according to the association degree with the core asset and the vulnerability, both graded on a scale of 0 to 10, wherein
(10, 10) represents the core asset among the current network assets;
from (7, 7) upward, assets with high association degree and high vulnerability are key assets;
assets whose association degree and vulnerability lie between (7, 7) and (4, 4) are concerned assets.
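The two-element grading of claims 1 to 6 carried through on a small constructed network, as an added illustration that is not code from the patent: the topology, traffic figures and vulnerability scores are made up; the barrier value N = 1, the weights α = β = 0.5, and the reading of "(7, 7)" and "(4, 4)" as inclusive lower thresholds are assumptions made here.

```python
# Two-element identification of key assets (claims 1 to 6 of CN110460481B).
# Added illustration, not the patent's code: topology, traffic and vulnerability
# scores are constructed; N = 1 and alpha = beta = 0.5 are choices made here.
from collections import deque

# Constructed sample network: the WinCC server is the core asset, "sw1" is a
# switch without an IP address, "fw" is the boundary device to the office PC.
GRAPH = {
    "wincc": ["sw1"], "sw1": ["wincc", "eng_ws", "hist"], "hist": ["sw1"],
    "eng_ws": ["sw1", "fw"], "fw": ["eng_ws", "office_pc"], "office_pc": ["fw"],
}
HAS_IP = {a: a != "sw1" for a in GRAPH}
TRAFFIC = {"wincc": 200, "sw1": 800, "eng_ws": 650, "hist": 50, "fw": 600, "office_pc": 50}
VULN = {"wincc": 9.8, "sw1": 5.0, "eng_ws": 7.5, "hist": 4.0, "fw": 8.1, "office_pc": 9.0}
CORE = "wincc"

def path_values(graph, core, has_ip, n=1.0):
    """L value (claim 3): 10 at the core, minus the barrier N per shortest-path hop
    for IP devices (b1); a device without an IP takes the highest L of its IP
    neighbours (b2). Hops are counted across every device on the path."""
    hops, queue = {core: 0}, deque([core])
    while queue:                      # BFS gives the shortest path in hops
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    L = {a: max(0.0, 10 - n * h) for a, h in hops.items() if has_ip[a]}
    for a in hops:
        if not has_ip[a]:
            L[a] = max((L[nb] for nb in graph[a] if has_ip[nb]), default=0.0)
    return L

def influence_values(traffic):
    """I value (claim 4): I = 10 * (tn - t) / (T - t), with t and T the lowest
    and highest traffic in the network."""
    T, t = max(traffic.values()), min(traffic.values())
    span = (T - t) or 1               # uniform traffic would divide by zero
    return {a: 10 * (tn - t) / span for a, tn in traffic.items()}

def association_degree(L, I, alpha=0.5, beta=0.5):
    """C = alpha * L + beta * I (claim 1); the weights must sum to 1."""
    if abs(alpha + beta - 1) > 1e-9:
        raise ValueError("alpha + beta must equal 1")
    return {a: alpha * L[a] + beta * I[a] for a in L}

def severity(score):
    """Vulnerability grade of claim 5 on the 0..10 scale."""
    return "severe" if score >= 7 else "intermediate" if score >= 4 else "low"

def classify(core, C, V):
    """Two-dimensional grading of claim 6: core at (10, 10), key at or above
    (7, 7), concerned between (4, 4) and (7, 7), anything lower is unranked."""
    grade = {}
    for a in C:
        if a == core:
            grade[a] = "core"
        elif C[a] >= 7 and V[a] >= 7:
            grade[a] = "key"
        elif C[a] >= 4 and V[a] >= 4:
            grade[a] = "concerned"
        else:
            grade[a] = "other"
    return grade

def identify(graph=GRAPH, core=CORE, has_ip=HAS_IP, traffic=TRAFFIC, vuln=VULN):
    """Steps S3 to S5 of claim 1 on the sample network."""
    C = association_degree(path_values(graph, core, has_ip), influence_values(traffic))
    return classify(core, C, vuln)
```

On this sample the boundary firewall and the engineering workstation come out as key assets even though the historian sits just as close to the core, because the traffic term I pulls their association degree above 7.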
7. The method of identifying network key assets of claim 6, wherein:
on the one hand, the identification method is provided with a prevention module for repairing and remediating the vulnerabilities of the core assets and the key assets; an attack technique feature library is also maintained in the prevention module;
on the other hand, the system is also provided with a honeypot monitoring module, which simulates and virtualizes the key assets and core assets recorded in the prevention module, confuses the attacker's view, and monitors in a timely manner the attack techniques and tools the attacker uses against the honeypot that simulates the key assets;
further comprising an analysis module and a response module, wherein
the analysis module analyzes the data output by the honeypot monitoring module, including the attack techniques and tools used by attackers against the virtual key assets observed in the honeypot monitoring module; the response module automatically generates response commands from the results analyzed by the analysis module.
8. The method of identifying network key assets of claim 7, wherein: the analysis module also analyzes the attack techniques and tools used by the attacker as observed in the honeypot monitoring module; wherein
the honeypot monitoring module monitors in real time the attack techniques and tools used by an attacker against key assets in the current network system and analyzes them;
once the attack data have been analyzed, if the attack is known, i.e. the attack technique has a corresponding defense technique in the defense technique database of the prevention module, the preset defense technique is invoked directly for protection;
if the attack is unknown, the honeypot monitoring module samples the attack source and the sample and performs tracing analysis, adds the sample to the attack technique feature library, and adds the network assets used by the attacker to the key asset library.
9. The method of identifying network key assets of claim 8, wherein: after the response module automatically generates a response command from the result analyzed by the analysis module, the following actions are performed:
first, alerting: alarm information is sent to the administrator immediately by mail, WeChat or similar means, and a network threat situation report is sent periodically to help the user understand the current network security state and update the key asset library;
second, linked blocking: the defense system and the boundary security equipment block the key assets in a linked manner;
third, linked scanning and removal: the defense system and the terminal security software scan the key assets and remove malware in a linked manner;
fourth, a forensics toolkit: a network threat emergency response toolkit is provided for on-site analysis and evidence collection when an attack event occurs.
CN201910866476.6A 2019-09-12 2019-09-12 Identification method of network key assets Active CN110460481B (en)


Publications (2)

Publication Number Publication Date
CN110460481A CN110460481A (en) 2019-11-15
CN110460481B true CN110460481B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant